Demo dev

.github/workflows/synopsys-ast.yml

@@ -0,0 +1,77 @@
+name: Synopsys Security Testing for Black Duck
+
+on:
+  push:
+    branches: [ master ]
+
+  pull_request:
+    branches: [ master ]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Java JDK
+        uses: actions/setup-java@v3
+        with:
+          java-version: 11
+          distribution: microsoft
+          cache: maven
+      - name: Synopsys Action Black Duck
+        uses: synopsys-sig/synopsys-action@v1.2.0
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+          blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }}
+          blackduck_url: ${{ secrets.BLACKDUCK_URL }}
+          blackduck_scan_full: false
+          blackduck_automation_fixpr: false
+          blackduck_automation_prcomment: true
+          # Optional parameter, but usually specified - the location of the Synopsys Bridge software
+          # The Synopsys Bridge software distribution is platform specific - this must match the host OS
+          # of your runner. For example in this case, we are using the latest version for Linux.
+          #bridge_download_url: ${{ env.LINUX_BRIDGE_URL }}
+        env:
+      #    DETECT_PROJECT_NAME: ${{ vars.BLACKDUCK_PROJECT }}
+      #    DETECT_PROJECT_VERSION_NAME: demo-dev
+          BLACKDUCK_TRUST_CERT: true
+          #DETECT_BLACKDUCK_RAPID_COMPARE_MODE: BOM_COMPARE_STRICT
+      - name: Synopsys Action Polaris
+        uses: synopsys-sig/synopsys-action@main
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+          polaris_serverUrl: ${{ secrets.POLARIS_SERVER_URL }}
+          polaris_accessToken: ${{ secrets.POLARIS_ACCESS_TOKEN }}
+          polaris_application_name: ${{ vars.POLARIS_APPLICATION_NAME }}
+          polaris_project_name: ${{ vars.POLARIS_PROJECT_NAME }}
+          polaris_assessment_types: ${{ vars.POLARIS_ASSESSMENT_TYPES }}
+          # Waiting for automation
+          #polaris_automation_fixpr: false
+          #polaris_automation_prcomment: true
+          # Optional parameter, but usually specified - the location of the Synopsys Bridge software
+          # The Synopsys Bridge software distribution is platform specific - this must match the host OS
+          # of your runner. For example in this case, we are using the latest version for Linux.
+          #bridge_download_url: ${{ env.LINUX_BRIDGE_URL }}
+      #- name: Synopsys Action Coverity
+      #  uses: synopsys-sig/synopsys-action@v1.1.0
+      #  with:
+      #    github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      #    coverity_url: ${{ secrets.COVERITY_URL }}
+      #    coverity_user: ${{ secrets.COVERITY_USER }}
+      #    coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }}
+      #    coverity_project_name: ${{ vars.COVERITY_PROJECT_NAME }}
+      #    coverity_stream_name: ${{ github.event.repository.name }}-${{ github.base_ref }}
+          # Optionally you may specify the ID number of a saved view to apply as a "break the build" policy.
+          # If any defects are found within this view when applied to the project, the build will be failed
+          # with an exit code.
+          #coverity_policy_view: 100001
+          # Below fields are optional
+          #coverity_repository_name: ${{ secrets.COVERITY_REPOSITORY_NAME }}
+          #coverity_branch_name: ${{ secrets.COVERITY_BRANCH_NAME }}

README.md

@@ -1,3 +1,5 @@
+# Target Project for Synopsys Github Actions Test
+
 # Java Sec Code
 
 

src/main/java/org/joychou/RMI/Server.java

@@ -20,7 +20,7 @@ public static void main(String args[]) {
             LocateRegistry.createRegistry(1099);
             Registry registry = LocateRegistry.getRegistry();
             registry.bind("Hello", stub);
-            System.out.println("绑定1099端口成功");
+            System.out.println("绑定1099端口成功. It is probably saying successful creation of registory.");
         } catch (Exception e) {
             System.err.println("Server exception: " + e.toString());
             e.printStackTrace();

src/main/java/org/joychou/synopsys-action-demo/ForwardNullExample.java

@@ -0,0 +1,15 @@
+public class ForwardNullExample {
+    public static Object callA() {
+        // This causes a FORWARD_NULL defect report
+        return testA(null);
+    }
+
+    public static Object callB() {
+        // No defect report
+        return testA(new Object());
+    }
+
+    public static String testA(Object o) {
+        return o.toString();
+    }
+}

src/main/java/org/joychou/synopsys-action-demo/HelloWorld.java

@@ -0,0 +1,8 @@
+public class HelloWorld {
+    public static void main(String[] args) {
+        //String secret = "It's a secret to everybody.";
+        //try { javax.crypto.spec.SecretKeySpec keyspec = new javax.crypto.spec.SecretKeySpec(secret.getBytes("UTF-8"), "AES"); }
+        //catch (Exception e) { System.out.println("Something went wrong."); }
+        System.out.println("Hello World!");
+    }
+}

src/main/java/org/joychou/synopsys-action-demo/NullReturnsExample.java

@@ -0,0 +1,18 @@
+public class NullReturnsExample {
+    static int count = 0;
+
+    public static Object returnA() {
+        return null;
+    }
+    public static Object returnB() {
+        return new Object();
+    }
+    public static void testA() {
+        // This demonstrates a very straightforward null-return bug
+        returnA().toString();
+    }
+    public static void testB() {
+        // no bug here
+        returnB().toString();
+    }
+}

src/main/java/org/joychou/synopsys-action-demo/ReverseNullExample.java

@@ -0,0 +1,18 @@
+public class ReverseNullExample {
+    public static Object callA(Object o) {
+        return "hi";
+    }
+    public static Object callB(Object o) {
+        return o.toString();
+    }
+
+    public static String testA(Object o) {
+        // callB dereferences o, making the later check a bug
+        // if this were callA, no bug would be reported here.
+        System.out.println(callB(o));
+        if( o == null ) {
+            System.out.println("It's null");
+        }
+        return "done";
+    }
+}