Merge pull request #34 from julz0815/development

Development

.github/workflows/development_branch.yml

@@ -8,15 +8,11 @@ on:
     branches: [ development ]
 
 
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
-  # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter
-  build-and-security-scan:
-    # The type of runner that the job will run on
+  # This step will build the maven application
+  build:
     runs-on: ubuntu-latest
     steps:
-
-    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it, compiles with maven and copies the .war file for submitting for analysis. Replace this section with your applications build steps
     - uses: actions/checkout@v2
     - uses: actions/setup-java@v1
       with: 
@@ -33,38 +29,93 @@ jobs:
       with:
         name: verademo.war
         path: target/verademo.war
-
-    # download the Veracode Static Analysis Pipeline scan jar
-    - uses: wei/curl@master
-      with:
-        args: -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
-    - run: unzip -o pipeline-scan-LATEST.zip
-
-    # run the Veracode Pipeline scan
+
+
+  # This step will run the Veracode pipeline scan 
+  pipeline-scan:
+    needs: build
+    runs-on: ubuntu-latest
+    container: 
+      image: veracode/pipeline-scan:latest
+      options: --user root
+    steps:
+      - name: get archive
+        uses: actions/download-artifact@v2
+        with:
+          name: verademo.war
+          path: /tmp
+      - name: pipeline-scan
+        run: | 
+          java -jar /opt/veracode/pipeline-scan.jar \
+            -vid "${{secrets.VERACODE_API_ID}}" \
+            -vkey "${{secrets.VERACODE_API_KEY}}" \
+            --fail_on_severity="Very High, High" \
+            --file /tmp/verademo.war \
+            -jf results.json \
+            -fjf filtered_results.json 
+        continue-on-error: true
+      - name: save standard results
+        uses: actions/upload-artifact@v1
+        with:
+          name: PipelineScanResults
+          path: results.json
+      - name: save filtered results
+        uses: actions/upload-artifact@v1
+        with:
+          name: filtered-results
+          path: filtered_results.json
+
+
+  # Convert Pipeline scan results to the SARFI format  
+  import-findings-to-code-scanning-alerts:
+    needs: pipeline-scan
+    runs-on: ubuntu-latest
+    steps:  
+      - name: get scan results
+        uses: actions/download-artifact@v2
+        with:
+          name: PipelineScanResults
+      - name: Convert pipeline scan output to SARIF format 
+        id: convert
+        uses: veracode/veracode-pipeline-scan-results-to-sarif@v0.1.5
+        with:
+          pipeline-results-json: results.json
+          source-base-path-1: "^com/veracode:src/main/java/com/veracode"
+          source-base-path-2: "^WEB-INF:src/main/webapp/WEB-INF"
+      - uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: veracode-results.sarif
+
+  # Create issues from piepline scan
+  import-issues:
+    needs: pipeline-scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: get scan results
+        uses: actions/download-artifact@v2
+        with:
+          name: filtered-results
+
+      - name: import flaws as issues
+        uses: buzzcode/veracode-flaws-to-issues@v1
+        with:
+          scan-results-json: 'filtered_results.json'
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+
+  # Run a Software Composition Analysis scan
+  software-composition-analysis:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
     - uses: actions/setup-java@v1
-      with:
+      with: 
         java-version: 1.8
-    - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file target/verademo.war
-      continue-on-error: true
-    - uses: actions/upload-artifact@v1
-      with:
-        name: PipelineScanResults
-        path: results.json
-
-    # Convert Pipeline scan results to the SARFI format    
-    - name: Convert pipeline scan output to SARIF format 
-      id: convert
-      uses: veracode/veracode-pipeline-scan-results-to-sarif@v0.1.5
-      with:
-        pipeline-results-json: results.json
-        source-base-path-1: "^com/veracode:src/main/java/com/veracode"
-        source-base-path-2: "^WEB-INF:src/main/webapp/WEB-INF"
-    - uses: github/codeql-action/upload-sarif@v1
+    - name: Cache Maven packages
+      uses: actions/cache@v2
       with:
-        # Path to SARIF file relative to the root of the repository
-        sarif_file: veracode-results.sarif
-
-    # Run a Software Composition Analysis scan
+        path: ~/.m2
+        key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
     - run: curl -sSL https://download.sourceclear.com/ci.sh | bash -s scan . --update-advisor 2>&1 | tee sca_output.txt
       env:
         SRCCLR_API_TOKEN: ${{secrets.SRCCLR_API_TOKEN}}

.github/workflows/feature_branch.yml

@@ -10,15 +10,11 @@ on:
 
 
 
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
-  # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter
-  build-and-security-scan:
-    # The type of runner that the job will run on
+  # This will build the Java application
+  build:
     runs-on: ubuntu-latest
     steps:
-
-    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it, compiles with maven and copies the .war file for submitting for analysis. Replace this section with your applications build steps
     - uses: actions/checkout@v2
     - uses: actions/setup-java@v1
       with: 
@@ -36,55 +32,115 @@ jobs:
         name: verademo.war
         path: target/verademo.war
 
