Merge branch 'main' into main

pluribus-one · Nov 20, 2024 · b0dbb3f · b0dbb3f
2 parents e41c7aa + 4f4d5df
commit b0dbb3f
Show file tree

Hide file tree

Showing 5 changed files with 140 additions and 11 deletions.
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -0,0 +1,24 @@
+on:
+  workflow_dispatch: {}
+  pull_request: {}
+  push:
+    branches:
+    - main
+    - master
+    paths:
+    - .github/workflows/semgrep.yml
+  schedule:
+  # random HH:MM to avoid a load spike on GitHub Actions at 00:00
+  - cron: 12 1 * * *
+name: Semgrep
+jobs:
+  semgrep:
+    name: semgrep/ci
+    runs-on: ubuntu-20.04
+    env:
+      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+    container:
+      image: returntocorp/semgrep
+    steps:
+    - uses: actions/checkout@v3
+    - run: semgrep ci
diff --git a/.github/workflows/vuln_man.yml b/.github/workflows/vuln_man.yml
@@ -8,6 +8,7 @@ jobs:
   sbom:
     name: Generate app SBOM
     runs-on: ubuntu-latest
+
     strategy:
       fail-fast: false
       matrix:
@@ -31,12 +32,7 @@ jobs:
       - name: Generate SBOMs
         run: |
           cd vuln_apps/${{ matrix.project }}
-          cdxgen \
-          --format json \
-          --spec-version="${{matrix.cdx_spec_version}}" \
-          --project-name="${{ matrix.project }}" \
-          --project-version="${{ github.run_number }}" \
-          -o "${{ matrix.project }}_bom.json"
+          cdxgen --format json -o "${{ matrix.project }}_bom.json"
 
       - name: Upload results
         if: always()
@@ -47,12 +43,12 @@ jobs:
           retention-days: 5
           if-no-files-found: error
 
-
 ## Exercise Docker SBOM generation
   # sbom-docker:
   #   name: Generate docker SBOM
   #   runs-on: ubuntu-latest
   #   container: quay.io/pluribus_one/sbom_vex_scanner@sha256:4c93316f95a2fe12bd2683ec34ff36d8e3a29501c797fb4825e7e510bab29ce3
+
   #   strategy:
   #     fail-fast: false
   #     matrix:
@@ -86,11 +82,12 @@ jobs:
   #         -o "${{ project }}-docker_bom.json"
   #         image:tag
 
+
   #     - name: upload Artifacts
   #       uses: actions/upload-artifact@v4
   #       with:
   #         name: sbom-${{matrix.project}}-docker
-  #         path: ${{ matrix.project }}-docker_bom.json
+  #         path: "/path/to/output/bom.json"
   #         retention-days: 5
   #         if-no-files-found: error
 
