Merge pull request #7 from CarlTern/main

Add more open source obstacles and improve scan setup
debricked · Feb 21, 2025 · 8efd631 · 8efd631
2 parents 9966ece + 5676364
commit 8efd631
Show file tree

Hide file tree

Showing 13 changed files with 172 additions and 16 deletions.
diff --git a/.github/workflows/debricked.yml b/.github/workflows/debricked.yml
@@ -7,9 +7,8 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
-      - uses: debricked/actions/callgraph@v3
-      - uses: debricked/actions/fingerprint@v3
-      - uses: debricked/actions@v3
+      - uses: actions/checkout@v4
+      - uses: debricked/actions/callgraph@v4
+      - uses: debricked/actions@v4
         env:
-          DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}
+          DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}
diff --git a/LICENSE b/LICENSE
@@ -19,3 +19,8 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
+
+
+Includes other software related under the MIT license:
+- jasypt-spring-boot-starter-3.0.5, Copyright (c) 2021 Sergio Ulises Bocchio. For licensing see /src/main/libs/LICENSE-jasypt-spring-boot-starter-3.0.5.txt
+- vite-plugin-purgecss, Copyright (c) 2023 Joe Stanley. For licensing see /web/app/src/LICENSE-vite-plugin-purgecss.txt
diff --git a/README.md b/README.md
@@ -1,2 +1,64 @@
-# demo
-Demo project with various Open Source obstacles
+# Debricked Demo Repository
+
+This is an intentionally vulnerable demo repository by [Debricked](https://debricked.com) that showcases common obstacles and risks related to open source dependencies. It demonstrates how our tool helps you analyze, detect, manage and remediate open source risks.
+
+## Getting Started
+
+### 1. Get a copy of the Repository
+
+> [!NOTE]
+>This repository comes with a pre-configured GitHub Actions workflow located at [.github/workflows/debricked.yml](.github/workflows/debricked.yml), but it is also possible to use your CI/CD tool of choice or download/clone the repository and scan it locally using the [Debricked CLI](https://github.com/debricked/cli/tree/main). For more information on integrating with other tools, visit [the documentation](https://docs.debricked.com/tools-and-integrations/integrations). 
+
+The easiest way to get set up is to simply fork or import this repository to your own GitHub account, making use of the existing GitHub Actions workflow.
+
+#### 1.1 (If forking the repository) Enable GitHub Actions in Forked Repositories
+
+If you've forked this repository, please note that GitHub disables running workflows by default. To enable them:
+
+1. Navigate to the **Actions** tab in your forked repository.
+2. Click the button labeled **"I understand my workflows, go ahead and enable them"**.
+
+This step is necessary for the workflows to run as expected.
+
+### 2. Configure Your Debricked Access Token
+
+To enable the dependency scans with GitHub actions, set up your Debricked Access Token as a GitHub secret:
+
+1. Generate an Access Token through the Debricked UI (instructions can be found [here](https://docs.debricked.com/product/administration/generate-access-token))
+2. Navigate to the repository on GitHub.
+3. Go to **Settings** > **Secrets and variables** > **Actions**.
+4. Click **New repository secret**.
+5. Name the secret `DEBRICKED_API_KEY` and paste your Access Token as the value.
+
+### 3. Run a scan
+
+Once the API key is configured, the workflow will automatically scan your repository for dependency issues on:
+* Every push to any branch.
+* [Manually triggering the workflow](https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/manually-running-a-workflow#running-a-workflow)
+
+## Repository Structure
+
+- **[.github/workflows/debricked.yml](.github/workflows/debricked.yml)**:  
+  Contains the GitHub Actions workflow that triggers the Debricked dependency scan.
+- **[README.md](README.md)**:  
+  This documentation file.
+- **[LICENSE](LICENSE)**:  
+  The repository license.
+- **[web/](web/)**:  
+  Folder with code related to the frontend, using various vulnerable open source dependencies
+- **[src/](src/)**:  
+  Folder with code related to the backend, which is set up using a vulnerable version of the [Spring Framework](https://spring.io/projects/spring-framework).
+
+## Additional Resources
+
+- [Debricked Website](https://debricked.com)
+- [Debricked Documentation](https://docs.debricked.com)
+- [GitHub Actions Documentation](https://docs.github.com/en/actions)
+
+## Contributing
+
+Contributions to improve this demo are welcome! Please open an issue or submit a pull request with your suggestions.
+
+## License
+
+This repository is licensed under the MIT License. See the [LICENSE](LICENSE) file for more details.
diff --git a/pom.xml b/pom.xml
@@ -16,24 +16,40 @@
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-web</artifactId>
-			<version>2.7.6</version>
+			<version>3.3.7</version>
 		</dependency>
 		<dependency>
 			<groupId>org.apache.zookeeper</groupId>
 			<artifactId>zookeeper</artifactId>
-			<version>3.4.11</version>
+			<version>3.5.10</version>
 		</dependency>
 		<dependency>
 			<groupId>org.kitchen-eel</groupId>
 			<artifactId>json-schema-validator</artifactId>
 			<version>1.5.2</version>
 		</dependency>
+		<dependency>
+			<groupId> org.apache.logging.log4j</groupId>
+			<artifactId>log4j-core</artifactId>
+			<version>2.13.0</version>
+		</dependency>
+		<dependency>
+		    <groupId>org.jsoup</groupId>
+		    <artifactId>jsoup</artifactId>
+		    <version>1.8.3</version>
+		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-test</artifactId>
-			<version>2.7.6</version>
+			<version>3.3.7</version>
 			<scope>test</scope>
 		</dependency>
+		<dependency>
+		    <groupId>org.jboss.spec.javax.rmi</groupId>
+		    <artifactId>jboss-rmi-api_1.0_spec</artifactId>
+		    <version>1.0.6.Final</version>
+		    <scope>test</scope>
+		</dependency>
 	</dependencies>
 	<build>
 		<plugins>

