From 43e079d3fc56770a8c75edfca471ad576d4b642a Mon Sep 17 00:00:00 2001 From: ShiftLeft Date: Wed, 16 Mar 2022 12:16:05 -0400 Subject: [PATCH 1/7] adding ShiftLeft build rules --- shiftleft.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 shiftleft.yml diff --git a/shiftleft.yml b/shiftleft.yml new file mode 100644 index 00000000..220d4baf --- /dev/null +++ b/shiftleft.yml @@ -0,0 +1,12 @@ +build_rules: + - id: allow-zero-findings + finding_types: + - vuln + - secret + - insight + - "*" + severity: + - SEVERITY_MEDIUM_IMPACT + - SEVERITY_HIGH_IMPACT + - SEVERITY_LOW_IMPACT + threshold: 0 \ No newline at end of file From 252ba930d81fe27764630a520d2a4e2a44b3418d Mon Sep 17 00:00:00 2001 From: ShiftLeft Date: Wed, 16 Mar 2022 12:16:05 -0400 Subject: [PATCH 2/7] adding ShiftLeft GitHub action --- .github/workflows/shiftleft.yml | 74 +++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 .github/workflows/shiftleft.yml diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml new file mode 100644 index 00000000..863aa44d --- /dev/null +++ b/.github/workflows/shiftleft.yml @@ -0,0 +1,74 @@ +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: ShiftLeft + +on: + pull_request: + workflow_dispatch: + +jobs: + NextGen-Static-Analysis: + runs-on: windows-latest + + steps: + - uses: actions/checkout@v2 + - name: Setup .NET + uses: actions/setup-dotnet@v1 + with: + dotnet-version: 5.0.x + - name: Download ShiftLeft CLI + run: | + Invoke-WebRequest -Uri 'https://cdn.shiftleft.io/download/sl-latest-windows-x64.zip' -OutFile sl.zip + Expand-Archive -Path sl.zip -DestinationPath . + + - name: Build web api + run: dotnet build netcoreWebapi + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + - name: Analyze with NextGen Static Analysis + run: .\sl analyze --strict --app shiftleft-csharp-demo --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --csharp --dotnet --cpg netcoreWebapi/netcoreWebapi.csproj + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + + - name: Create status check + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + URL: https://app.shiftleft.io/findingsSummary/shiftleft-csharp-demo?apps=shiftleft-csharp-demo&isApp=1 + run: | + $params = @{ + Uri = "https://api.github.com/repos/$ENV:GITHUB_REPOSITORY/check-runs" + Headers = @{ + 'Authorization' = "Bearer $ENV:GITHUB_TOKEN" + 'Accept' = 'application/vnd.github.antiope-preview+json' + } + Method = 'POST' + Body = "{`"name`": `"ShiftLeft NextGen Static Analysis`", `"head_sha`": `"$ENV:GITHUB_REF`", `"external_id`": `"shiftleft-csharp-demo`", `"details_url`": `"$ENV:URL`", `"status`": `"completed`", `"conclusion`": `"action_required`", `"output`": {`"title`": `"ShiftLeft NextGen Static Analysis Findings`", `"summary`": `"Visit $ENV:URL for the findings`"}}" + ContentType = 'application/json' + } + Invoke-RestMethod @params + + Build-Rules: + runs-on: windows-latest + needs: NextGen-Static-Analysis + steps: + - uses: actions/checkout@v2 + - name: Download ShiftLeft CLI + run: | + Invoke-WebRequest -Uri 'https://cdn.shiftleft.io/download/sl-latest-windows-x64.zip' -OutFile sl.zip + Expand-Archive -Path sl.zip -DestinationPath . + - name: Validate Build Rules + run: | + .\sl check-analysis --app shiftleft-csharp-demo ` + --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" ` + --report ` + --github-pr-number=${{github.event.number}} ` + --github-pr-user=${{ github.repository_owner }} ` + --github-pr-repo=${{ github.event.repository.name }} ` + --github-token=${{ secrets.GITHUB_TOKEN }} + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + From 795991086d7629e9e731691991e38c4becde9c33 Mon Sep 17 00:00:00 2001 From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com> Date: Wed, 16 Mar 2022 12:17:20 -0400 Subject: [PATCH 3/7] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7df0aab5..804e7420 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# ShiftLeft C# Demo +# ShiftLeft C# Demo - Chuck B. This repository contains a vulnerable .NET application that is used in automated demos on shiftleft.io It is derived from: https://github.com/ShiftLeftSecurity/shiftleft-csharp-example From 351b34f6ee1de005e0f429b8892acdc8955c0c2b Mon Sep 17 00:00:00 2001 From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com> Date: Mon, 21 Mar 2022 09:10:47 -0400 Subject: [PATCH 4/7] Update shiftleft.yml Commented out insights and * --- shiftleft.