diff --git a/.github/workflows/checkmarx-sca-scan-on-pr.yml b/.github/workflows/checkmarx-sca-scan-on-pr.yml
new file mode 100644
index 0000000..dca3b43
--- /dev/null
+++ b/.github/workflows/checkmarx-sca-scan-on-pr.yml
@@ -0,0 +1,40 @@
+# This workflow is to automate Checkmarx SCA scans. It runs on a push to the main branch.
+#
+# The following GitHub Secrets must be first defined:
+# - CHECKMARX_SCA_USERNAME
+# - CHECKMARX_SCA_PASSWORD
+##
+# The following variables must be inserted below:
+# -
+# -
+#
+# For full documentation, including a list of all inputs, please refer to the README https://github.com/checkmarx-ts/checkmarx-cxflow-github-action
+
+name: Checkmarx SCA Scan (Pull Request)
+on:
+ #pull_request:
+ # types: [opened, reopened, synchronize] # Types specify which pull request events will trigger the workflow. For more events refer Github Actions documentation.
+ # branches:
+ # - master
+ # - main
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - name: Checkmarx CxFlow Action
+ uses: checkmarx-ts/checkmarx-cxflow-github-action@v1.1 # GitHub Action version
+ with:
+ project: CxPhil_JVL_Test # <-- Insert Checkmarx CxSCA Project Name
+ sca_api_url: https://api.scacheckmarx.com
+ sca_app_url: https://sca.scacheckmarx.com
+ sca_access_control_url: https://platform.checkmarx.net
+ sca_tenant: SCA-Champions # <-- Insert Checkmarx CxSCA Tenant
+ sca_username: ${{ secrets.CHECKMARX_SCA_USERNAME }} # To be stored in GitHub Secrets.
+ sca_password: ${{ secrets.CHECKMARX_SCA_PASSWORD }} # To be stored in GitHub Secrets.
+ break_build: false
+ scanners: sca
+ bug_tracker: GITHUBPULL
+ params: --sca.thresholds-score=8.5 --github.block-merge=true --github.error-merge=true --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.head_ref }} --merge-id=${{ github.event.number }}
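Review bot: `--branch=${{ github.head_ref }}` on the `params:` line is interpolated straight into a command-line string, and on pull requests that value is chosen by whoever opens the PR; if the action splits `params` in a shell, a branch name containing spaces or shell metacharacters can inject extra arguments or commands, so pass the ref through a step `env:` variable (or validate it against a strict pattern) instead of an inline expression. Both `uses:` references (`actions/checkout@v2`, `checkmarx-ts/checkmarx-cxflow-github-action@v1.1`) are mutable tags, and the second one receives `CHECKMARX_SCA_USERNAME`/`CHECKMARX_SCA_PASSWORD`, so pin each to a full commit SHA with the tag kept in a trailing comment. Every line under `on:` is commented out, so as written the workflow has no trigger and never runs, and the header still says it "runs on a push to the main branch", which is the push workflow's text; when the trigger is enabled, change it to `# It runs when a pull request is opened, reopened or synchronized.`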
diff --git a/.github/workflows/checkmarx-sca-scan-on-push.yml b/.github/workflows/checkmarx-sca-scan-on-push.yml
new file mode 100644
index 0000000..dd5499f
--- /dev/null
+++ b/.github/workflows/checkmarx-sca-scan-on-push.yml
@@ -0,0 +1,39 @@
+# This workflow is to automate Checkmarx SCA scans. It runs on a push to the main branch.
+#
+# The following GitHub Secrets must be first defined:
+# - CHECKMARX_SCA_USERNAME
+# - CHECKMARX_SCA_PASSWORD
+##
+# The following variables must be inserted below:
+# -
+# -
+#
+# For full documentation, including a list of all inputs, please refer to the README https://github.com/checkmarx-ts/checkmarx-cxflow-github-action
+
+name: Checkmarx SCA Scan (Push)
+on:
+ #push:
+ # branches:
+ # - main
+ # - master
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - name: Checkmarx CxFlow Action
+ uses: checkmarx-ts/checkmarx-cxflow-github-action@v1.1 # GitHub Action version
+ with:
+ project: CxPhil_JVL_Push_Master # <-- Insert Checkmarx CxSCA Project Name
+ sca_api_url: https://api.scacheckmarx.com
+ sca_app_url: https://sca.scacheckmarx.com
+ sca_access_control_url: https://platform.checkmarx.net
+ sca_tenant: SCA-Champions # <-- Insert Checkmarx CxSCA Tenant
+ sca_username: ${{ secrets.CHECKMARX_SCA_USERNAME }} # To be stored in GitHub Secrets.
+ sca_password: ${{ secrets.CHECKMARX_SCA_PASSWORD }} # To be stored in GitHub Secrets.
+ break_build: false
+ scanners: sca
+ bug_tracker: JIRA
+ params: --config=cx.config --jira.url=${{secrets.JIRA_URL}} --jira.username=${{secrets.JIRA_USER}} --jira.token=${{secrets.JIRA_TOKEN}} --sca.enabledZipScan=true --sca.filter-score=8.0 --sca.filter-severity=HIGH --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }}
diff --git a/.github/workflows/cx.yml b/.github/workflows/cx.yml
index b807343..93887a9 100644
--- a/.github/workflows/cx.yml
+++ b/.github/workflows/cx.yml
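Review bot: `--jira.url=${{secrets.JIRA_URL}} --jira.username=${{secrets.JIRA_USER}} --jira.token=${{secrets.JIRA_TOKEN}}` places three secrets on the command line via the `params:` input, where they are readable by any other process on the runner (`ps`, `/proc/<pid>/cmdline`) and by anything that echoes the invocation; GitHub's log masking does not cover those channels. The action already takes `sca_username`/`sca_password` as dedicated inputs rather than through `params`, so check whether it offers the same for Jira, or hand the token to CxFlow as a step `env:` variable and leave the non-secret settings in `cx.config`. `checkmarx-ts/checkmarx-cxflow-github-action@v1.1` and `actions/checkout@v2` should be pinned to commit SHAs, since this step handles both SCA and Jira credentials. Note also that `--branch=${{ github.ref }}` expands to `refs/heads/main` rather than `main`; if CxFlow compares it against the `branches: - master` list in application.yml the filter may never match, which is worth confirming against the CxFlow docs.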
@@ -13,7 +13,7 @@ jobs:
 uses: CheckmarxDev/ast-github-action@more_engines
 id: scan
 with:
- github_repo_token: ${{ secrets.GITHUB_TOKEN }}
+ github_repo_token: ${{ secrets.GH_TOKEN }}
 ast_uri: ${{ secrets.AST_URI }}
 ast_access_key_id: ${{ secrets.AST_ACCESS_KEY_ID }}
 ast_access_key_secret: ${{ secrets.AST_ACCESS_KEY_SECRET }}
diff --git a/README.md b/README.md
index 80e96b0..56b3b48 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 ![](https://github.com/CheckmarxDev/NodeGoat-test/workflows/cx/badge.svg)
-
-This is a "Vulnerable" Web Application developed by Cyber Security and Privacy Foundation(www.cysecurity.org). This app is intended for the Java Programmers and other people who wish to learn about Web application vulnerabilities and write secure code.123
+##test
+This is a "Vulnerable" Web Application developed by Cyber Security and Privacy Foundation(www.cysecurity.org). This app is intended for the Java Programmers and other people who wish to learn about Web application vulnerabilities and write secure code.
 **The full course content is now available on Github for free:**
@@ -78,4 +78,4 @@ How to Use/Setup ?
 Get the VulnerableSpring Project from here: https://github.com/CSPF-Founder/VulnerableSpring
-
+10
diff --git a/application.yml b/application.yml
new file mode 100644
index 0000000..2ce6d05
--- /dev/null
+++ b/application.yml
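Review bot: Replacing `secrets.GITHUB_TOKEN` with `secrets.GH_TOKEN` for `github_repo_token` swaps the job-scoped token that GitHub issues per run and revokes when the job ends for a long-lived stored credential (presumably a personal access token), so a compromise of this action or a leak in its logs now yields a token that outlives the job and is not confined to this repository. If the built-in token lacks a permission the action needs, the first option is a `permissions:` block on the job (for example `pull-requests: write`); only fall back to a stored token if the action must write to other repositories, and then use a fine-grained token with the minimum scope. This matters more here because the step uses `CheckmarxDev/ast-github-action@more_engines`, a branch rather than a tag or SHA, so whoever can push to that branch controls code that receives `GH_TOKEN`, `AST_ACCESS_KEY_ID` and `AST_ACCESS_KEY_SECRET`; pin it to a commit. The job definition begins before this hunk.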
@@ -0,0 +1,96 @@
+logging:
+ file: flow.log
+ level:
+ com:
+ checkmarx:
+ flow:
+ service: TRACE
+ org:
+ apache:
+ http:
+ wire: TRACE
+ springframework:
+ web:
+ client:
+ RestTemplate: TRACE
+
+cxflow:
+ bug-tracker: Jira
+ #bug-tracker-impl:
+ #- GitHub
+ branches:
+ - master
+ filter-severity:
+ filter-category:
+ - SQL_Injection
+ - Stored_XSS
+ - Reflected_XSS_All_Clients
+ filter-cwe:
+ filter-status:
+ # - Urgent
+ # - Confirmed
+ #mitre-url: https://cwe.mitre.org/data/definitions/%s.html
+ #wiki-url: https://custodela.atlassian.net/wiki/spaces/AS/pages/79462432/Remediation+Guidance
+ codebash-url: https://checkmarx-demo.codebashing.com/courses/
+
+jira:
+ url: ${{ secrets.JIRA_URL }}
+ username: philipmolive@gmail.com
+ token: ${{ secrets.JIRA_TOKEN }}
+ project: DSVW
+ issue-type: Bug
+ priorities:
+ High: High
+ Medium: Medium
+ Low: Low
+ Informational: Lowest
+ open-transition: In Progress
+ close-transition: Done
+ open-status:
+ - Backlog
+ - Selected for Development
+ - In Progress
+ closed-status:
+ - Done
+ fields:
+ - type: result
+ name: application
+ jira-field-name: Application
+ jira-field-type: label
+# - type: result
+# name: cwe
+# jira-field-name: CWEs
+# jira-field-type: label
+ - type: result
+ name: category
+ jira-field-name: Category
+ jira-field-type: label
+# - type: result
+# name: loc
+# jira-field-name: LOC
+# jira-field-type: label
+# jira-default-value: XXXXX
+
+checkmarx:
+ version: 9.0
+ scope: access_control_api sast_rest_api
+ team: /CxServer/
+ username: admin
+ password: ${{ secrets.CHECKMARX_SCA_USERNAME }}
+ client-secret: 014DF517-39D1-4453-B7B3-9930C563627C
+ base-url: http://cxsast.ngrok.io
+ url: ${checkmarx.base-url}/cxrestapi
+ #WSDL Config
+ portal-url: ${checkmarx.base-url}/cxwebinterface/Portal/CxWebService.asmx
+ sdk-url: ${checkmarx.base-url}/cxwebinterface/SDK/CxSDKWebService.asmx
+ portal-wsdl: ${checkmarx.base-url}/Portal/CxWebService.asmx?wsdl
+ sdk-wsdl:
${checkmarx.base-url}/SDK/CxSDKWebService.asmx?wsdl
+
+
+github:
+ webhook-token: 12345
+ token: ${{ secrets.GH_TOKEN }}
+ url: https://github.com
+ api-url: https://api.github.com/repos/
+ false-positive-label: false-positive
+ block-merge: true
diff --git a/cx.config b/cx.config
new file mode 100644
index 0000000..7d897ca
--- /dev/null
+++ b/cx.config
@@ -0,0 +1,29 @@
+{
+ "bugTracker": "JIRA",
+ "jira": {
+ "project": "DSVW",
+ "issue_type": "Bug",
+ "opened_status": ["Open","Reopen"],
+ "closed_status": ["Closed","Done"],
+ "open_transition": "Reopen Issue",
+ "close_transition": "Close Issue",
+ "close_transition_field": "resolution",
+ "close_transition_value": "Done",
+ "priorities": {
+ "High": "High",
+ "Medium": "Medium",
+ "Low": "Low"
+ },
+ "fields": [{
+ "type": "result",
+ "name": "application",
+ "jira_field_type": "label"
+ },
+ {
+ "type": "result",
+ "name": "category",
+ "jira_field_name": "Category",
+ "jira_field_type": "label"
+ }]
+ }
+}
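Review bot: `password: ${{ secrets.CHECKMARX_SCA_USERNAME }}` under `checkmarx:` references the username secret rather than a password, and the `${{ secrets.… }}` form is GitHub Actions expression syntax that a Spring Boot `application.yml` does not expand (Spring resolves `${ENV_VAR}` placeholders), so unless some step templates this file before CxFlow reads it, `jira.url`, `jira.token`, `checkmarx.password` and `github.token` arrive as the literal text. Several sensitive values are committed in clear: `client-secret: 014DF517-39D1-4453-B7B3-9930C563627C`, `webhook-token: 12345` (a guessable value defeats signature verification of incoming GitHub webhooks, which is what `github.block-merge` and the false-positive label flow depend on) and `username: philipmolive@gmail.com`; move them to environment variables or an external config, generate a random webhook secret, and rotate the client secret if it is not the vendor's published default. `base-url: http://cxsast.ngrok.io` sends the `admin` credentials and every scan result in plaintext to a public tunnel endpoint; use `https://`. The `logging.level` block sets `org.apache.http.wire` and `RestTemplate` to `TRACE`, which writes full request and response headers and bodies, including `Authorization` headers and the Jira and GitHub tokens, into `flow.log`; lower these to `INFO` outside an active debugging session.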
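Review bot: The first `fields` entry (`"name": "application"`) has no `jira_field_name`, whereas the second entry sets `"jira_field_name": "Category"` and the matching entry in application.yml sets `jira-field-name: Application`; if CxFlow needs the Jira field name to place the label, this entry will be skipped or fail at runtime, so add `"jira_field_name": "Application"` or confirm the default in the CxFlow docs. This file also disagrees with application.yml on `opened_status`/`closed_status` (`Open`/`Reopen` and `Closed`/`Done` here versus `Backlog`/`Selected for Development`/`In Progress` and `Done` there) and on the transition names, and since the push workflow passes `--config=cx.config` it is not obvious which set applies to the `DSVW` project; keep one source of truth or add a comment in the workflow stating which one wins.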