From 54ede7e97543c5cb5e4cf30f7894d6bde6303da8 Mon Sep 17 00:00:00 2001 From: gjofili <55558404+gjofili@users.noreply.github.com> Date: Mon, 8 Jul 2024 10:43:51 -0300 Subject: [PATCH 01/18] Create SECURITY.md --- SECURITY.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..034e848032 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,21 @@ +# Security Policy + +## Supported Versions + +Use this section to tell people about which versions of your project are +currently being supported with security updates. + +| Version | Supported | +| ------- | ------------------ | +| 5.1.x | :white_check_mark: | +| 5.0.x | :x: | +| 4.0.x | :white_check_mark: | +| < 4.0 | :x: | + +## Reporting a Vulnerability + +Use this section to tell people how to report a vulnerability. + +Tell them where to go, how often they can expect to get an update on a +reported vulnerability, what to expect if the vulnerability is accepted or +declined, etc. From 2fb0d6a37b059ec6f0a22bf8ba8ab3463c787fee Mon Sep 17 00:00:00 2001 From: gjofili <55558404+gjofili@users.noreply.github.com> Date: Mon, 8 Jul 2024 11:47:43 -0300 Subject: [PATCH 02/18] Create TESTE.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit isso é um pecado! Não pdoe commit direto na main --- TESTE.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 TESTE.md diff --git a/TESTE.md b/TESTE.md new file mode 100644 index 0000000000..dce167e67b --- /dev/null +++ b/TESTE.md @@ -0,0 +1 @@ +Teste de branch protection v1 From 39607a4531cbcfe5636540e00cd761ab82a3663d Mon Sep 17 00:00:00 2001 From: gjofili <55558404+gjofili@users.noreply.github.com> Date: Mon, 8 Jul 2024 11:57:19 -0300 Subject: [PATCH 03/18] Update TESTE.md --- TESTE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TESTE.md b/TESTE.md index dce167e67b..77731f1226 100644 --- a/TESTE.md +++ b/TESTE.md 
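Review bot: SECURITY.md is the unedited GitHub template, so `## Reporting a Vulnerability` still reads `Use this section to tell people how to report a vulnerability.` and gives a reporter no channel, and the Supported Versions table lists 5.1.x/4.0.x while the lockfile later in this series records the package at version 1.0.1. Replace the placeholder with an actual contact (a security mailbox or GitHub private vulnerability reporting), the response time a reporter can expect and the disclosure policy, and make the table list the versions that really receive fixes. A file that advertises a policy nobody operates is worse than no SECURITY.md, because reporters will wait on it.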
@@ -1 +1 @@
-Teste de branch protection v1
+Teste de branch protection v2 - aprovação habilitada
From d2a3d35ac9e847f2114ee5ac446a108a0a7fa28c Mon Sep 17 00:00:00 2001
From: gjofili <55558404+gjofili@users.noreply.github.com>
Date: Mon, 8 Jul 2024 14:40:49 -0300
Subject: [PATCH 04/18] Update CODEOWNERS
---
 .github/CODEOWNERS | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 901d76deea..a36064cfa0 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1 +1,2 @@
-* @snyk/devrel
+* @gjofili
+TESTE.md @lucardosobr
From 72a432bee0a042e1cfe8550431d43d010e39b078 Mon Sep 17 00:00:00 2001
From: gjofili <55558404+gjofili@users.noreply.github.com>
Date: Mon, 15 Jul 2024 15:11:16 -0300
Subject: [PATCH 05/18] Create pull_request_template.md
---
 pull_request_template.md | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 pull_request_template.md
diff --git a/pull_request_template.md b/pull_request_template.md
new file mode 100644
index 0000000000..27013ab75f
--- /dev/null
+++ b/pull_request_template.md
@@ -0,0 +1,9 @@
+## Descreve sua mudança
+
+## Número do ticket
+
+## Checklist de segurança
+- [ ] O código possui codificação de saída adequada
+- [ ] O código não possui string concatenada em query
+- [ ] O código não possui credenciais hardcoded
+- [ ] O código fraz validação de entrada adquada
From 9129d47418d4621ccc1dd826349f9b6c7c866572 Mon Sep 17 00:00:00 2001
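Review bot: In `.github/CODEOWNERS` the last matching pattern wins, so `TESTE.md @lucardosobr` replaces @gjofili as owner of that file instead of adding a second approver; if both should review, the line must be `TESTE.md @lucardosobr @gjofili`. Swapping the `@snyk/devrel` team for one user on the `*` rule also means that whenever that user opens a pull request there is no remaining code owner able to approve it, and the file only gates merges at all if branch protection on the default branch has "Require review from Code Owners" enabled, which is not visible in this series and should be confirmed. Prefer a team (or at least two users) on the catch-all rule.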
From: gjofili <55558404+gjofili@users.noreply.github.com>
Date: Thu, 12 Sep 2024 11:08:52 -0300
Subject: [PATCH 06/18] Delete .github/workflows directory
---
 .github/workflows/codeql-analysis.yml | 71 --------------------------
 .github/workflows/snyk-code-manual.yml | 16 ------
 .github/workflows/snyk-code.yml | 17 ------
 .github/workflows/snyk-test-sarif.yml | 17 ------
 4 files changed, 121 deletions(-)
 delete mode 100644 .github/workflows/codeql-analysis.yml
 delete mode 100644 .github/workflows/snyk-code-manual.yml
 delete mode 100644 .github/workflows/snyk-code.yml
 delete mode 100644 .github/workflows/snyk-test-sarif.yml
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
deleted file mode 100644
index 3ebc0c31fb..0000000000
--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: "CodeQL"
-
-on:
- push:
- branches: [ master ]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: [ master ]
- schedule:
- - cron: '32 19 * * 4'
-
-jobs:
- analyze:
- name: Analyze
- runs-on: ubuntu-latest
- permissions:
- actions: read
- contents: read
- security-events: write
-
- strategy:
- fail-fast: false
- matrix:
- language: [ 'javascript' ]
- # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
- # Learn more:
- # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v3
-
- # Initializes the CodeQL tools for scanning.
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v1
- with:
- languages: ${{ matrix.language }}
- # If you wish to specify custom queries, you can do so here or in a config file.
- # By default, queries listed here will override any specified in a config file.
- # Prefix the list here with "+" to use these queries and those in the config file.
- # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
- # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
- # If this step fails, then you should remove it and run the build manually (see below)
- - name: Autobuild
- uses: github/codeql-action/autobuild@v1
-
- # ℹ️ Command-line programs to run using the OS shell.
- # 📚 https://git.io/JvXDl
-
- # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
- # and modify them (or add more) to build your code if your project
- # uses a compiled language
-
- #- run: |
- # make bootstrap
- # make release
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v1
diff --git a/.github/workflows/snyk-code-manual.yml b/.github/workflows/snyk-code-manual.yml
deleted file mode 100644
index 0cb48af11c..0000000000
--- a/.github/workflows/snyk-code-manual.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-name: "snyk code manual test"
-on: [push, pull_request]
-
-jobs:
- build:
- name: sarif testing action
- runs-on: ubuntu-latest
- permissions:
- security-events: write
- steps:
- - uses: actions/checkout@v3
- - name: Upload SARIF
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: sarif.json
- # sarif_file: example111.json
diff --git a/.github/workflows/snyk-code.yml b/.github/workflows/snyk-code.yml
deleted file mode 100644
index 6acfa140db..0000000000
--- a/.github/workflows/snyk-code.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-name: "snyk code test"
-on: [push, pull_request]
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - uses: snyk/actions/setup@master
- - name: Snyk Test
- run: snyk code test --org=${{ secrets.SNYK_ORG }} --sarif > snyk-sarif2.json
- continue-on-error: true
- env:
- SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: snyk-sarif2.json
diff --git a/.github/workflows/snyk-test-sarif.yml b/.github/workflows/snyk-test-sarif.yml
deleted file mode 100644
index d583e5aafe..0000000000
--- a/.github/workflows/snyk-test-sarif.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-name: "snyk test"
-on: [push, pull_request]
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - uses: snyk/actions/setup@master
- - name: Snyk Test
- run: snyk test --sarif-file-output=snyk-sarif1.json
- continue-on-error: true
- env:
- SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: snyk-sarif1.json
From 80407cd04b13c5d9099e029503d9531187768efc Mon Sep 17 00:00:00 2001
From: gjofili <55558404+gjofili@users.noreply.github.com>
Date: Thu, 12 Sep 2024 11:18:11 -0300
Subject: [PATCH 07/18] Create zap.yml
---
 .github/workflows/zap.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 .github/workflows/zap.yml
diff --git a/.github/workflows/zap.yml b/.github/workflows/zap.yml
new file mode 100644
index 0000000000..5d9c65c865
--- /dev/null
+++ b/.github/workflows/zap.yml
@@ -0,0 +1,19 @@
+on: [push]
+
+jobs:
+ zap_scan:
+ runs-on: ubuntu-latest
+ name: Scan the webapplication
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ ref: master
+ - name: ZAP Scan
+ uses: zaproxy/action-baseline@v0.12.0
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
+ target: 'https://demo.owasp-juice.shop/'
+ rules_file_name: '.zap/rules.tsv'
+ cmd_options: '-a'
From 6d0a8ed4bc0d2c91db3353c2dae3ab5006997bd1 Mon Sep 17 00:00:00 2001
From: gjofili <55558404+gjofili@users.noreply.github.com>
Date: Thu, 12 Sep 2024 11:19:31 -0300
Subject: [PATCH 08/18] Update zap.yml
---
 .github/workflows/zap.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/.github/workflows/zap.yml b/.github/workflows/zap.yml
index 5d9c65c865..18b336252c 100644
--- a/.github/workflows/zap.yml
+++ b/.github/workflows/zap.yml
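Review bot: `target: 'https://demo.owasp-juice.shop/'` points the baseline scan at a third-party demo instance, so the job never tests the application in this repository and its result cannot meaningfully gate a push; start the app inside the job and set `target` to that local URL, and only keep an external host if its owner has authorised scanning. The action is given `token: ${{ secrets.GITHUB_TOKEN }}` to open issues, which needs a job-level `permissions:` block with `issues: write` (none is declared, so on repositories whose default token is read-only the step will fail), and `rules_file_name: '.zap/rules.tsv'` names a file this series does not add. `on: [push]` with no branch filter also fires the scan for every branch push; limiting it to the default branch and `pull_request` matches the later `trivy.yml` and `sonarcloud.yml` in this series.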
@@ -5,10 +5,6 @@ jobs: runs-on: ubuntu-latest name: Scan the webapplication steps: - - name: Checkout - uses: actions/checkout@v2 - with: - ref: master - name: ZAP Scan uses: zaproxy/action-baseline@v0.12.0 with: From ff1e5c3846409fb372fcab16469e7f2623aaf797 Mon Sep 17 00:00:00 2001 From: gjofili <55558404+gjofili@users.noreply.github.com> Date: Thu, 12 Sep 2024 11:38:31 -0300 Subject: [PATCH 09/18] Create nuclei.yml --- .github/workflows/nuclei.yml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 .github/workflows/nuclei.yml diff --git a/.github/workflows/nuclei.yml b/.github/workflows/nuclei.yml new file mode 100644 index 0000000000..8273aaa364 --- /dev/null +++ b/.github/workflows/nuclei.yml @@ -0,0 +1,32 @@ +name: Nuclei - Vulnerability Scan + +on: + schedule: + - cron: '0 0 * * *' + workflow_dispatch: + +jobs: + nuclei-scan: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Nuclei - Vulnerability Scan + id: nuclei_scan + uses: projectdiscovery/nuclei-action@main + with: + target: https://demo.owasp-juice.shop/#/ + + - name: GitHub Workflow artifacts + uses: actions/upload-artifact@v4 + with: + name: nuclei.log + path: nuclei.log + + - name: GitHub Security Dashboard Alerts update + uses: github/codeql-action/upload-sarif@v3 + if: steps.nuclei_scan.outputs.sarif_exists == 'true' + with: + sarif_file: nuclei.sarif + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 6f14ce2cf7b1334fa54151f49aad869dc03ea088 Mon Sep 17 00:00:00 2001 From: gjofili <55558404+gjofili@users.noreply.github.com> Date: Thu, 12 Sep 2024 11:58:50 -0300 Subject: [PATCH 10/18] Update nuclei.yml --- .github/workflows/nuclei.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/nuclei.yml b/.github/workflows/nuclei.yml index 8273aaa364..ac6ddad862 100644 --- a/.github/workflows/nuclei.yml +++ b/.github/workflows/nuclei.yml 
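Review bot: Deleting the checkout step leaves `rules_file_name: '.zap/rules.tsv'`, set just below this hunk, pointing into an empty workspace, so the action will presumably fail to load its rules file or run without it; either drop `rules_file_name` as well or keep a checkout, written as `- uses: actions/checkout@v4` with no `ref:` so the run scans the pushed revision rather than always `master` as the removed lines did. The `zap_scan` job continues outside the hunk.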
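Review bot: `uses: projectdiscovery/nuclei-action@main` resolves to whatever the action's default branch holds at run time, so an upstream compromise or force-push runs arbitrary code in this job with `GITHUB_TOKEN`; pin it to a full commit SHA (`uses: projectdiscovery/nuclei-action@<sha> # vX.Y.Z`) as the other steps are at least tag-pinned. The `upload-sarif` step requires `security-events: write` and the workflow declares no `permissions:` block, so the upload fails wherever the default token is read-only; add `permissions: { contents: read, security-events: write }` to the `nuclei-scan` job. As in zap.yml the target is the public `demo.owasp-juice.shop` instance, scanned nightly, not this repository's application, so the findings pushed to this repo's Security tab describe someone else's deployment.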
@@ -15,7 +15,7 @@ jobs: id: nuclei_scan uses: projectdiscovery/nuclei-action@main with: - target: https://demo.owasp-juice.shop/#/ + target: https://demo.owasp-juice.shop/ - name: GitHub Workflow artifacts uses: actions/upload-artifact@v4 From 5189ee617f8feb1cc28366cb23e1036db5b07e0c Mon Sep 17 00:00:00 2001 From: gjofili <55558404+gjofili@users.noreply.github.com> Date: Thu, 12 Sep 2024 12:16:30 -0300 Subject: [PATCH 11/18] Create sonarcloud.yml --- .github/workflows/sonarcloud.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .github/workflows/sonarcloud.yml diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml new file mode 100644 index 0000000000..5f896a6ea0 --- /dev/null +++ b/.github/workflows/sonarcloud.yml @@ -0,0 +1,20 @@ +name: Build +on: + push: + branches: + - master + pull_request: + types: [opened, synchronize, reopened] +jobs: + sonarcloud: + name: SonarCloud + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis + - name: SonarCloud Scan + uses: SonarSource/sonarcloud-github-action@master + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} From 00d8c60c39c4bfa80520af90bffcc24d44259157 Mon Sep 17 00:00:00 2001 From: gjofili <55558404+gjofili@users.noreply.github.com> Date: Thu, 12 Sep 2024 12:17:25 -0300 Subject: [PATCH 12/18] Update sonarcloud.yml --- .github/workflows/sonarcloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml index 5f896a6ea0..2796c7625d 100644 --- a/.github/workflows/sonarcloud.yml +++ b/.github/workflows/sonarcloud.yml @@ -2,7 +2,7 @@ name: Build on: push: branches: - - master + - main pull_request: types: [opened, synchronize, reopened] jobs: 
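Review bot: `uses: SonarSource/sonarcloud-github-action@master` is a mutable reference that receives `SONAR_TOKEN`, so a change to that branch upstream runs with the token in this job; pin it to a commit SHA (or at least a release tag) like the `actions/checkout@v3` step. Triggering on `pull_request` rather than `pull_request_target` is the right choice because fork PRs then get no secrets, but it means `SONAR_TOKEN` is empty on such PRs and the scan step will fail; guard it with `if: github.event.pull_request.head.repo.full_name == github.repository` or accept that outcome knowingly. No `permissions:` block is declared; `contents: read` and `pull-requests: read` should cover the PR metadata the inline comment says `GITHUB_TOKEN` is needed for.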
From 7035e852bb9e014eb00e21419fe605a08902f7c4 Mon Sep 17 00:00:00 2001 From: gjofili <55558404+gjofili@users.noreply.github.com> Date: Thu, 12 Sep 2024 12:20:02 -0300 Subject: [PATCH 13/18] Create sonar-project.properties --- sonar-project.properties | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 sonar-project.properties diff --git a/sonar-project.properties b/sonar-project.properties new file mode 100644 index 0000000000..baff1acd36 --- /dev/null +++ b/sonar-project.properties @@ -0,0 +1,13 @@ +sonar.projectKey=gjofili_nodejs-goof +sonar.organization=gjofili + +# This is the name and version displayed in the SonarCloud UI. +#sonar.projectName=nodejs-goof +#sonar.projectVersion=1.0 + + +# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows. +#sonar.sources=. + +# Encoding of the source code. Default is default system encoding +#sonar.sourceEncoding=UTF-8 From f41e6459b3699b54f992c01e4e03169d93783043 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Mon, 16 Sep 2024 14:13:35 +0000 Subject: [PATCH 14/18] fix: package.json & package-lock.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/npm:adm-zip:20180415 --- package-lock.json | 15 ++++++++------- package.json | 2 +- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/package-lock.json b/package-lock.json index fef2be2035..d8a4b14a14 100644 --- a/package-lock.json +++ b/package-lock.json @@ -9,7 +9,7 @@ "version": "1.0.1", "license": "Apache-2.0", "dependencies": { - "adm-zip": "0.4.7", + "adm-zip": "^0.4.11", "body-parser": "1.9.0", "cfenv": "^1.0.4", "consolidate": "0.14.5", 
@@ -332,9 +332,10 @@ } }, "node_modules/adm-zip": { - "version": "0.4.7", - "resolved": "https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.7.tgz", - "integrity": "sha1-hgbCy/HEJs6MjsABdER/1Jtur8E=", + "version": "0.4.11", + "resolved": "https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.11.tgz", + "integrity": "sha512-L8vcjDTCOIJk7wFvmlEUN7AsSb8T+2JrdP7KINBjzr24TJ5Mwj590sLu3BC7zNZowvJWa/JtPmD8eJCzdtDWjA==", + "license": "MIT", "engines": { "node": ">=0.3.0" } @@ -12832,9 +12833,9 @@ "dev": true }, "adm-zip": { - "version": "0.4.7", - "resolved": "https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.7.tgz", - "integrity": "sha1-hgbCy/HEJs6MjsABdER/1Jtur8E=" + "version": "0.4.11", + "resolved": "https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.11.tgz", + "integrity": "sha512-L8vcjDTCOIJk7wFvmlEUN7AsSb8T+2JrdP7KINBjzr24TJ5Mwj590sLu3BC7zNZowvJWa/JtPmD8eJCzdtDWjA==" }, "agent-base": { "version": "4.3.0", diff --git a/package.json b/package.json index d5f9362a36..755181715a 100644 --- a/package.json +++ b/package.json @@ -15,7 +15,7 @@ "test": "snyk test" }, "dependencies": { - "adm-zip": "0.4.7", + "adm-zip": "0.4.11", "body-parser": "1.9.0", "cfenv": "^1.0.4", "consolidate": "0.14.5", From a3529bc38f29cf3a857a5ae064056b9b5a382a64 Mon Sep 17 00:00:00 2001 From: gjofili <55558404+gjofili@users.noreply.github.com> Date: Mon, 16 Sep 2024 11:36:48 -0300 Subject: [PATCH 15/18] Create snyk.yml --- .github/workflows/snyk.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .github/workflows/snyk.yml diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml new file mode 100644 index 0000000000..d101cb8f1a --- /dev/null +++ b/.github/workflows/snyk.yml @@ -0,0 +1,11 @@ +name: Snyk +on: push +jobs: + Snyk: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/node@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 
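Review bot: Both steps use mutable refs (`actions/checkout@master`, `snyk/actions/node@master`) and the second receives `SNYK_TOKEN`, so anyone who can push to those upstream branches can run code with that token in this job; pin both to commit SHAs (`actions/checkout@<sha> # v4`). `on: push` without a branch filter also runs the scan, with the secret, on every branch push, and no `permissions:` block is set, so add `permissions: contents: read` and restrict the trigger to the default branch plus `pull_request` as `trivy.yml` later in this series does. The action's default command is `snyk test`, which fails the job on any finding, so for this deliberately vulnerable demo codebase (nodejs-goof) every run will be red until the command or a severity threshold is chosen deliberately.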
From 1ab02787ed8e527baa39f6b510c6b87447b94a6e Mon Sep 17 00:00:00 2001 From: gjofili <55558404+gjofili@users.noreply.github.com> Date: Mon, 16 Sep 2024 11:42:00 -0300 Subject: [PATCH 16/18] Update snyk.yml --- .github/workflows/snyk.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index d101cb8f1a..e4d0e54e0c 100644 --- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml @@ -9,3 +9,5 @@ jobs: uses: snyk/actions/node@master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + command: monitor From c8644dbeed5ea99c47b5d65507d3be2083cb7d14 Mon Sep 17 00:00:00 2001 From: gjofili <55558404+gjofili@users.noreply.github.com> Date: Mon, 16 Sep 2024 12:14:26 -0300 Subject: [PATCH 17/18] Create gitleaks.yml --- .github/workflows/gitleaks.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 .github/workflows/gitleaks.yml diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml new file mode 100644 index 0000000000..9efde5a63d --- /dev/null +++ b/.github/workflows/gitleaks.yml @@ -0,0 +1,19 @@ +name: gitleaks +on: + pull_request: + push: + workflow_dispatch: + schedule: + - cron: "0 4 * * *" # run once a day at 4 AM +jobs: + scan: + name: gitleaks + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}} # Only required for Organizations, not personal accounts. From fd8cb274b3d8ad5286fe9c8b93f47337b7819b51 Mon Sep 17 00:00:00 2001 From: gjofili <55558404+gjofili@users.noreply.github.com> Date: Mon, 16 Sep 2024 12:31:33 -0300 Subject: [PATCH 18/18] Create trivy.yml --- .github/workflows/trivy.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .github/workflows/trivy.yml 
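Review bot: `command: monitor` only snapshots the dependency tree into the Snyk dashboard and never fails the job, so after this change nothing in CI blocks a vulnerable dependency from merging; if gating is wanted, keep `monitor` for pushes to the default branch and add a second step with `command: test` and `args: --severity-threshold=high` on pull requests. The `with:` block is placed after `env:`, which is valid YAML but unlike the other workflows in this series; moving it above `env:` keeps the steps uniform. The step's start is outside this hunk.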
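Review bot: No `permissions:` block is declared, yet the action is handed `GITHUB_TOKEN` and, as far as its inputs show, uses it to query the pushed commits or PR and by default to post a summary comment on pull requests, so declare `permissions: contents: read` and `pull-requests: write` explicitly (or disable the comment) instead of inheriting the repository default. On `pull_request` runs from forks the token is read-only and `GITLEAKS_LICENSE` is empty, so those runs will presumably fail unless gated with an `if:` on the head repository. `fetch-depth: 0` is right for scanning history, but a hit here means the secret is already in the remote, so pair this with a pre-commit hook and a revocation runbook; also normalise `${{ secrets.GITLEAKS_LICENSE}}` to `${{ secrets.GITLEAKS_LICENSE }}` for consistency, though the expression parses as written.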
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000000..6b36b820f5
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,25 @@
+name: trivy
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+jobs:
+ build:
+ name: trivy
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - name: Build an image from Dockerfile
+ run: |
+ docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.20.0
+ with:
+ image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
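Review bot: The image is built and scanned as `docker.io/my-organization/my-app:${{ github.sha }}`, the placeholder name from the Trivy README, so the tag names neither this project nor anything that is pushed; use a local name such as `nodejs-goof:${{ github.sha }}` in both the `docker build` and `image-ref` lines (the image is never pushed, so no registry prefix is needed). `runs-on: ubuntu-20.04` is a runner image GitHub has been retiring and `actions/checkout@v2` runs on a deprecated Node runtime; move to `ubuntu-latest` and `actions/checkout@v4`, and pin `aquasecurity/trivy-action` to a commit SHA rather than the mutable `0.20.0` tag. With `exit-code: '1'` and `severity: 'CRITICAL,HIGH'` the job will fail on every run for this deliberately vulnerable demo codebase, so either treat that as the intended signal or switch to `format: 'sarif'` plus an `upload-sarif` step (which needs `security-events: write`) so findings land in code scanning without blocking the build.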