diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 00000000..11b35b43
--- /dev/null
+++ b/.github/workflows/main.yml
@@ -0,0 +1,55 @@
+# This is a basic workflow to help you get started with Actions
+name: CxFlow
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the master branch
+# comment
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+ # This workflow contains a single job called "build"
+ build:
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+
+ # Steps represent a sequence of tasks that will be executed as part of the job
+ steps:
+ # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+ - uses: actions/checkout@v2
+
+ # Cxflow Action
+ - name: Checkmarx CxFlow Action
+ # You may pin to the exact commit or the version.
+ # uses: checkmarx-ts/checkmarx-cxflow-github-action@95d2a8c86d754ddbccc638a7e1bb8e99a8d2244f
+ uses: checkmarx-ts/checkmarx-cxflow-github-action@v1.1
+ with:
+ scanners: sast
+ # Provide Checkmarx URL
+ checkmarx_url: ${{secrets.CHECKMARX_URL}}
+ # Provide team
+ team: /CxServer
+ # Provide Checkmarx Username
+ checkmarx_username: ${{secrets.CHECKMARX_USERNAME}}
+ # Provide Checkmarx Password
+ checkmarx_password: ${{secrets.CHECKMARX_PASSWORD}}
+ # Provide Checkmarx Client Secret
+ checkmarx_client_secret: ${{secrets.CHECKMARX_CLIENT_SECRET}}
+ # Select a Checkmarx Project
+ project: WebGoat-GitHub-action
+ # Select an Application Name used by downstream bug tracker systems
+ app: WebGoat
+ # Select a Checkmarx Preset
+ #preset: # optional, default is Checkmarx Default
+ # Break build based on Checkmarx findings?
+ #break_build: # optional
+ # Incremental Scans?
+ incremental: true
+ # GitHub API Token (note: you don't have to create secrets.GITHUB_TOKEN, it is created automatically and will not appear in your repo's custom secrets)
+ github_token: ${{secrets.GITHUB_TOKEN}}
+ # extra parameters
+ params: --bug-tracker=jira --config=cx.config --repo-name=WebGoat --branch=master --jira.url=${{secrets.JIRA_URL}} --jira.username=${{secrets.JIRA_USER}} --jira.token=${{secrets.JIRA_TOKEN}}
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 00000000..2b37e7d1
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,3 @@
+{
+ "CheckmarxSecurityChampion.key": "sk-proj-pNHtnWny3bvPN2slWbeNT3BlbkFJ7HTv6G6iIJ4xsMW8uWgR"
+}
\ No newline at end of file
diff --git a/Dockerfile.dockerfile b/Dockerfile.dockerfile
new file mode 100644
index 00000000..9802a862
--- /dev/null
+++ b/Dockerfile.dockerfile
@@ -0,0 +1,20 @@
+# Use an official Node.js runtime as the parent image
+FROM node:16
+
+# Set the working directory in the container
+WORKDIR /usr/src/app
+
+# Copy the package.json and package-lock.json to the working directory
+COPY package*.json ./
+
+# Install the app dependencies inside the container
+RUN npm install
+
+# Copy the rest of the application code into the container
+COPY . .
+
+# Specify the port the app runs on
+EXPOSE 3000
+
+# Define the command to run the app
+CMD ["node", "app.js"]
diff --git a/README b/README
index a5ce616c..796d4e2b 100644
--- a/README
+++ b/README
@@ -1,6 +1,7 @@ ***************************** Webgoat.NET ********************************** * Source Code: https://github.com/jerryhoff/WebGoat.NET * Download zip: https://github.com/jerryhoff/WebGoat.NET/zipball/master
+*adding an additional line to kick off a scan.
**************************************************************************** This web application is a learning platform that attempts to teach about
diff --git a/WebGoat/AddNewUser.aspx.cs b/WebGoat/AddNewUser.aspx.cs
index 363be276..077ada1e 100644
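Review bot: Both `uses:` references in the workflow (`actions/checkout@v2` and `checkmarx-ts/checkmarx-cxflow-github-action@v1.1`) resolve mutable tags, so a retag upstream silently changes the code that receives the CHECKMARX_*, JIRA_* and GITHUB_TOKEN secrets; the commented line directly above already carries the full commit hash, so pin to it, `uses: checkmarx-ts/checkmarx-cxflow-github-action@95d2a8c86d754ddbccc638a7e1bb8e99a8d2244f # v1.1`, and pin checkout the same way. The workflow also declares no `permissions:` block, so `github_token` is handed over with the repository's default GITHUB_TOKEN grant; add a top-level `permissions:` with `contents: read` plus only the scopes the action needs for its bug-tracker work so the token is least-privilege. Lastly, the Jira URL, user and token are interpolated into the `params` command-line string; GitHub masks registered secrets in logs, but process arguments are visible to anything else running on the runner, so if the action exposes dedicated inputs or environment variables for the Jira credentials (cannot confirm from here) prefer those over `--jira.token=`.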
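Review bot: The new `.vscode/settings.json` commits a plaintext credential — the `CheckmarxSecurityChampion.key` value `sk-proj-…` has the shape of a third-party API key — into a repository the README describes as hosted publicly on GitHub, and once pushed it stays in history regardless of later edits. Treat the key as compromised: revoke and reissue it with the provider, drop the file from this commit, add `.vscode/` to `.gitignore`, and either rewrite history or accept the old value as burned before merging. Editor settings that hold secrets belong in user-level settings or a secret store rather than the workspace file, and a pre-commit secret scanner (gitleaks or similar) would have blocked this push.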
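Review bot: `COPY . .` runs with no `.dockerignore` visible in this commit, so the image layer will carry `.git`, the `.vscode/settings.json` added alongside, any local `node_modules` and everything else in the build context; add a `.dockerignore` listing at least `.git`, `.vscode` and `node_modules`. `RUN npm install` does not hold the build to the lockfile and may rewrite it, so `RUN npm ci` gives reproducible, pinned dependency installs; the container also runs as root, so add `USER node` (provided by the base image) before `CMD`. As far as I know the `node:16` line is past upstream end-of-life, so move to a supported major, and note that this repository otherwise holds a .NET application while no `app.js` or `package.json` appears in the commit, so confirm the build context actually contains what this Dockerfile expects.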
--- a/WebGoat/AddNewUser.aspx.cs
+++ b/WebGoat/AddNewUser.aspx.cs
@@ -9,7 +9,7 @@ using System.Web.UI.HtmlControls; using System.Web.UI.WebControls; using System.Web.UI.WebControls.WebParts;
-
+// adding a comment
namespace OWASP.WebGoat.NET { public partial class AddNewUser : System.Web.UI.Page
diff --git a/WebGoat/Code/DatabaseUtilities.cs b/WebGoat/Code/DatabaseUtilities.cs
index c91f1042..9b83332c 100644
--- a/WebGoat/Code/DatabaseUtilities.cs
+++ b/WebGoat/Code/DatabaseUtilities.cs
@@ -9,6 +9,8 @@ using System.Configuration; using Mono.Data.Sqlite;
+//adding comment
+
namespace OWASP.WebGoat.NET { public class DatabaseUtilities
@@ -250,4 +252,4 @@ public DataTable GetPostingByID(int id) } }
-}
\ No newline at end of file
+}
diff --git a/cx.config b/cx.config
new file mode 100644
index 00000000..d46b2030
--- /dev/null
+++ b/cx.config
@@ -0,0 +1,34 @@
+{
+ "application": "WebGoat",
+ "branches": ["develop", "master"],
+ "bugTracker": "JIRA",
+ "jira": {
+ "project": "WEBGOAT",
+ "issue_type": "Bug",
+ "opened_status": ["Open","Reopen"],
+ "closed_status": ["Closed","Done"],
+ "open_transition": "Reopen Issue",
+ "close_transition": "Close Issue",
+ "close_transition_field": "resolution",
+ "close_transition_value": "Done",
+ "priorities": {
+ "High": "High",
+ "Medium": "Medium",
+ "Low": "Low"
+ },
+ "fields": [
+ {
+ "type": "result",
+ "name": "application",
+ "jira_field_name": "Application",
+ "jira_field_type": "label"
+ },
+ {
+ "type": "result",
+ "name": "category",
+ "jira_field_name": "Category",
+ "jira_field_type": "label"
+ }
+ ]
+ }
+}
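Review bot: `"branches": ["develop", "master"]` in cx.config lists `develop`, but the workflow added in the same commit only triggers on `master` (`branches: [ master ]` for both push and pull_request), so CxFlow will never run for `develop` and that entry is dead configuration that suggests coverage which does not exist. Either add `develop` to the workflow triggers or reduce this to `"branches": ["master"]` so the config matches what actually runs. Because JSON has no comment syntax, record the intended branch policy in the workflow's header comment rather than here.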