New vulns #2

.cm/SecurityManager.cm

@@ -0,0 +1,36 @@
+manifest:
+  version: 1.0
+
+automations:
+  debug:
+    if:
+      - true
+    run:
+      - action: add-comment@v1
+        args:
+          comment: |
+            PR: {{ pr | dump | safe }}
+
+  Security_comment:
+    if:
+      - {{ jit.metrics.HIGH > 0 }}
+      - {{ pr.conversations | filter(attr='commenter', term='gitstream-cm') | filter (attr='content', term='This PR failed due to High severity vulnerability finding, if you don't fix it please select:') | nope }}
+    run:
+      - action: add-comment@v1
+        args:
+          comment: |
+            This PR failed due to High severity vulnerability finding, if you don't fix it please select:
+            - [ ] I need help with that fix.
+            - [ ] I want to accept the risk, please approve.     
+            - [ ] This is false positive, please approve.
+            - [ ] This is a test / simulator environment, please exclude.
+
+  Security_comment_response:
+    if:
+      - {{ pr.conversations | filter(attr='commenter', term='gitstream-cm') | filter (attr='content', term='- [x] I need help with that fix.') | some}}
+    run:
+      - action: add-label@v1
+        args:
+          label: "Fix pending"
+
+jit: {{ pr | extractJitFindings }}

.cm/jit-and-sonar.cm

@@ -0,0 +1,106 @@
+# -*- mode: yaml -*-
+
+manifest:
+  version: 1.0
+
+config:
+  admin:
+    users: ['EladKohavi']
+
+automations:
+  mark_bugs:
+    if:
+      - {{ sonar.bugs.count > 0 }}
+    run: 
+      - action: add-label@v1
+        args:
+          label: '{{ sonar.bugs.count }} Bugs 🐞'
+          color: {{ colors.bugs }}
+  mark_code_smell:
+    if:
+      - {{ sonar.code_smells.count > 0 }}
+    run: 
+      - action: add-label@v1
+        args:
+          label: '{{ sonar.code_smells.count }} Code Smells 💩'
+          color: {{ colors.code_smells }}
+  mark_security_hotspots:
+    if:
+      - {{ sonar.security_hotspots.count > 0 }}
+    run: 
+      - action: add-label@v1
+        args:
+          label: '{{ sonar.security_hotspots.count }} Security hotspots 🌶️'
+          color: {{ colors.security_hotspots }}
+      - action: add-reviewers@v1
+        args:
+          reviewers: [Dudu-linb]
+  mark_outstanding_pr:
+    if:
+      - {{ sonar.bugs.count == 0 }}
+      - {{ sonar.code_smells.count == 0 }}
+      - {{ sonar.vulnerabilities.count == 0 }}
+      - {{ sonar.security_hotspots.count == 0 }}
+      - {{ sonar.duplications == null or sonar.duplications == 0.0 }}
+    run: 
+      - action: add-label@v1
+        args:
+          label: '✅ Sonar: Clean Code'
+          color: '0e8a16'
+  high_duplications:
+    if:
+      - {{ sonar.duplications > 40 }}
+    run:
+      - action: request-changes@v1
+        args:
+          comment: |
+            High percentage of duplications in code. Please fix!
+      - action: add-label@v1
+        args:
+          label: '{{ sonar.duplications }} Duplications 👯'
+          color: {{ colors.duplications }}
+  mark_vulnerabilities:
+    if:
+      - {{ sonar.vulnerabilities.count > 0 }}
+    run: 
+      - action: add-label@v1
+        args:
+          label: '{{ sonar.vulnerabilities.count }} Vulnerabilities 🛡️'
+          color: {{ colors.vulnerabilities }}
+  jit_vulns:
+    if:
+      - {{ jit.metrics.HIGH > 0}}
+    run:
+      - action: add-label@v1
+        args:
+          label: '🛡️ x {{ jit.metrics.HIGH }} High vulnerabilities'
+      - action: add-reviewers@v1
+        args:
+          reviewers: [Dudu-linb]
+
+  jit_secretss:
+    if:
+      - {{ jit.vulnerabilities | match(attr='security_control', term='Secret Detection') | some }}
+    run:
+      - action: add-label@v1
+        args:
+          label: "🤫 PR with secrets"
+
+  jit_ignores:
+    if:
+      - {{ pr.conversations | reject(attr='commenter', term='jit-ci') | map(attr='content') | match(term='#jit_ignore_accept') | some }}
+    run:
+      - action: add-label@v1
+        args:
+          label: '🙈 jit_ignore_accept'
+
+
+
+sonar: {{ pr | extractSonarFindings }}
+jit: {{ pr | extractJitFindings }}
+colors:
+  code_smells: 'D2B48C'
+  bugs: 'FAA0A0'
+  vulnerabilities: 'F3E5AB'
+  security_hotspots: 'F89880'
+  duplications: 'D7BDE2'

README.md

@@ -325,3 +325,5 @@ OWASP Juice Shop and any contributions are Copyright © by Bjoern Kimminich & th
 2014-2023.
 
 ![Juice Shop Logo](https://raw.githubusercontent.com/bkimminich/juice-shop/master/frontend/src/assets/public/images/JuiceShop_Logo_400px.png)
+123456🙈🤫 
+Update!

package.json

@@ -146,7 +146,6 @@
     "html-entities": "^1.3.1",
     "i18n": "^0.11.1",
     "js-yaml": "^3.14.0",
-    "jsonwebtoken": "0.4.0",
     "jssha": "^3.1.1",
     "juicy-chat-bot": "~0.7.1",
     "libxmljs2": "^0.32.0",