Triage2

.github/workflows/main.yml

@@ -0,0 +1,54 @@
+# This is a basic workflow to help you get started with Actions
+name: CxFlow
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the master branch
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v2
+
+      # Cxflow Action
+      - name: Checkmarx CxFlow Action
+        # You may pin to the exact commit or the version.
+        # uses: checkmarx-ts/checkmarx-cxflow-github-action@95d2a8c86d754ddbccc638a7e1bb8e99a8d2244f
+        uses: checkmarx-ts/checkmarx-cxflow-github-action@v1.1
+        with:
+          scanners: sast
+          # Provide Checkmarx URL
+          checkmarx_url: ${{secrets.CHECKMARX_URL}}
+          # Provide team
+          team: /CxServer
+          # Provide Checkmarx Username
+          checkmarx_username: ${{secrets.CHECKMARX_USERNAME}}
+          # Provide Checkmarx Password
+          checkmarx_password: ${{secrets.CHECKMARX_PASSWORD}}
+          # Provide Checkmarx Client Secret
+          checkmarx_client_secret: ${{secrets.CHECKMARX_CLIENT_SECRET}}
+          # Select a Checkmarx Project
+          project: WebGoat-GitHub-action
+          # Select an Application Name used by downstream bug tracker systems
+          app: WebGoat
+          # Select a Checkmarx Preset
+          #preset: # optional, default is Checkmarx Default
+          # Break build based on Checkmarx findings?
+          #break_build: # optional
+          # Incremental Scans?
+          incremental: true
+          # GitHub API Token (note: you don't have to create secrets.GITHUB_TOKEN, it is created automatically and will not appear in your repo's custom secrets)
+          github_token: ${{secrets.GITHUB_TOKEN}}
+          # extra parameters
+          params: --bug-tracker=jira --config=cx.config --repo-name=WebGoat --branch=master --jira.url=${{secrets.JIRA_URL}} --jira.username=${{secrets.JIRA_USER}} --jira.token=${{secrets.JIRA_TOKEN}}

Dockerfile.dockerfile

@@ -0,0 +1,20 @@
+# Use an official Node.js runtime as the parent image
+FROM node:16
+
+# Set the working directory in the container
+WORKDIR /usr/src/app
+
+# Copy the package.json and package-lock.json to the working directory
+COPY package*.json ./
+
+# Install the app dependencies inside the container
+RUN npm install
+
+# Copy the rest of the application code into the container
+COPY . .
+
+# Specify the port the app runs on
+EXPOSE 3000
+
+# Define the command to run the app
+CMD ["node", "app.js"]

README

@@ -1,6 +1,7 @@
 ***************************** Webgoat.NET **********************************
 * Source Code: https://github.com/jerryhoff/WebGoat.NET
 * Download zip: https://github.com/jerryhoff/WebGoat.NET/zipball/master
+*adding an additional line to kick off a scan.
 ****************************************************************************
 
 This web application is a learning platform that attempts to teach about

WebGoat/AddNewUser.aspx.cs

@@ -9,7 +9,7 @@
 using System.Web.UI.HtmlControls;
 using System.Web.UI.WebControls;
 using System.Web.UI.WebControls.WebParts;
-
+// adding a comment
 namespace OWASP.WebGoat.NET
 {
 	public partial class AddNewUser : System.Web.UI.Page

WebGoat/App_Code/DB/MySqlDbProvider.cs

@@ -347,24 +347,13 @@ public string GetPasswordByEmail(string email)
             string result = string.Empty;
             try
             {
-
                 using (MySqlConnection connection = new MySqlConnection(_connectionString))
                 {
-                    //get data
-                    string sql = "select * from CustomerLogin where email = '" + email + "';";
-                    MySqlDataAdapter da = new MySqlDataAdapter(sql, connection);
-                    DataSet ds = new DataSet();
-                    da.Fill(ds);
-
-                    //check if email address exists
-                    if (ds.Tables[0].Rows.Count == 0)
-                    {
-                        result = "Email Address Not Found!";
-                    }
-
-                    string encoded_password = ds.Tables[0].Rows[0]["Password"].ToString();
-                    string decoded_password = Encoder.Decode(encoded_password);
-                    result = decoded_password;
+                    string sql = "select * from CustomerLogin where email = @Email;";
+                    MySqlCommand command = new MySqlCommand(sql, connection);
+                    command.Parameters.AddWithValue("@Email", email);
+
+                    // continue with executing the query
                 }
             }
             catch (Exception ex)

WebGoat/Code/DatabaseUtilities.cs

@@ -9,6 +9,8 @@
 using System.Configuration;
 using Mono.Data.Sqlite;
 
+//adding comment
+
 namespace OWASP.WebGoat.NET
 {
 	public class DatabaseUtilities
@@ -250,4 +252,4 @@ public DataTable GetPostingByID(int id)
 		}
 
 	}
-}
+}

cx.config

@@ -0,0 +1,34 @@
+{
+  "application": "WebGoat",
+  "branches": ["develop", "master"],
+  "bugTracker": "JIRA",
+  "jira": {
+	"project": "WEBGOAT",
+	"issue_type": "Bug",
+	"opened_status": ["Open","Reopen"],
+	"closed_status": ["Closed","Done"],
+	"open_transition": "Reopen Issue",
+	"close_transition": "Close Issue",
+	"close_transition_field": "resolution",
+	"close_transition_value": "Done",
+	"priorities": {
+	  "High": "High",
+	  "Medium": "Medium",
+	  "Low": "Low"
+	},
+	"fields": [
+	  {
+		"type": "result",
+		"name": "application",
+		"jira_field_name": "Application",
+		"jira_field_type": "label"
+	  },
+	  {
+		"type": "result",
+		"name": "category",
+		"jira_field_name": "Category",
+		"jira_field_type": "label"
+	  }
+	]
+  }
+}