Merge pull request #13 from harekrishnarai/add-xz-java
chore: add compromised package (xz-java)
harekrishnarai authored Aug 3, 2024
2 parents 3716d83 + a97f416 commit ab6dd7d
Showing 4 changed files with 81 additions and 11 deletions.
21 changes: 12 additions & 9 deletions README.md
Expand Up @@ -7,23 +7,26 @@

## What is SCA-Goat?

SCAGoat is an application for Software Composition Analysis (SCA) that focuses on vulnerable JAR dependencies used in development code, providing users with hands-on learning opportunities to understand potential attack scenarios. It is designed to identify vulnerabilities that may arise from using vulnerable JAR files.
SCAGoat is an application for Software Composition Analysis (SCA) that focuses on vulnerable and compromised JAR dependencies used in development code, providing users with hands-on learning opportunities to understand potential attack scenarios. It is designed to identify vulnerabilities that may arise from using vulnerable JAR files.



## What All CVE Covered?

The CVEs covered under SCAGoat are primarily critical and high severity, which have a CVSS score of 9. This aid in understanding the vulnerable package being used and its potential for exploitation.

In addition, there is one compromised package, that lacks a CVE, but is malicious by nature and cannot be detected with traditional SCA scanners.

| CVE | Package Name | Link |
|---------------|--------------|-------|
| CVE-2023-42282 | IP | [https://nvd.nist.gov/vuln/detail/CVE-2023-42282](https://nvd.nist.gov/vuln/detail/CVE-2023-42282) |
| CVE-2017-1000427 | Marked | [https://nvd.nist.gov/vuln/detail/CVE-2017-1000427](https://nvd.nist.gov/vuln/detail/CVE-2017-1000427) |
| CVE-2017-16114 | Marked | [https://github.com/markedjs/marked/issues/926](https://github.com/markedjs/marked/issues/926) |
| CVE-2021-44228 | log4j | [https://nvd.nist.gov/vuln/detail/CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)|
| CVE-2020-9547 | Jackson-Binding | [https://nvd.nist.gov/vuln/detail/CVE-2020-9547](https://nvd.nist.gov/vuln/detail/CVE-2020-9547)|
|CVE-2021-33623 | trim-newlines | [https://nvd.nist.gov/vuln/detail/CVE-2021-33623](https://nvd.nist.gov/vuln/detail/CVE-2021-33623)|

| CVE | Package Name | Link |
|----------------------------|-----------------|-------|
| CVE-2023-42282 | IP | [https://nvd.nist.gov/vuln/detail/CVE-2023-42282](https://nvd.nist.gov/vuln/detail/CVE-2023-42282) |
| CVE-2017-1000427 | Marked | [https://nvd.nist.gov/vuln/detail/CVE-2017-1000427](https://nvd.nist.gov/vuln/detail/CVE-2017-1000427) |
| CVE-2017-16114 | Marked | [https://github.com/markedjs/marked/issues/926](https://github.com/markedjs/marked/issues/926) |
| CVE-2021-44228 | log4j | [https://nvd.nist.gov/vuln/detail/CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)|
| CVE-2020-9547 | Jackson-Binding | [https://nvd.nist.gov/vuln/detail/CVE-2020-9547](https://nvd.nist.gov/vuln/detail/CVE-2020-9547)|
| CVE-2021-33623 | trim-newlines | [https://nvd.nist.gov/vuln/detail/CVE-2021-33623](https://nvd.nist.gov/vuln/detail/CVE-2021-33623)|
| Malicious Package (No CVE) | xz-java | [https://central.sonatype.com/artifact/io.github.xz-java/xz-java](https://central.sonatype.com/artifact/io.github.xz-java/xz-java)|


## Steps to run SCAGoat
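Review bot: the retained paragraph under "What All CVE Covered?" says the CVEs are "primarily critical and high severity, which have a CVSS score of 9", but High is CVSS 7.0 to 8.9 and Critical is 9.0 to 10.0, so "a CVSS score of 9" cannot describe both; say "CVSS scores of 7.0 and above" or add a score column to the table. Also fix "This aid in understanding" to "This aids in understanding". The new sentence "cannot be detected with traditional SCA scanners" is stronger than the change supports: a CVE-driven scanner will not flag a package that has no CVE, but malicious-package feeds do exist, so "is not flagged by CVE-based SCA scanning" is the defensible claim and states the actual lesson more precisely. Minor: the CVE-2017-16114 row links to a GitHub issue while every other CVE row links to NVD; link consistently, and for the xz-java row consider pointing at whatever write-up explains why the artifact is considered malicious, since the Sonatype Central listing alone does not say so.
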
9 changes: 8 additions & 1 deletion backend/pom.xml
Expand Up @@ -42,7 +42,14 @@
<artifactId>unboundid-ldapsdk</artifactId>
<version>3.1.1</version>
</dependency>


<!-- Malicious XZ Java -->
<dependency>
<groupId>io.github.xz-java</groupId>
<artifactId>xz-java</artifactId>
<version>1.9.2</version>
</dependency>

<!-- CVE-2020-9547 -->
<dependency>
<groupId>br.com.anteros</groupId>
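Review bot: the comment `<!-- Malicious XZ Java -->` should say what makes io.github.xz-java:xz-java 1.9.2 the lure and what it stands in for. The new FileUploadApi.java imports org.tukaani.xz.LZMA2Options and org.tukaani.xz.XZOutputStream, which is the package namespace of the legitimate upstream XZ for Java artifact (org.tukaani:xz), yet the only xz dependency in this hunk has groupId io.github.xz-java. State in the comment (or in the README table row) whether this artifact ships the org.tukaani.xz classes itself or whether org.tukaani:xz is pulled in elsewhere; otherwise a learner cannot tell whether the exercise is a lookalike-groupId confusion case or a trojanized copy of the real library. Pinning the exact version is right for a lab, so add a comment that the version must not be bumped by Dependabot or Renovate, since an automated update would silently remove the exercise.
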
59 changes: 59 additions & 0 deletions backend/src/main/java/com/acme/foo/FileUploadApi.java
@@ -0,0 +1,59 @@
package com.acme.foo;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.multipart.MultipartFile;
import org.tukaani.xz.LZMA2Options;
import org.tukaani.xz.XZOutputStream;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

@RestController
@CrossOrigin("*")
@RequestMapping("/api/files")
public class FileUploadApi {

private static final Logger logger = LogManager.getLogger(FileUploadApi.class);


private static final String UPLOAD_DIR = "uploads/";

@PostMapping("/upload")
public ResponseEntity<String> uploadFile(@RequestParam("file") MultipartFile file) {
try {
// Ensure the uploads directory exists
Path uploadPath = Paths.get(UPLOAD_DIR);
if (!Files.exists(uploadPath)) {
Files.createDirectories(uploadPath);
}

// Get the file and save it
byte[] bytes = file.getBytes();
Path path = Paths.get(UPLOAD_DIR + file.getOriginalFilename());
Files.write(path, bytes);

Path zipPath = Paths.get(UPLOAD_DIR + file.getOriginalFilename() + ".xz");
LZMA2Options options = new LZMA2Options();
XZOutputStream xz = new XZOutputStream(Files.newOutputStream(zipPath), options);

byte[] buf = new byte[8192];
int size;
while ((size = System.in.read(buf)) != -1) {
xz.write(buf, 0, size);
}

xz.finish();

return ResponseEntity.status(HttpStatus.OK).body("File uploaded successfully: " + file.getOriginalFilename() + " -> " + path + " -> " + zipPath);
} catch (IOException e) {
logger.error("Failed to upload file", e);
return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body("Failed to upload file: " + e.getMessage());
}
}
}
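Review bot: the compression loop in uploadFile reads from the server's standard input, not from the uploaded file: `while ((size = System.in.read(buf)) != -1)` blocks the request thread until the container's stdin reaches EOF, and the resulting .xz never contains the upload. The bytes are already in hand, so replace the loop with `xz.write(bytes);` (or read from `new ByteArrayInputStream(bytes)`). Wrap the XZOutputStream and the underlying Files.newOutputStream in try-with-resources; `xz.finish()` alone leaves the file handle open on the exception path. Separately, `Paths.get(UPLOAD_DIR + file.getOriginalFilename())` trusts the client-supplied filename, so a name containing path segments such as `../` can place the file outside uploads/; if that is intentional for the lab, say so in a comment and list it in the README, otherwise resolve the name against the upload directory and reject results that do not stay under it. `@CrossOrigin("*")` is acceptable for a deliberately vulnerable target but deserves the same "intentional" comment so it is not mistaken for an oversight.
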
3 changes: 2 additions & 1 deletion docker-compose.yml
Expand Up @@ -6,9 +6,10 @@ services:
dockerfile: Dockerfile-backend
ports:
- 8080:8080
- 11337:11337
frontend:
build:
context: .
dockerfile: Dockerfile-frontend
ports:
- 3000:3000
- 3000:3000
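Review bot: the new `- 11337:11337` mapping on the backend service is undocumented; nothing else in this commit shows what listens on 11337, and the commit message only mentions adding the xz-java package. Add a YAML comment naming the component that binds the port and why it must be published to the host (if this is the port the lab expects the compromised dependency to open, that is exactly the detail a learner needs, and publishing it on every host interface should be called out), or drop the mapping if the exercise works without it. The frontend `- 3000:3000` line appears as both removed and re-added, which looks like a trailing-newline or whitespace change; keep that churn out of a commit that is about the backend.
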
