From 5cf03341e0fd25d17e00713c4123e403181d1655 Mon Sep 17 00:00:00 2001 From: sayoungestguy Date: Sun, 18 Aug 2024 17:09:15 +0800 Subject: [PATCH 1/9] Commit changes to main.yml --- .github/workflows/main.yml | 62 +++++++++++++++++++++++++++++++++++--- pom.xml | 2 ++ 2 files changed, 59 insertions(+), 5 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 9506777..7f6b19a 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -1,8 +1,8 @@ -name: Application CI workflow +name: ScaleUp Application CI workflow on: [push, pull_request] jobs: - pipeline: - name: scaleup pipeline + build: + name: Build Stage runs-on: ubuntu-latest if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]') && !contains(github.event.pull_request.title, '[skip ci]') && !contains(github.event.pull_request.title, '[ci skip]')" timeout-minutes: 40 
@@ -22,11 +22,63 @@ jobs: java-version: 17 - name: Install Node.js packages run: npm install + - name: Package application + run: npm run java:jar:prod + + backend-test: + name: Backend Test Stage + runs-on: ubuntu-latest + needs: build + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-java@v4 + with: + distribution: 'temurin' + java-version: 17 - name: Run backend test run: | chmod +x mvnw npm run ci:backend:test + + frontend-test: + name: Frontend Test Stage + runs-on: ubuntu-latest + needs: build + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: 20.15.0 + - name: Install Node.js packages + run: npm install - name: Run frontend test run: npm run ci:frontend:test - - name: Package application - run: npm run java:jar:prod + sonar: + name: Sonar SAST Scan + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis + - name: Set up JDK 17 + uses: actions/setup-java@v3 + with: + java-version: 17 + distribution: 'zulu' # Alternative distribution options are available. + - name: Cache SonarCloud packages + uses: actions/cache@v3 + with: + path: ~/.sonar/cache + key: ${{ runner.os }}-sonar + restore-keys: ${{ runner.os }}-sonar + - name: Cache Maven packages + uses: actions/cache@v3 + with: + path: ~/.m2 + key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} + restore-keys: ${{ runner.os }}-m2 + - name: Build and analyze + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=sayoungestguy_scaleup diff --git a/pom.xml b/pom.xml index a23eb31..f31d0b8 100644 --- a/pom.xml +++ b/pom.xml @@ -76,6 +76,8 @@ 4.0.0.4121 2.43.0 2.5.0 + sayoungestguy-2397 + https://sonarcloud.io From 73180f082c0d10d65eb6ab4cfb5befba481288ec Mon Sep 17 00:00:00 2001 
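Review bot: The new `sonar` job at the end of this hunk uses `actions/checkout@v3`, `actions/setup-java@v3` and `actions/cache@v3` while the `build`, `backend-test` and `frontend-test` jobs in the same hunk are on `@v4`; pin every job to the same major (`uses: actions/checkout@v4`, `uses: actions/setup-java@v4`, `uses: actions/cache@v4`) so a runtime deprecation of the older majors does not break half the workflow. The `Build and analyze` step reads `secrets.SONAR_TOKEN`, which is empty on `pull_request` runs from forks, so the scanner presumably fails there for a reason unrelated to the code; consider guarding the job with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`. The jar produced by `Package application` is neither uploaded nor consumed by the jobs that declare `needs: build`, so that dependency only orders them; if the intent was to reuse the build, publish it with `actions/upload-artifact`, otherwise say in a comment that `build` is a compile check only.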
From: sayoungestguy Date: Sun, 18 Aug 2024 17:25:01 +0800 Subject: [PATCH 2/9] Changes in pom.xml --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index f31d0b8..f6443e1 100644 --- a/pom.xml +++ b/pom.xml @@ -76,7 +76,7 @@ 4.0.0.4121 2.43.0 2.5.0 - sayoungestguy-2397 + sayoungestguy https://sonarcloud.io From d7b6784ad88cbe7632b37fea90fabae70eded62e Mon Sep 17 00:00:00 2001 From: sayoungestguy Date: Sun, 18 Aug 2024 17:30:49 +0800 Subject: [PATCH 3/9] Changes in sonar settings --- src/main/docker/sonar.yml | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/src/main/docker/sonar.yml b/src/main/docker/sonar.yml index 28e6dd1..a12ddce 100644 --- a/src/main/docker/sonar.yml +++ b/src/main/docker/sonar.yml 
@@ -1,15 +1,15 @@ -# This configuration is intended for development purpose, it's **your** responsibility to harden it for production -name: scaleup -services: - sonar: - container_name: sonarqube - image: sonarqube:10.5.1-community - # Forced authentication redirect for UI is turned off for out of the box experience while trying out SonarQube - # For real use cases delete SONAR_FORCEAUTHENTICATION variable or set SONAR_FORCEAUTHENTICATION=true - environment: - - SONAR_FORCEAUTHENTICATION=false - # If you want to expose these ports outside your dev PC, - # remove the "127.0.0.1:" prefix - ports: - - 127.0.0.1:9001:9000 - - 127.0.0.1:9000:9000 +## This configuration is intended for development purpose, it's **your** responsibility to harden it for production +#name: scaleup +#services: +# sonar: +# container_name: sonarqube +# image: sonarqube:10.5.1-community +# # Forced authentication redirect for UI is turned off for out of the box experience while trying out SonarQube +# # For real use cases delete SONAR_FORCEAUTHENTICATION variable or set SONAR_FORCEAUTHENTICATION=true +# environment: +# - SONAR_FORCEAUTHENTICATION=false +# # If you want to expose these ports outside your dev PC, +# # remove the "127.0.0.1:" prefix +# ports: +# - 127.0.0.1:9001:9000 +# - 127.0.0.1:9000:9000 From ccadc588b1e11b213207fb863b01ad8026c4993f Mon Sep 17 00:00:00 2001 From: sayoungestguy Date: Sun, 18 Aug 2024 18:00:58 +0800 Subject: [PATCH 4/9] Changes in sonar settings --- sonar-project.properties | 86 ++++++++++++++++++++-------------------- 1 file changed, 43 insertions(+), 43 deletions(-) diff --git a/sonar-project.properties b/sonar-project.properties index 2a1f2fd..08e1783 100644 --- a/sonar-project.properties +++ b/sonar-project.properties 
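Review bot: Commenting out every line of `src/main/docker/sonar.yml` leaves a Compose file that parses to an empty document, so `docker compose -f src/main/docker/sonar.yml up` presumably now errors instead of the file simply not existing. If the local SonarQube container is no longer wanted after the move to SonarCloud, delete the file (history keeps it) rather than keeping a fully commented copy; if it is meant to remain a local option, keep it live and add a header line such as `# Local SonarQube for developer use; CI analyses on SonarCloud (see .github/workflows/main.yml)`.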
@@ -1,43 +1,43 @@ -sonar.projectKey = scaleup -sonar.projectName = scaleup generated by jhipster - -# Typescript tests files must be inside sources and tests, otherwise `INFO: Test execution data ignored for 80 unknown files, including:` -# is shown. -sonar.sources = src -sonar.tests = src -sonar.host.url = http://localhost:9001 - -sonar.test.inclusions = src/test/**/*.*, src/main/webapp/app/**/*.spec.ts, src/main/webapp/app/**/*.spec.tsx -sonar.coverage.jacoco.xmlReportPaths = target/site/**/jacoco*.xml -sonar.java.codeCoveragePlugin = jacoco -sonar.junit.reportPaths = target/surefire-reports,target/failsafe-reports -sonar.testExecutionReportPaths = target/test-results/jest/TESTS-results-sonar.xml -sonar.javascript.lcov.reportPaths = target/test-results/lcov.info - -sonar.sourceEncoding = UTF-8 -sonar.exclusions = src/main/webapp/content/**/*.*, src/main/webapp/i18n/*.js, target/classes/static/**/*.* - -sonar.issue.ignore.multicriteria = S1192,S125,S3437,S4502,S4684,S5145,UndocumentedApi - -# Rule https://rules.sonarsource.com/java/RSPEC-3437 is ignored, as a JPA-managed field cannot be transient -sonar.issue.ignore.multicriteria.S3437.resourceKey = src/main/java/**/* -sonar.issue.ignore.multicriteria.S3437.ruleKey = squid:S3437 -# Rule https://rules.sonarsource.com/java/RSPEC-4502 is ignored, as for JWT tokens we are not subject to CSRF attack -sonar.issue.ignore.multicriteria.S4502.resourceKey = src/main/java/**/* -sonar.issue.ignore.multicriteria.S4502.ruleKey = java:S4502 -# Rule https://rules.sonarsource.com/java/RSPEC-4684 -sonar.issue.ignore.multicriteria.S4684.resourceKey = src/main/java/**/* -sonar.issue.ignore.multicriteria.S4684.ruleKey = java:S4684 -# Rule https://rules.sonarsource.com/java/RSPEC-5145 log filter is applied -sonar.issue.ignore.multicriteria.S5145.resourceKey = src/main/java/**/* -sonar.issue.ignore.multicriteria.S5145.ruleKey = javasecurity:S5145 -# Rule https://rules.sonarsource.com/java/RSPEC-1176 is ignored, as we want to follow 
"clean code" guidelines and classes, methods and -# arguments names should be self-explanatory -sonar.issue.ignore.multicriteria.UndocumentedApi.resourceKey = src/main/java/**/* -sonar.issue.ignore.multicriteria.UndocumentedApi.ruleKey = squid:UndocumentedApi -# Rule https://rules.sonarsource.com/java/RSPEC-1192 -sonar.issue.ignore.multicriteria.S1192.resourceKey = src/main/java/**/CacheConfiguration.java -sonar.issue.ignore.multicriteria.S1192.ruleKey = java:S1192 -# Rule https://rules.sonarsource.com/xml/RSPEC-125 -sonar.issue.ignore.multicriteria.S125.resourceKey = src/main/resources/logback-spring.xml -sonar.issue.ignore.multicriteria.S125.ruleKey = xml:S125 +#sonar.projectKey = scaleup +#sonar.projectName = scaleup generated by jhipster +# +## Typescript tests files must be inside sources and tests, otherwise `INFO: Test execution data ignored for 80 unknown files, including:` +## is shown. +#sonar.sources = src +#sonar.tests = src +#sonar.host.url = http://localhost:9001 +# +#sonar.test.inclusions = src/test/**/*.*, src/main/webapp/app/**/*.spec.ts, src/main/webapp/app/**/*.spec.tsx +#sonar.coverage.jacoco.xmlReportPaths = target/site/**/jacoco*.xml +#sonar.java.codeCoveragePlugin = jacoco +#sonar.junit.reportPaths = target/surefire-reports,target/failsafe-reports +#sonar.testExecutionReportPaths = target/test-results/jest/TESTS-results-sonar.xml +#sonar.javascript.lcov.reportPaths = target/test-results/lcov.info +# +#sonar.sourceEncoding = UTF-8 +#sonar.exclusions = src/main/webapp/content/**/*.*, src/main/webapp/i18n/*.js, target/classes/static/**/*.* +# +#sonar.issue.ignore.multicriteria = S1192,S125,S3437,S4502,S4684,S5145,UndocumentedApi +# +## Rule https://rules.sonarsource.com/java/RSPEC-3437 is ignored, as a JPA-managed field cannot be transient +#sonar.issue.ignore.multicriteria.S3437.resourceKey = src/main/java/**/* +#sonar.issue.ignore.multicriteria.S3437.ruleKey = squid:S3437 +## Rule https://rules.sonarsource.com/java/RSPEC-4502 is ignored, as 
for JWT tokens we are not subject to CSRF attack +#sonar.issue.ignore.multicriteria.S4502.resourceKey = src/main/java/**/* +#sonar.issue.ignore.multicriteria.S4502.ruleKey = java:S4502 +## Rule https://rules.sonarsource.com/java/RSPEC-4684 +#sonar.issue.ignore.multicriteria.S4684.resourceKey = src/main/java/**/* +#sonar.issue.ignore.multicriteria.S4684.ruleKey = java:S4684 +## Rule https://rules.sonarsource.com/java/RSPEC-5145 log filter is applied +#sonar.issue.ignore.multicriteria.S5145.resourceKey = src/main/java/**/* +#sonar.issue.ignore.multicriteria.S5145.ruleKey = javasecurity:S5145 +## Rule https://rules.sonarsource.com/java/RSPEC-1176 is ignored, as we want to follow "clean code" guidelines and classes, methods and +## arguments names should be self-explanatory +#sonar.issue.ignore.multicriteria.UndocumentedApi.resourceKey = src/main/java/**/* +#sonar.issue.ignore.multicriteria.UndocumentedApi.ruleKey = squid:UndocumentedApi +## Rule https://rules.sonarsource.com/java/RSPEC-1192 +#sonar.issue.ignore.multicriteria.S1192.resourceKey = src/main/java/**/CacheConfiguration.java +#sonar.issue.ignore.multicriteria.S1192.ruleKey = java:S1192 +## Rule https://rules.sonarsource.com/xml/RSPEC-125 +#sonar.issue.ignore.multicriteria.S125.resourceKey = src/main/resources/logback-spring.xml +#sonar.issue.ignore.multicriteria.S125.ruleKey = xml:S125 From c23734ee7fe858bd95afc0b6149fb6a8af7a9ddd Mon Sep 17 00:00:00 2001 From: sayoungestguy Date: Sun, 18 Aug 2024 18:44:33 +0800 Subject: [PATCH 5/9] Add Synk Vulnerability Scanning --- .github/workflows/main.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 7f6b19a..792ae61 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -56,6 +56,7 @@ jobs: sonar: name: Sonar SAST Scan runs-on: ubuntu-latest + needs: [backend-test, frontend-test] steps: - uses: actions/checkout@v3 with: 
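Review bot: Commenting out all of `sonar-project.properties` also silences settings that nothing else in this series replaces: `sonar.test.inclusions`, the JaCoCo/LCOV/Jest report paths, `sonar.exclusions`, and the `sonar.issue.ignore.multicriteria` suppressions (including the documented `java:S4502` CSRF one). The `mvn ... sonar-maven-plugin:sonar` command added in `main.yml` passes only `-Dsonar.projectKey`, and as far as I know the Maven scanner does not read `sonar-project.properties` at all, so unless `pom.xml` already carries these properties the SonarCloud run will presumably report no coverage and re-flag the previously suppressed issues; confirm against `pom.xml` or move the properties there. As with `sonar.yml`, deleting the file is preferable to keeping a fully commented copy.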
@@ -82,3 +83,20 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=sayoungestguy_scaleup + snyk: + name: Vulnerability Scanning with Synk + needs: [backend-test, frontend-test] + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/maven@master + continue-on-error: true # To make sure that SARIF upload gets called + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + args: --sarif-file-output=snyk.sarif + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk.sarif From 9dfeb26868f4aee213bd2a50a6a05cc07d1adc41 Mon Sep 17 00:00:00 2001 From: sayoungestguy Date: Sun, 18 Aug 2024 19:24:22 +0800 Subject: [PATCH 6/9] Add ESLint to Ci pipeline --- .github/workflows/main.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 792ae61..7e5b8d8 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -100,3 +100,33 @@ jobs: uses: github/codeql-action/upload-sarif@v2 with: sarif_file: snyk.sarif + eslint: + name: ESLint Code Quality + runs-on: ubuntu-latest + needs: [backend-test, frontend-test] + steps: + - name: Checkout Code + uses: actions/checkout@v4 + + - name: Set up Node.js + uses: actions/setup-node@v4 + with: + node-version: 20.15.0 + + - name: Install Node.js packages + run: npm install + - name: Install ESLint + run: npm install eslint --save-dev + + - name: Run ESLint + run: | + npx eslint . -f json -o eslint-report.json + npx eslint . -f html -o eslint-report.html + + - name: Upload ESLint Report + uses: actions/upload-artifact@v4 + with: + name: eslint-report + path: | + eslint-report.json + eslint-report.html 
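Review bot: Both `uses: actions/checkout@master` and `uses: snyk/actions/maven@master` in the new `snyk` job track a moving branch, so the workflow executes whatever those repositories push next; pin them to a release tag or, better, a full commit SHA (`uses: actions/checkout@v4` like the other jobs, and `uses: snyk/actions/maven@<tag-or-sha>`). `continue-on-error: true` means Snyk findings never fail the job, which the inline comment justifies only so the SARIF upload runs, so any severity gate has to be enforced in Code Scanning rather than in the pipeline. `secrets.SNYK_TOKEN` is empty on `pull_request` runs from forks, so the step will fail there for an unrelated reason unless the job is guarded like the `sonar` job should be.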
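Review bot: The `Run ESLint` step is a multi-line `run: |`, which GitHub executes with `bash -e`, so as soon as `npx eslint . -f json -o eslint-report.json` finds a lint error the HTML report is never written and the `Upload ESLint Report` step is skipped along with it; add `if: always()` to the upload step, or make the report commands non-fatal (`npx eslint . -f json -o eslint-report.json || true`) and finish with a plain `npx eslint .` that carries the exit status. `npm install eslint --save-dev` after `npm install` rewrites `package.json` and the lockfile on the runner and may pull an ESLint release the repository did not pin; since `npm install` already installs the project's devDependencies, drop that step and prefer `npm ci` for a reproducible install.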
From 17c620d1ee5c098e96e1689baf8753b0cc7869f4 Mon Sep 17 00:00:00 2001 From: sayoungestguy Date: Sun, 18 Aug 2024 20:42:52 +0800 Subject: [PATCH 7/9] Integrate DAST OWASP Scan --- .github/workflows/main.yml | 28 +++++++++++++++++++++++----- script/zap-script.sh | 6 ++++++ 2 files changed, 29 insertions(+), 5 deletions(-) create mode 100644 script/zap-script.sh diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 7e5b8d8..3c94b6b 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -97,7 +97,7 @@ jobs: with: args: --sarif-file-output=snyk.sarif - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: snyk.sarif eslint: @@ -107,12 +107,10 @@ jobs: steps: - name: Checkout Code uses: actions/checkout@v4 - - name: Set up Node.js uses: actions/setup-node@v4 with: node-version: 20.15.0 - - name: Install Node.js packages run: npm install - name: Install ESLint @@ -128,5 +126,25 @@ jobs: with: name: eslint-report path: | - eslint-report.json - eslint-report.html + ./eslint-report.json + ./eslint-report.html + dast-scan: + name: DAST OWASP ZAP Scans + runs-on: ubuntu-latest + needs: [backend-test, frontend-test] + strategy: + matrix: + node-version: [20.x] + steps: + - uses: actions/checkout@v2 + - name: Change script permission + run: | + chmod +x scripts/zap-script.sh + - name: ZAP scan + run: scripts/zap-script.sh + - name: Archive production artifacts + uses: actions/upload-artifact@v2 + with: + name: zap report + path: | + ./zap_baseline_report.html diff --git a/script/zap-script.sh b/script/zap-script.sh new file mode 100644 index 0000000..ee1f8ff --- /dev/null +++ b/script/zap-script.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +docker pull zaproxy/zap-stable +docker run -i zaproxy/zap-stable zap-baseline.py -t "https://kenken64.github.io/bitcoin-order-app/" -l PASS > zap_baseline_report.html + +echo $? > /dev/null 
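Review bot: The new `dast-scan` job uses `actions/checkout@v2` and `actions/upload-artifact@v2`, both long deprecated and on older Node runtimes GitHub is phasing out, while the rest of the workflow is on `@v4`; use `uses: actions/checkout@v4` and `uses: actions/upload-artifact@v4`. The `strategy.matrix.node-version: [20.x]` is declared but never referenced by any step (there is no `setup-node` in this job), so it only adds a dimension to the job name; drop it. `needs: [backend-test, frontend-test]` orders the job after the tests but nothing deploys or starts the application before the scan, so the script can only scan an externally hosted target (see the note on `script/zap-script.sh`).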
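Review bot: The trailing `echo $? > /dev/null` makes `zap-script.sh` exit 0 regardless of what `zap-baseline.py` returned, so a scan reporting WARN or FAIL never fails the `ZAP scan` step and the pipeline cannot gate on it; drop that line and let the `docker run` status propagate, or capture it with `status=$?` and `exit "$status"` once the report is saved. The redirect `> zap_baseline_report.html` captures the scanner's plain-text stdout, not an HTML report; for an HTML artifact mount the workspace and use the scanner's `-r` option, e.g. `docker run -v "$PWD:/zap/wrk/:rw" -i zaproxy/zap-stable zap-baseline.py -t "<target-url>" -r zap_baseline_report.html`. The `-t` target here is a third-party site unrelated to this repository, and a DAST job should point only at this project's own deployment or at a service started within the job.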
From dc7e1a7aa0eba424a790a02d680c944c5d425129 Mon Sep 17 00:00:00 2001 From: sayoungestguy Date: Sun, 18 Aug 2024 21:04:11 +0800 Subject: [PATCH 8/9] Remove Synk Sarif and Script debug --- .github/workflows/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 3c94b6b..4c8d481 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -96,10 +96,10 @@ jobs: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: args: --sarif-file-output=snyk.sarif - - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: snyk.sarif + # - name: Upload result to GitHub Code Scanning + # uses: github/codeql-action/upload-sarif@v3 + # with: + # sarif_file: snyk.sarif eslint: name: ESLint Code Quality runs-on: ubuntu-latest @@ -139,7 +139,7 @@ jobs: - uses: actions/checkout@v2 - name: Change script permission run: | - chmod +x scripts/zap-script.sh + chmod +x script/zap-script.sh - name: ZAP scan run: scripts/zap-script.sh - name: Archive production artifacts From 01e1a4c9d993895ef7cc910924b00af0a6e3ad86 Mon Sep 17 00:00:00 2001 From: sayoungestguy Date: Sun, 18 Aug 2024 21:18:10 +0800 Subject: [PATCH 9/9] Debugging zap scan --- .github/workflows/main.yml | 2 +- script/zap-script.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 4c8d481..21c59e4 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -141,7 +141,7 @@ jobs: run: | chmod +x script/zap-script.sh - name: ZAP scan - run: scripts/zap-script.sh + run: script/zap-script.sh - name: Archive production artifacts uses: actions/upload-artifact@v2 with: diff --git a/script/zap-script.sh b/script/zap-script.sh index ee1f8ff..27dcb74 100644 --- a/script/zap-script.sh +++ b/script/zap-script.sh 
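Review bot: Commenting out the `Upload result to GitHub Code Scanning` step in the first hunk leaves `continue-on-error: true` (just above the hunk, with its comment that it exists so the SARIF upload gets called) with nothing to justify it, so the Snyk step now neither fails the job nor surfaces its findings anywhere but the job log. Either restore the upload — `--sarif-file-output=snyk.sarif` is still produced, and the upload needs a `permissions: security-events: write` grant on the job, which is presumably why it was disabled — or remove `continue-on-error: true` so findings gate the pipeline. The commit subject describes this as a removal; a one-line comment above the disabled step stating why the upload is off would save the next reader the guess.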
@@ -1,6 +1,6 @@
 #!/bin/bash
 docker pull zaproxy/zap-stable
-docker run -i zaproxy/zap-stable zap-baseline.py -t "https://kenken64.github.io/bitcoin-order-app/" -l PASS > zap_baseline_report.html
+docker run -i zaproxy/zap-stable zap-baseline.py -t "https://github.com/sayoungestguy/scaleup" -l PASS > zap_baseline_report.html
 echo $? > /dev/null
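Review bot: The new target `https://github.com/sayoungestguy/scaleup` is the repository's page on github.com, so the `ZAP scan` step now runs a baseline scan against GitHub's website rather than against the ScaleUp application; any findings describe GitHub, and the run verifies nothing about this project. Point `-t` at a deployment of the application, or start it in the job before scanning (e.g. the jar from the `build` job on `http://localhost:<app-port>`). The exit status is still discarded by the trailing `echo $? > /dev/null`, so even a correct target would not fail the pipeline.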