From e9190d97677abd9030dc1487faa907a95d87e6e8 Mon Sep 17 00:00:00 2001
From: ShiftLeft
Date: Wed, 16 Mar 2022 12:14:42 -0400
Subject: [PATCH 01/14] adding ShiftLeft GitHub action
---
.github/workflows/shiftleft.yml | 59 +++++++++++++++++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 .github/workflows/shiftleft.yml
diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml
new file mode 100644
index 000000000..cfb5aa127
--- /dev/null
+++ b/.github/workflows/shiftleft.yml
@@ -0,0 +1,59 @@
+---
+# This workflow integrates ShiftLeft NG SAST with GitHub
+# Visit https://docs.shiftleft.io for help
+name: ShiftLeft
+
+on:
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ NextGen-Static-Analysis:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ # We are building this application with Java 11
+ - name: Setup Java JDK
+ uses: actions/setup-java@v1.4.3
+ with:
+ java-version: 11.0.x
+ - name: Package with maven
+ run: mvn compile package
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ # ShiftLeft requires Java 1.8. Post the package step override the version
+ - name: Setup Java JDK
+ uses: actions/setup-java@v1.4.3
+ with:
+ java-version: 1.8
+ - name: Extract branch name
+ shell: bash
+ run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ id: extract_branch
+ - name: NextGen Static Analysis
+ run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app shiftleft-java-demo --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --vcs-prefix-correction "io/shiftleft=src/main/java/" --java --cpg target/hello-shiftleft-0.0.1.jar
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+ Build-Rules:
+ runs-on: ubuntu-latest
+ needs: NextGen-Static-Analysis
+ steps:
+ - uses: actions/checkout@v2
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ - name: Validate Build Rules
+ run: |
+ ${GITHUB_WORKSPACE}/sl check-analysis --app shiftleft-java-demo \
+ --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" \
+ --report \
+ --github-pr-number=${{github.event.number}} \
+ --github-pr-user=${{ github.repository_owner }} \
+ --github-pr-repo=${{ github.event.repository.name }} \
+ --github-token=${{ secrets.GITHUB_TOKEN }}
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ 
secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+
\ No newline at end of file
From 3d8b44f401398411038cfba0a7251a3c8c814ae4 Mon Sep 17 00:00:00 2001
From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com>
Date: Mon, 21 Mar 2022 09:25:26 -0400
Subject: [PATCH 02/14] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 694690e97..45a4505c8 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# HelloShiftLeft
+# HelloShiftLeft - Shiftleft-chuck
This is a demo application which provides a real world representation of a REST service that uses a mix of convention and configuration to simulate a decent set of vulnerabilities exposed in the code. It includes scenarios such as sensitive data leaking to logs, data secrets leaks, authentication bypass, remote code execution, XSS vulnerabilites etc. The sample sensitive data is a mix of financial data such as account information, medical data of patients, and other PII data such as customer information. HelloShiftLeft also contains patterns/anti-patterns of how data is used/abused in interfaces or channels (to and from HTTP/TCP, third-party, database) that can lead to vulnerabilites. The application is built on the Spring Framework and exposes a series of endpoints and APIs for queries and simulating exploits.
From f4597098378dede72b4fee048787a22d9b87b2a7 Mon Sep 17 00:00:00 2001
From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com>
Date: Mon, 21 Mar 2022 09:36:37 -0400
Subject: [PATCH 03/14] Create shiftleft.yml
---
shiftleft.yml | 12 ++++++++++++
1 file changed, 12 insertions(+)
create mode 100644 shiftleft.yml
diff --git a/shiftleft.yml b/shiftleft.yml
new file mode 100644
index 000000000..495d08ec9
--- /dev/null
+++ b/shiftleft.yml
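Review bot: Both `Download ShiftLeft CLI` steps fetch the scanner with `curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl` and later run it with `SHIFTLEFT_ACCESS_TOKEN` in its environment, but no release is pinned and no digest is checked, and without `-f` an HTTP error body would be saved as `sl` and marked executable. A safer download is `curl -fsSL https://cdn.shiftleft.io/download/sl -o "${GITHUB_WORKSPACE}/sl"` followed by `echo "<EXPECTED_SHA256>  ${GITHUB_WORKSPACE}/sl" | sha256sum -c -` (placeholder digest, to be taken from the vendor's published release data) before the `chmod`. The `Build-Rules` job also reads `steps.extract_branch.outputs.branch`, but that step belongs to `NextGen-Static-Analysis` and step outputs are not visible across jobs, so its `--branch` fallback is empty whenever `github.head_ref` is unset. The `actions/checkout@v2` and `actions/setup-java@v1.4.3` references are mutable tags that can be pinned to commit SHAs, and the `set-output` workflow command in the branch step is deprecated in favour of writing to `$GITHUB_OUTPUT`.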
@@ -0,0 +1,12 @@
+build_rules:
+ - id: allow-zero-findings
+ finding_types:
+ - vuln
+ - secret
+# - insight
+# - "*"
+ severity:
+ - SEVERITY_MEDIUM_IMPACT
+ - SEVERITY_HIGH_IMPACT
+ - SEVERITY_LOW_IMPACT
+ threshold: 0
From e67e2b6341dc732dfb9292afaadc5094d81d2ed8 Mon Sep 17 00:00:00 2001
From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com>
Date: Fri, 25 Mar 2022 09:33:46 -0400
Subject: [PATCH 04/14] Removing RCE to AdminController
---
src/main/java/io/shiftleft/controller/AdminController.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/io/shiftleft/controller/AdminController.java b/src/main/java/io/shiftleft/controller/AdminController.java
index 296c26573..2510e4d2f 100644
--- a/src/main/java/io/shiftleft/controller/AdminController.java
+++ b/src/main/java/io/shiftleft/controller/AdminController.java
@@ -87,7 +87,7 @@ public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset")
try { // no cookie no fun
- if (!auth.equals("notset")) {
+ //if (!auth.equals("notset")) {
if(isAdmin(auth)) { request.getSession().setAttribute("auth",auth); return succ;
From 847fc72e14c6db7bb0327ec5452ab9c614dc7717 Mon Sep 17 00:00:00 2001
From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com>
Date: Fri, 25 Mar 2022 10:47:17 -0400
Subject: [PATCH 05/14] Update AdminController.java
---
src/main/java/io/shiftleft/controller/AdminController.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/io/shiftleft/controller/AdminController.java b/src/main/java/io/shiftleft/controller/AdminController.java
index 2510e4d2f..296c26573 100644
--- a/src/main/java/io/shiftleft/controller/AdminController.java
+++ b/src/main/java/io/shiftleft/controller/AdminController.java
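Review bot: Commenting out `if (!auth.equals("notset")) {` removes the opening brace of that block while its closing `}` lies outside this hunk and is not touched by the commit, so `doPostLogin` (which starts and ends outside the hunk) will not compile unless that brace is handled elsewhere. With the guard gone, `isAdmin(auth)` is consulted even for the default cookie value `notset`, and the `// no cookie no fun` comment above now describes a check that no longer exists. If the removal is deliberate for the demo, replace the stale comment with one that says so, e.g. `// demo: cookie presence check intentionally disabled`; otherwise keep the guard (patch 05/14 below restores exactly this line).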
@@ -87,7 +87,7 @@ public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset")
try { // no cookie no fun
- //if (!auth.equals("notset")) {
+ if (!auth.equals("notset")) {
if(isAdmin(auth)) { request.getSession().setAttribute("auth",auth); return succ;
From e4a8b9229054ec0957eed27c30120ee1a236e040 Mon Sep 17 00:00:00 2001
From: ShiftLeft
Date: Fri, 25 Mar 2022 11:44:36 -0400
Subject: [PATCH 06/14] adding ShiftLeft GitHub action
From 2923c8bcd53e22e6dd45e8f2f8976aa099f07e2d Mon Sep 17 00:00:00 2001
From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com>
Date: Mon, 28 Mar 2022 09:36:33 -0400
Subject: [PATCH 07/14] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 45a4505c8..b8cb5decd 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# HelloShiftLeft - Shiftleft-chuck
+# HelloShiftLeft - Shiftleft-chuck (edit)
This is a demo application which provides a real world representation of a REST service that uses a mix of convention and configuration to simulate a decent set of vulnerabilities exposed in the code. It includes scenarios such as sensitive data leaking to logs, data secrets leaks, authentication bypass, remote code execution, XSS vulnerabilites etc. The sample sensitive data is a mix of financial data such as account information, medical data of patients, and other PII data such as customer information. HelloShiftLeft also contains patterns/anti-patterns of how data is used/abused in interfaces or channels (to and from HTTP/TCP, third-party, database) that can lead to vulnerabilites. The application is built on the Spring Framework and exposes a series of endpoints and APIs for queries and simulating exploits.
From 4e488dbea0610478c8162ff3ae97a89467f29410 Mon Sep 17 00:00:00 2001
From: ShiftLeft
Date: Mon, 28 Mar 2022 11:34:53 -0400
Subject: [PATCH 08/14] adding ShiftLeft GitHub action
From dfbbb4b02f88189872c265e5f7a49a1f252cf82e Mon Sep 17 00:00:00 2001
From: ShiftLeft
Date: Wed, 30 Mar 2022 09:18:53 -0400
Subject: [PATCH 09/14] adding ShiftLeft GitHub action
From b96ca14654be9214254f288019722eb7bf574109 Mon Sep 17 00:00:00 2001
From: ShiftLeft
Date: Wed, 30 Mar 2022 09:18:54 -0400
Subject: [PATCH 10/14] adding ShiftLeft build rules
---
shiftleft.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/shiftleft.yml b/shiftleft.yml
index 495d08ec9..220d4baf4 100644
--- a/shiftleft.yml
+++ b/shiftleft.yml
@@ -3,10 +3,10 @@ build_rules:
finding_types: - vuln - secret
-# - insight
-# - "*"
+ - insight
+ - "*"
severity: - SEVERITY_MEDIUM_IMPACT - SEVERITY_HIGH_IMPACT - SEVERITY_LOW_IMPACT
- threshold: 0
+ threshold: 0
\ No newline at end of file
From bb6ba8ae6a76807428476f44b6a52d0c9ea1a23c Mon Sep 17 00:00:00 2001
From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com>
Date: Thu, 7 Apr 2022 13:53:49 -0400
Subject: [PATCH 11/14] Update shiftleft.yml
---
.github/workflows/shiftleft.yml | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml
index cfb5aa127..60f5c7a1f 100644
--- a/.github/workflows/shiftleft.yml
+++ b/.github/workflows/shiftleft.yml
@@ -1,11 +1,14 @@
----
# This workflow integrates ShiftLeft NG SAST with GitHub
# Visit https://docs.shiftleft.io for help
name: ShiftLeft
on:
- pull_request:
workflow_dispatch:
+ pull_request:
+ push:
+ branches:
+ - main
+ - master
jobs:
NextGen-Static-Analysis:
@@ -56,4 +59,4 @@ jobs:
env:
SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
-
\ No newline at end of file
+
From 85b03cdbe7171a6a699cc300a7c343c498403964 Mon Sep 17 00:00:00 2001
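Review bot: Uncommenting `- "*"` under `finding_types` makes the explicit `vuln`, `secret` and `insight` entries redundant, and together with all three severities and `threshold: 0` the `allow-zero-findings` rule now fails the build on any finding of any kind, including low-impact insights; if that is the intended gate, a comment such as `# fail on any finding, any type, any severity` would make it explicit. The rewritten `threshold: 0` line also drops the file's trailing newline (`\ No newline at end of file`), which is worth restoring.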
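Review bot: With the new `push` trigger for `main` and `master`, `github.head_ref` is empty and `github.event.number` is undefined on those runs, so the `Build-Rules` job (outside this hunk) passes an empty `--github-pr-number=` and, because `steps.extract_branch` belongs to the other job, an empty `--branch` as well. Expose the branch as a job output of `NextGen-Static-Analysis` and read it through `needs.NextGen-Static-Analysis.outputs.branch`, and guard the PR-specific flags with `if: github.event_name == 'pull_request'` on that step. Removing the leading `---` document marker is harmless.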
From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com>
Date: Thu, 7 Apr 2022 14:02:45 -0400
Subject: [PATCH 12/14] Update shiftleft.yml
---
.github/workflows/shiftleft.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml
index 60f5c7a1f..9bad789a2 100644
--- a/.github/workflows/shiftleft.yml
+++ b/.github/workflows/shiftleft.yml
@@ -49,7 +49,7 @@ jobs:
curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl - name: Validate Build Rules run: |
- ${GITHUB_WORKSPACE}/sl check-analysis --app shiftleft-java-demo \
+ ${GITHUB_WORKSPACE}/sl check-analysis --v2 --app shiftleft-java-demo \
--branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" \ --report \ --github-pr-number=${{github.event.number}} \
From 1e5d3532d463e73af2de23109618a191640dac08 Mon Sep 17 00:00:00 2001
From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com>
Date: Thu, 7 Apr 2022 14:10:44 -0400
Subject: [PATCH 13/14] Update shiftleft.yml
---
.github/workflows/shiftleft.yml | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml
index 9bad789a2..521148383 100644
--- a/.github/workflows/shiftleft.yml
+++ b/.github/workflows/shiftleft.yml
@@ -51,11 +51,12 @@ jobs:
run: |
${GITHUB_WORKSPACE}/sl check-analysis --v2 --app shiftleft-java-demo \ --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" \
- --report \
- --github-pr-number=${{github.event.number}} \
- --github-pr-user=${{ github.repository_owner }} \
- --github-pr-repo=${{ github.event.repository.name }} \
- --github-token=${{ secrets.GITHUB_TOKEN }}
+ --report
+
+ #--github-pr-number=${{github.event.number}} \
+ #--github-pr-user=${{ github.repository_owner }} \
+ #--github-pr-repo=${{ github.event.repository.name }} \
+ #--github-token=${{ secrets.GITHUB_TOKEN }}
env:
SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
From f95e8e08467488b153328ff06a222f5810f3e944 Mon Sep 17 00:00:00 2001
From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com>
Date: Mon, 11 Apr 2022 08:50:19 -0400
Subject: [PATCH 14/14] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index b8cb5decd..9c05128cf 100644
--- a/README.md
+++ b/README.md
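Review bot: The four `#--github-…` lines left inside the `run: |` block are shell comments, but `${{ }}` expressions are substituted by the runner when it generates the script, so `${{ secrets.GITHUB_TOKEN }}` is still expanded into the script text even on a commented line. Delete the lines instead of commenting them (history keeps them), which also drops the now-meaningless trailing `\` continuations. Whether `--report` still has somewhere to post without the PR arguments is not visible here and should be confirmed against the CLI's documentation.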
@@ -1,4 +1,4 @@
-# HelloShiftLeft - Shiftleft-chuck (edit)
+# HelloShiftLeft - Shiftleft-chuck (edit - 04-11-22)
This is a demo application which provides a real world representation of a REST service that uses a mix of convention and configuration to simulate a decent set of vulnerabilities exposed in the code. It includes scenarios such as sensitive data leaking to logs, data secrets leaks, authentication bypass, remote code execution, XSS vulnerabilites etc. The sample sensitive data is a mix of financial data such as account information, medical data of patients, and other PII data such as customer information. HelloShiftLeft also contains patterns/anti-patterns of how data is used/abused in interfaces or channels (to and from HTTP/TCP, third-party, database) that can lead to vulnerabilites. The application is built on the Spring Framework and exposes a series of endpoints and APIs for queries and simulating exploits.