-    # Upload and Scan with Veracode (Sandbox scan)
-    - name: Veracode Upload and Scan Action Step
-      uses: veracode/veracode-uploadandscan-action@0.2.1
-      id: upload_and_scan
-      with:
-        appname: 'Verademo'
-        version: '${{ github.run_id }}'
-        filepath: 'target/verademo.war'
-        vid: '${{ secrets.VERACODE_API_ID }}'
-        vkey: '${{ secrets.VERACODE_API_KEY }}'
-        createsandbox: true
-        sandboxname: 'Github - ${{ github.ref }}'
+  # Upload and Scan with Veracode (Sandbox scan)
+  veracode-sandbox-scan:
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Veracode Upload and Scan Action Step
+        uses: veracode/veracode-uploadandscan-action@0.2.1
+        id: upload_and_scan
+        with:
+          appname: 'Verademo'
+          version: '${{ github.run_id }}'
+          filepath: 'target/verademo.war'
+          vid: '${{ secrets.VERACODE_API_ID }}'
+          vkey: '${{ secrets.VERACODE_API_KEY }}'
+          createsandbox: true
+          sandboxname: 'Github - ${{ github.ref }}'
 
 
-    - name: Invoke deployment hook
-      uses: distributhor/workflow-webhook@v1
-      env:
-        webhook_type: 'json-extended'
-        webhook_url: https://a6mp4czm6k.execute-api.eu-central-1.amazonaws.com/dev/github
-        webhook_secret: ${{ secrets.WEBHOOK_SECRET }}
-        data: '{"commit":"${{github.sha}}","run_id":"${{github.run_id}}","veracode_app_name":"Verademo","veracode_sandbox_name":"Github - ${{ github.ref }}"}' 
-
-
-
-    # Import flaws into code scanning alerts
-#    - name: Veracode Flaw Importer
-#      if: ${{ failure() }}
-#      uses: julz0815/veracode_flaw_importer@main
+#    - name: Invoke deployment hook
+#      uses: distributhor/workflow-webhook@v1
 #      env:
-#        VERACODE_API_KEY_ID: '${{ secrets.VERACODE_API_ID }}'
-#        VERACODE_API_KEY_SECRET: '${{ secrets.VERACODE_API_KEY }}'
-#      id: import_flaws
-#      with:
-#        app_name: 'Verademo'
-#        sandbox_name: 'Github - ${{ github.ref }}'
+#        webhook_type: 'json-extended'
+#        webhook_url: https://a6mp4czm6k.execute-api.eu-central-1.amazonaws.com/dev/github
+#        webhook_secret: ${{ secrets.WEBHOOK_SECRET }}
+#        data: '{"commit":"${{github.sha}}","run_id":"${{github.run_id}}","veracode_app_name":"Verademo","veracode_sandbox_name":"Github - ${{ github.ref }}"}' 
 
-#    - uses: actions/upload-artifact@master
-#      if: ${{ failure() }}
-#      with:
-#        name: flaws
-#        path: /home/runner/work/Verademo/Verademo/fullResults.json
-#    - uses: github/codeql-action/upload-sarif@v1
-#      if: ${{ failure() }}
-#      with:
-#        # Path to SARIF file relative to the root of the repository
-#        sarif_file: fullResults.json
 
