From b98f37665af9476ee66504e60e8c096b49d28ed4 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Sun, 15 Sep 2024 23:16:42 +0300 Subject: [PATCH 01/68] edit SonarQube workflow --- .github/workflows/sonarqube.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index 5e0a3e4e..fc4047d4 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml @@ -28,6 +28,12 @@ jobs: java-version: '11' distribution: 'temurin' java-package: 'jdk' + + - name: Start SonarQube + run: | + docker run -d --name sonar-server -p 9000:9000 sonarqube + # Wait for SonarQube to be fully up + while ! curl -s http://localhost:9000/api/system/status | grep UP; do sleep 5; done - name: SonarQube Scan uses: sonarsource/sonarqube-scan-action@v2.3.0 # Latest version of SonarQube scan action From c23154bf673ad652ad00f9af8e9896494583a434 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Sun, 15 Sep 2024 23:36:15 +0300 Subject: [PATCH 02/68] edit SonarQube workflow --- .github/workflows/sonarqube.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index fc4047d4..ffc6339c 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml @@ -22,10 +22,10 @@ jobs: # Disabling shallow clones is recommended for improving the relevancy of reporting fetch-depth: 0 - - name: Set up JDK 11 (Required for SonarQube) + - name: Set up JDK 17 (Required for SonarQube) uses: actions/setup-java@v4 with: - java-version: '11' + java-version: '17' distribution: 'temurin' java-package: 'jdk' From be7123ecf62b0b9594c8a327b19d4639837e4ad6 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Mon, 16 Sep 2024 00:11:02 +0300 Subject: [PATCH 03/68] edit SonarQube workflow --- .github/workflows/sonarqube.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) 
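Review bot: The readiness loop `while ! curl -s http://localhost:9000/api/system/status | grep UP; do sleep 5; done` has no upper bound, so if the container never reports UP (image pull failure, server exiting during startup) the step spins until the job-level timeout. Put `timeout-minutes: 10` on the step or count retries, and break out early if `docker ps` no longer lists `sonar-server`. The `sonarqube` image is also pulled without a tag, so each run gets whatever `latest` resolves to at the time; pin a version tag or digest so the scan is reproducible. Note that the scan step that follows still takes `SONAR_HOST_URL` from `vars.SONAR_HOST_URL`, so unless that variable is `http://localhost:9000` the container started here is never used, and a freshly started instance would in any case not recognise the token in `secrets.SONAR_TOKEN`.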
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index ffc6339c..87f3d095 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml @@ -14,33 +14,41 @@ name: Mutillidae II SonarQube Workflow jobs: sonarqube: runs-on: ubuntu-latest - + steps: + # Step 1: Check out your repository code - name: Checkout Code uses: actions/checkout@v4 with: # Disabling shallow clones is recommended for improving the relevancy of reporting fetch-depth: 0 + # Step 2: Set up Java - name: Set up JDK 17 (Required for SonarQube) uses: actions/setup-java@v4 with: java-version: '17' distribution: 'temurin' java-package: 'jdk' - + + # Step 3: Start SonarQube Docker container - name: Start SonarQube run: | docker run -d --name sonar-server -p 9000:9000 sonarqube # Wait for SonarQube to be fully up + echo "Waiting for SonarQube to start..." while ! curl -s http://localhost:9000/api/system/status | grep UP; do sleep 5; done + # Step 4: Run the SonarQube Scan - name: SonarQube Scan uses: sonarsource/sonarqube-scan-action@v2.3.0 # Latest version of SonarQube scan action env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # SonarQube authentication token SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }} # SonarQube URL + with: + projectBaseDir: . + # Step 5: Quality Gate Check (Optional) - name: Report Quality Gate Status if: always() # Ensure the status is reported even if the scan fails uses: sonarsource/sonarqube-quality-gate-action@master From 723dc2ad852428c8f4a1a8c9c0d23db1cc6b81ea Mon Sep 17 00:00:00 2001 From: meleksabit Date: Mon, 16 Sep 2024 00:13:39 +0300 Subject: [PATCH 04/68] edit SonarQube workflow --- .github/workflows/sonarqube.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index 87f3d095..fceab282 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml 
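Review bot: The new `with: projectBaseDir: .` is harmless, but the step it belongs to still points `SONAR_HOST_URL` at `vars.SONAR_HOST_URL` while the preceding step waits for a container on `localhost:9000`; the two halves of this workflow do not appear to talk to each other, and a freshly started SonarQube has no user token matching `secrets.SONAR_TOKEN`. Either drop the local container and scan the server named in the variable, or set `SONAR_HOST_URL: http://localhost:9000` here and provision a token on the local instance in a setup step first. The `# Step 5: Quality Gate Check (Optional)` comment is also at odds with `if: always()` on that step: as far as I can tell the gate action needs the scanner's report metadata, so running it after a failed scan just produces a second failure rather than an optional status, and the default `if: success()` reads truer.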
@@ -37,7 +37,7 @@ jobs: docker run -d --name sonar-server -p 9000:9000 sonarqube # Wait for SonarQube to be fully up echo "Waiting for SonarQube to start..." - while ! curl -s http://localhost:9000/api/system/status | grep UP; do sleep 5; done + while ! curl -s http://localhost:9000/api/system/status | grep UP; do sleep 9; done # Step 4: Run the SonarQube Scan - name: SonarQube Scan From fa147fcb31a989adcf1123308b0a0d604892af69 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Mon, 16 Sep 2024 00:24:54 +0300 Subject: [PATCH 05/68] edit SonarQube workflow --- .github/workflows/sonarqube.yml | 54 +++++++++++++++++++++++---------- 1 file changed, 38 insertions(+), 16 deletions(-) diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index fceab282..82a5636d 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml 
@@ -30,28 +30,50 @@ jobs: java-version: '17' distribution: 'temurin' java-package: 'jdk' + + # Step 3: Create a Docker network + - name: Create Docker network + run: docker network create sonarnet - # Step 3: Start SonarQube Docker container + # Step 4: Start SonarQube Docker container - name: Start SonarQube run: | - docker run -d --name sonar-server -p 9000:9000 sonarqube - # Wait for SonarQube to be fully up + docker run -d --name sonar-server --network sonarnet -p 9000:9000 sonarqube echo "Waiting for SonarQube to start..." - while ! curl -s http://localhost:9000/api/system/status | grep UP; do sleep 9; done + while ! curl -s http://localhost:9000/api/system/status | grep -q "UP"; do sleep 10; done - # Step 4: Run the SonarQube Scan + # Step 5: Run the SonarQube Scan - name: SonarQube Scan - uses: sonarsource/sonarqube-scan-action@v2.3.0 # Latest version of SonarQube scan action - env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # SonarQube authentication token - SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }} # SonarQube URL - with: - projectBaseDir: . + run: | + docker run --rm --network sonarnet \ + -e SONAR_HOST_URL="http://sonar-server:9000" \ + -e SONAR_TOKEN="${{ secrets.SONAR_TOKEN }}" \ + -v $(pwd):/usr/src \ + sonarsource/sonar-scanner-cli - # Step 5: Quality Gate Check (Optional) - - name: Report Quality Gate Status - if: always() # Ensure the status is reported even if the scan fails + # Check the Quality Gate status. + - name: SonarQube Quality Gate check + id: sonarqube-quality-gate-check uses: sonarsource/sonarqube-quality-gate-action@master + # Force to fail step after specific time. + timeout-minutes: 5 env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + + # Optionally you can use the output from the Quality Gate in another step. + # The possible outputs of the `quality-gate-status` variable are `PASSED`, `WARN` or `FAILED`. 
+ - name: Show SonarQube Quality Gate Status value + run: echo "The Quality Gate status is ${{ steps.sonarqube-quality-gate-check.outputs.quality-gate-status }}" + + # Step 6: Stop SonarQube Docker container + - name: Stop SonarQube + run: docker stop sonar-server + + # Step 7: Remove SonarQube Docker network + - name: Remove SonarQube network + run: docker network rm sonarnet + + # Step 8: Remove SonarQube Docker container + - name: Remove SonarQube + run: docker rm sonar-server + \ No newline at end of file From 1a82f529c385a3b55cb79643daba3f58feb93b91 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Mon, 16 Sep 2024 00:37:05 +0300 Subject: [PATCH 06/68] edit SonarQube workflow --- .github/workflows/sonarqube.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index 82a5636d..41bfb410 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml @@ -49,7 +49,7 @@ jobs: -e SONAR_HOST_URL="http://sonar-server:9000" \ -e SONAR_TOKEN="${{ secrets.SONAR_TOKEN }}" \ -v $(pwd):/usr/src \ - sonarsource/sonar-scanner-cli + sonarsource/sonar-scanner-cli -X # Check the Quality Gate status. - name: SonarQube Quality Gate check From 3a5f479bd7a38f682a27aef96849a068c74f31e9 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Mon, 16 Sep 2024 02:03:50 +0300 Subject: [PATCH 07/68] add sonar-project.properties file + edit SonarQube workflow --- .github/workflows/sonarqube.yml | 1 + sonar-project.properties | 1 + 2 files changed, 2 insertions(+) create mode 100644 sonar-project.properties diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index 41bfb410..5904f469 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml 
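Review bot: The token is interpolated straight into the shell script (`-e SONAR_TOKEN="${{ secrets.SONAR_TOKEN }}"`), which puts its value on the `docker run` command line where `docker inspect` and the runner's process listing can see it. Set it on the step instead, `env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}`, and pass `-e SONAR_TOKEN \` with no value so Docker copies it from the environment. Steps 6–8 that stop and remove the container and network have no `if: always()`, so they are skipped whenever the scan or gate fails; `docker rm -f sonar-server` under `if: always()` does both in one step. The quality-gate step also lost its `SONAR_HOST_URL`, and `http://sonar-server:9000` only resolves inside `sonarnet`; the gate action runs on the runner host, so it needs `http://localhost:9000` (the published port) to reach the same server the scanner reported to.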
@@ -59,6 +59,7 @@ jobs: timeout-minutes: 5 env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # Optionally you can use the output from the Quality Gate in another step. # The possible outputs of the `quality-gate-status` variable are `PASSED`, `WARN` or `FAILED`. diff --git a/sonar-project.properties b/sonar-project.properties new file mode 100644 index 00000000..5106bfeb --- /dev/null +++ b/sonar-project.properties @@ -0,0 +1 @@ +sonar.projectKey=Mutillidae-II \ No newline at end of file From c2741c50c9b8a98395d49d53cd82002f2c2d62ce Mon Sep 17 00:00:00 2001 From: meleksabit Date: Mon, 16 Sep 2024 02:12:13 +0300 Subject: [PATCH 08/68] edit SonarQube workflow --- .github/workflows/sonarqube.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index 5904f469..c076c14b 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml @@ -50,6 +50,8 @@ jobs: -e SONAR_TOKEN="${{ secrets.SONAR_TOKEN }}" \ -v $(pwd):/usr/src \ sonarsource/sonar-scanner-cli -X + -Dsonar.projectKey=Mutillidae-II \ + -Dsonar.sources=. # Check the Quality Gate status. - name: SonarQube Quality Gate check From 47207bcb03ed003411c8b5093bd0a38d3491afe9 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Mon, 16 Sep 2024 02:34:08 +0300 Subject: [PATCH 09/68] edit SonarQube workflow --- .github/workflows/sonarqube.yml | 88 +++++++-------------------------- 1 file changed, 17 insertions(+), 71 deletions(-) diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index c076c14b..d976d33e 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml 
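Review bot: `SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}` on the quality-gate step points the gate at whatever that secret holds, while the scanner two lines above reports to `http://sonar-server:9000` inside the `sonarnet` network; the gate action runs on the runner host, so it can only reach the local instance as `http://localhost:9000` through the published port, and any other value makes it query a server that did not receive this analysis. A URL is not sensitive, and keeping it in a secret masks it in every log line, which hides exactly the connection errors this step would emit; a repository variable (`vars.SONAR_HOST_URL`, as earlier revisions used) fits better. The new `sonar-project.properties` carries only `sonar.projectKey=Mutillidae-II` and no trailing newline; since the scanner picks it up from the mounted `/usr/src`, it is the natural home for `sonar.sources` as well rather than the command line.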
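Review bot: The new `-Dsonar.projectKey=Mutillidae-II \` and `-Dsonar.sources=.` lines never reach the scanner: the line before them, `sonarsource/sonar-scanner-cli -X`, has no trailing backslash, so the shell ends the `docker run` command there and then tries to execute `-Dsonar.projectKey=Mutillidae-II -Dsonar.sources=.` as a command of its own, which fails the step after the scan has already run with defaults. Change that line to `sonarsource/sonar-scanner-cli -X \` so the continuation holds. Since `sonar-project.properties` in the mounted workspace already sets `sonar.projectKey`, the command-line copy is redundant; keep one source of truth so the two cannot drift.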
@@ -1,82 +1,28 @@ +name: Build + on: - # Trigger analysis when pushing to your main branches, and when creating a pull request. push: branches: - main - - master - development - - 'releases/**' - pull_request: - types: [opened, synchronize, reopened] -name: Mutillidae II SonarQube Workflow jobs: - sonarqube: + build: + name: Build and analyze runs-on: ubuntu-latest steps: - # Step 1: Check out your repository code - - name: Checkout Code - uses: actions/checkout@v4 - with: - # Disabling shallow clones is recommended for improving the relevancy of reporting - fetch-depth: 0 - - # Step 2: Set up Java - - name: Set up JDK 17 (Required for SonarQube) - uses: actions/setup-java@v4 - with: - java-version: '17' - distribution: 'temurin' - java-package: 'jdk' - - # Step 3: Create a Docker network - - name: Create Docker network - run: docker network create sonarnet - - # Step 4: Start SonarQube Docker container - - name: Start SonarQube - run: | - docker run -d --name sonar-server --network sonarnet -p 9000:9000 sonarqube - echo "Waiting for SonarQube to start..." - while ! curl -s http://localhost:9000/api/system/status | grep -q "UP"; do sleep 10; done - - # Step 5: Run the SonarQube Scan - - name: SonarQube Scan - run: | - docker run --rm --network sonarnet \ - -e SONAR_HOST_URL="http://sonar-server:9000" \ - -e SONAR_TOKEN="${{ secrets.SONAR_TOKEN }}" \ - -v $(pwd):/usr/src \ - sonarsource/sonar-scanner-cli -X - -Dsonar.projectKey=Mutillidae-II \ - -Dsonar.sources=. - - # Check the Quality Gate status. - - name: SonarQube Quality Gate check - id: sonarqube-quality-gate-check - uses: sonarsource/sonarqube-quality-gate-action@master - # Force to fail step after specific time. - timeout-minutes: 5 - env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} - - # Optionally you can use the output from the Quality Gate in another step. - # The possible outputs of the `quality-gate-status` variable are `PASSED`, `WARN` or `FAILED`. 
- - name: Show SonarQube Quality Gate Status value - run: echo "The Quality Gate status is ${{ steps.sonarqube-quality-gate-check.outputs.quality-gate-status }}" - - # Step 6: Stop SonarQube Docker container - - name: Stop SonarQube - run: docker stop sonar-server - - # Step 7: Remove SonarQube Docker network - - name: Remove SonarQube network - run: docker network rm sonarnet - - # Step 8: Remove SonarQube Docker container - - name: Remove SonarQube - run: docker rm sonar-server - \ No newline at end of file + - uses: actions/checkout@v4 + with: + fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis + - uses: sonarsource/sonarqube-scan-action@master + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} + # If you wish to fail your job when the Quality Gate is red, uncomment the + # following lines. This would typically be used to fail a deployment. + # - uses: sonarsource/sonarqube-quality-gate-action@master + # timeout-minutes: 5 + # env: + # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} \ No newline at end of file From 1b787b6de7f1a4670a0dea301ebce642af5cadc9 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Mon, 16 Sep 2024 02:35:46 +0300 Subject: [PATCH 10/68] Revert "edit SonarQube workflow" This reverts commit 47207bcb03ed003411c8b5093bd0a38d3491afe9. --- .github/workflows/sonarqube.yml | 88 ++++++++++++++++++++++++++------- 1 file changed, 71 insertions(+), 17 deletions(-) diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index d976d33e..c076c14b 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml 
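Review bot: `uses: sonarsource/sonarqube-scan-action@master` replaces the `@v2.3.0` pin from the previous revision with a mutable branch ref, so whatever lands on that branch runs in this job with `SONAR_TOKEN` in its environment. Pin to a release tag, or better a full commit SHA with the tag in a comment (`uses: sonarsource/sonarqube-scan-action@<sha> # v2.3.0`), and do the same for the commented-out `sonarqube-quality-gate-action@master` before it is enabled. The file also ends without a newline, as the `\ No newline at end of file` marker shows.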
@@ -1,28 +1,82 @@ -name: Build - on: + # Trigger analysis when pushing to your main branches, and when creating a pull request. push: branches: - main + - master - development + - 'releases/**' + pull_request: + types: [opened, synchronize, reopened] +name: Mutillidae II SonarQube Workflow jobs: - build: - name: Build and analyze + sonarqube: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis - - uses: sonarsource/sonarqube-scan-action@master - env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} - # If you wish to fail your job when the Quality Gate is red, uncomment the - # following lines. This would typically be used to fail a deployment. - # - uses: sonarsource/sonarqube-quality-gate-action@master - # timeout-minutes: 5 - # env: - # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} \ No newline at end of file + # Step 1: Check out your repository code + - name: Checkout Code + uses: actions/checkout@v4 + with: + # Disabling shallow clones is recommended for improving the relevancy of reporting + fetch-depth: 0 + + # Step 2: Set up Java + - name: Set up JDK 17 (Required for SonarQube) + uses: actions/setup-java@v4 + with: + java-version: '17' + distribution: 'temurin' + java-package: 'jdk' + + # Step 3: Create a Docker network + - name: Create Docker network + run: docker network create sonarnet + + # Step 4: Start SonarQube Docker container + - name: Start SonarQube + run: | + docker run -d --name sonar-server --network sonarnet -p 9000:9000 sonarqube + echo "Waiting for SonarQube to start..." + while ! 
curl -s http://localhost:9000/api/system/status | grep -q "UP"; do sleep 10; done + + # Step 5: Run the SonarQube Scan + - name: SonarQube Scan + run: | + docker run --rm --network sonarnet \ + -e SONAR_HOST_URL="http://sonar-server:9000" \ + -e SONAR_TOKEN="${{ secrets.SONAR_TOKEN }}" \ + -v $(pwd):/usr/src \ + sonarsource/sonar-scanner-cli -X + -Dsonar.projectKey=Mutillidae-II \ + -Dsonar.sources=. + + # Check the Quality Gate status. + - name: SonarQube Quality Gate check + id: sonarqube-quality-gate-check + uses: sonarsource/sonarqube-quality-gate-action@master + # Force to fail step after specific time. + timeout-minutes: 5 + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} + + # Optionally you can use the output from the Quality Gate in another step. + # The possible outputs of the `quality-gate-status` variable are `PASSED`, `WARN` or `FAILED`. + - name: Show SonarQube Quality Gate Status value + run: echo "The Quality Gate status is ${{ steps.sonarqube-quality-gate-check.outputs.quality-gate-status }}" + + # Step 6: Stop SonarQube Docker container + - name: Stop SonarQube + run: docker stop sonar-server + + # Step 7: Remove SonarQube Docker network + - name: Remove SonarQube network + run: docker network rm sonarnet + + # Step 8: Remove SonarQube Docker container + - name: Remove SonarQube + run: docker rm sonar-server + \ No newline at end of file From e600cb7ba450655eb15c34ab7a07283221a986e2 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Wed, 18 Sep 2024 00:06:46 +0300 Subject: [PATCH 11/68] edit SonarQube workflow --- .github/workflows/sonarqube.yml | 89 +++++++-------------------------- 1 file changed, 17 insertions(+), 72 deletions(-) diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index c076c14b..1268e15a 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml 
@@ -1,82 +1,27 @@ +name: Build + on: - # Trigger analysis when pushing to your main branches, and when creating a pull request. push: branches: - main - - master - - development - - 'releases/**' - pull_request: - types: [opened, synchronize, reopened] -name: Mutillidae II SonarQube Workflow jobs: - sonarqube: + build: + name: Build and analyze runs-on: ubuntu-latest steps: - # Step 1: Check out your repository code - - name: Checkout Code - uses: actions/checkout@v4 - with: - # Disabling shallow clones is recommended for improving the relevancy of reporting - fetch-depth: 0 - - # Step 2: Set up Java - - name: Set up JDK 17 (Required for SonarQube) - uses: actions/setup-java@v4 - with: - java-version: '17' - distribution: 'temurin' - java-package: 'jdk' - - # Step 3: Create a Docker network - - name: Create Docker network - run: docker network create sonarnet - - # Step 4: Start SonarQube Docker container - - name: Start SonarQube - run: | - docker run -d --name sonar-server --network sonarnet -p 9000:9000 sonarqube - echo "Waiting for SonarQube to start..." - while ! curl -s http://localhost:9000/api/system/status | grep -q "UP"; do sleep 10; done - - # Step 5: Run the SonarQube Scan - - name: SonarQube Scan - run: | - docker run --rm --network sonarnet \ - -e SONAR_HOST_URL="http://sonar-server:9000" \ - -e SONAR_TOKEN="${{ secrets.SONAR_TOKEN }}" \ - -v $(pwd):/usr/src \ - sonarsource/sonar-scanner-cli -X - -Dsonar.projectKey=Mutillidae-II \ - -Dsonar.sources=. - - # Check the Quality Gate status. - - name: SonarQube Quality Gate check - id: sonarqube-quality-gate-check - uses: sonarsource/sonarqube-quality-gate-action@master - # Force to fail step after specific time. - timeout-minutes: 5 - env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} - - # Optionally you can use the output from the Quality Gate in another step. - # The possible outputs of the `quality-gate-status` variable are `PASSED`, `WARN` or `FAILED`. 
- - name: Show SonarQube Quality Gate Status value - run: echo "The Quality Gate status is ${{ steps.sonarqube-quality-gate-check.outputs.quality-gate-status }}" - - # Step 6: Stop SonarQube Docker container - - name: Stop SonarQube - run: docker stop sonar-server - - # Step 7: Remove SonarQube Docker network - - name: Remove SonarQube network - run: docker network rm sonarnet - - # Step 8: Remove SonarQube Docker container - - name: Remove SonarQube - run: docker rm sonar-server - \ No newline at end of file + - uses: actions/checkout@v4 + with: + fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis + - uses: sonarsource/sonarqube-scan-action@master + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} + # If you wish to fail your job when the Quality Gate is red, uncomment the + # following lines. This would typically be used to fail a deployment. + # - uses: sonarsource/sonarqube-quality-gate-action@master + # timeout-minutes: 5 + # env: + # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} \ No newline at end of file From 2765342d5c0706d37468b38346255a4b6ad94ca7 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Wed, 18 Sep 2024 00:07:39 +0300 Subject: [PATCH 12/68] edit SonarQube workflow --- .github/workflows/sonarqube.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index 1268e15a..d976d33e 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml @@ -4,6 +4,7 @@ on: push: branches: - main + - development jobs: From a42b70bbd85771a1a4fbb992c6eea9be5b0c2e5b Mon Sep 17 00:00:00 2001 From: meleksabit Date: Wed, 18 Sep 2024 00:16:00 +0300 Subject: [PATCH 13/68] edit SonarQube workflow --- .github/workflows/sonarqube.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index d976d33e..21aa0d8b 100644 
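Review bot: Removing `pull_request: types: [opened, synchronize, reopened]` from `on:` means a change is only analysed once it is already on `main`; if the scan is meant to block bad merges, the PR trigger needs to stay. Fork PRs do not receive `SONAR_TOKEN`, so a `pull_request` run from a fork would fail at the scan step; guard it with `if: github.event.pull_request.head.repo.full_name == github.repository` or accept that only same-repo PRs are scanned. `sonarsource/sonarqube-scan-action@master` is again a floating ref here; pin it to a release tag or commit SHA.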
--- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml @@ -20,6 +20,15 @@ jobs: env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} + # Step 5: Run the SonarQube Scan + - name: SonarQube Scan + run: | + -e SONAR_HOST_URL="http://sonar-server:9000" \ + -e SONAR_TOKEN="${{ secrets.SONAR_TOKEN }}" \ + -v $(pwd):/usr/src \ + sonarsource/sonar-scanner-cli -X + -Dsonar.projectKey=Mutillidae-II \ + -Dsonar.sources=. # If you wish to fail your job when the Quality Gate is red, uncomment the # following lines. This would typically be used to fail a deployment. # - uses: sonarsource/sonarqube-quality-gate-action@master From 34ec8de7bd44828bac95452ad738c9500d6e2800 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Wed, 18 Sep 2024 00:19:38 +0300 Subject: [PATCH 14/68] edit SonarQube workflow --- .github/workflows/sonarqube.yml | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index 21aa0d8b..d133b086 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml @@ -20,15 +20,10 @@ jobs: env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} - # Step 5: Run the SonarQube Scan - - name: SonarQube Scan - run: | - -e SONAR_HOST_URL="http://sonar-server:9000" \ - -e SONAR_TOKEN="${{ secrets.SONAR_TOKEN }}" \ - -v $(pwd):/usr/src \ - sonarsource/sonar-scanner-cli -X - -Dsonar.projectKey=Mutillidae-II \ - -Dsonar.sources=. + run: | + sonarsource/sonar-scanner-cli -X + -Dsonar.projectKey=Mutillidae-II \ + -Dsonar.sources=. # If you wish to fail your job when the Quality Gate is red, uncomment the # following lines. This would typically be used to fail a deployment. # - uses: sonarsource/sonarqube-quality-gate-action@master From b67aaf5a11a54aab8f3a764e650fcc77e528ff38 Mon Sep 17 00:00:00 2001 
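Review bot: The `run: |` block is now attached to the step that already has `uses: sonarsource/sonarqube-scan-action@master`, and a step may carry either `uses` or `run`, not both, so GitHub will reject the workflow before any step executes. The script itself is also not runnable: `sonarsource/sonar-scanner-cli -X` is an image name rather than a command, and the `-Dsonar...` lines after it are separate shell commands because `-X` is not followed by `\`. Keep the action and let it read `sonar-project.properties` from the checkout (or pass the keys through the action's `args` input, if this version supports it), or replace it with a separate `run:` step that invokes `docker run ... sonarsource/sonar-scanner-cli -X \` followed by the `-D` arguments — not both.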
From: meleksabit Date: Wed, 18 Sep 2024 00:23:03 +0300 Subject: [PATCH 15/68] edit SonarQube workflow --- .github/workflows/sonarqube.yml | 92 +++++++++++++++++++++++++-------- 1 file changed, 71 insertions(+), 21 deletions(-) diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index d133b086..c076c14b 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml 
@@ -1,32 +1,82 @@ -name: Build - on: + # Trigger analysis when pushing to your main branches, and when creating a pull request. push: branches: - main + - master - development + - 'releases/**' + pull_request: + types: [opened, synchronize, reopened] +name: Mutillidae II SonarQube Workflow jobs: - build: - name: Build and analyze + sonarqube: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis - - uses: sonarsource/sonarqube-scan-action@master - env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} - run: | - sonarsource/sonar-scanner-cli -X - -Dsonar.projectKey=Mutillidae-II \ - -Dsonar.sources=. - # If you wish to fail your job when the Quality Gate is red, uncomment the - # following lines. This would typically be used to fail a deployment. - # - uses: sonarsource/sonarqube-quality-gate-action@master - # timeout-minutes: 5 - # env: - # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} \ No newline at end of file + # Step 1: Check out your repository code + - name: Checkout Code + uses: actions/checkout@v4 + with: + # Disabling shallow clones is recommended for improving the relevancy of reporting + fetch-depth: 0 + + # Step 2: Set up Java + - name: Set up JDK 17 (Required for SonarQube) + uses: actions/setup-java@v4 + with: + java-version: '17' + distribution: 'temurin' + java-package: 'jdk' + + # Step 3: Create a Docker network + - name: Create Docker network + run: docker network create sonarnet + + # Step 4: Start SonarQube Docker container + - name: Start SonarQube + run: | + docker run -d --name sonar-server --network sonarnet -p 9000:9000 sonarqube + echo "Waiting for SonarQube to start..." + while ! 
curl -s http://localhost:9000/api/system/status | grep -q "UP"; do sleep 10; done + + # Step 5: Run the SonarQube Scan + - name: SonarQube Scan + run: | + docker run --rm --network sonarnet \ + -e SONAR_HOST_URL="http://sonar-server:9000" \ + -e SONAR_TOKEN="${{ secrets.SONAR_TOKEN }}" \ + -v $(pwd):/usr/src \ + sonarsource/sonar-scanner-cli -X + -Dsonar.projectKey=Mutillidae-II \ + -Dsonar.sources=. + + # Check the Quality Gate status. + - name: SonarQube Quality Gate check + id: sonarqube-quality-gate-check + uses: sonarsource/sonarqube-quality-gate-action@master + # Force to fail step after specific time. + timeout-minutes: 5 + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} + + # Optionally you can use the output from the Quality Gate in another step. + # The possible outputs of the `quality-gate-status` variable are `PASSED`, `WARN` or `FAILED`. + - name: Show SonarQube Quality Gate Status value + run: echo "The Quality Gate status is ${{ steps.sonarqube-quality-gate-check.outputs.quality-gate-status }}" + + # Step 6: Stop SonarQube Docker container + - name: Stop SonarQube + run: docker stop sonar-server + + # Step 7: Remove SonarQube Docker network + - name: Remove SonarQube network + run: docker network rm sonarnet + + # Step 8: Remove SonarQube Docker container + - name: Remove SonarQube + run: docker rm sonar-server + \ No newline at end of file From 1dcdad13df0ac8ab91da04da186dd12c0b73333f Mon Sep 17 00:00:00 2001 From: meleksabit Date: Wed, 18 Sep 2024 00:40:20 +0300 Subject: [PATCH 16/68] edit SonarQube workflow --- .github/workflows/sonarqube.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index c076c14b..d5cdd69e 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml 
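Review bot: Steps 6–8 (`docker stop sonar-server`, `docker network rm sonarnet`, `docker rm sonar-server`) have no `if: always()`, so a failed scan or red quality gate skips them; on an ephemeral hosted runner that is harmless, but on a self-hosted runner the next run's `docker network create sonarnet` then fails on the existing name. Give the teardown `if: always()` and collapse it into `docker rm -f sonar-server && docker network rm sonarnet`. Because this hunk reinstates the earlier Docker-based workflow wholesale, it also brings back the issues in that version: the unbounded readiness loop, `secrets.SONAR_TOKEN` expanded inline in the `run:` script, the missing `\` after `sonar-scanner-cli -X`, and the gate step pointed at `secrets.SONAR_HOST_URL` while the scanner reported to `http://sonar-server:9000`.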
@@ -50,7 +50,7 @@ jobs: -e SONAR_TOKEN="${{ secrets.SONAR_TOKEN }}" \ -v $(pwd):/usr/src \ sonarsource/sonar-scanner-cli -X - -Dsonar.projectKey=Mutillidae-II \ + -Dsonar.projectKey=Mutillidae-II-2 \ -Dsonar.sources=. # Check the Quality Gate status. From deda6f4ea4af915c6005dead51798441c88664ba Mon Sep 17 00:00:00 2001 From: meleksabit Date: Wed, 18 Sep 2024 00:44:37 +0300 Subject: [PATCH 17/68] edit SonarQube workflow --- .github/workflows/sonarqube.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index d5cdd69e..de12d1a1 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml @@ -46,7 +46,7 @@ jobs: - name: SonarQube Scan run: | docker run --rm --network sonarnet \ - -e SONAR_HOST_URL="http://sonar-server:9000" \ + -e SONAR_HOST_URL="http://localhost:9000" \ -e SONAR_TOKEN="${{ secrets.SONAR_TOKEN }}" \ -v $(pwd):/usr/src \ sonarsource/sonar-scanner-cli -X From 48f514818b78b6e5a9ef236a2063f47015466326 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Wed, 18 Sep 2024 00:58:36 +0300 Subject: [PATCH 18/68] edit SonarQube workflow --- .github/workflows/sonarqube.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index de12d1a1..d5cdd69e 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml @@ -46,7 +46,7 @@ jobs: - name: SonarQube Scan run: | docker run --rm --network sonarnet \ - -e SONAR_HOST_URL="http://localhost:9000" \ + -e SONAR_HOST_URL="http://sonar-server:9000" \ -e SONAR_TOKEN="${{ secrets.SONAR_TOKEN }}" \ -v $(pwd):/usr/src \ sonarsource/sonar-scanner-cli -X From 0dfa13259453a1d5789c3156c7c97211aa8eb0c0 Mon Sep 17 00:00:00 2001 
From: meleksabit Date: Wed, 18 Sep 2024 01:17:19 +0300 Subject: [PATCH 19/68] edit SonarQube workflow + add docker-compose file --- .github/workflows/sonarqube.yml | 83 ++++++--------------------------- docker-compose.yml | 42 +++++++++++++++++ 2 files changed, 57 insertions(+), 68 deletions(-) create mode 100644 docker-compose.yml diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index d5cdd69e..da14bd83 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml 
@@ -1,82 +1,29 @@ +name: SonarQube Analysis + on: - # Trigger analysis when pushing to your main branches, and when creating a pull request. push: branches: - main - - master - development - - 'releases/**' - pull_request: - types: [opened, synchronize, reopened] - -name: Mutillidae II SonarQube Workflow jobs: - sonarqube: + sonar-scan: runs-on: ubuntu-latest steps: - # Step 1: Check out your repository code - - name: Checkout Code - uses: actions/checkout@v4 - with: - # Disabling shallow clones is recommended for improving the relevancy of reporting - fetch-depth: 0 - - # Step 2: Set up Java - - name: Set up JDK 17 (Required for SonarQube) - uses: actions/setup-java@v4 - with: - java-version: '17' - distribution: 'temurin' - java-package: 'jdk' - - # Step 3: Create a Docker network - - name: Create Docker network - run: docker network create sonarnet - - # Step 4: Start SonarQube Docker container - - name: Start SonarQube - run: | - docker run -d --name sonar-server --network sonarnet -p 9000:9000 sonarqube - echo "Waiting for SonarQube to start..." - while ! curl -s http://localhost:9000/api/system/status | grep -q "UP"; do sleep 10; done - - # Step 5: Run the SonarQube Scan - - name: SonarQube Scan - run: | - docker run --rm --network sonarnet \ - -e SONAR_HOST_URL="http://sonar-server:9000" \ - -e SONAR_TOKEN="${{ secrets.SONAR_TOKEN }}" \ - -v $(pwd):/usr/src \ - sonarsource/sonar-scanner-cli -X - -Dsonar.projectKey=Mutillidae-II-2 \ - -Dsonar.sources=. - - # Check the Quality Gate status. - - name: SonarQube Quality Gate check - id: sonarqube-quality-gate-check - uses: sonarsource/sonarqube-quality-gate-action@master - # Force to fail step after specific time. - timeout-minutes: 5 - env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} + - name: Checkout repository + uses: actions/checkout@v4 - # Optionally you can use the output from the Quality Gate in another step. 
- # The possible outputs of the `quality-gate-status` variable are `PASSED`, `WARN` or `FAILED`. - - name: Show SonarQube Quality Gate Status value - run: echo "The Quality Gate status is ${{ steps.sonarqube-quality-gate-check.outputs.quality-gate-status }}" + - name: Set up Docker Compose + run: sudo apt-get install docker-compose - # Step 6: Stop SonarQube Docker container - - name: Stop SonarQube - run: docker stop sonar-server + - name: Build and Run SonarQube with Docker Compose + run: docker-compose up -d - # Step 7: Remove SonarQube Docker network - - name: Remove SonarQube network - run: docker network rm sonarnet + - name: Run SonarScanner + run: | + docker-compose run sonar-scanner - # Step 8: Remove SonarQube Docker container - - name: Remove SonarQube - run: docker rm sonar-server - \ No newline at end of file + - name: Tear down Docker Compose + if: always() + run: docker-compose down diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 00000000..6680cb53 --- /dev/null +++ b/docker-compose.yml 
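Review bot: `sudo apt-get install docker-compose` is run without `-y` (and without `apt-get update`), so in a non-interactive runner the confirmation prompt cannot be answered and apt is likely to abort; as far as I know hosted `ubuntu-latest` images already ship the Compose v2 plugin, so `docker compose` (space, not hyphen) needs no install step at all. More significant is that the readiness wait has been dropped: `docker-compose run sonar-scanner` runs the moment `up -d` returns, and `depends_on` only orders container start, not SonarQube reporting `UP`, so the scanner will usually hit a server that is still booting. Reinstate a bounded poll of `http://localhost:9000/api/system/status` for `"UP"` between those two steps (the port is published by the compose file), and note that `up -d` also starts the `sonar-scanner` service once on its own before `run` starts it a second time.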
@@ -0,0 +1,42 @@ +version: '3' + +services: + sonar-server: + image: sonarqube:latest + container_name: sonar-server + ports: + - "9000:9000" # Expose port 9000 for SonarQube + networks: + - sonarnet + environment: + - SONAR_JDBC_URL=jdbc:postgresql://db:5432/sonarqube + - SONAR_JDBC_USERNAME=sonar + - SONAR_JDBC_PASSWORD=sonar + + db: + image: postgres:latest + container_name: sonar-db + networks: + - sonarnet + environment: + - POSTGRES_USER=sonar + - POSTGRES_PASSWORD=sonar + - POSTGRES_DB=sonarqube + + sonar-scanner: + image: sonarsource/sonar-scanner-cli:latest + container_name: sonar-scanner + depends_on: + - sonar-server + networks: + - sonarnet + environment: + - SONAR_HOST_URL=http://sonar-server:9000 + - SONAR_TOKEN=${{ secrets.SONAR_TOKEN }} # GitHub Secret for SonarQube Token + volumes: + - .:/usr/src + entrypoint: ["/bin/bash", "-c", "sonar-scanner -Dsonar.projectKey=Mutillidae-II-2 -Dsonar.sources=."] + +networks: + sonarnet: + driver: bridge From a21508ef51d8df9bc6a58dbd56eeec7a28bb7b21 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Wed, 18 Sep 2024 01:32:09 +0300 Subject: [PATCH 20/68] edit SonarQube workflow + edit docker-compose file --- .github/workflows/sonarqube.yml | 3 +++ docker-compose.yml | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index da14bd83..e1bcbbe4 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml @@ -17,6 +17,9 @@ jobs: - name: Set up Docker Compose run: sudo apt-get install docker-compose + - name: Create .env file + run: echo "SONAR_TOKEN=${{ secrets.SONAR_TOKEN }}" > .env + - name: Build and Run SonarQube with Docker Compose run: docker-compose up -d diff --git a/docker-compose.yml b/docker-compose.yml index 6680cb53..6f2b44dc 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
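Review bot: `SONAR_TOKEN=${{ secrets.SONAR_TOKEN }}` in the `sonar-scanner` environment is GitHub Actions expression syntax, which nothing evaluates inside a Compose file; Compose applies its own `${VAR}` interpolation to that line and either rejects the `${{` form or passes the text through literally (PATCH 20/68 changes it to `${SONAR_TOKEN}`). The token is then presented to a SonarQube that this same file creates fresh from `sonarqube:latest` on an empty `postgres` database, so unless the instance is provisioned in some way not visible here, a token issued by another instance cannot be valid against it. All three images use `:latest`, and the database credentials are the literal `sonar`/`sonar` in both `environment:` blocks; pinning the tags (ideally to a digest) and reading `POSTGRES_PASSWORD`/`SONAR_JDBC_PASSWORD` from the environment the same way as the token would keep the file reproducible and out of the literal-credential habit.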
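Review bot: `echo "SONAR_TOKEN=${{ secrets.SONAR_TOKEN }}" > .env` writes the secret in clear text into the checked-out workspace, and that same directory is bind-mounted into the scanner as `/usr/src` and analysed as `sonar.sources=.`, so the token file sits inside the scanned tree and inside anything a later step archives. A step-level `env:` block reaches Compose interpolation without touching disk: `env:` / `  SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}` on both the `docker-compose up -d` and `docker-compose run sonar-scanner` steps, which is what PATCH 23/68 does. If a file is unavoidable, create it under `umask 077` and delete it in the `if: always()` teardown step.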
@@ -32,7 +32,7 @@ services: - sonarnet environment: - SONAR_HOST_URL=http://sonar-server:9000 - - SONAR_TOKEN=${{ secrets.SONAR_TOKEN }} # GitHub Secret for SonarQube Token + - SONAR_TOKEN=${SONAR_TOKEN} # Use standard Docker variable interpolation here volumes: - .:/usr/src entrypoint: ["/bin/bash", "-c", "sonar-scanner -Dsonar.projectKey=Mutillidae-II-2 -Dsonar.sources=."] From dea6e5cd0713b1e2845b8a0fee4a5061b84a9bfb Mon Sep 17 00:00:00 2001 From: meleksabit Date: Wed, 18 Sep 2024 02:02:19 +0300 Subject: [PATCH 21/68] edit SonarQube workflow + edit docker-compose file --- .github/workflows/sonarqube.yml | 84 ++++++++++++++++++++++++++------- docker-compose.yml | 2 +- 2 files changed, 68 insertions(+), 18 deletions(-) diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index e1bcbbe4..d5cdd69e 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml 
@@ -1,32 +1,82 @@ -name: SonarQube Analysis - on: + # Trigger analysis when pushing to your main branches, and when creating a pull request. push: branches: - main + - master - development + - 'releases/**' + pull_request: + types: [opened, synchronize, reopened] + +name: Mutillidae II SonarQube Workflow jobs: - sonar-scan: + sonarqube: runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@v4 + # Step 1: Check out your repository code + - name: Checkout Code + uses: actions/checkout@v4 + with: + # Disabling shallow clones is recommended for improving the relevancy of reporting + fetch-depth: 0 + + # Step 2: Set up Java + - name: Set up JDK 17 (Required for SonarQube) + uses: actions/setup-java@v4 + with: + java-version: '17' + distribution: 'temurin' + java-package: 'jdk' + + # Step 3: Create a Docker network + - name: Create Docker network + run: docker network create sonarnet + + # Step 4: Start SonarQube Docker container + - name: Start SonarQube + run: | + docker run -d --name sonar-server --network sonarnet -p 9000:9000 sonarqube + echo "Waiting for SonarQube to start..." + while ! curl -s http://localhost:9000/api/system/status | grep -q "UP"; do sleep 10; done + + # Step 5: Run the SonarQube Scan + - name: SonarQube Scan + run: | + docker run --rm --network sonarnet \ + -e SONAR_HOST_URL="http://sonar-server:9000" \ + -e SONAR_TOKEN="${{ secrets.SONAR_TOKEN }}" \ + -v $(pwd):/usr/src \ + sonarsource/sonar-scanner-cli -X + -Dsonar.projectKey=Mutillidae-II-2 \ + -Dsonar.sources=. - - name: Set up Docker Compose - run: sudo apt-get install docker-compose + # Check the Quality Gate status. + - name: SonarQube Quality Gate check + id: sonarqube-quality-gate-check + uses: sonarsource/sonarqube-quality-gate-action@master + # Force to fail step after specific time. 
+ timeout-minutes: 5 + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} - - name: Create .env file - run: echo "SONAR_TOKEN=${{ secrets.SONAR_TOKEN }}" > .env + # Optionally you can use the output from the Quality Gate in another step. + # The possible outputs of the `quality-gate-status` variable are `PASSED`, `WARN` or `FAILED`. + - name: Show SonarQube Quality Gate Status value + run: echo "The Quality Gate status is ${{ steps.sonarqube-quality-gate-check.outputs.quality-gate-status }}" - - name: Build and Run SonarQube with Docker Compose - run: docker-compose up -d + # Step 6: Stop SonarQube Docker container + - name: Stop SonarQube + run: docker stop sonar-server - - name: Run SonarScanner - run: | - docker-compose run sonar-scanner + # Step 7: Remove SonarQube Docker network + - name: Remove SonarQube network + run: docker network rm sonarnet - - name: Tear down Docker Compose - if: always() - run: docker-compose down + # Step 8: Remove SonarQube Docker container + - name: Remove SonarQube + run: docker rm sonar-server + \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index 6f2b44dc..12b42818 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,4 +1,4 @@ -version: '3' +version: '3.8' services: sonar-server: From 5589b4ce3d1c5e6d730fb8b4c58bf24ecab441e0 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Wed, 18 Sep 2024 12:58:20 +0300 Subject: [PATCH 22/68] edit SonarQube workflow --- .github/workflows/sonarqube.yml | 84 +++++++-------------------------- 1 file changed, 17 insertions(+), 67 deletions(-) diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index d5cdd69e..e1bcbbe4 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml 
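Review bot: In the `SonarQube Scan` step the line `sonarsource/sonar-scanner-cli -X` has no trailing backslash, so the shell runs the scanner with no project key or sources and then tries to execute `-Dsonar.projectKey=Mutillidae-II-2 -Dsonar.sources=.` as a command; the line should end `sonarsource/sonar-scanner-cli -X \`. The `SonarQube Quality Gate check` step reads `SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}` while the scan ran against the ephemeral `http://sonar-server:9000`, so the gate is queried on whatever host the secret names rather than the instance that holds the report, and `sonarsource/sonarqube-quality-gate-action@master` is an unpinned moving ref. The three cleanup steps (`docker stop`, `docker network rm`, `docker rm`) have no `if: always()` and are skipped whenever an earlier step fails.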
@@ -1,82 +1,32 @@ +name: SonarQube Analysis + on: - # Trigger analysis when pushing to your main branches, and when creating a pull request. push: branches: - main - - master - development - - 'releases/**' - pull_request: - types: [opened, synchronize, reopened] - -name: Mutillidae II SonarQube Workflow jobs: - sonarqube: + sonar-scan: runs-on: ubuntu-latest steps: - # Step 1: Check out your repository code - - name: Checkout Code - uses: actions/checkout@v4 - with: - # Disabling shallow clones is recommended for improving the relevancy of reporting - fetch-depth: 0 - - # Step 2: Set up Java - - name: Set up JDK 17 (Required for SonarQube) - uses: actions/setup-java@v4 - with: - java-version: '17' - distribution: 'temurin' - java-package: 'jdk' - - # Step 3: Create a Docker network - - name: Create Docker network - run: docker network create sonarnet - - # Step 4: Start SonarQube Docker container - - name: Start SonarQube - run: | - docker run -d --name sonar-server --network sonarnet -p 9000:9000 sonarqube - echo "Waiting for SonarQube to start..." - while ! curl -s http://localhost:9000/api/system/status | grep -q "UP"; do sleep 10; done - - # Step 5: Run the SonarQube Scan - - name: SonarQube Scan - run: | - docker run --rm --network sonarnet \ - -e SONAR_HOST_URL="http://sonar-server:9000" \ - -e SONAR_TOKEN="${{ secrets.SONAR_TOKEN }}" \ - -v $(pwd):/usr/src \ - sonarsource/sonar-scanner-cli -X - -Dsonar.projectKey=Mutillidae-II-2 \ - -Dsonar.sources=. + - name: Checkout repository + uses: actions/checkout@v4 - # Check the Quality Gate status. - - name: SonarQube Quality Gate check - id: sonarqube-quality-gate-check - uses: sonarsource/sonarqube-quality-gate-action@master - # Force to fail step after specific time. 
- timeout-minutes: 5 - env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} + - name: Set up Docker Compose + run: sudo apt-get install docker-compose - # Optionally you can use the output from the Quality Gate in another step. - # The possible outputs of the `quality-gate-status` variable are `PASSED`, `WARN` or `FAILED`. - - name: Show SonarQube Quality Gate Status value - run: echo "The Quality Gate status is ${{ steps.sonarqube-quality-gate-check.outputs.quality-gate-status }}" + - name: Create .env file + run: echo "SONAR_TOKEN=${{ secrets.SONAR_TOKEN }}" > .env - # Step 6: Stop SonarQube Docker container - - name: Stop SonarQube - run: docker stop sonar-server + - name: Build and Run SonarQube with Docker Compose + run: docker-compose up -d - # Step 7: Remove SonarQube Docker network - - name: Remove SonarQube network - run: docker network rm sonarnet + - name: Run SonarScanner + run: | + docker-compose run sonar-scanner - # Step 8: Remove SonarQube Docker container - - name: Remove SonarQube - run: docker rm sonar-server - \ No newline at end of file + - name: Tear down Docker Compose + if: always() + run: docker-compose down From 356b4f81fcfc81951325632e050a4eacb74904e3 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Wed, 18 Sep 2024 13:06:22 +0300 Subject: [PATCH 23/68] edit SonarQube workflow --- .github/workflows/sonarqube.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index e1bcbbe4..a6bc25dc 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml 
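Review bot: The new side drops the `SonarQube Quality Gate check` step together with the readiness loop, so the scan outcome no longer influences the job: `docker-compose run sonar-scanner` succeeds as soon as the scanner process exits, and a failed gate on the server the job itself started is never reported. If enforcement is intended, keep a gate step pointed at the same `http://localhost:9000` this job brings up, or pass `-Dsonar.qualitygate.wait=true` to the scanner so the step fails on a red gate. The `Create .env file` and `apt-get install docker-compose` steps carry the issues already noted on PATCH 19/68 and 20/68; PATCH 19/68 shares the missing-gate problem too.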
@@ -12,20 +12,20 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v3 - name: Set up Docker Compose run: sudo apt-get install docker-compose - - name: Create .env file - run: echo "SONAR_TOKEN=${{ secrets.SONAR_TOKEN }}" > .env - - name: Build and Run SonarQube with Docker Compose + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} run: docker-compose up -d - - name: Run SonarScanner - run: | - docker-compose run sonar-scanner + - name: Run SonarScanner with the environment variable + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + run: docker-compose run sonar-scanner - name: Tear down Docker Compose if: always() From 3748168e7ed42114db128c5884e9dcef7276ceb9 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Wed, 18 Sep 2024 14:06:31 +0300 Subject: [PATCH 24/68] edit SonarQube workflow --- .github/workflows/sonarqube.yml | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index a6bc25dc..4234fead 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml @@ -12,20 +12,17 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set up Docker Compose run: sudo apt-get install docker-compose - name: Build and Run SonarQube with Docker Compose - env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - run: docker-compose up -d + run: SONAR_TOKEN=${{ secrets.SONAR_TOKEN }} docker-compose up -d - - name: Run SonarScanner with the environment variable - env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - run: docker-compose run sonar-scanner + - name: Run SonarScanner + run: | + SONAR_TOKEN=${{ secrets.SONAR_TOKEN }} docker-compose run sonar-scanner - name: Tear down Docker Compose if: always() From 7e7fd8ece6149afddd3385bc0c6e66947ece56f4 Mon Sep 17 00:00:00 2001 
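Review bot: `uses: actions/checkout@v3` replaces the `@v4` the file already had — a downgrade to an older, Node 16-based release that GitHub has been phasing out — and the very next patch restores `@v4`, so this line only adds churn. Passing `SONAR_TOKEN` through `env:` on the two Compose steps, as this hunk does, is the right shape for Compose's `${SONAR_TOKEN}` interpolation and is worth keeping rather than reverting to an inline assignment.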
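Review bot: `run: SONAR_TOKEN=${{ secrets.SONAR_TOKEN }} docker-compose up -d` splices the secret unquoted into the shell command line, so a token containing shell metacharacters changes the command, and the value becomes part of the step's script text rather than only of the process environment; the `env:` form this hunk removes is the documented way to hand a secret to a step. The same pattern appears on the `Run SonarScanner` step, where `run: |` now wraps a single line and can be a plain scalar. PATCH 25/68 goes back to `env:`.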
From: meleksabit Date: Wed, 18 Sep 2024 14:15:10 +0300 Subject: [PATCH 25/68] edit SonarQube workflow + edit docker-compose file --- .github/workflows/sonarqube.yml | 15 +++++++++++---- docker-compose.yml | 2 +- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index 4234fead..df7aa52e 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml @@ -18,11 +18,18 @@ jobs: run: sudo apt-get install docker-compose - name: Build and Run SonarQube with Docker Compose - run: SONAR_TOKEN=${{ secrets.SONAR_TOKEN }} docker-compose up -d + # Pass the SONAR_TOKEN from GitHub Secrets as an environment variable + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + run: docker-compose up -d sonar-server - - name: Run SonarScanner - run: | - SONAR_TOKEN=${{ secrets.SONAR_TOKEN }} docker-compose run sonar-scanner + - name: Wait for SonarQube to be ready + run: sleep 60 # Adjust this time if needed, depending on your server startup time + + - name: Run SonarScanner with the environment variable + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + run: docker-compose run sonar-scanner - name: Tear down Docker Compose if: always() diff --git a/docker-compose.yml b/docker-compose.yml index 12b42818..0ba66487 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -35,7 +35,7 @@ services: - SONAR_TOKEN=${SONAR_TOKEN} # Use standard Docker variable interpolation here volumes: - .:/usr/src - entrypoint: ["/bin/bash", "-c", "sonar-scanner -Dsonar.projectKey=Mutillidae-II-2 -Dsonar.sources=."] + entrypoint: ["/bin/bash", "-c", "sonar-scanner -X -Dsonar.projectKey=Mutillidae-II-2 -Dsonar.sources=."] networks: sonarnet: From f4fb8381c32de5f8189509f345ca6feab33bf467 Mon Sep 17 00:00:00 2001 
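Review bot: `run: sleep 60` in `Wait for SonarQube to be ready` replaces a readiness check with a fixed delay, which is both slow and unreliable — SonarQube with the `postgres` service it is started alongside can take longer on a cold runner, and the scanner then fails to connect. A bounded poll such as `until curl -sf http://localhost:9000/api/system/status | grep -q UP; do sleep 5; done` is what earlier versions of this file did and finishes as soon as the server is actually up; PATCH 29/68 only raises the delay to 180 s. Because `up -d sonar-server` starts that one service, `sonar-scanner`'s `depends_on` in the Compose file is not exercised here at all.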
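Review bot: Adding `-X` to the `sonar-scanner` entrypoint turns on debug logging for every CI run, which bloats the Actions log and prints configuration and environment detail that does not belong in a long-lived log; the scanner masks its token in output as far as I know, but debug mode is still better enabled ad hoc for a failing run than committed. Keep the entrypoint as `sonar-scanner -Dsonar.projectKey=Mutillidae-II-2 -Dsonar.sources=.` and add `-X` temporarily when diagnosing.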
From: meleksabit Date: Wed, 18 Sep 2024 14:33:39 +0300 Subject: [PATCH 26/68] edit SonarQube workflow + edit docker-compose file --- docker-compose.yml | 28 +++++++--------------------- 1 file changed, 7 insertions(+), 21 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 0ba66487..9df56efe 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -5,38 +5,24 @@ services: image: sonarqube:latest container_name: sonar-server ports: - - "9000:9000" # Expose port 9000 for SonarQube + - "9000:9000" networks: - sonarnet - environment: - - SONAR_JDBC_URL=jdbc:postgresql://db:5432/sonarqube - - SONAR_JDBC_USERNAME=sonar - - SONAR_JDBC_PASSWORD=sonar - - db: - image: postgres:latest - container_name: sonar-db - networks: - - sonarnet - environment: - - POSTGRES_USER=sonar - - POSTGRES_PASSWORD=sonar - - POSTGRES_DB=sonarqube + healthcheck: + test: ["CMD-SHELL", "curl -f http://localhost:9000 || exit 1"] + interval: 30s + timeout: 10s + retries: 10 sonar-scanner: image: sonarsource/sonar-scanner-cli:latest - container_name: sonar-scanner depends_on: - sonar-server networks: - sonarnet environment: - SONAR_HOST_URL=http://sonar-server:9000 - - SONAR_TOKEN=${SONAR_TOKEN} # Use standard Docker variable interpolation here + - SONAR_TOKEN=${SONAR_TOKEN} volumes: - .:/usr/src entrypoint: ["/bin/bash", "-c", "sonar-scanner -X -Dsonar.projectKey=Mutillidae-II-2 -Dsonar.sources=."] - -networks: - sonarnet: - driver: bridge From 011ac38ba9829261fcfae1c120af48f9512656e9 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Wed, 18 Sep 2024 14:37:35 +0300 Subject: [PATCH 27/68] edit docker-compose file --- docker-compose.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docker-compose.yml b/docker-compose.yml index 9df56efe..969e83af 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
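Review bot: Both services still declare `networks: - sonarnet`, but this hunk deletes the top-level `networks:` definition, so `docker-compose up` fails with an undefined-network error until PATCH 27/68 adds it back. The new `healthcheck` on `sonar-server` is consumed by nothing: `sonar-scanner`'s `depends_on: - sonar-server` only orders start-up and the workflow side uses a fixed `sleep`; the long form `depends_on:` / `  sonar-server:` / `    condition: service_healthy` would make `docker-compose run sonar-scanner` wait for it. The probe `curl -f http://localhost:9000 || exit 1` only proves the web port answers, whereas `/api/system/status` reporting `UP` (what the workflow previously polled) is the signal that the server can accept a scan, and it is worth confirming `curl` exists in the `sonarqube:latest` image, since otherwise the container never becomes healthy.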
@@ -26,3 +26,8 @@ services:
 volumes:
 - .:/usr/src
 entrypoint: ["/bin/bash", "-c", "sonar-scanner -X -Dsonar.projectKey=Mutillidae-II-2 -Dsonar.sources=."]
+
+networks:
+ sonarnet:
+ driver: bridge # This defines the 'sonarnet' network with the bridge driver
+
\ No newline at end of file
From 7c59c1c45e1a459664e895879fb460f3306446af Mon Sep 17 00:00:00 2001 From: meleksabit Date: Wed, 18 Sep 2024 18:30:06 +0300 Subject: [PATCH 28/68] remove version attribute from the docker-compose.yml
---
docker-compose.yml | 3 --- 1 file changed, 3 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 969e83af..e1ce7afb 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,5 +1,3 @@
-version: '3.8'
-
 services:
 sonar-server:
 image: sonarqube:latest
@@ -30,4 +28,3 @@ services:
 networks:
 sonarnet:
 driver: bridge # This defines the 'sonarnet' network with the bridge driver
-
\ No newline at end of file
From c31dae3c4f13a98c275d73bf9c444d8efaab500c Mon Sep 17 00:00:00 2001 From: meleksabit Date: Wed, 18 Sep 2024 18:34:28 +0300 Subject: [PATCH 29/68] increase seconds in the sleep attribute
---
.github/workflows/sonarqube.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
index df7aa52e..9bbda5e8 100644
--- a/.github/workflows/sonarqube.yml
+++ b/.github/workflows/sonarqube.yml
@@ -24,7 +24,7 @@ jobs:
 run: docker-compose up -d sonar-server

 - name: Wait for SonarQube to be ready
- run: sleep 60 # Adjust this time if needed, depending on your server startup time
+ run: sleep 180 # Adjust this time if needed, depending on your server startup time

 - name: Run SonarScanner with the environment variable
 env:
From 5a1bef46c6c40947c0311f9e19d52d2a1cf0c5ff Mon Sep 17 00:00:00 2001
From: meleksabit Date: Thu, 19 Sep 2024 17:47:42 +0300 Subject: [PATCH 30/68] edit workflow, docker-compose and Jenkinsfile files + add Dockerfile --- .github/workflows/sonarqube.yml | 5 +++ Dockerfile | 29 ++++++++++++++ Jenkinsfile | 68 +++++++++++++++++++++++++++++++++ docker-compose.yml | 16 +++++++- 4 files changed, 117 insertions(+), 1 deletion(-) create mode 100644 Dockerfile create mode 100644 Jenkinsfile diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index 9bbda5e8..11720a42 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml @@ -1,10 +1,15 @@ name: SonarQube Analysis on: + # Trigger analysis when pushing to your main branches, and when creating a pull request. push: branches: - main + - master - development + - 'releases/**' + pull_request: + types: [opened, synchronize, reopened] jobs: sonar-scan: diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 00000000..3851b075 --- /dev/null +++ b/Dockerfile 
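Review bot: Adding `pull_request:` means the job now runs for pull requests, but for a PR opened from a fork the `secrets.SONAR_TOKEN` that the later steps read is empty, so the scanner step fails for exactly the contributions this trigger is meant to cover. Either limit the job to same-repository PRs (for example `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`) or make the scan step tolerate a missing token. `types: [opened, synchronize, reopened]` is the default activity set for `pull_request` and can be omitted.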
@@ -0,0 +1,29 @@ +# Stage 1: Build the application +FROM php:7.4-apache AS build +WORKDIR /var/www/html +COPY . /var/www/html/ +RUN composer install --no-dev --prefer-dist + +# Stage 2: Create the final image +FROM php:7.4-apache +RUN groupadd -r www-data && useradd -r -g www-data -G www-data -d /var/www/html www-data +RUN chown -R www-data:www-data /var/www/html +COPY --from=build /var/www/html/public /var/www/html/ +COPY --from=build /var/www/html/.htaccess /var/www/html/ +COPY --from=build /var/www/html/index.php /var/www/html/ + +# Install the required PHP extensions +RUN apt-get update && apt-get install -y --no-install-recommends libapache2-mod-php7.4 php7.4-mysql php7.4-curl + +# Configure Apache to serve the Mutillidae-II application +RUN a2enmod rewrite +RUN sed -i 's/DocumentRoot \/var\/www\/html/DocumentRoot \/var\/www\/html\/public/g' /etc/apache2/sites-available/000-default.conf + +# Expose the Apache port +EXPOSE 80 + +# Switch to the non-root user +USER www-data + +# Start Apache when the container is launched +CMD ["apache2-foreground"] diff --git a/Jenkinsfile b/Jenkinsfile new file mode 100644 index 00000000..714089d0 --- /dev/null +++ b/Jenkinsfile 
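Review bot: The image does not build as written: stage 1 runs `composer install`, but `php:7.4-apache` does not ship Composer, and stage 2's `groupadd -r www-data && useradd ...` fails because the base image already defines the `www-data` user and group. The `apt-get install ... libapache2-mod-php7.4 php7.4-mysql php7.4-curl` line installs a second, distro-packaged PHP beside the image's own build; `docker-php-ext-install mysqli pdo_mysql` is the supported way to add the MySQL extensions in the official image, and its `curl` extension is already compiled in. `USER www-data` followed by `apache2-foreground` cannot bind port 80 as a non-root user, so either keep root (Apache drops to `www-data` for its worker processes itself) or move the listener to an unprivileged port as below; PHP 7.4 has also been end-of-life since late 2022, so a supported 8.x base is preferable if the application allows it. The `COPY --from=build` lines assume a `public/` directory, `.htaccess` and `index.php` at the repository root, which I cannot confirm from here.
```dockerfile
FROM php:7.4-apache AS build
COPY --from=composer:2 /usr/bin/composer /usr/bin/composer
WORKDIR /var/www/html
# … unchanged: COPY . and composer install …

FROM php:7.4-apache
# www-data already exists in the base image; no groupadd/useradd needed
RUN docker-php-ext-install mysqli pdo_mysql
# … unchanged: COPY --from=build lines, a2enmod rewrite, DocumentRoot sed …
# Apache must listen on an unprivileged port when the process runs as www-data
RUN sed -i 's/^Listen 80$/Listen 8080/' /etc/apache2/ports.conf \
    && sed -i 's/<VirtualHost \*:80>/<VirtualHost *:8080>/' /etc/apache2/sites-available/000-default.conf
EXPOSE 8080
USER www-data
CMD ["apache2-foreground"]
```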
@@ -0,0 +1,68 @@ +pipeline { + agent any + + tools { + // Define tools if needed (optional for PHP) + } + + environment { + SONAR_TOKEN = credentials('SONAR_TOKEN') // SonarQube token from Jenkins credentials + MYSQL_ROOT_PASSWORD = 'root' // MySQL root password for the MySQL container + } + + stages { + stage('Start MySQL Service') { + steps { + script { + // Start MySQL as a service container + sh ''' + docker run --name mysql-server -e MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD} -d mysql:5.7 + ''' + } + } + } + + stage('SonarQube Analysis') { + steps { + withCredentials([string(credentialsId: 'SONAR_TOKEN', variable: 'SONAR_TOKEN')]) { + script { + // Run SonarScanner for PHP with the correct SonarQube server URL and project key + sh ''' + sonar-scanner \ + -Dsonar.projectKey=Mutillidae-II \ + -Dsonar.sources=. \ + -Dsonar.host.url=http://localhost:9000 \ + -Dsonar.login=$SONAR_TOKEN \ + -Dsonar.php.tests.reportPath=./test-reports/unit-report.xml \ + -Dsonar.php.coverage.reportPaths=./test-reports/coverage.xml + ''' + } + } + } + } + + stage('Build PHP Application Docker Image') { + steps { + withDockerRegistry([credentialsId: "dockerlogin", url: ""]) { + script { + // Build the PHP application Docker image + app = docker.build("angel3/mutillidae:latest") + } + } + } + } + } + + post { + always { + stage('Tear Down') { + steps { + script { + // Stop MySQL container after use + sh 'docker stop mysql-server && docker rm mysql-server' + } + } + } + } + } +} diff --git a/docker-compose.yml b/docker-compose.yml index e1ce7afb..a4075835 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
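Review bot: `post { always { stage('Tear Down') { ... } } }` is not valid Declarative Pipeline — `post` conditions contain steps, not `stage` blocks — so the Jenkinsfile fails at parse time before any stage runs; replace the body with `always {` / `  sh 'docker rm -f mysql-server || true'` / `}` (the `-f` form also copes with the container never having started). The empty `tools { }` section is most likely a second parse error and can be deleted. `MYSQL_ROOT_PASSWORD = 'root'` is a literal credential in `environment`, used only for a throw-away `mysql:5.7` container that nothing visible in the file connects to, so either drop that stage or source the password with `credentials()` as `SONAR_TOKEN` already is (note `SONAR_TOKEN` is bound twice, in `environment` and again via `withCredentials`). `-Dsonar.login=$SONAR_TOKEN` is the deprecated property name on current SonarQube (`-Dsonar.token=`), and `app = docker.build(...)` assigns an undeclared variable — prefer `def app = docker.build(...)`.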
@@ -3,9 +3,23 @@ services: image: sonarqube:latest container_name: sonar-server ports: - - "9000:9000" + - "9000:9000" # Expose port 9000 for SonarQube networks: - sonarnet + environment: + - SONAR_JDBC_URL=jdbc:postgresql://db:5432/sonarqube + - SONAR_JDBC_USERNAME=sonar + - SONAR_JDBC_PASSWORD=sonar + + db: + image: postgres:latest + container_name: sonar-db + networks: + - sonarnet + environment: + - POSTGRES_USER=sonar + - POSTGRES_PASSWORD=sonar + - POSTGRES_DB=sonarqube healthcheck: test: ["CMD-SHELL", "curl -f http://localhost:9000 || exit 1"] interval: 30s From d42e472a9203414e04e0f1c181af3e558dcdff96 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Thu, 19 Sep 2024 18:24:26 +0300 Subject: [PATCH 31/68] improve CodeQL Scan --- .github/workflows/scan-with-codeql.yml | 55 ++++++++++++++------------ 1 file changed, 29 insertions(+), 26 deletions(-) diff --git a/.github/workflows/scan-with-codeql.yml b/.github/workflows/scan-with-codeql.yml index 2cebc709..95858976 100644 --- a/.github/workflows/scan-with-codeql.yml +++ b/.github/workflows/scan-with-codeql.yml 
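Review bot: The `healthcheck:` that belonged to `sonar-server` now sits directly under the inserted `db:` service, so the `curl -f http://localhost:9000` probe runs inside the `postgres` container, where nothing listens on 9000, and `db` is reported unhealthy forever; move the block back into `sonar-server` (above or below its new `environment:` keys). The re-added `sonar-server` also has no `depends_on: - db`, so start order between the two is unconstrained, and `POSTGRES_PASSWORD`/`SONAR_JDBC_PASSWORD` are again the literal `sonar` rather than an interpolated variable like the `${SONAR_TOKEN}` used two services down. `postgres:latest` is a floating major version; pin it to the release SonarQube supports.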
@@ -1,47 +1,50 @@ -# Name of the GitHub Actions workflow -name: CodeQL Analysis for JavaScript +name: JavaScript CodeQL Analysis -# Define when the workflow should be triggered on: - push: + pull_request: branches: - - development # Trigger when code is pushed to the 'development' branch - - main # Trigger when code is pushed to the 'main' branch + - development + - main -# Define the jobs to be executed within the workflow jobs: - build: - name: Scan JavaScript code with CodeQL - runs-on: [ 'ubuntu-latest' ] # Use the latest version of Ubuntu + analyze: + name: Analyze JavaScript code with CodeQL + runs-on: ubuntu-latest + needs: init permissions: actions: read contents: read security-events: write - strategy: - fail-fast: false - matrix: - language: [ 'javascript' ] - # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ] - # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: - name: Checkout code uses: actions/checkout@v4 - # Action to check out the code from the repository - # This step fetches the codebase from the GitHub repository + if: github.event.pull_request.head.sha == github.event.pull_request.base.sha - name: Initialize CodeQL + id: initialize-codeql uses: github/codeql-action/init@v3 with: languages: javascript - # Action to initialize the CodeQL environment - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 + if: github.event.pull_request.head.sha == github.event.pull_request.base.sha with: - # Specify a category to distinguish between multiple analyses - # for the same tool and ref. 
If you don't use `category` in your workflow, - # GitHub will generate a default category name for you - category: "Scan-JavaScript-code-with-CodeQL" - \ No newline at end of file + category: "JavaScript CodeQL Analysis" + + init: + name: Initialize CodeQL environment + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Initialize CodeQL + id: initialize-codeql + uses: github/codeql-action/init@v3 + with: + languages: javascript + + outputs: + needs: initialize-codeql + codeql-version: ${{ steps.initialize-codeql.outputs.codeql-version }} From 94fe74686bfa8f75b1b8b6a9545a20d7d2ffcc12 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Thu, 19 Sep 2024 18:49:08 +0300 Subject: [PATCH 32/68] improve OWASP Dependency Check workflow --- .../scan-with-owasp-dependency-check.yml | 37 ++++++++----------- 1 file changed, 15 insertions(+), 22 deletions(-) diff --git a/.github/workflows/scan-with-owasp-dependency-check.yml b/.github/workflows/scan-with-owasp-dependency-check.yml index 783e27c3..dee7e7f7 100644 --- a/.github/workflows/scan-with-owasp-dependency-check.yml +++ b/.github/workflows/scan-with-owasp-dependency-check.yml @@ -1,19 +1,24 @@ # Name of the GitHub Actions workflow name: Scan with OWASP Dependency Check +# Define environment variables +env: + PROJECT_NAME: Mutillidae + OUTPUT_DIR: . + # Define when the workflow should be triggered on: push: branches: - - development # Trigger when code is pushed to the 'development' branch - - main # Trigger when code is pushed to the 'main' branch + - development + - main # Define the job(s) to be executed within the workflow jobs: depchecktest: name: Scan with OWASP Dependency Check - - runs-on: [ 'ubuntu-latest' ] # Use the latest version of Ubuntu + runs-on: ubuntu-latest + timeout-minutes: 30 # Define permissions for specific actions permissions: 
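Review bot: `if: github.event.pull_request.head.sha == github.event.pull_request.base.sha` on the `Checkout code` and `Perform CodeQL Analysis` steps is true only when the PR head commit is the base commit, i.e. when there is nothing to analyse, so in practice both steps are skipped and the `analyze` job never scans anything; drop both `if:` lines (or use `if: github.event_name == 'pull_request'` if the intent was to gate on the event). The `init` job duplicates the first half of `analyze` — it checks out and initialises CodeQL and then ends — so `needs: init` only adds a serial wait, and `outputs:` with a `needs: initialize-codeql` entry is merely an output literally named `needs`; whether `github/codeql-action/init` exposes a `codeql-version` output I cannot confirm from here. Replacing the `push` trigger with `pull_request` only also means `main` and `development` are no longer scanned after merge.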
@@ -24,33 +29,21 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 - # Step: Checkout code - # Action to check out the code from the repository - # This step fetches the codebase from the GitHub repository - name: Scan with OWASP Dependency Check + id: owasp-dependency-check uses: dependency-check/Dependency-Check_Action@main - id: Depcheck with: - project: 'Mutillidae' # Project name for Dependency Check - path: '.' # Scan all files in the current directory - format: 'SARIF' # Output format for scan results - out: '.' # Output directory (default is the current directory) + project: $PROJECT_NAME + path: $OUTPUT_DIR + format: SARIF + out: $OUTPUT_DIR args: > - --enableRetired # Additional scan arguments for Dependency Check + --enableRetired continue-on-error: true - # Step: Scan with OWASP Dependency Check - # Action to run OWASP Dependency Check to scan dependencies - # It identifies vulnerabilities in project dependencies - name: Upload results from OWASP Dependency Check to GitHub Code Scanning uses: github/codeql-action/upload-sarif@main with: sarif_file: dependency-check-report.sarif - # Step: Upload results to GitHub Code Scanning - # Action to upload the results of the OWASP Dependency Check scan in SARIF format - # This allows viewing and analyzing the scan results in the GitHub repository category: "Scan-dependencies-code-with-OWASP-Dependency-Check" - # Specify a category to distinguish between multiple analyses - # for the same tool and ref. If you don't use `category` in your workflow, - # GitHub will generate a default category name for you \ No newline at end of file From beef81039065d28baeeaeb16fec6cbce28c9bf17 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Thu, 19 Sep 2024 18:58:04 +0300 Subject: [PATCH 33/68] edit OWASP Dependency Check workflow --- .github/workflows/scan-with-owasp-dependency-check.yml | 7 +++++++ 1 file changed, 7 insertions(+) 
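Review bot: `project: $PROJECT_NAME`, `path: $OUTPUT_DIR` and `out: $OUTPUT_DIR` are action inputs, not shell, and GitHub does not expand `$VAR` there — the action receives the literal strings unless its own entrypoint happens to evaluate them, which should not be relied on; write `${{ env.PROJECT_NAME }}` and `${{ env.OUTPUT_DIR }}` (PATCH 37/68 fixes the two `OUTPUT_DIR` inputs but leaves `project: $PROJECT_NAME`, and PATCH 34/68 repeats the pattern in `sarif_file`). `dependency-check/Dependency-Check_Action@main` and `github/codeql-action/upload-sarif@main` track a moving branch; pin both to a release tag or commit SHA. With `continue-on-error: true` on the scan, a scan that crashes still reaches the upload step, which then fails on a missing `dependency-check-report.sarif` — either drop `continue-on-error` or guard the upload with `if: always() && hashFiles('dependency-check-report.sarif') != ''`.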
diff --git a/.github/workflows/scan-with-owasp-dependency-check.yml b/.github/workflows/scan-with-owasp-dependency-check.yml
index dee7e7f7..a0ac4e4a 100644
--- a/.github/workflows/scan-with-owasp-dependency-check.yml
+++ b/.github/workflows/scan-with-owasp-dependency-check.yml
@@ -47,3 +47,10 @@ jobs:
 with:
 sarif_file: dependency-check-report.sarif
 category: "Scan-dependencies-code-with-OWASP-Dependency-Check"
+
+ - name: Verify SARIF file
+ run: |
+ if [ ! -f "$OUTPUT_DIR/dependency-check-report.sarif" ]; then
+ echo "Error: SARIF file not found"
+ exit 1
+ fi
From 4022f864b38726ec698010cb6298274b0bc35689 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Thu, 19 Sep 2024 19:05:05 +0300 Subject: [PATCH 34/68] edit OWASP Dependency Check workflow
---
.github/workflows/scan-with-owasp-dependency-check.yml | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/.github/workflows/scan-with-owasp-dependency-check.yml b/.github/workflows/scan-with-owasp-dependency-check.yml
index a0ac4e4a..b999ac69 100644
--- a/.github/workflows/scan-with-owasp-dependency-check.yml
+++ b/.github/workflows/scan-with-owasp-dependency-check.yml
@@ -45,12 +45,5 @@ jobs:
 - name: Upload results from OWASP Dependency Check to GitHub Code Scanning
 uses: github/codeql-action/upload-sarif@main
 with:
- sarif_file: dependency-check-report.sarif
+ sarif_file: $OUTPUT_DIR/dependency-check-report.sarif
 category: "Scan-dependencies-code-with-OWASP-Dependency-Check"
-
- - name: Verify SARIF file
- run: |
- if [ ! -f "$OUTPUT_DIR/dependency-check-report.sarif" ]; then
- echo "Error: SARIF file not found"
- exit 1
- fi
From 1b96603254603382b130cf8a4a83604c05193dc1 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Thu, 19 Sep 2024 19:10:29 +0300 Subject: [PATCH 35/68] edit OWASP Dependency Check workflow
---
.github/workflows/scan-with-owasp-dependency-check.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
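Review bot: The new `Verify SARIF file` step runs after `Upload results from OWASP Dependency Check to GitHub Code Scanning`, so it cannot prevent an upload attempt on a missing file; it belongs between the scan and the upload, and at that position the upload could simply be guarded with `if: hashFiles('dependency-check-report.sarif') != ''` instead of a shell test. Inside `run:` the `$OUTPUT_DIR` reference does expand (a shell step reads the workflow-level `env:`), unlike the `with:` inputs in the earlier hunk.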
diff --git a/.github/workflows/scan-with-owasp-dependency-check.yml b/.github/workflows/scan-with-owasp-dependency-check.yml
index b999ac69..e1d0d381 100644
--- a/.github/workflows/scan-with-owasp-dependency-check.yml
+++ b/.github/workflows/scan-with-owasp-dependency-check.yml
@@ -45,5 +45,5 @@ jobs:
 - name: Upload results from OWASP Dependency Check to GitHub Code Scanning
 uses: github/codeql-action/upload-sarif@main
 with:
- sarif_file: $OUTPUT_DIR/dependency-check-report.sarif
+ sarif_file: ${{ env.OUTPUT_DIR }}/dependency-check-report.sarif
 category: "Scan-dependencies-code-with-OWASP-Dependency-Check"
From d8123b88f166318a108228f7a4047a7bf3365862 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Thu, 19 Sep 2024 19:15:28 +0300 Subject: [PATCH 36/68] edit OWASP Dependency Check workflow
---
.github/workflows/scan-with-owasp-dependency-check.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/scan-with-owasp-dependency-check.yml b/.github/workflows/scan-with-owasp-dependency-check.yml
index e1d0d381..61093a27 100644
--- a/.github/workflows/scan-with-owasp-dependency-check.yml
+++ b/.github/workflows/scan-with-owasp-dependency-check.yml
@@ -4,7 +4,6 @@ name: Scan with OWASP Dependency Check
 # Define environment variables
 env:
 PROJECT_NAME: Mutillidae
- OUTPUT_DIR: .

 # Define when the workflow should be triggered
 on:
@@ -45,5 +44,5 @@ jobs:
 - name: Upload results from OWASP Dependency Check to GitHub Code Scanning
 uses: github/codeql-action/upload-sarif@main
 with:
- sarif_file: ${{ env.OUTPUT_DIR }}/dependency-check-report.sarif
+ sarif_file: dependency-check-report.sarif
 category: "Scan-dependencies-code-with-OWASP-Dependency-Check"
From 7db450548b851ae6a2a34478fc04b2e7038db218 Mon Sep 17 00:00:00 2001
From: meleksabit Date: Thu, 19 Sep 2024 19:32:23 +0300 Subject: [PATCH 37/68] edit OWASP Dependency Check workflow
---
.github/workflows/scan-with-owasp-dependency-check.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/scan-with-owasp-dependency-check.yml b/.github/workflows/scan-with-owasp-dependency-check.yml
index 61093a27..e2dd4847 100644
--- a/.github/workflows/scan-with-owasp-dependency-check.yml
+++ b/.github/workflows/scan-with-owasp-dependency-check.yml
@@ -4,6 +4,7 @@ name: Scan with OWASP Dependency Check
 # Define environment variables
 env:
 PROJECT_NAME: Mutillidae
+ OUTPUT_DIR: .

 # Define when the workflow should be triggered
 on:
@@ -34,9 +35,9 @@ jobs:
 uses: dependency-check/Dependency-Check_Action@main
 with:
 project: $PROJECT_NAME
- path: $OUTPUT_DIR
+ path: ${{ env.OUTPUT_DIR }}
 format: SARIF
- out: $OUTPUT_DIR
+ out: ${{ env.OUTPUT_DIR }}
 args: >
 --enableRetired
 continue-on-error: true
@@ -44,5 +45,5 @@ jobs:
 - name: Upload results from OWASP Dependency Check to GitHub Code Scanning
 uses: github/codeql-action/upload-sarif@main
 with:
- sarif_file: dependency-check-report.sarif
+ sarif_file: ${{ env.OUTPUT_DIR }}/dependency-check-report.sarif
 category: "Scan-dependencies-code-with-OWASP-Dependency-Check"
From 3dce21686353d60eea8cfae086cf7402b7fc2822 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Fri, 20 Sep 2024 00:34:57 +0300 Subject: [PATCH 38/68] edit Semgrep SAST workflow
---
.github/workflows/scan-with-semgrep.yml | 98 +++++++++++-------------- 1 file changed, 41 insertions(+), 57 deletions(-)
diff --git a/.github/workflows/scan-with-semgrep.yml b/.github/workflows/scan-with-semgrep.yml
index ba9f18c4..380da1de 100644
--- a/.github/workflows/scan-with-semgrep.yml
+++ b/.github/workflows/scan-with-semgrep.yml
@@ -1,73 +1,57 @@ -# Name of this GitHub Actions workflow. name: Scan Application Code with Semgrep SAST on: - # Trigger the workflow on the following events: - - # Scan changed files in Pull Requests (diff-aware scanning). pull_request: {} - - # Trigger the workflow on-demand through the GitHub Actions interface. - workflow_dispatch: {} - - # Scan mainline branches (main and development) and report all findings. + workflow_dispatch: + inputs: + xss_config: + description: 'Path to Semgrep configuration file' + required: true + xss_output: + description: 'Path to Semgrep output file' + required: true + ci_config: + description: 'Path to Semgrep configuration file' + required: true + ci_output: + description: 'Path to Semgrep output file' + required: true push: branches: ["main", "development"] jobs: semgrep: - # User definable name of this GitHub Actions job. name: Scan Application Code with Semgrep SAST - - # Specify the runner environment. Use the latest version of Ubuntu. runs-on: ubuntu-latest - - # Define permissions for specific GitHub Actions. permissions: - actions: read # Permission to read GitHub Actions. - contents: read # Permission to read repository contents. - security-events: write # Permission to write security events. - + actions: read + contents: read + security-events: write container: - # Use a Docker image with Semgrep installed. Do not change this. - image: returntocorp/semgrep + image: returntocorp/semgrep:latest - # Skip any Pull Request created by the Dependabot to avoid permission issues. - if: (github.actor != 'dependabot[bot]') + if: github.actor != 'dependabot[bot]' steps: - - name: Checkout code - uses: actions/checkout@v4 - # Step: Checkout code - # Action to check out the code from the repository. - # This step fetches the codebase from the GitHub repository. 
- - - name: Run Semgrep XSS Scan - run: semgrep --config p/xss --sarif --output=semgrep-xss-results.sarif - continue-on-error: true - # Execute Semgrep to scan the code for XSS (Cross-Site Scripting) vulnerabilities using the p/xss configuration. - # Save the results in SARIF format to semgrep-xss-results.sarif. - # Continue the workflow even if there are errors during the scan. - - - name: Run Semgrep High-Confidence SAST Scan - run: semgrep --config p/ci --sarif --output=semgrep-ci-results.sarif - continue-on-error: true - # Execute Semgrep to scan the code for XSS (Cross-Site Scripting) vulnerabilities using the p/xss configuration. - # Save the results in SARIF format to semgrep-xss-results.sarif. - # Continue the workflow even if there are errors during the scan. - - - name: Upload XSS SARIF file for GitHub Advanced Security Dashboard - uses: github/codeql-action/upload-sarif@main - with: - sarif_file: semgrep-xss-results.sarif - category: "Semgrep XSS Scan" - if: always() - # Upload the SARIF file with scan results to the GitHub Advanced Security Dashboard. - - - name: Upload CI SARIF file for GitHub Advanced Security Dashboard - uses: github/codeql-action/upload-sarif@main - with: - sarif_file: semgrep-ci-results.sarif - category: "Semgrep High-Confidence SAST Scan" - if: always() - # Upload the SARIF file with scan results to the GitHub Advanced Security Dashboard. 
+ - name: Checkout code + uses: actions/checkout@v2 + + - name: Run Semgrep XSS Scan + run: semgrep --config ${{ inputs.xss_config }} --sarif --output=${{ inputs.xss_output }} + continue-on-error: true + + - name: Run Semgrep High-Confidence SAST Scan + run: semgrep --config ${{ inputs.ci_config }} --sarif --output=${{ inputs.ci_output }} + continue-on-error: true + + - name: Upload XSS SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ${{ inputs.xss_output }} + category: "Semgrep XSS Scan" + + - name: Upload CI SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ${{ inputs.ci_output }} + category: "Semgrep High-Confidence SAST Scan" From 1557efc32488945eb856693efc62bf6e18267cea Mon Sep 17 00:00:00 2001 From: meleksabit Date: Fri, 20 Sep 2024 00:42:54 +0300 Subject: [PATCH 39/68] edit Semgrep SAST workflow --- .github/workflows/scan-with-semgrep.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan-with-semgrep.yml b/.github/workflows/scan-with-semgrep.yml index 380da1de..8730b1a0 100644 --- a/.github/workflows/scan-with-semgrep.yml +++ b/.github/workflows/scan-with-semgrep.yml @@ -51,7 +51,7 @@ jobs: category: "Semgrep XSS Scan" - name: Upload CI SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@main with: sarif_file: ${{ inputs.ci_output }} category: "Semgrep High-Confidence SAST Scan" From 885a5fc453a428e16c81b0af96d3d949570ed2e6 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Fri, 20 Sep 2024 01:06:02 +0300 Subject: [PATCH 40/68] edit Semgrep SAST workflow --- .github/workflows/scan-with-semgrep.yml | 32 ++++++++++++++++++++----- 1 file changed, 26 insertions(+), 6 deletions(-) diff --git a/.github/workflows/scan-with-semgrep.yml b/.github/workflows/scan-with-semgrep.yml index 8730b1a0..2b84ecfc 100644 --- a/.github/workflows/scan-with-semgrep.yml +++ b/.github/workflows/scan-with-semgrep.yml 
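Review bot: `${{ inputs.xss_config }}` and the other three `inputs.*` expressions in the two `Run Semgrep` steps are only populated for `workflow_dispatch`; on the `pull_request` and `push` triggers this file also declares, they expand to empty strings and the command becomes `semgrep --config --sarif --output=`, so the automatic scans no longer work. The expressions are also substituted into `run:` before the shell parses the line, so a dispatch input containing shell metacharacters becomes part of the command; expose the inputs through an `env:` block, reference them as `"$XSS_CONFIG"` etc., and give each input a `default:` so the non-dispatch triggers keep working. This hunk additionally downgrades `actions/checkout@v4` to `@v2` and uses `github/codeql-action/upload-sarif@v1`, both of which run on Node.js versions GitHub has deprecated; keep `checkout@v4` and use a current `upload-sarif` major.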
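Review bot: Only the `Upload CI SARIF file` step moves to `github/codeql-action/upload-sarif@main`; the `Upload XSS SARIF file` step just above the hunk stays on `@v1`, so the two uploads now run different versions of the same action. `@main` is a mutable branch reference, so this also trades a deprecated pin for an unpinned one; use the same current release tag (or a commit SHA) for both steps.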
@@ -34,24 +34,44 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v4 + # Step to set the environment variables dynamically based on the event + - name: Set Config and Output Paths + id: vars + run: | + if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then + echo "xss_config=${{ github.event.inputs.xss_config }}" >> $GITHUB_ENV + echo "xss_output=${{ github.event.inputs.xss_output }}" >> $GITHUB_ENV + echo "ci_config=${{ github.event.inputs.ci_config }}" >> $GITHUB_ENV + echo "ci_output=${{ github.event.inputs.ci_output }}" >> $GITHUB_ENV + else + echo "xss_config=.github/semgrep/xss-config.yml" >> $GITHUB_ENV + echo "xss_output=xss-output.sarif" >> $GITHUB_ENV + echo "ci_config=.github/semgrep/ci-config.yml" >> $GITHUB_ENV + echo "ci_output=ci-output.sarif" >> $GITHUB_ENV + shell: bash + + # Run Semgrep XSS Scan using the dynamically set environment variables - name: Run Semgrep XSS Scan - run: semgrep --config ${{ inputs.xss_config }} --sarif --output=${{ inputs.xss_output }} + run: semgrep --config "$xss_config" --sarif --output="$xss_output" continue-on-error: true + # Run Semgrep High-Confidence SAST Scan using the dynamically set environment variables - name: Run Semgrep High-Confidence SAST Scan - run: semgrep --config ${{ inputs.ci_config }} --sarif --output=${{ inputs.ci_output }} + run: semgrep --config "$ci_config" --sarif --output="$ci_output" continue-on-error: true + # Upload the XSS SARIF file - name: Upload XSS SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@main with: - sarif_file: ${{ inputs.xss_output }} + sarif_file: "$xss_output" category: "Semgrep XSS Scan" + # Upload the High-Confidence SAST SARIF file - name: Upload CI SARIF file uses: github/codeql-action/upload-sarif@main with: - sarif_file: ${{ inputs.ci_output }} + sarif_file: "$ci_output" category: "Semgrep High-Confidence SAST Scan" 
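Review bot: `sarif_file: "$xss_output"` and `sarif_file: "$ci_output"` in the two upload steps pass the literal strings `$xss_output` / `$ci_output` to the action, because GitHub performs no shell expansion on `with:` values; the uploads will not find the files. Use `sarif_file: ${{ env.xss_output }}` and `sarif_file: ${{ env.ci_output }}`, which read the variables the `Set Config and Output Paths` step writes to `$GITHUB_ENV`. In that step the `${{ github.event.inputs.* }}` expressions are interpolated into the script text before bash runs it, so an input containing quotes or newlines alters the script or appends extra variables to `$GITHUB_ENV`; pass the inputs in through `env:` and validate them (reject newlines) before writing, as sketched below. The step's `id: vars` is unused since it declares no `outputs`.

```yaml
      - name: Set Config and Output Paths
        env:
          IN_XSS_CONFIG: ${{ github.event.inputs.xss_config }}
          IN_XSS_OUTPUT: ${{ github.event.inputs.xss_output }}
          IN_CI_CONFIG: ${{ github.event.inputs.ci_config }}
          IN_CI_OUTPUT: ${{ github.event.inputs.ci_output }}
        run: |
          if [[ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then
            for v in "$IN_XSS_CONFIG" "$IN_XSS_OUTPUT" "$IN_CI_CONFIG" "$IN_CI_OUTPUT"; do
              case "$v" in *$'\n'*) echo "input contains a newline" >&2; exit 1;; esac
            done
            echo "xss_config=$IN_XSS_CONFIG" >> "$GITHUB_ENV"
            echo "xss_output=$IN_XSS_OUTPUT" >> "$GITHUB_ENV"
            echo "ci_config=$IN_CI_CONFIG" >> "$GITHUB_ENV"
            echo "ci_output=$IN_CI_OUTPUT" >> "$GITHUB_ENV"
          # … unchanged: else branch with the default paths …
        shell: bash
```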
From a03fd3dcda2478700f64c59ca3ee9b18abbf845c Mon Sep 17 00:00:00 2001 From: meleksabit Date: Fri, 20 Sep 2024 01:10:52 +0300 Subject: [PATCH 41/68] edit Semgrep SAST workflow --- .github/workflows/scan-with-semgrep.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/scan-with-semgrep.yml b/.github/workflows/scan-with-semgrep.yml index 2b84ecfc..d85796ab 100644 --- a/.github/workflows/scan-with-semgrep.yml +++ b/.github/workflows/scan-with-semgrep.yml @@ -50,6 +50,7 @@ jobs: echo "xss_output=xss-output.sarif" >> $GITHUB_ENV echo "ci_config=.github/semgrep/ci-config.yml" >> $GITHUB_ENV echo "ci_output=ci-output.sarif" >> $GITHUB_ENV + fi shell: bash # Run Semgrep XSS Scan using the dynamically set environment variables From c7665d75cf7b3c6dc93265b1ac981db681dd308f Mon Sep 17 00:00:00 2001 From: meleksabit Date: Fri, 20 Sep 2024 02:11:49 +0300 Subject: [PATCH 42/68] add SonarCloud workflow + add Quality Gate in the Jenkinsfile --- .github/workflows/sonarcloud.yml | 44 ++++++++++++++++++++++++++++++++ Jenkinsfile | 14 ++++++++++ sonar-project.properties | 11 +++++++- 3 files changed, 68 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/sonarcloud.yml diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml new file mode 100644 index 00000000..645720e8 --- /dev/null +++ b/.github/workflows/sonarcloud.yml 
@@ -0,0 +1,44 @@ +name: SonarCloud Analysis + +on: + # Trigger analysis when pushing to your main branches, and when creating a pull request. + push: + branches: + - main + - master + - development + - 'releases/**' + pull_request: + types: [opened, synchronize, reopened] + +jobs: + sonar-scan: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Set up JDK 17 + uses: actions/setup-java@v4 + with: + java-version: '17' + distribution: 'temurin' + java-package: 'jdk' + + - name: Cache SonarCloud packages + uses: actions/cache@v3 + with: + path: ~/.sonar/cache + key: ${{ runner.os }}-sonar + restore-keys: ${{ runner.os }}-sonar + + - name: SonarCloud Scan + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + run: | + sonar-scanner \ + -Dsonar.organization=meleksabit \ + -Dsonar.projectKey=meleksabit_mutillidae \ + -Dsonar.host.url=https://sonarcloud.io \ + -Dsonar.login=${{ secrets.SONAR_TOKEN }} diff --git a/Jenkinsfile b/Jenkinsfile index 714089d0..a6861493 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -53,6 +53,20 @@ pipeline { } } + stage('Quality Gate') { + steps { + script { + // Wait for the quality gate result from SonarQube + timeout(time: 10, unit: 'MINUTES') { + def qg = waitForQualityGate() + if (qg.status != 'OK') { + error "Pipeline failed due to SonarQube quality gate failure: ${qg.status}" + } + } + } + } + } + post { always { stage('Tear Down') { diff --git a/sonar-project.properties b/sonar-project.properties index 5106bfeb..13b0ade0 100644 --- a/sonar-project.properties +++ b/sonar-project.properties @@ -1 +1,10 @@ -sonar.projectKey=Mutillidae-II \ No newline at end of file +# Required project settings +sonar.organization=meleksabit +sonar.projectKey=meleksabit_mutillidae +sonar.projectName=mutillidae +sonar.host.url=https://sonarcloud.io + +# Optional configuration +sonar.sources=. +sonar.language=php # (or your project's primary language) +sonar.sourceEncoding=UTF-8 
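Review bot: The `SonarCloud Scan` step already exports `SONAR_TOKEN` in its `env:`, so `-Dsonar.login=${{ secrets.SONAR_TOKEN }}` on the last line places the same secret on the command line a second time, where it is visible in the runner's process arguments even though log output is masked; drop the `-Dsonar.login` flag and let the scanner read the environment variable. No step in this file installs `sonar-scanner`, and as far as I know it is not part of the `ubuntu-latest` image, so the `run:` line will fail with a missing command unless it is provided elsewhere. The `Cache SonarCloud packages` step uses the same value for `key` and `restore-keys`, which makes the restore-key redundant.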
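Review bot: The new `Quality Gate` stage's `waitForQualityGate()` only returns when SonarQube delivers its webhook to Jenkins, so without that webhook configured every build blocks until the 10-minute `timeout` and then aborts with a timeout rather than a gate status. A comment on the stage, e.g. `// Requires the SonarQube -> Jenkins webhook; otherwise this blocks until the timeout`, would save the next person a confusing failure. The enclosing `pipeline { stages { ... } }` block begins outside the hunk.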
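Review bot: `sonar.language=php # (or your project's primary language)` embeds a trailing comment in a Java-properties value; properties files only treat `#` as a comment at the start of a line, so the property value becomes `php # (or your project's primary language)`. Move the comment to its own line above the key, `# Primary language of the project`, or delete it; I believe `sonar.language` itself is deprecated in favour of automatic multi-language detection, which is worth confirming before relying on it. `sonar.organization` and `sonar.host.url` are now also passed as `-D` flags in the workflow, so keep the two copies in sync or remove one.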
From aa0693b830d6ab43ff3269ac64d182aa81105965 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Fri, 20 Sep 2024 02:20:27 +0300 Subject: [PATCH 43/68] edit the SonarCloud workflow --- .github/workflows/sonarcloud.yml | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml index 645720e8..c5bd88b0 100644 --- a/.github/workflows/sonarcloud.yml +++ b/.github/workflows/sonarcloud.yml @@ -26,19 +26,18 @@ jobs: distribution: 'temurin' java-package: 'jdk' - - name: Cache SonarCloud packages - uses: actions/cache@v3 - with: - path: ~/.sonar/cache - key: ${{ runner.os }}-sonar - restore-keys: ${{ runner.os }}-sonar + - name: Install SonarScanner + run: | + curl -sSLo sonar-scanner-cli.zip https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.8.0.2856-linux.zip + unzip sonar-scanner-cli.zip + mv sonar-scanner-4.8.0.2856-linux sonar-scanner + export PATH="$PATH:${{ github.workspace }}/sonar-scanner/bin" - - name: SonarCloud Scan - env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + - name: Run SonarScanner for PHP run: | - sonar-scanner \ + sonar-scanner \ -Dsonar.organization=meleksabit \ -Dsonar.projectKey=meleksabit_mutillidae \ -Dsonar.host.url=https://sonarcloud.io \ -Dsonar.login=${{ secrets.SONAR_TOKEN }} + \ No newline at end of file From 904a38d5aff445c39e08a8fd7f511e62683519d2 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Fri, 20 Sep 2024 02:33:56 +0300 Subject: [PATCH 44/68] edit the SonarCloud workflow --- .github/workflows/sonarcloud.yml | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml index c5bd88b0..0374d3d4 100644 --- a/.github/workflows/sonarcloud.yml +++ b/.github/workflows/sonarcloud.yml 
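Review bot: `export PATH="$PATH:${{ github.workspace }}/sonar-scanner/bin"` in the `Install SonarScanner` step only affects that step's shell; each `run:` starts a fresh process, so the following `Run SonarScanner for PHP` step will not find `sonar-scanner`. Write the directory to the path file instead: `echo "${{ github.workspace }}/sonar-scanner/bin" >> "$GITHUB_PATH"`. The archive is downloaded and passed straight to `unzip` with no checksum check, so the build executes whatever the download host serves; record the expected SHA-256 of the pinned archive in the workflow and verify it before unpacking. This commit also removes the `env: SONAR_TOKEN` block, leaving the secret only in `-Dsonar.login=...` on the command line, and the added `\` on the final line is a stray continuation that should be deleted.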
@@ -26,18 +26,7 @@ jobs: distribution: 'temurin' java-package: 'jdk' - - name: Install SonarScanner - run: | - curl -sSLo sonar-scanner-cli.zip https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.8.0.2856-linux.zip - unzip sonar-scanner-cli.zip - mv sonar-scanner-4.8.0.2856-linux sonar-scanner - export PATH="$PATH:${{ github.workspace }}/sonar-scanner/bin" - - - name: Run SonarScanner for PHP - run: | - sonar-scanner \ - -Dsonar.organization=meleksabit \ - -Dsonar.projectKey=meleksabit_mutillidae \ - -Dsonar.host.url=https://sonarcloud.io \ - -Dsonar.login=${{ secrets.SONAR_TOKEN }} - \ No newline at end of file + - name: SonarCloud Scan + uses: sonarsource/sonarcloud-github-action@v3 # Ex: v2.1.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} From c5cbe1740eb778cd55225db3ceb60763d11e374c Mon Sep 17 00:00:00 2001 From: meleksabit Date: Fri, 20 Sep 2024 02:57:16 +0300 Subject: [PATCH 45/68] add badges to the README file --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index e4280700..9b9aa24d 100644 --- a/README.md +++ b/README.md 
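Review bot: The inline comment `# Ex: v2.1.0, See the latest version at ...` next to `sonarsource/sonarcloud-github-action@v3` is marketplace boilerplate that contradicts the pinned version; replace it with the actual decision, e.g. `# pinned to the v3 major; bump deliberately`. The `Checkout repository` step (outside this hunk) uses a shallow clone, and SonarCloud reports degraded new-code analysis for shallow clones; add `fetch-depth: 0` as the sonarqube workflow already does. With the scanner now bundled by the action, the `Set up JDK 17` step may be unnecessary — worth confirming.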
@@ -1,6 +1,8 @@ # $\color{LimeGreen}{OWASP\ Mutillidae\ II\ -\ Forked\ to\ showcase\ DevSecOps\ pipelines\}$ +[![JavaScript CodeQL Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml) [![Scan Application Code with Semgrep SAST](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-semgrep.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-semgrep.yml) [![Scan with OWASP Dependency Check](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml) [![SonarCloud Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml) [![Scan PHP code with Snyk Code](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml) [![SonarQube Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml) + OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application designed for web-security enthusiasts. It serves as a target for learning and practicing web security skills. Mutillidae can be easily installed on Linux and Windows systems using LAMP, WAMP, and XAMMP stacks. Additionally, it comes pre-installed on SamuraiWTF and OWASP BWA, and the existing version can be updated on these platforms. With dozens of vulnerabilities and hints to guide the user, Mutillidae provides an accessible web hacking environment suitable for labs, security enthusiasts, classrooms, CTFs, and vulnerability assessment tool targets. 
It has been widely used in graduate security courses, corporate web security training, and as an assessment target for vulnerability assessment software. OWASP Mutillidae II provides a comprehensive platform for learning and practicing web security techniques in a controlled environment. ## $\color{red}{Project\ Announcements\}$ From fb687227922af51834d1d1a161658649d95af88c Mon Sep 17 00:00:00 2001 From: meleksabit Date: Fri, 20 Sep 2024 10:36:17 +0300 Subject: [PATCH 46/68] edit Semgrep workflow --- .github/workflows/scan-with-semgrep.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/scan-with-semgrep.yml b/.github/workflows/scan-with-semgrep.yml index d85796ab..af6d0daa 100644 --- a/.github/workflows/scan-with-semgrep.yml +++ b/.github/workflows/scan-with-semgrep.yml @@ -62,6 +62,9 @@ jobs: - name: Run Semgrep High-Confidence SAST Scan run: semgrep --config "$ci_config" --sarif --output="$ci_output" continue-on-error: true + + - name: List files after Semgrep XSS Scan + run: ls -la # Upload the XSS SARIF file - name: Upload XSS SARIF file From b970b70bb4bb80e66f09957b41bf74a1db4d7406 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Sun, 22 Sep 2024 00:23:40 +0300 Subject: [PATCH 47/68] edit Semgrep workflow --- .github/workflows/scan-with-semgrep.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/scan-with-semgrep.yml b/.github/workflows/scan-with-semgrep.yml index 3b7b7468..c04197da 100644 --- a/.github/workflows/scan-with-semgrep.yml +++ b/.github/workflows/scan-with-semgrep.yml 
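Review bot: The added step is named `List files after Semgrep XSS Scan` but sits after the `Run Semgrep High-Confidence SAST Scan` step, so the name misdescribes when it runs. If it is a temporary debugging aid, say so with `# Debug: remove once SARIF generation is confirmed`; otherwise rename it to match its position or replace `ls -la` with an explicit `test -f "$ci_output"` check that fails the job when the report is missing.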
@@ -53,11 +53,23 @@ jobs: fi shell: bash + # Debug: Print environment variables to check they are set correctly + - name: Print environment variables + run: | + echo "xss_config=$xss_config" + echo "xss_output=$xss_output" + echo "ci_config=$ci_config" + echo "ci_output=$ci_output" + # Run Semgrep XSS Scan using the dynamically set environment variables - name: Run Semgrep XSS Scan run: semgrep --config "$xss_config" --sarif --output="$xss_output" continue-on-error: true + # Debug: List files to check if SARIF file was generated + - name: List files after Semgrep XSS Scan + run: ls -la + # Run Semgrep High-Confidence SAST Scan using the dynamically set environment variables - name: Run Semgrep High-Confidence SAST Scan run: semgrep --config "$ci_config" --sarif --output="$ci_output" @@ -65,7 +77,7 @@ jobs: - name: List files after Semgrep XSS Scan run: ls -la - + # Upload the XSS SARIF file - name: Upload XSS SARIF file uses: github/codeql-action/upload-sarif@main From f43873398c89e8adc4745e61b20855104944c326 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Sun, 22 Sep 2024 01:39:26 +0300 Subject: [PATCH 48/68] edit Semgrep workflow --- .github/workflows/scan-with-semgrep.yml | 30 +++++++------------------ 1 file changed, 8 insertions(+), 22 deletions(-) diff --git a/.github/workflows/scan-with-semgrep.yml b/.github/workflows/scan-with-semgrep.yml index c04197da..229e1de1 100644 --- a/.github/workflows/scan-with-semgrep.yml +++ b/.github/workflows/scan-with-semgrep.yml @@ -21,17 +21,10 @@ on: jobs: semgrep: - name: Scan Application Code with Semgrep SAST runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write container: image: returntocorp/semgrep:latest - if: github.actor != 'dependabot[bot]' - steps: - name: Checkout code uses: actions/checkout@v4 
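Review bot: Two debugging steps, `Print environment variables` and `List files after Semgrep XSS Scan`, are left in the job in the first hunk, and the second reuses the name of the existing step after the CI scan (visible as context in the second hunk), so the run log shows two identically named steps. Either delete the older step or give each a distinct name, and mark the debug steps as temporary with `# Debug only; delete once the pipeline is stable`.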
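Review bot: Deleting the job-level `permissions:` block (`actions: read`, `contents: read`, `security-events: write`) in the `@@ -21,17 +21,10 @@` hunk makes the job fall back to the repository's default `GITHUB_TOKEN` permissions. If that default is read-only, the `upload-sarif` steps later in the file lose `security-events: write` and fail; if it is the permissive default, the job now holds write scopes it does not need. Keep the explicit least-privilege block, and note that removing `if: github.actor != 'dependabot[bot]'` means Dependabot pull requests now run the job with the reduced token those PRs receive, which is exactly what the deleted comment said the condition was avoiding.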
@@ -53,31 +46,24 @@ jobs: fi shell: bash - # Debug: Print environment variables to check they are set correctly - - name: Print environment variables - run: | - echo "xss_config=$xss_config" - echo "xss_output=$xss_output" - echo "ci_config=$ci_config" - echo "ci_output=$ci_output" - # Run Semgrep XSS Scan using the dynamically set environment variables - name: Run Semgrep XSS Scan - run: semgrep --config "$xss_config" --sarif --output="$xss_output" + shell: bash # Switch to bash for better variable handling + run: | + semgrep --config "$xss_config" --sarif --output="$xss_output" . continue-on-error: true - # Debug: List files to check if SARIF file was generated + # Debug: List files to ensure the SARIF file is generated - name: List files after Semgrep XSS Scan run: ls -la # Run Semgrep High-Confidence SAST Scan using the dynamically set environment variables - name: Run Semgrep High-Confidence SAST Scan - run: semgrep --config "$ci_config" --sarif --output="$ci_output" + shell: bash # Switch to bash for better variable handling + run: | + semgrep --config "$ci_config" --sarif --output="$ci_output" . continue-on-error: true - - - name: List files after Semgrep XSS Scan - run: ls -la - + # Upload the XSS SARIF file - name: Upload XSS SARIF file uses: github/codeql-action/upload-sarif@main From 979d360b17d7008222f4c79fbef7ded33642587f Mon Sep 17 00:00:00 2001 From: meleksabit Date: Tue, 24 Sep 2024 15:15:16 +0300 Subject: [PATCH 49/68] edit Semgrep workflow --- .github/workflows/scan-with-semgrep.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan-with-semgrep.yml b/.github/workflows/scan-with-semgrep.yml index 229e1de1..f7827b17 100644 --- a/.github/workflows/scan-with-semgrep.yml +++ b/.github/workflows/scan-with-semgrep.yml 
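Review bot: `shell: bash # Switch to bash for better variable handling` on both scan steps is misleading: `xss_config` and `ci_config` come from `$GITHUB_ENV` and are visible to any shell, so the default shell handled them equally well. The job runs inside `container: image: returntocorp/semgrep:latest`, and `shell: bash` requires `bash` to exist in that image — worth confirming, since a missing interpreter fails the step before semgrep runs. Because both scans keep `continue-on-error: true`, the remaining `ls -la` step is the only evidence that a SARIF file was produced; replace it with `test -f "$xss_output"` (and the equivalent for `$ci_output`) so a silent scan failure stops the job before the upload steps.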
@@ -50,7 +50,7 @@ jobs: - name: Run Semgrep XSS Scan shell: bash # Switch to bash for better variable handling run: | - semgrep --config "$xss_config" --sarif --output="$xss_output" . + semgrep --config "$xss_config" --sarif --output="$xss_output" --verbose . continue-on-error: true # Debug: List files to ensure the SARIF file is generated From 5070ea8592ec16b2fa925f176fe4216de5d59903 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Tue, 24 Sep 2024 15:17:45 +0300 Subject: [PATCH 50/68] edit Semgrep workflow --- .github/workflows/scan-with-semgrep.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/scan-with-semgrep.yml b/.github/workflows/scan-with-semgrep.yml index f7827b17..99117007 100644 --- a/.github/workflows/scan-with-semgrep.yml +++ b/.github/workflows/scan-with-semgrep.yml @@ -51,6 +51,7 @@ jobs: shell: bash # Switch to bash for better variable handling run: | semgrep --config "$xss_config" --sarif --output="$xss_output" --verbose . + working-directory: /home/runner/work/mutillidae/mutillidae continue-on-error: true # Debug: List files to ensure the SARIF file is generated From 5fc22b27cac0edae0ccf2edbc9d83d75682dcfe3 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Tue, 24 Sep 2024 15:20:47 +0300 Subject: [PATCH 51/68] edit Semgrep workflow --- .github/workflows/scan-with-semgrep.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/scan-with-semgrep.yml b/.github/workflows/scan-with-semgrep.yml index 99117007..fa2a4572 100644 --- a/.github/workflows/scan-with-semgrep.yml +++ b/.github/workflows/scan-with-semgrep.yml 
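Review bot: `working-directory: /home/runner/work/mutillidae/mutillidae` hard-codes a host path, but this job runs inside `container: image: returntocorp/semgrep:latest` (declared outside the hunk), where the workspace is bind-mounted at a different path, so the directory most likely does not exist there. Use `working-directory: ${{ github.workspace }}`, which resolves to the in-container path, or omit the key entirely since the checkout already makes the workspace the default directory.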
@@ -50,8 +50,7 @@ jobs: - name: Run Semgrep XSS Scan shell: bash # Switch to bash for better variable handling run: | - semgrep --config "$xss_config" --sarif --output="$xss_output" --verbose . - working-directory: /home/runner/work/mutillidae/mutillidae + semgrep --config "${{ env.xss_config }}" --sarif --output="${{ env.xss_output }}" . continue-on-error: true # Debug: List files to ensure the SARIF file is generated From 2119795d3a1ee91eb1a7b4354958a61be372f5eb Mon Sep 17 00:00:00 2001 From: meleksabit Date: Tue, 24 Sep 2024 15:24:55 +0300 Subject: [PATCH 52/68] edit Semgrep workflow --- .github/workflows/scan-with-semgrep.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/scan-with-semgrep.yml b/.github/workflows/scan-with-semgrep.yml index fa2a4572..f8900de9 100644 --- a/.github/workflows/scan-with-semgrep.yml +++ b/.github/workflows/scan-with-semgrep.yml @@ -51,7 +51,6 @@ jobs: shell: bash # Switch to bash for better variable handling run: | semgrep --config "${{ env.xss_config }}" --sarif --output="${{ env.xss_output }}" . - continue-on-error: true # Debug: List files to ensure the SARIF file is generated - name: List files after Semgrep XSS Scan From fdfe37343d00023ce1ea5d96ec9b2d350bbdcea2 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Tue, 24 Sep 2024 15:28:19 +0300 Subject: [PATCH 53/68] edit Semgrep workflow --- .github/workflows/scan-with-semgrep.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan-with-semgrep.yml b/.github/workflows/scan-with-semgrep.yml index f8900de9..f6fb995d 100644 --- a/.github/workflows/scan-with-semgrep.yml +++ b/.github/workflows/scan-with-semgrep.yml 
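Review bot: Rewriting the `run:` line as `semgrep --config "${{ env.xss_config }}" --sarif --output="${{ env.xss_output }}" .` replaces shell-variable references with expressions that GitHub substitutes into the script text before bash sees it, so the surrounding double quotes no longer protect the command when the value contains a quote or a space — and these values originate from `workflow_dispatch` inputs. The previous `"$xss_config"` / `"$xss_output"` form was the safer one; keep the values as environment variables and reference them as such.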
@@ -50,7 +50,7 @@ jobs: - name: Run Semgrep XSS Scan shell: bash # Switch to bash for better variable handling run: | - semgrep --config "${{ env.xss_config }}" --sarif --output="${{ env.xss_output }}" . + semgrep --config "${{ env.xss_config }}" --sarif --output="${{ env.xss_output }}" --metrics=off . # Debug: List files to ensure the SARIF file is generated - name: List files after Semgrep XSS Scan From 23833c54a66780143d5d1329f2c9ff5af5ee31e0 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Tue, 24 Sep 2024 16:01:44 +0300 Subject: [PATCH 54/68] edit Semgrep workflow --- .github/workflows/scan-with-semgrep.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/scan-with-semgrep.yml b/.github/workflows/scan-with-semgrep.yml index f6fb995d..612c63d4 100644 --- a/.github/workflows/scan-with-semgrep.yml +++ b/.github/workflows/scan-with-semgrep.yml @@ -21,6 +21,7 @@ on: jobs: semgrep: + name: Scan Application Code with Semgrep SAST runs-on: ubuntu-latest container: image: returntocorp/semgrep:latest @@ -46,11 +47,18 @@ jobs: fi shell: bash + # Add step to check if Semgrep config files are correct + - name: Check Semgrep Configs + run: | + cat "$xss_config" + cat "$ci_config" + # Run Semgrep XSS Scan using the dynamically set environment variables - name: Run Semgrep XSS Scan shell: bash # Switch to bash for better variable handling run: | - semgrep --config "${{ env.xss_config }}" --sarif --output="${{ env.xss_output }}" --metrics=off . + semgrep --config "$xss_config" --sarif --output="$xss_output" . + continue-on-error: true # Debug: List files to ensure the SARIF file is generated - name: List files after Semgrep XSS Scan From 62af793d47b0a571e53e740e93f30f34ee1cee51 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Tue, 24 Sep 2024 22:35:43 +0300 Subject: [PATCH 55/68] edit Semgrep workflow --- .github/workflows/scan-with-semgrep.yml | 157 +++++++++++++----------- 1 file changed, 86 insertions(+), 71 deletions(-) 
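Review bot: The new `Check Semgrep Configs` step runs `cat "$xss_config"` and `cat "$ci_config"` without `continue-on-error`, so on `push` and `pull_request` it fails the whole job if `.github/semgrep/xss-config.yml` or `.github/semgrep/ci-config.yml` is absent — and nothing in this patch series adds those files, so that looks likely. Even when the files exist, `cat` only proves they are readable; `semgrep --validate --config "$xss_config"` would check that the rules parse. Re-adding `continue-on-error: true` to the XSS scan in the same hunk means a malformed config fails silently again, which is what the check step was meant to surface.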
diff --git a/.github/workflows/scan-with-semgrep.yml b/.github/workflows/scan-with-semgrep.yml
index 612c63d4..f65e958f 100644
--- a/.github/workflows/scan-with-semgrep.yml
+++ b/.github/workflows/scan-with-semgrep.yml
@@ -1,86 +1,101 @@ +# Name of this GitHub Actions workflow. name: Scan Application Code with Semgrep SAST on: + # Trigger the workflow on the following events: + + # Scan changed files in Pull Requests (diff-aware scanning). pull_request: {} - workflow_dispatch: - inputs: - xss_config: - description: 'Path to Semgrep configuration file' - required: true - xss_output: - description: 'Path to Semgrep output file' - required: true - ci_config: - description: 'Path to Semgrep configuration file' - required: true - ci_output: - description: 'Path to Semgrep output file' - required: true + + # Trigger the workflow on-demand through the GitHub Actions interface. + workflow_dispatch: {} + + # Scan mainline branches (main and development) and report all findings. push: branches: ["main", "development"] jobs: semgrep: + # User-defined name of this GitHub Actions job. name: Scan Application Code with Semgrep SAST + + # Specify the runner environment. Use the latest version of Ubuntu. runs-on: ubuntu-latest + + # Define permissions for specific GitHub Actions. + permissions: + actions: read # Permission to read GitHub Actions. + contents: read # Permission to read repository contents. + security-events: write # Permission to write security events (SARIF reports). + container: + # Use a Docker image with Semgrep pre-installed. image: returntocorp/semgrep:latest + # Skip any Pull Request created by the Dependabot to avoid permission issues. 
+ if: (github.actor != 'dependabot[bot]') + steps: - - name: Checkout code - uses: actions/checkout@v4 - - # Step to set the environment variables dynamically based on the event - - name: Set Config and Output Paths - id: vars - run: | - if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then - echo "xss_config=${{ github.event.inputs.xss_config }}" >> $GITHUB_ENV - echo "xss_output=${{ github.event.inputs.xss_output }}" >> $GITHUB_ENV - echo "ci_config=${{ github.event.inputs.ci_config }}" >> $GITHUB_ENV - echo "ci_output=${{ github.event.inputs.ci_output }}" >> $GITHUB_ENV - else - echo "xss_config=.github/semgrep/xss-config.yml" >> $GITHUB_ENV - echo "xss_output=xss-output.sarif" >> $GITHUB_ENV - echo "ci_config=.github/semgrep/ci-config.yml" >> $GITHUB_ENV - echo "ci_output=ci-output.sarif" >> $GITHUB_ENV - fi - shell: bash - - # Add step to check if Semgrep config files are correct - - name: Check Semgrep Configs - run: | - cat "$xss_config" - cat "$ci_config" - - # Run Semgrep XSS Scan using the dynamically set environment variables - - name: Run Semgrep XSS Scan - shell: bash # Switch to bash for better variable handling - run: | - semgrep --config "$xss_config" --sarif --output="$xss_output" . - continue-on-error: true - - # Debug: List files to ensure the SARIF file is generated - - name: List files after Semgrep XSS Scan - run: ls -la - - # Run Semgrep High-Confidence SAST Scan using the dynamically set environment variables - - name: Run Semgrep High-Confidence SAST Scan - shell: bash # Switch to bash for better variable handling - run: | - semgrep --config "$ci_config" --sarif --output="$ci_output" . 
- continue-on-error: true - - # Upload the XSS SARIF file - - name: Upload XSS SARIF file - uses: github/codeql-action/upload-sarif@main - with: - sarif_file: "$xss_output" - category: "Semgrep XSS Scan" - - # Upload the High-Confidence SAST SARIF file - - name: Upload CI SARIF file - uses: github/codeql-action/upload-sarif@main - with: - sarif_file: "$ci_output" - category: "Semgrep High-Confidence SAST Scan" + # Step 1: Checkout the repository code. + - name: Checkout code + uses: actions/checkout@v4 + + # Step 2: Run Semgrep XSS Scan using the Semgrep Registry (p/xss). + - name: Run Semgrep XSS Scan + run: | + echo "Starting XSS scan with Semgrep..." + semgrep --config p/xss --sarif --output=semgrep-xss-results.sarif + continue-on-error: true + + # Step 3: Check if XSS SARIF file exists and log the result + - name: Check and log XSS SARIF file + run: | + if [ -f semgrep-xss-results.sarif ]; then + echo "XSS SARIF file generated successfully." + else + echo "XSS SARIF file not found!" + exit 1 + fi + + # Step 4: Run Semgrep High-Confidence SAST Scan using the Semgrep Registry (p/ci). + - name: Run Semgrep High-Confidence SAST Scan + run: | + echo "Starting High-Confidence SAST scan with Semgrep..." + semgrep --config p/ci --sarif --output=semgrep-ci-results.sarif + continue-on-error: true + + # Step 5: Check if CI SARIF file exists and log the result + - name: Check and log CI SARIF file + run: | + if [ -f semgrep-ci-results.sarif ]; then + echo "CI SARIF file generated successfully." + else + echo "CI SARIF file not found!" + exit 1 + fi + + # Step 6: Upload the XSS SARIF file to GitHub Advanced Security Dashboard. + - name: Upload XSS SARIF file for GitHub Advanced Security Dashboard + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: semgrep-xss-results.sarif + category: "Semgrep XSS Scan" + if: always() + + # Step 7: Upload the CI SARIF file to GitHub Advanced Security Dashboard. 
+ - name: Upload CI SARIF file for GitHub Advanced Security Dashboard + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: semgrep-ci-results.sarif + category: "Semgrep High-Confidence SAST Scan" + if: always() + + # Step 8: Cache Semgrep results for faster future runs (optional). + - name: Cache Semgrep results + uses: actions/cache@v4 + with: + path: | + semgrep-xss-results.sarif + semgrep-ci-results.sarif + key: ${{ runner.os }}-semgrep-${{ github.sha }} + continue-on-error: true From a155fd1df164c482ee168016e30cd2794c489d5f Mon Sep 17 00:00:00 2001 From: meleksabit Date: Tue, 24 Sep 2024 23:20:43 +0300 Subject: [PATCH 56/68] edit Semgrep workflow --- .github/workflows/scan-with-semgrep.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan-with-semgrep.yml b/.github/workflows/scan-with-semgrep.yml index f65e958f..e060bfb5 100644 --- a/.github/workflows/scan-with-semgrep.yml +++ b/.github/workflows/scan-with-semgrep.yml @@ -30,7 +30,7 @@ jobs: container: # Use a Docker image with Semgrep pre-installed. - image: returntocorp/semgrep:latest + image: semgrep/semgrep:latest # Skip any Pull Request created by the Dependabot to avoid permission issues. if: (github.actor != 'dependabot[bot]') From f2779fe243f355ad0bc5b62640f6f8ff3b1de1fe Mon Sep 17 00:00:00 2001 From: meleksabit Date: Tue, 24 Sep 2024 23:45:38 +0300 Subject: [PATCH 57/68] edit Semgrep workflow --- .github/workflows/scan-with-semgrep.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan-with-semgrep.yml b/.github/workflows/scan-with-semgrep.yml index e060bfb5..6e13f055 100644 --- a/.github/workflows/scan-with-semgrep.yml +++ b/.github/workflows/scan-with-semgrep.yml 
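Review bot: The `Cache Semgrep results` step at the end of the hunk stores the two SARIF files under key `${{ runner.os }}-semgrep-${{ github.sha }}`, but nothing restores that cache earlier in the job and the key is unique per commit, so it can never be hit; it only spends time uploading scan output and should be removed. The `Check and log XSS SARIF file` step runs `exit 1` before the `p/ci` scan starts, so a missing XSS report aborts the job without the second scan ever running; move both check steps after both scans, or give the CI scan `if: always()`. The `if: (github.actor != 'dependabot[bot]')` line and the steps that follow belong to the `semgrep:` job whose header is in the earlier part of the hunk.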
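Review bot: `image: semgrep/semgrep:latest` keeps a floating tag for the container in which the checkout, both scans and the SARIF uploads run with a token that has `security-events: write`; whatever is published under `latest` tomorrow executes here without any commit to this repository. Pin to a specific version tag or an image digest, e.g. `image: semgrep/semgrep:<tested-version>  # bump deliberately`, using the version the team has actually validated.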
@@ -61,7 +61,7 @@ jobs:
 - name: Run Semgrep High-Confidence SAST Scan
 run: |
 echo "Starting High-Confidence SAST scan with Semgrep..."
- semgrep --config p/ci --sarif --output=semgrep-ci-results.sarif
+ semgrep --config p/ci --sarif --output=semgrep-ci-results.sarif --verbose
 continue-on-error: true
 
 # Step 5: Check if CI SARIF file exists and log the result
From 00811bba49de25fce59a8f0c86e40084d8e37247 Mon Sep 17 00:00:00 2001
From: meleksabit
Date: Tue, 24 Sep 2024 23:54:35 +0300
Subject: [PATCH 58/68] edit README.md
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 9b9aa24d..6a4987a7 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@ # $\color{LimeGreen}{OWASP\ Mutillidae\ II\ -\ Forked\ to\ showcase\ DevSecOps\ pipelines\}$ -[![JavaScript CodeQL Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml) [![Scan Application Code with Semgrep SAST](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-semgrep.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-semgrep.yml) [![Scan with OWASP Dependency Check](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml) [![SonarCloud Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml) [![Scan PHP code with Snyk Code](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml) [![SonarQube Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml) +[![JavaScript CodeQL Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml) [![Scan with OWASP Dependency Check](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml) [![SonarCloud Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml) [![Scan PHP 
code with Snyk Code](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml) [![SonarQube Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml) OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application designed for web-security enthusiasts. It serves as a target for learning and practicing web security skills. Mutillidae can be easily installed on Linux and Windows systems using LAMP, WAMP, and XAMMP stacks. Additionally, it comes pre-installed on SamuraiWTF and OWASP BWA, and the existing version can be updated on these platforms. With dozens of vulnerabilities and hints to guide the user, Mutillidae provides an accessible web hacking environment suitable for labs, security enthusiasts, classrooms, CTFs, and vulnerability assessment tool targets. It has been widely used in graduate security courses, corporate web security training, and as an assessment target for vulnerability assessment software. OWASP Mutillidae II provides a comprehensive platform for learning and practicing web security techniques in a controlled environment. From 6885501234ce88d5bde7aa7c89462e312096c677 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Tue, 24 Sep 2024 23:57:21 +0300 Subject: [PATCH 59/68] edit README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6a4987a7..b54729c7 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,7 @@ # $\color{LimeGreen}{OWASP\ Mutillidae\ II\ -\ Forked\ to\ showcase\ DevSecOps\ pipelines\}$ -[![JavaScript CodeQL Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml) [![Scan with OWASP Dependency Check](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml) [![SonarCloud Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml) [![Scan PHP code with Snyk Code](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml) [![SonarQube Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml) +[![JavaScript CodeQL Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml) [![Scan Application Code with Semgrep SAST](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-semgrep.yml/badge.svg?branch=development)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-semgrep.yml) [![Scan with OWASP Dependency Check](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml) [![SonarCloud 
Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml) [![Scan PHP code with Snyk Code](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml) [![SonarQube Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml) OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application designed for web-security enthusiasts. It serves as a target for learning and practicing web security skills. Mutillidae can be easily installed on Linux and Windows systems using LAMP, WAMP, and XAMMP stacks. Additionally, it comes pre-installed on SamuraiWTF and OWASP BWA, and the existing version can be updated on these platforms. With dozens of vulnerabilities and hints to guide the user, Mutillidae provides an accessible web hacking environment suitable for labs, security enthusiasts, classrooms, CTFs, and vulnerability assessment tool targets. It has been widely used in graduate security courses, corporate web security training, and as an assessment target for vulnerability assessment software. OWASP Mutillidae II provides a comprehensive platform for learning and practicing web security techniques in a controlled environment. From 6a35fa94261c1c85b947104982ae690a238a3a00 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Mon, 30 Sep 2024 22:21:25 +0300 Subject: [PATCH 60/68] add release badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b54729c7..e0a0756d 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,7 @@ # $\color{LimeGreen}{OWASP\ Mutillidae\ II\ -\ Forked\ to\ showcase\ DevSecOps\ pipelines\}$ -[![JavaScript CodeQL Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml) [![Scan Application Code with Semgrep SAST](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-semgrep.yml/badge.svg?branch=development)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-semgrep.yml) [![Scan with OWASP Dependency Check](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml) [![SonarCloud Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml) [![Scan PHP code with Snyk Code](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml) [![SonarQube Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml) +[![JavaScript CodeQL Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml) [![Scan Application Code with Semgrep SAST](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-semgrep.yml/badge.svg?branch=development)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-semgrep.yml) [![Scan with OWASP Dependency 
Check](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml) [![SonarCloud Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml) [![Scan PHP code with Snyk Code](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml) [![SonarQube Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml)![GitHub Release](https://img.shields.io/github/v/release/meleksabit/mutillidae) OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application designed for web-security enthusiasts. It serves as a target for learning and practicing web security skills. Mutillidae can be easily installed on Linux and Windows systems using LAMP, WAMP, and XAMMP stacks. Additionally, it comes pre-installed on SamuraiWTF and OWASP BWA, and the existing version can be updated on these platforms. With dozens of vulnerabilities and hints to guide the user, Mutillidae provides an accessible web hacking environment suitable for labs, security enthusiasts, classrooms, CTFs, and vulnerability assessment tool targets. It has been widely used in graduate security courses, corporate web security training, and as an assessment target for vulnerability assessment software. OWASP Mutillidae II provides a comprehensive platform for learning and practicing web security techniques in a controlled environment. From 7fe74e58d6299d4e4a693758b560ff76cb754dbc Mon Sep 17 00:00:00 2001 
From: meleksabit
Date: Mon, 30 Sep 2024 22:29:40 +0300
Subject: [PATCH 61/68] edit release badge
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index e0a0756d..19844ab7 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@ # $\color{LimeGreen}{OWASP\ Mutillidae\ II\ -\ Forked\ to\ showcase\ DevSecOps\ pipelines\}$ -[![JavaScript CodeQL Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml) [![Scan Application Code with Semgrep SAST](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-semgrep.yml/badge.svg?branch=development)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-semgrep.yml) [![Scan with OWASP Dependency Check](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml) [![SonarCloud Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml) [![Scan PHP code with Snyk Code](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml) [![SonarQube Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml)![GitHub Release](https://img.shields.io/github/v/release/meleksabit/mutillidae) +[![JavaScript CodeQL Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml) [![Scan Application Code with Semgrep SAST](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-semgrep.yml/badge.svg?branch=development)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-semgrep.yml) [![Scan with OWASP Dependency 
Check](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml) [![SonarCloud Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml) [![Scan PHP code with Snyk Code](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml) [![SonarQube Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml) ![GitHub Release](https://img.shields.io/github/v/release/meleksabit/mutillidae) OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application designed for web-security enthusiasts. It serves as a target for learning and practicing web security skills. Mutillidae can be easily installed on Linux and Windows systems using LAMP, WAMP, and XAMMP stacks. Additionally, it comes pre-installed on SamuraiWTF and OWASP BWA, and the existing version can be updated on these platforms. With dozens of vulnerabilities and hints to guide the user, Mutillidae provides an accessible web hacking environment suitable for labs, security enthusiasts, classrooms, CTFs, and vulnerability assessment tool targets. It has been widely used in graduate security courses, corporate web security training, and as an assessment target for vulnerability assessment software. OWASP Mutillidae II provides a comprehensive platform for learning and practicing web security techniques in a controlled environment. From 2c4a75e98c284b097b37d8f9f59f25695b19ddef Mon Sep 17 00:00:00 2001 
From: meleksabit
Date: Mon, 7 Oct 2024 23:18:54 +0300
Subject: [PATCH 62/68] edit release badge
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 19844ab7..9129b274 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@ # $\color{LimeGreen}{OWASP\ Mutillidae\ II\ -\ Forked\ to\ showcase\ DevSecOps\ pipelines\}$ -[![JavaScript CodeQL Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml) [![Scan Application Code with Semgrep SAST](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-semgrep.yml/badge.svg?branch=development)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-semgrep.yml) [![Scan with OWASP Dependency Check](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml) [![SonarCloud Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml) [![Scan PHP code with Snyk Code](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml) [![SonarQube Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml) ![GitHub Release](https://img.shields.io/github/v/release/meleksabit/mutillidae) +[![JavaScript CodeQL Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml) [![Scan Application Code with Semgrep SAST](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-semgrep.yml/badge.svg?branch=development)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-semgrep.yml) [![Scan with OWASP Dependency 
Check](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml) [![SonarCloud Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml) [![Scan PHP code with Snyk Code](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml) [![SonarQube Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml) [![GitHub Release](https://img.shields.io/github/v/release/meleksabit/mutillidae)](https://github.com/meleksabit/mutillidae/releases) OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application designed for web-security enthusiasts. It serves as a target for learning and practicing web security skills. Mutillidae can be easily installed on Linux and Windows systems using LAMP, WAMP, and XAMMP stacks. Additionally, it comes pre-installed on SamuraiWTF and OWASP BWA, and the existing version can be updated on these platforms. With dozens of vulnerabilities and hints to guide the user, Mutillidae provides an accessible web hacking environment suitable for labs, security enthusiasts, classrooms, CTFs, and vulnerability assessment tool targets. It has been widely used in graduate security courses, corporate web security training, and as an assessment target for vulnerability assessment software. OWASP Mutillidae II provides a comprehensive platform for learning and practicing web security techniques in a controlled environment. From 0e3054dbdcb0895687ab21e90d1a86e4e0dce37a Mon Sep 17 00:00:00 2001 
From: meleksabit
Date: Tue, 8 Oct 2024 03:59:10 +0300
Subject: [PATCH 63/68] add .gitignore file
---
 .gitignore | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)
 create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..dcfc30ee
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,74 @@
+# PHP-specific
+*.log
+*.cache
+*.php_cs.cache
+vendor/
+composer.lock
+composer.phar
+
+# HTML-specific
+*.html
+*.htm
+
+# JavaScript-specific
+node_modules/
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+dist/
+build/
+.eslintcache
+*.js.map
+
+# CSS-specific
+*.css.map
+
+# NASL-specific (assuming any generated files or unnecessary logs)
+*.nasl
+nasl-logs/
+
+# Shell-specific
+*.sh~
+*.bash_history
+*.bashrc
+*.bash_profile
+*.profile
+*.zshrc
+*.zprofile
+*.zsh_history
+
+# Common files
+.idea/
+.vscode/
+.DS_Store
+Thumbs.db
+*.swp
+*.swo
+*.bak
+*.tmp
+*.lock
+
+# Logs and databases
+logs/
+*.log
+*.sql
+*.sqlite
+
+# Dependency directories
+node_modules/
+vendor/
+
+# IDE-specific (JetBrains, VSCode)
+.idea/
+.vscode/
+*.sublime-workspace
+*.sublime-project
+
+# Operating system files
+.DS_Store
+Thumbs.db
+
+# Backup files
+*.bak
+*.orig
From 27cbf3f4acd3818fe2e4765c52227244edb8a8f8 Mon Sep 17 00:00:00 2001
From: meleksabit
Date: Wed, 16 Oct 2024 23:19:40 +0300
Subject: [PATCH 64/68] edit README file
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 9129b274..7100fc1c 100644
--- a/README.md
+++ b/README.md
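Review bot: The `*.html`, `*.htm`, `*.sql` and `*.lock` patterns (under `# HTML-specific`, `# Logs and databases` and `# Common files`) will silently keep out of commits files that a PHP web-application repository most likely versions — page templates, any SQL schema or setup scripts, and dependency lockfiles — and git gives no warning when a new such file is simply never staged. `composer.lock` (and the broad `*.lock`) in particular should stay tracked: the lockfile is what makes dependency installs reproducible and lets the dependency-check and Semgrep workflows in this series scan the versions that are actually deployed, so drop those four lines and `composer.lock`, or narrow them to specific generated paths. Several entries are also listed twice (`node_modules/`, `vendor/`, `.idea/`, `.vscode/`, `.DS_Store`, `Thumbs.db`, `*.bak`, `*.log`); keep one copy of each so the file has a single place to maintain per rule.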
@@ -1,5 +1,5 @@ -# $\color{LimeGreen}{OWASP\ Mutillidae\ II\ -\ Forked\ to\ showcase\ DevSecOps\ pipelines\}$ +# $\color{LimeGreen}{OWASP\ Mutillidae\ II\ -\ Forked\ and\ enhanced\ to\ showcase\ DevSecOps\ pipelines\}$ [![JavaScript CodeQL Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-codeql.yml) [![Scan Application Code with Semgrep SAST](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-semgrep.yml/badge.svg?branch=development)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-semgrep.yml) [![Scan with OWASP Dependency Check](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-owasp-dependency-check.yml) [![SonarCloud Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarcloud.yml) [![Scan PHP code with Snyk Code](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/scan-with-snyk-code.yml) [![SonarQube Analysis](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml/badge.svg)](https://github.com/meleksabit/mutillidae/actions/workflows/sonarqube.yml) [![GitHub Release](https://img.shields.io/github/v/release/meleksabit/mutillidae)](https://github.com/meleksabit/mutillidae/releases) From 4070c3d0d01eaa2b2ad5efb7da0d40eaa09fc392 Mon Sep 17 00:00:00 2001 From: meleksabit Date: Tue, 22 Oct 2024 16:19:53 +0300 Subject: [PATCH 65/68] add GitGuardian Scan --- .github/workflows/gitguardian.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .github/workflows/gitguardian.yml 
diff --git a/.github/workflows/gitguardian.yml b/.github/workflows/gitguardian.yml
new file mode 100644
index 00000000..ea9dbfa1
--- /dev/null
+++ b/.github/workflows/gitguardian.yml
@@ -0,0 +1,21 @@
+name: GitGuardian scan
+
+on: [push, pull_request]
+
+jobs:
+ scanning:
+ name: GitGuardian scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # fetch all history so multiple commits can be scanned
+ - name: GitGuardian scan
+ uses: GitGuardian/ggshield/actions/secret@v1.32.2
+ env:
+ GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
+ GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
+ GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+ GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+ GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
From c29db0f212e7ba40a0ecfaa2a5ebe302aee6369c Mon Sep 17 00:00:00 2001
From: meleksabit
Date: Tue, 22 Oct 2024 16:45:43 +0300
Subject: [PATCH 66/68] add GitGuardian Scan
---
 .github/workflows/gitguardian.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/gitguardian.yml b/.github/workflows/gitguardian.yml
index ea9dbfa1..80e83220 100644
--- a/.github/workflows/gitguardian.yml
+++ b/.github/workflows/gitguardian.yml
@@ -1,6 +1,12 @@
 name: GitGuardian scan
 
-on: [push, pull_request]
+on:
+ pull_request:
+ types: [opened, synchronize]
+ push:
+ branches:
+ - development
+ - main
 
 jobs:
 scanning:
From c6c8fa6a6353a32c91a36dc7f3580c75201cba5a Mon Sep 17 00:00:00 2001
From: meleksabit
Date: Tue, 22 Oct 2024 18:06:52 +0300
Subject: [PATCH 67/68] update README file
---
 README.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/README.md b/README.md
index 7100fc1c..3753f05b 100644
--- a/README.md
+++ b/README.md
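Review bot: The workflow declares no `permissions:` block, so the job's `GITHUB_TOKEN` receives the repository's default permission set even though checkout and the secret scan only need to read contents; add `permissions:` / `  contents: read` at the workflow level, above `jobs:`. Both actions are referenced by mutable tags (`actions/checkout@v4`, `GitGuardian/ggshield/actions/secret@v1.32.2`); for a step that is handed `GITGUARDIAN_API_KEY`, pinning each `uses:` to a full commit SHA with the tag in a trailing comment keeps an upstream tag move from changing what code handles the secret. Note also that `pull_request` runs from forked repositories do not receive `secrets.GITGUARDIAN_API_KEY`, so those runs will fail at authentication rather than scan; a comment next to the `env:` block stating this, or an `if:` on `github.event.pull_request.head.repo.fork`, would save the next maintainer a debugging session.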
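Review bot: `types: [opened, synchronize]` on the new `pull_request` trigger omits `reopened`, so a pull request that is closed and later reopened is not rescanned until someone pushes a new commit to it; `types: [opened, synchronize, reopened]` closes that gap. With `push` now limited to `development` and `main`, commits on other branches are only scanned once a pull request exists, which is fine if intended but worth a one-line comment above `push:` so the narrowing is not read as an oversight. The `jobs:` section below continues outside the hunk.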
@@ -5,6 +5,18 @@ OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application designed for web-security enthusiasts. It serves as a target for learning and practicing web security skills. Mutillidae can be easily installed on Linux and Windows systems using LAMP, WAMP, and XAMMP stacks. Additionally, it comes pre-installed on SamuraiWTF and OWASP BWA, and the existing version can be updated on these platforms. With dozens of vulnerabilities and hints to guide the user, Mutillidae provides an accessible web hacking environment suitable for labs, security enthusiasts, classrooms, CTFs, and vulnerability assessment tool targets. It has been widely used in graduate security courses, corporate web security training, and as an assessment target for vulnerability assessment software. OWASP Mutillidae II provides a comprehensive platform for learning and practicing web security techniques in a controlled environment. +## 📈🚀💡🏋️💪Enhancements and Additions in This Fork: +* **README Updates**: Enhanced the **`README.md`** file with improved documentation, ensuring better clarity and usability. +* **SonarQube Integration**: + * Added **SonarQube analysis** to the project, enabling continuous code quality checks. + * Included a **`Jenkinsfile`** for SonarQube integration to automate the process. +* **CodeQL Scan Improvements**: Enhanced the CodeQL scan process for better security analysis and coverage. +* **OWASP Dependency Check Workflow**: Optimized the **OWASP Dependency Check** workflow to improve the detection of vulnerable dependencies. +* **Semgrep SAST Workflow Updates**: Updated the **Semgrep SAST workflow** to use the latest versions for improved static analysis capabilities. +* **SonarCloud Workflow and Quality Gate**: + * Introduced a **SonarCloud workflow** for seamless integration with SonarCloud’s continuous analysis tools. 
+ * Implemented a **Quality Gate** in the Jenkins pipeline to ensure code meets the required quality standards before deployment. + ## $\color{red}{Project\ Announcements\}$ > [!TIP]
From fab798bc5ab0691839c5d22d900c713e79cbcd00 Mon Sep 17 00:00:00 2001
From: meleksabit
Date: Mon, 18 Nov 2024 01:32:38 +0200
Subject: [PATCH 68/68] add PR Title Linter
---
 .github/workflows/pr-title-linter.yml | 25 +++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 .github/workflows/pr-title-linter.yml
diff --git a/.github/workflows/pr-title-linter.yml b/.github/workflows/pr-title-linter.yml
new file mode 100644
index 00000000..df5cab12
--- /dev/null
+++ b/.github/workflows/pr-title-linter.yml
@@ -0,0 +1,25 @@
+name: PR Title Check
+
+on:
+ pull_request:
+ types: [opened, edited]
+
+jobs:
+ lint-pr-title:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Check PR Title
+ uses: actions/github-script@v7.0.1
+ with:
+ script: |
+ const title = context.payload.pull_request.title;
+ const regex = /^(feat|fix|chore|docs|style|refactor|perf|test): .+/;
+ if (!regex.test(title)) {
+ core.setFailed(`Invalid PR title: "${title}". Titles must match the pattern "type: description" (e.g., "feat: Add new feature").`);
+ } else {
+ console.log(`PR title "${title}" is valid.`);
+ }
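Review bot: The `Checkout repository` step is unnecessary for this job — the script reads only `context.payload.pull_request.title` and never touches the working tree — so it adds runtime and pulls repository contents into a job that has no use for them; drop the step. The workflow also has no `permissions:` block, so the token gets the default permissions while the check itself needs none: add `permissions: {}` at the workflow level (the `github-script` step only reads the event payload, which is available without token scopes). The `regex` accepts only `type: description` and will reject conventional-commit forms such as `feat(scope): …` or `fix!: …`; if those should pass, the pattern needs an optional scope/breaking-change group, otherwise a comment above `const regex` stating that scopes are intentionally disallowed would prevent a later "fix".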