From e4b4eda7f863c49b31b002aa5ae44667cb8a080d Mon Sep 17 00:00:00 2001
From: Brian Cipollone
<40029762+brian-cipollone-sonarsource@users.noreply.github.com>
Date: Thu, 2 Feb 2023 09:28:59 -0600
Subject: [PATCH 01/20] Update pom.xml
---
pom.xml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/pom.xml b/pom.xml
index 39be106..206c82b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -14,6 +14,8 @@
11
training:security
Java Web App
+ sonarcloud-demos
+ https://sonarcloud.io
From 77d430492bfe31b4114c53f0674ce9238a503a9e Mon Sep 17 00:00:00 2001
From: Brian Cipollone
<40029762+brian-cipollone-sonarsource@users.noreply.github.com>
Date: Thu, 2 Feb 2023 09:36:56 -0600
Subject: [PATCH 02/20] Create build.yml
---
.github/workflows/build.yml | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 .github/workflows/build.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..153dc78
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,36 @@
+name: SonarCloud
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ types: [opened, synchronize, reopened]
+jobs:
+ build:
+ name: Build and analyze
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+ - name: Set up JDK 11
+ uses: actions/setup-java@v1
+ with:
+ java-version: 11
+ - name: Cache SonarCloud packages
+ uses: actions/cache@v1
+ with:
+ path: ~/.sonar/cache
+ key: ${{ runner.os }}-sonar
+ restore-keys: ${{ runner.os }}-sonar
+ - name: Cache Maven packages
+ uses: actions/cache@v1
+ with:
+ path: ~/.m2
+ key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+ restore-keys: ${{ runner.os }}-m2
+ - name: Build and analyze
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=SonarCloud-Demos_demo-java-security
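Review bot: The job declares no `permissions:` block, so the `GITHUB_TOKEN` handed to the Sonar step carries the repository's default token scope (which may be read/write) even though the inline comment says it is only needed to read PR information; add a job-level `permissions:` with `contents: read` and `pull-requests: read` so the token is least-privilege. The three actions are referenced by mutable major tags (`actions/checkout@v2`, `actions/setup-java@v1`, `actions/cache@v1`) rather than commit SHAs, so anyone able to move those tags runs code with `SONAR_TOKEN` in the environment — pin each to a full SHA with the tag kept in a trailing comment. Note also that on `pull_request` runs from forks GitHub does not expose `secrets.SONAR_TOKEN`, so the analysis step will fail for external PRs; that may be acceptable for a demo but deserves a comment next to the trigger.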
From 365c271e7a33c5cf86b454fcbf82fb18078d69ba Mon Sep 17 00:00:00 2001
From: Brian Cipollone
<40029762+brian-cipollone-sonarsource@users.noreply.github.com>
Date: Thu, 2 Feb 2023 09:58:56 -0600
Subject: [PATCH 03/20] Update README.md
---
README.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 7a0d8b7..c9f5cde 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,7 @@
# Demo - Java Security
+[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=SonarCloud-Demos_demo-java-security&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=SonarCloud-Demos_demo-java-security)
+
## Use case
This example demonstrates:
- Vulnerabilities
From e33945f1faca4df1cc0e4287606db22421eea75a Mon Sep 17 00:00:00 2001
From: Brian Cipollone
<40029762+brian-cipollone-sonarsource@users.noreply.github.com>
Date: Fri, 3 Feb 2023 11:53:48 -0600
Subject: [PATCH 04/20] Update HomeServlet.java
---
src/main/java/demo/security/servlet/HomeServlet.java | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/main/java/demo/security/servlet/HomeServlet.java b/src/main/java/demo/security/servlet/HomeServlet.java
index fac56e5..8ca0a64 100644
--- a/src/main/java/demo/security/servlet/HomeServlet.java
+++ b/src/main/java/demo/security/servlet/HomeServlet.java
@@ -22,6 +22,10 @@ protected void doGet(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
String name = request.getParameter("name").trim();
response.setContentType("text/html");
+ writeResponse(name);
+ }
+
+ protected void writeResponse(String name) throws IOException {
PrintWriter out = response.getWriter();
out.print("Hello "+name+ "
");
out.close();
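Review bot: `response` is not in scope inside the new `writeResponse(String name)` — it is a parameter of `doGet`, whose signature begins above the hunk — so `response.getWriter()` will not compile as written; pass it explicitly, `protected void writeResponse(HttpServletResponse response, String name) throws IOException`, and call `writeResponse(response, name)`. Separately, the context line `request.getParameter("name").trim()` dereferences a parameter that is null when absent; unless the NPE is part of the demo, read it into a local first and substitute `""` (or reject the request) before trimming.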
@@ -29,7 +33,6 @@ protected void doGet(HttpServletRequest request,
protected void doPost(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
- // TODO Auto-generated method stub
doGet(request, response);
}
From 9527d618bb802e72143274c1394ae861f13e8086 Mon Sep 17 00:00:00 2001
From: Brian Cipollone
<40029762+brian-cipollone-sonarsource@users.noreply.github.com>
Date: Mon, 6 Feb 2023 15:24:50 -0600
Subject: [PATCH 05/20] Update HomeServlet.java
---
src/main/java/demo/security/servlet/HomeServlet.java | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/main/java/demo/security/servlet/HomeServlet.java b/src/main/java/demo/security/servlet/HomeServlet.java
index 8ca0a64..9cd2286 100644
--- a/src/main/java/demo/security/servlet/HomeServlet.java
+++ b/src/main/java/demo/security/servlet/HomeServlet.java
@@ -22,10 +22,10 @@ protected void doGet(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
String name = request.getParameter("name").trim();
response.setContentType("text/html");
- writeResponse(name);
+ writeResponse(response, name);
}
- protected void writeResponse(String name) throws IOException {
+ protected void writeResponse(HttpServletResponse response, String name) throws IOException {
PrintWriter out = response.getWriter();
out.print("Hello "+name+ "
");
out.close();
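Review bot: The new `writeResponse(HttpServletResponse, String)` has no Javadoc, and because it is `protected` it is now a reusable helper that writes its `name` argument into a `text/html` body without any encoding — every caller inherits the reflected-XSS sink that `doGet` already has with `request.getParameter("name")`. If that is intentional for the demo, state it above the method, e.g. `/** Writes "Hello {name}" as text/html. NOTE: name is emitted unescaped — intentional XSS demo sink; never reuse with untrusted input. */`; otherwise HTML-encode `name` before the concatenation. `doGet`'s signature begins outside the hunk.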
From 74537f8bd9da058ef522974d330b05aebc396ec0 Mon Sep 17 00:00:00 2001
From: Brian Cipollone
<40029762+brian-cipollone-sonarsource@users.noreply.github.com>
Date: Wed, 3 May 2023 11:59:44 -0500
Subject: [PATCH 06/20] Delete s3649JavaSqlInjectionConfig.json
---
s3649JavaSqlInjectionConfig.json | 23 -----------------------
1 file changed, 23 deletions(-)
delete mode 100644 s3649JavaSqlInjectionConfig.json
diff --git a/s3649JavaSqlInjectionConfig.json b/s3649JavaSqlInjectionConfig.json
deleted file mode 100644
index 29b5406..0000000
--- a/s3649JavaSqlInjectionConfig.json
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- "sources": [
- {
- "methodId": "training.security.Insecure#getInput(Ljava/lang/String;)Ljava/lang/String;"
- }
- ],
- "sanitizers": [
- {
- "methodId": "training.security.Insecure#verifyData(Ljava/lang/String;)V",
- "args": [
- 1
- ]
- }
- ],
- "sinks": [
- {
- "methodId": "training.security.Insecure#storeData(Ljava/lang/String;)V",
- "args": [
- 1
- ]
- }
- ]
-}
From 182fd252730a4b5fc782cb25797fdc4149625e63 Mon Sep 17 00:00:00 2001
From: robbiebise <118204121+robbiebise@users.noreply.github.com>
Date: Mon, 29 Apr 2024 12:16:48 -0500
Subject: [PATCH 07/20] Update build.yml
update to java 17
---
.github/workflows/build.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 153dc78..5b83e1e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -13,10 +13,10 @@ jobs:
- uses: actions/checkout@v2
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- - name: Set up JDK 11
+ - name: Set up JDK 17
uses: actions/setup-java@v1
with:
- java-version: 11
+ java-version: 17
- name: Cache SonarCloud packages
uses: actions/cache@v1
with:
From 5690e6ffc2789f1025402ab2a51105757685a9fa Mon Sep 17 00:00:00 2001
From: robbiebise <118204121+robbiebise@users.noreply.github.com>
Date: Mon, 29 Apr 2024 13:09:25 -0500
Subject: [PATCH 08/20] Update pom.xml
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 206c82b..3b02cdd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -79,7 +79,7 @@
org.sonarsource.scanner.maven
sonar-maven-plugin
- 3.9.1.2184
+ 3.11.0.3922
From 609fedd2d3aea17538e219c1dcab3130db715c4f Mon Sep 17 00:00:00 2001
From: robbiebise <118204121+robbiebise@users.noreply.github.com>
Date: Mon, 29 Apr 2024 13:11:38 -0500
Subject: [PATCH 09/20] Update build.yml
---
.github/workflows/build.yml | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5b83e1e..2453690 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -5,26 +5,27 @@ on:
- main
pull_request:
types: [opened, synchronize, reopened]
+ workflow_run:
jobs:
build:
name: Build and analyze
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Set up JDK 17
- uses: actions/setup-java@v1
+ uses: actions/setup-java@v3
with:
java-version: 17
- name: Cache SonarCloud packages
- uses: actions/cache@v1
+ uses: actions/cache@v3
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Cache Maven packages
- uses: actions/cache@v1
+ uses: actions/cache@v3
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
From 7852c6178aa72b7a81a0d39fd1b7b5a267ba9d13 Mon Sep 17 00:00:00 2001
From: robbiebise <118204121+robbiebise@users.noreply.github.com>
Date: Mon, 29 Apr 2024 13:12:18 -0500
Subject: [PATCH 10/20] Update build.yml
---
.github/workflows/build.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2453690..1742298 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -5,7 +5,6 @@ on:
- main
pull_request:
types: [opened, synchronize, reopened]
- workflow_run:
jobs:
build:
name: Build and analyze
From b6e34ed6aa002ea8bdbc623f9a93f3fdb416ee23 Mon Sep 17 00:00:00 2001
From: Robbie Bise
Date: Mon, 29 Apr 2024 12:13:02 -0500
Subject: [PATCH 11/20] add workflow run for manual CI trigger
---
.github/workflows/build.yml | 1 +
src/main/java/demo/security/util/DBUtils.java | 6 ++++--
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1742298..ded45ce 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,5 +1,6 @@
name: SonarCloud
on:
+ workflow_run:
push:
branches:
- main
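Review bot: `workflow_run:` with no value is a YAML null, and GitHub Actions requires a `workflow_run` trigger to name the upstream `workflows:` it reacts to, so this trigger is invalid as written. The commit subject describes a manual CI trigger, for which the event is `workflow_dispatch:`; replace the added line with `workflow_dispatch:`.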
diff --git a/src/main/java/demo/security/util/DBUtils.java b/src/main/java/demo/security/util/DBUtils.java
index dbac2ca..8010355 100644
--- a/src/main/java/demo/security/util/DBUtils.java
+++ b/src/main/java/demo/security/util/DBUtils.java
@@ -15,8 +15,10 @@ public DBUtils() throws SQLException {
public List findUsers(String user) throws Exception {
String query = "SELECT userid FROM users WHERE username = '" + user + "'";
- Statement statement = connection.createStatement();
- ResultSet resultSet = statement.executeQuery(query);
+ ResultSet resultSet;
+ try (Statement statement = connection.createStatement()) {
+ resultSet = statement.executeQuery(query);
+ }
List users = new ArrayList();
while (resultSet.next()){
users.add(resultSet.getString(0));
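Review bot: The new try-with-resources closes `statement` before `resultSet` is read in the following `while (resultSet.next())`; per JDBC, closing a Statement also closes its current ResultSet, so the first `next()` will throw `SQLException`. Move the read loop inside the try and declare the ResultSet as a second resource so both are closed after the loop. The query on the line above is still built by concatenating `user` into the SQL string, which is an injection sink — presumably deliberate in a vulnerability-demo repository, but a `PreparedStatement` with a `?` placeholder is the fix if not — and the unchanged `resultSet.getString(0)` is suspicious since JDBC column indexes start at 1. The method's return is outside the hunk.
```java
List users = new ArrayList();
try (Statement statement = connection.createStatement();
     ResultSet resultSet = statement.executeQuery(query)) {
    while (resultSet.next()) {
        users.add(resultSet.getString(0));
    }
}
// … unchanged: remainder of findUsers …
```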
From 309c2792cba6cb16a991f59c543b97c0af213752 Mon Sep 17 00:00:00 2001
From: Robbie Bise
Date: Mon, 29 Apr 2024 12:14:49 -0500
Subject: [PATCH 12/20] revert
---
src/main/java/demo/security/util/DBUtils.java | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/main/java/demo/security/util/DBUtils.java b/src/main/java/demo/security/util/DBUtils.java
index 8010355..dbac2ca 100644
--- a/src/main/java/demo/security/util/DBUtils.java
+++ b/src/main/java/demo/security/util/DBUtils.java
@@ -15,10 +15,8 @@ public DBUtils() throws SQLException {
public List findUsers(String user) throws Exception {
String query = "SELECT userid FROM users WHERE username = '" + user + "'";
- ResultSet resultSet;
- try (Statement statement = connection.createStatement()) {
- resultSet = statement.executeQuery(query);
- }
+ Statement statement = connection.createStatement();
+ ResultSet resultSet = statement.executeQuery(query);
List users = new ArrayList();
while (resultSet.next()){
users.add(resultSet.getString(0));
From 2c88e2078ae2402ad029ddbf96686016b5b22360 Mon Sep 17 00:00:00 2001
From: Robbie Bise
Date: Mon, 29 Apr 2024 14:44:36 -0500
Subject: [PATCH 13/20] add dist
---
.github/workflows/build.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ded45ce..3925e23 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -18,6 +18,7 @@ jobs:
uses: actions/setup-java@v3
with:
java-version: 17
+ distribution: 'zulu'
- name: Cache SonarCloud packages
uses: actions/cache@v3
with:
From f4b7f5d655a63fef582c870992602dd709dadd7e Mon Sep 17 00:00:00 2001
From: Robbie Bise
Date: Mon, 29 Apr 2024 14:55:15 -0500
Subject: [PATCH 14/20] fix dispatch
---
.github/workflows/build.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3925e23..98c2b5d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,6 +1,6 @@
name: SonarCloud
-on:
- workflow_run:
+on:
+ workflow_dispatch:
push:
branches:
- main
@@ -35,4 +35,4 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=SonarCloud-Demos_demo-java-security
+ run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=SonarCloud-Demos_demo-java-security
\ No newline at end of file
From 79f65f9c77fe90f9172132b90edb5a3d9b4d0454 Mon Sep 17 00:00:00 2001
From: Robbie Bise
Date: Mon, 29 Apr 2024 14:58:31 -0500
Subject: [PATCH 15/20] upgrade war plugin
---
pom.xml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/pom.xml b/pom.xml
index 3b02cdd..d8701bb 100644
--- a/pom.xml
+++ b/pom.xml
@@ -54,6 +54,11 @@
+
+ org.apache.maven.plugins
+ maven-war-plugin
+ 3.3.1
+
org.jacoco
jacoco-maven-plugin
From 5db3fd5106eaf1121c04e3ec1936c71ef258a75b Mon Sep 17 00:00:00 2001
From: Robbie Bise
Date: Mon, 29 Apr 2024 15:01:59 -0500
Subject: [PATCH 16/20] upgrade java version
---
pom.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index d8701bb..6c17931 100644
--- a/pom.xml
+++ b/pom.xml
@@ -10,8 +10,8 @@
http://maven.apache.org
UTF-8
- 11
- 11
+ 17
+ 17
training:security
Java Web App
sonarcloud-demos
From 95daf345f3e4c6b6a6b347b3908e2d72c7859d40 Mon Sep 17 00:00:00 2001
From: Robbie Bise
Date: Mon, 29 Apr 2024 15:03:02 -0500
Subject: [PATCH 17/20] pom changes
---
pom.xml | 6 ------
1 file changed, 6 deletions(-)
diff --git a/pom.xml b/pom.xml
index 6c17931..82a97d1 100644
--- a/pom.xml
+++ b/pom.xml
@@ -54,12 +54,6 @@
-
- org.apache.maven.plugins
- maven-war-plugin
- 3.3.1
-
-
org.jacoco
jacoco-maven-plugin
0.8.8
From 0929a62e77148d818193e1d143e5ffd2923ebf05 Mon Sep 17 00:00:00 2001
From: Robbie Bise
Date: Mon, 29 Apr 2024 15:04:09 -0500
Subject: [PATCH 18/20] pom changes
---
pom.xml | 1 +
1 file changed, 1 insertion(+)
diff --git a/pom.xml b/pom.xml
index 82a97d1..f3fb13a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -54,6 +54,7 @@
+
org.jacoco
jacoco-maven-plugin
0.8.8
From 426541846987fdaeeef85eefd8dcf458aeb7fde6 Mon Sep 17 00:00:00 2001
From: Robbie Bise
Date: Mon, 29 Apr 2024 15:04:09 -0500
Subject: [PATCH 19/20] pom changes
---
pom.xml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/pom.xml b/pom.xml
index f3fb13a..6c17931 100644
--- a/pom.xml
+++ b/pom.xml
@@ -54,6 +54,11 @@
+
+ org.apache.maven.plugins
+ maven-war-plugin
+ 3.3.1
+
org.jacoco
jacoco-maven-plugin
From 723e1d60ea504718abde893ef27b55f5428c9061 Mon Sep 17 00:00:00 2001
From: Cole Gannaway
<156719330+cole-gannaway-sonarsource@users.noreply.github.com>
Date: Fri, 16 Aug 2024 11:06:12 -0500
Subject: [PATCH 20/20] added ability to trigger pipelines on feature branches
as well
---
.github/workflows/build.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 98c2b5d..7e1d058 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -4,6 +4,7 @@ on:
push:
branches:
- main
+ - feature*
pull_request:
types: [opened, synchronize, reopened]
jobs:
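Review bot: The new branch filter `feature*` will not match branches named `feature/…`, because in GitHub's branch-filter globs `*` does not cross a `/`; if feature branches use the conventional slash-separated form, the trigger this commit describes will not fire for them. Use `- 'feature/**'` (or list both patterns) to cover that layout. Note that every push to a matching branch now runs the analysis with `SONAR_TOKEN` in the environment, which is fine for collaborators with push access but widens where the secret is exercised.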
@@ -35,4 +36,4 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=SonarCloud-Demos_demo-java-security
\ No newline at end of file
+ run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=SonarCloud-Demos_demo-java-security