 
-    # Run a Software Composition Analysis scan
+  # Import flaws into code scanning alerts
+  import-flaws-code-scanning-alerts:
+    runs-on: ubuntu-latest
+    needs: veracode-sandbox-scan
+    steps:
+      - name: Veracode Flaw Importer
+        if: ${{ failure() }}
+        uses: julz0815/veracode_flaw_importer@main
+        env:
+          VERACODE_API_KEY_ID: '${{ secrets.VERACODE_API_ID }}'
+          VERACODE_API_KEY_SECRET: '${{ secrets.VERACODE_API_KEY }}'
+        id: import_flaws
+        with:
+          app_name: 'Verademo'
+          sandbox_name: 'Github - ${{ github.ref }}'
+
+      - uses: actions/upload-artifact@master
+        if: ${{ failure() }}
+        with:
+          name: flaws
+          path: /home/runner/work/Verademo/Verademo/fullResults.json
+      - uses: github/codeql-action/upload-sarif@v1
+        if: ${{ failure() }}
+        with:
+          sarif_file: fullResults.json
+
+
+# Import flaws as issues
+  get-policy-flaws:
+    runs-on: ubuntu-latest
+    needs: veracode-sandbox-scan
+    container: 
+      image: veracode/api-signing:latest
+    steps:
+      - name: get policy flaws
+        run: |
+          cd /tmp
+          export VERACODE_API_KEY_ID=${{ secrets.VERACODE_API_ID }}
+          export VERACODE_API_KEY_SECRET=${{ secrets.VERACODE_API_KEY }}
+          guid=$(http --auth-type veracode_hmac GET "https://api.veracode.com/appsec/v1/applications?name=Verademo" | jq -r '._embedded.applications[0].guid') 
+          echo GUID: ${guid}
+          total_flaws=$(http --auth-type veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/${guid}/findings?scan_type=STATIC&violates_policy=True" | jq -r '.page.total_elements')
+          echo TOTAL_FLAWS: ${total_flaws}
+          http --auth-type veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/${guid}/findings?scan_type=STATIC&violates_policy=True&size=${total_flaws}" > policy_flaws.json
+
+      - name: save results file
+        uses: actions/upload-artifact@v2
+        with:
+          name: policy-flaws
+          path: /tmp/policy_flaws.json
+
+# This step will import flaws from the step above
+  import-policy-flaws:
+    needs: get-policy-flaws
+    runs-on: ubuntu-latest
+    steps:
+      - name: get flaw file
+        uses: actions/download-artifact@v2
+        with:
+          name: policy-flaws
+          path: /tmp
+
+      - name: import flaws as issues
+        uses: buzzcode/veracode-flaws-to-issues@v1
+        with:
+          scan-results-json: '/tmp/policy_flaws.json'
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+  # Run a Software Composition Analysis scan
+  software-composition-analysis:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - uses: actions/setup-java@v1
+      with: 
+        java-version: 1.8
+    - name: Cache Maven packages
+      uses: actions/cache@v2
+      with:
+        path: ~/.m2
+        key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
     - run: curl -sSL https://download.sourceclear.com/ci.sh | bash -s scan . --update-advisor 2>&1 | tee sca_output.txt
       env:
         SRCCLR_API_TOKEN: ${{secrets.SRCCLR_API_TOKEN}}

pipeline-basline.json

@@ -0,0 +1,55 @@
+{
+  "_links": {
+    "root": {
+      "href": "/"
+    },
+    "self": {
+      "href": "/scans/a895828c-bfed-4c4b-9c47-d5b8e341ccc1/findings"
+    },
+    "help": {
+      "href": "https://help.veracode.com/reader/tS9CaFwL4_lbIEWWomsJoA/ovfZGgu96UINQxIuTqRDwg"
+    }
+  },
+  "scan_id": "a895828c-bfed-4c4b-9c47-d5b8e341ccc1",
+  "scan_status": "SUCCESS",
+  "message": "Scan successful. Results size: 330779 bytes",
+  "modules": [
+    "verademo.war",
+    "JS files within verademo.war"
+  ],
+  "modules_count": 2,
+  "findings": [
+    {
+      "title": "java.lang.Runtime.exec",
+      "issue_id": 1246,
+      "gob": "B",
+      "severity": 5,
+      "issue_type_id": "taint",
+      "issue_type": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
+      "cwe_id": "78",
+      "display_text": "\u003cspan\u003eThis call to java.lang.Runtime.exec() contains a command injection flaw.  The argument to the function is constructed using untrusted input.  If an attacker is allowed to specify all or part of the command, it may be possible to execute commands on the server with the privileges of the executing process.  The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to exec() contains tainted data from the variables (new String\\[...\\]). The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry.\u003c/span\u003e \u003cspan\u003eValidate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.  When using blocklists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters.  Most APIs that execute system commands also have a \"safe\" version of the method that takes an array of strings as input rather than a single string, which protects against some forms of command injection.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/78.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://www.owasp.org/index.php/Command_Injection\"\u003eOWASP\u003c/a\u003e \u003ca href\u003d\"https://webappsec.pbworks.com/OS-Commanding\"\u003eWASC\u003c/a\u003e\u003c/span\u003e",
+      "files": {
+        "source_file": {
+          "file": "com/veracode/verademo/controller/ToolsController.java",
+          "line": 91,
+          "function_name": "fortune",
+          "qualified_function_name": "com.veracode.verademo.controller.ToolsController.fortune",
+          "function_prototype": "java.lang.String fortune(java.lang.String)",
+          "scope": "com.veracode.verademo.controller.ToolsController"
+        }
+      },
+      "flaw_match": {
+        "procedure_hash": "2161030689",
+        "prototype_hash": "3827778930",
+        "flaw_hash": "3753823106",
+        "flaw_hash_count": 1,
+        "flaw_hash_ordinal": 1,
+        "cause_hash": "4165693487",
+        "cause_hash_count": 1,
+        "cause_hash_ordinal": 1
+      }
+    }
+  ],
+  "pipeline_scan": "21.1.2-0",
+  "dev_stage": "DEVELOPMENT"
+}

readme.md

@@ -1,4 +1,4 @@
-# VeraDemo - Blab-a-Gag
+# VeraDemo - Blab-a-Gag. 
 
 ## About