Added mao's scanning actions from FINOS security scanning

.github/workflows/acceptable-licenses.txt

@@ -0,0 +1,50 @@
+<name>3-Clause BSD License</name>
+<name>Apache 2.0</name>
+<name>Apache 2</name>
+<name>Apache License 2.0</name>
+<name>Apache License, 2.0</name>
+<name>Apache License, Version 2.0</name>
+<name>Apache License, version 2.0</name>
+<name>Apache-2.0</name>
+<name>Apple License</name>
+<name>BSD 2-Clause</name>
+<name>BSD License 3</name>
+<name>BSD-2-Clause</name>
+<name>BSD-3-Clause</name>
+<name>Bouncy Castle Licence</name>
+<name>CC0</name>
+<name>CDDL + GPLv2 with classpath exception</name>
+<name>CDDL 1.1</name>
+<name>CDDL+GPL License</name>
+<name>CDDL/GPLv2+CE</name>
+<name>COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0</name>
+<name>Dual license consisting of the CDDL v1.1 and GPL v2</name>
+<name>EDL 1.0</name>
+<name>EPL 2.0</name>
+<name>Eclipse Distribution License - v 1.0</name>
+<name>Eclipse Public License - v 1.0</name>
+<name>Eclipse Public License - v 2.0</name>
+<name>Eclipse Public License v2.0</name>
+<name>GNU Lesser General Public License</name>
+<name>GPL2 w/ CPE</name>
+<name>LGPL 2.1</name>
+<name>MIT License</name>
+<name>MIT license</name>
+<name>MPL 1.1</name>
+<name>Modified BSD</name>
+<name>Prior BSD License</name>
+<name>Public Domain, per Creative Commons CC0</name>
+<name>Public Domain</name>
+<name>Similar to Apache License but with the acknowledgment clause removed</name>
+<name>The Apache License, Version 2.0</name>
+<name>The Apache Software License, Version 2.0</name>
+<name>The BSD License</name>
+<name>The GNU Lesser General Public License, Version 2.1</name>
+<name>The MIT License (MIT)</name>
+<name>The MIT License</name>
+<name>Unicode/ICU License</name>
+<name>Universal Permissive License, Version 1.0</name>
+<name>W3C license</name>
+<name>jQuery license</name>
+<name>MIT</name>
+<name>MIT-0</name>

.github/workflows/allow-list.xml

@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress>
+        <notes><![CDATA[
+        Only applies to using spring-web, we barely use this.
+        ]]></notes>
+        <gav>org.springframework:spring-web:5.3.25</gav>
+        <cve>CVE-2016-1000027</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        Only applies to Safari, which we don't use.  I guess may be a problem if running in prod on OSX-x86?
+        ]]></notes>
+        <cve>CVE-2011-1797</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+         Reminder Bot: Doesn't affect SUTime, which is what we're using
+        ]]></notes>
+        <cve>CVE-2022-0239</cve>
+        <cve>CVE-2021-3878</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        Only applies in converting XML to JSON, which we don't use, and we don't use the library for that either (hutool)
+        ]]></notes>
+        <cve>CVE-2022-45688</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        YAML parsing only done for loading spring config.  Never for user-originated data.
+        ]]></notes>
+        <cve>CVE-2022-3064</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        Parsing with Stax API. But we get data from trusted source (Microsoft Teams) so I'm going to suppress.
+        ]]></notes>
+        <cve>CVE-2022-40152</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        Only applies to spring web doing deserializion of untrusted classes.
+        ]]></notes>
+        <cve>CVE-2016-1000027</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        Spel expressions can only be injected by developers/deployers, who should know better. Ignoring this.
+        ]]></notes>
+        <cve>CVE-2023-20863</cve>
+    </suppress>
+
+</suppressions>
+

.github/workflows/cve-scanning.yml

@@ -0,0 +1,28 @@
+name: Maven CVE Scanning
+
+on:
+  pull_request:
+    paths:
+      - 'pom.xml'
+      - '.github/workflows/cve-scanning.yml'
+  push:
+    paths:
+      - 'pom.xml'
+      - '.github/workflows/cve-scanning.yml'
+    schedule:
+      # Run every day at 5am and 5pm
+      - cron: '0 5,17 * * *'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up JDK 11
+        uses: actions/setup-java@v3
+        with:
+          java-version: '11'
+          distribution: 'adopt'
+      - name: Build with Maven
+        run: mvn install org.owasp:dependency-check-maven:check -DskipTests -DfailBuildOnCVSS=8 -DsuppressionFile=".github/workflows/allow-list.xml"

