From 73d5967ffbbd6377518bf3ce922932bf53cb8027 Mon Sep 17 00:00:00 2001 From: Stefan Schiller Date: Tue, 25 Jul 2023 10:30:02 +0200 Subject: [PATCH 01/14] Update README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 75548fd..418b9ba 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,7 @@ This PR adds a new feature to import users from an XML file. Although the code i This repository is supposed to be added as a SonarCloud project for analysis via GitHub actions. -* Fork this project *with all branches* (untick the default checkbox, "Copy the `main`` branch only"). +* Fork this project *with all branches* (untick the default checkbox, "Copy the `main` branch only"). * Go to [sonarcloud.io](https://sonarcloud.io/sessions/new) and sign up with your GitHub account. * Create a new organization under your name if there is none. * Give SonarCloud permission to see the forked repository. From 342c65992f3e2446396fa53432638df2499e9b79 Mon Sep 17 00:00:00 2001 From: Stefan Schiller Date: Tue, 25 Jul 2023 10:36:55 +0200 Subject: [PATCH 02/14] Adjusted formatting --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 418b9ba..5cde37b 100644 --- a/README.md +++ b/README.md 
@@ -27,9 +27,9 @@ This vulnerability resides within the session cookie handling of the application * Vulnerability Type: Path Injection ([S2083](https://rules.sonarsource.com/java/RSPEC-2083/)) * DeepSAST Dataflow: - * Source: org.springframework.web.context.request.getRemoteUser - * Passthrough: org.apache.tomcat.util.buf.UDecoder.URLDecode - * Sink: cn.hutool.cache.file.LRUFileCache.getFileBytes + * Source: `org.springframework.web.context.request.getRemoteUser` + * Passthrough: `org.apache.tomcat.util.buf.UDecoder.URLDecode` + * Sink: `cn.hutool.cache.file.LRUFileCache.getFileBytes` This vulnerability resides within the code responsible for retrieving user images. The library function `getRemoteUser` is used to retrieve the user-controllable username, which is passed through the `URLDecode` library function. The result is concatenated to a file path, which is passed to the `getFileBytes` library function introducing a path injection vulnerability. @@ -38,7 +38,7 @@ This vulnerability resides within the code responsible for retrieving user image * Vulnerability Type: SQL Injection ([S3649](https://rules.sonarsource.com/java/RSPEC-3649/)) * DeepSAST Dataflow: - * Sink: com.mysql.cj.jdbc.ConnectionImpl.setSavepoint + * Sink: `com.mysql.cj.jdbc.ConnectionImpl.setSavepoint` This PR adds a feature to migrate users from the existing H2 database to MySQL. Although the proposed change does not seem to contain any vulnerabilities, the `setSavepoint` library function is vulnerable to SQL injection if the passed argument is user-controllable. Thus this PR introduces a critical vulnerability due to the usage of the unsafe library function. 
@@ -46,7 +46,7 @@ This PR adds a feature to migrate users from the existing H2 database to MySQL. * Vulnerability Type: Deserialization ([S5135](https://rules.sonarsource.com/java/RSPEC-5135/)) * DeepSAST Dataflow: - * Sink: ca.odell.glazedlists.impl.io.BeanXMLByteCoder.decode + * Sink: `ca.odell.glazedlists.impl.io.BeanXMLByteCoder.decode` This PR adds a new feature to import users from an XML file. Although the code itself does not seem to contain any vulnerabilities, the `decode` library function is vulnerable to deserialzation if the passed argument is user-controllable. Thus this PR introduces a critical vulnerability due to the usage of the unsafe library function. From 3ca06d44cfd4614ac41e62e3078de32a20c39e17 Mon Sep 17 00:00:00 2001 From: Stefan Schiller Date: Wed, 26 Jul 2023 08:47:22 +0200 Subject: [PATCH 03/14] Update README.md --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5cde37b..c806930 100644 --- a/README.md +++ b/README.md @@ -56,6 +56,8 @@ This PR adds a new feature to import users from an XML file. Although the code i This repository is supposed to be added as a SonarCloud project for analysis via GitHub actions. * Fork this project *with all branches* (untick the default checkbox, "Copy the `main` branch only"). +* Go to the `Actions` tab of your forked repository and enable workflows by selecting `I understand my workflows, go ahead and enable them`. +* Go to the `Pull requests` tab and create a new PR from the `introduce-user-migration-feature` and `allow-imports` branch to the `main` branch of your fork. Be careful that, by default, the PR targets the upstream repository. * Go to [sonarcloud.io](https://sonarcloud.io/sessions/new) and sign up with your GitHub account. * Create a new organization under your name if there is none. * Give SonarCloud permission to see the forked repository. 
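Review bot: the context line of the Issue 4 hunk in patch 02 (`@@ -46,7 +46,7 @@`) still carries the typo "deserialzation"; since this block is being touched anyway to backtick the sink, fix it to "deserialization" in the same change rather than in a later commit.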
@@ -63,7 +65,7 @@ This repository is supposed to be added as a SonarCloud project for analysis via * Go to `Administration` -> `Analysis Method` and uncheck `Automatic Analysis`. * Select `Set up analysis via other methods` -> `With GitHub Actions`. * Add the displayed GitHub Secret to your repository. - * The `pom.xml` does not need to be adjusted. - * Update the `.github/workflows/build.yml` file in the main branch with the displayed content and ensure that the `java-version` is set to `17`. + * Update the `sonar.organization` value in the `pom.xml` file. + * Copy & paste the displayed content to `.github/workflows/build.yml` and set the `java-version` to `17`. The first two issues will be displayed on the `main` branch and the other two issues on distinct Pull Requests. From 82e35ac7e1ba82b8732cd7816c28a948f93a0254 Mon Sep 17 00:00:00 2001 From: Stefan Schiller <110469906+stefan-schiller-sonarsource@users.noreply.github.com> Date: Wed, 26 Jul 2023 15:41:41 +0200 Subject: [PATCH 04/14] Update README.md --- README.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index c806930..6aa15b3 100644 --- a/README.md +++ b/README.md 
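Review bot: in patch 03 the new "create a new PR from the `introduce-user-migration-feature` and `allow-imports` branch" step (hunk `@@ -56,6 +56,8 @@`) is placed before the SonarCloud project is created and before the GitHub Secret and `build.yml` are added, so opening the PRs at that point triggers a workflow run that cannot authenticate to SonarCloud; move the step after the `With GitHub Actions` sub-list, and say "branches" since two branches are named.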
@@ -48,7 +48,7 @@ This PR adds a feature to migrate users from the existing H2 database to MySQL. * DeepSAST Dataflow: * Sink: `ca.odell.glazedlists.impl.io.BeanXMLByteCoder.decode` -This PR adds a new feature to import users from an XML file. Although the code itself does not seem to contain any vulnerabilities, the `decode` library function is vulnerable to deserialzation if the passed argument is user-controllable. Thus this PR introduces a critical vulnerability due to the usage of the unsafe library function. +This PR adds a new feature to import users from an XML file. Although the code itself does not seem to contain any vulnerabilities, the `decode` library function is vulnerable to deserialization if the passed argument is user-controllable. Thus this PR introduces a critical vulnerability due to the usage of the unsafe library function. ## Setup instructions @@ -57,7 +57,6 @@ This repository is supposed to be added as a SonarCloud project for analysis via * Fork this project *with all branches* (untick the default checkbox, "Copy the `main` branch only"). * Go to the `Actions` tab of your forked repository and enable workflows by selecting `I understand my workflows, go ahead and enable them`. -* Go to the `Pull requests` tab and create a new PR from the `introduce-user-migration-feature` and `allow-imports` branch to the `main` branch of your fork. Be careful that, by default, the PR targets the upstream repository. * Go to [sonarcloud.io](https://sonarcloud.io/sessions/new) and sign up with your GitHub account. * Create a new organization under your name if there is none. * Give SonarCloud permission to see the forked repository. 
@@ -67,5 +66,18 @@ This repository is supposed to be added as a SonarCloud project for analysis via * Add the displayed GitHub Secret to your repository. * Update the `sonar.organization` value in the `pom.xml` file. * Copy & paste the displayed content to `.github/workflows/build.yml` and set the `java-version` to `17`. +* On your GitHub repository: Go to the `Pull requests` tab and create a new PR from the `introduce-user-migration-feature` and `allow-imports` branches to the `main` branch of your fork. Be careful that, by default, the PR targets the upstream repository. The first two issues will be displayed on the `main` branch and the other two issues on distinct Pull Requests. + +## Real-World Examples + +This table contains examples of DeepSAST findings in real-world projects: + +| Link | Lang | Project | Issue type | Comment | +| --- | --- | --- | --- | --- | +| [SonarCloud](https://sonarcloud.io/project/issues?id=org.monarchinitiative.exomiser:exomiser&open=AYaYnkzfchh4gFFcKnDe) | Java | Small open-source | Log Injection | Dataflow with passthrough | +| [SonarCloud](https://sonarcloud.io/project/issues?id=dmatej_glassfish&open=AYX94MJvhKb2vw3fmeKu) | Java | Eclipse Glassfish | Path Injection | Innocent looking sink | +| [SonarCloud](https://sonarcloud.io/project/issues?id=siguser_benchmarkjava-gh&open=AYjEl06qrBlwzkIdugy7) | Java | OWASP Benchmark | SQL Injection | Rare sink, popular benchmark | +| [SonarCloud](https://sonarcloud.io/project/issues?id=lightswitch05_zwave-js-ui&open=AYaUAEYH58jG26HSBsPN) | TS | Medium open-source | File Delete | Simple, critical issue in TS | +| [SonarCloud](https://sonarcloud.io/project/issues?id=Visclo96_spring-boot&open=AYbbZ3D1FcQgtBJC0HXd) | Java | Spring Boot | Deserialize | Simple issue, popular project | From 691db542e5135deb5fb15dba380fc9a3221f5558 Mon Sep 17 00:00:00 2001 
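Review bot: in the Real-World Examples table added in patch 04 (hunk `@@ -67,5 +66,18 @@`), the Project column entries "Small open-source" and "Medium open-source" identify nothing; either name the project (the link text "SonarCloud" carries no information either) or drop the column. The `open=` issue ids point at projects hosted under individual SonarCloud accounts, so note in the intro sentence that readers need read access to those projects for the links to resolve.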
From: Manish Kapur <135046685+manish-kapur-sonarsource@users.noreply.github.com> Date: Fri, 28 Jul 2023 14:34:57 -0500 Subject: [PATCH 05/14] Update README.md --- README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 6aa15b3..fae20c4 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Storyboard -The goal of this demo is to show the DeepSAST capabilities of the Java engine. We want to highlight that the usage of external libraries can introduce severe security vulnerabilities, which can be detected by Deep SAST. +The goal of this demo is to show the deeper SAST capabilities of the Java engine. We want to highlight that the usage of external libraries can introduce severe security vulnerabilities, which can be detected by Deep SAST. The demo is a fictive Spring application implementing different functionalities which are vulnerable to security issues detected by our engine. All of these issues contain at least one step where the data flow: 
@@ -10,14 +10,14 @@ The demo is a fictive Spring application implementing different functionalities 2. passes through a library, or 3. ends in a dangerous sink within a library. -Thus these issues are only detected because of the DeepSAST feature of the engine. +Thus these issues are only detected because of the deeper SAST feature of the engine. There are four issues: two of these are already committed to the main branch of the application. Additionally, there are two pending pull requests (PR), which each introduce another vulnerability. For these issues, the chosen examples aim to demonstrate that the proposed source code in the PR does not look dangerous or security-sensitive and would likely be merged. ### Issue 1 - Session Cookie Handling (main branch) * Vulnerability Type: Deserialization ([S5135](https://rules.sonarsource.com/java/RSPEC-5135/)) -* DeepSAST Dataflow: +* Deeper SAST Dataflow: * Passthrough: `org.apache.commons.codec.binary.Base64.decodeBase64` This vulnerability resides within the session cookie handling of the application. A vulnerability is introduced by deserializing user-controllable data from a header (`Session-Auth`), which can be exploited to execute arbitrary code. The data provided in the header is passed through the `decodeBase64` library function before being deserialized. @@ -26,7 +26,7 @@ This vulnerability resides within the session cookie handling of the application ### Issue 2 - User Images (main branch) * Vulnerability Type: Path Injection ([S2083](https://rules.sonarsource.com/java/RSPEC-2083/)) -* DeepSAST Dataflow: +* Deeper SAST Dataflow: * Source: `org.springframework.web.context.request.getRemoteUser` * Passthrough: `org.apache.tomcat.util.buf.UDecoder.URLDecode` * Sink: `cn.hutool.cache.file.LRUFileCache.getFileBytes` 
@@ -37,7 +37,7 @@ This vulnerability resides within the code responsible for retrieving user image ### Issue 3 - User Migration (PR 1 - Introduce user migration feature) * Vulnerability Type: SQL Injection ([S3649](https://rules.sonarsource.com/java/RSPEC-3649/)) -* DeepSAST Dataflow: +* Deeper SAST Dataflow: * Sink: `com.mysql.cj.jdbc.ConnectionImpl.setSavepoint` This PR adds a feature to migrate users from the existing H2 database to MySQL. Although the proposed change does not seem to contain any vulnerabilities, the `setSavepoint` library function is vulnerable to SQL injection if the passed argument is user-controllable. Thus this PR introduces a critical vulnerability due to the usage of the unsafe library function. @@ -45,7 +45,7 @@ This PR adds a feature to migrate users from the existing H2 database to MySQL. ### Issue 4 - XML User Import (PR 2 - Allow the import of users) * Vulnerability Type: Deserialization ([S5135](https://rules.sonarsource.com/java/RSPEC-5135/)) -* DeepSAST Dataflow: +* Deeper SAST Dataflow: * Sink: `ca.odell.glazedlists.impl.io.BeanXMLByteCoder.decode` This PR adds a new feature to import users from an XML file. Although the code itself does not seem to contain any vulnerabilities, the `decode` library function is vulnerable to deserialization if the passed argument is user-controllable. Thus this PR introduces a critical vulnerability due to the usage of the unsafe library function. @@ -72,7 +72,7 @@ The first two issues will be displayed on the `main` branch and the other two is ## Real-World Examples -This table contains examples of DeepSAST findings in real-world projects: +This table contains examples of deeper SAST findings in real-world projects: | Link | Lang | Project | Issue type | Comment | | --- | --- | --- | --- | --- | From 8e005eaa054ec3f56655fe2975a0ac7b3aca293b Mon Sep 17 00:00:00 2001 
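Review bot: the rename in patch 05 is incomplete and inconsistent: the first hunk (`@@ -2,7 +2,7 @@`) changes "DeepSAST capabilities" to "deeper SAST capabilities" but leaves "detected by Deep SAST" in the same sentence, and the list labels become "Deeper SAST Dataflow" while the prose uses lower-case "deeper SAST". Pick one spelling and apply it to every occurrence in this commit.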
From: Manish Kapur <135046685+manish-kapur-sonarsource@users.noreply.github.com> Date: Fri, 28 Jul 2023 14:36:11 -0500 Subject: [PATCH 06/14] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fae20c4..e50d925 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Storyboard -The goal of this demo is to show the deeper SAST capabilities of the Java engine. We want to highlight that the usage of external libraries can introduce severe security vulnerabilities, which can be detected by Deep SAST. +The goal of this demo is to show the deeper SAST capabilities of the Java engine. We want to highlight that the usage of external libraries can introduce severe security vulnerabilities, which can be detected by deeper SAST. The demo is a fictive Spring application implementing different functionalities which are vulnerable to security issues detected by our engine. All of these issues contain at least one step where the data flow: From d9934bb98c9f565791d1f42e6e5b07a6911c4946 Mon Sep 17 00:00:00 2001 From: Stefan Schiller Date: Sun, 30 Jul 2023 14:31:39 +0200 Subject: [PATCH 07/14] Remove workflow --- .github/workflows/build.yml | 37 ------------------------------------- README.md | 2 +- 2 files changed, 1 insertion(+), 38 deletions(-) delete mode 100644 .github/workflows/build.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml deleted file mode 100644 index de05388..0000000 --- a/.github/workflows/build.yml +++ /dev/null 
@@ -1,37 +0,0 @@ -name: SonarCloud -on: - push: - branches: - - main - pull_request: - types: [opened, synchronize, reopened] -jobs: - build: - name: Build and analyze - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - with: - fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis - - name: Set up JDK 11 - uses: actions/setup-java@v3 - with: - java-version: 17 - distribution: 'zulu' # Alternative distribution options are available. - - name: Cache SonarCloud packages - uses: actions/cache@v3 - with: - path: ~/.sonar/cache - key: ${{ runner.os }}-sonar - restore-keys: ${{ runner.os }}-sonar - - name: Cache Maven packages - uses: actions/cache@v3 - with: - path: ~/.m2 - key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} - restore-keys: ${{ runner.os }}-m2 - - name: Build and analyze - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=SonarSourceResearch_DeepSAST_Demo diff --git a/README.md b/README.md index e50d925..ad2b66c 100644 --- a/README.md +++ b/README.md 
@@ -65,7 +65,7 @@ This repository is supposed to be added as a SonarCloud project for analysis via * Select `Set up analysis via other methods` -> `With GitHub Actions`. * Add the displayed GitHub Secret to your repository. * Update the `sonar.organization` value in the `pom.xml` file. - * Copy & paste the displayed content to `.github/workflows/build.yml` and set the `java-version` to `17`. + * Create a new file`.github/workflows/build.yml`, copy & paste the displayed content to it and set the `java-version` to `17`. * On your GitHub repository: Go to the `Pull requests` tab and create a new PR from the `introduce-user-migration-feature` and `allow-imports` branches to the `main` branch of your fork. Be careful that, by default, the PR targets the upstream repository. The first two issues will be displayed on the `main` branch and the other two issues on distinct Pull Requests. From 75552605100c07263e1f700241e831c15ed32cb3 Mon Sep 17 00:00:00 2001 From: Manish Kapur <135046685+manish-kapur-sonarsource@users.noreply.github.com> Date: Tue, 1 Aug 2023 17:49:52 -0500 Subject: [PATCH 08/14] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ad2b66c..7fa9144 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Storyboard -The goal of this demo is to show the deeper SAST capabilities of the Java engine. We want to highlight that the usage of external libraries can introduce severe security vulnerabilities, which can be detected by deeper SAST. +The goal of this demo is to show the Sonar deeper SAST capabilities of the Java engine. We want to highlight that the usage of external libraries can introduce severe security vulnerabilities, which can be detected by Sonar deeper SAST. The demo is a fictive Spring application implementing different functionalities which are vulnerable to security issues detected by our engine. All of these issues contain at least one step where the data flow: 
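Review bot: the README hunk in patch 07 (`@@ -65,7 +65,7 @@`) is missing a space in "Create a new file`.github/workflows/build.yml`", which renders as one run-on token; write "Create a new file `.github/workflows/build.yml`". The commit message "Remove workflow" should also state the reason, which the deleted file shows: its `run:` line pins `-Dsonar.projectKey=SonarSourceResearch_DeepSAST_Demo`, a key belonging to the upstream project, so forks cannot use the file as committed and must generate their own as the README now instructs.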
@@ -10,7 +10,7 @@ The demo is a fictive Spring application implementing different functionalities 2. passes through a library, or 3. ends in a dangerous sink within a library. -Thus these issues are only detected because of the deeper SAST feature of the engine. +Thus these issues are only detected because of the deeper SAST feature of the Sonar engine. There are four issues: two of these are already committed to the main branch of the application. Additionally, there are two pending pull requests (PR), which each introduce another vulnerability. For these issues, the chosen examples aim to demonstrate that the proposed source code in the PR does not look dangerous or security-sensitive and would likely be merged. From 3b2b6a106d7ecb4065c98e57de892b064d3a1205 Mon Sep 17 00:00:00 2001 From: Stefan Schiller Date: Wed, 2 Aug 2023 08:57:36 +0200 Subject: [PATCH 09/14] Update README.md --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 7fa9144..5550679 100644 --- a/README.md +++ b/README.md @@ -65,7 +65,8 @@ This repository is supposed to be added as a SonarCloud project for analysis via * Select `Set up analysis via other methods` -> `With GitHub Actions`. * Add the displayed GitHub Secret to your repository. * Update the `sonar.organization` value in the `pom.xml` file. - * Create a new file`.github/workflows/build.yml`, copy & paste the displayed content to it and set the `java-version` to `17`. + * Create a new file`.github/workflows/build.yml`, copy & paste the displayed content to it. + * Set the `java-version` in the `build.yml` file to `17`. * On your GitHub repository: Go to the `Pull requests` tab and create a new PR from the `introduce-user-migration-feature` and `allow-imports` branches to the `main` branch of your fork. Be careful that, by default, the PR targets the upstream repository. The first two issues will be displayed on the `main` branch and the other two issues on distinct Pull Requests. 
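Review bot: patch 09 splits the `build.yml` step into two bullets (hunk `@@ -65,7 +65,8 @@`) but carries over the missing space in "Create a new file`.github/workflows/build.yml`"; add the space while rewriting the line, and end the first bullet with a period consistently ("copy & paste the displayed content to it.").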
From 65ba0f1f5168fbe8b8ce75e90a2c4da7ed580735 Mon Sep 17 00:00:00 2001 From: Stefan Schiller <110469906+stefan-schiller-sonarsource@users.noreply.github.com> Date: Tue, 8 Aug 2023 19:32:30 +0200 Subject: [PATCH 10/14] Update README.md --- README.md | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/README.md b/README.md index 5550679..fc4c188 100644 --- a/README.md +++ b/README.md @@ -70,15 +70,3 @@ This repository is supposed to be added as a SonarCloud project for analysis via * On your GitHub repository: Go to the `Pull requests` tab and create a new PR from the `introduce-user-migration-feature` and `allow-imports` branches to the `main` branch of your fork. Be careful that, by default, the PR targets the upstream repository. The first two issues will be displayed on the `main` branch and the other two issues on distinct Pull Requests. - -## Real-World Examples - -This table contains examples of deeper SAST findings in real-world projects: - -| Link | Lang | Project | Issue type | Comment | -| --- | --- | --- | --- | --- | -| [SonarCloud](https://sonarcloud.io/project/issues?id=org.monarchinitiative.exomiser:exomiser&open=AYaYnkzfchh4gFFcKnDe) | Java | Small open-source | Log Injection | Dataflow with passthrough | -| [SonarCloud](https://sonarcloud.io/project/issues?id=dmatej_glassfish&open=AYX94MJvhKb2vw3fmeKu) | Java | Eclipse Glassfish | Path Injection | Innocent looking sink | -| [SonarCloud](https://sonarcloud.io/project/issues?id=siguser_benchmarkjava-gh&open=AYjEl06qrBlwzkIdugy7) | Java | OWASP Benchmark | SQL Injection | Rare sink, popular benchmark | -| [SonarCloud](https://sonarcloud.io/project/issues?id=lightswitch05_zwave-js-ui&open=AYaUAEYH58jG26HSBsPN) | TS | Medium open-source | File Delete | Simple, critical issue in TS | -| [SonarCloud](https://sonarcloud.io/project/issues?id=Visclo96_spring-boot&open=AYbbZ3D1FcQgtBJC0HXd) | Java | Spring Boot | Deserialize | Simple issue, popular project | 
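Review bot: patch 10 deletes the whole Real-World Examples section (hunk `@@ -70,15 +70,3 @@`) under the commit message "Update README.md", which gives no reason; a section of external evidence for the feature should not disappear silently, so state in the commit message why it is removed (for example that the linked issues are not publicly reachable) or keep it.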
From 9b94aec0be405b8557b44e574e3e812d70948d47 Mon Sep 17 00:00:00 2001 From: Stefan Schiller <110469906+stefan-schiller-sonarsource@users.noreply.github.com> Date: Tue, 8 Aug 2023 20:44:22 +0200 Subject: [PATCH 11/14] Update README.md --- README.md | 45 ++++++++++++++++++++++----------------------- 1 file changed, 22 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index fc4c188..fd81185 100644 --- a/README.md +++ b/README.md 
@@ -1,9 +1,29 @@ # deeper-sast-demo -## Storyboard - The goal of this demo is to show the Sonar deeper SAST capabilities of the Java engine. We want to highlight that the usage of external libraries can introduce severe security vulnerabilities, which can be detected by Sonar deeper SAST. +## Setup instructions + +This repository is supposed to be added as a SonarCloud project for analysis via GitHub actions. + +* Fork this project *with all branches* (untick the default checkbox, "Copy the `main` branch only"). +* Go to the `Actions` tab of your forked repository and enable workflows by selecting `I understand my workflows, go ahead and enable them`. +* Go to [sonarcloud.io](https://sonarcloud.io/sessions/new) and sign up with your GitHub account. +* Create a new organization under your name if there is none. +* Give SonarCloud permission to see the forked repository. +* Add your repository as a new Project. +* Go to `Administration` -> `Analysis Method` and uncheck `Automatic Analysis`. +* Select `Set up analysis via other methods` -> `With GitHub Actions`. + * Add the displayed GitHub Secret to your repository. + * Update the `sonar.organization` value in the `pom.xml` file. + * Create a new file`.github/workflows/build.yml`, copy & paste the displayed content to it. + * Set the `java-version` in the `build.yml` file to `17`. +* On your GitHub repository: Go to the `Pull requests` tab and create a new PR from the `introduce-user-migration-feature` and `allow-imports` branches to the `main` branch of your fork. Be careful that, by default, the PR targets the upstream repository. + +The first two issues will be displayed on the `main` branch and the other two issues on distinct Pull Requests. + +## Storyboard + The demo is a fictive Spring application implementing different functionalities which are vulnerable to security issues detected by our engine. All of these issues contain at least one step where the data flow: 1. 
originates from a user-controllable source within a library, @@ -49,24 +69,3 @@ This PR adds a feature to migrate users from the existing H2 database to MySQL. * Sink: `ca.odell.glazedlists.impl.io.BeanXMLByteCoder.decode` This PR adds a new feature to import users from an XML file. Although the code itself does not seem to contain any vulnerabilities, the `decode` library function is vulnerable to deserialization if the passed argument is user-controllable. Thus this PR introduces a critical vulnerability due to the usage of the unsafe library function. - - -## Setup instructions - -This repository is supposed to be added as a SonarCloud project for analysis via GitHub actions. - -* Fork this project *with all branches* (untick the default checkbox, "Copy the `main` branch only"). -* Go to the `Actions` tab of your forked repository and enable workflows by selecting `I understand my workflows, go ahead and enable them`. -* Go to [sonarcloud.io](https://sonarcloud.io/sessions/new) and sign up with your GitHub account. -* Create a new organization under your name if there is none. -* Give SonarCloud permission to see the forked repository. -* Add your repository as a new Project. -* Go to `Administration` -> `Analysis Method` and uncheck `Automatic Analysis`. -* Select `Set up analysis via other methods` -> `With GitHub Actions`. - * Add the displayed GitHub Secret to your repository. - * Update the `sonar.organization` value in the `pom.xml` file. - * Create a new file`.github/workflows/build.yml`, copy & paste the displayed content to it. - * Set the `java-version` in the `build.yml` file to `17`. -* On your GitHub repository: Go to the `Pull requests` tab and create a new PR from the `introduce-user-migration-feature` and `allow-imports` branches to the `main` branch of your fork. Be careful that, by default, the PR targets the upstream repository. - -The first two issues will be displayed on the `main` branch and the other two issues on distinct Pull Requests. 
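Review bot: after the move in patch 11 (hunk `@@ -1,9 +1,29 @@`), the sentence "The first two issues will be displayed on the `main` branch and the other two issues on distinct Pull Requests." now sits at the end of Setup instructions, before the Storyboard has introduced any issue, so "the first two issues" has no referent for a reader going top to bottom. Either keep that sentence with the Storyboard or reword it to "Issues 1 and 2 below are on the `main` branch; Issues 3 and 4 are on the two Pull Requests you just created." The missing space in "file`.github/workflows/build.yml`" is also carried over once more.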
From 22a98a1c7042c4a42df2d10eef68b1a8b8ce39e0 Mon Sep 17 00:00:00 2001 From: Antonio Bordes Date: Thu, 5 Oct 2023 11:45:27 +0200 Subject: [PATCH 12/14] Update pom.xml --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 7ca5e0c..68974ff 100644 --- a/pom.xml +++ b/pom.xml @@ -15,7 +15,7 @@ deeper-sast-demo 17 - sonarsourceresearch + Test-MG https://sonarcloud.io From 2b37b70d555dc4714fa18a83fc357922c545dfde Mon Sep 17 00:00:00 2001 From: Antonio Bordes Date: Thu, 5 Oct 2023 11:48:29 +0200 Subject: [PATCH 13/14] Create build.yml --- .github/workflows/build.yml | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 .github/workflows/build.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..efa4594 --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,37 @@ +name: SonarCloud +on: + push: + branches: + - main + pull_request: + types: [opened, synchronize, reopened] +jobs: + build: + name: Build and analyze + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis + - name: Set up JDK 17 + uses: actions/setup-java@v3 + with: + java-version: 17 + distribution: 'zulu' # Alternative distribution options are available. + - name: Cache SonarCloud packages + uses: actions/cache@v3 + with: + path: ~/.sonar/cache + key: ${{ runner.os }}-sonar + restore-keys: ${{ runner.os }}-sonar + - name: Cache Maven packages + uses: actions/cache@v3 + with: + path: ~/.m2 + key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} + restore-keys: ${{ runner.os }}-m2 + - name: Build and analyze + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=abordes96_deeper-sast-demo 
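Review bot: patch 12 replaces `sonarsourceresearch` with `Test-MG` in the `pom.xml` hunk (`@@ -15,7 +15,7 @@`), and patch 14 immediately corrects it to `test-mg`; squash the two, since the intermediate value is wrong for SonarCloud organization keys as the follow-up shows. More importantly, the README tells every fork to "Update the `sonar.organization` value in the `pom.xml` file" themselves, so committing a personal test organization to the shared repository looks like a fork-local change that should not land upstream.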
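Review bot: the `build.yml` created in patch 13 (hunk `@@ -0,0 +1,37 @@`) hardcodes `-Dsonar.projectKey=abordes96_deeper-sast-demo`, a key for one individual fork, which is the same fork-specific coupling that patch 07 removed this file to avoid; the README now instructs each user to create `.github/workflows/build.yml` from the content SonarCloud displays, so re-adding it upstream contradicts those instructions. If the file is meant to stay, drop the hardcoded key (the Maven plugin can read `sonar.projectKey` from `pom.xml`) and keep the step name "Set up JDK 17" in sync with `java-version: 17`, which this version does correctly.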
From 6f73eeac54e57030dca4c3b6038eff8fcc261ea7 Mon Sep 17 00:00:00 2001 From: Antonio Bordes Date: Thu, 5 Oct 2023 11:48:55 +0200 Subject: [PATCH 14/14] Update pom.xml --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 68974ff..9e94f8a 100644 --- a/pom.xml +++ b/pom.xml @@ -15,7 +15,7 @@ deeper-sast-demo 17 - Test-MG + test-mg https://sonarcloud.io
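Review bot: patch 14 only lowercases `Test-MG` to `test-mg` in the `pom.xml` hunk (`@@ -15,7 +15,7 @@`); this is a fix-up of patch 12 and should be folded into it so the history does not contain a commit with an invalid organization key, and the same concern applies: a personal organization key does not belong in the upstream `pom.xml` when the README asks forks to set their own.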