From 2df87f4af458c142565d4e6940df95869cf6e99a Mon Sep 17 00:00:00 2001
From: Sebastian Roth <97243337+sebsnyk@users.noreply.github.com>
Date: Mon, 2 Dec 2024 17:10:17 +0000
Subject: [PATCH] Various string replacement improvements - prevent injection (#92)
---
GitHub/GH Action pipeline-FullPlatform.yml | 13 +--
.../GH Action pipeline-Windows-Dotnet-CLI.yml | 4 +-
GitHub/GH-actions-pipeline-npm-java.yml | 30 ++++---
.../GH-actions-pipeline-npm-nodejs-sarif.yml | 89 ++++++++++---------
GitHub/GH-actions-pipeline-npm-nodejs.yml | 14 +--
5 files changed, 79 insertions(+), 71 deletions(-)
diff --git a/GitHub/GH Action pipeline-FullPlatform.yml b/GitHub/GH Action pipeline-FullPlatform.yml
index 1fe0f05..3c631ad 100644
--- a/GitHub/GH Action pipeline-FullPlatform.yml
+++ b/GitHub/GH Action pipeline-FullPlatform.yml
@@ -2,9 +2,9 @@ name: Snyk SCA, Code, IaC and Container CLI monitor on: push: - branches: [ master ] + branches: [master] pull_request: - branches: [ master ] + branches: [master] jobs: build:
@@ -24,19 +24,20 @@ steps: uses: actions/setup-node@v2 with: node-version: ${{ matrix.node-version }} - cache: 'npm' + cache: "npm" - name: Setup Snyk + snyk-to-html # For information about the required commands for generating an HTML report see https://github.com/snyk/snyk-to-html + env: + SNYK_TOKEN: ${{ secrets.SNYK_AUTH }} run: | npm install snyk -g npm install snyk-to-html -g - snyk auth ${{secrets.SNYK_AUTH}} + snyk auth "$SNYK_TOKEN" - name: Snyk Open Source # For testing and failing please add snyk test before snyk monitor run: | snyk monitor -# For a list of additional available flags/options see: https://docs.snyk.io/snyk-cli/commands - + # For a list of additional available flags/options see: https://docs.snyk.io/snyk-cli/commands - name: Snyk Code # Remove || true to fail if there are vulnerabilities run: | snyk code test || true 
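Review bot: The new `snyk auth "$SNYK_TOKEN"` line still passes the token to the CLI as a command-line argument (visible to anything that can list processes on the runner) and, as far as I recall, has the CLI persist it in its local config store, even though the Snyk CLI already reads `SNYK_TOKEN` directly from the environment. Moving the `env:` block from the Setup step to the job level (`env:` / `SNYK_TOKEN: ${{ secrets.SNYK_AUTH }}` beside `runs-on:`) lets the auth line be dropped, and the later `snyk monitor` and `snyk code test` steps then authenticate without depending on state left behind by an earlier step. The same point applies to the Setup Snyk steps introduced in GH-actions-pipeline-npm-java.yml, GH-actions-pipeline-npm-nodejs-sarif.yml and GH-actions-pipeline-npm-nodejs.yml. The build job's remaining steps continue outside this hunk.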
diff --git a/GitHub/GH Action pipeline-Windows-Dotnet-CLI.yml b/GitHub/GH Action pipeline-Windows-Dotnet-CLI.yml
index 73fc7e8..4237332 100644
--- a/GitHub/GH Action pipeline-Windows-Dotnet-CLI.yml
+++ b/GitHub/GH Action pipeline-Windows-Dotnet-CLI.yml
@@ -36,9 +36,11 @@ jobs: run: dotnet restore - name: Install & configure Snyk + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} run: | curl "https://static.snyk.io/cli/latest/snyk-win.exe" -o snyk.exe - .\snyk auth ${{secrets.SNYK_TOKEN}} + .\snyk auth "$SNYK_TOKEN" - name: Run Snyk Open Source (SCA) run: |
diff --git a/GitHub/GH-actions-pipeline-npm-java.yml b/GitHub/GH-actions-pipeline-npm-java.yml
index 63cf3f5..480eb74 100644
--- a/GitHub/GH-actions-pipeline-npm-java.yml
+++ b/GitHub/GH-actions-pipeline-npm-java.yml
@@ -2,9 +2,9 @@ name: Java CI with Maven on: push: - branches: [ master ] + branches: [master] pull_request: - branches: [ master ] + branches: [master] jobs: archive-build-artifacts:
@@ -15,8 +15,8 @@ jobs: - name: Set up JDK 11 uses: actions/setup-java@v2 with: - java-version: '11' - distribution: 'adopt' + java-version: "11" + distribution: "adopt" - name: Build with Maven run: mvn -B package --file pom.xml - name: run MVN install 
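Review bot: `.\snyk auth "$SNYK_TOKEN"` will most likely authenticate with an empty string: the `.\snyk` path form indicates this step runs under the Windows runner's default PowerShell, where `$SNYK_TOKEN` is an undefined PowerShell variable rather than the environment variable the new `env:` block sets, so the line should read `.\snyk auth "$env:SNYK_TOKEN"` (or the step should declare `shell: bash` and call `./snyk`). No `defaults.run.shell` is visible in this hunk, so if one is set elsewhere in the file this may not apply. Because the CLI also reads `SNYK_TOKEN` straight from the environment, setting it at job level would make the auth call unnecessary on either shell. Separately, the unchanged `curl ... snyk-win.exe -o snyk.exe` line installs the scanner with no checksum or signature check, which is worth a follow-up; the SCA step that follows continues outside this hunk.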
@@ -24,24 +24,26 @@ jobs: - uses: actions/setup-node@v2 with: - node-version: '14' + node-version: "14" - run: npm install snyk -g # install snyk - run: snyk -v - - run: snyk auth ${{ secrets.snyk_token }} # snyk authentication using GH secrets + - name: Setup Snyk + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + run: snyk auth "$SNYK_TOKEN" - # Generate the HTML report - name: install snyk-to-html run: | - # Install the Snyk JSON to HTML Mapper using npm - npm install snyk-to-html -g - # Convert JSON output from `snyk test --json` into a static HTML - snyk test --json | snyk-to-html -o result.html - mkdir downloads - cp -v /home/runner/work/java-goof/java-goof/*.html /home/runner/work/java-goof/java-goof/downloads + # Install the Snyk JSON to HTML Mapper using npm + npm install snyk-to-html -g + # Convert JSON output from `snyk test --json` into a static HTML + snyk test --json | snyk-to-html -o result.html + mkdir downloads + cp -v /home/runner/work/java-goof/java-goof/*.html /home/runner/work/java-goof/java-goof/downloads # save the HTML in the artifact - name: Use the Upload Artifact GitHub Action uses: actions/upload-artifact@v2 with: name: results - path: downloads
\ No newline at end of file
+ path: downloads
diff --git a/GitHub/GH-actions-pipeline-npm-nodejs-sarif.yml b/GitHub/GH-actions-pipeline-npm-nodejs-sarif.yml
index ce6666e..86da453 100644
--- a/GitHub/GH-actions-pipeline-npm-nodejs-sarif.yml
+++ b/GitHub/GH-actions-pipeline-npm-nodejs-sarif.yml 
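Review bot: The re-indented `cp -v /home/runner/work/java-goof/java-goof/*.html /home/runner/work/java-goof/java-goof/downloads` line hard-codes the hosted-runner workspace path, so the report step breaks on a self-hosted runner or after a repository rename; the step already runs inside the workspace, so `cp -v ./*.html downloads/` (or a path built from `"$GITHUB_WORKSPACE"`) does the same job portably. Also, `snyk test --json | snyk-to-html -o result.html` takes its exit status from `snyk-to-html`, and the default `run` shell does not enable `pipefail`, so a `snyk test` that fails or is not authenticated still leaves the step green; if that is not intended, declare `shell: bash` (which adds `-o pipefail`) or test the exit status explicitly. The job's earlier steps are outside this hunk.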
@@ -15,54 +15,55 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v2 - - name: Use Node.js for installing Snyk - uses: actions/setup-node@v2 - with: - node-version: 18.4 + - name: Use Node.js for installing Snyk + uses: actions/setup-node@v2 + with: + node-version: 18.4 - # Install & prepare Snyk - - run: npm install --location=global snyk - - # This OPTIONAL step will configure the Snyk CLI to connect to the EU instance of Snyk - #- run: snyk config set use-base64-encoding=true - #- run: snyk config set endpoint='https://app.eu.snyk.io/api' - - - run: snyk auth ${{ secrets.SNYK_TOKEN }} + # Install & prepare Snyk + - run: npm install --location=global snyk - - name: Snyk Open Source Scanning - run: snyk test --org=${{ secrets.SNYK_ORG }} --all-projects --sarif-file-output=snyk-oss.sarif - continue-on-error: true - - name: Upload results to GitHub Open Source Scanning - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: snyk-oss.sarif + # This OPTIONAL step will configure the Snyk CLI to connect to the EU instance of Snyk + #- run: snyk config set endpoint='https://app.eu.snyk.io/api' - - name: Snyk Code Scanning - run: snyk code test --org=${{ secrets.SNYK_ORG }} --sarif-file-output=snyk-code.sarif - continue-on-error: true - - name: Upload results to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: snyk-code.sarif + - name: Setup Snyk + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + run: snyk auth "$SNYK_TOKEN" - #- name: Build the Docker Image - # run: docker build . 
--file Dockerfile --tag sebsnyk/juice-shop:latest + - name: Snyk Open Source Scanning + run: snyk test --org=${{ secrets.SNYK_ORG }} --all-projects --sarif-file-output=snyk-oss.sarif + continue-on-error: true + - name: Upload results to GitHub Open Source Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk-oss.sarif - - name: Snyk Container Scanning - run: snyk container test --org=${{ secrets.SNYK_ORG }} --file=Dockerfile --sarif-file-output=snyk-container.sarif sebsnyk/juice-shop:latest - continue-on-error: true - - name: Upload results to GitHub Container Scanning - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: snyk-container.sarif + - name: Snyk Code Scanning + run: snyk code test --sarif-file-output=snyk-code.sarif + continue-on-error: true + - name: Upload results to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk-code.sarif - - name: Snyk Infrastructure-as-Code Scanning - run: snyk iac test --org=${{ secrets.SNYK_ORG }} --sarif-file-output=snyk-iac.sarif - continue-on-error: true - - name: Upload results to GitHub IaC Scanning - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: snyk-iac.sarif - + #- name: Build the Docker Image + # run: docker build . --file Dockerfile --tag sebsnyk/juice-shop:latest + + - name: Snyk Container Scanning + run: snyk container test --file=Dockerfile --sarif-file-output=snyk-container.sarif sebsnyk/juice-shop:latest + continue-on-error: true + - name: Upload results to GitHub Container Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk-container.sarif + + - name: Snyk Infrastructure-as-Code Scanning + run: snyk iac test --sarif-file-output=snyk-iac.sarif + continue-on-error: true + - name: Upload results to GitHub IaC Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk-iac.sarif 
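Review bot: `run: snyk test --org=${{ secrets.SNYK_ORG }} --all-projects --sarif-file-output=snyk-oss.sarif` still interpolates a secret straight into the shell command, the very pattern this commit removes for the token; pass it the same way, via the step's `env:` (`SNYK_ORG: ${{ secrets.SNYK_ORG }}`) and `--org="$SNYK_ORG"`. The Code, Container and IaC steps in this hunk dropped `--org` entirely, so the Open Source scan and the other three may now report into different organizations; either all four scans should take the flag or none. `node-version: 18.4` is an unquoted float and should be `"18.4"` so a later `18.10` is not read as `18.1`. The job definition starts before this hunk.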
diff --git a/GitHub/GH-actions-pipeline-npm-nodejs.yml b/GitHub/GH-actions-pipeline-npm-nodejs.yml
index 3e09db4..58b91e6 100644
--- a/GitHub/GH-actions-pipeline-npm-nodejs.yml
+++ b/GitHub/GH-actions-pipeline-npm-nodejs.yml
@@ -2,13 +2,12 @@ name: Node.js CI on: push: - branches: [ master ] + branches: [master] pull_request: - branches: [ master ] + branches: [master] jobs: build: - runs-on: ubuntu-latest strategy:
@@ -22,10 +21,13 @@ jobs: uses: actions/setup-node@v2 with: node-version: ${{ matrix.node-version }} - cache: 'npm' + cache: "npm" - run: npm install - run: npm i -g snyk - - run: snyk auth ${{ secrets.SNYK_TOKEN }} + - name: Setup Snyk + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + run: snyk auth "$SNYK_TOKEN" - run: snyk monitor - name: install snyk-to-html
@@ -39,4 +41,4 @@ jobs: uses: actions/upload-artifact@v2 with: name: results - path: downloads
\ No newline at end of file
+ path: downloads