Checkmarx · cx-pedro-lopes · Jun 1, 2021 · May 20, 2021 · May 27, 2021 · May 27, 2021
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -0,0 +1,41 @@
+# This workflow will do a clean install of node dependencies, build the source code and run tests across different versions of node
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
+
+name: Integration Tests
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        #node-version: [10.x, 12.x, 14.x, 15.x]
+        node-version: [ 15.x ]
+        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Copy executable
+        run: cp ./src/main/resources/cx-linux /tmp/
+      - name: Permissions to executable
+        run: sudo chmod 777 /tmp/cx-linux
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v2
+        with:
+          node-version: ${{ matrix.node-version }}
+      - run: npm ci
+      - run: npm run build --if-present
+      - name: Run tests
+        env:
+          CX_CLIENT_ID: ${{ secrets.CLIENT_ID}}
+          CX_CLIENT_SECRET: ${{ secrets.CLIENT_SECRET}}
+          CX_BASE_URI: ${{ secrets.BASE_URI }}
+          PATH_TO_EXECUTABLE: /tmp/cx-linux
+        run: npm test
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -0,0 +1,24 @@
+# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
+# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages
+
+name: Node.js Package
+
+on:
+  release:
+    types: [created]
+
+jobs:
+  publish-gpr:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+        with:
+          node-version: 12
+          registry-url: https://npm.pkg.github.com/
+      - run: npm ci
+      - name: Set up NPM authentication
+        run: echo "//npm.pkg.github.com/:_authToken=${{ secrets.GITHUB_TOKEN }}" >> ~/.npmrc
+      - run: npm publish --access public
+        env:
+          NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/babel.config.js b/babel.config.js
@@ -0,0 +1,4 @@
+module.exports = {
+    presets: ['@babel/typescript', ['@babel/env', {loose: true}], '@babel/react'],
+    plugins: [['@babel/proposal-class-properties', {loose: true}]]
+};
diff --git a/jest.config.js b/jest.config.js
@@ -0,0 +1,7 @@
+module.exports = {
+  "testMatch": [
+      "**/.tests./**/*.+(ts|tsx)",
+      "**/?(*.)+(spec|test).+(ts|tsx)"
+  ],
+  setupFilesAfterEnv: ['./jest.setup.js']
+};
diff --git a/jest.setup.js b/jest.setup.js
@@ -0,0 +1 @@
+jest.setTimeout(1000000);
diff --git a/mock-results.json b/mock-results.json
@@ -0,0 +1,269 @@
+{
+  "date": "4/21/2021",  
+  "version": "0.0.1",
+  "engines": [
+    "sast",
+    "sca",
+    "kics"
+  ],
+  "results": [        
+    {
+      "id": "12345",
+      "similarityId": -868420736,
+      "vulnerabilityDetails": {
+        "cweId": 602,
+        "owasp2017": "A1"
+      },
+      "severity": "LOW",
+      "firstScanId": "fc6a6e5e-3dab-4b3f-af2b-6dcf446626ef",
+      "firstFoundAt": "2021-03-25T19:09:06Z",
+      "foundAt": "2021-03-25T20:07:30Z",
+      "status": "RECURRENT",
+      "state": "NOT_EXPLOITABLE",
+      "type": "sast",
+      "data": {
+        "queryId": 10526212270892872000,
+        "queryName": "Client Side Only Validation",
+        "group": "VbNet_Low_Visibility",
+        "pathSystemId": "CF0SQeGPoCwKDphvpEFO5OUHZME=",
+        "resultHash": "CF0SQeGPoCwKDphvpEFO5OUHZME=",
+        "languageName": "VbNet",
+        "nodes": [
+          {
+            "column": 15,
+            "fileName": "test.cs",
+            "fullName": "/bookstore/test.php",
+            "length": 14,
+            "line": 1,
+            "methodLine": 1,
+            "name": "bookdetailpage",
+            "domType": "ClassDecl"
+          },
+          {
+            "column": 15,
+            "fileName": "source.cs",
+            "fullName": "/bookstore/src/source.cs",
+            "length": 14,
+            "line": 22,
+            "methodLine": 1,
+            "name": "bookdetailpage",
+            "domType": "ClassDecl"            
+          }
+        ]
+      },
+      "comments": "This is long standing SASt error?"