.github/workflows/license-check.yml

@@ -0,0 +1,52 @@
+name: License Scanning for Maven
+
+on:
+  schedule:
+    - cron: '0 8,18 * * 1-5'
+  push:
+    paths:
+      - 'maven/pom.xml'
+      - '.github/workflows/license-check.yml'
+      - '.github/workflows/acceptable-licenses.txt'
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Cache Maven dependencies
+      uses: actions/cache@v2
+      env:
+        cache-name: cache-mvn-modules
+      with:
+        path: ~/.m2
+        key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/pom.xml') }}
+        restore-keys: |
+          ${{ runner.os }}-build-${{ env.cache-name }}-
+          ${{ runner.os }}-build-
+          ${{ runner.os }}-
+    - name: Set up JDK 17
+      uses: actions/setup-java@v3
+      with:
+        java-version: 17
+        distribution: 'adopt'
+    - name: Install XQ
+      run: pip install xq
+    - name: Download deps and plugins
+      run: mvn de.qaware.maven:go-offline-maven-plugin:resolve-dependencies
+    - name: Build 
+      run: mvn install -DskipTests
+    - name: License XML report
+      run: |
+        mvn org.codehaus.mojo:license-maven-plugin:2.0.0:aggregate-download-licenses
+    - name: Validate XML report
+      run: |
+        ALLOW_LICENSES=`cat .github/workflows/acceptable-licenses.txt | sed "s|<name>|name='|" | sed "s|</name>|' |" | tr -s '\n' '~' | sed 's/\~/or /g' `
+        xq "//dependency[count(licenses/license[${ALLOW_LICENSES}])=0]" target/generated-resources/aggregate-licenses.xml  > target/license-issues.xml
+        LINES_FOUND=`cat target/license-issues.xml | grep "<result>" | wc -l`
+        if [ $LINES_FOUND -gt 0 ]; then cat target/license-issues.xml ; exit -1; fi
+    - name: Upload license XML Issues
+      uses: actions/upload-artifact@v3
+      with:
+        name: license-xml-report
+        path: 'target/license-issues.xml' 

.github/workflows/licenses-config-file.xml

@@ -0,0 +1,18 @@
+<!-- Checkout docs on https://www.mojohaus.org/license-maven-plugin/download-licenses-mojo.html#licensesConfigFile -->
+<licenseSummary>
+  <dependencies>
+    <dependency>
+      <groupId>org.openapitools</groupId>
+      <artifactId>jackson-databind-nullable</artifactId>
+      <matchLicenses>
+        <!-- Match an empty list of licenses -->
+      </matchLicenses>
+      <licenses>
+        <license>
+          <name>Apache 2.0</name>
+          <url>https://github.com/OpenAPITools/jackson-databind-nullable/blob/master/LICENSE</url>
+        </license>
+      </licenses>
+    </dependency>
+  </dependencies>
+</licenseSummary>

.github/workflows/semgrep.yml

@@ -0,0 +1,15 @@
+name: Static code analysis (SemGrep)
+
+on: [push, pull_request]
+
+jobs:
+  semgrep:
+    name: run-semgrep
+    runs-on: ubuntu-20.04
+    container:
+      image: returntocorp/semgrep
+    steps:
+    - uses: actions/checkout@v3
+    - run: semgrep scan --error --config auto
+      env:
+        SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

libs/chat-workflow/src/main/java/org/finos/springbot/workflow/actions/form/TableAddRow.java

@@ -45,6 +45,7 @@ public void acceptFormAction(FormAction ea) {
 	}
 
 
+	// nosemgrep
 	@SuppressWarnings("unchecked")
 	protected void addNewRowAction(FormAction ea, String verb) {
 		String tableLocation = verb.substring(0, verb.length() - DO_SUFFIX.length()-1);
@@ -63,7 +64,7 @@ protected void addNewRowAction(FormAction ea, String verb) {
 		rh.accept(wr);
 	}
 
-
+	// nosemgrep
 	protected void newRowFormAction(FormAction ea, String verb) {
 		Map<String, Object> ej = ea.getData();
 		Object workflowObject = ej.get(WorkResponse.OBJECT_KEY);

libs/chat-workflow/src/main/java/org/finos/springbot/workflow/actions/form/TableDeleteRows.java

@@ -28,6 +28,7 @@ public TableDeleteRows(ErrorHandler errorHandler, ResponseHandlers rh) {
 	}
 
 
+	// nosemgrep
 	@SuppressWarnings("unchecked")
 	@Override
 	public void acceptFormAction(FormAction ea) {

libs/chat-workflow/src/main/java/org/finos/springbot/workflow/actions/form/TableEditRow.java

