ShiftLeftSecurity · Encryptshell · Mar 24, 2022 · Mar 24, 2022 · Mar 24, 2022 · Mar 24, 2022
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -0,0 +1,164 @@
+---
+# This workflow integrates ShiftLeft NG SAST with GitHub
+# Visit https://docs.shiftleft.io for help
+name: ShiftLeft
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches: [ master ]
+  push:
+    branches: [ master ]
+
+jobs:
+  NextGen-Static-Analysis:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    # We are building this application with Java 11
+    - name: Setup Java JDK
+      uses: actions/[email protected]
+      with:
+        java-version: 11.0.x
+    - name: Package with maven
+      run: mvn compile package
+    - name: Download ShiftLeft CLI
+      run: |
+        curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+        sl check-environment
+    # ShiftLeft requires Java 1.8. Post the package step override the version
+    - name: Setup Java JDK
+      uses: actions/[email protected]
+      with:
+        java-version: 1.8
+    - name: Extract branch name
+      shell: bash
+      run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+      id: extract_branch
+    - name: NG SAST Trunk
+      # Removed the --wait since we wont be checking the scan
+      if: ${{ github.ref == 'refs/heads/main' }}
+      run: ${GITHUB_WORKSPACE}/sl analyze --strict --app Benchmark --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/benchmark.war
+      env:
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+        SHIFTLEFT_ORG_ID: ${{ secrets.SHIFTLEFT_ORG_ID }}
+    - name: NG SAST PR
+      # --wait in place because we will run check-analysis with this scan
+      if: ${{ github.event_name == 'pull_request' }}
+      run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app Benchmark --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/benchmark.war
+      env:
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+        SHIFTLEFT_ORG_ID: ${{ secrets.SHIFTLEFT_ORG_ID }}
+    - name: Validate Build Rules
+      # Only run on pull request and compare to Main as set in the build rules file Shiftleft.yml
+      if: ${{ github.event_name == 'pull_request' }}
+      run: | 
+            ${GITHUB_WORKSPACE}/sl check-analysis --app Benchmark \
+            --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" \
+            --report \
+            --github-pr-number=${{github.event.number}} \
+            --github-pr-user=${{ github.repository_owner }} \
+            --github-pr-repo=${{ github.event.repository.name }} \
+            --github-token=${{ secrets.GITHUB_TOKEN }}
+      env:
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+  OWASP-Benchmark-Score:
+    runs-on: ubuntu-20.04
+    needs: NextGen-Static-Analysis
+    steps:
+    - uses: actions/checkout@v2
+    - name: Setup Java JDK
+      uses: actions/[email protected]
+      with:
+        java-version: 11.0.x
+    - name: Export NG SAST Findings
+      run: |
+        cd $HOME
+        git clone --depth 1 --branch v0.0.3  https://github.com/ShiftLeftSecurity/field-integrations
+        cd field-integrations/shiftleft-utils || exit 1
+        mkdir -p ${GITHUB_WORKSPACE}/ngsast_results
+        pip3 install -r requirements.txt
+        python3 export.py --app Benchmark -f sl -o ${GITHUB_WORKSPACE}/ngsast_results/Benchmark.sl
+      env:
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+    - name: Package with maven
+      run: mvn compile package
+    - name: Calculate OWASP Benchmark Score
+      run: |
+        cd ${GITHUB_WORKSPACE}
+        mvn validate -Pbenchmarkscore -Dexec.args="expectedresults-1.2.csv ngsast_results ShiftLeft anonymous"
+        if [ -e "scorecard/Benchmark_Scorecard_for_ShiftLeft.html" ]; then
+            echo "*** Thank you for Benchmarking ShiftLeft NextGen Static Analysis ***"
+            echo "You can find the results for ShiftLeft under workflow artifacts called scorecard"
+        else
+            echo "Benchmark results were not produced correctly. Check if you have Java 1.8 installed"
+        fi
+    - uses: actions/upload-artifact@v2
+      with:
+        name: Benchmark_v1.2_Scorecard_for_ShiftLeft
+        path: scorecard
+
+    - name: Generate Results Checksum
+      run: |