+    },
+    {
+      "id": "12345",
+      "similarityId": -868420736,
+      "vulnerabilityDetails": {
+        "cweId": 602,
+        "owasp2017": "A1"
+      },
+      "severity": "LOW",
+      "firstScanId": "fc6a6e5e-3dab-4b3f-af2b-6dcf446626ef",
+      "firstFoundAt": "2021-03-25T19:09:06Z",
+      "foundAt": "2021-03-25T20:07:30Z",
+      "status": "NEW",
+      "state": "NOT_EXPLOITABLE",
+      "type": "sast",
+      "data": {
+        "queryId": 10526212270892872000,
+        "queryName": "Jeff Major Issue",
+        "group": "VbNet_Low_Visibility",
+        "pathSystemId": "CF0SQeGPoCwKDphvpEFO5OUHZME=",
+        "resultHash": "CF0SQeGPoCwKDphvpEFO5OUHZME=",
+        "languageName": "Java",
+        "nodes": [
+          {
+            "column": 15,
+            "fileName": "BookDetail.aspx",
+            "fullName": "/bookstore/BookDetail.aspx",
+            "length": 14,
+            "line": 68,
+            "methodLine": 1,
+            "name": "bookdetailpage",
+            "domType": "ClassDecl",
+            "nodeSystemId": "fTPHOKt18pwXgBGUaMx8XV7rL5s=",
+            "nodeHash": "fTPHOKt18pwXgBGUaMx8XV7rL5s="
+          }
+        ]
+      },
+      "comments": "This is long standing SASt error?"
+    },
+    {
+      "id": "12345",
+      "similarityId": -868420736,
+      "vulnerabilityDetails": {
+        "cweId": 602,
+        "owasp2017": "A1"
+      },
+      "severity": "HIGH",
+      "firstScanId": "fc6a6e5e-3dab-4b3f-af2b-6dcf446626ef",
+      "firstFoundAt": "2021-03-25T19:09:06Z",
+      "foundAt": "2021-03-25T20:07:30Z",
+      "status": "NEW",
+      "state": "NOT_EXPLOITABLE",
+      "type": "sast",
+      "data": {
+        "queryId": 10526212270892872000,
+        "queryName": "SQL Injection",
+        "group": "VbNet_Low_Visibility",
+        "pathSystemId": "CF0SQeGPoCwKDphvpEFO5OUHZME=",
+        "resultHash": "CF0SQeGPoCwKDphvpEFO5OUHZME=",
+        "languageName": "VbNet",
+        "nodes": [
+          {
+            "column": 15,
+            "fileName": "BookDetail.aspx",
+            "fullName": "/bookstore/BookDetail.aspx",
+            "length": 14,
+            "line": 90,
+            "methodLine": 1,
+            "name": "bookdetailpage",
+            "domType": "ClassDecl",
+            "nodeSystemId": "fTPHOKt18pwXgBGUaMx8XV7rL5s=",
+            "nodeHash": "fTPHOKt18pwXgBGUaMx8XV7rL5s="
+          }
+        ]
+      },
+      "comments": "This another error we created for testing."
+    },
+    {
+      "id": "12345",
+      "similarityId": -868420736,
+      "vulnerabilityDetails": {
+        "cweId": 602,
+        "owasp2017": "A1"
+      },
+      "severity": "MEDIUM",
+      "firstScanId": "fc6a6e5e-3dab-4b3f-af2b-6dcf446626ef",
+      "firstFoundAt": "2021-03-25T19:09:06Z",
+      "foundAt": "2021-03-25T20:07:30Z",
+      "status": "RECURRENT",
+      "state": "NOT_EXPLOITABLE",
+      "type": "sast",
+      "data": {
+        "queryId": 10526212270892872000,
+        "queryName": "XSS",
+        "group": "VbNet_Low_Visibility",
+        "pathSystemId": "CF0SQeGPoCwKDphvpEFO5OUHZME=",
+        "resultHash": "CF0SQeGPoCwKDphvpEFO5OUHZME=",
+        "languageName": "VbNet",
+        "nodes": [
+          {
+            "column": 15,
+            "fileName": "StoreFront.aspx",
+            "fullName": "/bookstore/StoreFront.aspx",
+            "length": 14,
+            "line": 44,
+            "methodLine": 1,
+            "name": "bookdetailpage",
+            "domType": "ClassDecl",
+            "nodeSystemId": "fTPHOKt18pwXgBGUaMx8XV7rL5s=",
+            "nodeHash": "fTPHOKt18pwXgBGUaMx8XV7rL5s="
+          }
+        ]
+      },
+      "comments": "The alternative test page."
