diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..e9abcc1d --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,26 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + + - package-ecosystem: "gradle" + directory: "/" + schedule: + interval: "weekly" + + - package-ecosystem: "gitsubmodule" + directory: "/" + schedule: + interval: "weekly" + + - package-ecosystem: "maven" + directory: "/" + schedule: + interval: "weekly" + + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" \ No newline at end of file diff --git a/.github/workflows/cfd-codeql.yml b/.github/workflows/cfd-codeql.yml new file mode 100644 index 00000000..1e318cd6 --- /dev/null +++ b/.github/workflows/cfd-codeql.yml 
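Review bot: The `gradle` entry uses `directory: "/"`, but the Gradle build files this commit changes live under `packages/clients/android/`, and Dependabot reads a manifest only from the directory it is given rather than searching subdirectories, so that entry is unlikely to ever produce an update. Change it to `directory: "/packages/clients/android"`, and check whether the `maven`, `npm` and `gitsubmodule` entries actually have a manifest at the repository root; entries without one just surface as configuration errors in the Dependabot tab. The file is also written without a trailing newline (`\ No newline at end of file`), which most YAML linters flag.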
@@ -0,0 +1,88 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: [ "develop" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "develop" ] + schedule: + - cron: '33 4 * * 6' + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'java' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout repository + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@18fe527fa8b29f134bb91f32f1a5dc5abb15ed7f + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 
+ # If this step fails, then you should remove it and run the build manually (see below) + #- name: Autobuild + #uses: github/codeql-action/autobuild@18fe527fa8b29f134bb91f32f1a5dc5abb15ed7f + - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 + - name: Set up JDK 11 + uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc + with: + java-version: '11' + distribution: 'temurin' + - name: Build with Gradle + uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef + with: + gradle-version: 7.2 + arguments: build + build-root-directory: /home/runner/work/Goatlin/Goatlin/packages/clients/android + + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@18fe527fa8b29f134bb91f32f1a5dc5abb15ed7f diff --git a/.github/workflows/cfd-flawfinder.yml b/.github/workflows/cfd-flawfinder.yml new file mode 100644 index 00000000..a49c12df --- /dev/null +++ b/.github/workflows/cfd-flawfinder.yml 
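Review bot: The job checks the repository out twice — `actions/checkout` is the first step and appears again right after `codeql-action/init`, where the commented-out Autobuild used to be — and the second `- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8` line is redundant and should go. The Gradle step hard-codes `build-root-directory: /home/runner/work/Goatlin/Goatlin/packages/clients/android`, which breaks on a fork, a renamed repository or a self-hosted runner; `build-root-directory: packages/clients/android` (the action should resolve it against the workspace) is portable, and the same absolute path recurs in cfd-gradle.yml, cfd-flawfinder.yml, cfd-mobsfscan.yml and cfd-semgrep.yml. Pinning every action to a commit SHA is good, but only the scorecard workflow annotates its pins with a `# vX.Y.Z` comment; adding one to each pin here makes the Dependabot bumps reviewable. `gradle-version: 7.2` is an unquoted float and is safer written as `gradle-version: '7.2'`.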
@@ -0,0 +1,43 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: flawfinder + +on: + push: + branches: [ "develop" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "develop" ] + schedule: + - cron: '27 23 * * 1' + +permissions: + contents: read + + +jobs: + flawfinder: + name: Flawfinder + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 + + - name: flawfinder_scan + uses: david-a-wheeler/flawfinder@c57197cd6061453f10a496f30a732bc1905918d1 + with: + arguments: '--sarif ./home/runner/work/Goatlin/Goatlin/packages/clients/android' + output: 'flawfinder_results.sarif' + + + - name: Upload analysis results to GitHub Security tab + uses: github/codeql-action/upload-sarif@18fe527fa8b29f134bb91f32f1a5dc5abb15ed7f + with: + sarif_file: ${{github.workspace}}/flawfinder_results.sarif diff --git a/.github/workflows/cfd-gradle.yml b/.github/workflows/cfd-gradle.yml new file mode 100644 index 00000000..d269d170 --- /dev/null +++ b/.github/workflows/cfd-gradle.yml 
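Review bot: The scan target in `arguments: '--sarif ./home/runner/work/Goatlin/Goatlin/packages/clients/android'` is a relative path (leading `./`), so it resolves to `<workspace>/home/runner/work/…`, which will almost certainly not exist; the scan then errors or covers nothing, and the SARIF upload reports a clean result. Use `arguments: '--sarif packages/clients/android'`. Note also that flawfinder only inspects C/C++ sources, so unless that directory contains native (NDK) code the workflow can never report anything and is better removed than kept as a permanently green check.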
@@ -0,0 +1,40 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time +# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle + +name: Java CI with Gradle + +on: + push: + branches: [ "develop" ] + pull_request: + branches: [ "develop" ] + +permissions: + contents: read + +jobs: + build: + permissions: + actions: read + contents: read + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 + - name: Set up JDK 11 + uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc + with: + java-version: '11' + distribution: 'temurin' + - name: Build with Gradle + uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef + with: + gradle-version: 7.2 + arguments: build + build-root-directory: /home/runner/work/Goatlin/Goatlin/packages/clients/android + + diff --git a/.github/workflows/cfd-mobsfscan.yml b/.github/workflows/cfd-mobsfscan.yml new file mode 100644 index 00000000..b159859f --- /dev/null +++ b/.github/workflows/cfd-mobsfscan.yml 
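Review bot: `gradle-version: 7.2` pins the Gradle release a second time, separately from the wrapper that this same commit sets to `gradle-7.2-bin.zip` in gradle-wrapper.properties; the two will drift at the next Dependabot bump, so either drop the key so the action uses the wrapper (its default), or add a comment saying why the wrapper is bypassed. The value is also an unquoted float — harmless for `7.2`, but `7.10` would be read as `7.1` — so write `gradle-version: '7.2'`. The job-level `actions: read` permission appears unused by the three steps here (no SARIF upload) and can be dropped to keep the token minimal. The absolute `build-root-directory` path has the same portability problem as in cfd-codeql.yml.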
@@ -0,0 +1,42 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: MobSF + +on: + push: + branches: [ "develop" ] + pull_request: + branches: [ "develop" ] + schedule: + - cron: '39 8 * * 0' + +permissions: + contents: read + +jobs: + mobile-security: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 + + - name: Setup python + uses: actions/setup-python@13ae5bb136fac2878aff31522b9efb785519f984 + with: + python-version: 3.8 + + - name: Run mobsfscan + uses: MobSF/mobsfscan@9bef3983eb13051b2162626717eeaed96c3fbbd7 + with: + args: /home/runner/work/Goatlin/Goatlin/packages/clients/android --sarif --output results.sarif || true + + - name: Upload mobsfscan report + uses: github/codeql-action/upload-sarif@18fe527fa8b29f134bb91f32f1a5dc5abb15ed7f + with: + sarif_file: results.sarif diff --git a/.github/workflows/cfd-scorecard.yml b/.github/workflows/cfd-scorecard.yml new file mode 100644 index 00000000..b5679b03 --- /dev/null +++ b/.github/workflows/cfd-scorecard.yml 
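Review bot: The `|| true` appended to `args:` only does what is intended if the action hands the string to a shell; if it passes the arguments straight to mobsfscan, `||` and `true` become literal path arguments, and in either case a real scanner crash is hidden behind a green step. Express the intent at the workflow level instead: `continue-on-error: true` on the scan step (mobsfscan exits non-zero when it has findings) and `if: always()` on the upload step, as cfd-semgrep.yml already does. `python-version: 3.8` should be quoted (`'3.8'`) because the same unquoted form would turn `3.10` into the float 3.1, and the absolute `/home/runner/work/Goatlin/Goatlin/...` path in `args:` has the portability problem noted on cfd-codeql.yml.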
@@ -0,0 +1,63 @@ +name: Scorecards supply-chain security +on: + # Only the default branch is supported. + branch_protection_rule: + schedule: + - cron: '35 15 * * 5' + push: + branches: [ "develop" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecards analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Used to receive a badge. (Upcoming feature) + id-token: write + # Needs for private repositories. + contents: read + actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.0 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d + with: + results_file: results.sarif + results_format: sarif + # root_folder: /home/runner/work/VulnerableAndroidApplication/VulnerableAndroidApplication/MaliciousApplication + # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecards on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} + + # Publish the results for public repositories to enable scorecard badges. For more details, see + # https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories, `publish_results` will automatically be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. 
+ - name: "Upload artifact" + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@18fe527fa8b29f134bb91f32f1a5dc5abb15ed7f # v1.0.26 + with: + sarif_file: results.sarif diff --git a/.github/workflows/cfd-secret-token-leaks.yml b/.github/workflows/cfd-secret-token-leaks.yml new file mode 100644 index 00000000..5828bd8c --- /dev/null +++ b/.github/workflows/cfd-secret-token-leaks.yml @@ -0,0 +1,33 @@ +# This is a basic workflow to help you get started with Actions + +name: Secret-token-leaks + +# Controls when the workflow will run +on: + # Triggers the workflow on push or pull request events but only for the "main" branch + push: + branches: [ "develop" ] + pull_request: + branches: [ "develop" ] + +permissions: # added using https://github.com/step-security/secure-workflows + contents: read +jobs: + TruffleHog: + permissions: + actions: read + contents: read + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 + with: + fetch-depth: 0 + - name: TruffleHog OSS + uses: trufflesecurity/trufflehog@a7fc12240f8ce02df55c8b808755088f3b7eec7d + with: + path: ./Goatlin/packages/clients/android + base: ${{ github.event.repository.default_branch }} + head: HEAD + args: --debug + diff --git a/.github/workflows/cfd-semgrep.yml b/.github/workflows/cfd-semgrep.yml new file mode 100644 index 00000000..818d181f --- /dev/null +++ b/.github/workflows/cfd-semgrep.yml 
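Review bot: The commented `# root_folder: /home/runner/work/VulnerableAndroidApplication/VulnerableAndroidApplication/MaliciousApplication` is copy-paste residue from a different repository and should be removed or repointed at this one before someone uncomments it. The version annotations on the pins also need checking: `upload-sarif@18fe527fa8b29f134bb91f32f1a5dc5abb15ed7f # v1.0.26` claims a v1 tag while the same SHA serves as `codeql-action/init` and `analyze` in cfd-codeql.yml, and a wrong tag comment is worse than none because reviewers and Dependabot trust it. `id-token: write` is presumably needed because `publish_results: true` publishes via an OIDC token, so the "Upcoming feature" comment above it is stale and could say that instead.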
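Review bot: `path: ./Goatlin/packages/clients/android` points at a directory the checkout does not create: `actions/checkout` places the repository contents directly in the workspace, so there is no `Goatlin/` subfolder, and a TruffleHog git scan wants the repository root in any case (`path: ./`). With `base: ${{ github.event.repository.default_branch }}` and `head: HEAD`, a push to the default branch yields base == head and an empty range; confirm how the pinned action version treats that, or leave `base`/`head` unset on push events so history is scanned. `args: --debug` makes the logs very verbose and looks like setup residue. The checkout step should also set `persist-credentials: false`, as the scorecard workflow does, since the job needs only read access and runs a third-party action.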
@@ -0,0 +1,48 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow file requires a free account on Semgrep.dev to +# manage rules, file ignores, notifications, and more. +# +# See https://semgrep.dev/docs + + +name: Semgrep + +on: + push: + branches: [ "develop" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "develop" ] + schedule: + - cron: '36 15 * * 2' + +permissions: + contents: read + +jobs: + semgrep: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + name: Scan + runs-on: ubuntu-latest + steps: + # Checkout project source + - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 + + # Scan code using project's configuration on https://semgrep.dev/manage + - uses: returntocorp/semgrep-action@448aa1b48f5a64cf0b4853f4b8c958f86e448267 + with: + publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} + generateSarif: "1" + path: '/home/runner/work/Goatlin/Goatlin/packages/clients/android' + # Upload SARIF file generated in previous step + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@18fe527fa8b29f134bb91f32f1a5dc5abb15ed7f + with: + sarif_file: semgrep.sarif + if: always() diff --git a/packages/clients/android/app/build.gradle b/packages/clients/android/app/build.gradle index 13c88659..7699d52d 100644 --- a/packages/clients/android/app/build.gradle +++ b/packages/clients/android/app/build.gradle 
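Review bot: `publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}` is empty on `pull_request` runs from forks, where GitHub withholds repository secrets, so those runs will either fail or fall back to whatever the action does without a token; decide whether fork PRs should run with an explicit `config:` ruleset or not at all, and document the choice in a comment next to the step. `path: '/home/runner/work/Goatlin/Goatlin/packages/clients/android'` has the same absolute-path problem raised on cfd-codeql.yml; `path: packages/clients/android` is portable. Adding `persist-credentials: false` to the checkout would keep the token out of `.git/config` while the third-party scanner runs.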
@@ -20,11 +20,14 @@ android { proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro' } } + lintOptions { + abortOnError false + } } dependencies { implementation fileTree(dir: 'libs', include: ['*.jar']) - implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk7:$kotlin_version" + implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk8:$kotlin_version" implementation 'com.android.support:appcompat-v7:26.1.0' implementation 'com.android.support:design:26.1.0' implementation 'com.android.support.constraint:constraint-layout:1.1.3' diff --git a/packages/clients/android/build.gradle b/packages/clients/android/build.gradle index 1034ba75..90a92bbb 100644 --- a/packages/clients/android/build.gradle +++ b/packages/clients/android/build.gradle @@ -1,13 +1,13 @@ // Top-level build file where you can add configuration options common to all sub-projects/modules. buildscript { - ext.kotlin_version = '1.3.10' + ext.kotlin_version = '1.7.20' repositories { google() jcenter() } dependencies { - classpath 'com.android.tools.build:gradle:3.4.1' + classpath 'com.android.tools.build:gradle:7.1.1' classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version" // NOTE: Do not place your application dependencies here; they belong diff --git a/packages/clients/android/gradle/wrapper/gradle-wrapper.properties b/packages/clients/android/gradle/wrapper/gradle-wrapper.properties index 7307f150..4d2a3b9e 100644 --- a/packages/clients/android/gradle/wrapper/gradle-wrapper.properties +++ b/packages/clients/android/gradle/wrapper/gradle-wrapper.properties @@ -1,6 +1,6 @@ -#Mon Jun 24 17:53:57 WEST 2019 +#Thu Feb 16 21:33:53 IST 2023 distributionBase=GRADLE_USER_HOME +distributionUrl=https\://services.gradle.org/distributions/gradle-7.2-bin.zip distributionPath=wrapper/dists -zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-5.1.1-all.zip +zipStoreBase=GRADLE_USER_HOME
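Review bot: `lintOptions { abortOnError false }` makes Android Lint non-blocking, so lint errors — including its security checks — no longer fail the `gradle build` that the new CI workflows run; if that is deliberate for this project, say so in a comment on the block, otherwise keep the gate and suppress specific issue ids instead. With the toolchain moved to AGP 7.1.1 in this same commit, `lintOptions` is the older spelling and the `lint { ... }` block is the current one; verify against the AGP version actually resolved before switching. The `dependencies` block this hunk edits continues past the hunk.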