+        OWASP_BENCHMARK_CHECKSUM=$(tail -n +2 scorecard/Benchmark_v1.2_Scorecard_for_ShiftLeft.csv |
+          sort |
+          tr -d '[:space:]' |
+          tr '[:upper:]' '[:lower:]' |
+          shasum |
+          tr -d " -")
+        echo "OWASP_BENCHMARK_CHECKSUM=$OWASP_BENCHMARK_CHECKSUM" >> $GITHUB_ENV
+
+    - uses: actions/setup-node@v2
+      with:
+        node-version: 14
+    - run: npm install jwt-decode node-fetch@2
+      if: github.event_name == 'pull_request'
+
+    - name: Notify Benchmark Results
+      uses: actions/github-script@v4
+      if: github.event_name == 'pull_request'
+      env:
+        OWASP_BENCHMARK_CHECKSUM: ${{ env.OWASP_BENCHMARK_CHECKSUM }}
+        SHIFTLEFT_USER_ID_V2: f82c02ab-752c-4156-a639-978ceafd0ccc
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        script: |
+          // Leave a comment on the PR
+          const { issue: { number: issue_number }, repo: { owner, repo }  } = context;
+          const run = await github.actions.getWorkflowRun({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                run_id: context.runId
+              });
+          const loc = run.data.html_url ? '[GitHub Action](' + run.data.html_url + ')' : 'GitHub Action';
+          const body = '👋 ' + '@' + context.actor + ' OWASP Benchmark scorecard is available for download in the Artifacts Section of ' + loc;
+          github.issues.createComment({ issue_number, owner, repo, body });
+
+          // Report the results
+          const jwt_decode = require('jwt-decode');
+          const fetch = require("node-fetch");
+          const {
+            SHIFTLEFT_API_HOST,
+            SHIFTLEFT_ACCESS_TOKEN,
+            SHIFTLEFT_USER_ID_V2,
+            OWASP_BENCHMARK_CHECKSUM,
+          } = process.env;
+          const decoded = jwt_decode(SHIFTLEFT_ACCESS_TOKEN);
+          const orgID = decoded.orgID;
+          const apiHost = SHIFTLEFT_API_HOST || 'www.shiftleft.io';
+          fetch(`https://${apiHost}/api/v4/private/orgs/${orgID}/bi_proxy/owasp_benchmark_complete`, {
+            headers: {
+              "Content-Type": "application/json; charset=utf-8",
+              "Authorization": `Bearer ${SHIFTLEFT_ACCESS_TOKEN}`,
+            },
+            method: 'POST',
+            body: JSON.stringify({
+              artifact_url: run.data.html_url || '',
+              result_sha1: OWASP_BENCHMARK_CHECKSUM,
+              user_id_v2: SHIFTLEFT_USER_ID_V2,
+            })
+          })
diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml
@@ -0,0 +1,137 @@
+---
+# This workflow integrates ShiftLeft NG SAST with GitHub
+# Visit https://docs.shiftleft.io for help
+name: ShiftLeft
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  NextGen-Static-Analysis:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    # We are building this application with Java 11
+    - name: Setup Java JDK
+      uses: actions/[email protected]
+      with:
+        java-version: 11.0.x
+    - name: Package with maven
+      run: mvn compile package
+    - name: Download ShiftLeft CLI
+      run: |
+        curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+    # ShiftLeft requires Java 1.8. Post the package step override the version
+    - name: Setup Java JDK
+      uses: actions/[email protected]
+      with:
+        java-version: 1.8
+    - name: Extract branch name
+      shell: bash
+      run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+      id: extract_branch
+    - name: NextGen Static Analysis
+      run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --analysis-timeout=1h --app Benchmark --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/benchmark.war --vcs-prefix-correction "*=/src/main/java"
+      env:
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+  OWASP-Benchmark-Score:
+    runs-on: ubuntu-20.04
+    needs: NextGen-Static-Analysis
+    steps:
+    - uses: actions/checkout@v2
+    - name: Setup Java JDK
+      uses: actions/[email protected]
+      with:
+        java-version: 11.0.x
+    - name: Export NG SAST Findings
+      run: |
+        cd $HOME
+        git clone --depth 1 --branch v0.0.3  https://github.com/ShiftLeftSecurity/field-integrations
+        cd field-integrations/shiftleft-utils || exit 1
