diff --git a/.cm/jit-and-sonar.cm b/.cm/jit-and-sonar.cm
new file mode 100644
index 00000000000..74d5d893a46
--- /dev/null
+++ b/.cm/jit-and-sonar.cm
@@ -0,0 +1,106 @@
+# -*- mode: yaml -*-
+
+manifest:
+ version: 1.0
+
+config:
+ admin:
+ users: ['EladKohavi']
+
+automations:
+ mark_bugs:
+ if:
+ - {{ sonar.bugs.count > 0 }}
+ run:
+ - action: add-label@v1
+ args:
+ label: '{{ sonar.bugs.count }} Bugs 🐞'
+ color: {{ colors.bugs }}
+ mark_code_smell:
+ if:
+ - {{ sonar.code_smells.count > 0 }}
+ run:
+ - action: add-label@v1
+ args:
+ label: '{{ sonar.code_smells.count }} Code Smells 💩'
+ color: {{ colors.code_smells }}
+ mark_security_hotspots:
+ if:
+ - {{ sonar.security_hotspots.count > 0 }}
+ run:
+ - action: add-label@v1
+ args:
+ label: '{{ sonar.security_hotspots.count }} Security hotspots 🌶️'
+ color: {{ colors.security_hotspots }}
+ - action: add-reviewers@v1
+ args:
+ reviewers: [Dudu-linb]
+ mark_outstanding_pr:
+ if:
+ - {{ sonar.bugs.count == 0 }}
+ - {{ sonar.code_smells.count == 0 }}
+ - {{ sonar.vulnerabilities.count == 0 }}
+ - {{ sonar.security_hotspots.count == 0 }}
+ - {{ sonar.duplications == null or sonar.duplications == 0.0 }}
+ run:
+ - action: add-label@v1
+ args:
+ label: '✅ Sonar: Clean Code'
+ color: '0e8a16'
+ high_duplications:
+ if:
+ - {{ sonar.duplications > 40 }}
+ run:
+ - action: request-changes@v1
+ args:
+ comment: |
+ High percentage of duplications in code. Please fix!
+ - action: add-label@v1
+ args:
+ label: '{{ sonar.duplications }} Duplications 👯'
+ color: {{ colors.duplications }}
+ mark_vulnerabilities:
+ if:
+ - {{ sonar.vulnerabilities.count > 0 }}
+ run:
+ - action: add-label@v1
+ args:
+ label: '{{ sonar.vulnerabilities.count }} Vulnerabilities 🛡️'
+ color: {{ colors.vulnerabilities }}
+ jit_vulns:
+ if:
+ - {{ jit.metrics.HIGH > 0}}
+ run:
+ - action: add-label@v1
+ args:
+ label: '🛡️ x {{ jit.metrics.HIGH }} High vulnerabilities'
+ - action: add-reviewers@v1
+ args:
+ reviewers: [Dudu-linb]
+
+ jit_secretss:
+ if:
+ - {{ jit.vulnerabilities | match(attr='security_control', term='Secret Detection') | some }}
+ run:
+ - action: add-label@v1
+ args:
+ label: "🤫 PR with secrets"
+
+ jit_ignores:
+ if:
+ - {{ pr.conversations | filter(attr='commenter', term='jit-ci') | map(attr='content') | match(term='#jit_ignore_accept') | some }}
+ run:
+ - action: add-label@v1
+ args:
+ label: '🙈 jit_ignore_accept'
+
+
+
+sonar: {{ pr | extractSonarFindings }}
+jit: {{ pr | extractJitFindings }}
+colors:
+ code_smells: 'D2B48C'
+ bugs: 'FAA0A0'
+ vulnerabilities: 'F3E5AB'
+ security_hotspots: 'F89880'
+ duplications: 'D7BDE2'
diff --git a/data/mongodb.ts b/data/mongodb.ts
index a572583ba61..2b027e33dbd 100644
--- a/data/mongodb.ts
+++ b/data/mongodb.ts
@@ -5,7 +5,15 @@
 // @ts-expect-error due to non-existing type definitions for MarsDB
 import MarsDB = require('marsdb')
-
+export const SONAR_REGEX = {
+ BUGS: /\[\d+ Bug[s]?\]/g,
+ VULNERABILITIES: /\[\d+ Vulnerabilit(?:ies|y)\]/g,
+ SECURITY_HOTSPOTS: /\[\d+ Security Hotspot[s]?\]/g,
+ CODE_SMELL: /\[\d+ Code Smell[s]?\]/g,
+ DUPLICATIONS: /\[(\d+(\.\d+)?|\.\d+)%\]/g,
+ COVERAGE: /\[(\d+(\.\d+)?|\.\d+)%\]/g,
+ RATING: /!\[([A-Z])\]/g,
+};
 const reviews = new MarsDB.Collection('posts')
 const orders = new MarsDB.Collection('orders')
diff --git a/lib/insecurity.ts b/lib/insecurity.ts
index 585ad31ae6a..87776eabf9d 100644
--- a/lib/insecurity.ts
+++ b/lib/insecurity.ts
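Review bot: The `jit_secretss` automation near the end of the hunk only attaches a label when the Secret Detection control fires, whereas `high_duplications` earlier in the same file escalates with `request-changes@v1`; a committed secret deserves at least the same `- action: request-changes@v1` step so the finding blocks the merge instead of merely decorating the PR. The automation name also reads as a typo (`jit_secretss` → `jit_secrets`) and will show up that way wherever automation names are displayed. `mark_vulnerabilities` adds no reviewer, unlike `mark_security_hotspots` and `jit_vulns`, so the `add-reviewers@v1` step should probably be mirrored there. Indentation in this hunk appears collapsed by the page rendering, so the YAML nesting itself cannot be checked here.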
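Review bot: `DUPLICATIONS` and `COVERAGE` in the new `SONAR_REGEX` object are the identical pattern `/\[(\d+(\.\d+)?|\.\d+)%\]/g`, so a caller cannot tell which percentage badge it matched; each needs an anchor on the text of its own badge (not visible here), or the caller has to disambiguate by position. Every entry also carries the `g` flag on a shared module-level constant, which makes `test()`/`exec()` carry `lastIndex` across calls and silently skip matches — drop `g` unless all callers use `String.prototype.match`/`matchAll`. `[s]?` is simply `s?`, the trailing `;` after `}` departs from the semicolon-free style of the neighbouring `const reviews` lines, and a Sonar-badge parser is an odd resident of the MarsDB data module.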
@@ -20,7 +20,6 @@ import * as utils from './utils'
 import * as z85 from 'z85'
 export const publicKey = fs ? fs.readFileSync('encryptionkeys/jwt.pub', 'utf8') : 'placeholder-public-key'
-const privateKey = '-----BEGIN RSA PRIVATE KEY-----\r\nMIICXAIBAAKBgQDNwqLEe9wgTXCbC7+RPdDbBbeqjdbs4kOPOIGzqLpXvJXlxxW8iMz0EaM4BKUqYsIa+ndv3NAn2RxCd5ubVdJJcX43zO6Ko0TFEZx/65gY3BE0O6syCEmUP4qbSd6exou/F+WTISzbQ5FBVPVmhnYhG/kpwt/cIxK5iUn5hm+4tQIDAQABAoGBAI+8xiPoOrA+KMnG/T4jJsG6TsHQcDHvJi7o1IKC/hnIXha0atTX5AUkRRce95qSfvKFweXdJXSQ0JMGJyfuXgU6dI0TcseFRfewXAa/ssxAC+iUVR6KUMh1PE2wXLitfeI6JLvVtrBYswm2I7CtY0q8n5AGimHWVXJPLfGV7m0BAkEA+fqFt2LXbLtyg6wZyxMA/cnmt5Nt3U2dAu77MzFJvibANUNHE4HPLZxjGNXN+a6m0K6TD4kDdh5HfUYLWWRBYQJBANK3carmulBwqzcDBjsJ0YrIONBpCAsXxk8idXb8jL9aNIg15Wumm2enqqObahDHB5jnGOLmbasizvSVqypfM9UCQCQl8xIqy+YgURXzXCN+kwUgHinrutZms87Jyi+D8Br8NY0+Nlf+zHvXAomD2W5CsEK7C+8SLBr3k/TsnRWHJuECQHFE9RA2OP8WoaLPuGCyFXaxzICThSRZYluVnWkZtxsBhW2W8z1b8PvWUE7kMy7TnkzeJS2LSnaNHoyxi7IaPQUCQCwWU4U+v4lD7uYBw00Ga/xt+7+UqFPlPVdz1yyr4q24Zxaw0LgmuEvgU5dycq8N7JxjTubX0MIRR+G9fmDBBl8=\r\n-----END RSA PRIVATE KEY-----'
 interface ResponseWithUser {
 status: string
diff --git a/package.json b/package.json
index 7d5c7c32226..e8a5b92f58c 100644
--- a/package.json
+++ b/package.json
@@ -119,12 +119,10 @@
 "cookie-parser": "^1.4.5",
 "cors": "^2.8.5",
 "dottie": "^2.0.2",
- "download": "^8.0.0",
 "errorhandler": "^1.5.1",
 "exif": "^0.6.0",
 "express": "^4.17.1",
 "express-ipfilter": "^1.2.0",
- "express-jwt": "0.1.3",
 "express-rate-limit": "^5.3.0",
 "express-robots-txt": "^0.4.1",
 "express-security.txt": "^2.0.0",
@@ -132,7 +130,6 @@
 "file-stream-rotator": "^0.5.7",
 "file-type": "^16.1.0",
 "filesniffer": "^1.0.3",
- "finale-rest": "^1.1.1",
 "fs-extra": "^9.0.1",
 "fuzzball": "^1.3.0",
 "glob": "^7.1.6",
@@ -146,7 +143,6 @@
 "html-entities": "^1.3.1",
 "i18n": "^0.11.1",
 "js-yaml": "^3.14.0",
- "jsonwebtoken": "0.4.0",
 "jssha": "^3.1.1",
 "juicy-chat-bot": "~0.7.1",
 "libxmljs2": "^0.32.0",
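Review bot: `privateKey` is removed without a replacement while `publicKey` on the line above is still loaded from `encryptionkeys/jwt.pub`, so any signing code later in this module that still references `privateKey` will fail to compile; the module continues outside the hunk, so that reference needs checking. If the goal is to stop shipping the key in source, load it the same way as the public key rather than deleting it, e.g. `const privateKey = fs ? fs.readFileSync('<private-key-path>', 'utf8') : 'placeholder-private-key'`. Deleting the line does not remove the key from repository history, so the key pair should be rotated regardless of how this lands. The same commit drops `jsonwebtoken` and `express-jwt` from `package.json` (hunk `@@ -119,12 +119,10 @@`) with no lock-file change in this diff, which points to the same unresolved-reference check.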
diff --git a/routes/likeProductReviews.ts b/routes/likeProductReviews.ts
index f77e28d2a5e..c1518601bba 100644
--- a/routes/likeProductReviews.ts
+++ b/routes/likeProductReviews.ts
@@ -15,7 +15,7 @@ module.exports = function productReviews () {
 return (req: Request, res: Response, next: NextFunction) => {
 const id = req.body.id
 const user = security.authenticatedUsers.from(req)
- db.reviews.findOne({ _id: id }).then((review: Review) => {
+ db.reviews.findOne({ _id: "a" }).then((review: Review) => {
 if (!review) {
 res.status(404).json({ error: 'Not found' })
 } else {
diff --git a/routes/updateProductReviews.ts b/routes/updateProductReviews.ts
index c6d31a3707f..c4e0cf06808 100644
--- a/routes/updateProductReviews.ts
+++ b/routes/updateProductReviews.ts
@@ -13,19 +13,6 @@ const security = require('../lib/insecurity')
 // vuln-code-snippet start noSqlReviewsChallenge forgedReviewChallenge
 module.exports = function productReviews () {
 return (req: Request, res: Response, next: NextFunction) => {
- const user = security.authenticatedUsers.from(req) // vuln-code-snippet vuln-line forgedReviewChallenge
- db.reviews.update( // vuln-code-snippet neutral-line forgedReviewChallenge
- { _id: req.body.id }, // vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge
- { $set: { message: req.body.message } },
- { multi: true } // vuln-code-snippet vuln-line noSqlReviewsChallenge
- ).then(
- (result: { modified: number, original: Array<{ author: any }> }) => {
- challengeUtils.solveIf(challenges.noSqlReviewsChallenge, () => { return result.modified > 1 }) // vuln-code-snippet hide-line
- challengeUtils.solveIf(challenges.forgedReviewChallenge, () => { return user?.data && result.original[0] && result.original[0].author !== user.data.email && result.modified === 1 }) // vuln-code-snippet hide-line
- res.json(result)
- }, (err: unknown) => {
- res.status(500).json(err)
- })
 }
 }
 // vuln-code-snippet end noSqlReviewsChallenge forgedReviewChallenge
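Review bot: The new `db.reviews.findOne({ _id: "a" })` replaces the request-supplied id with a fixed literal, so every call resolves the same review and `const id = req.body.id` two lines above becomes dead; the query should stay `db.reviews.findOne({ _id: id }).then((review: Review) => {`. If the intent was to keep an attacker-shaped object out of the `_id` filter, reject non-strings before the query instead, `if (typeof id !== 'string') { res.status(400).json({ error: 'Invalid id' }); return }`. The literal is also double-quoted where the rest of the file single-quotes (`'Not found'`). The handler body continues past the end of the hunk.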
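Review bot: The middleware returned by `productReviews` now has an empty body — it neither sends a response nor calls `next`, so a request to this route hangs until the client times out, and `security` from the hunk header (and presumably the `challengeUtils`/`challenges` imports above the hunk) is left unused. The `vuln-code-snippet start`/`end` markers now bracket nothing. If the aim is to remove the NoSQL-injection and forged-review problems rather than the feature, keep the update but require string `id`/`message`, drop `{ multi: true }`, and scope the filter to the caller's own review; a version along those lines is below, with the `challengeUtils.solveIf` bookkeeping left out of the excerpt.
```typescript
  return (req: Request, res: Response, next: NextFunction) => {
    const user = security.authenticatedUsers.from(req)
    const id = req.body.id
    const message = req.body.message
    if (!user?.data?.email) {
      res.status(401).json({ error: 'Unauthenticated' })
      return
    }
    if (typeof id !== 'string' || typeof message !== 'string') {
      res.status(400).json({ error: 'Invalid review id or message' })
      return
    }
    db.reviews.update(
      { _id: id, author: user.data.email }, // one document, owned by the caller; no multi
      { $set: { message } }
    ).then(
      (result: { modified: number, original: Array<{ author: any }> }) => {
        res.json(result)
      }, (err: unknown) => {
        res.status(500).json(err)
      })
  }
```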
diff --git a/test/smoke/Dockerfile b/test/smoke/Dockerfile
index 20df9ef06eb..fee38ec8cca 100644
--- a/test/smoke/Dockerfile
+++ b/test/smoke/Dockerfile
@@ -1,4 +1,3 @@
-FROM alpine
 RUN apk add curl