diff --git a/src/main/java/com/github/debricked/demo/DemoController.java b/src/main/java/com/github/debricked/demo/DemoController.java
@@ -3,12 +3,22 @@
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
 
+import org.jsoup.Jsoup;
+import org.jsoup.nodes.Document;
+import org.jsoup.nodes.Element;
+import org.jsoup.select.Elements;
+
+import java.io.IOException;
+
 @RestController
 public class DemoController {
 
 	@GetMapping("/")
-	public String index() {
-		return "Greetings from Spring Boot!";
-	}
+	public String index() throws IOException {
+		Document doc = Jsoup.connect("https://debricked.com/").get();
+
+	        Elements loginButton = doc.select("div[class^=journey-button] > *:contains(Log in)");
 
+		return "Please visit %s to log into Debricked!".formatted(loginButton.attr("href")); 
+	}
 }
diff --git a/src/main/libs/LICENSE-jasypt-spring-boot-starter-3.0.5.txt b/src/main/libs/LICENSE-jasypt-spring-boot-starter-3.0.5.txt
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 Sergio Ulises Bocchio
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/src/main/libs/jasypt-spring-boot-starter-3.0.5.jar b/src/main/libs/jasypt-spring-boot-starter-3.0.5.jar
diff --git a/web/app/src/App.vue b/web/app/src/App.vue
@@ -13,7 +13,7 @@ import HelloWorld from './components/HelloWorld.vue'
       <img src="./assets/vue.svg" class="logo vue" alt="Vue logo" />
     </a>
   </div>
-  <HelloWorld msg="Vite + Vue" />
+  <HelloWorld msg="Vite + Vue examples" />
 </template>
 
 <style scoped>

diff --git a/web/app/src/LICENSE-vite-plugin-purgecss.txt b/web/app/src/LICENSE-vite-plugin-purgecss.txt
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Joe Stanley
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/web/app/src/components/HelloWorld.vue b/web/app/src/components/HelloWorld.vue
@@ -23,7 +23,7 @@ const count = ref(0)
     Check out
     <a href="https://vuejs.org/guide/quick-start.html#local" target="_blank"
       >create-vue</a
-    >, the official Vue + Vite starter
+    >, the official Vue + Vite starter guide
   </p>
   <p>
     Install

diff --git a/web/app/src/main.js b/web/app/src/main.js
@@ -1,5 +1,5 @@
 import { createApp } from 'vue'
-import './style.css'
+import './style-examples.css'
 import App from './App.vue'
 
 createApp(App).mount('#app')
diff --git a/web/app/src/style.css → web/app/src/style-examples.css b/web/app/src/style.css → web/app/src/style-examples.css
diff --git a/web/app/src/vite-plugin-purgecss.ts b/web/app/src/vite-plugin-purgecss.ts
@@ -0,0 +1,22 @@
+import PurgeCSS, { UserDefinedSafelist } from "purgecss";
+
+export default (safeList?: UserDefinedSafelist) => {
+    let _html: string = '';
+    return {
+        name: 'vite-plugin-html-purgecss',
+        enforce: 'post',
+        transformIndexHtml(html) { _html += html;},
+        async generateBundle(_options, bundle) {
+            const cssFiles = Object.keys(bundle).filter(key => key.endsWith('.css'));
+            if (!cssFiles) return;
+            for (const file of cssFiles) {
+                const purged = await new PurgeCSS().purge({
+                    content: [{raw: _html, extension: 'html'}],
+                    css: [{raw: bundle[file].source}],
+                    safelist: safeList || []
+                });
+                bundle[file].source = purged[0].css;
+            }
+        }
+    }
+}