+        mkdir -p ${GITHUB_WORKSPACE}/ngsast_results
+        pip3 install -r requirements.txt
+        python3 export.py --app Benchmark -f sl -o ${GITHUB_WORKSPACE}/ngsast_results/Benchmark.sl
+      env:
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+    - name: Package with maven
+      run: mvn compile package
+    - name: Calculate OWASP Benchmark Score
+      run: |
+        cd ${GITHUB_WORKSPACE}
+        mvn validate -Pbenchmarkscore -Dexec.args="expectedresults-1.2.csv ngsast_results ShiftLeft anonymous"
+        if [ -e "scorecard/Benchmark_Scorecard_for_ShiftLeft.html" ]; then
+            echo "*** Thank you for Benchmarking ShiftLeft NextGen Static Analysis ***"
+            echo "You can find the results for ShiftLeft under workflow artifacts called scorecard"
+        else
+            echo "Benchmark results were not produced correctly. Check if you have Java 1.8 installed"
+        fi
+    - uses: actions/upload-artifact@v2
+      with:
+        name: Benchmark_v1.2_Scorecard_for_ShiftLeft
+        path: scorecard
+
+    - name: Generate Results Checksum
+      run: |
+        OWASP_BENCHMARK_CHECKSUM=$(tail -n +2 scorecard/Benchmark_v1.2_Scorecard_for_ShiftLeft.csv |
+          sort |
+          tr -d '[:space:]' |
+          tr '[:upper:]' '[:lower:]' |
+          shasum |
+          tr -d " -")
+        echo "OWASP_BENCHMARK_CHECKSUM=$OWASP_BENCHMARK_CHECKSUM" >> $GITHUB_ENV
+
+    - uses: actions/setup-node@v2
+      with:
+        node-version: 14
+    - run: npm install jwt-decode node-fetch@2
+      if: github.event_name == 'pull_request'
+
+    - name: Notify Benchmark Results
+      uses: actions/github-script@v4
+      if: github.event_name == 'pull_request'
+      env:
+        OWASP_BENCHMARK_CHECKSUM: ${{ env.OWASP_BENCHMARK_CHECKSUM }}
+        SHIFTLEFT_USER_ID_V2: 1fb2c004-b53f-48e4-bccd-764ef9d06b83
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        script: |
+          // Leave a comment on the PR
+          const { issue: { number: issue_number }, repo: { owner, repo }  } = context;
+          const run = await github.actions.getWorkflowRun({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                run_id: context.runId
+              });
+          const loc = run.data.html_url ? '[GitHub Action](' + run.data.html_url + ')' : 'GitHub Action';
+          const body = '👋 ' + '@' + context.actor + ' OWASP Benchmark scorecard is available for download in the Artifacts Section of ' + loc;
+          github.issues.createComment({ issue_number, owner, repo, body });
+
+          // Report the results
+          const jwt_decode = require('jwt-decode');
+          const fetch = require("node-fetch");
+          const {
+            SHIFTLEFT_API_HOST,
+            SHIFTLEFT_ACCESS_TOKEN,
+            SHIFTLEFT_USER_ID_V2,
+            OWASP_BENCHMARK_CHECKSUM,
+          } = process.env;
+          const decoded = jwt_decode(SHIFTLEFT_ACCESS_TOKEN);
+          const orgID = decoded.orgID;
+          const apiHost = SHIFTLEFT_API_HOST || 'www.shiftleft.io';
+          fetch(`https://${apiHost}/api/v4/private/orgs/${orgID}/bi_proxy/owasp_benchmark_complete`, {
+            headers: {
+              "Content-Type": "application/json; charset=utf-8",
+              "Authorization": `Bearer ${SHIFTLEFT_ACCESS_TOKEN}`,
+            },
+            method: 'POST',
+            body: JSON.stringify({
+              artifact_url: run.data.html_url || '',
+              result_sha1: OWASP_BENCHMARK_CHECKSUM,
+              user_id_v2: SHIFTLEFT_USER_ID_V2,
+            })
+          })
diff --git a/shiftleft.yml b/shiftleft.yml
@@ -0,0 +1,12 @@
+build_rules:
+  - id: allow-zero-findings
+    finding_types:
+      - vuln
+      - secret
+      - insight
+      - "*"
+    severity:
+      - SEVERITY_MEDIUM_IMPACT
+      - SEVERITY_HIGH_IMPACT
+      - SEVERITY_LOW_IMPACT
+    threshold: 0
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java
@@ -51,7 +51,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) thr
 
 
 		javax.servlet.http.Cookie[] theCookies = request.getCookies();
-
+		String password = "password";
 		String param = "noCookieValueSupplied";
 		if (theCookies != null) {
 			for (javax.servlet.http.Cookie theCookie : theCookies) {