diff --git a/.classpath b/.classpath
new file mode 100644
index 000000000..653dfd75c
--- /dev/null
+++ b/.classpath
@@ -0,0 +1,57 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/.github/workflows/AutofixPRnBR.yml b/.github/workflows/AutofixPRnBR.yml
new file mode 100644
index 000000000..05161a869
--- /dev/null
+++ b/.github/workflows/AutofixPRnBR.yml
@@ -0,0 +1,41 @@
+
+---
+# This workflow integrates ShiftLeft NG SAST with GitHub
+# Visit https://docs.shiftleft.io for help
+name: QwietAFPRnBR
+
+on:
+ pull_request:
+ workflow_dispatch:
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 11 * * 6'
+jobs:
+ NextGen-Static-Analysis:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ # We are building this application with Java 11
+ - name: Setup Java JDK
+ uses: actions/setup-java@v1.4.3
+ with:
+ java-version: 1.8
+ #- name: Package with maven
+ # run: mvn clean package
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ - name: Extract branch name
+ shell: bash
+ run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ id: extract_branch
+ - name: NextGen Static Analysis
+ #run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --verbose --app Qwiet-java-GH --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --vcs-prefix-correction "io/shiftleft=src/main/java/" --java --container 18fgsa/s3-resource target/hello-shiftleft-0.0.1.jar
+ run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --verbose --app Qwiet-java-GH --container 18fgsa/s3-resource --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }}
+ #run: QWIET_ENABLE_MULTI_LANGUAGE_ANALYSIS=true ${GITHUB_WORKSPACE}/sl analyze --strict --wait --verbose --app Qwiet-Multi-GH --container 18fgsa/s3-resource --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }}
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+ SHIFTLEFT_API_HOST: www.shiftleft.io
+ SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
+ SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443
+
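Review bot: The `--tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }}` expression in the `NextGen Static Analysis` step is substituted into the shell command before bash runs it, so a PR branch name containing shell metacharacters is executed in a step that holds `SHIFTLEFT_ACCESS_TOKEN`. Pass it through the environment and quote it instead: `env: BRANCH: ${{ github.head_ref || steps.extract_branch.outputs.branch }}` on the step and `--tag "branch=$BRANCH"` in the command. The `Extract branch name` step relies on the deprecated `set-output` command; `echo "branch=${GITHUB_REF#refs/heads/}" >> "$GITHUB_OUTPUT"` is the supported form. `actions/setup-java@v1.4.3` with `java-version: 1.8` also contradicts the comment above it saying the application is built with Java 11.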
diff --git a/.github/workflows/QwietMLtest.yml b/.github/workflows/QwietMLtest.yml
new file mode 100644
index 000000000..655e41d5f
--- /dev/null
+++ b/.github/workflows/QwietMLtest.yml
@@ -0,0 +1,41 @@
+
+---
+# This workflow integrates ShiftLeft NG SAST with GitHub
+# Visit https://docs.shiftleft.io for help
+name: ShiftLeft
+
+on:
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ NextGen-Static-Analysis:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ # We are building this application with Java 11
+ - name: Setup Java JDK
+ uses: actions/setup-java@v3
+ with:
+ java-version: 11.0.x
+ distribution: zulu
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ # ShiftLeft requires Java 1.8. Post the package step override the version
+ - name: Setup Java JDK
+ uses: actions/setup-java@v3
+ with:
+ distribution: zulu
+ java-version: 8
+ - name: Extract branch name
+ shell: bash
+ run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ id: extract_branch
+ - name: NextGen Static Analysis
+ run: QWIET_ENABLE_MULTI_LANGUAGE_ANALYSIS=true ${GITHUB_WORKSPACE}/sl analyze
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+ SHIFTLEFT_API_HOST: www.shiftleft.io
+ SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
+ SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443
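Review bot: The `Download ShiftLeft CLI` step fetches the scanner with a bare `curl` and no `-f`, so a non-200 response (an HTML error page, for example) is written to `sl`, marked executable and run in the next step with the access token in its environment. Use at least `curl -fsSL`, and preferably pin a specific CLI release and verify a published checksum rather than executing whatever `/download/sl` currently serves, because this binary receives `SHIFTLEFT_ACCESS_TOKEN`. The comment before the second `Setup Java JDK` step refers to a package step that does not exist in this workflow, and the `extract_branch` output is computed but never used by the `sl analyze` command; either use it as a `--tag` or drop the step.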
diff --git a/.github/workflows/QwietPRBF.yml b/.github/workflows/QwietPRBF.yml
new file mode 100644
index 000000000..1bf99c4f3
--- /dev/null
+++ b/.github/workflows/QwietPRBF.yml
@@ -0,0 +1,85 @@
+
+---
+# This workflow integrates ShiftLeft NG SAST with GitHub
+# Visit https://docs.shiftleft.io for help
+name: QwietQual
+
+on:
+ pull_request:
+ workflow_dispatch:
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 11 * * 6'
+jobs:
+ NextGen-Static-Analysis:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ # We are building this application with Java 11
+ - name: Setup Java JDK
+ uses: actions/setup-java@v3
+ with:
+ distribution: zulu
+ java-version: 11
+ #- name: Package with maven
+ # run: mvn clean package
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ - name: Extract branch name
+ shell: bash
+ run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ id: extract_branch
+ - name: NextGen Static Analysis
+ #run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --verbose --app Qwiet-java-GH --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --vcs-prefix-correction "io/shiftleft=src/main/java/" --java --container 18fgsa/s3-resource target/hello-shiftleft-0.0.1.jar
+ run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --verbose --app Qwiet-javatoo --container 18fgsa/s3-resource --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }}
+ #run: QWIET_ENABLE_MULTI_LANGUAGE_ANALYSIS=true ${GITHUB_WORKSPACE}/sl analyze --strict --wait --verbose --app Qwiet-Multi-GH --container 18fgsa/s3-resource --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }}
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN_POC }}
+ SHIFTLEFT_API_HOST: www.shiftleft.io
+ SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
+ SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443
+ - name: Run Bestfix script to generate report
+ shell: bash
+ if: github.event_name == 'pull_request'
+ run: |
+ git clone https://github.com/gzttech/beautifulspoon.git
+ pip3 install beautifulspoon
+ git clone https://github.com/ShiftLeftSecurity/field-integrations.git
+ pip3 install -r field-integrations/shiftleft-utils/requirements.txt
+ python3 field-integrations/shiftleft-utils/bestfix.py -a ${{ github.event.repository.name }} -o $GITHUB_WORKSPACE/ngsast-bestfix-report.html
+ bspoon $GITHUB_WORKSPACE/ngsast-bestfix-report.html --select body > $GITHUB_WORKSPACE/qwiet.html
+ BESTFIX_OUTPUT=$(cat $GITHUB_WORKSPACE/ngsast-bestfix-report.html)
+ BESTFIX_BODY=$(jq -n --arg body "$BESTFIX_OUTPUT" '{body: $body}')
+
+ url="https://api.github.com/repos/${{ github.repository_owner }}/${{ github.event.repository.name }}/issues/${{github.event.number}}/comments"
+
+ curl -s -X POST \
+ -H "Accept: application/vnd.github+json" \
+ -H "Authorization: Bearer ${GH_API_TOKEN}" \
+ -d "${BESTFIX_BODY}" \
+ "${url}"
+ env:
+ GH_API_TOKEN: ${{ secrets.API_TOKEN }}
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN_POC }}
+ Build-Rules:
+ runs-on: ubuntu-latest
+ needs: NextGen-Static-Analysis
+ steps:
+ - uses: actions/checkout@v3
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ - name: Validate Build Rules
+ run: |
+ ${GITHUB_WORKSPACE}/sl check-analysis --app Qwiet-javatoo \
+ --github-pr-number=${{github.event.number}} \
+ --github-pr-user=${{ github.repository_owner }} \
+ --github-pr-repo=${{ github.event.repository.name }} \
+ --github-token=${{ secrets.GITHUB_TOKEN }}
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+ SHIFTLEFT_API_HOST: www.shiftleft.io
+ SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
+ SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443
+
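Review bot: The `Run Bestfix script` step clones `gzttech/beautifulspoon` and `ShiftLeftSecurity/field-integrations` at whatever their default branches currently hold, `pip3 install`s their unpinned requirements, and then runs `bestfix.py` with `SHIFTLEFT_ACCESS_TOKEN` and a PAT (`secrets.API_TOKEN`) in the environment, so any upstream change executes with both credentials. Pin each clone to a commit (`git clone --depth 1` followed by `git checkout <sha>`) or vendor the scripts, and pin `requirements.txt` with hashes. The PR comment is posted with a long-lived `API_TOKEN` although `GITHUB_TOKEN` with `permissions: pull-requests: write` would be scoped to this repository and expire with the run. `BESTFIX_OUTPUT` also reads the full `ngsast-bestfix-report.html` rather than the `qwiet.html` body extract that `bspoon` just produced, so that extraction is unused.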
diff --git a/.github/workflows/TSdemo.yml b/.github/workflows/TSdemo.yml
new file mode 100644
index 000000000..7484846cd
--- /dev/null
+++ b/.github/workflows/TSdemo.yml
@@ -0,0 +1,59 @@
+
+---
+# This workflow integrates ShiftLeft NG SAST with GitHub
+# Visit https://docs.shiftleft.io for help
+name: QwietTest
+
+on:
+ pull_request:
+ workflow_dispatch:
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 11 * * 6'
+jobs:
+ NextGen-Static-Analysis:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ # We are building this application with Java 11
+ - name: Setup Java JDK
+ uses: actions/setup-java@v1.4.3
+ with:
+ java-version: 1.8
+ - name: Package with maven
+ run: mvn clean package
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ - name: Extract branch name
+ shell: bash
+ run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ id: extract_branch
+ - name: NextGen Static Analysis
+ run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app Qwiet-java-GH --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --vcs-prefix-correction "io/shiftleft=src/main/java/" --java --container 18fgsa/s3-resource target/hello-shiftleft-0.0.1.jar
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN0 }}
+ SHIFTLEFT_API_HOST: www.shiftleft.io
+ SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
+ SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443
+ Build-Rules:
+ runs-on: ubuntu-latest
+ needs: NextGen-Static-Analysis
+ steps:
+ - uses: actions/checkout@v3
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ - name: Validate Build Rules
+ run: |
+ ${GITHUB_WORKSPACE}/sl check-analysis --app shiftleft-java-demo \
+ --github-pr-number=${{github.event.number}} \
+ --github-pr-user=${{ github.repository_owner }} \
+ --github-pr-repo=${{ github.event.repository.name }} \
+ --github-token=${{ secrets.GITHUB_TOKEN }}
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN0 }}
+ SHIFTLEFT_API_HOST: www.shiftleft.io
+ SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
+ SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443
+
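Review bot: The `Validate Build Rules` job runs `sl check-analysis --app shiftleft-java-demo`, but the analysis in the first job uploads under `--app Qwiet-java-GH`, so the build-rule gate evaluates a different application's results (or none) and does not reflect this scan; both commands should name the same app, e.g. `--app Qwiet-java-GH`. The `--tag branch=${{ github.head_ref || … }}` interpolation into `run:` is also shell-injectable from a PR branch name; route it through an `env:` variable and quote it. `actions/setup-java@v1.4.3` is an old unmaintained release; `actions/setup-java@v3` with `distribution: zulu`, as the sibling workflows in this change use, is preferable.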
diff --git a/.github/workflows/TestSecTab.yml b/.github/workflows/TestSecTab.yml
new file mode 100644
index 000000000..d5095ad50
--- /dev/null
+++ b/.github/workflows/TestSecTab.yml
@@ -0,0 +1,68 @@
+# This workflow integrates QwietAI preZero SAST with GitHub and exports SARIF results to the Security Tab
+name: QwietAFPRnBR2
+
+on:
+ pull_request:
+ workflow_dispatch:
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 11 * * 6'
+
+permissions:
+ security-events: write # Ensure proper permissions to upload SARIF results
+
+jobs:
+ QwietAI-preZero-Analysis:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Setup Java JDK v8
+ uses: actions/setup-java@v3
+ with:
+ distribution: zulu
+ java-version: 8
+
+ - name: Download QwietAI CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+
+ - name: Extract branch name
+ shell: bash
+ run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ id: extract_branch
+
+ - name: QwietAI preZero Analysis
+ run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app Qwietjavatab --verbose --container 18fgsa/s3-resource --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} . -- --exclude common.py,export2.py,export3.py,export4.py
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+ SHIFTLEFT_API_HOST: www.shiftleft.io
+ SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
+ SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443
+
+ - name: Download export.py and requirements.txt
+ run: |
+ curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/export.py
+ curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/config.py
+ curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/common.py
+ curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/requirements.txt
+ - name: Verify export.py file exists
+ run: |
+ ls -la ${GITHUB_WORKSPACE}
+
+ - name: Install Python dependencies
+ run: |
+ python3 -m pip install --upgrade pip
+ python3 -m pip install -r requirements.txt
+
+ - name: Run export.py and generate SARIF report
+ run: |
+ #APP_NAME=${{ github.event.repository.name }}
+ python3 ${GITHUB_WORKSPACE}/export.py -f sarif -a Qwietjavatab
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+ - name: Upload SARIF file to GitHub Security Tab
+ uses: github/codeql-action/upload-sarif@v3 # Updated to v3
+ with:
+ sarif_file: ./ngsast-report-Qwietjavatab.sarif # Correct dynamic path for SARIF output
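Review bot: The top-level `permissions:` block grants only `security-events: write`, which sets every other `GITHUB_TOKEN` scope to `none`; `actions/checkout@v3` needs `contents: read`, and on private repositories `upload-sarif` additionally needs `actions: read`. Add `contents: read` (and `actions: read` where applicable) so the job is explicit rather than depending on the repository being public. The `Download export.py` step pulls four scripts from `master` of `field-integrations` with `curl -O` and runs them with `SHIFTLEFT_ACCESS_TOKEN`; pin the raw URLs to a commit SHA (or vendor the scripts) so an upstream change cannot exfiltrate the token. The comment on `sarif_file` calls the path dynamic, but it is hard-coded to `Qwietjavatab` while the `APP_NAME` line above is commented out.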
diff --git a/.github/workflows/dockerpreZero.yml b/.github/workflows/dockerpreZero.yml
new file mode 100644
index 000000000..8eb9e5e36
--- /dev/null
+++ b/.github/workflows/dockerpreZero.yml
@@ -0,0 +1,27 @@
+---
+name: QwietPoCDocker
+
+on:
+ pull_request:
+ workflow_dispatch:
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 11 * * 6'
+
+jobs:
+ NextGen-Static-Analysis:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Run preZero Scan with ShiftLeft
+ shell: bash
+ run: |
+ docker run --platform linux/amd64 --rm -t \
+ --name slcore \
+ -e SHIFTLEFT_ACCESS_TOKEN="$SHIFTLEFT_ACCESS_TOKEN" \
+ -v "${{ github.workspace }}:/app" \
+ -v /tmp:/tmp \
+ shiftleft/core:latest \
+ sl analyze --verbose --wait --app "javadockerscan" --container 18fgsa/s3-resource /app
+env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
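Review bot: The scan runs `shiftleft/core:latest`, so the scanner that receives `SHIFTLEFT_ACCESS_TOKEN` changes whenever that tag is repushed; pin the image by digest (`shiftleft/core@sha256:…`) or at least a version tag. The `-v /tmp:/tmp` bind mount exposes the runner's entire `/tmp` to the container and is not needed to scan `/app`; drop it unless the CLI documents a requirement for it. Unlike the other workflows in this change, `sl analyze` here runs without `--strict`, so a failed upload does not fail the job; add `--strict` if this workflow is meant to gate anything.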
diff --git a/.github/workflows/poc.yml b/.github/workflows/poc.yml
new file mode 100644
index 000000000..594c89e45
--- /dev/null
+++ b/.github/workflows/poc.yml
@@ -0,0 +1,112 @@
+
+---
+# This workflow integrates ShiftLeft NG SAST with GitHub
+# Visit https://docs.shiftleft.io for help
+name: QwietPoC
+
+on:
+ pull_request:
+ workflow_dispatch:
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 11 * * 6'
+jobs:
+ NextGen-Static-Analysis:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ # We are building this application with Java 11
+ - name: Setup Java JDK
+ uses: actions/setup-java@v3
+ with:
+ distribution: zulu
+ java-version: 11
+ #- name: Package with maven
+ # run: mvn clean package
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ - name: Extract branch name
+ shell: bash
+ run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ id: extract_branch
+ - name: NextGen Static Analysis
+ #run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --verbose --app Qwiet-java-GH --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --vcs-prefix-correction "io/shiftleft=src/main/java/" --java --container 18fgsa/s3-resource target/hello-shiftleft-0.0.1.jar
+ run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --verbose --app QwietAI-MultiLang --container 18fgsa/s3-resource --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }}
+ #run: QWIET_ENABLE_MULTI_LANGUAGE_ANALYSIS=true ${GITHUB_WORKSPACE}/sl analyze --strict --wait --verbose --app Qwiet-Multi-GH --container 18fgsa/s3-resource --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }}
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN_POC }}
+ SHIFTLEFT_API_HOST: www.shiftleft.io
+ SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
+ SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443
+ - name: Run Bestfix script to generate report
+ shell: bash
+ if: github.event_name == 'pull_request'
+ run: |
+ git clone https://github.com/gzttech/beautifulspoon.git
+ pip3 install beautifulspoon
+ git clone https://github.com/ShiftLeftSecurity/field-integrations.git
+ pip3 install -r field-integrations/shiftleft-utils/requirements.txt
+ python3 field-integrations/shiftleft-utils/bestfix.py -a ${{ github.event.repository.name }} -o $GITHUB_WORKSPACE/ngsast-bestfix-report.html
+ bspoon $GITHUB_WORKSPACE/ngsast-bestfix-report.html --select body > $GITHUB_WORKSPACE/qwiet.html
+ BESTFIX_OUTPUT=$(cat $GITHUB_WORKSPACE/ngsast-bestfix-report.html)
+ BESTFIX_BODY=$(jq -n --arg body "$BESTFIX_OUTPUT" '{body: $body}')
+
+ url="https://api.github.com/repos/${{ github.repository_owner }}/${{ github.event.repository.name }}/issues/${{github.event.number}}/comments"
+
+ curl -s -X POST \
+ -H "Accept: application/vnd.github+json" \
+ -H "Authorization: Bearer ${GH_API_TOKEN}" \
+ -d "${BESTFIX_BODY}" \
+ "${url}"
+ env:
+ GH_API_TOKEN: ${{ secrets.API_TOKEN }}
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN_POC }}
+ - name: Download export.py and requirements.txt
+ run: |
+ curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/export.py
+ curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/config.py
+ curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/common.py
+ curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/requirements.txt
+ - name: Verify export.py file exists
+ run: |
+ ls -la ${GITHUB_WORKSPACE}
+
+ - name: Install Python dependencies
+ run: |
+ python3 -m pip install --upgrade pip
+ python3 -m pip install -r requirements.txt
+
+ - name: Run export.py and generate SARIF report
+ run: |
+ #APP_NAME=${{ github.event.repository.name }}
+ python3 ${GITHUB_WORKSPACE}/export.py -f sarif -a QwietAI-MultiLang
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN_POC }}
+
+ - name: Upload SARIF file to GitHub Security Tab
+ uses: github/codeql-action/upload-sarif@v3 # Updated to v3
+ with:
+ sarif_file: ./ngsast-report-QwietAI-MultiLang.sarif # Correct dynamic path for SARIF output
+
+ Build-Rules:
+ runs-on: ubuntu-latest
+ needs: NextGen-Static-Analysis
+ steps:
+ - uses: actions/checkout@v3
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ - name: Validate Build Rules
+ run: |
+ ${GITHUB_WORKSPACE}/sl check-analysis --app QwietAI-MultiLang \
+ --github-pr-number=${{github.event.number}} \
+ --github-pr-user=${{ github.repository_owner }} \
+ --github-pr-repo=${{ github.event.repository.name }} \
+ --github-token=${{ secrets.GITHUB_TOKEN }}
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN_POC }}
+ SHIFTLEFT_API_HOST: www.shiftleft.io
+ SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
+ SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443
+
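Review bot: The `Upload SARIF file` step uses `github/codeql-action/upload-sarif@v3`, which requires `security-events: write` on `GITHUB_TOKEN`, but this workflow declares no `permissions:` block, so it only succeeds if the repository's default token permission is read-write — the opposite of least privilege. Add a job-level `permissions:` with `contents: read` and `security-events: write` (plus `pull-requests: write` if the comment step is moved off the PAT to `GITHUB_TOKEN`). The bestfix step executes freshly cloned, unpinned third-party scripts with `SHIFTLEFT_ACCESS_TOKEN_POC` and `API_TOKEN` in its environment; pin the clones and `requirements.txt` to known revisions. The same `--tag branch=${{ github.head_ref || … }}` interpolation into the shell exists here as in the other workflows; pass it via `env:` and quote it.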
diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml
new file mode 100644
index 000000000..26556934e
--- /dev/null
+++ b/.github/workflows/shiftleft.yml
@@ -0,0 +1,60 @@
+---
+# This workflow integrates qwiet.ai preZero with GitHub
+# Visit https://docs.shiftleft.io for help
+name: qwiet.ai
+
+on:
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ NextGen-Static-Analysis:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Setup Java JDK v11.0.x
+ uses: actions/setup-java@v3
+ with:
+ distribution: zulu
+ java-version: 11.0.x
+
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+
+ - name: preZero Static Analysis
+ run: |
+ ${GITHUB_WORKSPACE}/sl --version
+ ${GITHUB_WORKSPACE}/sl analyze --strict --wait \
+ --app shiftleft-java-demo \
+ --tag branch=${{ github.head_ref }} \
+ --javasrc --container 18fgsa/s3-resource .
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+ SHIFTLEFT_API_HOST: www.shiftleft.io
+ SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
+ SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443
+
+ Build-Rules:
+ runs-on: ubuntu-latest
+ permissions: write-all
+ needs: NextGen-Static-Analysis
+ steps:
+ - uses: actions/checkout@v3
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ - name: Validate Build Rules
+ run: |
+ ${GITHUB_WORKSPACE}/sl check-analysis --app shiftleft-java-demo \
+ --github-pr-number=${{github.event.number}} \
+ --github-pr-user=${{ github.repository_owner }} \
+ --github-pr-repo=${{ github.event.repository.name }} \
+ --github-token=${{ secrets.GITHUB_TOKEN }}
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+ SHIFTLEFT_API_HOST: www.shiftleft.io
+ SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
+ SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443
+
+
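Review bot: The `Build-Rules` job declares `permissions: write-all`, giving `GITHUB_TOKEN` write on contents, packages, actions and every other scope, while `sl check-analysis` only needs to read the PR and post a status or comment; scope it to what is used, e.g. `permissions: {contents: read, pull-requests: write, checks: write}`, and confirm against the CLI's documented requirements. `--tag branch=${{ github.head_ref }}` is expanded into the shell command, so a crafted PR branch name can inject commands into a step that holds `SHIFTLEFT_ACCESS_TOKEN`; pass it as an `env:` variable and quote it. On `workflow_dispatch`, `github.head_ref` is empty, so the tag becomes `branch=`; the `GITHUB_REF` fallback the other workflows use is missing here.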
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 000000000..790332ec5
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,61 @@
+
+---
+# This workflow integrates ShiftLeft NG SAST with GitHub
+# Visit https://docs.shiftleft.io for help
+name: QwietTestNT
+
+on:
+ pull_request:
+ workflow_dispatch:
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 11 * * 6'
+jobs:
+ NextGen-Static-Analysis:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ # We are building this application with Java 11
+ - name: Setup Java JDK
+ uses: actions/setup-java@v1.4.3
+ with:
+ java-version: 1.8
+ #- name: Package with maven
+ # run: mvn clean package
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ - name: Extract branch name
+ shell: bash
+ run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ id: extract_branch
+ - name: NextGen Static Analysis
+ #run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --verbose --app Qwiet-java-GH --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --vcs-prefix-correction "io/shiftleft=src/main/java/" --java --container 18fgsa/s3-resource target/hello-shiftleft-0.0.1.jar
+ run: |
+ QWIET_EXTERNAL_SECRETS=true QWIET_ENABLE_MULTI_LANGUAGE_ANALYSIS=true ${GITHUB_WORKSPACE}/sl analyze --app Qwiet-java-GH --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }}
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+ SHIFTLEFT_API_HOST: www.shiftleft.io
+ SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
+ SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443
+ Build-Rules:
+ runs-on: ubuntu-latest
+ needs: NextGen-Static-Analysis
+ steps:
+ - uses: actions/checkout@v3
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ - name: Validate Build Rules
+ run: |
+ ${GITHUB_WORKSPACE}/sl check-analysis --app Qwiet-java-GH \
+ --github-pr-number=${{github.event.number}} \
+ --github-pr-user=${{ github.repository_owner }} \
+ --github-pr-repo=${{ github.event.repository.name }} \
+ --github-token=${{ secrets.GITHUB_TOKEN }}
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+ SHIFTLEFT_API_HOST: www.shiftleft.io
+ SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
+ SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443
+
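Review bot: The `NextGen Static Analysis` step runs `sl analyze` without `--wait`, yet the dependent `Build-Rules` job immediately runs `sl check-analysis` for the same app; if `analyze` returns before the server-side analysis completes, `check-analysis` evaluates stale or missing results for this PR. Add `--wait` (and `--strict`, so an upload failure fails the job) as the sibling workflows do. The branch tag is interpolated directly into the shell (`${{ github.head_ref || … }}`), which is injectable from a PR branch name; pass it via `env:` and quote it. The `Setup Java JDK` comment says Java 11 while the step installs 1.8 through the outdated `actions/setup-java@v1.4.3`.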
diff --git a/.harness/Build_shiftleft_java_demo_1696867748935-pr-trigger-input-set-1696867749886.yaml b/.harness/Build_shiftleft_java_demo_1696867748935-pr-trigger-input-set-1696867749886.yaml
new file mode 100644
index 000000000..9f2763149
--- /dev/null
+++ b/.harness/Build_shiftleft_java_demo_1696867748935-pr-trigger-input-set-1696867749886.yaml
@@ -0,0 +1,14 @@
+inputSet:
+ name: Build_shiftleft_java_demo_1696867748935-pr-trigger-input-set
+ identifier: Build_shiftleft_java_demo_1696867748935prtriggerinputset
+ orgIdentifier: default
+ projectIdentifier: QwietjavaHarness
+ pipeline:
+ identifier: Build_shiftleft_java_demo_1696867748935
+ properties:
+ ci:
+ codebase:
+ build:
+ type: PR
+ spec:
+ number: <+trigger.prNumber>
diff --git a/.harness/Build_shiftleft_java_demo_1696867748935-push-trigger-input-set-1696867750867.yaml b/.harness/Build_shiftleft_java_demo_1696867748935-push-trigger-input-set-1696867750867.yaml
new file mode 100644
index 000000000..1a1cc5a60
--- /dev/null
+++ b/.harness/Build_shiftleft_java_demo_1696867748935-push-trigger-input-set-1696867750867.yaml
@@ -0,0 +1,14 @@
+inputSet:
+ name: Build_shiftleft_java_demo_1696867748935-push-trigger-input-set
+ identifier: Build_shiftleft_java_demo_1696867748935pushtriggerinputset
+ orgIdentifier: default
+ projectIdentifier: QwietjavaHarness
+ pipeline:
+ identifier: Build_shiftleft_java_demo_1696867748935
+ properties:
+ ci:
+ codebase:
+ build:
+ type: branch
+ spec:
+ branch: <+trigger.branch>
diff --git a/.harness/Build_shiftleft_java_demo_1696878707672-pr-trigger-input-set-1696878708669.yaml b/.harness/Build_shiftleft_java_demo_1696878707672-pr-trigger-input-set-1696878708669.yaml
new file mode 100644
index 000000000..20ebf2a73
--- /dev/null
+++ b/.harness/Build_shiftleft_java_demo_1696878707672-pr-trigger-input-set-1696878708669.yaml
@@ -0,0 +1,14 @@
+inputSet:
+ name: Build_shiftleft_java_demo_1696878707672-pr-trigger-input-set
+ identifier: Build_shiftleft_java_demo_1696878707672prtriggerinputset
+ orgIdentifier: default
+ projectIdentifier: QwietjavaHarn
+ pipeline:
+ identifier: Build_shiftleft_java_demo_1696878707672
+ properties:
+ ci:
+ codebase:
+ build:
+ type: PR
+ spec:
+ number: <+trigger.prNumber>
diff --git a/.harness/Build_shiftleft_java_demo_1696878707672-push-trigger-input-set-1696878709630.yaml b/.harness/Build_shiftleft_java_demo_1696878707672-push-trigger-input-set-1696878709630.yaml
new file mode 100644
index 000000000..da043653d
--- /dev/null
+++ b/.harness/Build_shiftleft_java_demo_1696878707672-push-trigger-input-set-1696878709630.yaml
@@ -0,0 +1,14 @@
+inputSet:
+ name: Build_shiftleft_java_demo_1696878707672-push-trigger-input-set
+ identifier: Build_shiftleft_java_demo_1696878707672pushtriggerinputset
+ orgIdentifier: default
+ projectIdentifier: QwietjavaHarn
+ pipeline:
+ identifier: Build_shiftleft_java_demo_1696878707672
+ properties:
+ ci:
+ codebase:
+ build:
+ type: branch
+ spec:
+ branch: <+trigger.branch>
diff --git a/.harness/pipelines/shiftleft-java-demo-1696867734408.yaml b/.harness/pipelines/shiftleft-java-demo-1696867734408.yaml
new file mode 100644
index 000000000..fa2e49bc2
--- /dev/null
+++ b/.harness/pipelines/shiftleft-java-demo-1696867734408.yaml
@@ -0,0 +1,33 @@
+pipeline:
+ identifier: Build_shiftleft_java_demo_1696867748935
+ name: Build shiftleft-java-demo
+ orgIdentifier: default
+ projectIdentifier: QwietjavaHarness
+ properties:
+ ci:
+ codebase:
+ build: <+input>
+ connectorRef: account.Github_OAuth_1696007572273
+ repoName: shiftleft-java-demo
+ stages:
+ - stage:
+ identifier: build
+ name: build
+ spec:
+ cloneCodebase: true
+ execution:
+ steps:
+ - step:
+ identifier: echo
+ name: echo
+ spec:
+ command: echo hello world
+ timeout: ""
+ type: Run
+ platform:
+ arch: Amd64
+ os: Linux
+ runtime:
+ spec: {}
+ type: Cloud
+ type: CI
diff --git a/.harness/pipelines/shiftleft-java-demo-1696878690934.yaml b/.harness/pipelines/shiftleft-java-demo-1696878690934.yaml
new file mode 100644
index 000000000..426d84590
--- /dev/null
+++ b/.harness/pipelines/shiftleft-java-demo-1696878690934.yaml
@@ -0,0 +1,33 @@
+pipeline:
+ identifier: Build_shiftleft_java_demo_1696878707672
+ name: Build shiftleft-java-demo
+ orgIdentifier: default
+ projectIdentifier: QwietjavaHarn
+ properties:
+ ci:
+ codebase:
+ build: <+input>
+ connectorRef: account.Github_OAuth_1696007572273
+ repoName: shiftleft-java-demo
+ stages:
+ - stage:
+ identifier: build
+ name: build
+ spec:
+ cloneCodebase: true
+ execution:
+ steps:
+ - step:
+ identifier: echo
+ name: echo
+ spec:
+ command: echo hello world
+ timeout: ""
+ type: Run
+ platform:
+ arch: Amd64
+ os: Linux
+ runtime:
+ spec: {}
+ type: Cloud
+ type: CI
diff --git a/.project b/.project
new file mode 100644
index 000000000..28f34d02d
--- /dev/null
+++ b/.project
@@ -0,0 +1,34 @@
+
+
+ shiftleft-java-demo
+
+
+
+
+
+ org.eclipse.jdt.core.javabuilder
+
+
+
+
+ org.eclipse.m2e.core.maven2Builder
+
+
+
+
+
+ org.eclipse.jdt.core.javanature
+ org.eclipse.m2e.core.maven2Nature
+
+
+
+ 1707854009467
+
+ 30
+
+ org.eclipse.core.resources.regexFilterMatcher
+ node_modules|\.git|__CREATED_BY_JAVA_LANGUAGE_SERVER__
+
+
+
+
diff --git a/.settings/org.eclipse.core.resources.prefs b/.settings/org.eclipse.core.resources.prefs
new file mode 100644
index 000000000..abdea9ac0
--- /dev/null
+++ b/.settings/org.eclipse.core.resources.prefs
@@ -0,0 +1,4 @@
+eclipse.preferences.version=1
+encoding//src/main/java=UTF-8
+encoding//src/main/resources=UTF-8
+encoding/=UTF-8
diff --git a/.settings/org.eclipse.jdt.apt.core.prefs b/.settings/org.eclipse.jdt.apt.core.prefs
new file mode 100644
index 000000000..d4313d4b2
--- /dev/null
+++ b/.settings/org.eclipse.jdt.apt.core.prefs
@@ -0,0 +1,2 @@
+eclipse.preferences.version=1
+org.eclipse.jdt.apt.aptEnabled=false
diff --git a/.settings/org.eclipse.jdt.core.prefs b/.settings/org.eclipse.jdt.core.prefs
new file mode 100644
index 000000000..1b6e1ef22
--- /dev/null
+++ b/.settings/org.eclipse.jdt.core.prefs
@@ -0,0 +1,9 @@
+eclipse.preferences.version=1
+org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.8
+org.eclipse.jdt.core.compiler.compliance=1.8
+org.eclipse.jdt.core.compiler.problem.enablePreviewFeatures=disabled
+org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning
+org.eclipse.jdt.core.compiler.problem.reportPreviewFeatures=ignore
+org.eclipse.jdt.core.compiler.processAnnotations=disabled
+org.eclipse.jdt.core.compiler.release=disabled
+org.eclipse.jdt.core.compiler.source=1.8
diff --git a/.settings/org.eclipse.m2e.core.prefs b/.settings/org.eclipse.m2e.core.prefs
new file mode 100644
index 000000000..f897a7f1c
--- /dev/null
+++ b/.settings/org.eclipse.m2e.core.prefs
@@ -0,0 +1,4 @@
+activeProfiles=
+eclipse.preferences.version=1
+resolveWorkspaceProjects=true
+version=1
diff --git a/Test/.gitignore b/Test/.gitignore
new file mode 100644
index 000000000..5ff6309b7
--- /dev/null
+++ b/Test/.gitignore
@@ -0,0 +1,38 @@
+target/
+!.mvn/wrapper/maven-wrapper.jar
+!**/src/main/**/target/
+!**/src/test/**/target/
+
+### IntelliJ IDEA ###
+.idea/modules.xml
+.idea/jarRepositories.xml
+.idea/compiler.xml
+.idea/libraries/
+*.iws
+*.iml
+*.ipr
+
+### Eclipse ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+build/
+!**/src/main/**/build/
+!**/src/test/**/build/
+
+### VS Code ###
+.vscode/
+
+### Mac OS ###
+.DS_Store
\ No newline at end of file
diff --git a/Test/pom.xml b/Test/pom.xml
new file mode 100644
index 000000000..e546ce6f3
--- /dev/null
+++ b/Test/pom.xml
@@ -0,0 +1,17 @@
+
+
+ 4.0.0
+
+ org.example
+ Test
+ 1.0-SNAPSHOT
+
+
+ 20
+ 20
+ UTF-8
+
+
+
\ No newline at end of file
diff --git a/Test/src/main/java/org/example/Main.java b/Test/src/main/java/org/example/Main.java
new file mode 100644
index 000000000..a02700ff9
--- /dev/null
+++ b/Test/src/main/java/org/example/Main.java
@@ -0,0 +1,17 @@
+package org.example;
+
+//TIP To Run code, press or
+// click the icon in the gutter.
+public class Main {
+ public static void main(String[] args) {
+ //TIP Press with your caret at the highlighted text
+ // to see how IntelliJ IDEA suggests fixing it.
+ System.out.printf("Hello and welcome!");
+
+ for (int i = 1; i <= 5; i++) {
+ //TIP Press to start debugging your code. We have set one breakpoint
+ // for you, but you can always add more by pressing .
+ System.out.println("i = " + i);
+ }
+ }
+}
\ No newline at end of file
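Review bot: `System.out.printf("Hello and welcome!")` passes a literal with no format specifiers and no arguments, so `printf` adds nothing over `print`, and the greeting is emitted without a newline and runs straight into the first `i = 1` line; use `System.out.println("Hello and welcome!");`. The `//TIP` comments are IDE template text whose keyboard shortcuts were stripped (`press or`, `pressing .`) and should be removed before committing.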
diff --git a/WORKSPACE b/WORKSPACE
new file mode 100644
index 000000000..8b1378917
--- /dev/null
+++ b/WORKSPACE
@@ -0,0 +1 @@
+
diff --git a/maven.sh b/maven.sh
new file mode 100644
index 000000000..b0a124252
--- /dev/null
+++ b/maven.sh
@@ -0,0 +1,17 @@
+mvn_version=${mvn_version:-3.8.5}
+url="http://www.mirrorservice.org/sites/ftp.apache.org/maven/maven-3/${mvn_version}/binaries/apache-maven-${mvn_version}-bin.tar.gz"
+install_dir="/opt/maven"
+
+mkdir ${install_dir}
+curl -fsSL ${url} | tar zx --strip-components=1 -C ${install_dir}
+cat << EOF > /etc/profile.d/maven.sh
+#!/bin/sh
+export MAVEN_HOME=${install_dir}
+export M2_HOME=${install_dir}
+export M2=${install_dir}/bin
+export PATH=${install_dir}/bin:$PATH
+EOF
+source /etc/profile.d/maven.sh
+echo maven installed to ${install_dir}
+mvn --version
+mvn clean package
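Review bot: The Maven tarball is fetched over plain `http://` from a third-party mirror and piped straight into `tar` with no checksum or signature verification, so anyone on the network path or a compromised mirror can substitute a trojaned Maven that this same script then executes via `mvn clean package`, presumably as root given the writes to `/opt` and `/etc/profile.d`. There is also no shebang and no `set -euo pipefail`, so a failed download leaves a half-populated `/opt/maven` and the script carries on, and `mkdir` without `-p` fails on any rerun. Fetch over HTTPS, pull the `.sha512` that Apache publishes next to the release (from apache.org, not the mirror — confirm its exact format, recent releases ship a bare hex digest) and verify it before extracting, as sketched below; the `profile.d` heredoc and the `mvn` invocations are unchanged.
```shell
#!/usr/bin/env bash
set -euo pipefail

mvn_version=${mvn_version:-3.8.5}
url="https://www.mirrorservice.org/sites/ftp.apache.org/maven/maven-3/${mvn_version}/binaries/apache-maven-${mvn_version}-bin.tar.gz"
# Digest is taken from Apache itself so a tampered mirror cannot also serve a matching checksum.
sha_url="https://archive.apache.org/dist/maven/maven-3/${mvn_version}/binaries/apache-maven-${mvn_version}-bin.tar.gz.sha512"
install_dir="/opt/maven"

tarball="$(mktemp)"
trap 'rm -f "${tarball}"' EXIT
curl -fsSL "${url}" -o "${tarball}"
expected="$(curl -fsSL "${sha_url}")"
echo "${expected}  ${tarball}" | sha512sum -c - >/dev/null
mkdir -p "${install_dir}"
tar -xzf "${tarball}" --strip-components=1 -C "${install_dir}"
# … unchanged: /etc/profile.d/maven.sh heredoc, source, mvn --version, mvn clean package …
```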
diff --git a/ngsast.yaml b/ngsast.yaml
new file mode 100644
index 000000000..44b74ee82
--- /dev/null
+++ b/ngsast.yaml
@@ -0,0 +1,11 @@
+ngsast:
+- app:
+ name: helloshiftleft-spring-app
+ additional-findings:
+ - hsl-secrets
+ policy: io.shiftleft/helloshiftleft
+ language: JAVA
+additional-findings:
+ hsl-secrets:
+ entropy: 0.5
+ name: secrets
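Review bot: This `ngsast.yaml` and the `ngsast.yml` added right after it in this diff both configure the scan but disagree on app name (`helloshiftleft-spring-app` vs `Java_CLI`), policy and the secrets entropy threshold (`0.5` vs `1.00`), so which settings the CLI actually honours depends on its file lookup order — keep a single file and delete the other. This one also has no `include`/`exclude` for the `secrets` finder, so test fixtures get scanned as well. The sequence style differs too (flush `- app:` here, indented in the `.yml`); pick one for consistency.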
diff --git a/ngsast.yml b/ngsast.yml
new file mode 100644
index 000000000..b291c0338
--- /dev/null
+++ b/ngsast.yml
@@ -0,0 +1,25 @@
+ngsast:
+ - app:
+ name: Java_CLI
+ language: JAVA # change to your app's language
+ policy: io.shiftleft/Java_CLI
+ - default:
+ policy: io.shiftleft/defaultWithDict
+ additional-findings:
+ - hsl-js-secrets
+ #policy: io.shiftleft/helloshiftleft # change this policy name to the one you'd like to use for this app
+ #- app:
+ # name: helloshiftleft-js
+ # language: JAVASCRIPT # change to your app's language
+
+ #- default:
+ # policy: io.shiftleft/defaultWithDict
+additional-findings:
+ hsl-js-secrets:
+ name: secrets
+ entropy: 1.00
+ include:
+ - "**/*.properties"
+ - src/**
+ exclude:
+ - src/test/**
\ No newline at end of file
diff --git a/shiftleft.yml b/shiftleft.yml
new file mode 100644
index 000000000..9258e2a14
--- /dev/null
+++ b/shiftleft.yml
@@ -0,0 +1,22 @@
+version: 2 # implies that check-analysis v2 should be used and therefore
+ # the --v2 flag can be omitted when running sl check-analysis
+build_rules:
+- id: Allow no critical findings
+ finding_types:
+ - vuln
+ severities:
+ - critical
+ threshold: 0
+ options:
+ num_findings: 10 # Return 10 sast findings
+- id: Allow one OSS or container finding
+ finding_types:
+ - oss_vuln
+ - container
+ threshold: 1
+- id: Allow no reachable OSS vulnerability
+ finding_types:
+ - oss_vuln
+ - container
+ options:
+ reachable: true
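Review bot: The third rule (`Allow no reachable OSS vulnerability`) sets `reachable: true` but no `threshold`, so whether it actually fails the build depends on the tool's default (presumably 0, but the first two rules spell it out, so add `threshold: 0` here too). The first rule gates only `critical` SAST findings, so any number of `high` findings pass the check — consider `severities: [critical, high]` or a second rule for `high` with its own threshold. Rule two allows one OSS or container finding regardless of severity or reachability, which may be intended but deserves a comment saying why.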
diff --git a/src/main/java/io/shiftleft/controller/CustomerController.java b/src/main/java/io/shiftleft/controller/CustomerController.java
index 40e1c4917..b13ba0d07 100644
--- a/src/main/java/io/shiftleft/controller/CustomerController.java
+++ b/src/main/java/io/shiftleft/controller/CustomerController.java
@@ -1,222 +1,6 @@
package io.shiftleft.controller;
-import io.shiftleft.model.Account;
-import io.shiftleft.model.Address;
-import java.io.BufferedReader;
-import java.io.BufferedWriter;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.math.BigInteger;
-import java.nio.charset.StandardCharsets;
-import java.nio.file.Files;
-import java.nio.file.Paths;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.util.Arrays;
-import java.util.Base64;
-import java.util.Date;
-import java.util.HashSet;
-import java.util.List;
-
-import java.util.Set;
-import javax.annotation.PostConstruct;
-import javax.servlet.http.HttpServletResponse;
-import org.apache.commons.codec.digest.DigestUtils;
-import org.apache.http.HttpHeaders;
-import org.apache.http.auth.AuthenticationException;
-import org.apache.http.auth.UsernamePasswordCredentials;
-import org.apache.http.client.ClientProtocolException;
-import org.apache.http.client.methods.CloseableHttpResponse;
-import org.apache.http.client.methods.HttpPost;
-import org.apache.http.entity.StringEntity;
-import org.apache.http.impl.auth.BasicScheme;
-import org.apache.http.impl.client.CloseableHttpClient;
-import org.apache.http.impl.client.HttpClients;
-import org.joda.time.DateTime;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.PropertySource;
-import org.springframework.core.env.Environment;
-import org.springframework.core.io.ClassPathResource;
-import org.springframework.http.HttpStatus;
-import org.springframework.util.FileCopyUtils;
-import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.RestController;
-import org.springframework.web.context.request.WebRequest;
-
-import com.ulisesbocchio.jasyptspringboot.annotation.EnableEncryptableProperties;
-
-import io.shiftleft.data.DataLoader;
-import io.shiftleft.exception.CustomerNotFoundException;
-import io.shiftleft.exception.InvalidCustomerRequestException;
-import io.shiftleft.model.Customer;
-import io.shiftleft.repository.CustomerRepository;
-
-import org.springframework.web.util.HtmlUtils;
-
-/**
- * Customer Controller exposes a series of RESTful endpoints
- */
-
-@Configuration
-@EnableEncryptableProperties
-@PropertySource({ "classpath:config/application-sfdc.properties" })
-@RestController
-public class CustomerController {
-
- @Autowired
- private CustomerRepository customerRepository;
-
- @Autowired
- Environment env;
-
- private static Logger log = LoggerFactory.getLogger(CustomerController.class);
-
- @PostConstruct
- public void init() {
- log.info("Start Loading SalesForce Properties");
- log.info("Url is {}", env.getProperty("sfdc.url"));
- log.info("UserName is {}", env.getProperty("sfdc.username"));
- log.info("Password is {}", env.getProperty("sfdc.password"));
- log.info("End Loading SalesForce Properties");
- }
-
- private void dispatchEventToSalesForce(String event)
- throws ClientProtocolException, IOException, AuthenticationException {
- CloseableHttpClient client = HttpClients.createDefault();
- HttpPost httpPost = new HttpPost(env.getProperty("sfdc.url"));
- httpPost.setEntity(new StringEntity(event));
- UsernamePasswordCredentials creds = new UsernamePasswordCredentials(env.getProperty("sfdc.username"),
- env.getProperty("sfdc.password"));
- httpPost.addHeader(new BasicScheme().authenticate(creds, httpPost, null));
-
- CloseableHttpResponse response = client.execute(httpPost);
- log.info("Response from SFDC is {}", response.getStatusLine().getStatusCode());
- client.close();
- }
-
- /**
- * Get customer using id. Returns HTTP 404 if customer not found
- *
- * @param customerId
- * @return retrieved customer
- */
- @RequestMapping(value = "/customers/{customerId}", method = RequestMethod.GET)
- public Customer getCustomer(@PathVariable("customerId") Long customerId) {
-
- /* validate customer Id parameter */
- if (null == customerId) {
- throw new InvalidCustomerRequestException();
- }
-
- Customer customer = customerRepository.findOne(customerId);
- if (null == customer) {
- throw new CustomerNotFoundException();
- }
-
- Account account = new Account(4242l,1234, "savings", 1, 0);
- log.info("Account Data is {}", account);
- log.info("Customer Data is {}", customer);
-
- try {
- dispatchEventToSalesForce(String.format(" Customer %s Logged into SalesForce", customer));
- } catch (Exception e) {
- log.error("Failed to Dispatch Event to SalesForce . Details {} ", e.getLocalizedMessage());
-
- }
-
- return customer;
- }
-
- /**
- * Handler for / loads the index.tpl
- * @param httpResponse
- * @param request
- * @return
- * @throws IOException
- */
- @RequestMapping(value = "/", method = RequestMethod.GET)
- public String index(HttpServletResponse httpResponse, WebRequest request) throws IOException {
- ClassPathResource cpr = new ClassPathResource("static/index.html");
- String ret = "";
- try {
- byte[] bdata = FileCopyUtils.copyToByteArray(cpr.getInputStream());
- ret= new String(bdata, StandardCharsets.UTF_8);
- } catch (IOException e) {
- //LOG.warn("IOException", e);
- }
- return ret;
- }
-
- /**
- * Check if settings= is present in cookie
- * @param request
- * @return
- */
- private boolean checkCookie(WebRequest request) throws Exception {
- try {
- return request.getHeader("Cookie").startsWith("settings=");
- }
- catch (Exception ex)
- {
- System.out.println(ex.getMessage());
- }
- return false;
- }
-
- /**
- * restores the preferences on the filesystem
- *
- * @param httpResponse
- * @param request
- * @throws Exception
- */
- @RequestMapping(value = "/loadSettings", method = RequestMethod.GET)
- public void loadSettings(HttpServletResponse httpResponse, WebRequest request) throws Exception {
- // get cookie values
- if (!checkCookie(request)) {
- httpResponse.getOutputStream().println("Error");
- throw new Exception("cookie is incorrect");
- }
- String md5sum = request.getHeader("Cookie").substring("settings=".length(), 41);
- ClassPathResource cpr = new ClassPathResource("static");
- File folder = new File(cpr.getPath());
- File[] listOfFiles = folder.listFiles();
- String filecontent = new String();
- for (File f : listOfFiles) {
- // not efficient, i know
- filecontent = new String();
- byte[] encoded = Files.readAllBytes(f.toPath());
- filecontent = new String(encoded, StandardCharsets.UTF_8);
- if (filecontent.contains(md5sum)) {
- // this will send me to the developer hell (if exists)
-
- // encode the file settings, md5sum is removed
- String s = new String(Base64.getEncoder().encode(filecontent.replace(md5sum, "").getBytes()));
- // setting the new cookie
- httpResponse.setHeader("Cookie", "settings=" + s + "," + md5sum);
- return;
- }
- }
- }
-
-
- /**
- * Saves the preferences (screen resolution, language..) on the filesystem
- *
- * @param httpResponse
- * @param request
- * @throws Exception
- */
- @RequestMapping(value = "/saveSettings", method = RequestMethod.GET)
+@RequestMapping(value = "/saveSettings", method = RequestMethod.GET)
public void saveSettings(HttpServletResponse httpResponse, WebRequest request) throws Exception {
// "Settings" will be stored in a cookie
// schema: base64(filename,value1,value2...), md5sum(base64(filename,value1,value2...))
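Review bot: After this hunk the new side of the file is `package io.shiftleft.controller;` followed directly by `@RequestMapping(...)` and `public void saveSettings(...)` with no enclosing class, and every import the surviving method relies on (`HttpServletResponse`, `WebRequest`, `RequestMapping`/`RequestMethod`, `DigestUtils`, `Base64`, `ClassPathResource`, `File`, `FileOutputStream`) is deleted, so the file cannot compile. If the intent is to strip the controller down to this one endpoint, keep `@RestController public class CustomerController {` plus those imports, and keep the closing `}` that a later hunk of this diff also removes. The saveSettings body continues outside this hunk.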
@@ -228,8 +12,8 @@ public void saveSettings(HttpServletResponse httpResponse, WebRequest request) t
String settingsCookie = request.getHeader("Cookie");
String[] cookie = settingsCookie.split(",");
- if(cookie.length<2) {
- httpResponse.getOutputStream().println("Malformed cookie");
+if(cookie.length<2) {
+ httpResponse.getOutputStream().println("Malformed cookie");
throw new Exception("cookie is incorrect");
}
@@ -238,7 +22,7 @@ public void saveSettings(HttpServletResponse httpResponse, WebRequest request) t
// Check md5sum
String cookieMD5sum = cookie[1];
String calcMD5Sum = DigestUtils.md5Hex(base64txt);
- if(!cookieMD5sum.equals(calcMD5Sum))
+if(!cookieMD5sum.equals(calcMD5Sum))
{
httpResponse.getOutputStream().println("Wrong md5");
throw new Exception("Invalid MD5");
@@ -246,9 +30,17 @@ public void saveSettings(HttpServletResponse httpResponse, WebRequest request) t
// Now we can store on filesystem
String[] settings = new String(Base64.getDecoder().decode(base64txt)).split(",");
- // storage will have ClassPathResource as basepath
+// storage will have ClassPathResource as basepath
ClassPathResource cpr = new ClassPathResource("./static/");
- File file = new File(cpr.getPath()+settings[0]);
+
+ // Whitelist the filename to prevent directory traversal
+ String filename = settings[0];
+ if(!filename.matches("[a-zA-Z0-9._-]+")) {
+ httpResponse.getOutputStream().println("Invalid filename");
+ throw new Exception("Filename contains invalid characters");
+ }
+
+ File file = new File(cpr.getPath()+filename);
if(!file.exists()) {
file.getParentFile().mkdirs();
}
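Review bot: The whitelist `[a-zA-Z0-9._-]+` still accepts `..` and `.`, so a `settings[0]` of `..` passes the check and `./static/..` resolves to the parent directory; and because the `md5sum` in the cookie is computed over attacker-supplied base64 with no secret, nothing upstream makes `filename` trustworthy. Reject those two names explicitly and, as a belt-and-braces check, canonicalize the final path and confirm it still starts with the canonical `static` base before opening it, as sketched below. saveSettings continues outside this hunk, and writing caller-controlled content into the served `static/` directory at all is worth a separate look.
```java
    ClassPathResource cpr = new ClassPathResource("./static/");

    // Whitelist the filename and reject the two names the charset still admits
    String filename = settings[0];
    if (!filename.matches("[a-zA-Z0-9._-]+") || filename.equals(".") || filename.equals("..")) {
        httpResponse.getOutputStream().println("Invalid filename");
        throw new Exception("Filename contains invalid characters");
    }

    // Resolve and confirm the target is still inside the base directory
    File base = new File(cpr.getPath()).getCanonicalFile();
    File file = new File(base, filename).getCanonicalFile();
    if (!file.toPath().startsWith(base.toPath())) {
        httpResponse.getOutputStream().println("Invalid filename");
        throw new Exception("Filename escapes settings directory");
    }
    // … unchanged: mkdirs and write …
```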
@@ -262,129 +54,3 @@ public void saveSettings(HttpServletResponse httpResponse, WebRequest request) t
fos.close();
httpResponse.getOutputStream().println("Settings Saved");
}
-
- /**
- * Debug test for saving and reading a customer
- *
- * @param firstName String
- * @param lastName String
- * @param dateOfBirth String
- * @param ssn String
- * @param tin String
- * @param phoneNumber String
- * @param httpResponse
- * @param request
- * @return String
- * @throws IOException
- */
- @RequestMapping(value = "/debug", method = RequestMethod.GET)
- public String debug(@RequestParam String customerId,
- @RequestParam int clientId,
- @RequestParam String firstName,
- @RequestParam String lastName,
- @RequestParam String dateOfBirth,
- @RequestParam String ssn,
- @RequestParam String socialSecurityNum,
- @RequestParam String tin,
- @RequestParam String phoneNumber,
- HttpServletResponse httpResponse,
- WebRequest request) throws IOException{
-
- // empty for now, because we debug
- Set accounts1 = new HashSet();
- //dateofbirth example -> "1982-01-10"
- Customer customer1 = new Customer(customerId, clientId, firstName, lastName, DateTime.parse(dateOfBirth).toDate(),
- ssn, socialSecurityNum, tin, phoneNumber, new Address("Debug str",
- "", "Debug city", "CA", "12345"),
- accounts1);
-
- customerRepository.save(customer1);
- httpResponse.setStatus(HttpStatus.CREATED.value());
- httpResponse.setHeader("Location", String.format("%s/customers/%s",
- request.getContextPath(), customer1.getId()));
-
- return customer1.toString().toLowerCase().replace("script","");
- }
-
- /**
- * Debug test for saving and reading a customer
- *
- * @param firstName String
- * @param httpResponse
- * @param request
- * @return void
- * @throws IOException
- */
- @RequestMapping(value = "/debugEscaped", method = RequestMethod.GET)
- public void debugEscaped(@RequestParam String firstName, HttpServletResponse httpResponse,
- WebRequest request) throws IOException{
- String escaped = HtmlUtils.htmlEscape(firstName);
- System.out.println(escaped);
- httpResponse.getOutputStream().println(escaped);
- }
- /**
- * Gets all customers.
- *
- * @return the customers
- */
- @RequestMapping(value = "/customers", method = RequestMethod.GET)
- public List getCustomers() {
- return (List) customerRepository.findAll();
- }
-
- /**
- * Create a new customer and return in response with HTTP 201
- *
- * @param the
- * customer
- * @return created customer
- */
- @RequestMapping(value = { "/customers" }, method = { RequestMethod.POST })
- public Customer createCustomer(@RequestParam Customer customer, HttpServletResponse httpResponse,
- WebRequest request) {
-
- Customer createdcustomer = null;
- createdcustomer = customerRepository.save(customer);
- httpResponse.setStatus(HttpStatus.CREATED.value());
- httpResponse.setHeader("Location",
- String.format("%s/customers/%s", request.getContextPath(), customer.getId()));
-
- return createdcustomer;
- }
-
- /**
- * Update customer with given customer id.
- *
- * @param customer
- * the customer
- */
- @RequestMapping(value = { "/customers/{customerId}" }, method = { RequestMethod.PUT })
- public void updateCustomer(@RequestBody Customer customer, @PathVariable("customerId") Long customerId,
- HttpServletResponse httpResponse) {
-
- if (!customerRepository.exists(customerId)) {
- httpResponse.setStatus(HttpStatus.NOT_FOUND.value());
- } else {
- customerRepository.save(customer);
- httpResponse.setStatus(HttpStatus.NO_CONTENT.value());
- }
- }
-
- /**
- * Deletes the customer with given customer id if it exists and returns
- * HTTP204.
- *
- * @param customerId
- * the customer id
- */
- @RequestMapping(value = "/customers/{customerId}", method = RequestMethod.DELETE)
- public void removeCustomer(@PathVariable("customerId") Long customerId, HttpServletResponse httpResponse) {
-
- if (customerRepository.exists(customerId)) {
- customerRepository.delete(customerId);
- }
-
- httpResponse.setStatus(HttpStatus.NO_CONTENT.value());
- }
-
-}