Add workflow app support

.github/workflows/nigthlySecurityScan.yml

@@ -0,0 +1,47 @@
+name: Veracode Security Scan
+
+on: 
+  pull_request:
+    branches:
+      - main
+  schedule:
+    - cron: 0 4 * * *
+  workflow_dispatch:
+
+jobs:
+  veracode-sca-task:
+    runs-on: ubuntu-latest
+    name: Veracode SCA scan
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Run Veracode SCA
+        env:
+          SRCCLR_API_TOKEN: ${{ secrets.SRCCLR_API_TOKEN }}
+        uses: veracode/veracode-sca@v2.1.9
+
+  veracode-sast-task:
+    runs-on: ubuntu-latest
+    name: Veracode SAST policy scan
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: create new package-lock.json
+        run: npm install
+      - name: ZIP source folder
+        run: zip -r app.zip *.js package-lock.json -x node_modules -x doc -x test -x helpers -x .vscode
+      - name: Run Veracode Policy scan
+        uses: veracode/veracode-uploadandscan-action@0.2.6
+        with:
+          appname: 'GitHub Flaws to Issues Action'
+          createprofile: true
+          filepath: 'app.zip'
+          scantimeout: 30
+          vid: '${{ secrets.API_ID }}'
+          vkey: '${{ secrets.API_KEY }}'
+
+
+
+

.gitignore

@@ -5,3 +5,8 @@
 
 # helper test output
 helpers/flaws*
+Archive.zip
+package-lock.json
+.DS_Store
+Archive.zip
+.DS_Store

README.md

@@ -11,7 +11,13 @@ Note that when Issues are added, a tag is inserted into the Issue title.  The ta
 For a Policy or Sandbox scan, this is done with the Findings REST API call, see [Findings REST API](https://help.veracode.com/r/c_findings_v2_intro).
 
 Note that when Issues are added, a tag is inserted into the Issue title.  The tag is of the form `[VID:<flaw_number>]`.  This tag is used to prevent duplicate issues from getting created.  
-
+
+## Pull request decoration  
+This action now supports pull request decoration. Once an issue is generated and the job runs on a PR, the issue will automatically be linked to the PR. This is done for easy review and an easy approval process.  
+
+## Fail the build upon findings  
+As this job needs to run after a Veracode pipeline/sandbox/policy scan, the scan job cannot fail the pipeline upon findings as otherwiese the following job, this flaws-to-issues job, won't be started. In order to still fail the pipeline this action now includes and option to fail the pipeline upon findings. Make sure you pass the correct pipelins-scan results or download the correct sandbox/policy scan results (most probably all unmitigated, policy relevant findings) to fail the pipeline.  
+
 ---
 
 ## Inputs
@@ -22,15 +28,75 @@ Note that when Issues are added, a tag is inserted into the Issue title.  The ta
 |Default value |  `"filtered_results.json"`|
 --- | ---
 
-### `github-token`
-
-**Required** GitHub token needed to access the repo.  Normally, when run in a Workflow, use the `{{ secrets.GITHUB-TOKEN }}` that is created by GitHub.  See [here](https://docs.github.com/en/actions/reference/authentication-in-a-workflow) for further information.
-
 ### `wait-time`
 
 **Optional** GitHub (at least the free/public version) has a rate limiter to prevent a user from adding Issues too quickly.  This value is used to insert a small delay between each new issue created so as to not trip the rate limiter.  This value sets the number of seconds between each issue.  See [here](https://docs.github.com/en/rest/guides/best-practices-for-integrators#dealing-with-rate-limits) for additional information.
 | Default value | `"2"` |
 --- | ---
+
+### `source_base_path_1`, `source_base_path_2`, `source_base_path_3`
+
+**Optional** In some compilations, the path representation is not the same as the repository root folder. In order to add the ability to navigate back from the scanning issue to the file in the repository, a base path to the source is required. The input format is regex base (`"[search pattern]:[replace with pattern]"`).
+| Default value | `""` |
+--- | ---  
+
+Example:  
+```yml
+source-base-path-1: "^com/veracode:src/main/java/com/veracode"
+source-base-path-2: "^WEB-INF:src/main/webapp/WEB-INF"
+```  
+
+### `fail_build`
+
+**Optional** If a previous task run and was set to `fail_build: false` as you need to run this `flaws-to-issues` action after the scan is finished but you still need to fail the pipeline based on findings from a Veracode scan, this option is require to be set to `true`.
+| Default value | `""` |
+--- | ---   
+
+---
+
+## Permissions
+
+If you get an error like:
+
+```
+Failure at Error: Error 404 creating VeracodeFlaw label "VeracodeFlaw: Very High": Not Found
+```
+Or:
+```
+Failure at Error: Error 403 creating VeracodeFlaw label "VeracodeFlaw: Very High": Resource not accessible by integration
+```
+
+It is likely that something is wrong with the permissions for the token provided to the action (GitHub API responds with 403 or 404 if there are permission issues).
+
+### GITHUB_TOKEN
+
+This action requires `issues: write` of all (new) Personal Access Tokens, including the automatically generated `GITHUB_TOKEN`.
+
+If you do not add anything to the YAML, by default the `GITHUB_TOKEN` will be used and it will not be given "write" rights to "issues".
+
+You can [change the default permissions](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository), but this would apply to all workflows in your repository and we generally don't recommend this
+
+To follow the Principle of Least Privilege we recommend only granting the permission to the job in the job configuration by including [job.<job_id>.permissions](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions):
+
+```
+    permissions:
+      issues: write
+```
+
+
+### Your own token
+
+You can specify your own token with the `github-token` argument:
+```
+        with:
+          github-token: ${{ secrets.MY_TOKEN }}
+```
+
+If this is a Classic token this token must have the `repo` scope.
+[You can check this with curl](https://stackoverflow.com/a/70588035).
+
+If this is a new 'fine-grained, repository-scoped token' you will need to ensure that for the given repository it says "Read and Write access to issues".
+[You can check that here](https://github.com/settings/tokens?type=beta)
 
