diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 901d76deea..a36064cfa0 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1 +1,2 @@
-* @snyk/devrel
+* @gjofili
+TESTE.md @lucardosobr
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
deleted file mode 100644
index 3ebc0c31fb..0000000000
--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
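Review bot: The catch-all `*` rule now names a single user, `@gjofili`, instead of the `@snyk/devrel` team, so any branch-protection rule that requires code-owner review (TESTE.md suggests approvals are being enabled) collapses to one reviewer who also cannot approve their own pull requests. Prefer a team for the catch-all pattern using the `@org/team-name` form so ownership survives one person's absence. Note that CODEOWNERS applies the last matching rule, so `TESTE.md @lucardosobr` makes that user the sole owner of the file and `@gjofili` is not required on it; confirm that is intended.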
@@ -1,71 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: "CodeQL"
-
-on:
- push:
- branches: [ master ]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: [ master ]
- schedule:
- - cron: '32 19 * * 4'
-
-jobs:
- analyze:
- name: Analyze
- runs-on: ubuntu-latest
- permissions:
- actions: read
- contents: read
- security-events: write
-
- strategy:
- fail-fast: false
- matrix:
- language: [ 'javascript' ]
- # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
- # Learn more:
- # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v3
-
- # Initializes the CodeQL tools for scanning.
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v1
- with:
- languages: ${{ matrix.language }}
- # If you wish to specify custom queries, you can do so here or in a config file.
- # By default, queries listed here will override any specified in a config file.
- # Prefix the list here with "+" to use these queries and those in the config file.
- # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
- # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
- # If this step fails, then you should remove it and run the build manually (see below)
- - name: Autobuild
- uses: github/codeql-action/autobuild@v1
-
- # ℹ️ Command-line programs to run using the OS shell.
- # 📚 https://git.io/JvXDl
-
- # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
- # and modify them (or add more) to build your code if your project
- # uses a compiled language
-
- #- run: |
- # make bootstrap
- # make release
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v1
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
new file mode 100644
index 0000000000..9efde5a63d
--- /dev/null
+++ b/.github/workflows/gitleaks.yml
@@ -0,0 +1,19 @@
+name: gitleaks
+on:
+ pull_request:
+ push:
+ workflow_dispatch:
+ schedule:
+ - cron: "0 4 * * *" # run once a day at 4 AM
+jobs:
+ scan:
+ name: gitleaks
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - uses: gitleaks/gitleaks-action@v2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}} # Only required for Organizations, not personal accounts.
diff --git a/.github/workflows/nuclei.yml b/.github/workflows/nuclei.yml
new file mode 100644
index 0000000000..ac6ddad862
--- /dev/null
+++ b/.github/workflows/nuclei.yml
@@ -0,0 +1,32 @@
+name: Nuclei - Vulnerability Scan
+
+on:
+ schedule:
+ - cron: '0 0 * * *'
+ workflow_dispatch:
+
+jobs:
+ nuclei-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Nuclei - Vulnerability Scan
+ id: nuclei_scan
+ uses: projectdiscovery/nuclei-action@main
+ with:
+ target: https://demo.owasp-juice.shop/
+
+ - name: GitHub Workflow artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: nuclei.log
+ path: nuclei.log
+
+ - name: GitHub Security Dashboard Alerts update
+ uses: github/codeql-action/upload-sarif@v3
+ if: steps.nuclei_scan.outputs.sarif_exists == 'true'
+ with:
+ sarif_file: nuclei.sarif
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
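Review bot: The `scan` job declares no `permissions:` block, so the `GITHUB_TOKEN` handed to `gitleaks/gitleaks-action@v2` carries whatever default the repository grants rather than the minimum the scan needs. Add, under `scan:`, `permissions:` with `contents: read` (and `pull-requests: write` only if the action's PR summary comments are wanted). Both `actions/checkout@v4` and `gitleaks/gitleaks-action@v2` are mutable tags; for a job that reads every commit in history (`fetch-depth: 0`) pin each `uses:` to a full commit SHA with the version in a trailing comment. The expression `${{ secrets.GITLEAKS_LICENSE}}` is missing the space before `}}`; it still evaluates, but match the surrounding style.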
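Review bot: `uses: projectdiscovery/nuclei-action@main` executes whatever that branch points to on every nightly run, so an upstream change or compromise runs inside this repository's workflow with its `GITHUB_TOKEN`; pin it to a release tag or, preferably, a commit SHA. The `upload-sarif` step requires `security-events: write`, which the job never requests, so with a read-only default token the upload is expected to fail — add `permissions:` with `contents: read` and `security-events: write` to `nuclei-scan`. The `target` is `https://demo.owasp-juice.shop/`, a host that is not this repository's application, so any alerts pushed to this repo's Security tab would describe someone else's deployment; if that is deliberate, say so in a comment on the `target:` line.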
diff --git a/.github/workflows/snyk-code-manual.yml b/.github/workflows/snyk-code-manual.yml
deleted file mode 100644
index 0cb48af11c..0000000000
--- a/.github/workflows/snyk-code-manual.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-name: "snyk code manual test"
-on: [push, pull_request]
-
-jobs:
- build:
- name: sarif testing action
- runs-on: ubuntu-latest
- permissions:
- security-events: write
- steps:
- - uses: actions/checkout@v3
- - name: Upload SARIF
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: sarif.json
- # sarif_file: example111.json
diff --git a/.github/workflows/snyk-code.yml b/.github/workflows/snyk-code.yml
deleted file mode 100644
index 6acfa140db..0000000000
--- a/.github/workflows/snyk-code.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-name: "snyk code test"
-on: [push, pull_request]
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - uses: snyk/actions/setup@master
- - name: Snyk Test
- run: snyk code test --org=${{ secrets.SNYK_ORG }} --sarif > snyk-sarif2.json
- continue-on-error: true
- env:
- SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: snyk-sarif2.json
diff --git a/.github/workflows/snyk-test-sarif.yml b/.github/workflows/snyk-test-sarif.yml
deleted file mode 100644
index d583e5aafe..0000000000
--- a/.github/workflows/snyk-test-sarif.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-name: "snyk test"
-on: [push, pull_request]
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - uses: snyk/actions/setup@master
- - name: Snyk Test
- run: snyk test --sarif-file-output=snyk-sarif1.json
- continue-on-error: true
- env:
- SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: snyk-sarif1.json
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
new file mode 100644
index 0000000000..e4d0e54e0c
--- /dev/null
+++ b/.github/workflows/snyk.yml
@@ -0,0 +1,13 @@
+name: Snyk
+on: push
+jobs:
+ Snyk:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@master
+ - name: Run Snyk to check for vulnerabilities
+ uses: snyk/actions/node@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ command: monitor
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
new file mode 100644
index 0000000000..2796c7625d
--- /dev/null
+++ b/.github/workflows/sonarcloud.yml
@@ -0,0 +1,20 @@
+name: Build
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ types: [opened, synchronize, reopened]
+jobs:
+ sonarcloud:
+ name: SonarCloud
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+ - name: SonarCloud Scan
+ uses: SonarSource/sonarcloud-github-action@master
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000000..6b36b820f5
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,25 @@
+name: trivy
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+jobs:
+ build:
+ name: trivy
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - name: Build an image from Dockerfile
+ run: |
+ docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.20.0
+ with:
+ image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
diff --git a/.github/workflows/zap.yml b/.github/workflows/zap.yml
new file mode 100644
index 0000000000..18b336252c
--- /dev/null
+++ b/.github/workflows/zap.yml
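Review bot: This workflow only runs `command: monitor` on `push`; `snyk monitor` records a snapshot in the Snyk dashboard and does not fail the job, so the pull-request-time `snyk test` / `snyk code test` gates that the deleted snyk-code.yml and snyk-test-sarif.yml provided are gone and no Snyk check can block a PR any more. Add `pull_request` to the trigger and a `command: test` step (with `args: --severity-threshold=high` if a gate on only serious findings is wanted) ahead of the monitor step, or keep one of the removed test workflows. Both `actions/checkout@master` and `snyk/actions/node@master` float on a branch; pin them to a release tag or commit SHA, as the other new workflows already do with `actions/checkout@v4`.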
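Review bot: The `push` trigger is filtered to `branches: - main`, but the CodeQL workflow deleted in this same change scanned `master`; if the default branch is still `master`, the push-triggered scan never fires and SonarCloud only ever sees pull-request events. Confirm the default branch name and align the filter (the trivy workflow in this change has the same `main` assumption). `SonarSource/sonarcloud-github-action@master` runs an unpinned branch with `SONAR_TOKEN` and `GITHUB_TOKEN` in its environment; pin it to a released tag or commit SHA, and move `actions/checkout@v3` to `@v4` for consistency with the other new workflows.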
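Review bot: The job runs on `ubuntu-20.04` with `actions/checkout@v2`, a retired hosted-runner image and an old major version of the checkout action, while every other workflow in this change uses `ubuntu-latest` and `actions/checkout@v4`; this scan is the one most likely to stop running or start failing on deprecation. Change them to `runs-on: ubuntu-latest` and `uses: actions/checkout@v4`. Separately, `ignore-unfixed: true` means a CRITICAL finding with no upstream fix never trips `exit-code: '1'`, which is a reasonable trade-off but not an obvious one — add `# unfixed CVEs are reported in the table but do not fail the build` above that line so the scope of the gate is explicit.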
@@ -0,0 +1,15 @@
+on: [push]
+
+jobs:
+ zap_scan:
+ runs-on: ubuntu-latest
+ name: Scan the webapplication
+ steps:
+ - name: ZAP Scan
+ uses: zaproxy/action-baseline@v0.12.0
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
+ target: 'https://demo.owasp-juice.shop/'
+ rules_file_name: '.zap/rules.tsv'
+ cmd_options: '-a'
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..034e848032
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported |
+| ------- | ------------------ |
+| 5.1.x | :white_check_mark: |
+| 5.0.x | :x: |
+| 4.0.x | :white_check_mark: |
+| < 4.0 | :x: |
+
+## Reporting a Vulnerability
+
+Use this section to tell people how to report a vulnerability.
+
+Tell them where to go, how often they can expect to get an update on a
+reported vulnerability, what to expect if the vulnerability is accepted or
+declined, etc.
diff --git a/TESTE.md b/TESTE.md
new file mode 100644
index 0000000000..77731f1226
--- /dev/null
+++ b/TESTE.md
@@ -0,0 +1 @@
+Teste de branch protection v2 - aprovação habilitada
diff --git a/package-lock.json b/package-lock.json
index fef2be2035..d8a4b14a14 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -9,7 +9,7 @@
 "version": "1.0.1",
 "license": "Apache-2.0",
 "dependencies": {
- "adm-zip": "0.4.7",
+ "adm-zip": "^0.4.11",
 "body-parser": "1.9.0",
 "cfenv": "^1.0.4",
 "consolidate": "0.14.5",
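Review bot: `rules_file_name: '.zap/rules.tsv'` points at a file this change does not add, and `target: 'https://demo.owasp-juice.shop/'` is a third-party demo host rather than this repository's application, so the baseline scan on every `push` neither exercises this code nor has the rules file it is configured with (how the action behaves when the file is absent should be verified before relying on it). Either add `.zap/rules.tsv` in the same change or drop the `rules_file_name:` line, and point `target` at a deployed instance of this app. The action is handed `token: ${{ secrets.GITHUB_TOKEN }}` so it can file issues with findings, yet the job declares no `permissions:`; add `permissions:` with `issues: write` and `contents: read` so the job does not depend on the repository default.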
@@ -332,9 +332,10 @@
 }
 },
 "node_modules/adm-zip": {
- "version": "0.4.7",
- "resolved": "https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.7.tgz",
- "integrity": "sha1-hgbCy/HEJs6MjsABdER/1Jtur8E=",
+ "version": "0.4.11",
+ "resolved": "https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.11.tgz",
+ "integrity": "sha512-L8vcjDTCOIJk7wFvmlEUN7AsSb8T+2JrdP7KINBjzr24TJ5Mwj590sLu3BC7zNZowvJWa/JtPmD8eJCzdtDWjA==",
+ "license": "MIT",
 "engines": {
 "node": ">=0.3.0"
 }
@@ -12832,9 +12833,9 @@
 "dev": true
 },
 "adm-zip": {
- "version": "0.4.7",
- "resolved": "https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.7.tgz",
- "integrity": "sha1-hgbCy/HEJs6MjsABdER/1Jtur8E="
+ "version": "0.4.11",
+ "resolved": "https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.11.tgz",
+ "integrity": "sha512-L8vcjDTCOIJk7wFvmlEUN7AsSb8T+2JrdP7KINBjzr24TJ5Mwj590sLu3BC7zNZowvJWa/JtPmD8eJCzdtDWjA=="
 },
 "agent-base": {
 "version": "4.3.0",
diff --git a/package.json b/package.json
index d5f9362a36..755181715a 100644
--- a/package.json
+++ b/package.json
@@ -15,7 +15,7 @@
 "test": "snyk test"
 },
 "dependencies": {
- "adm-zip": "0.4.7",
+ "adm-zip": "0.4.11",
 "body-parser": "1.9.0",
 "cfenv": "^1.0.4",
 "consolidate": "0.14.5",
diff --git a/pull_request_template.md b/pull_request_template.md
new file mode 100644
index 0000000000..27013ab75f
--- /dev/null
+++ b/pull_request_template.md
@@ -0,0 +1,9 @@
+## Descreve sua mudança
+
+## Número do ticket
+
+## Checklist de segurança
+- [ ] O código possui codificação de saída adequada
+- [ ] O código não possui string concatenada em query
+- [ ] O código não possui credenciais hardcoded
+- [ ] O código fraz validação de entrada adquada
diff --git a/sonar-project.properties b/sonar-project.properties
new file mode 100644
index 0000000000..baff1acd36
--- /dev/null
+++ b/sonar-project.properties
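Review bot: `package.json` now pins `"adm-zip": "0.4.11"` while the root dependency entry updated in the package-lock.json hunk above reads `"adm-zip": "^0.4.11"`; the two specs disagree, and `npm ci` on npm 7+ compares exactly these entries and may refuse to install with its "package.json and package-lock.json are not in sync" error. Use one spec in both files — either write `"adm-zip": "^0.4.11"` in package.json or keep the exact pin and regenerate the lockfile with `npm install` so its root entry matches.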
@@ -0,0 +1,13 @@
+sonar.projectKey=gjofili_nodejs-goof
+sonar.organization=gjofili
+
+# This is the name and version displayed in the SonarCloud UI.
+#sonar.projectName=nodejs-goof
+#sonar.projectVersion=1.0
+
+
+# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
+#sonar.sources=.
+
+# Encoding of the source code. Default is default system encoding
+#sonar.sourceEncoding=UTF-8