From f2f3e4e611edbd273816a59601c3fbd3edb8f080 Mon Sep 17 00:00:00 2001
From: Phil Varner
Date: Thu, 11 Dec 2025 23:54:52 -0700
Subject: [PATCH 1/3] add new endpoint function
---
 routes/xss-vulnerable.js | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/routes/xss-vulnerable.js b/routes/xss-vulnerable.js
index af105c7bfaf..890a42e94b9 100644
--- a/routes/xss-vulnerable.js
+++ b/routes/xss-vulnerable.js
@@ -17,15 +17,15 @@ const { startVulnerableResponse } = require('../service/xssResponder');
// UNSAFE: Direct XSS vulnerability - matches pattern Snyk detects
// This is a simple reflected XSS that Snyk should flag
-// router.get('/', (req, res) => {
-// // Get user input directly from query parameter without sanitization
-// // This is the source of the XSS vulnerability
-// const userInput = req.query.input || 'No input provided';
+router.get('/', (req, res) => {
+ // Get user input directly from query parameter without sanitization
+ // This is the source of the XSS vulnerability
+ const userInput = req.query.input || 'No input provided';
-// const html = processUserInput(userInput, res);
+ const html = processUserInput(userInput, res);
-// res.send(html);
-// });
+ res.send(html);
+});
function processUserInput(userInput, res) {
return `
From 1562a642228ca98258f343cccf4b9eac57a329e7 Mon Sep 17 00:00:00 2001
From: Phil Varner
Date: Tue, 6 Jan 2026 10:07:05 -0700
Subject: [PATCH 2/3] try sbom
---
 .github/workflows/snyk-security-scan.yml | 95 ++++++++++++++++--------
 1 file changed, 65 insertions(+), 30 deletions(-)
diff --git a/.github/workflows/snyk-security-scan.yml b/.github/workflows/snyk-security-scan.yml
index b0634c07157..52d0872d264 100644
--- a/.github/workflows/snyk-security-scan.yml
+++ b/.github/workflows/snyk-security-scan.yml
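Review bot: The re-enabled handler forwards `req.query.input` straight into `processUserInput` and sends the result as HTML, which is the reflected-XSS sink the file's own comments say Snyk should flag; since that is deliberate, the `router.get('/')` block should carry a header comment stating the intent so the route is not mistaken for production code or mounted outside the demo, e.g. `// INTENTIONALLY VULNERABLE demo route: unescaped reflection of req.query.input; never reuse this pattern in real code (escape output or use res.type('text/plain')).` Note also that Express's default query parser can yield an array or object for `input` (repeated or bracketed keys), so `userInput` is not guaranteed to be a string when it reaches the template, and `|| 'No input provided'` also replaces an explicit empty string, which a comment should acknowledge if that is intended. The body of `processUserInput` continues outside the hunk.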
@@ -8,42 +8,77 @@ on: workflow_dispatch: jobs: - security-scan: - name: Snyk IaC and Container Scans - runs-on: ubuntu-latest - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - SNYK_CFG_ORG: varner-tech-engineering + # security-scan: + # name: Snyk IaC and Container Scans + # runs-on: ubuntu-latest + # env: + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + # SNYK_CFG_ORG: varner-tech-engineering - steps: - - name: Checkout code - uses: actions/checkout@v3 + # steps: + # - name: Checkout code + # uses: actions/checkout@v3 - - name: Install Terraform - uses: hashicorp/setup-terraform@v2 - with: - terraform_version: 1.5.0 + # - name: Install Terraform + # uses: hashicorp/setup-terraform@v2 + # with: + # terraform_version: 1.5.0 - - name: Install Snyk CLI - run: npm install -g snyk + # - name: Install Snyk CLI + # run: npm install -g snyk - - name: Build Container Image - run: docker build -t nodejs-goof . + # - name: Build Container Image + # run: docker build -t nodejs-goof . - - name: Snyk Container Scan (test + monitor) - continue-on-error: true - run: | - snyk container test nodejs-goof --severity-threshold=high --file=Dockerfile --project-name=ga-container-full --target-reference=nodejs-goof-ga-target --target-name=nodejs-goof || true - snyk container monitor nodejs-goof --file=Dockerfile --project-name=ga-container-full --target-reference=nodejs-goof-ga-target --target-name=nodejs-goof + # - name: Snyk Container Scan (test + monitor) + # continue-on-error: true + # run: | + # snyk container test nodejs-goof --severity-threshold=high --file=Dockerfile --project-name=ga-container-full --target-reference=nodejs-goof-ga-target --target-name=nodejs-goof || true + # snyk container monitor nodejs-goof --file=Dockerfile --project-name=ga-container-full --target-reference=nodejs-goof-ga-target --target-name=nodejs-goof - - name: Snyk IaC Scan - continue-on-error: true - run: snyk iac test vulnerable.tf --report --target-name=nodejs-goof --target-reference=nodejs-goof-ga-target 
--remote-repo-url=https://github.com/varner-tech/nodejs-goof + # - name: Snyk IaC Scan + # continue-on-error: true + # run: snyk iac test vulnerable.tf --report --target-name=nodejs-goof --target-reference=nodejs-goof-ga-target --remote-repo-url=https://github.com/varner-tech/nodejs-goof - - name: Upload Snyk results as artifact - if: always() + # - name: Upload Snyk results as artifact + # if: always() + # uses: actions/upload-artifact@v4 + # with: + # name: snyk-results + # path: snyk*.json + # if-no-files-found: ignore + + sbom: + name: Generate and Distribute SBOM + # needs: security-scan + runs-on: ubuntu-latest + permissions: + contents: write + actions: read + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Generate SBOM (CycloneDX JSON) + uses: anchore/sbom-action@v0 + with: + format: cyclonedx-json + output-file: sbom.cdx.json + + - name: Upload SBOM artifact uses: actions/upload-artifact@v4 with: - name: snyk-results - path: snyk*.json - if-no-files-found: ignore \ No newline at end of file + name: release-sbom + path: sbom.cdx.json + + - name: Attach SBOM to GitHub Release + if: github.event_name == 'release' + uses: softprops/action-gh-release@v1 + with: + files: sbom.cdx.json + + - name: Submit SBOM to Dependency Graph + uses: advanced-security/sbom-dependency-submission-action@v0 + with: + sbom-path: sbom.cdx.json + fail-on-error: true \ No newline at end of file From a563b06b657904ff457e32a156a1c3671a773b6c Mon Sep 17 00:00:00 2001 From: Phil Varner Date: Tue, 6 Jan 2026 13:28:37 -0700 Subject: [PATCH 3/3] add vulnerable package --- package-lock.json | 90 +++++++++++++++++++++++++++++++++++++---------- package.json | 2 ++ 2 files changed, 74 insertions(+), 18 deletions(-) diff --git a/package-lock.json b/package-lock.json index 9e9826e4018..0441867d2c5 100644 --- a/package-lock.json +++ b/package-lock.json 
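Review bot: The new `sbom` job runs three third-party actions pinned only to floating major tags (`anchore/sbom-action@v0`, `softprops/action-gh-release@v1`, `advanced-security/sbom-dependency-submission-action@v0`) inside a job that holds `contents: write`, so a moved tag upstream would execute unreviewed code with write access to the repository and its releases; pin each `uses:` to a full commit SHA with the tag in a trailing comment, e.g. `uses: anchore/sbom-action@<commit-sha> # v0`. The `if: github.event_name == 'release'` step only fires if the `on:` block (outside this hunk) includes a `release` trigger; only `workflow_dispatch:` is visible as context, so confirm that trigger exists or the step is dead. Commenting out the whole `security-scan` job while keeping `# needs: security-scan` and the file name `snyk-security-scan.yml` leaves the workflow misnamed for what it now does; if the scan is meant to return, a one-line comment saying why it is disabled would help, otherwise the dead block should be deleted.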
@@ -32,6 +32,7 @@ "lodash": "4.17.4", "marked": "0.3.5", "method-override": "latest", + "minimist": "0.0.8", "moment": "2.15.1", "mongodb": "^3.5.9", "mongoose": "4.2.4", @@ -40,6 +41,7 @@ "mysql": "^2.18.1", "npmconf": "0.0.24", "optional": "^0.1.3", + "serialize-javascript": "2.1.1", "st": "0.2.4", "stream-buffers": "^3.0.1", "tap": "^11.1.3", @@ -530,7 +532,7 @@ "node_modules/adm-zip": { "version": "0.4.7", "resolved": "https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.7.tgz", - "integrity": "sha1-hgbCy/HEJs6MjsABdER/1Jtur8E=", + "integrity": "sha512-QHVQ6ekddFaGr9r2hBUC4gPw2wLqMZioXojt9BydQPbSh8us7+Q5xcUCUq+hnh4zAdauV3wqoY0quApjKqrhbA==", "engines": { "node": ">=0.3.0" } @@ -1902,6 +1904,15 @@ "node": ">=6" } }, + "node_modules/coveralls/node_modules/minimist": { + "version": "1.2.8", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", + "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==", + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, "node_modules/crc": { "version": "3.2.1", "resolved": "https://registry.npmjs.org/crc/-/crc-3.2.1.tgz", @@ -4878,9 +4889,10 @@ } }, "node_modules/minimist": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz", - "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=" + "version": "0.0.8", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz", + "integrity": "sha512-miQKw5Hv4NS1Psg2517mV4e4dYNaO3++hjAvLOAzKqZ61rH8NS1SK+vbfBWZ5PY/Me/bEWhUwqMghEW5Fb9T7Q==", + "license": "MIT" }, "node_modules/minipass": { "version": "2.9.0", 
@@ -10068,6 +10080,16 @@ "node": "*" } }, + "node_modules/rc/node_modules/minimist": { + "version": "1.2.8", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", + "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==", + "dev": true, + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, "node_modules/read-only-stream": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/read-only-stream/-/read-only-stream-2.0.0.tgz", @@ -10465,6 +10487,12 @@ "node": ">= 0.8" } }, + "node_modules/serialize-javascript": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.1.tgz", + "integrity": "sha512-MPLPRpD4FNqWq9tTIjYG5LesFouDhdyH0EPY3gVK4DRD5+g4aDqdNSzLIwceulo3Yj+PL1bPh6laE5+H6LTcrQ==", + "license": "BSD-3-Clause" + }, "node_modules/serve-static": { "version": "1.9.3", "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.9.3.tgz", @@ -11708,6 +11736,16 @@ "minimist": "^1.1.0" } }, + "node_modules/subarg/node_modules/minimist": { + "version": "1.2.8", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", + "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==", + "dev": true, + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, "node_modules/supports-color": { "version": "5.5.0", "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz", @@ -11868,11 +11906,6 @@ "tap-parser": "bin/cmd.js" } }, - "node_modules/tap/node_modules/minimist": { - "version": "0.0.8", - "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz", - "integrity": "sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0=" - }, "node_modules/tap/node_modules/mkdirp": { "version": "0.5.1", "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.1.tgz", 
@@ -13523,7 +13556,7 @@ "adm-zip": { "version": "0.4.7", "resolved": "https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.7.tgz", - "integrity": "sha1-hgbCy/HEJs6MjsABdER/1Jtur8E=" + "integrity": "sha512-QHVQ6ekddFaGr9r2hBUC4gPw2wLqMZioXojt9BydQPbSh8us7+Q5xcUCUq+hnh4zAdauV3wqoY0quApjKqrhbA==" }, "agent-base": { "version": "4.3.0", @@ -14705,6 +14738,13 @@ "log-driver": "^1.2.7", "minimist": "^1.2.0", "request": "^2.88.0" + }, + "dependencies": { + "minimist": { + "version": "1.2.8", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", + "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==" + } } }, "crc": { @@ -17166,9 +17206,9 @@ } }, "minimist": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz", - "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=" + "version": "0.0.8", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz", + "integrity": "sha512-miQKw5Hv4NS1Psg2517mV4e4dYNaO3++hjAvLOAzKqZ61rH8NS1SK+vbfBWZ5PY/Me/bEWhUwqMghEW5Fb9T7Q==" }, "minipass": { "version": "2.9.0", @@ -21004,6 +21044,12 @@ "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.5.tgz", "integrity": "sha512-RZY5huIKCMRWDUqZlEi72f/lmXKMvuszcMBduliQ3nnWbx9X/ZBQO7DijMEYS9EhHBb2qacRUMtC7svLwe0lcw==", "dev": true + }, + "minimist": { + "version": "1.2.8", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", + "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==", + "dev": true } } }, 
@@ -21352,6 +21398,11 @@ } } }, + "serialize-javascript": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.1.tgz", + "integrity": "sha512-MPLPRpD4FNqWq9tTIjYG5LesFouDhdyH0EPY3gVK4DRD5+g4aDqdNSzLIwceulo3Yj+PL1bPh6laE5+H6LTcrQ==" + }, "serve-static": { "version": "1.9.3", "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.9.3.tgz", @@ -22470,6 +22521,14 @@ "dev": true, "requires": { "minimist": "^1.1.0" + }, + "dependencies": { + "minimist": { + "version": "1.2.8", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", + "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==", + "dev": true + } } }, "supports-color": { @@ -22530,11 +22589,6 @@ "yapool": "^1.0.0" }, "dependencies": { - "minimist": { - "version": "0.0.8", - "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz", - "integrity": "sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0=" - }, "mkdirp": { "version": "0.5.1", "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.1.tgz", diff --git a/package.json b/package.json index 067b08fdd55..09c30e899f0 100644 --- a/package.json +++ b/package.json @@ -38,6 +38,7 @@ "lodash": "4.17.4", "marked": "0.3.5", "method-override": "latest", + "minimist": "0.0.8", "moment": "2.15.1", "mongodb": "^3.5.9", "mongoose": "4.2.4", @@ -46,6 +47,7 @@ "mysql": "^2.18.1", "npmconf": "0.0.24", "optional": "^0.1.3", + "serialize-javascript": "2.1.1", "st": "0.2.4", "stream-buffers": "^3.0.1", "tap": "^11.1.3",
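Review bot: The two `package.json` hunks add `minimist@0.0.8` and `serialize-javascript@2.1.1` to what appears to be the runtime `dependencies` block (its key is outside the hunks), but nothing visible in this patch series `require`s either package, so they seem to exist only to be found by the scanner; that intent lives in the commit title but not in the repository, and since package.json cannot carry comments, a README line naming them as intentional scanner targets would keep a later cleanup from "fixing" them. The lockfile hunks also show the downgrade is not confined to the new entry: the hoisted `node_modules/minimist` moves from 1.2.0 to 0.0.8, `coveralls`, `rc` and `subarg` each gain a nested 1.2.8 copy, and the previously nested `tap/node_modules/minimist@0.0.8` disappears, which is worth a sentence in the commit message because it changes what those packages resolve. Both package.json hunks are inside an object whose start and end are outside the hunks.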