Test

.github/workflows/snyk-security.yml

@@ -0,0 +1,104 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow which sets up Snyk to analyze the full Snyk platform (Snyk Open Source, Snyk Code,
+# Snyk Container and Snyk Infrastructure as Code)
+# The setup installs the Snyk CLI - for more details on the possible commands
+# check https://docs.snyk.io/snyk-cli/cli-reference
+# The results of Snyk Code are then uploaded to GitHub Security Code Scanning
+#
+# In order to use the Snyk Action you will need to have a Snyk API token.
+# More details in https://github.com/snyk/actions#getting-your-snyk-token
+# or you can signup for free at https://snyk.io/login
+#
+# For more examples, including how to limit scans to only high-severity issues
+# and fail PR checks, see https://github.com/snyk/actions/
+
+
+name: Snyk Security
+
+on:
+  push:
+    branches: ["main" ]
+  pull_request:
+    branches: ["main"]
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  snyk:
+    env:
+      # This is where you will need to introduce the Snyk API token created with your Snyk account
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+    permissions:
+      contents: write # for actions/checkout to fetch code and write bumped version back
+      packages: write
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout code
+        uses: actions/checkout@v4
+
+      - name: setup jdk 8
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'zulu'
+          java-version: 8
+          server-id: github # Value of the distributionManagement/repository/id field of the pom.xml
+          settings-path: ${{ github.workspace }} # location for the settings.xml file
+
+      - name: unit tests
+        run: mvn -B test --file pom.xml
+
+      - name: build the app
+        run: |
+          mvn clean
+          mvn -B install --file pom.xml
+
+      - name: Set up Snyk CLI to check for security issues
+        # Snyk can be used to break the build when it detects security issues.
+        # In this case we want to upload the SAST issues to GitHub Code Scanning
+        uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
+
+        # For Snyk Open Source you must first set up the development environment for your application's dependencies
+        # For example for Node
+        #- uses: actions/setup-node@v4
+        #  with:
+        #    node-version: 20
+
+        # Runs Snyk Code (SAST) analysis and uploads result into GitHub.
+        # Use || true to not fail the pipeline
+
+      - name: Snyk Code test
+        run: snyk code test --debug --org=${{ env.SNYK_ORG_ID }} --sarif > snyk-code.sarif || true
+
+        # Runs Snyk Open Source (SCA) analysis and uploads result to Snyk.
+      - name: Snyk Open Source monitor
+        run: snyk monitor --all-projects --target-reference=cicd || true
+
+        # Runs Snyk Infrastructure as Code (IaC) analysis and uploads result to Snyk.
+        # Use || true to not fail the pipeline.
+      - name: Snyk IaC test and report
+        run: snyk iac test --report --target-reference=cicd || true
+
+        # Push the Snyk Code results into GitHub Code Scanning tab
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: snyk-code.sarif
+
+    #  - name: Automated Github Action Maven Version Bump
+    #    uses: mickem/[email protected]
+
+    #    # Publish the built artifact to the github maven repo
+    #  - name: Publish to GitHub Packages Apache Maven
+    #    env:
+    #      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    #    if: steps.bump.outputs.bumped == false
+    #    run: |
+    #      mvn deploy -s $GITHUB_WORKSPACE/settings.xml

