diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 00000000..b14319af
--- /dev/null
+++ b/.github/workflows/main.yml
@@ -0,0 +1,83 @@
+on:
+ pull_request:
+ branches: [main]
+ workflow_dispatch:
+
+
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: actions/setup-java@v3
+ with:
+ distribution: 'zulu'
+ java-version: 8
+ - name: Cache Maven packages
+ uses: actions/cache@v3
+ with:
+ path: ~/.m2
+ key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+ - name: Build with Maven
+ run: mvn clean package
+
+ - uses: actions/upload-artifact@v3
+ with:
+ name: verademo.war
+ path: target/verademo.war
+
+ pipeline_scan:
+ needs: build
+ runs-on: ubuntu-latest
+ name: pipeline scan
+ steps:
+ - name: checkout repo
+ uses: actions/checkout@v3
+
+ - name: get archive
+ uses: actions/download-artifact@v3
+ with:
+ name: verademo.war
+ - name: pipeline-scan action step
+ id: pipelien-scan
+ uses: veracode/Veracode-pipeline-scan-action@esd-true
+ with:
+ vid: ${{ secrets.VID }}
+ vkey: ${{ secrets.VKEY }}
+ file: "verademo.war"
+ request_policy: "VeraDemo Policy"
+ debug: 1
+ fail_build: false
+
+ veracode-fix:
+ runs-on: ubuntu-latest
+ needs: pipeline_scan
+ name: create fixes
+ permissions: write-all
+ steps:
+ - name: checkout repo
+ uses: actions/checkout@v3
+
+ - name: get flaw file
+ uses: actions/download-artifact@v3
+ with:
+ name: Veracode Pipeline-Scan Results
+
+ - name: Create fixes from static findings
+ id: convert
+ uses: Veracode/veracode-fix@main
+ with:
+ inputFile: results.json
+ vid: ${{ secrets.VID }}
+ vkey: ${{ secrets.VKEY }}
+ source_base_path_1: "com/:src/main/java/com/"
+ source_base_path_2: "WEB-INF:src/main/webapp/WEB-INF"
+ language: java
+ cwe: 89,117
+ fixType: 'single'
+ debug: false
+ prComment: true
+ files: 'changed'
+ codeSuggestion: false
+ createPR: true
diff --git a/README.md b/README.md
index 6608da02..4c38a106 100644
--- a/README.md
+++ b/README.md
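Review bot: The `veracode-fix` job sets `permissions: write-all` while running two third-party actions from mutable refs (`veracode/Veracode-pipeline-scan-action@esd-true` in `pipeline_scan`, `Veracode/veracode-fix@main` here) that are also handed `secrets.VID`/`secrets.VKEY`, so a compromised branch of either action would obtain the Veracode API credentials plus a fully privileged GITHUB_TOKEN. Scope the token to what PR creation and commenting need, `permissions:` / `  contents: write` / `  pull-requests: write`, and pin every `uses:` to a full commit SHA with the version in a trailing comment rather than a branch or `@v3` tag, since tags can be moved as well. The step id `pipelien-scan` is misspelled; nothing in this hunk references it, but it should read `pipeline-scan` before a later step's `steps.<id>.outputs` does. `debug: 1` on the scan step presumably raises log verbosity, so it is worth confirming the action does not echo the credentials or request payload into the job log, which is visible to anyone who can read the repository.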
@@ -2,7 +2,7 @@ ### :information_source: Notice -This project is intentionally vulnerable! It contains known vulnerabilities and security errors in its code and is meant as an example project for software security scanning tools such as Veracode. Please do not report vulnerabilities in this project; the odds are they’re there on purpose :) . +This project is intentionally vulnerable! It contains known vulnerabilities and security errors in its code and is meant as an example project for software security scanning tools such as Veracode. Please do not report vulnerabilities in this project; the odds are they’re there on purpose . ## About @@ -54,4 +54,4 @@ To run the container for local development run this: docker run --rm -it -p 127.0.0.1:8080:8080 --entrypoint bash -v "$(pwd)/app:/app" verademo ``` -You will then need to manually run the two commands within `/entrypoint.sh`. The first starts the DB in the background whereas the second compiles and runs the application. Typically a container shouldn't have multiple services but this was done for convenience. \ No newline at end of file +You will then need to manually run the two commands within `/entrypoint.sh`. The first starts the DB in the background whereas the second compiles and runs the application. Typically a container shouldn't have multiple services but this was done for convenience.