 ## Example usage
 
@@ -39,48 +105,43 @@ Note that when Issues are added, a tag is inserted into the Issue title.  The ta
 ```yaml
   . . . 
 # This first step is assumed to exist already in your Workflow
-  scan:
-    runs-on: ubuntu-latest
-    container: 
-      image: veracode/pipeline-scan:latest
-      options: --user root
-    steps:
-      - name: get archive
-        uses: actions/download-artifact@v2
-        with:
-          name: scan-target
-          path: /tmp
-
-      - name: scan
-        run: |
-          java -jar /opt/veracode/pipeline-scan.jar \
-              -vid ${{ secrets.VERACODE_API_ID }}   \
-              -vkey ${{ secrets.VERACODE_API_KEY }} \
-              --file /tmp/upload.zip                \
-              --fail_on_severity="Very High,High"   \
-        continue-on-error: true
-
-      - name: save filtered results file
-        uses: actions/upload-artifact@v2
-        with:
-          name: filtered-results
-          path: filtered_results.json
+  pipeline_scan:
+      needs: build
+      runs-on: ubuntu-latest
+      name: pipeline scan
+      steps:
+        - name: checkout repo
+          uses: actions/checkout@v3
+
+        - name: get archive
+          uses: actions/download-artifact@v3
+          with:
+            name: verademo.war
+        - name: pipeline-scan action step
+          id: pipeline-scan
+          uses: veracode/Veracode-pipeline-scan-action@pipeline-scan-beta-v0.0.4
+          with:
+            vid: ${{ secrets.VID }}
+            vkey: ${{ secrets.VKEY }}
+            file: "verademo.war" 
+            fail_build: false
 
 # This step will import the flaws from the step above
   import-issues:
     needs: scan
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     steps:
       - name: get scan results
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v3
         with:
           name: filtered-results
 
       - name: import flaws as issues
-        uses: buzzcode/veracode-flaws-to-issues@v1
+        uses: veracode/veracode-flaws-to-issues@v2.1.19
         with:
           scan-results-json: 'filtered_results.json'
-          github-token: ${{ secrets.GITHUB_TOKEN }}
 ```
 
 ### Policy/Sandbox scan
@@ -111,7 +172,7 @@ Note that when Issues are added, a tag is inserted into the Issue title.  The ta
           http --auth-type veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/${guid}/findings?scan_type=STATIC&violates_policy=True&size=${total_flaws}" > policy_flaws.json
 
       - name: save results file
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: policy-flaws
           path: /tmp/policy_flaws.json
@@ -120,16 +181,17 @@ Note that when Issues are added, a tag is inserted into the Issue title.  The ta
   import-policy-flaws:
     needs: get-policy-flaws
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     steps:
       - name: get flaw file
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v3
         with:
           name: policy-flaws
           path: /tmp
 
       - name: import flaws as issues
-        uses: buzzcode/veracode-flaws-to-issues@v1
+        uses: veracode/veracode-flaws-to-issues@v2.1.19
         with:
           scan-results-json: '/tmp/policy_flaws.json'
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-```
+```

