Feature/security scanning (#697)
* Add FINOS Security Actions (#693)

* add security scanning action

* add dependencycheck

* add renovate.json + change analyze to aggregate

* change action to also trigger on PR

Co-authored-by: Maurizio Pillitu <maoo@finos.org>

* Add renovate.json (#696)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Fix security scanning issues

Fix a security scanning reported issue in PresentationMLParser.java

Update semgrep config to ignore files in template and example folders

Use dashboardapproval feature from renovate bot

* Remove check on push action, keep it only for pull request

Ignore two issues detected in the code

* Ignore false positive CVE and non-fix-version CVE

Co-authored-by: Juan Estrella <juan.estrella@finos.org>
Co-authored-by: Maurizio Pillitu <maoo@finos.org>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
4 people authored Dec 5, 2022
1 parent 2245c64 commit 15cf3ad
Showing 10 changed files with 141 additions and 2 deletions.
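--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -0,0 +1,3 @@
+{
+"dependencyDashboardApproval": true
+}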
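Review bot: This file duplicates the root `renovate.json` added in the same commit, which already extends `:dependencyDashboardApproval`. Renovate reads a single configuration file and, as far as I recall its lookup order, a root `renovate.json` is found before `.github/renovate.json`, so this copy would be silently ignored and later edits to it would have no effect. Keeping only one of the two files avoids two sources of truth for the bot's behaviour.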
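--- a/.github/workflows/cve-scanning-gradle.yml
+++ b/.github/workflows/cve-scanning-gradle.yml
@@ -0,0 +1,27 @@
+name: CVE Scanning for Gradle
+
+on:
+schedule:
+- cron: '0 8,18 * * 1-5'
+pull_request:
+branches: [ main ]
+paths:
+- '**/build.gradle'
+- 'allow-list.xml'
+- '.github/workflows/cve-scanning-gradle.yml'
+
+jobs:
+scan:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v3
+- name: Set up JDK 11
+uses: actions/setup-java@v3
+with:
+java-version: '8'
+distribution: 'adopt'
+- name: Build with Gradle
+run: ./gradlew build
+- name: CVEs
+run: ./gradlew dependencyCheckAggregate
+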
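Review bot: The step named `Set up JDK 11` installs `java-version: '8'`, so either the name or the version is wrong; whichever is intended, the two should agree (`- name: Set up JDK 8` if Java 8 is the build target). The workflow also declares no `permissions:` block, so the job runs with the repository's default token scope although it only needs to read the checkout; a top-level `permissions:` block with `contents: read` limits it. Lastly, `./gradlew build` runs the full build and tests before `dependencyCheckAggregate`, which as far as I know only needs resolved dependency metadata, so the twice-daily scheduled run could be shortened by invoking the scan task alone.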
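--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,15 @@
+name: Static code analysis
+
+on: [pull_request]
+
+jobs:
+semgrep:
+name: run-semgrep
+runs-on: ubuntu-20.04
+container:
+image: returntocorp/semgrep
+steps:
+- uses: actions/checkout@v3
+- run: semgrep scan --error --config auto
+env:
+SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}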
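Review bot: `semgrep scan --error --config auto` lets the registry choose the rule set at run time, so the findings that fail a pull request can change between runs with no code change in this repository; pinning a named ruleset (for example `--config p/default`) keeps the gate reproducible and reviewable. The job also has no `permissions:` block, and `contents: read` is all a read-only scan needs. For pull requests from forks the `SEMGREP_APP_TOKEN` secret is not exposed, so the step will, I believe, run unauthenticated there; worth confirming that it still passes rather than failing on an empty token.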
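--- a/.semgrepignore
+++ b/.semgrepignore
@@ -0,0 +1,29 @@
+# Common large paths
+symphony-bdk-examples/
+templates/
+
+# Common test paths
+test/
+
+# Semgrep rules folder
+.semgrep
+
+
+# generic.secrets.security.detected-aws-session-token.detected-aws-session-token
+# AWS Session Token detected
+# Details: https://sg.run/DoRW
+
+# 30┆ final String appSessionToken = ...;
+# ⋮┆----------------------------------------
+# 40┆ final String appSessionToken = ...;
+symphony-bdk-core/src/main/java/com/symphony/bdk/core/auth/impl/AbstractOboAuthenticator.java
+
+# problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions1.disallow-old-tls-versions1
+# Detects direct creations of SSLConnectionSocketFactories that don't disallow SSL v2, SSL v3,
+# and TLS v1. SSLSocketFactory can be used to validate the identity of the HTTPS server
+# against a list of trusted certificates. These protocols are deprecated due to POODLE, man in
+# the middle attacks, and other vulnerabilities.
+# Details: https://sg.run/l25E
+
+# 240┆ SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext);
+symphony-bdk-http/symphony-bdk-http-jersey2/src/main/java/com/symphony/bdk/http/jersey2/ApiClientBuilderJersey2.java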
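Review bot: The two path entries at the bottom ignore whole source files (`AbstractOboAuthenticator.java`, `ApiClientBuilderJersey2.java`) to silence two specific findings, which also hides any future finding of any rule in those files. Semgrep supports a per-line suppression, `// nosemgrep: <rule-id>` on the flagged line, which scopes the exception to exactly the rule and line documented in the comments above each path. For the `disallow-old-tls-versions1` finding in particular, the alternative to suppressing it would be to pass an explicit protocol list to the `SSLConnectionSocketFactory` constructor; that file is not on this page, so whether the surrounding code permits it is for the authors to judge.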
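--- a/allow-list.xml
+++ b/allow-list.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+<suppress>
+<notes><![CDATA[
+Testing false positive, transitive dependency from mockserver-netty
+]]></notes>
+<gav>org.apache.commons:commons-text:1.9</gav>
+<cve>CVE-2022-42889</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[
+No fix available
+]]></notes>
+<gav>org.yaml:snakeyaml:1.30</gav>
+<cve>CVE-2022-25857</cve>
+<cve>CVE-2022-38751</cve>
+<cve>CVE-2022-38749</cve>
+<cve>CVE-2022-38752</cve>
+<cve>CVE-2022-41854</cve>
+<cve>CVE-2022-38750</cve>
+<cve>CVE-2022-1471</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[
+No fix available
+]]></notes>
+<gav>org.yaml:snakeyaml:1.31</gav>
+<cve>CVE-2022-38751</cve>
+<cve>CVE-2022-38752</cve>
+<cve>CVE-2022-41854</cve>
+<cve>CVE-2022-1471</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[
+Testing false positives by suppressing a CVE
+https://github.com/jeremylong/DependencyCheck/issues/4528 (Do not use deprecated method)
+]]></notes>
+<gav>org.springframework.security:spring-security-crypto:5.7.5</gav>
+<cve>CVE-2020-5408</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[
+Testing false positives by suppressing a CVE
+https://github.com/spring-projects/spring-framework/issues/24434 (Do not expose HttpInvoker)
+]]></notes>
+<gav>org.springframework:spring-web:5.3.24</gav>
+<cve>CVE-2016-1000027</cve>
+</suppress>
+</suppressions>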
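Review bot: None of the `<suppress>` entries carries an expiry, so the snakeyaml entries justified by "No fix available" will keep passing `dependencyCheckAggregate` unchanged after a fixed release ships. The suppression schema supports an `until` attribute (`<suppress until="<YYYY-MM-DD>">`, date to be chosen by the authors) that makes the entry lapse and forces a re-review; I would add it at least to the two `No fix available` entries. It would also help to record in each `<notes>` who confirmed the assessment and how, since these entries bypass the `failBuildOnCVSS` gate configured in build.gradle.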
6 changes: 6 additions & 0 deletions build.gradle
@@ -1,5 +1,6 @@
plugins {
id "io.codearte.nexus-staging" version "0.22.0"
id "org.owasp.dependencycheck" version "7.3.2"
}

ext.projectVersion = '2.12.0-SNAPSHOT'
Expand Down Expand Up @@ -48,3 +49,8 @@ nexusStaging {
repositories {
mavenCentral()
}

dependencyCheck {
failBuildOnCVSS=5
suppressionFile="./allow-list.xml"
}
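Review bot: The `dependencyCheck` block sets `failBuildOnCVSS=5` with nothing explaining why the medium threshold was chosen or that `allow-list.xml` lets individual CVEs through it; I would write `failBuildOnCVSS = 5 // fail on medium (>= 5) or higher; per-CVE exceptions live in allow-list.xml` so the policy is documented where it is set. The spaced `property = value` form also matches the Gradle style used elsewhere in this file (`ext.projectVersion = ...`).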
Expand Up @@ -2,6 +2,7 @@ plugins {
id 'java'
id 'jacoco'
id "com.github.ben-manes.versions"
id 'project-report'
}

repositories {
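--- a/renovate.json
+++ b/renovate.json
@@ -0,0 +1,8 @@
+{
+"$schema": "https://docs.renovatebot.com/renovate-schema.json",
+"extends": [
+"config:base",
+":dependencyDashboardApproval"
+],
+"prHourlyLimit": 1
+}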
4 changes: 2 additions & 2 deletions symphony-bdk-bom/build.gradle
Expand Up @@ -16,7 +16,7 @@ repositories {

dependencies {
// import Spring Boot's BOM
api platform('org.springframework.boot:spring-boot-dependencies:2.7.5')
api platform('org.springframework.boot:spring-boot-dependencies:2.7.6')
// import Jackson's BOM
api platform('com.fasterxml.jackson:jackson-bom:2.13.4.20221013')
// define all our dependencies versions
Expand Down Expand Up @@ -87,7 +87,7 @@ dependencies {
api 'org.junit.jupiter:junit-jupiter:5.8.2'
api 'org.junit.jupiter:junit-jupiter-engine:5.8.2'
api 'com.tngtech.archunit:archunit-junit5:0.22.0'
api 'org.mock-server:mockserver-netty:5.12.0'
api 'org.mock-server:mockserver-netty:5.14.0'
api 'org.mockito:mockito-core:4.5.1'
api 'org.mockito:mockito-junit-jupiter:4.5.1'
api 'org.assertj:assertj-core:3.22.0'
Expand Up @@ -59,6 +59,7 @@ public static String getTextContent(String presentationML) throws PresentationML
@SneakyThrows
private static DocumentBuilder initBuilder() {
final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
return factory.newDocumentBuilder();
}

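Review bot: `disallow-doctype-decl` is the right primary control against XXE, but `DocumentBuilderFactory.newInstance()` selects the parser implementation from the classpath at run time, and a non-Xerces implementation may not honour that Apache-specific feature; `initBuilder` would be more robust with the standard `XMLConstants.FEATURE_SECURE_PROCESSING` plus the SAX external-entity features and `setXIncludeAware(false)` / `setExpandEntityReferences(false)` as defence in depth (this needs `javax.xml.XMLConstants` imported). Because the method is `@SneakyThrows`, an implementation that rejects a feature surfaces as an unchecked `ParserConfigurationException` at first use; failing closed is acceptable for a hard security requirement, but a comment should say that is intended. The enclosing class continues outside the hunk, and the file name (PresentationMLParser.java, per the commit description) is not shown on this page.
```java
@SneakyThrows
private static DocumentBuilder initBuilder() {
  final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
  // Primary XXE control: without a DOCTYPE no internal or external entities can be declared.
  // An implementation that rejects a feature throws ParserConfigurationException here, which is intended.
  factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
  // Defence in depth for parser implementations that do not honour the Apache feature above.
  factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
  factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
  factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
  factory.setXIncludeAware(false);
  factory.setExpandEntityReferences(false);
  return factory.newDocumentBuilder();
}
```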