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/shiftleft.yml b/shiftleft.yml index 220d4baf..495d08ec 100644 --- a/shiftleft.yml +++ b/shiftleft.yml @@ -3,10 +3,10 @@ build_rules: finding_types: - vuln - secret - - insight - - "*" +# - insight +# - "*" severity: - SEVERITY_MEDIUM_IMPACT - SEVERITY_HIGH_IMPACT - SEVERITY_LOW_IMPACT - threshold: 0 \ No newline at end of file + threshold: 0 From ed70063cbb869c62434135033fa28b992bab6564 Mon Sep 17 00:00:00 2001 From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com> Date: Tue, 22 Mar 2022 12:12:07 -0400 Subject: [PATCH 5/7] Create CustomersController.cs --- netcoreWebapi/Controllers/CustomersController.cs | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/netcoreWebapi/Controllers/CustomersController.cs b/netcoreWebapi/Controllers/CustomersController.cs index 86854152..39f7ef71 100644 --- a/netcoreWebapi/Controllers/CustomersController.cs +++ b/netcoreWebapi/Controllers/CustomersController.cs @@ -96,8 +96,17 @@ public JsonResult Get(string sql) { const string connection = @"Data Source=MyData;Initial Catalog=Product;Trusted_Connection=true"; var conn = new SqlConnection(connection); - string query = "INSERT INTO customers " + sql; + /* Vulnerable Code Block + string query = "INSERT INTO customers" + sql; var command = new SqlCommand(query, conn); + */ + + // **************************************************** + //Remediated Code Block + string query = "INSERT INTO customers @sql"; + var command = new SqlCommand(query, conn); + command.Parameters.AddwithValue("@slq", sql); + // **************************************************** int result = command.ExecuteNonQuery(); return Json(string.Format("Result: {0}", result)); } From e06fb7e52f86f60472dd4595103e16d466ba1ebf Mon Sep 17 00:00:00 2001 From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com> Date: Tue, 22 Mar 2022 13:00:59 -0400 Subject: [PATCH 6/7] Update CustomersController.cs --- netcoreWebapi/Controllers/CustomersController.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/netcoreWebapi/Controllers/CustomersController.cs b/netcoreWebapi/Controllers/CustomersController.cs index 39f7ef71..c5a77007 100644 --- a/netcoreWebapi/Controllers/CustomersController.cs +++ b/netcoreWebapi/Controllers/CustomersController.cs @@ -105,7 +105,7 @@ public JsonResult Get(string sql) //Remediated Code Block string query = "INSERT INTO customers @sql"; var command = new SqlCommand(query, conn); - command.Parameters.AddwithValue("@slq", sql); + command.Parameters.AddWithValue("@slq", sql); // **************************************************** int result = command.ExecuteNonQuery(); return Json(string.Format("Result: {0}", result)); From 77664da2f453bbefe3cf07ecc88c2ef48bf84d17 Mon Sep 17 00:00:00 2001 From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com> Date: Tue, 22 Mar 2022 13:39:58 -0400 Subject: [PATCH 7/7] Update CustomersController.cs --- netcoreWebapi/Controllers/CustomersController.cs | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/netcoreWebapi/Controllers/CustomersController.cs b/netcoreWebapi/Controllers/CustomersController.cs index c5a77007..dfb3ea9f 100644 --- a/netcoreWebapi/Controllers/CustomersController.cs +++ b/netcoreWebapi/Controllers/CustomersController.cs @@ -96,16 +96,15 @@ public JsonResult Get(string sql) { const string connection = @"Data Source=MyData;Initial Catalog=Product;Trusted_Connection=true"; var conn = new SqlConnection(connection); - /* Vulnerable Code Block + // ************************************************** Vulnerable Code Block string query = "INSERT INTO customers" + sql; var command = new SqlCommand(query, conn); - */ - // **************************************************** - //Remediated Code Block - string query = "INSERT INTO customers @sql"; - var command = new SqlCommand(query, conn); - command.Parameters.AddWithValue("@slq", sql); + // ************************************************** + // ************************************************** Remediated Code Block + //string query = "INSERT INTO customers @sql"; + //var command = new SqlCommand(query, conn); + //command.Parameters.AddWithValue("@slq", sql); // **************************************************** int result = command.ExecuteNonQuery(); return Json(string.Format("Result: {0}", result));