SECURITY.md

@@ -0,0 +1,19 @@
+# Our Commitment to Security
+
+Veracode was founded on the idea that companies should be able to access technology that allows them to scan their software for vulnerabilities so that they can identify them, fix them and improve their security. Since that time, we have created new technologies and services to enable our customers to scan for flaws in along the entire software development lifecycle, seeing results in seconds or minutes, to allow them to code securely while also remaining on schedule with continuous release cycles.
+
+Veracode envisions a world where the software fueling our economic growth and solving society's greatest challenges is developed secure from the start.
+
+We value transparency in the security industry and openness with sharing information that could improve security for every organization. Veracode is committed to engaging the research community in a professional, positive and agreeable manner that protects our company and our customers.
+
+As such, we encourage and welcome anyone who believes he or she has identified a vulnerability to contact us with security concerns or pertinent information to the integrity, functionality or confidentiality of our software.
+
+The terms below apply to any website, application or service distributed by or hosted by Veracode, Inc.
+
+Please use the email address  [**security-alerts@veracode.com**](mailto:security-alerts@veracode.com?subject=Responsible%20Disclosure%20Notice&body=URL(s)/Application(s)%20Impacted:%0A%0ASuspected%20Vulnerability%20Details:%0A%0ADescription%20of%20how%20the%20Vulnerability%20was%20found:%0A%0AContact%20Information:%0A%0AAny%20other%20relevant%20information:%0A%0A)  to alert us to:
+
+-   Vulnerabilities or breaches in our software or environments which threaten the confidentiality, integrity or availability of our data, software, or services, or our customers’ data
+-   Applications that mimic, mislabel, misdirect, or "copycat" Veracode, or phishing attacks even if they do not originate from Veracode sources
+-   Written or verbal discussion, activities, or data in any public forum which you believe constitutes a threat to Veracode, our employees or our customers
+
+For more, please refer to our [**Responsible Disclosure Policy**](https://www.veracode.com/legal-privacy/responsible-disclosure-policy)

action.yml

@@ -1,4 +1,4 @@
-name: 'Veracode scan results to GitHub issues'
+name: 'Veracode scan results to GitHub issues Action'
 description: 'Import the results of a Veracode scan as Issues for a repo'
 inputs:
   scan-results-json:
@@ -7,6 +7,7 @@ inputs:
     default: 'filtered_results.json'
   github-token:
     description: 'GitHub token to access the repo'
+    default: ${{ github.token }}
     required: true
   wait-time:
     description: 'Delay (in seconds) between entering Issues into GitHub (due to rate limiting)'
@@ -21,9 +22,16 @@ inputs:
   source_base_path_3:
     description: 'Rewrite 3'
     required: false
-  commit-hash:
-    description: 'Commit Hash'
+  repo_owner:
+    description: 'repo owner'
     required: false
+  fail_build:
+    description: fail pipeline upon findings (true | false)
+    required: false
+  debug:
+    description: enable debug logging
+    required: false
+
 runs:
-  using: 'node12'
-  main: 'index.js'
+  using: 'node20'
+  main: 'index.js'

importer.js

@@ -3,6 +3,7 @@
 // 
 
 const fs = require('fs');
+const core = require('@actions/core');
 const processPipelineFlaws = require('./pipeline').processPipelineFlaws;
 const processPolicyFlaws = require('./policy').processPolicyFlaws;
 const label = require('./label');
@@ -21,6 +22,10 @@ async function importFlaws(options) {
     const source_base_path_2 = options.source_base_path_2; 
     const source_base_path_3 = options.source_base_path_3;
     const commit_hash = options.commit_hash;
+    const fail_build = options.fail_build;
+    const isPR = options.isPR
+    const debug = options.debug
+    var internal_flaw_count = 0
     var flawData;
 
     // basic sanity checking
@@ -61,18 +66,36 @@ async function importFlaws(options) {
 
     label.buildSeverityXref();          // TODO: cleanup, merge into label init?
 
+
     // process the flaws
     if(scanType == 'pipeline') {
         await processPipelineFlaws(options, flawData)
         .then (count => {
+            internal_flaw_count = count
             console.log(`Done.  ${count} flaws processed.`);
         })
     } else {
+        if ( debug == "true" ){
+            core.info('#### DEBUG START ####')
+            core.info('importer.js')
+            console.log("isPr?: "+isPR)
+            core.info('#### DEBUG END ####')
+        }
         await processPolicyFlaws(options, flawData)
         .then (count => {
             console.log(`Done.  ${count} flaws processed.`);
+            internal_flaw_count = count
         })
     }
+
+    // add break build functionality
+    if ( fail_build == "true" ){
+        if ( internal_flaw_count > 0 ){
+            console.log('There are Veracode flaws found that require the build to fail, please review generated GitHub issues')
+            core.setFailed('There are Veracode flaws found that require the build to fail, please review generated GitHub issues')
+        }
+    }
 }
 
+
 module.exports = { importFlaws };