From 10637f16ad87b01666e939c6e10e5b0fa3330ec5 Mon Sep 17 00:00:00 2001 From: ShiftLeft Date: Sat, 18 Sep 2021 17:16:08 -0500 Subject: [PATCH 1/5] adding ShiftLeft build rules --- shiftleft.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 shiftleft.yml diff --git a/shiftleft.yml b/shiftleft.yml new file mode 100644 index 000000000..220d4baf4 --- /dev/null +++ b/shiftleft.yml @@ -0,0 +1,12 @@ +build_rules: + - id: allow-zero-findings + finding_types: + - vuln + - secret + - insight + - "*" + severity: + - SEVERITY_MEDIUM_IMPACT + - SEVERITY_HIGH_IMPACT + - SEVERITY_LOW_IMPACT + threshold: 0 \ No newline at end of file From ad9c7b808af3eee08c75205e75f0dfa8b23c5794 Mon Sep 17 00:00:00 2001 From: ShiftLeft Date: Sat, 18 Sep 2021 17:16:08 -0500 Subject: [PATCH 2/5] adding ShiftLeft GitHub action --- .github/workflows/shiftleft.yml | 59 +++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 .github/workflows/shiftleft.yml diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml new file mode 100644 index 000000000..79695c970 --- /dev/null +++ b/.github/workflows/shiftleft.yml @@ -0,0 +1,59 @@ +--- +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: ShiftLeft + +on: + pull_request: + workflow_dispatch: + +jobs: + NextGen-Static-Analysis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + # We are building this application with Java 11 + - name: Setup Java JDK + uses: actions/setup-java@v1.4.3 + with: + java-version: 11.0.x + - name: Package with maven + run: mvn compile package + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + # ShiftLeft requires Java 1.8. Post the package step override the version + - name: Setup Java JDK + uses: actions/setup-java@v1.4.3 + with: + java-version: 1.8 + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + - name: NextGen Static Analysis + run: ${GITHUB_WORKSPACE}/sl analyze --wait --app shiftleft-java-demo --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --vcs-prefix-correction "io/shiftleft=src/main/java/" --java --cpg target/hello-shiftleft-0.0.1.jar + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + Build-Rules: + runs-on: ubuntu-latest + needs: NextGen-Static-Analysis + steps: + - uses: actions/checkout@v2 + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + - name: Validate Build Rules + run: | + ${GITHUB_WORKSPACE}/sl check-analysis --app shiftleft-java-demo \ + --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" \ + --report \ + --github-pr-number=${{github.event.number}} \ + --github-pr-user=${{ github.repository_owner }} \ + --github-pr-repo=${{ github.event.repository.name }} \ + --github-token=${{ secrets.GITHUB_TOKEN }} + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + \ No newline at end of file From 5ede3f6cd962c69034b5b45017f95a9e5ae1ba7e Mon Sep 17 00:00:00 2001 From: t3chn0t3s <46801776+t3chn0t3s@users.noreply.github.com> Date: Sat, 18 Sep 2021 17:26:18 -0500 Subject: [PATCH 3/5] Update pom.xml Fixing XSS vuln discovered by shiftleft --- pom.xml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index eb17410c8..1ea555e1e 100644 --- a/pom.xml +++ b/pom.xml @@ -67,7 +67,11 @@ spring-boot-starter-test test - + + org.springframework.boot + spring-boot-starter-validation + + org.springframework spring-web From a237d73f04bbd88276cdfb9a701a7d73a7e7c20a Mon Sep 17 00:00:00 2001 From: t3chn0t3s <46801776+t3chn0t3s@users.noreply.github.com> Date: Sat, 18 Sep 2021 17:27:48 -0500 Subject: [PATCH 4/5] Update CustomerController.java Continuing to fix XSS found by shiftleft --- src/main/java/io/shiftleft/controller/CustomerController.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/io/shiftleft/controller/CustomerController.java b/src/main/java/io/shiftleft/controller/CustomerController.java index 40e1c4917..33a6ddaf2 100644 --- a/src/main/java/io/shiftleft/controller/CustomerController.java +++ b/src/main/java/io/shiftleft/controller/CustomerController.java @@ -51,7 +51,7 @@ import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RestController; import org.springframework.web.context.request.WebRequest; - +import org.springframekwork.validation.annotation.Validated; import com.ulisesbocchio.jasyptspringboot.annotation.EnableEncryptableProperties; import io.shiftleft.data.DataLoader; @@ -71,7 +71,7 @@ @PropertySource({ "classpath:config/application-sfdc.properties" }) @RestController public class CustomerController { - + @Validated @Autowired private CustomerRepository customerRepository; From 11f833352e701e6d771d39af848b496af86172b9 Mon Sep 17 00:00:00 2001 From: t3chn0t3s <46801776+t3chn0t3s@users.noreply.github.com> Date: Sat, 18 Sep 2021 17:29:32 -0500 Subject: [PATCH 5/5] Update Customer.java Fixing XSS by validating user input --- src/main/java/io/shiftleft/model/Customer.java | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/main/java/io/shiftleft/model/Customer.java b/src/main/java/io/shiftleft/model/Customer.java index 6ecdc3000..6ef84e498 100644 --- a/src/main/java/io/shiftleft/model/Customer.java +++ b/src/main/java/io/shiftleft/model/Customer.java @@ -10,6 +10,7 @@ import javax.persistence.Id; import javax.persistence.OneToMany; import javax.persistence.OneToOne; +import javax.validation.constraints.Pattern; @Entity public class Customer { @@ -53,7 +54,9 @@ public Customer(String customerId, int clientId, String firstName, String lastNa private String tin; private String phoneNumber; - + + @Pattern(regexp = "[0-9]{3}-[0-9]{3}-[0-9]{4}") + @OneToOne(cascade = { CascadeType.ALL }) private Address address;