diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 0000000000..212676999c
--- /dev/null
+++ b/.github/workflows/main.yml
@@ -0,0 +1,164 @@
+---
+# This workflow integrates ShiftLeft NG SAST with GitHub
+# Visit https://docs.shiftleft.io for help
+name: ShiftLeft
+
+on:
+ workflow_dispatch:
+ pull_request:
+ branches: [ master ]
+ push:
+ branches: [ master ]
+
+jobs:
+ NextGen-Static-Analysis:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ # We are building this application with Java 11
+ - name: Setup Java JDK
+ uses: actions/setup-java@v1.4.3
+ with:
+ java-version: 11.0.x
+ - name: Package with maven
+ run: mvn compile package
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ sl check-environment
+ # ShiftLeft requires Java 1.8. Post the package step override the version
+ - name: Setup Java JDK
+ uses: actions/setup-java@v1.4.3
+ with:
+ java-version: 1.8
+ - name: Extract branch name
+ shell: bash
+ run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ id: extract_branch
+ - name: NG SAST Trunk
+ # Removed the --wait since we wont be checking the scan
+ if: ${{ github.ref == 'refs/heads/main' }}
+ run: ${GITHUB_WORKSPACE}/sl analyze --strict --app Benchmark --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/benchmark.war
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+ SHIFTLEFT_ORG_ID: ${{ secrets.SHIFTLEFT_ORG_ID }}
+ - name: NG SAST PR
+ # --wait in place because we will run check-analysis with this scan
+ if: ${{ github.event_name == 'pull_request' }}
+ run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app Benchmark --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/benchmark.war
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+ SHIFTLEFT_ORG_ID: ${{ secrets.SHIFTLEFT_ORG_ID }}
+ - name: Validate Build Rules
+ # Only run on pull request and compare to Main as set in the build rules file Shiftleft.yml
+ if: ${{ github.event_name == 'pull_request' }}
+ run: |
+ ${GITHUB_WORKSPACE}/sl check-analysis --app Benchmark \
+ --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" \
+ --report \
+ --github-pr-number=${{github.event.number}} \
+ --github-pr-user=${{ github.repository_owner }} \
+ --github-pr-repo=${{ github.event.repository.name }} \
+ --github-token=${{ secrets.GITHUB_TOKEN }}
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+ OWASP-Benchmark-Score:
+ runs-on: ubuntu-20.04
+ needs: NextGen-Static-Analysis
+ steps:
+ - uses: actions/checkout@v2
+ - name: Setup Java JDK
+ uses: actions/setup-java@v1.4.3
+ with:
+ java-version: 11.0.x
+ - name: Export NG SAST Findings
+ run: |
+ cd $HOME
+ git clone --depth 1 --branch v0.0.3 https://github.com/ShiftLeftSecurity/field-integrations
+ cd field-integrations/shiftleft-utils || exit 1
+ mkdir -p ${GITHUB_WORKSPACE}/ngsast_results
+ pip3 install -r requirements.txt
+ python3 export.py --app Benchmark -f sl -o ${GITHUB_WORKSPACE}/ngsast_results/Benchmark.sl
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+ - name: Package with maven
+ run: mvn compile package
+ - name: Calculate OWASP Benchmark Score
+ run: |
+ cd ${GITHUB_WORKSPACE}
+ mvn validate -Pbenchmarkscore -Dexec.args="expectedresults-1.2.csv ngsast_results ShiftLeft anonymous"
+ if [ -e "scorecard/Benchmark_Scorecard_for_ShiftLeft.html" ]; then
+ echo "*** Thank you for Benchmarking ShiftLeft NextGen Static Analysis ***"
+ echo "You can find the results for ShiftLeft under workflow artifacts called scorecard"
+ else
+ echo "Benchmark results were not produced correctly. 
Check if you have Java 1.8 installed"
+ fi
+ - uses: actions/upload-artifact@v2
+ with:
+ name: Benchmark_v1.2_Scorecard_for_ShiftLeft
+ path: scorecard
+
+ - name: Generate Results Checksum
+ run: |
+ OWASP_BENCHMARK_CHECKSUM=$(tail -n +2 scorecard/Benchmark_v1.2_Scorecard_for_ShiftLeft.csv |
+ sort |
+ tr -d '[:space:]' |
+ tr '[:upper:]' '[:lower:]' |
+ shasum |
+ tr -d " -")
+ echo "OWASP_BENCHMARK_CHECKSUM=$OWASP_BENCHMARK_CHECKSUM" >> $GITHUB_ENV
+
+ - uses: actions/setup-node@v2
+ with:
+ node-version: 14
+ - run: npm install jwt-decode node-fetch@2
+ if: github.event_name == 'pull_request'
+
+ - name: Notify Benchmark Results
+ uses: actions/github-script@v4
+ if: github.event_name == 'pull_request'
+ env:
+ OWASP_BENCHMARK_CHECKSUM: ${{ env.OWASP_BENCHMARK_CHECKSUM }}
+ SHIFTLEFT_USER_ID_V2: f82c02ab-752c-4156-a639-978ceafd0ccc
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ // Leave a comment on the PR
+ const { issue: { number: issue_number }, repo: { owner, repo } } = context;
+ const run = await github.actions.getWorkflowRun({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: context.runId
+ });
+ const loc = run.data.html_url ? 
'[GitHub Action](' + run.data.html_url + ')' : 'GitHub Action';
+ const body = '👋 ' + '@' + context.actor + ' OWASP Benchmark scorecard is available for download in the Artifacts Section of ' + loc;
+ github.issues.createComment({ issue_number, owner, repo, body });
+
+ // Report the results
+ const jwt_decode = require('jwt-decode');
+ const fetch = require("node-fetch");
+ const {
+ SHIFTLEFT_API_HOST,
+ SHIFTLEFT_ACCESS_TOKEN,
+ SHIFTLEFT_USER_ID_V2,
+ OWASP_BENCHMARK_CHECKSUM,
+ } = process.env;
+ const decoded = jwt_decode(SHIFTLEFT_ACCESS_TOKEN);
+ const orgID = decoded.orgID;
+ const apiHost = SHIFTLEFT_API_HOST || 'www.shiftleft.io';
+ fetch(`https://${apiHost}/api/v4/private/orgs/${orgID}/bi_proxy/owasp_benchmark_complete`, {
+ headers: {
+ "Content-Type": "application/json; charset=utf-8",
+ "Authorization": `Bearer ${SHIFTLEFT_ACCESS_TOKEN}`,
+ },
+ method: 'POST',
+ body: JSON.stringify({
+ artifact_url: run.data.html_url || '',
+ result_sha1: OWASP_BENCHMARK_CHECKSUM,
+ user_id_v2: SHIFTLEFT_USER_ID_V2,
+ })
+ })
diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml
new file mode 100644
index 0000000000..5aadb43f13
--- /dev/null
+++ b/.github/workflows/shiftleft.yml
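Review bot: The `NG SAST Trunk` step can never run, because its guard `if: ${{ github.ref == 'refs/heads/main' }}` is only true on a push to `main` while `on.push.branches` is `[ master ]`; change it to `if: ${{ github.ref == 'refs/heads/master' }}` or trigger on `main`, whichever branch the repository actually uses. In `Download ShiftLeft CLI`, `curl` without `-f` writes an HTTP error page into `sl` and still exits 0, and nothing verifies the downloaded binary before it runs with `SHIFTLEFT_ACCESS_TOKEN` in its environment, so use `curl -fsSL https://cdn.shiftleft.io/download/sl -o "${GITHUB_WORKSPACE}/sl"` and pin a release whose digest is checked (the same step exists in shiftleft.yml). The analyze and check-analysis `run:` lines expand `${{ github.head_ref || steps.extract_branch.outputs.branch }}` straight into the shell command, and a PR branch name is chosen by the PR author, so per GitHub's workflow-hardening guidance pass it through `env:` as e.g. `BRANCH: ${{ github.head_ref || steps.extract_branch.outputs.branch }}` and reference `"$BRANCH"` quoted in the command; the analyze step in shiftleft.yml has the same shape. Finally, the trailing `fetch(...)` in the `Notify Benchmark Results` script is neither awaited nor given a `.catch`, so the step can finish before the report POST completes and a failed report goes unnoticed; `const res = await fetch(...)` followed by a check of `res.ok` fixes it, and shiftleft.yml carries the identical script.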
@@ -0,0 +1,137 @@
+---
+# This workflow integrates ShiftLeft NG SAST with GitHub
+# Visit https://docs.shiftleft.io for help
+name: ShiftLeft
+
+on:
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ NextGen-Static-Analysis:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ # We are building this application with Java 11
+ - name: Setup Java JDK
+ uses: actions/setup-java@v1.4.3
+ with:
+ java-version: 11.0.x
+ - name: Package with maven
+ run: mvn compile package
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ # ShiftLeft requires Java 1.8. Post the package step override the version
+ - name: Setup Java JDK
+ uses: actions/setup-java@v1.4.3
+ with:
+ java-version: 1.8
+ - name: Extract branch name
+ shell: bash
+ run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ id: extract_branch
+ - name: NextGen Static Analysis
+ run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --analysis-timeout=1h --app Benchmark --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/benchmark.war --vcs-prefix-correction "*=/src/main/java"
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+ OWASP-Benchmark-Score:
+ runs-on: ubuntu-20.04
+ needs: NextGen-Static-Analysis
+ steps:
+ - uses: actions/checkout@v2
+ - name: Setup Java JDK
+ uses: actions/setup-java@v1.4.3
+ with:
+ java-version: 11.0.x
+ - name: Export NG SAST Findings
+ run: |
+ cd $HOME
+ git clone --depth 1 --branch v0.0.3 https://github.com/ShiftLeftSecurity/field-integrations
+ cd field-integrations/shiftleft-utils || exit 1
+ mkdir -p ${GITHUB_WORKSPACE}/ngsast_results
+ pip3 install -r requirements.txt
+ python3 export.py --app Benchmark -f sl -o ${GITHUB_WORKSPACE}/ngsast_results/Benchmark.sl
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+ - name: Package with maven
+ run: mvn compile package
+ - 
name: Calculate OWASP Benchmark Score
+ run: |
+ cd ${GITHUB_WORKSPACE}
+ mvn validate -Pbenchmarkscore -Dexec.args="expectedresults-1.2.csv ngsast_results ShiftLeft anonymous"
+ if [ -e "scorecard/Benchmark_Scorecard_for_ShiftLeft.html" ]; then
+ echo "*** Thank you for Benchmarking ShiftLeft NextGen Static Analysis ***"
+ echo "You can find the results for ShiftLeft under workflow artifacts called scorecard"
+ else
+ echo "Benchmark results were not produced correctly. Check if you have Java 1.8 installed"
+ fi
+ - uses: actions/upload-artifact@v2
+ with:
+ name: Benchmark_v1.2_Scorecard_for_ShiftLeft
+ path: scorecard
+
+ - name: Generate Results Checksum
+ run: |
+ OWASP_BENCHMARK_CHECKSUM=$(tail -n +2 scorecard/Benchmark_v1.2_Scorecard_for_ShiftLeft.csv |
+ sort |
+ tr -d '[:space:]' |
+ tr '[:upper:]' '[:lower:]' |
+ shasum |
+ tr -d " -")
+ echo "OWASP_BENCHMARK_CHECKSUM=$OWASP_BENCHMARK_CHECKSUM" >> $GITHUB_ENV
+
+ - uses: actions/setup-node@v2
+ with:
+ node-version: 14
+ - run: npm install jwt-decode node-fetch@2
+ if: github.event_name == 'pull_request'
+
+ - name: Notify Benchmark Results
+ uses: actions/github-script@v4
+ if: github.event_name == 'pull_request'
+ env:
+ OWASP_BENCHMARK_CHECKSUM: ${{ env.OWASP_BENCHMARK_CHECKSUM }}
+ SHIFTLEFT_USER_ID_V2: 1fb2c004-b53f-48e4-bccd-764ef9d06b83
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ // Leave a comment on the PR
+ const { issue: { number: issue_number }, repo: { owner, repo } } = context;
+ const run = await github.actions.getWorkflowRun({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: context.runId
+ });
+ const loc = run.data.html_url ? 
'[GitHub Action](' + run.data.html_url + ')' : 'GitHub Action';
+ const body = '👋 ' + '@' + context.actor + ' OWASP Benchmark scorecard is available for download in the Artifacts Section of ' + loc;
+ github.issues.createComment({ issue_number, owner, repo, body });
+
+ // Report the results
+ const jwt_decode = require('jwt-decode');
+ const fetch = require("node-fetch");
+ const {
+ SHIFTLEFT_API_HOST,
+ SHIFTLEFT_ACCESS_TOKEN,
+ SHIFTLEFT_USER_ID_V2,
+ OWASP_BENCHMARK_CHECKSUM,
+ } = process.env;
+ const decoded = jwt_decode(SHIFTLEFT_ACCESS_TOKEN);
+ const orgID = decoded.orgID;
+ const apiHost = SHIFTLEFT_API_HOST || 'www.shiftleft.io';
+ fetch(`https://${apiHost}/api/v4/private/orgs/${orgID}/bi_proxy/owasp_benchmark_complete`, {
+ headers: {
+ "Content-Type": "application/json; charset=utf-8",
+ "Authorization": `Bearer ${SHIFTLEFT_ACCESS_TOKEN}`,
+ },
+ method: 'POST',
+ body: JSON.stringify({
+ artifact_url: run.data.html_url || '',
+ result_sha1: OWASP_BENCHMARK_CHECKSUM,
+ user_id_v2: SHIFTLEFT_USER_ID_V2,
+ })
+ })
diff --git a/shiftleft.yml b/shiftleft.yml
new file mode 100644
index 0000000000..220d4baf42
--- /dev/null
+++ b/shiftleft.yml
@@ -0,0 +1,12 @@
+build_rules:
+ - id: allow-zero-findings
+ finding_types:
+ - vuln
+ - secret
+ - insight
+ - "*"
+ severity:
+ - SEVERITY_MEDIUM_IMPACT
+ - SEVERITY_HIGH_IMPACT
+ - SEVERITY_LOW_IMPACT
+ threshold: 0
\ No newline at end of file
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java
index 60e54fbbb6..b9c7c1d6bf 100644
--- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java
+++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java
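Review bot: Neither job declares a `permissions:` block, yet the `Notify Benchmark Results` step posts a PR comment with `secrets.GITHUB_TOKEN`, so the token carries whatever the repository default grants rather than the minimum the job needs; add `permissions:` with `contents: read` and `pull-requests: write` on `OWASP-Benchmark-Score` and `contents: read` on `NextGen-Static-Analysis` (main.yml has the same gap). The workflow fires only on `pull_request` and `workflow_dispatch`, and every `sl` and `export.py` step depends on `secrets.SHIFTLEFT_ACCESS_TOKEN`; GitHub does not expose repository secrets to pull requests from forks, so such PRs would presumably run `sl analyze` with an empty token and fail under `--strict` — worth a comment on the `on:` block stating whether fork PRs are expected. `java-version: 1.8` is an unquoted float while `11.0.x` two steps earlier is a string; `'1.8'` makes the value parser-independent. The `Extract branch name` step still uses the legacy `##[set-output ...]` command syntax, and writing `branch=...` to `$GITHUB_OUTPUT` is the supported form.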
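Review bot: In the `allow-zero-findings` rule, the `"*"` entry in `finding_types` already covers `vuln`, `secret` and `insight`, so keeping both the wildcard and the three explicit entries leaves a reader unsure which is intended; drop one of the two. The file also ends without a trailing newline. The `Validate Build Rules` comment in main.yml says this rule compares against Main, but nothing in this file names a baseline branch — presumably that is the `sl check-analysis --branch` default, which is worth confirming and noting in a comment above `build_rules:`.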
@@ -51,7 +51,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) thr
 javax.servlet.http.Cookie[] theCookies = request.getCookies();
-
+ String password = "password";
 String param = "noCookieValueSupplied";
 if (theCookies != null) {
 for (javax.servlet.http.Cookie theCookie : theCookies) {