@@ -45,6 +45,7 @@ public void acceptFormAction(FormAction in) {
 		}
 	}
 
+	// nosemgrep
 	protected void updateData(FormAction in, String verb) {
 		String tableLocation = verb.substring(0, verb.length() - UPDATE_SUFFIX.length()-1);
 		tableLocation = fixSpel(tableLocation);
@@ -66,6 +67,7 @@ protected void updateData(FormAction in, String verb) {
 		rh.accept(wr);
 	}
 
+	// nosemgrep
 	protected void createEditForm(FormAction in, String verb) {
 		String tableLocation = verb.substring(0, verb.length() - EDIT_SUFFIX.length()-1);
 		tableLocation = fixSpel(tableLocation);

libs/chat-workflow/src/main/java/org/finos/springbot/workflow/data/DataHandlerConfig.java

@@ -71,6 +71,7 @@ public static List<VersionSpace> scanForWorkClasses(ApplicationContext ac) {
 			.map(bd -> bd.getBeanClassName()) 
 			.map(s -> {
 				try {
+					// nosemgrep
 					return Class.forName(s);
 				} catch (ClassNotFoundException e) {
 					LOG.error("Couldn't instantiate: "+s, e);

libs/chat-workflow/src/main/java/org/finos/springbot/workflow/data/EntityJsonConverter.java

@@ -52,6 +52,7 @@ public String writeValue(Object ej) {
 	public Object fromJson(String formId, Object json) {
 		Class<?> c;
 		try {
+			// nosemgrep
 			c = Class.forName(formId);
 		} catch (ClassNotFoundException e1) {
 			throw new UnsupportedOperationException("Couldn't get class: " + formId);

libs/chat-workflow/src/main/java/org/finos/springbot/workflow/form/FormConverter.java

@@ -47,6 +47,7 @@ public Object convert(Map<String, Object> formValues, String type) throws ClassN
 		// attempt to cast the result.  
 		Class<?> c = null;
 		try {
+			// nosemgrep
 			c = Class.forName(type);
 		} catch (Exception e1) {
 			LOG.debug("Couldn't convert {} ",formValues, e1);

libs/chat-workflow/src/main/java/org/finos/springbot/workflow/java/resolvers/ResolverConfig.java

@@ -12,6 +12,7 @@
 import org.finos.springbot.workflow.content.UnorderedList;
 import org.finos.springbot.workflow.content.Word;
 import org.finos.springbot.workflow.history.AllHistory;
+import org.finos.springbot.workflow.java.mapping.ChatHandlerExecutor;
 import org.springframework.beans.factory.BeanFactory;
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -32,33 +33,46 @@ public class ResolverConfig {
 	 */
 	@Bean
 	public WorkflowResolverFactory springBeanResolver() {
-		return action -> {
-			return new WorkflowResolver() {
+		return new WorkflowResolverFactory() {
+
+			@Override
+			public int getOrder() {
+				return LOW_PRIORITY;
+			}
 
-				@Override
-				public boolean canResolve(MethodParameter mp) {
-					try {
-						Class<?> c = mp.getParameterType();
-						context.getBean(c);
-						return true;
-					} catch (NoSuchBeanDefinitionException e) {
-						return false;
+			@Override
+			public WorkflowResolver createResolver(ChatHandlerExecutor che) {
+				return new WorkflowResolver() {
+
+					@Override
+					public boolean canResolve(MethodParameter mp) {
+						try {
+							Class<?> c = mp.getParameterType();
+							context.getBean(c);
+							return true;
+						} catch (NoSuchBeanDefinitionException e) {
+							return false;
+						}
 					}
-				}
 
-				@Override
-				public Optional<Object> resolve(MethodParameter mp) {
-					try {
-
-						Class<?> c = mp.getParameterType();
-						Object bean = context.getBean(c);
-						return Optional.of(bean);
-					} catch (NoSuchBeanDefinitionException e) {
-						return Optional.empty();
+					@Override
+					public Optional<Object> resolve(MethodParameter mp) {
+						try {
+
+							Class<?> c = mp.getParameterType();
+							Object bean = context.getBean(c);
+							return Optional.of(bean);
+						} catch (NoSuchBeanDefinitionException e) {
+							return Optional.empty();
+						}
 					}
-				}
-			};
+
+
+				};
+			}
 		};
+
+
 	}
 
 	@Bean

libs/symphony-bdk/symphony-bdk-chat-workflow-spring-boot-starter/src/main/java/org/finos/springbot/symphony/form/SymphonyFormConverter.java

@@ -16,6 +16,7 @@ public SymphonyFormConverter(ObjectMapper om) {
 	public Object convert(Map<String, Object> formValues, String type) throws ClassNotFoundException {
 		if (formValues.containsKey("entity.formdata")) {
 			try {
+				// nosemgrep
 				Class<?> c = Class.forName(type);
 				return om.convertValue(formValues.get("entity.formdata"), c);
 			} catch (Exception e1) {