From a13ced5263848bfd51682361257c171d8318c254 Mon Sep 17 00:00:00 2001 From: ShiftLeft Date: Thu, 24 Mar 2022 12:25:25 +0530 Subject: [PATCH 01/14] adding ShiftLeft build rules --- shiftleft.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 shiftleft.yml diff --git a/shiftleft.yml b/shiftleft.yml new file mode 100644 index 0000000000..220d4baf42 --- /dev/null +++ b/shiftleft.yml @@ -0,0 +1,12 @@ +build_rules: + - id: allow-zero-findings + finding_types: + - vuln + - secret + - insight + - "*" + severity: + - SEVERITY_MEDIUM_IMPACT + - SEVERITY_HIGH_IMPACT + - SEVERITY_LOW_IMPACT + threshold: 0 \ No newline at end of file From b4e5ef85cf19a2c010661d13657be676f5defb9a Mon Sep 17 00:00:00 2001 From: ShiftLeft Date: Thu, 24 Mar 2022 12:25:25 +0530 Subject: [PATCH 02/14] adding ShiftLeft GitHub action --- .github/workflows/shiftleft.yml | 137 ++++++++++++++++++++++++++++++++ 1 file changed, 137 insertions(+) create mode 100644 .github/workflows/shiftleft.yml diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml new file mode 100644 index 0000000000..c43d6b8298 --- /dev/null +++ b/.github/workflows/shiftleft.yml 
@@ -0,0 +1,137 @@ +--- +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: ShiftLeft + +on: + pull_request: + workflow_dispatch: + +jobs: + NextGen-Static-Analysis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + # We are building this application with Java 11 + - name: Setup Java JDK + uses: actions/setup-java@v1.4.3 + with: + java-version: 11.0.x + - name: Package with maven + run: mvn compile package + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + # ShiftLeft requires Java 1.8. Post the package step override the version + - name: Setup Java JDK + uses: actions/setup-java@v1.4.3 + with: + java-version: 1.8 + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + - name: NextGen Static Analysis + run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --analysis-timeout=1h --app Benchmark --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/benchmark.war + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + OWASP-Benchmark-Score: + runs-on: ubuntu-20.04 + needs: NextGen-Static-Analysis + steps: + - uses: actions/checkout@v2 + - name: Setup Java JDK + uses: actions/setup-java@v1.4.3 + with: + java-version: 11.0.x + - name: Export NG SAST Findings + run: | + cd $HOME + git clone --depth 1 --branch v0.0.3 https://github.com/ShiftLeftSecurity/field-integrations + cd field-integrations/shiftleft-utils || exit 1 + mkdir -p ${GITHUB_WORKSPACE}/ngsast_results + pip3 install -r requirements.txt + python3 export.py --app Benchmark -f sl -o ${GITHUB_WORKSPACE}/ngsast_results/Benchmark.sl + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + - name: Package with maven + run: mvn compile package + - name: Calculate OWASP Benchmark Score + 
run: | + cd ${GITHUB_WORKSPACE} + mvn validate -Pbenchmarkscore -Dexec.args="expectedresults-1.2.csv ngsast_results ShiftLeft anonymous" + if [ -e "scorecard/Benchmark_Scorecard_for_ShiftLeft.html" ]; then + echo "*** Thank you for Benchmarking ShiftLeft NextGen Static Analysis ***" + echo "You can find the results for ShiftLeft under workflow artifacts called scorecard" + else + echo "Benchmark results were not produced correctly. Check if you have Java 1.8 installed" + fi + - uses: actions/upload-artifact@v2 + with: + name: Benchmark_v1.2_Scorecard_for_ShiftLeft + path: scorecard + + - name: Generate Results Checksum + run: | + OWASP_BENCHMARK_CHECKSUM=$(tail -n +2 scorecard/Benchmark_v1.2_Scorecard_for_ShiftLeft.csv | + sort | + tr -d '[:space:]' | + tr '[:upper:]' '[:lower:]' | + shasum | + tr -d " -") + echo "OWASP_BENCHMARK_CHECKSUM=$OWASP_BENCHMARK_CHECKSUM" >> $GITHUB_ENV + + - uses: actions/setup-node@v2 + with: + node-version: 14 + - run: npm install jwt-decode node-fetch@2 + if: github.event_name == 'pull_request' + + - name: Notify Benchmark Results + uses: actions/github-script@v4 + if: github.event_name == 'pull_request' + env: + OWASP_BENCHMARK_CHECKSUM: ${{ env.OWASP_BENCHMARK_CHECKSUM }} + SHIFTLEFT_USER_ID_V2: f82c02ab-752c-4156-a639-978ceafd0ccc + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + // Leave a comment on the PR + const { issue: { number: issue_number }, repo: { owner, repo } } = context; + const run = await github.actions.getWorkflowRun({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.runId + }); + const loc = run.data.html_url ? 
'[GitHub Action](' + run.data.html_url + ')' : 'GitHub Action'; + const body = '👋 ' + '@' + context.actor + ' OWASP Benchmark scorecard is available for download in the Artifacts Section of ' + loc; + github.issues.createComment({ issue_number, owner, repo, body }); + + // Report the results + const jwt_decode = require('jwt-decode'); + const fetch = require("node-fetch"); + const { + SHIFTLEFT_API_HOST, + SHIFTLEFT_ACCESS_TOKEN, + SHIFTLEFT_USER_ID_V2, + OWASP_BENCHMARK_CHECKSUM, + } = process.env; + const decoded = jwt_decode(SHIFTLEFT_ACCESS_TOKEN); + const orgID = decoded.orgID; + const apiHost = SHIFTLEFT_API_HOST || 'www.shiftleft.io'; + fetch(`https://${apiHost}/api/v4/private/orgs/${orgID}/bi_proxy/owasp_benchmark_complete`, { + headers: { + "Content-Type": "application/json; charset=utf-8", + "Authorization": `Bearer ${SHIFTLEFT_ACCESS_TOKEN}`, + }, + method: 'POST', + body: JSON.stringify({ + artifact_url: run.data.html_url || '', + result_sha1: OWASP_BENCHMARK_CHECKSUM, + user_id_v2: SHIFTLEFT_USER_ID_V2, + }) + }) From caf0779f86e2a217189d4b6a05fe0e0e20162b86 Mon Sep 17 00:00:00 2001 From: ShiftLeft Date: Thu, 24 Mar 2022 12:33:58 +0530 Subject: [PATCH 03/14] adding ShiftLeft GitHub action From 182e2f6c35f0cd44e2249b34686147537eef2f07 Mon Sep 17 00:00:00 2001 From: ShiftLeft Date: Thu, 24 Mar 2022 12:33:59 +0530 Subject: [PATCH 04/14] adding ShiftLeft build rules From a0654cc947deced4530605954c99da3915796cac Mon Sep 17 00:00:00 2001 From: Ashish Mohanty <85564114+0day-Pwn@users.noreply.github.com> Date: Thu, 24 Mar 2022 21:56:25 +0530 Subject: [PATCH 05/14] Update shiftleft.yml sl check-environment --- .github/workflows/shiftleft.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml index c43d6b8298..f4eefc19c0 100644 --- a/.github/workflows/shiftleft.yml +++ b/.github/workflows/shiftleft.yml 
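Review bot: `${{ github.head_ref || steps.extract_branch.outputs.branch }}` is expanded straight into the `run:` line of the `NextGen Static Analysis` step, and a pull request's head-branch name is chosen by whoever opens the PR (forks in particular), so this is the script-injection pattern GitHub's own docs warn about; move the expression into the step's `env:` block, e.g. `BRANCH: ${{ github.head_ref || steps.extract_branch.outputs.branch }}`, and write the command as `--tag branch="$BRANCH"`. The same interpolation reappears in PATCH 07, 08, 13 and 14. The `Download ShiftLeft CLI` step also executes whatever `curl` returns without `--fail` or any digest check, so an error page or a substituted file would be chmod'ed and run with the access token in its environment; at minimum use `curl --fail --silent --show-error --location https://cdn.shiftleft.io/download/sl -o "${GITHUB_WORKSPACE}/sl"` and compare its digest with a pinned value (`<EXPECTED_SHA256>` placeholder) before running it. Action references (`actions/checkout@v2`, `actions/setup-java@v1.4.3`) and `npm install jwt-decode node-fetch@2` resolve mutable tags rather than pinned revisions, and the final `fetch(...)` and `github.issues.createComment(...)` in the github-script are neither awaited nor error-handled, so a failed report or comment ends the step silently.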
@@ -22,6 +22,7 @@ jobs: - name: Download ShiftLeft CLI run: | curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + sl check-environment # ShiftLeft requires Java 1.8. Post the package step override the version - name: Setup Java JDK uses: actions/setup-java@v1.4.3 From b831c137779f1e8756f01a91808acc83393f8ab2 Mon Sep 17 00:00:00 2001 From: Ashish Mohanty <85564114+0day-Pwn@users.noreply.github.com> Date: Thu, 24 Mar 2022 22:00:44 +0530 Subject: [PATCH 06/14] Update BenchmarkTest00001.java --- .../java/org/owasp/benchmark/testcode/BenchmarkTest00001.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java index 60e54fbbb6..b9c7c1d6bf 100644 --- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java +++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java @@ -51,7 +51,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) thr javax.servlet.http.Cookie[] theCookies = request.getCookies(); - + String password = "password"; String param = "noCookieValueSupplied"; if (theCookies != null) { for (javax.servlet.http.Cookie theCookie : theCookies) { From 457f95d75a2fe4cf8df1cfd39e8a6dda33ec7865 Mon Sep 17 00:00:00 2001 From: Ashish Mohanty <85564114+0day-Pwn@users.noreply.github.com> Date: Thu, 24 Mar 2022 22:09:51 +0530 Subject: [PATCH 07/14] Update shiftleft.yml --- .github/workflows/shiftleft.yml | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml index f4eefc19c0..4fe63fba48 100644 --- a/.github/workflows/shiftleft.yml +++ b/.github/workflows/shiftleft.yml 
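Review bot: `sl check-environment` is invoked as a bare command, but the line above installs the binary at `${GITHUB_WORKSPACE}/sl`, which is not on `PATH` unless the runner adds it, so this line is expected to fail with command-not-found and abort the step under the default `bash -e` shell; the other steps in this file call `${GITHUB_WORKSPACE}/sl` explicitly for that reason. Change it to `${GITHUB_WORKSPACE}/sl check-environment`. PATCH 13 later removes the line again, which is consistent with it never having worked.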
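Review bot: `String password = "password";` is added to `doPost` in `BenchmarkTest00001.java` in place of a blank line, but nothing in the hunk reads it, so it is an unused hard-coded credential inside a numbered benchmark test case; if it is meant as a fixture for the `secret` finding type listed in `shiftleft.yml`, say so, e.g. `// Intentional hard-coded credential: exercises the 'secret' finding type for the SAST build rule`, otherwise drop it. Changing a benchmark test case may also stop it matching what `expectedresults-1.2.csv` scores for that test in the `Calculate OWASP Benchmark Score` step. `doPost` starts and continues outside the hunk.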
@@ -32,8 +32,31 @@ jobs: shell: bash run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" id: extract_branch - - name: NextGen Static Analysis - run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --analysis-timeout=1h --app Benchmark --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/benchmark.war + - name: NG SAST Trunk + # Removed the --wait since we wont be checking the scan + if: ${{ github.ref == 'refs/heads/main' }} + run: ${GITHUB_WORKSPACE}/sl analyze --strict --app Benchmark --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/benchmark.war + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + SHIFTLEFT_ORG_ID: ${{ secrets.SHIFTLEFT_ORG_ID }} + - name: NG SAST PR + # --wait in place because we will run check-analysis with this scan + if: ${{ github.event_name == 'pull_request' }} + run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app Benchmark --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/benchmark.war + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + SHIFTLEFT_ORG_ID: ${{ secrets.SHIFTLEFT_ORG_ID }} + - name: Validate Build Rules + # Only run on pull request and compare to Main as set in the build rules file Shiftleft.yml + if: ${{ github.event_name == 'pull_request' }} + run: | + ${GITHUB_WORKSPACE}/sl check-analysis --app Benchmark \ + --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" \ + --report \ + --github-pr-number=${{github.event.number}} \ + --github-pr-user=${{ github.repository_owner }} \ + --github-pr-repo=${{ github.event.repository.name }} \ + --github-token=${{ secrets.GITHUB_TOKEN }} env: SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} From 07bf19fc1b87485b2fe2837469a3a6f92e2e6bb7 Mon Sep 17 00:00:00 2001 
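Review bot: The `NG SAST Trunk` step is gated on `github.ref == 'refs/heads/main'`, but at this point the workflow's triggers are only `pull_request` and `workflow_dispatch`; on a pull request `github.ref` is the merge ref, so the trunk scan runs only on a manual dispatch from `main` and nothing scans the trunk after a merge. Add a `push:` trigger on the trunk branch if the scan is meant to be continuous, and keep the branch name consistent with the `branches:` filters this series adds later (`master`). `--github-token=${{ secrets.GITHUB_TOKEN }}` is also passed on the command line of `sl check-analysis`, where it is visible in process arguments on the runner; prefer passing it through `env:` as the file already does for `SHIFTLEFT_ACCESS_TOKEN`. The surrounding `steps:` list starts and ends outside the hunk.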
From: Ashish Mohanty <85564114+0day-Pwn@users.noreply.github.com> Date: Thu, 24 Mar 2022 22:11:47 +0530 Subject: [PATCH 08/14] Create main.yml --- .github/workflows/main.yml | 161 +++++++++++++++++++++++++++++++++++++ 1 file changed, 161 insertions(+) create mode 100644 .github/workflows/main.yml diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 0000000000..4fe63fba48 --- /dev/null +++ b/.github/workflows/main.yml 
@@ -0,0 +1,161 @@ +--- +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: ShiftLeft + +on: + pull_request: + workflow_dispatch: + +jobs: + NextGen-Static-Analysis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + # We are building this application with Java 11 + - name: Setup Java JDK + uses: actions/setup-java@v1.4.3 + with: + java-version: 11.0.x + - name: Package with maven + run: mvn compile package + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + sl check-environment + # ShiftLeft requires Java 1.8. Post the package step override the version + - name: Setup Java JDK + uses: actions/setup-java@v1.4.3 + with: + java-version: 1.8 + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + - name: NG SAST Trunk + # Removed the --wait since we wont be checking the scan + if: ${{ github.ref == 'refs/heads/main' }} + run: ${GITHUB_WORKSPACE}/sl analyze --strict --app Benchmark --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/benchmark.war + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + SHIFTLEFT_ORG_ID: ${{ secrets.SHIFTLEFT_ORG_ID }} + - name: NG SAST PR + # --wait in place because we will run check-analysis with this scan + if: ${{ github.event_name == 'pull_request' }} + run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app Benchmark --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/benchmark.war + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + SHIFTLEFT_ORG_ID: ${{ secrets.SHIFTLEFT_ORG_ID }} + - name: Validate Build Rules + # Only run on pull request and compare to Main as set in the build rules file Shiftleft.yml + if: ${{ github.event_name == 'pull_request' }} + 
run: | + ${GITHUB_WORKSPACE}/sl check-analysis --app Benchmark \ + --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" \ + --report \ + --github-pr-number=${{github.event.number}} \ + --github-pr-user=${{ github.repository_owner }} \ + --github-pr-repo=${{ github.event.repository.name }} \ + --github-token=${{ secrets.GITHUB_TOKEN }} + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + OWASP-Benchmark-Score: + runs-on: ubuntu-20.04 + needs: NextGen-Static-Analysis + steps: + - uses: actions/checkout@v2 + - name: Setup Java JDK + uses: actions/setup-java@v1.4.3 + with: + java-version: 11.0.x + - name: Export NG SAST Findings + run: | + cd $HOME + git clone --depth 1 --branch v0.0.3 https://github.com/ShiftLeftSecurity/field-integrations + cd field-integrations/shiftleft-utils || exit 1 + mkdir -p ${GITHUB_WORKSPACE}/ngsast_results + pip3 install -r requirements.txt + python3 export.py --app Benchmark -f sl -o ${GITHUB_WORKSPACE}/ngsast_results/Benchmark.sl + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + - name: Package with maven + run: mvn compile package + - name: Calculate OWASP Benchmark Score + run: | + cd ${GITHUB_WORKSPACE} + mvn validate -Pbenchmarkscore -Dexec.args="expectedresults-1.2.csv ngsast_results ShiftLeft anonymous" + if [ -e "scorecard/Benchmark_Scorecard_for_ShiftLeft.html" ]; then + echo "*** Thank you for Benchmarking ShiftLeft NextGen Static Analysis ***" + echo "You can find the results for ShiftLeft under workflow artifacts called scorecard" + else + echo "Benchmark results were not produced correctly. 
Check if you have Java 1.8 installed" + fi + - uses: actions/upload-artifact@v2 + with: + name: Benchmark_v1.2_Scorecard_for_ShiftLeft + path: scorecard + + - name: Generate Results Checksum + run: | + OWASP_BENCHMARK_CHECKSUM=$(tail -n +2 scorecard/Benchmark_v1.2_Scorecard_for_ShiftLeft.csv | + sort | + tr -d '[:space:]' | + tr '[:upper:]' '[:lower:]' | + shasum | + tr -d " -") + echo "OWASP_BENCHMARK_CHECKSUM=$OWASP_BENCHMARK_CHECKSUM" >> $GITHUB_ENV + + - uses: actions/setup-node@v2 + with: + node-version: 14 + - run: npm install jwt-decode node-fetch@2 + if: github.event_name == 'pull_request' + + - name: Notify Benchmark Results + uses: actions/github-script@v4 + if: github.event_name == 'pull_request' + env: + OWASP_BENCHMARK_CHECKSUM: ${{ env.OWASP_BENCHMARK_CHECKSUM }} + SHIFTLEFT_USER_ID_V2: f82c02ab-752c-4156-a639-978ceafd0ccc + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + // Leave a comment on the PR + const { issue: { number: issue_number }, repo: { owner, repo } } = context; + const run = await github.actions.getWorkflowRun({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.runId + }); + const loc = run.data.html_url ? 
'[GitHub Action](' + run.data.html_url + ')' : 'GitHub Action'; + const body = '👋 ' + '@' + context.actor + ' OWASP Benchmark scorecard is available for download in the Artifacts Section of ' + loc; + github.issues.createComment({ issue_number, owner, repo, body }); + + // Report the results + const jwt_decode = require('jwt-decode'); + const fetch = require("node-fetch"); + const { + SHIFTLEFT_API_HOST, + SHIFTLEFT_ACCESS_TOKEN, + SHIFTLEFT_USER_ID_V2, + OWASP_BENCHMARK_CHECKSUM, + } = process.env; + const decoded = jwt_decode(SHIFTLEFT_ACCESS_TOKEN); + const orgID = decoded.orgID; + const apiHost = SHIFTLEFT_API_HOST || 'www.shiftleft.io'; + fetch(`https://${apiHost}/api/v4/private/orgs/${orgID}/bi_proxy/owasp_benchmark_complete`, { + headers: { + "Content-Type": "application/json; charset=utf-8", + "Authorization": `Bearer ${SHIFTLEFT_ACCESS_TOKEN}`, + }, + method: 'POST', + body: JSON.stringify({ + artifact_url: run.data.html_url || '', + result_sha1: OWASP_BENCHMARK_CHECKSUM, + user_id_v2: SHIFTLEFT_USER_ID_V2, + }) + }) From e1263ef419c70720acba3359488a75ca03e6d7e6 Mon Sep 17 00:00:00 2001 From: Ashish Mohanty <85564114+0day-Pwn@users.noreply.github.com> Date: Thu, 24 Mar 2022 22:14:56 +0530 Subject: [PATCH 09/14] Update shiftleft.yml --- .github/workflows/shiftleft.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml index 4fe63fba48..212676999c 100644 --- a/.github/workflows/shiftleft.yml +++ b/.github/workflows/shiftleft.yml @@ -4,8 +4,11 @@ name: ShiftLeft on: - pull_request: workflow_dispatch: + pull_request: + branches: [ master ] + push: + branches: [ master ] jobs: NextGen-Static-Analysis: From dae0057daef2d1d01eef1d091ae71a87fbfafcaa Mon Sep 17 00:00:00 2001 
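Review bot: `.github/workflows/main.yml` is created with the same blob id as `shiftleft.yml` (`index 0000000000..4fe63fba48` is the post-image of PATCH 07), so the repository now carries two workflows both named `ShiftLeft` with identical triggers and jobs; every pull request will run the analysis, the benchmark scoring, the PR comment and the `owasp_benchmark_complete` report twice. Keep a single file, or give `main.yml` a distinct `name:` and a purpose that differs from `shiftleft.yml`. PATCH 10 applies the same trigger edit to this copy, which suggests the duplication was not intended.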
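Review bot: The `pull_request` and `push` triggers are now filtered to `branches: [ master ]`, while the `NG SAST Trunk` step introduced in PATCH 07 still checks `github.ref == 'refs/heads/main'`, so a push to `master` starts the job but skips the trunk analysis, and no other analysis step matches a `push` event because `NG SAST PR` requires `pull_request`. Align the two, e.g. `if: ${{ github.ref == 'refs/heads/master' }}`, or filter the triggers on `main`. PATCH 10 makes the identical change in `main.yml` and inherits the same mismatch.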
From: Ashish Mohanty <85564114+0day-Pwn@users.noreply.github.com> Date: Thu, 24 Mar 2022 22:16:01 +0530 Subject: [PATCH 10/14] Update main.yml --- .github/workflows/main.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 4fe63fba48..212676999c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -4,8 +4,11 @@ name: ShiftLeft on: - pull_request: workflow_dispatch: + pull_request: + branches: [ master ] + push: + branches: [ master ] jobs: NextGen-Static-Analysis: From 3d5124f74106d85d01999a7de6af097e391e6e69 Mon Sep 17 00:00:00 2001 From: Ashish Mohanty <85564114+0day-Pwn@users.noreply.github.com> Date: Thu, 24 Mar 2022 22:16:58 +0530 Subject: [PATCH 11/14] Update shiftleft.yml --- .github/workflows/shiftleft.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml index 212676999c..70c11adcf9 100644 --- a/.github/workflows/shiftleft.yml +++ b/.github/workflows/shiftleft.yml @@ -6,9 +6,9 @@ name: ShiftLeft on: workflow_dispatch: pull_request: - branches: [ master ] + branches: [master] push: - branches: [ master ] + branches: [master] jobs: NextGen-Static-Analysis: From 2158ff9b628d1ec256a53ef97fe8a054b73132f1 Mon Sep 17 00:00:00 2001 From: Ashish Mohanty <85564114+0day-Pwn@users.noreply.github.com> Date: Thu, 24 Mar 2022 22:22:11 +0530 Subject: [PATCH 12/14] Update shiftleft.yml --- .github/workflows/shiftleft.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml index 70c11adcf9..a5fb99e033 100644 --- a/.github/workflows/shiftleft.yml +++ b/.github/workflows/shiftleft.yml 
@@ -35,6 +35,12 @@ jobs: shell: bash run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" id: extract_branch + - name: Extract branch names + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branchs + - name: Branch name + run: echo running on branch ${GITHUB_REF##*/} - name: NG SAST Trunk # Removed the --wait since we wont be checking the scan if: ${{ github.ref == 'refs/heads/main' }} From 5f0e36b7a503e4068935df8a96e9c2c277c9004b Mon Sep 17 00:00:00 2001 From: ShiftLeft Date: Fri, 8 Apr 2022 10:57:41 +0530 Subject: [PATCH 13/14] adding ShiftLeft GitHub action --- .github/workflows/shiftleft.yml | 41 ++++----------------------------- 1 file changed, 4 insertions(+), 37 deletions(-) diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml index a5fb99e033..25387daa0d 100644 --- a/.github/workflows/shiftleft.yml +++ b/.github/workflows/shiftleft.yml @@ -4,11 +4,8 @@ name: ShiftLeft on: - workflow_dispatch: pull_request: - branches: [master] - push: - branches: [master] + workflow_dispatch: jobs: NextGen-Static-Analysis: @@ -25,7 +22,6 @@ jobs: - name: Download ShiftLeft CLI run: | curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl - sl check-environment # ShiftLeft requires Java 1.8. Post the package step override the version - name: Setup Java JDK uses: actions/setup-java@v1.4.3 
@@ -35,37 +31,8 @@ jobs: shell: bash run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" id: extract_branch - - name: Extract branch names - shell: bash - run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" - id: extract_branchs - - name: Branch name - run: echo running on branch ${GITHUB_REF##*/} - - name: NG SAST Trunk - # Removed the --wait since we wont be checking the scan - if: ${{ github.ref == 'refs/heads/main' }} - run: ${GITHUB_WORKSPACE}/sl analyze --strict --app Benchmark --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/benchmark.war - env: - SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} - SHIFTLEFT_ORG_ID: ${{ secrets.SHIFTLEFT_ORG_ID }} - - name: NG SAST PR - # --wait in place because we will run check-analysis with this scan - if: ${{ github.event_name == 'pull_request' }} - run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app Benchmark --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/benchmark.war - env: - SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} - SHIFTLEFT_ORG_ID: ${{ secrets.SHIFTLEFT_ORG_ID }} - - name: Validate Build Rules - # Only run on pull request and compare to Main as set in the build rules file Shiftleft.yml - if: ${{ github.event_name == 'pull_request' }} - run: | - ${GITHUB_WORKSPACE}/sl check-analysis --app Benchmark \ - --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" \ - --report \ - --github-pr-number=${{github.event.number}} \ - --github-pr-user=${{ github.repository_owner }} \ - --github-pr-repo=${{ github.event.repository.name }} \ - --github-token=${{ secrets.GITHUB_TOKEN }} + - name: NextGen Static Analysis + run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --analysis-timeout=1h --app Benchmark --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/benchmark.war env: 
SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} @@ -127,7 +94,7 @@ jobs: if: github.event_name == 'pull_request' env: OWASP_BENCHMARK_CHECKSUM: ${{ env.OWASP_BENCHMARK_CHECKSUM }} - SHIFTLEFT_USER_ID_V2: f82c02ab-752c-4156-a639-978ceafd0ccc + SHIFTLEFT_USER_ID_V2: 1fb2c004-b53f-48e4-bccd-764ef9d06b83 SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} with: From 82d0603f139e49f304c0dbfde1307f29d59acee4 Mon Sep 17 00:00:00 2001 From: Ashish Mohanty <85564114+0day-Pwn@users.noreply.github.com> Date: Fri, 8 Apr 2022 11:45:26 +0530 Subject: [PATCH 14/14] Update shiftleft.yml --- .github/workflows/shiftleft.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml index 25387daa0d..5aadb43f13 100644 --- a/.github/workflows/shiftleft.yml +++ b/.github/workflows/shiftleft.yml @@ -32,7 +32,7 @@ jobs: run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" id: extract_branch - name: NextGen Static Analysis - run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --analysis-timeout=1h --app Benchmark --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/benchmark.war + run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --analysis-timeout=1h --app Benchmark --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/benchmark.war --vcs-prefix-correction "*=/src/main/java" env: SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
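Review bot: `SHIFTLEFT_USER_ID_V2` is a user-specific identifier hard-coded into the workflow and swapped here for a different value under a commit titled "adding ShiftLeft GitHub action" that does not mention it; the script sends it as `user_id_v2` in the benchmark-completion report, so anyone who reuses this workflow with their own token reports under that user's identity. Read it from repository configuration instead, `SHIFTLEFT_USER_ID_V2: ${{ secrets.SHIFTLEFT_USER_ID_V2 }}`, and add a comment above the `env:` block stating what the id attributes. This commit also reverts PATCH 05, 07, 09, 11 and 12 without saying so in its message.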
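Review bot: The new `--vcs-prefix-correction "*=/src/main/java"` flag has no comment explaining why it is needed, and its intent (presumably mapping paths inside the CPG built from `target/benchmark.war` back onto the repository's source tree so findings resolve to files) is not obvious from the command line. Add a comment above the step such as `# Map analysis paths onto src/main/java so findings resolve to repository files`, and keep the wildcard pattern quoted as it is here so the shell does not expand it.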