From 2b99f4b8cac08e306185658e5a3baeb9eeb019b7 Mon Sep 17 00:00:00 2001 From: rakeshkumar1019 Date: Thu, 21 Mar 2024 17:31:16 +0530 Subject: [PATCH 1/7] WEBUI-1377: integrate veracode in github action --- .github/workflows/veracode.yml | 145 ++++++++++++++++++--------------- 1 file changed, 81 insertions(+), 64 deletions(-) diff --git a/.github/workflows/veracode.yml b/.github/workflows/veracode.yml index 9b3ab5e9d3..beea194ca9 100644 --- a/.github/workflows/veracode.yml +++ b/.github/workflows/veracode.yml @@ -12,8 +12,8 @@ on: # The branches below must be a subset of the branches above branches: [ "maintenance-3.0.x" ] schedule: - # At 01:00 on Sunday - - cron: '0 1 * * SUN' + # At 20:00 every day + - cron: '0 20 * * *' workflow_call: inputs: branch: @@ -48,13 +48,13 @@ permissions: jobs: # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter - sast-scan: + sast-scan-build: # The type of runner that the job will run on permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - runs-on: ubuntu-latest + runs-on: [self-hosted, master] steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps @@ -65,7 +65,7 @@ jobs: - uses: actions/setup-node@v1 with: registry-url: ${{ env.NPM_REPOSITORY }} - node-version: 14 + node-version: 18 scope: '@nuxeo' - uses: actions/setup-java@v2 @@ -113,6 +113,19 @@ jobs: echo "ELEMENTS_HELPERS=$(npm pack 2>&1 | tail -1)" >> $GITHUB_ENV popd popd + + - name: add .npmrc + run: | + pushd /tmp/_temp/ + rm .npmrc + touch .npmrc + popd + echo ' + packages.nuxeo.com/repository/npm-public/:_auth=${NODE_AUTH_TOKEN} + @nuxeo:registry=https://packages.nuxeo.com/repository/npm-public/ + always-auth=true + ' >> /tmp/_temp/.npmrc + - name: Link elements to Web UI run: | npm install --no-package-lock --@nuxeo:registry="${{ env.NPM_REPOSITORY }}" nuxeo-elements/core/${ELEMENTS_CORE} @@ -130,64 +143,68 @@ jobs: ' > ~/.m2/settings.xml - - name: Nuxeo package build - run: mvn install -DskipInstall - - name: Archive packages + + - name: Delete Node Modules + run: | + rm -rf node_modules + rm -rf packages/nuxeo-designer-catalog/node_modules + rm -rf packages/nuxeo-web-ui-ftest/node_modules + rm -rf plugin/a11y/node_modules + + - name: Delete Test Folders + run: | + rm -rf nuxeo-elements/testing-helpers/ + rm -rf nuxeo-elements/ui/test/ + rm -rf nuxeo-elements/storybook/ + rm -rf ftest/ + rm -rf plugin/ + rm -rf scripts/ + rm -rf test/ + rm -rf packages/nuxeo-web-ui-ftest/ + + - name: Install zip + run: apt-get install zip + + - name: Zip nuxeo-web-ui + run: | + echo nuxeo-web-ui-${{ steps.get-tag.outputs.TAG }}.zip + zip -r nuxeo-web-ui.zip * + + - name: Upload ZIP as artifact uses: actions/upload-artifact@v2 with: - name: packages - path: | - plugin/web-ui/marketplace/target/nuxeo-web-ui-marketplace-*.zip - - # download the Veracode Static Analysis Pipeline scan jar - - run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip - - run: unzip -o pipeline-scan-LATEST.zip - - name: Code Scanning - id: code_scanning - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --summary_output=true --file plugin/web-ui/marketplace/target/nuxeo-web-ui-marketplace-*.zip - continue-on-error: true - - name: Convert pipeline scan output to SARIF format - id: convert - uses: Veracode/veracode-pipeline-scan-results-to-sarif@v1.0.5 - with: - pipeline-results-json: results.json - output-results-sarif: veracode-results.sarif - finding-rule-level: "4:3:0" - - name: Upload SARIF file to repository - uses: github/codeql-action/upload-sarif@v2 - with: - # Path to SARIF file relative to the root of the repository - sarif_file: veracode-results.sarif - - name: Slack notification - if: (github.event_name == 'pull_request' || github.event_name == 'schedule') - uses: slackapi/slack-github-action@v1.23.0 - env: - REPO_URL: ${{ github.server_url }}/${{ github.repository }} - SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} - with: - channel-id: ${{ env.SLACK_CHANNEL_ID }} - payload: | - { - "text": "<${{ env.REPO_URL }}/actions/runs/${{ github.run_id }}|Code scanning> ${{ steps.code_scanning.outcome }} in nuxeo/nuxeo-web-ui <${{ env.REPO_URL }}/commit/${{ github.sha }}|${{ github.ref_name }}>", - "blocks": [ - { - "type": "section", - "text": { - "type": "mrkdwn", - "text": "<${{ env.REPO_URL }}/actions/runs/${{ github.run_id }}|Code scanning> ${{ job.status }} in nuxeo/nuxeo-WEB-UI <${{ env.REPO_URL }}/commit/${{ github.sha }}|${{ github.ref_name }}>" - } - } - ] - } - - name: Send scan result summary to slack - uses: crederauk/slack-workflow-summary@v1.2.2 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} - - name: Send scan result file to slack - uses: adrey/slack-file-upload-action@master - with: - token: ${{ secrets.SLACK_BOT_TOKEN }} - path: results.txt - channel: ${{ secrets.SLACK_CHANNEL_ID }} + name: nuxeo-web-ui + path: nuxeo-web-ui.zip + + sast-scan: + needs: sast-scan-build + permissions: + contents: read + security-events: write + actions: read + runs-on: ubuntu-latest + steps: + - name: Download artifact + uses: actions/download-artifact@v2 + with: + name: nuxeo-web-ui + path: . + + - name: List downloaded artifact + run: | + ls -l + pwd + + - name: Veracode Upload And Scan + uses: veracode/veracode-uploadandscan-action@0.2.6 + with: + appname: 'Nuxeo Web UI' + createprofile: false + filepath: 'nuxeo-web-ui.zip' + vid: '${{ secrets.VERACODE_SECRET_API_ID }}' + vkey: '${{ secrets.VERACODE_SECRET_KEY }}' + sandboxname: 'master' + scantimeout: 600 + include: '*.war, *.zip, *.js, *.html, *.css, *.json' + criticality: 'High' + includenewmodules: 'true' \ No newline at end of file From c87a5e4b18f901d1e9114bdc7e0f0772c0cd6f51 Mon Sep 17 00:00:00 2001 From: alokhyland Date: Tue, 14 May 2024 13:59:05 +0530 Subject: [PATCH 2/7] WEBUI-1511: Own Code Static Scan : Open Redirect --- elements/routing.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/elements/routing.js b/elements/routing.js index 6585010dea..1f7e5ece4e 100644 --- a/elements/routing.js +++ b/elements/routing.js @@ -196,7 +196,7 @@ app.router = { } const isFullpath = /^http(s)?:\/\//.test(path); if (isFullpath) { - window.location = path; + window.location = encodeURI(path); } else { page(path); } From 4f5e5dcff5758baedbc1d9bce0f1b0186f44bebf Mon Sep 17 00:00:00 2001 From: alokhyland Date: Thu, 16 May 2024 14:15:56 +0530 Subject: [PATCH 3/7] WEBUI-1511: Own Code Static Scan : Open Redirect-2 --- elements/routing.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/elements/routing.js b/elements/routing.js index 1f7e5ece4e..6585010dea 100644 --- a/elements/routing.js +++ b/elements/routing.js @@ -196,7 +196,7 @@ app.router = { } const isFullpath = /^http(s)?:\/\//.test(path); if (isFullpath) { - window.location = encodeURI(path); + window.location = path; } else { page(path); } From 04130e118c5c24933f76995f17b123cfb81769d6 Mon Sep 17 00:00:00 2001 From: alokhyland Date: Fri, 17 May 2024 13:53:20 +0530 Subject: [PATCH 4/7] WEBUI-1511: Own Code Static Scan : Open Redirect-3 --- elements/routing.js | 1 + 1 file changed, 1 insertion(+) diff --git a/elements/routing.js b/elements/routing.js index 6585010dea..864e1ff88d 100644 --- a/elements/routing.js +++ b/elements/routing.js @@ -16,6 +16,7 @@ See the License for the specific language governing permissions and limitations under the License. */ import page from '@nuxeo/page/page.mjs'; +import { escapeHTML } from '@nuxeo/nuxeo-ui-elements/widgets/nuxeo-selectivity.js'; const { app } = Nuxeo.UI; From 3e919b9be7cd793401b6a2326eb94bdb42232873 Mon Sep 17 00:00:00 2001 From: alokhyland Date: Mon, 20 May 2024 17:58:11 +0530 Subject: [PATCH 5/7] WEBUI-1511: Own Code Static Scan : Open Redirect-4 --- elements/routing.js | 1 - 1 file changed, 1 deletion(-) diff --git a/elements/routing.js b/elements/routing.js index 864e1ff88d..6585010dea 100644 --- a/elements/routing.js +++ b/elements/routing.js @@ -16,7 +16,6 @@ See the License for the specific language governing permissions and limitations under the License. */ import page from '@nuxeo/page/page.mjs'; -import { escapeHTML } from '@nuxeo/nuxeo-ui-elements/widgets/nuxeo-selectivity.js'; const { app } = Nuxeo.UI; From dcd0bab264e621745512237c79608ea52b73921d Mon Sep 17 00:00:00 2001 From: alokhyland Date: Thu, 6 Jun 2024 17:45:55 +0530 Subject: [PATCH 6/7] trigger-scan 1 --- index.html | 1 + 1 file changed, 1 insertion(+) diff --git a/index.html b/index.html index 4d6fd00122..f16f5d2bbc 100644 --- a/index.html +++ b/index.html @@ -149,6 +149,7 @@ From ecf3c0a6c5bb0033d2287e115aa503fadaa32d77 Mon Sep 17 00:00:00 2001 From: alokhyland Date: Mon, 10 Jun 2024 15:40:07 +0530 Subject: [PATCH 7/7] changes in index.html --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index f16f5d2bbc..4bae2e4ea8 100644 --- a/index.html +++ b/index.html @@ -149,7 +149,7 @@