From 2cb1766539602ef746b5fc34a0fdb7eaaa2f87ad Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Wed, 7 Aug 2024 12:14:07 -0400
Subject: [PATCH 01/18] Create trivy.yml
---
 .github/workflows/trivy.yml | 48 +++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 .github/workflows/trivy.yml
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 00000000..e3cf089d
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,48 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: trivy
+
+on:
+ push:
+ branches: [ "master" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "master" ]
+ schedule:
+ - cron: '24 17 * * 1'
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ name: Build
+ runs-on: "ubuntu-20.04"
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Build an image from Dockerfile
+ run: |
+ docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.24.0
+ with:
+ image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'trivy-results.sarif'
From 8aba91673be42c2894d1fb24668710b5c1ce51bf Mon Sep 17 00:00:00 2001
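Review bot: `uses: aquasecurity/trivy-action@0.24.0` pins a third-party action to a mutable release tag inside a job that holds `security-events: write`; the header comment already says the action is not certified by GitHub, so pin it to the release's full commit SHA, e.g. `uses: aquasecurity/trivy-action@<commit-sha-of-0.24.0> # 0.24.0`, so that a moved tag cannot change what runs with that token. `actions/checkout@v4` and `github/codeql-action/upload-sarif@v3` are major-version tags, which is the usual floor for first-party actions, though SHA pinning is just as applicable there. `image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'` is still the starter-template image name; it is only a local tag on the runner, but naming it after this repository makes the uploaded results easier to attribute.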
From: Austen Stone
Date: Wed, 7 Aug 2024 12:49:02 -0400
Subject: [PATCH 02/18] chore: Remove unused trivy template and update trivy workflow
---
 .github/workflows/trivy.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index e3cf089d..7ac4e69a 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -37,8 +37,6 @@ jobs:
 uses: aquasecurity/trivy-action@0.24.0
 with:
 image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
- format: 'template'
- template: '@/contrib/sarif.tpl'
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
From 0000110267409ad61347fdc83b8542790770ffad Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Wed, 7 Aug 2024 12:54:21 -0400
Subject: [PATCH 03/18] chore: Update trivy workflow to output results in SARIF format
---
 .github/workflows/trivy.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 7ac4e69a..9b1bf258 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -37,6 +37,7 @@ jobs:
 uses: aquasecurity/trivy-action@0.24.0
 with:
 image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+ format: 'sarif'
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
From 89a6a3a21bb52d8f469f570c83e5157ce26d11fb Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Thu, 15 Aug 2024 13:49:24 -0400
Subject: [PATCH 04/18] chore: Add create product functionality patch task
---
 .vscode/tasks.json | 11 +++++++++
 products_patch.diff | 58 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+)
 create mode 100644 .vscode/tasks.json
 create mode 100644 products_patch.diff
diff --git a/.vscode/tasks.json b/.vscode/tasks.json
new file mode 100644
index 00000000..d459ec5a
--- /dev/null
+++ b/.vscode/tasks.json
@@ -0,0 +1,11 @@
+{
+ "version": "2.0.0",
+ "tasks": [
+ {
+ "label": "Apply products_patch.diff",
+ "type": "shell",
+ "command": "git apply products_patch.diff",
+ "problemMatcher": []
+ }
+ ]
+}
\ No newline at end of file
diff --git a/products_patch.diff b/products_patch.diff
new file mode 100644
index 00000000..a726ab8e
--- /dev/null
+++ b/products_patch.diff
@@ -0,0 +1,58 @@
+diff --git a/model/products.js b/model/products.js
+index 6df3f92..9366003 100644
+--- a/model/products.js
++++ b/model/products.js
+@@ -49,12 +49,23 @@ function get_purcharsed(username) {
+
+ }
+
++function create(product) {
++ var q = "INSERT INTO products(name, description, price) VALUES('" +
++ product.name + "', '" +
++ product.description + "', '" +
++ product.price +
++ "');";
++
++ return db.one(q);
++}
++
+ var actions = {
+ "list": list_products,
+ "getProduct": getProduct,
+ "search": search,
+ "purchase": purchase,
+- "getPurchased": get_purcharsed
++ "getPurchased": get_purcharsed,
++ "create": create
+ }
+
+ module.exports = actions;
+diff --git a/routes/products.js b/routes/products.js
+index 814f834..4d5d1fb 100644
+--- a/routes/products.js
++++ b/routes/products.js
+@@ -144,6 +144,24 @@ router.all('/products/buy', function(req, res, next) {
+
+ });
+
++router.all('/products/create', function(req, res, next) {
++ let params = null;
++ if (req.method == "GET"){
++ params = url.parse(req.url, true).query;
++ } else {
++ params = req.body;
++ }
++
++ let product = null;
++ product = {
++ name: params.name,
++ description: params.description,
++ price: params.price,
++ image: params.image,
++ username: req.session.user_name
++ }
+
++ db_products.create(product)
++});
+
+ module.exports = router;
From e9cb1262269471f7d490cfa50c4a753ccadd7baf Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Tue, 24 Sep 2024 08:48:08 -0400
Subject: [PATCH 05/18] Update trivy.yml
---
 .github/workflows/trivy.yml | 4 ++++
 1 file changed, 4 insertions(+)
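Review bot: The `Apply products_patch.diff` task runs `git apply products_patch.diff` from the workspace root, but nothing in the task tells the person choosing it from the task picker what the patch changes, and the patch in this same commit adds a string-concatenated INSERT and an unauthenticated route. Add a `"detail"` entry next to the label, e.g. `"detail": "Applies products_patch.diff: adds /products/create and model create() (unparameterized SQL)"`, so the intent is visible before it is run. `git apply` is also not repeatable: a second invocation fails once the patch is in, so a companion task with `git apply --reverse products_patch.diff` would make undoing it as easy as applying it.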
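Review bot: `create(product)` in the nested `model/products.js` hunk concatenates `product.name`, `product.description` and `product.price` straight into the INSERT string, and the `/products/create` route fills those fields from `req.query`/`req.body` without validation, so applying this patch introduces a SQL injection into the model. If `db` is pg-promise, as the `db.one` call suggests, use placeholders instead: `var q = "INSERT INTO products(name, description, price) VALUES($1, $2, $3);"; return db.one(q, [product.name, product.description, product.price]);`. The route never sends a response and drops the promise returned by `db_products.create(product)`, so a failed insert surfaces only as an unhandled rejection while the client request hangs; end the handler with `.then(() => res.status(201).end()).catch(next)`. Nothing checks that `req.session.user_name` is set, so the handler accepts creates from unauthenticated sessions, and `router.all` lets a state-changing request arrive via GET, which bypasses any body-based CSRF protection. If this patch is kept as a deliberately vulnerable sample, say so in a leading comment of `products_patch.diff` so it is not applied by mistake.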
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 9b1bf258..767454a9 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -41,6 +41,10 @@ jobs:
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
+ - uses: actions/cache@v3
+ with:
+ path: 'trivy-results.sarif'
+
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v3
 with:
From 75c3dbac12a9a639f6f2464f936cd5498f4644db Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Tue, 24 Sep 2024 08:52:51 -0400
Subject: [PATCH 06/18] Update trivy.yml
---
 .github/workflows/trivy.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 767454a9..8d77a259 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -43,6 +43,7 @@ jobs:
 - uses: actions/cache@v3
 with:
+ key: 'results.sarif'
 path: 'trivy-results.sarif'
 - name: Upload Trivy scan results to GitHub Security tab
From 1b091f498a250be30e1967e1d68603a18abe6775 Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Tue, 24 Sep 2024 08:57:14 -0400
Subject: [PATCH 07/18] Update trivy.yml
---
 .github/workflows/trivy.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 8d77a259..bd576cf2 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -41,9 +41,9 @@ jobs:
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
- - uses: actions/cache@v3
+ - uses: actions/upload-artifact@v4
 with:
- key: 'results.sarif'
+ name: 'results.sarif'
 path: 'trivy-results.sarif'
 - name: Upload Trivy scan results to GitHub Security tab
From d9d7030c18b0b88cf6e8e0f892f5eaa2762ab254 Mon Sep 17 00:00:00 2001
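Review bot: The new `actions/upload-artifact@v4` step in PATCH 07 publishes `trivy-results.sarif` as a run artifact, and that file lists the CRITICAL/HIGH findings for the built image; artifacts can be downloaded by anyone who can view the workflow run, which on a public repository is far wider than the audience of the Security tab the next step uploads to. If the artifact is only for debugging the SARIF rewrite, drop the step once that work is done, or at least add `retention-days: 1` and `if-no-files-found: error` under `with:` so a missing file fails loudly instead of silently uploading nothing. `name: 'results.sarif'` reads like a file name but is the artifact label; `name: trivy-sarif` would make that clearer. The same exposure applies to the `Archive SARIF results file` step added to codacy.yml in PATCH 15.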
From: Austen Stone
Date: Tue, 24 Sep 2024 09:10:05 -0400
Subject: [PATCH 08/18] Enhance trivy.yml to modify SARIF output for Dockerfile locations
---
 .github/workflows/trivy.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index bd576cf2..3620d7a0 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -41,6 +41,22 @@ jobs:
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
+
+ - uses: actions/github-script@v7
+ with:
+ script: |
+ const fs = require('fs');
+ const sarif = fs.readFileSync('trivy-results.sarif', 'utf8');
+ const results = JSON.parse(sarif);
+ results.runs.forEach(run => {
+ run.results.forEach(result => {
+ result.locations.forEach(location => {
+ location.physicalLocation.artifactLocation.uri = 'Dockerfile';
+ });
+ });
+ });
+ fs.writeFileSync('trivy-results.sarif', JSON.stringify(results, null, 2));
+
 - uses: actions/upload-artifact@v4
 with:
 name: 'results.sarif'
From 32037bc3db2697a8147d9af741e3c17be76f3198 Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Tue, 24 Sep 2024 09:12:02 -0400
Subject: [PATCH 09/18] Set file permissions for SARIF output file
---
 .github/workflows/trivy.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 3620d7a0..da6ebfd0 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -41,6 +41,8 @@ jobs:
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
+ - name: Set file permissions
+ run: chmod 666 trivy-results.sarif
 - uses: actions/github-script@v7
 with:
From 9a9cda63bca56e6d6be6be9c443edba88d9d7b7c Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Tue, 24 Sep 2024 09:48:34 -0400
Subject: [PATCH 10/18] Add debugging steps before setting file permissions for SARIF output
---
 .github/workflows/trivy.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
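Review bot: The script in the new `actions/github-script@v7` step of PATCH 08 assumes every SARIF result carries `locations` and every location a `physicalLocation.artifactLocation`; both are optional in SARIF, so a single result without a location makes `result.locations.forEach` throw and the step fails before the upload runs. Guarding each level, as below, lets the rewrite skip such results instead of aborting the job. The step uses neither `github` nor `core`, so the `GITHUB_TOKEN` that github-script receives by default is unused; a plain `run:` step with `node -e` or `jq` would do the same without handing a token to the step. The enclosing job starts and ends outside the hunk.
```yaml
          script: |
            const fs = require('fs');
            const path = 'trivy-results.sarif';
            const sarif = JSON.parse(fs.readFileSync(path, 'utf8'));
            for (const run of sarif.runs ?? []) {
              for (const result of run.results ?? []) {
                for (const location of result.locations ?? []) {
                  if (location.physicalLocation?.artifactLocation) {
                    location.physicalLocation.artifactLocation.uri = 'Dockerfile';
                  }
                }
              }
            }
            fs.writeFileSync(path, JSON.stringify(sarif, null, 2));
```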
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index da6ebfd0..f8b4ec63 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -41,8 +41,9 @@ jobs:
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
- - name: Set file permissions
- run: chmod 666 trivy-results.sarif
+ - run: id
+ - run: ls -la trivy-results.sarif
+ - run: chmod 666 trivy-results.sarif
 - uses: actions/github-script@v7
 with:
From 95291081ba8ab179dc127409bb0626e8890e2d3d Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Tue, 24 Sep 2024 10:24:59 -0400
Subject: [PATCH 11/18] Use sudo to set file permissions for SARIF output
---
 .github/workflows/trivy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index f8b4ec63..3bdd3e30 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -43,7 +43,7 @@ jobs:
 - run: id
 - run: ls -la trivy-results.sarif
- - run: chmod 666 trivy-results.sarif
+ - run: sudo chmod 666 trivy-results.sarif
 - uses: actions/github-script@v7
 with:
From 020f31d71cabe92b46f0d5e2ee51354f32b47141 Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Tue, 24 Sep 2024 10:28:04 -0400
Subject: [PATCH 12/18] Update Dockerfile
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 42f52410..55c35ac8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:19.4.0-bullseye-slim
+FROM node:19.3.0-bullseye-slim
 LABEL maintainer="Daniel GarcĂ­a (cr0hn) cr0hn@cr0hn.com"
From c96e6c9e7adcdefbdc37aa91b7407baa69815d87 Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Tue, 24 Sep 2024 10:29:37 -0400
Subject: [PATCH 13/18] Remove unnecessary debug commands from trivy.yml
---
 .github/workflows/trivy.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 3bdd3e30..78f1ee35 100644
--- a/.github/workflows/trivy.yml
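Review bot: `sudo chmod 666 trivy-results.sarif` in PATCH 11 makes the SARIF world-writable when the only writer that follows is the github-script step running as the runner user; the `id`/`ls -la` debugging steps suggest the file is owned by another user, presumably because the scanner container wrote it, so the narrower fix is to hand ownership to the runner user rather than open the mode: `- name: Make SARIF writable by the runner user` / `run: sudo chown "$(id -u):$(id -g)" trivy-results.sarif`. That also gives the step a `name:`, which the bare `- run:` entries added in PATCH 10 lack, so failures are easier to spot in the run log. The enclosing job starts and ends outside the hunk.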
+++ b/.github/workflows/trivy.yml
@@ -41,8 +41,6 @@ jobs:
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
- - run: id
- - run: ls -la trivy-results.sarif
 - run: sudo chmod 666 trivy-results.sarif
 - uses: actions/github-script@v7
From 4f9c8cb438a930ad46168c4fbfbd462b9469d334 Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Fri, 27 Sep 2024 14:48:49 -0400
Subject: [PATCH 14/18] Create codacy.yml
---
 .github/workflows/codacy.yml | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 .github/workflows/codacy.yml
diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml
new file mode 100644
index 00000000..178d41d0
--- /dev/null
+++ b/.github/workflows/codacy.yml
@@ -0,0 +1,32 @@
+name: Codacy Security Scan
+
+on:
+ push:
+ branches: [ "master", "main" ]
+ pull_request:
+ branches: [ "master", "main" ]
+
+jobs:
+ codacy-security-scan:
+ name: Codacy Security Scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@main
+
+ - name: Run Codacy Analysis CLI
+ uses: codacy/codacy-analysis-cli-action@master
+ with:
+ output: results.sarif
+ format: sarif
+ # Adjust severity of non-security issues
+ gh-code-scanning-compat: true
+ # Force 0 exit code to allow SARIF file generation
+ # This will hand over control about PR rejection to the GitHub side
+ max-allowed-issues: 2147483647
+
+ # Upload the SARIF file generated in the previous step
+ - name: Upload SARIF results file
+ uses: github/codeql-action/upload-sarif@main
+ with:
+ sarif_file: results.sarif
From aca5ab58803400d6a8222081105ef232d17d38f0 Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Fri, 27 Sep 2024 17:07:44 -0400
Subject: [PATCH 15/18] Update codacy.yml
---
 .github/workflows/codacy.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml
index 178d41d0..1f896d94 100644
--- a/.github/workflows/codacy.yml
+++ b/.github/workflows/codacy.yml
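Review bot: `actions/checkout@main`, `codacy/codacy-analysis-cli-action@master` and `github/codeql-action/upload-sarif@main` in the new codacy.yml all reference moving branches, so every run executes whatever those branches hold at that moment; the Codacy CLI is a third-party action, so pin it at least to a release tag and preferably to a full commit SHA (`uses: codacy/codacy-analysis-cli-action@<commit-sha> # <release>`), and use the `@v4`/`@v3` tags that trivy.yml already uses for the first-party actions. The workflow also declares no `permissions:` while `upload-sarif` needs `security-events: write`: with restrictive default token permissions the upload fails, and with permissive defaults the Codacy step receives a broader token than it needs. Add a job-level block matching trivy.yml, `permissions:` with `contents: read` and `security-events: write`, and keep `max-allowed-issues: 2147483647` documented as it is, since it means this job never blocks a PR on its own.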
@@ -24,7 +24,14 @@ jobs:
 # Force 0 exit code to allow SARIF file generation
 # This will hand over control about PR rejection to the GitHub side
 max-allowed-issues: 2147483647
-
+ tool: issues
+
+ # archive the SARIF file generated in the previous step
+ - name: Archive SARIF results file
+ uses: actions/upload-artifact@v4
+ with:
+ path: results.sarif
+
 # Upload the SARIF file generated in the previous step
 - name: Upload SARIF results file
 uses: github/codeql-action/upload-sarif@main
From 7e0669cf8ef832196f404b8bd981e4c4183556bb Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Mon, 30 Sep 2024 18:18:28 -0400
Subject: [PATCH 16/18] Create lscpu.yml
---
 .github/lscpu.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 .github/lscpu.yml
diff --git a/.github/lscpu.yml b/.github/lscpu.yml
new file mode 100644
index 00000000..d9c509e2
--- /dev/null
+++ b/.github/lscpu.yml
@@ -0,0 +1,9 @@
+name: Get CPU Info
+
+on: workflow_dispatch
+
+jobs:
+ lscpu:
+ runs-on: ubuntu-latest
+ steps:
+ - run: lscpu
From 952adb061efb2104ab0483aa522880b722b7495f Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Mon, 30 Sep 2024 18:18:58 -0400
Subject: [PATCH 17/18] Delete .github/lscpu.yml
---
 .github/lscpu.yml | 9 ---------
 1 file changed, 9 deletions(-)
 delete mode 100644 .github/lscpu.yml
diff --git a/.github/lscpu.yml b/.github/lscpu.yml
deleted file mode 100644
index d9c509e2..00000000
--- a/.github/lscpu.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-name: Get CPU Info
-
-on: workflow_dispatch
-
-jobs:
- lscpu:
- runs-on: ubuntu-latest
- steps:
- - run: lscpu
From e4eff27b03cb70efb01ed527efafd1d66f5b2604 Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Mon, 30 Sep 2024 18:19:08 -0400
Subject: [PATCH 18/18] Create lscpu.yml
---
 .github/workflows/lscpu.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 .github/workflows/lscpu.yml
diff --git a/.github/workflows/lscpu.yml b/.github/workflows/lscpu.yml
new file mode 100644
index 00000000..d9c509e2
--- /dev/null
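Review bot: The `Archive SARIF results file` step added in PATCH 15 gives `actions/upload-artifact@v4` only a `path:`, so the upload lands under the action's default artifact name rather than one that says what it is; add `name: codacy-sarif` and, since the artifact is a copy of the security findings, `retention-days: 1` unless it is meant to be kept. `tool: issues` is placed under the Codacy step's `with:`, and as far as I can tell the action's `tool` input names a single analysis tool to run; if `issues` is not such a tool name the CLI would analyse nothing while `max-allowed-issues` keeps the step green, so confirm the value against the action's documentation and add a comment above it stating what it selects. The enclosing `steps:` list starts outside the hunk.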
+++ b/.github/workflows/lscpu.yml
@@ -0,0 +1,9 @@
+name: Get CPU Info
+
+on: workflow_dispatch
+
+jobs:
+ lscpu:
+ runs-on: ubuntu-latest
+ steps:
+ - run: lscpu
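Review bot: The new lscpu.yml declares no `permissions:`, so its job receives the repository's default `GITHUB_TOKEN` grants even though `lscpu` needs neither a token nor a checkout; add a top-level `permissions: {}` so a diagnostic workflow runs with an empty token. A one-line comment under `name:` saying that the workflow only prints the runner's CPU details on manual dispatch would also tell the next maintainer why it exists, given that PATCH 16 and 17 show it was first created at the wrong path.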