@@ -132,6 +129,6 @@ jobs:
   #       uses: actions/upload-artifact@v4
   #       with:
   #         name: sbom-${{matrix.project}}-merged
-  #         path: ${{ matrix.project }}_merged_sbom.json
+  #         path: "path/to/file_out.json"
   #         retention-days: 5
   #         if-no-files-found: error
diff --git a/.github/workflows/vuln_man_mod.yml b/.github/workflows/vuln_man_mod.yml
@@ -0,0 +1,104 @@
+name: SBOM generation mod
+
+on:
+  workflow_dispatch:
+
+jobs:
+  sbom:
+    name: Generate app SBOM
+    runs-on: ubuntu-latest
+    container: quay.io/pluribus_one/sbom_vex_scanner:latest
+    strategy:
+      fail-fast: false
+      matrix:
+        project: ["dvna", "vulnado"]
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Generate SBOMs
+        run: |
+          cd vuln_apps/${{ matrix.project }}
+          cdxgen --format json -o "${{ matrix.project }}_bom.json"
+
+      - name: Upload results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-${{matrix.project}}
+          path: vuln_apps/${{ matrix.project }}/${{ matrix.project }}_bom.json
+          retention-days: 5
+          if-no-files-found: error
+
+  sbom-docker:
+    name: Generate docker SBOM
+    runs-on: ubuntu-latest
+    container: quay.io/pluribus_one/sbom_vex_scanner:latest
+    strategy:
+      fail-fast: false
+      matrix:
+        project: ["dvna", "vulnado"]
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Docker image
+        id: build-image
+        uses: docker/build-push-action@v5
+        with:
+          context: "${{ github.workspace }}/vuln_apps/${{ matrix.project }}"
+          push: false
+          load: true
+          tags: ${{ matrix.project }}:latest
+
+      - name: Generate docker SBOMs
+        run: |
+          cdxgen --type docker -o "${{ matrix.project }}-docker_bom.json" ${{ matrix.project }}:latest
+
+      - name: upload Artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-${{matrix.project}}-docker
+          path: ${{ matrix.project }}-docker_bom.json
+          retention-days: 5
+          if-no-files-found: error
+
+  merge-sbom:
+    name: Merge previously generated SBOM
+    runs-on: ubuntu-latest
+    needs: ["sbom", "sbom-docker"]
+    container: cyclonedx/cyclonedx-cli:0.25.0
+    strategy:
+      fail-fast: false
+      matrix:
+        project: ["dvna", "vulnado"]
+
+    steps:
+      - name: Download artifact sbom
+        uses: actions/download-artifact@v4
+        with:
+          name: sbom-${{matrix.project}}
+          path: ./sboms-${{matrix.project}}
+
+      - name: Download artifact sbom-docker
+        uses: actions/download-artifact@v4
+        with:
+          name: sbom-${{matrix.project}}-docker
+          path: ./sboms-${{matrix.project}}
+
+      - name: Merge previously generated sboms
+        run: |
+          cyclonedx merge --input-files sboms-${{matrix.project}}/${{ matrix.project }}_bom.json sboms-${{matrix.project}}/${{ matrix.project }}-docker_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name ${{ matrix.project }} --version ${{ github.run_number }} --group devsecops-exercises
+
+      - name: upload Artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-${{matrix.project}}-merged
+          path: ${{ matrix.project }}_merged_sbom.json
+          retention-days: 5
+          if-no-files-found: error
diff --git a/.github/workflows/vuln_man_solved.yml b/.github/workflows/vuln_man_solved.yml
@@ -8,6 +8,7 @@ jobs:
   sbom:
     name: Generate app SBOM
     runs-on: ubuntu-latest
+
     strategy:
       fail-fast: false
       matrix:
@@ -20,7 +21,6 @@ jobs:
           - project: dvna
             cdx_spec_version: "1.5"
             cdx_image:  quay.io/pluribus_one/sbom_vex_scanner@sha256:4c93316f95a2fe12bd2683ec34ff36d8e3a29501c797fb4825e7e510bab29ce3
-
     container:
       image: ${{matrix.cdx_image}}
 
@@ -52,6 +52,7 @@ jobs:
     name: Generate docker SBOM
     runs-on: ubuntu-latest
     container: quay.io/pluribus_one/sbom_vex_scanner@sha256:4c93316f95a2fe12bd2683ec34ff36d8e3a29501c797fb4825e7e510bab29ce3
+
     strategy:
       fail-fast: false
       matrix:
@@ -85,6 +86,7 @@ jobs:
           -o "${{ matrix.project }}-docker_bom.json"
           ${{ matrix.project }}:latest
 
+
       - name: upload Artifacts
         uses: actions/upload-artifact@v4
         with:
@@ -93,6 +95,7 @@ jobs:
           retention-days: 5
           if-no-files-found: error
 
+
 ## Exercise Merge multiple SBOMs
   merge-sbom:
     name: Merge previously generated SBOM

diff --git a/README.md b/README.md
@@ -101,6 +101,7 @@ Le applicazioni vulnerabili che abbiamo esposto in questa repository sono prese
 https://owasp.org/www-project-vulnerable-web-applications-directory/
 
 
+
 # Follow Us on Security News
 Restate aggiornati con le ultime news su temi di cybersecurity, effettuando la subscribe al seguente link:  
-https://davideariu.substack.com/
+https://davideariu.substack.com/