+    },
+
+        {
+          "id": "12346",
+          "type": "dependency",
+          "similarityId": "?? Null currently CVE?",
+          "vulnerabilityMetadata": {
+            "cvssScore": 7.5,
+            "cveName": "CVE-2014-0114",
+            "cweId": 20,
+            "cvss*": "any cvss calc values"
+          },
+          "severity": "INFO",
+          "firstScanId": "fc6a6e5e-3dab-4b3f-af2b-6dcf446626ef",
+          "firstFoundAt": "2021-03-25T19:09:06Z",
+          "foundAt": "2021-03-25T20:07:30Z",
+          "status": "RECURRENT",
+          "state": "CONFIRMED",          
+          "data": {
+            "description": "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.3, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.",
+            "recommendations": "",
+            "packageId": "Maven-commons-beanutils:commons-beanutils-1.8.3",
+            "recommendedVersion": "1.9.4",
+            "exploitableMethods": [
+              ""
+            ],
+            "packagePublishDate": "2014-04-30T10:49:00Z",
+            "packageData": [
+              {
+                "url": "https://issues.apache.org/jira/browse/BEANUTILS-520",
+                "type": "Issue",
+                "comment": "Apache Commons BeanUtils"
+              },
+              {
+                "url": "https://github.com/apache/commons-beanutils/pull/7",
+                "type": "Pull request",
+                "comment": ""
+              }
+            ]
+          },
+          "comments": "href to comments?"
+        },    
+        {
+          "id": "12347",
+          "similarityId": "-1",
+          "vulnerabilityDetails": {
+            "royaltyFree": "Free",
+            "copyrightRiskScore": "3",
+            "linking": "NonViral",
+            "copyLeft": "NoCopyleft",
+            "patentRiskScore": "3"
+          },
+          "severity": "LOW",
+          "firstScanId": "fc6a6e5e-3dab-4b3f-af2b-6dcf446626ef",
+          "firstFoundAt": "2021-03-25T19:09:06Z",
+          "foundAt": "2021-03-25T20:07:30Z",
+          "status": "RECURRENT",
+          "state": "CONFIRMED",
+          "type": "license",
+          "data": {
+            "queryId": "Unknown-abbrev-1.0.9-ISC",
+            "queryName": "ISC",
+            "queryUrl": "https://opensource.org/licenses/ISC",
+            "packageType": "Npm",
+            "packageUrl": "https://www.npmjs.com/package/abbrev/v/1.0.9"
+          },
+          "comments": "href to comments?"
+        },
+        {
+          "id": "12348",
+          "type": "infrastructure",
+          "similarityId": "80c80ca05c3cd6fdddc808e042d3a404aee120a7419d89649c909409d6235614",
+          "vulnerabilityDetails": {
+            "tbd": "tbd"
+          },
+          "severity": "MEDIUM",
+          "firstScanId": "fc6a6e5e-3dab-4b3f-af2b-6dcf446626ef",
+          "firstFoundAt": "2021-03-25T19:09:06Z",
+          "foundAt": "2021-03-25T20:07:30Z",
+          "status": "RECURRENT",
+          "state": "NOT_EXPLOITABLE",
+          "data": {
+            "queryId": "a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b",
+            "queryName": "AD Admin Not Configured For SQL Server",
+            "group": "Build Process",
+            "queryUrl": "https://docs.docker.com/engine/reference/builder/#entrypoint",
+            "fileName": "/terraform/azure/sql.tf",
+            "line": 9,
+            "platform": "Terraform",
+            "issueType": "IncorrectValue",
+            "searchKey": "FROM={{alpine:3.12.0}}.{{CMD /entrypoint.sh && crond -l 2 -f}}",
+            "searchValue": "",
+            "expectedValue": "FROM={{alpine:3.12.0}}.{{CMD /entrypoint.sh && crond -l 2 -f}} is in the JSON Notation",
+            "actualValue": "FROM={{alpine:3.12.0}}.{{CMD /entrypoint.sh && crond -l 2 -f}} isn't in the JSON Notation",
+            "value": null,
+            "description": "Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments"
+          },
+          "comments": "href to comments?"
+        }
+  ]
+}