From 0283bcffe276b5475f0a6d2599d54be16f866b19 Mon Sep 17 00:00:00 2001
From: "whitesource-bolt-for-github[bot]" <42819689+whitesource-bolt-for-github[bot]@users.noreply.github.com>
Date: Fri, 7 Feb 2020 15:40:22 +0000
Subject: [PATCH 01/15] Add .whitesource configuration file

---
 .whitesource | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 .whitesource

diff --git a/.whitesource b/.whitesource
new file mode 100644
index 00000000000..e0aaa3e9eba
--- /dev/null
+++ b/.whitesource
@@ -0,0 +1,8 @@
+{
+ "checkRunSettings": {
+ "vulnerableCheckRunConclusionLevel": "failure"
+ },
+ "issueSettings": {
+ "minSeverityLevel": "LOW"
+ }
+}
\ No newline at end of file

From cf5fbadb610ff837459c4e19b2bcc1aea94b7f13 Mon Sep 17 00:00:00 2001
From: Techini
Date: Fri, 7 Feb 2020 13:35:42 -0500
Subject: [PATCH 02/15] Create .sonarcloud.properties

---
 .sonarcloud.properties | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .sonarcloud.properties

diff --git a/.sonarcloud.properties b/.sonarcloud.properties
new file mode 100644
index 00000000000..8b137891791
--- /dev/null
+++ b/.sonarcloud.properties
@@ -0,0 +1 @@
+

From 033f7d1564d52013d5dc1db1e49ce3e92d5b7dce Mon Sep 17 00:00:00 2001
From: Techini
Date: Fri, 7 Feb 2020 13:58:41 -0500
Subject: [PATCH 03/15] Create secret

---
 .github/workflows/secret | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 .github/workflows/secret

diff --git a/.github/workflows/secret b/.github/workflows/secret
new file mode 100644
index 00000000000..5d971588224
--- /dev/null
+++ b/.github/workflows/secret
@@ -0,0 +1,8 @@
+workflow "Find Secrets" {
+ on = "push"
+ resolves = ["max/secret-scan"]
+}
+
+action "max/secret-scan" {
+ uses = "max/secret-scan@master"
+}

From 624668fdbaaa727eff40dc60da884987d1392675 Mon Sep 17 00:00:00 2001
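Review bot: The `uses = "max/secret-scan@master"` line in .github/workflows/secret references a third-party action by a mutable branch, so whatever that repository pushes next executes on every push to this one; pinning to a full commit SHA (`uses = "max/secret-scan@<commit-sha>"`, placeholder) is the usual fix. Independently, the file is written in the HCL `workflow "..." {}` / `action "..." {}` syntax that GitHub Actions dropped in 2019 and it has no `.yml`/`.yaml` extension, so as committed it would not be loaded as a workflow at all. The same mutable-reference pattern (`@v1`, `@v2`, `@1.0.0`, `@v0.4.0`) recurs in patches 05, 06, 07, 08 and 09 of this series. Patch 04 removes this file again.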
From: Techini
Date: Fri, 7 Feb 2020 13:59:17 -0500
Subject: [PATCH 04/15] Delete secret

---
 .github/workflows/secret | 8 --------
 1 file changed, 8 deletions(-)
 delete mode 100644 .github/workflows/secret

diff --git a/.github/workflows/secret b/.github/workflows/secret
deleted file mode 100644
index 5d971588224..00000000000
--- a/.github/workflows/secret
+++ /dev/null
@@ -1,8 +0,0 @@
-workflow "Find Secrets" {
- on = "push"
- resolves = ["max/secret-scan"]
-}
-
-action "max/secret-scan" {
- uses = "max/secret-scan@master"
-}

From 7aa37b566270097d935ac2cb04740af1c7d58af6 Mon Sep 17 00:00:00 2001
From: Techini
Date: Sun, 30 Aug 2020 07:24:42 -0400
Subject: [PATCH 05/15] Create codeql-analysis.yml

---
 .github/workflows/codeql-analysis.yml | 62 +++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 .github/workflows/codeql-analysis.yml

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 00000000000..aa3bb9bf278
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,62 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [master]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [master]
+ schedule:
+ - cron: '0 2 * * 5'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: false
+ matrix:
+ # Override automatic language detection by changing the below list
+ # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
+ language: ['javascript']
+ # Learn more...
+ # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+ with:
+ # We must fetch at least the immediate parents so that if this is
+ # a pull request then we can checkout the head.
+ fetch-depth: 2
+
+ # If this run was triggered by a pull request event, then checkout
+ # the head of the pull request instead of the merge commit.
+ - run: git checkout HEAD^2
+ if: ${{ github.event_name == 'pull_request' }}
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v1
+ with:
+ languages: ${{ matrix.language }}
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+ # If this step fails, then you should remove it and run the build manually (see below)
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v1
+
+ # โ„น๏ธ Command-line programs to run using the OS shell.
+ # ๐Ÿ“š https://git.io/JvXDl
+
+ # โœ๏ธ If the Autobuild fails above, remove it and uncomment the following three lines
+ # and modify them (or add more) to build your code if your project
+ # uses a compiled language
+
+ #- run: |
+ # make bootstrap
+ # make release
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v1

From 8334cfc8549da4dfa64f906685f864f96eb600e6 Mon Sep 17 00:00:00 2001
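Review bot: The Autobuild step (`uses: github/codeql-action/autobuild@v1`) is, by the hunk's own comment, for compiled languages, while the matrix is fixed to `language: ['javascript']`, so the step is expected to be a no-op here and can be removed together with the commented-out `make` block; that keeps the job shorter and removes a step that could start failing for reasons unrelated to the analysis. The `- run: git checkout HEAD^2` step with `fetch-depth: 2` is the 2020 template's way of analysing the pull-request head instead of the merge commit; if analysing the merge result is what is wanted, both lines can go as well. This is the first workflow in the series that is actually loadable (valid `.yml` name and `jobs:` structure).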
From: Techini
Date: Sat, 5 Dec 2020 18:20:28 -0500
Subject: [PATCH 06/15] Create test-dep-check.yml

---
 .github/workflows/test-dep-check.yml | 50 ++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 .github/workflows/test-dep-check.yml

diff --git a/.github/workflows/test-dep-check.yml b/.github/workflows/test-dep-check.yml
new file mode 100644
index 00000000000..052b06ef7ff
--- /dev/null
+++ b/.github/workflows/test-dep-check.yml
@@ -0,0 +1,50 @@
+# This workflow will build a Java project with Maven
+# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
+
+name: DepCheck
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+ - name: Set up JDK 1.8
+ uses: actions/setup-java@v1
+ with:
+ java-version: 1.8
+ - name: Build with Maven
+ run: mvn org.owasp:dependency-check-maven:check
+ - name: Retrieve version
+ run: |
+ VERSION=$(git rev-parse --short "$GITHUB_SHA")
+ echo ::set-env name=TAG_NAME::$VERSION
+ - name: Create Release
+ id: create_release
+ uses: actions/create-release@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ tag_name: ${{ env.TAG_NAME }}
+ release_name: Release ${{ env.TAG_NAME }}
+ body: |
+ Java Vulnerable Lab Release ${{ env.TAG_NAME }}
+ draft: false
+ prerelease: false
+ - name: Upload Release Asset
+ id: upload-release-asset
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps
+ asset_path: ./target/dependency-check-report.html
+ asset_name: dependencycheck-report-${{ env.TAG_NAME }}.html
+ asset_content_type: text/html

From 152045b75f9a930b3ead108f9613cfb98b12464e Mon Sep 17 00:00:00 2001
From: Techini
Date: Thu, 10 Dec 2020 12:28:34 -0500
Subject: [PATCH 07/15] Create secret-test.yml

---
 .github/workflows/secret-test.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 .github/workflows/secret-test.yml
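Review bot: The `echo ::set-env name=TAG_NAME::$VERSION` line in the "Retrieve version" step uses the `set-env` workflow command, which GitHub disabled on hosted runners in November 2020 after a command-injection weakness in it was reported, so on a runner of this workflow's date the step errors and `env.TAG_NAME` is never populated; the supported replacement is `echo "TAG_NAME=$VERSION" >> "$GITHUB_ENV"`. The job is also triggered on `pull_request` yet creates a release and uploads an asset with `secrets.GITHUB_TOKEN`, which is read-only for pull requests from forks, and on `push` it cuts a new release on every commit to master and publishes the dependency-check HTML report as a public release asset; guarding the two release steps with `if: github.event_name == 'push'` (or moving them to a tag trigger) would be the usual shape. The `mvn org.owasp:dependency-check-maven:check` invocation presumes a Maven build, but the only manifest this series touches is package.json (patch 15), so confirm a pom.xml exists at the repository root. Patch 11 removes this file again.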
diff --git a/.github/workflows/secret-test.yml b/.github/workflows/secret-test.yml new file mode 100644 index 00000000000..5e3605146ca --- /dev/null +++ b/.github/workflows/secret-test.yml @@ -0,0 +1,17 @@ +# This is a basic workflow to help you get started with Actions + +name: CI + +# Controls when the action will run. +on: + # Triggers the workflow on push or pull request events but only for the master branch + push: + branches: [ master ] + pull_request: + branches: [ master ] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +- name: Secret Scan + uses: max/secret-scan@1.0.0 From 23ab2194c4decf41bd5a86f48bc68c9168d0f8a2 Mon Sep 17 00:00:00 2001 From: Techini Date: Thu, 17 Dec 2020 16:19:27 -0500 Subject: [PATCH 08/15] Create testing-simple-zap.yml --- .github/workflows/testing-simple-zap.yml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .github/workflows/testing-simple-zap.yml diff --git a/.github/workflows/testing-simple-zap.yml b/.github/workflows/testing-simple-zap.yml new file mode 100644 index 00000000000..352e6452231 --- /dev/null +++ b/.github/workflows/testing-simple-zap.yml @@ -0,0 +1,3 @@ +# This is a basic workflow that is manually triggered +- name: OWASP ZAP Baseline Scan + uses: zaproxy/action-baseline@v0.4.0 From 98850cb9fa7582b1de7f686a1d3b1b58d6a66b05 Mon Sep 17 00:00:00 2001 From: Techini Date: Fri, 8 Jan 2021 14:08:34 -0500 Subject: [PATCH 09/15] Create semgrep --- .../semgrep | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 .github/workflows/name: Semgrep on: [pull_request] jobs: semgrep: runs-on: ubuntu-latest name: Check steps: - uses: actions/checkout@v1 - name: Semgrep id: semgrep uses: returntocorp/semgrep-action@v1 with: config: p/semgrep 
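Review bot: In .github/workflows/secret-test.yml the step `- name: Secret Scan` / `uses: max/secret-scan@1.0.0` sits at the top level of the document directly after the `on:` mapping, which is neither valid YAML (a block sequence cannot follow a mapping at the same level) nor the workflow schema, so the file never runs; steps belong under `jobs.<job_id>.steps`. Patch 08's .github/workflows/testing-simple-zap.yml has the same shape with no `on:` or `jobs:` at all, and `zaproxy/action-baseline` additionally needs a `target` input naming the URL to scan, so it would need the same wrapping plus a `with: target:` entry. A minimal valid job for the secret scan is below; whether `max/secret-scan` needs the repository checked out first is not visible here, so the checkout step is included on the assumption that it scans the working tree. Patches 13 and 10 delete both files again.
```yaml
# … unchanged: name and on: triggers …

jobs:
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Secret Scan
        uses: max/secret-scan@1.0.0
```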
diff --git a/.github/workflows/name: Semgrep on: [pull_request] jobs: semgrep: runs-on: ubuntu-latest name: Check steps: - uses: actions/checkout@v1 - name: Semgrep id: semgrep uses: returntocorp/semgrep-action@v1 with: config: p/semgrep b/.github/workflows/name: Semgrep on: [pull_request] jobs: semgrep: runs-on: ubuntu-latest name: Check steps: - uses: actions/checkout@v1 - name: Semgrep id: semgrep uses: returntocorp/semgrep-action@v1 with: config: p/semgrep new file mode 100644 index 00000000000..0f1bdc192dc --- /dev/null +++ b/.github/workflows/name: Semgrep on: [pull_request] jobs: semgrep: runs-on: ubuntu-latest name: Check steps: - uses: actions/checkout@v1 - name: Semgrep id: semgrep uses: returntocorp/semgrep-action@v1 with: config: p/semgrep @@ -0,0 +1,13 @@ +name: Semgrep +on: [pull_request] +jobs: + semgrep: + runs-on: ubuntu-latest + name: Check + steps: + - uses: actions/checkout@v1 + - name: Semgrep + id: semgrep + uses: returntocorp/semgrep-action@v1 + with: + config: p/r2c From 03e39229e32ac62fa1b6edfa0d868667ae27cd2b Mon Sep 17 00:00:00 2001 From: Techini Date: Fri, 8 Jan 2021 14:11:02 -0500 Subject: [PATCH 10/15] Delete testing-simple-zap.yml --- .github/workflows/testing-simple-zap.yml | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 .github/workflows/testing-simple-zap.yml diff --git a/.github/workflows/testing-simple-zap.yml b/.github/workflows/testing-simple-zap.yml deleted file mode 100644 index 352e6452231..00000000000 --- a/.github/workflows/testing-simple-zap.yml +++ /dev/null @@ -1,3 +0,0 @@ -# This is a basic workflow that is manually triggered -- name: OWASP ZAP Baseline Scan - uses: zaproxy/action-baseline@v0.4.0 From 6fb2a9bbb31aa6d02aaa51d562c5abcc216402c0 Mon Sep 17 00:00:00 2001 
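Review bot: The path in this patch's `diff --git` and `+++` headers is `.github/workflows/name: Semgrep on: [pull_request] ...`, i.e. the workflow text appears to have been entered as the file name (the diffstat abbreviates it to `.../semgrep`), so the created file has no `.yml`/`.yaml` extension and GitHub Actions will not load it as a workflow; it should be saved as `.github/workflows/semgrep.yml` with only the hunk's thirteen lines as its content. The hunk body ends with `config: p/r2c` while the name in the header ends with `config: p/semgrep`, so confirm which ruleset is intended. `actions/checkout@v1` is also older than the `@v2` used in the other workflows of this series. Patch 12 removes the file again.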
From: Techini
Date: Fri, 8 Jan 2021 14:11:14 -0500
Subject: [PATCH 11/15] Delete test-dep-check.yml

---
 .github/workflows/test-dep-check.yml | 50 ----------------------------
 1 file changed, 50 deletions(-)
 delete mode 100644 .github/workflows/test-dep-check.yml

diff --git a/.github/workflows/test-dep-check.yml b/.github/workflows/test-dep-check.yml
deleted file mode 100644
index 052b06ef7ff..00000000000
--- a/.github/workflows/test-dep-check.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-# This workflow will build a Java project with Maven
-# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
-
-name: DepCheck
-
-on:
- push:
- branches: [ master ]
- pull_request:
- branches: [ master ]
-
-jobs:
- build:
-
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v2
- - name: Set up JDK 1.8
- uses: actions/setup-java@v1
- with:
- java-version: 1.8
- - name: Build with Maven
- run: mvn org.owasp:dependency-check-maven:check
- - name: Retrieve version
- run: |
- VERSION=$(git rev-parse --short "$GITHUB_SHA")
- echo ::set-env name=TAG_NAME::$VERSION
- - name: Create Release
- id: create_release
- uses: actions/create-release@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- tag_name: ${{ env.TAG_NAME }}
- release_name: Release ${{ env.TAG_NAME }}
- body: |
- Java Vulnerable Lab Release ${{ env.TAG_NAME }}
- draft: false
- prerelease: false
- - name: Upload Release Asset
- id: upload-release-asset
- uses: actions/upload-release-asset@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps
- asset_path: ./target/dependency-check-report.html
- asset_name: dependencycheck-report-${{ env.TAG_NAME }}.html
- asset_content_type: text/html

From d1acbee4df9f59ded166015d18e15c0b997bcbd2 Mon Sep 17 00:00:00 2001
From: Techini Date: Fri, 8 Jan 2021 14:11:33 -0500 Subject: [PATCH 12/15] Delete semgrep --- .../semgrep | 13 ------------- 1 file changed, 13 deletions(-) delete mode 100644 .github/workflows/name: Semgrep on: [pull_request] jobs: semgrep: runs-on: ubuntu-latest name: Check steps: - uses: actions/checkout@v1 - name: Semgrep id: semgrep uses: returntocorp/semgrep-action@v1 with: config: p/semgrep diff --git a/.github/workflows/name: Semgrep on: [pull_request] jobs: semgrep: runs-on: ubuntu-latest name: Check steps: - uses: actions/checkout@v1 - name: Semgrep id: semgrep uses: returntocorp/semgrep-action@v1 with: config: p/semgrep b/.github/workflows/name: Semgrep on: [pull_request] jobs: semgrep: runs-on: ubuntu-latest name: Check steps: - uses: actions/checkout@v1 - name: Semgrep id: semgrep uses: returntocorp/semgrep-action@v1 with: config: p/semgrep deleted file mode 100644 index 0f1bdc192dc..00000000000 --- a/.github/workflows/name: Semgrep on: [pull_request] jobs: semgrep: runs-on: ubuntu-latest name: Check steps: - uses: actions/checkout@v1 - name: Semgrep id: semgrep uses: returntocorp/semgrep-action@v1 with: config: p/semgrep +++ /dev/null @@ -1,13 +0,0 @@ -name: Semgrep -on: [pull_request] -jobs: - semgrep: - runs-on: ubuntu-latest - name: Check - steps: - - uses: actions/checkout@v1 - - name: Semgrep - id: semgrep - uses: returntocorp/semgrep-action@v1 - with: - config: p/r2c From 746df196a437d65931519e776b0e07ccc80b5ac3 Mon Sep 17 00:00:00 2001 From: Techini Date: Fri, 8 Jan 2021 14:11:45 -0500 Subject: [PATCH 13/15] Delete secret-test.yml --- .github/workflows/secret-test.yml | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100644 .github/workflows/secret-test.yml diff --git a/.github/workflows/secret-test.yml b/.github/workflows/secret-test.yml deleted file mode 100644 index 5e3605146ca..00000000000 --- a/.github/workflows/secret-test.yml +++ /dev/null 
@@ -1,17 +0,0 @@
-# This is a basic workflow to help you get started with Actions
-
-name: CI
-
-# Controls when the action will run.
-on:
- # Triggers the workflow on push or pull request events but only for the master branch
- push:
- branches: [ master ]
- pull_request:
- branches: [ master ]
-
- # Allows you to run this workflow manually from the Actions tab
- workflow_dispatch:
-
-- name: Secret Scan
- uses: max/secret-scan@1.0.0

From 2ef20d36717c270ac7a4eb55031f398cf1a6e84e Mon Sep 17 00:00:00 2001
From: Techini
Date: Fri, 8 Jan 2021 14:12:22 -0500
Subject: [PATCH 14/15] Delete greetings.yml

---
 .github/workflows/greetings.yml | 13 -------------
 1 file changed, 13 deletions(-)
 delete mode 100644 .github/workflows/greetings.yml

diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml
deleted file mode 100644
index 5cf9d4b8161..00000000000
--- a/.github/workflows/greetings.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-name: Greetings
-
-on: [pull_request, issues]
-
-jobs:
- greeting:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/first-interaction@v1
- with:
- repo-token: ${{ secrets.GITHUB_TOKEN }}
- issue-message: 'Thanks a lot for opening your first issue with us! ๐Ÿงก We''ll get back to you shortly! โณ If it was a _Support Request_, please consider asking on the [community chat](../#troubleshooting-) next time! ๐Ÿ’ฌ'
- pr-message: 'Thanks a lot for your contribution! ๐Ÿ’– This seems to be you first PR! ๐ŸŒ  If it''s getting merged & complies with our [contribution guidelines](../blob/master/CONTRIBUTING.md), you are probably eligible to some free stickers! ๐ŸŽ'

From 64e79096feebb38dd06d69bfd0fdd001625d8271 Mon Sep 17 00:00:00 2001
From: snyk-bot
Date: Sat, 9 Jan 2021 08:09:59 +0000
Subject: [PATCH 15/15] fix: package.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749
- https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-1056752
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 10783c46ab2..ec35534f4b6 100644
--- a/package.json
+++ b/package.json
@@ -130,7 +130,7 @@
 "sequelize": "^5.21.3",
 "sequelize-noupdate-attributes": "^1.0.0",
 "serve-index": "^1.9.1",
- "socket.io": "^2.3.0",
+ "socket.io": "^3.0.0",
 "sqlite3": "^4.1.1",
 "svg-captcha": "^1.4.0",
 "swagger-ui-express": "^4.1.2",
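Review bot: The bump from `"socket.io": "^2.3.0"` to `"socket.io": "^3.0.0"` crosses a major version, and socket.io 3.x is not wire-compatible with 2.x clients by default (the underlying engine.io protocol revision and the default CORS handling both changed), so any socket.io-client dependency or bundled client script in this repository has to move in step; this hunk changes only package.json, with no lockfile or client-side change, so that check is still open. The commit message names engine.io and socket.io-parser advisories as the motivation, so the upgrade itself is the right direction; the residual risk is runtime breakage of the real-time features rather than security.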