diff --git a/.github/workflows/snyk-security-scan.yml b/.github/workflows/snyk-security-scan.yml
index d195fb36e3d..9140a950f51 100644
--- a/.github/workflows/snyk-security-scan.yml
+++ b/.github/workflows/snyk-security-scan.yml
@@ -14,7 +14,7 @@ jobs:
 #     env:
 #       SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 #       SNYK_CFG_ORG: varner-tech-engineering
-
+
 #     steps:
 #       - name: Checkout code
 #         uses: actions/checkout@v3
@@ -55,24 +55,15 @@ jobs:
     permissions:
       contents: write
       actions: read
-    env:
-      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-      - name: Setup Snyk CLI
-        uses: snyk/actions/setup@master
-
-      - name: Authenticate Snyk CLI
-        run: snyk auth "${{ secrets.SNYK_TOKEN }}"
-
       - name: Generate SBOM (CycloneDX JSON)
-        run: |
-          echo "Generating SBOM with Snyk..."
-          snyk sbom --format=cyclonedx1.6+json > sbom.cdx.json
-          echo "SBOM generation completed successfully"
-          ls -la sbom.cdx.json
+        uses: anchore/sbom-action@v0
+        with:
+          format: cyclonedx-json
+          output-file: sbom.cdx.json
       - name: Upload SBOM artifact
         uses: actions/upload-artifact@v4
@@ -86,8 +77,8 @@ jobs:
         with:
           files: sbom.cdx.json
-      - name: Display SBOM info
-        run: |
-          echo "SBOM generated successfully"
-          ls -la sbom.cdx.json
-          echo "SBOM size: $(wc -c < sbom.cdx.json) bytes"
\ No newline at end of file
+      - name: Submit SBOM to Dependency Graph
+        uses: advanced-security/sbom-dependency-submission-action@v0
+        with:
+          sbom-path: sbom.cdx.json
+          fail-on-error: true
diff --git a/package-lock.json b/package-lock.json
index 9e9826e4018..0441867d2c5 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -32,6 +32,7 @@
         "lodash": "4.17.4",
         "marked": "0.3.5",
         "method-override": "latest",
+        "minimist": "0.0.8",
         "moment": "2.15.1",
         "mongodb": "^3.5.9",
         "mongoose": "4.2.4",
@@ -40,6 +41,7 @@
         "mysql": "^2.18.1",
         "npmconf": "0.0.24",
         "optional": "^0.1.3",
+        "serialize-javascript": "2.1.1",
         "st": "0.2.4",
         "stream-buffers": "^3.0.1",
         "tap": "^11.1.3",
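Review bot: The new Generate SBOM step references `anchore/sbom-action@v0`, a mutable major-version tag, inside a job that holds `contents: write`; if that tag is moved, whatever it points at runs with a token that can push to this repository. Pin the action to a full commit SHA and keep the version in a trailing comment so Dependabot can still bump it, e.g. `uses: anchore/sbom-action@<full-commit-sha> # v0.x.y`. The removed `snyk auth "${{ secrets.SNYK_TOKEN }}"` line was also interpolating a secret into a shell command, so dropping it is an improvement worth noting in the commit message; the commented-out Snyk `env:` block in the first hunk now looks like dead configuration if nothing else in the file uses it, and I would delete it or say why it stays.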
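Review bot: `advanced-security/sbom-dependency-submission-action@v0` is likewise pulled by a floating tag, and this is the step that writes to the repository's dependency graph with the job's `contents: write` token, so it deserves the same SHA pin: `uses: advanced-security/sbom-dependency-submission-action@<full-commit-sha> # v0.x`. The deleted Display SBOM info step was the only visibility into `sbom.cdx.json`'s size; `fail-on-error: true` will reject a malformed file at submission time, but an empty-yet-valid SBOM would still be attached to the release (the `files: sbom.cdx.json` upload sits before this step) and submitted silently. A one-line guard before the upload steps, such as `run: test "$(jq '.components | length' sbom.cdx.json)" -gt 0` on an ubuntu runner, keeps that sanity check without the echo noise; the runner OS is not visible in this hunk, so confirm `jq` is available.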
@@ -530,7 +532,7 @@ "node_modules/adm-zip": { "version": "0.4.7", "resolved": "https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.7.tgz", - "integrity": "sha1-hgbCy/HEJs6MjsABdER/1Jtur8E=", + "integrity": "sha512-QHVQ6ekddFaGr9r2hBUC4gPw2wLqMZioXojt9BydQPbSh8us7+Q5xcUCUq+hnh4zAdauV3wqoY0quApjKqrhbA==", "engines": { "node": ">=0.3.0" } @@ -1902,6 +1904,15 @@ "node": ">=6" } }, + "node_modules/coveralls/node_modules/minimist": { + "version": "1.2.8", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", + "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==", + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, "node_modules/crc": { "version": "3.2.1", "resolved": "https://registry.npmjs.org/crc/-/crc-3.2.1.tgz", @@ -4878,9 +4889,10 @@ } }, "node_modules/minimist": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz", - "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=" + "version": "0.0.8", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz", + "integrity": "sha512-miQKw5Hv4NS1Psg2517mV4e4dYNaO3++hjAvLOAzKqZ61rH8NS1SK+vbfBWZ5PY/Me/bEWhUwqMghEW5Fb9T7Q==", + "license": "MIT" }, "node_modules/minipass": { "version": "2.9.0", @@ -10068,6 +10080,16 @@ "node": "*" } }, + "node_modules/rc/node_modules/minimist": { + "version": "1.2.8", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", + "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==", + "dev": true, + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, "node_modules/read-only-stream": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/read-only-stream/-/read-only-stream-2.0.0.tgz", 
@@ -10465,6 +10487,12 @@ "node": ">= 0.8" } }, + "node_modules/serialize-javascript": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.1.tgz", + "integrity": "sha512-MPLPRpD4FNqWq9tTIjYG5LesFouDhdyH0EPY3gVK4DRD5+g4aDqdNSzLIwceulo3Yj+PL1bPh6laE5+H6LTcrQ==", + "license": "BSD-3-Clause" + }, "node_modules/serve-static": { "version": "1.9.3", "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.9.3.tgz", @@ -11708,6 +11736,16 @@ "minimist": "^1.1.0" } }, + "node_modules/subarg/node_modules/minimist": { + "version": "1.2.8", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", + "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==", + "dev": true, + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, "node_modules/supports-color": { "version": "5.5.0", "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz", @@ -11868,11 +11906,6 @@ "tap-parser": "bin/cmd.js" } }, - "node_modules/tap/node_modules/minimist": { - "version": "0.0.8", - "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz", - "integrity": "sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0=" - }, "node_modules/tap/node_modules/mkdirp": { "version": "0.5.1", "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.1.tgz", @@ -13523,7 +13556,7 @@ "adm-zip": { "version": "0.4.7", "resolved": "https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.7.tgz", - "integrity": "sha1-hgbCy/HEJs6MjsABdER/1Jtur8E=" + "integrity": "sha512-QHVQ6ekddFaGr9r2hBUC4gPw2wLqMZioXojt9BydQPbSh8us7+Q5xcUCUq+hnh4zAdauV3wqoY0quApjKqrhbA==" }, "agent-base": { "version": "4.3.0", 
@@ -14705,6 +14738,13 @@ "log-driver": "^1.2.7", "minimist": "^1.2.0", "request": "^2.88.0" + }, + "dependencies": { + "minimist": { + "version": "1.2.8", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", + "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==" + } } }, "crc": { @@ -17166,9 +17206,9 @@ } }, "minimist": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz", - "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=" + "version": "0.0.8", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz", + "integrity": "sha512-miQKw5Hv4NS1Psg2517mV4e4dYNaO3++hjAvLOAzKqZ61rH8NS1SK+vbfBWZ5PY/Me/bEWhUwqMghEW5Fb9T7Q==" }, "minipass": { "version": "2.9.0", @@ -21004,6 +21044,12 @@ "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.5.tgz", "integrity": "sha512-RZY5huIKCMRWDUqZlEi72f/lmXKMvuszcMBduliQ3nnWbx9X/ZBQO7DijMEYS9EhHBb2qacRUMtC7svLwe0lcw==", "dev": true + }, + "minimist": { + "version": "1.2.8", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", + "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==", + "dev": true } } }, @@ -21352,6 +21398,11 @@ } } }, + "serialize-javascript": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.1.tgz", + "integrity": "sha512-MPLPRpD4FNqWq9tTIjYG5LesFouDhdyH0EPY3gVK4DRD5+g4aDqdNSzLIwceulo3Yj+PL1bPh6laE5+H6LTcrQ==" + }, "serve-static": { "version": "1.9.3", "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.9.3.tgz", 
@@ -22470,6 +22521,14 @@ "dev": true, "requires": { "minimist": "^1.1.0" + }, + "dependencies": { + "minimist": { + "version": "1.2.8", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", + "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==", + "dev": true + } } }, "supports-color": { @@ -22530,11 +22589,6 @@ "yapool": "^1.0.0" }, "dependencies": { - "minimist": { - "version": "0.0.8", - "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz", - "integrity": "sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0=" - }, "mkdirp": { "version": "0.5.1", "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.1.tgz", diff --git a/package.json b/package.json index 067b08fdd55..09c30e899f0 100644 --- a/package.json +++ b/package.json @@ -38,6 +38,7 @@ "lodash": "4.17.4", "marked": "0.3.5", "method-override": "latest", + "minimist": "0.0.8", "moment": "2.15.1", "mongodb": "^3.5.9", "mongoose": "4.2.4", @@ -46,6 +47,7 @@ "mysql": "^2.18.1", "npmconf": "0.0.24", "optional": "^0.1.3", + "serialize-javascript": "2.1.1", "st": "0.2.4", "stream-buffers": "^3.0.1", "tap": "^11.1.3", diff --git a/routes/xss-vulnerable.js b/routes/xss-vulnerable.js index af105c7bfaf..890a42e94b9 100644 --- a/routes/xss-vulnerable.js +++ b/routes/xss-vulnerable.js 
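Review bot: This adds `"minimist": "0.0.8"` as a direct dependency, and the lockfile hunks above show the root `node_modules/minimist` dropping from 1.2.0 to 0.0.8 as a consequence, so every package that resolved to the hoisted copy now gets the older code; both releases predate the published minimist prototype-pollution fixes, and pinning the older one widens that gap. Nothing in this diff `require`s minimist directly, so if the pin is deliberate scanner bait (the repository's `routes/xss-vulnerable.js` suggests this is a deliberately vulnerable sample app), mark it as such next to the entry, e.g. a `"//": "minimist 0.0.8 is pinned intentionally as a vulnerable sample"` comment key or a README note, so the next maintainer does not silently bump it or read it as a mistake. If it is not deliberate, remove the entry and regenerate the lockfile rather than downgrading.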
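Review bot: `"serialize-javascript": "2.1.1"` is an exact pin of an older 2.x release and no code in this diff imports it, so it is an unused direct dependency that will still be installed, shipped and scanned. Later releases of that package carry security fixes in how serialized values are rebuilt (its purpose is to emit executable JavaScript from data), so confirm the chosen version against an advisory database and, if the intent is only to seed scanner findings, flag the entry as intentional in the same way as other demo pins, e.g. `"//": "serialize-javascript 2.1.1 pinned intentionally as a vulnerable sample"`.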
@@ -17,15 +17,15 @@ const { startVulnerableResponse } = require('../service/xssResponder');
 // UNSAFE: Direct XSS vulnerability - matches pattern Snyk detects
 // This is a simple reflected XSS that Snyk should flag
-// router.get('/', (req, res) => {
-// // Get user input directly from query parameter without sanitization
-// // This is the source of the XSS vulnerability
-// const userInput = req.query.input || 'No input provided';
+router.get('/', (req, res) => {
+  // Get user input directly from query parameter without sanitization
+  // This is the source of the XSS vulnerability
+  const userInput = req.query.input || 'No input provided';
-// const html = processUserInput(userInput, res);
+  const html = processUserInput(userInput, res);
-// res.send(html);
-// });
+  res.send(html);
+});
 function processUserInput(userInput, res) {
   return `
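Review bot: Un-commenting this handler makes the reflected XSS live on GET `/` of this router, and the only marker that it is intentional is the comment above it; nothing in the hunk limits where or when the route is served, and the router's registration is outside this file. If the route exists to produce scanner findings, gate the unsafe path on an explicit opt-in so a production build cannot ship it by accident, e.g. `if (process.env.ENABLE_VULNERABLE_ROUTES !== 'true') return res.status(404).end();` as the first line of the handler, and say so in the header comment. Separately, `req.query.input` is not guaranteed to be a string — Express's query parser turns `?input[]=a` into an array and `?input[a]=b` into an object — and `|| 'No input provided'` only covers absence, so `processUserInput` receives non-strings unchecked; that function also takes `res`, and if it writes to the response itself the following `res.send(html)` would fail with headers already sent. `processUserInput`'s body continues past the end of this hunk, so I cannot confirm either from here.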