azure-pipelines.yml

@@ -0,0 +1,42 @@
+# Node.js
+# Build a general Node.js project with npm.
+# Add steps that analyze code, save build artifacts, deploy, and more:
+# https://docs.microsoft.com/azure/devops/pipelines/languages/javascript
+
+trigger:
+- main
+
+pool:
+  vmImage: ubuntu-latest
+
+steps:
+- task: NodeTool@0
+  inputs:
+    versionSpec: '20.x'
+  displayName: 'Install Node.js'
+
+- script: |
+    npm install
+    npm run build
+  displayName: 'npm install and build'
+
+  # snyk code
+  - script: snyk code test --sarif-file-output=CodeAnalysisLogs/snyk-code.sarif
+    continueOnError: true
+    displayName: 'snyk code'
+
+  # snyk open source
+  - script: snyk test --all-projects --sarif-file-output=CodeAnalysisLogs/snyk-open-source.sarif
+    continueOnError: true
+    displayName: 'snyk open source'
+
+  # snyk container
+  # NOTE: Change this to your container name
+  - script: snyk container test sebsnyk/juice-shop --file=Dockerfile --sarif-file-output=CodeAnalysisLogs/snyk-container.sarif
+    continueOnError: true
+    displayName: 'snyk container'
+
+  # snyk iac
+  - script: snyk iac test --sarif-file-output=CodeAnalysisLogs/snyk-iac.sarif
+    continueOnError: true
+    displayName: 'snyk iac'

log4shell-goof/log4shell-server/k8s/imagebuild.sh

@@ -8,7 +8,7 @@ else
 fi
 
 echo "📦 Building image ${DOCKER_ACCOUNT}/log4shell-server:latest ..."
-docker build -t ${DOCKER_ACCOUNT}/log4shell-server:latest $MYDIR/..
+docker build --platform linux/arm64 -t ${DOCKER_ACCOUNT}/log4shell-server:latest $MYDIR/..
 echo
 echo "🚚 Pushing image to DockerHub..."
-docker push ${DOCKER_ACCOUNT}/log4shell-server:latest
+docker push --platform linux/arm64 ${DOCKER_ACCOUNT}/log4shell-server:latest

pom.xml

@@ -4,7 +4,7 @@
 
     <groupId>io.github.snyk</groupId>
     <artifactId>java-goof</artifactId>
-    <version>0.0.1-SNAPSHOT</version>
+    <version>0.0.2</version>
     <name>Java Goof</name>
     <description>A collection of vulnerable Java apps</description>
     <url>https://github.com/snyk-labs/java-goof</url>

todolist-goof/k8s/imagebuild.sh

@@ -8,7 +8,7 @@ else
 fi
 
 echo "📦 Building image ${DOCKER_ACCOUNT}/java-goof:latest ..."
-docker build -t ${DOCKER_ACCOUNT}/java-goof:latest $MYDIR/..
+docker build --platform linux/arm64 -t ${DOCKER_ACCOUNT}/java-goof:latest $MYDIR/..
 echo
 echo "🚚 Pushing image to DockerHub..."
-docker push ${DOCKER_ACCOUNT}/java-goof:latest
+docker push --platform linux/arm64 ${DOCKER_ACCOUNT}/java-goof:latest

todolist-goof/pom.xml

@@ -58,8 +58,8 @@
                     <version>3.2</version>
                     <configuration>
                         <verbose>true</verbose>
-                        <source>1.7</source>
-                        <target>1.7</target>
+                        <source>1.8</source>
+                        <target>1.8</target>
                         <showWarnings>true</showWarnings>
                     </configuration>
                 </plugin>

todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/api/TodoRepository.java

@@ -83,4 +83,11 @@ public interface TodoRepository {
      */
     void remove(final Todo todo);
 
+    /**
+     * Wibble a todo.
+     *
+     * @param todo the todo to wibble
+     */
+    void wibble(final Todo todo);
+
 }

todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/impl/TodoRepositoryImpl.java

@@ -94,4 +94,12 @@ public void remove(final Todo todo) {
         entityManager.remove(t);
     }
 
+    /**
+     * {@inheritDoc}
+     */
+    public void wibble(final Todo todo) {
+        Todo t = entityManager.find(Todo.class, todo.getId());
+        entityManager.remove(t);
+    }
+
 }

todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/impl/TodoServiceImpl.java

@@ -89,4 +89,5 @@ public Todo create(final Todo todo) {
     public void remove(final Todo todo) {
         todoRepository.remove(todo);
     }
+
 }