From 803e2ae889d9a9872c3f4ec3a0fafd95f127491c Mon Sep 17 00:00:00 2001
From: PavelLinearB <129676672+PavelLinearB@users.noreply.github.com>
Date: Sun, 21 May 2023 15:55:25 +0300
Subject: [PATCH 01/22] Update package.json
---
 package.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/package.json b/package.json
index 7d5c7c32226..8f6adb419e2 100644
--- a/package.json
+++ b/package.json
@@ -146,7 +146,6 @@
 "html-entities": "^1.3.1",
 "i18n": "^0.11.1",
 "js-yaml": "^3.14.0",
- "jsonwebtoken": "0.4.0",
 "jssha": "^3.1.1",
 "juicy-chat-bot": "~0.7.1",
 "libxmljs2": "^0.32.0",
From bf82f6b45cf205b49aa3e49da6b9144e271dcaa2 Mon Sep 17 00:00:00 2001
From: PavelLinearB
Date: Sun, 21 May 2023 16:34:15 +0300
Subject: [PATCH 02/22] fixed vulns
---
 .cm/jit.cm | 75 ++++++++++++++++++++++++++++++++++
 data/static/users.yml | 2 -
 lib/insecurity.ts | 1 -
 package.json | 3 --
 routes/likeProductReviews.ts | 2 +-
 routes/updateProductReviews.ts | 13 ------
 test/smoke/Dockerfile | 1 -
 7 files changed, 76 insertions(+), 21 deletions(-)
 create mode 100644 .cm/jit.cm
diff --git a/.cm/jit.cm b/.cm/jit.cm
new file mode 100644
index 00000000000..b89a9e0b91c
--- /dev/null
+++ b/.cm/jit.cm
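Review bot: `jsonwebtoken` is dropped from `dependencies` here, but nothing in this patch removes the matching `require`/`import` in the code (the `lib/insecurity.ts` hunk in patch 02 only deletes the `privateKey` constant), so if the module is still imported anywhere the install-and-build will fail; please confirm the imports are gone or pair this with the code change. If the reason is the exact pin `"0.4.0"`, moving to a current release is the usual remedy rather than removing the dependency outright.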
@@ -0,0 +1,75 @@ +manifest: + version: 1.0 +automations: + # Add labels + vulnerabilities: + if: + - {{ sonar.vulnerabilities.count > 0}} + run: + - action: add-label@v1 + args: + label: '🛡️ x {{ sonar.vulnerabilities.count }} Vulnerabilities' + color: {{ colors.E if (sonar.vulnerabilities.rating == 'E') else (colors.C if (sonar.vulnerabilities.rating == 'C' ) else colors.A) }} + security_hotspots: + if: + - {{ sonar.security_hotspots.count > 0}} + run: + - action: add-label@v1 + args: + label: '🌶️ x {{ sonar.security_hotspots.count }} Security Hotspots' + color: {{ colors.E if (sonar.security_hotspots.rating == 'E') else (colors.C if (sonar.security_hotspots.rating == 'C' ) else colors.A) }} + code_smells: + if: + - {{ sonar.code_smells.count > 0}} + run: + - action: add-label@v1 + args: + label: '💩 x {{ sonar.code_smells.count }} Code Smells' + color: {{ colors.E if (sonar.code_smells.rating == 'E') else (colors.C if (sonar.code_smells.rating == 'C' ) else colors.A) }} + bugs: + if: + - {{ sonar.bugs.count > 0}} + run: + - action: add-label@v1 + args: + label: '🐞 x {{ sonar.bugs.count }} Bugs' + color: {{ colors.E if (sonar.bugs.rating == 'E') else (colors.C if (sonar.bugs.rating == 'C' ) else colors.A) }} + + mark_outstanding_pr: + if: + - {{ sonar.bugs.count == 0 }} + - {{ sonar.code_smells.count == 0 }} + - {{ sonar.vulnerabilities.count == 0 }} + - {{ sonar.security_hotspots.count == 0 }} + - {{ sonar.duplications == null or sonar.duplications == 0 }} + run: + - action: add-label@v1 + args: + label: '💯 Safe' + Assign: + # Auto assign Security member + if: + - {{ sonar.code_smells.rating != 'A' or sonar.vulnerabilities.rating != 'A' or sonar.security_hotspots.rating != 'A'}} + run: + - action: add-reviewers@v1 + args: + reviewers: [Dudu-linb] + + jitttt: + if: + - {{ jit.metrics.HIGH > 0}} + run: + - action: add-label@v1 + args: + label: '{{ jit.metrics.HIGH }} high vulns by Jit' + + +sonar: {{ pr | extractSonarFindings }} +#jit: {{ pr | extractJitFindings }} 
+
+colors:
+ A: '05AA02'
+ B: 'B6D146'
+ C: 'EABE05'
+ D: 'DF8339'
+ E: 'D4343F'
\ No newline at end of file
diff --git a/data/static/users.yml b/data/static/users.yml
index 24efd550e93..edfe29291bf 100644
--- a/data/static/users.yml
+++ b/data/static/users.yml
@@ -147,8 +147,6 @@
 email: wurstbrot
 username: wurstbrot
 password: 'EinBelegtesBrotMitSchinkenSCHINKEN!'
- totpSecret: IFTXE3SPOEYVURT2MRYGI52TKJ4HC3KH
- key: timo
 role: 'admin'
 securityQuestion:
 id: 1
diff --git a/lib/insecurity.ts b/lib/insecurity.ts
index 585ad31ae6a..87776eabf9d 100644
--- a/lib/insecurity.ts
+++ b/lib/insecurity.ts
@@ -20,7 +20,6 @@ import * as utils from './utils'
 import * as z85 from 'z85'
 export const publicKey = fs ? fs.readFileSync('encryptionkeys/jwt.pub', 'utf8') : 'placeholder-public-key'
-const privateKey = '-----BEGIN RSA PRIVATE KEY-----\r\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\r\n-----END RSA PRIVATE KEY-----'
 interface ResponseWithUser {
 status: string
diff --git a/package.json b/package.json
index 8f6adb419e2..e8a5b92f58c 100644
--- a/package.json
+++ b/package.json
@@ -119,12 +119,10 @@
 "cookie-parser": "^1.4.5",
 "cors": "^2.8.5",
 "dottie": "^2.0.2",
- "download": "^8.0.0",
 "errorhandler": "^1.5.1",
 "exif": "^0.6.0",
 "express": "^4.17.1",
 "express-ipfilter": "^1.2.0",
- "express-jwt": "0.1.3",
 "express-rate-limit": "^5.3.0",
 "express-robots-txt": "^0.4.1",
 "express-security.txt": "^2.0.0",
@@ -132,7 +130,6 @@
 "file-stream-rotator": "^0.5.7",
 "file-type": "^16.1.0",
 "filesniffer": "^1.0.3",
- "finale-rest": "^1.1.1",
 "fs-extra": "^9.0.1",
 "fuzzball": "^1.3.0",
 "glob": "^7.1.6",
diff --git a/routes/likeProductReviews.ts b/routes/likeProductReviews.ts
index f77e28d2a5e..c1518601bba 100644
--- a/routes/likeProductReviews.ts
+++ b/routes/likeProductReviews.ts
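Review bot: The `jitttt` automation's condition reads `jit.metrics.HIGH`, but the only definition of `jit` in this file is commented out (`#jit: {{ pr | extractJitFindings }}` near the bottom), so that condition is evaluated against an undefined variable; either uncomment the definition or leave the automation out until Jit findings are wired in. The name `jitttt` also reads like a placeholder, and `Assign:` breaks the snake_case used by every other key — `jit_high_vulns:` and `assign_security_reviewer:` would match. Note that `mark_outstanding_pr` checks only the Sonar counters, so a PR with Jit HIGH findings can still be labelled `💯 Safe`.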
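Review bot: This hunk deletes the `privateKey` definition, but the rest of `lib/insecurity.ts` is outside the hunk; if the token-signing code further down still references `privateKey`, the file no longer compiles, and if the intent is to move the key out of source, the replacement (loading it from a file or environment variable the way `publicKey` is read from `encryptionkeys/jwt.pub` on the line above) belongs in the same commit. Deleting the line does not undo the exposure — the key material stays in git history — so the key pair should be rotated and the checked-in `jwt.pub` replaced alongside this change.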
@@ -15,7 +15,7 @@ module.exports = function productReviews () {
 return (req: Request, res: Response, next: NextFunction) => {
 const id = req.body.id
 const user = security.authenticatedUsers.from(req)
- db.reviews.findOne({ _id: id }).then((review: Review) => {
+ db.reviews.findOne({ _id: "a" }).then((review: Review) => {
 if (!review) {
 res.status(404).json({ error: 'Not found' })
 } else {
diff --git a/routes/updateProductReviews.ts b/routes/updateProductReviews.ts
index c6d31a3707f..c4e0cf06808 100644
--- a/routes/updateProductReviews.ts
+++ b/routes/updateProductReviews.ts
@@ -13,19 +13,6 @@ const security = require('../lib/insecurity')
 // vuln-code-snippet start noSqlReviewsChallenge forgedReviewChallenge
 module.exports = function productReviews () {
 return (req: Request, res: Response, next: NextFunction) => {
- const user = security.authenticatedUsers.from(req) // vuln-code-snippet vuln-line forgedReviewChallenge
- db.reviews.update( // vuln-code-snippet neutral-line forgedReviewChallenge
- { _id: req.body.id }, // vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge
- { $set: { message: req.body.message } },
- { multi: true } // vuln-code-snippet vuln-line noSqlReviewsChallenge
- ).then(
- (result: { modified: number, original: Array<{ author: any }> }) => {
- challengeUtils.solveIf(challenges.noSqlReviewsChallenge, () => { return result.modified > 1 }) // vuln-code-snippet hide-line
- challengeUtils.solveIf(challenges.forgedReviewChallenge, () => { return user?.data && result.original[0] && result.original[0].author !== user.data.email && result.modified === 1 }) // vuln-code-snippet hide-line
- res.json(result)
- }, (err: unknown) => {
- res.status(500).json(err)
- })
 }
 }
 // vuln-code-snippet end noSqlReviewsChallenge forgedReviewChallenge
diff --git a/test/smoke/Dockerfile b/test/smoke/Dockerfile
index 20df9ef06eb..fee38ec8cca 100644
--- a/test/smoke/Dockerfile
+++ b/test/smoke/Dockerfile
@@ -1,4 +1,3 @@
-FROM alpine
 RUN apk add curl
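Review bot: `db.reviews.findOne({ _id: "a" })` replaces the request-supplied value with a literal, leaving `const id = req.body.id` on the line above unused and making every request resolve the same document; this looks like a debugging leftover rather than a fix. If the goal was to keep unvalidated input out of the query, constrain its type instead and keep `{ _id: id }`: `if (typeof id !== 'string') { return res.status(400).json({ error: 'Invalid id' }) }` placed before the `findOne`. The enclosing handler continues past the end of the hunk.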
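Review bot: With the whole body removed, the returned handler `(req, res, next) => { }` neither sends a response nor calls `next()`, so any request routed to it hangs until the client gives up; deleting the feature is not a fix for the injection and forged-review issues the removed lines were tagged with. A minimal safe shape keeps the update but validates the two inputs, requires an authenticated user, scopes the filter to that user's own review and drops `{ multi: true }`, as sketched below. The `productReviews` wrapper and the challenge bookkeeping are only visible in the removed lines.
```typescript
  return (req: Request, res: Response, next: NextFunction) => {
    const user = security.authenticatedUsers.from(req)
    if (!user?.data?.email) { return res.status(401).json({ error: 'Unauthorized' }) }
    // Reject non-string ids/messages so operator objects never reach the query
    if (typeof req.body.id !== 'string' || typeof req.body.message !== 'string') {
      return res.status(400).json({ error: 'Invalid input' })
    }
    db.reviews.update(
      { _id: req.body.id, author: user.data.email }, // only the caller's own review
      { $set: { message: req.body.message } }
    ).then(
      (result: { modified: number }) => { res.json(result) },
      (err: unknown) => { res.status(500).json({ error: 'Update failed' }) })
  }
```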
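Review bot: Deleting `FROM alpine` leaves `RUN apk add curl` as the first instruction, and a Dockerfile must start with `FROM` (only `ARG` may precede it), so this image no longer builds. If the aim was to get rid of an unpinned base image, pin it rather than remove it: `FROM alpine:<pinned-tag>` (the tag, optionally with its digest, that the smoke test is run against). The remaining two context lines of this hunk are not visible here.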
From 4bb0105f9a73083baa34d9ed3d6edb1ea521be1f Mon Sep 17 00:00:00 2001
From: PavelLinearB
Date: Mon, 22 May 2023 12:04:41 +0300
Subject: [PATCH 03/22] cm ignored accept
---
 .cm/jit.cm | 64 ++++++++++-------------------------------------------
 1 file changed, 12 insertions(+), 52 deletions(-)
diff --git a/.cm/jit.cm b/.cm/jit.cm
index b89a9e0b91c..c3ad12ca238 100644
--- a/.cm/jit.cm
+++ b/.cm/jit.cm
@@ -1,71 +1,31 @@ manifest: version: 1.0 + automations: - # Add labels - vulnerabilities: - if: - - {{ sonar.vulnerabilities.count > 0}} - run: - - action: add-label@v1 - args: - label: '🛡️ x {{ sonar.vulnerabilities.count }} Vulnerabilities' - color: {{ colors.E if (sonar.vulnerabilities.rating == 'E') else (colors.C if (sonar.vulnerabilities.rating == 'C' ) else colors.A) }} - security_hotspots: - if: - - {{ sonar.security_hotspots.count > 0}} - run: - - action: add-label@v1 - args: - label: '🌶️ x {{ sonar.security_hotspots.count }} Security Hotspots' - color: {{ colors.E if (sonar.security_hotspots.rating == 'E') else (colors.C if (sonar.security_hotspots.rating == 'C' ) else colors.A) }} - code_smells: + jit_vulns: if: - - {{ sonar.code_smells.count > 0}} - run: - - action: add-label@v1 - args: - label: '💩 x {{ sonar.code_smells.count }} Code Smells' - color: {{ colors.E if (sonar.code_smells.rating == 'E') else (colors.C if (sonar.code_smells.rating == 'C' ) else colors.A) }} - bugs: - if: - - {{ sonar.bugs.count > 0}} + - {{ jit.metrics.HIGH > 0}} run: - action: add-label@v1 args: - label: '🐞 x {{ sonar.bugs.count }} Bugs' - color: {{ colors.E if (sonar.bugs.rating == 'E') else (colors.C if (sonar.bugs.rating == 'C' ) else colors.A) }} - - mark_outstanding_pr: - if: - - {{ sonar.bugs.count == 0 }} - - {{ sonar.code_smells.count == 0 }} - - {{ sonar.vulnerabilities.count == 0 }} - - {{ sonar.security_hotspots.count == 0 }} - - {{ sonar.duplications == null or sonar.duplications == 0 }} - run: - - action: add-label@v1 - args: - label: '💯 Safe' - Assign: - # Auto assign Security member - if: - - {{ sonar.code_smells.rating != 'A' or sonar.vulnerabilities.rating != 'A' or sonar.security_hotspots.rating != 'A'}} - run: + label: '{{ jit.metrics.HIGH }} High vulnerabilities' - action: add-reviewers@v1 args: reviewers: [Dudu-linb] - - jitttt: + + jit_ignores: if: - - {{ jit.metrics.HIGH > 0}} + -{{ has_ignored_accept }} run: - action: add-label@v1 args: - label: '{{ 
jit.metrics.HIGH }} high vulns by Jit' + label: 'jit_ignore_accept' + +jit: {{ pr | extractJitFindings }} +has_ignored_accept: {{ jit_reviews | map(attr='conversations') | map(attr='content') | match(term='#jit_ignore_accept') | some }} -sonar: {{ pr | extractSonarFindings }} -#jit: {{ pr | extractJitFindings }} +jit_reviews: {{ pr.reviews | filter(attr='commenter', term='jit-ci') }} colors: A: '05AA02' From 43882b98a7fd38436480356d49f2801385794eac Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Mon, 22 May 2023 12:12:36 +0300 Subject: [PATCH 04/22] cm ignored accept2 --- .cm/jit.cm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index c3ad12ca238..88bfa5ec9d5 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -15,7 +15,7 @@ automations: jit_ignores: if: - -{{ has_ignored_accept }} + -{{ jit_reviews | map(attr='conversations') | map(attr='content') | match(term='#jit_ignore_accept') | some }} run: - action: add-label@v1 args: @@ -23,7 +23,7 @@ automations: jit: {{ pr | extractJitFindings }} -has_ignored_accept: {{ jit_reviews | map(attr='conversations') | map(attr='content') | match(term='#jit_ignore_accept') | some }} +# has_ignored_accept: {{ jit_reviews | map(attr='conversations') | map(attr='content') | match(term='#jit_ignore_accept') | some }} jit_reviews: {{ pr.reviews | filter(attr='commenter', term='jit-ci') }} From 8b00d4d7bdb6be0364e1ee7905b71f21f07c2a45 Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Mon, 22 May 2023 12:23:08 +0300 Subject: [PATCH 05/22] cm ignored accept3 --- .cm/jit.cm | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index 88bfa5ec9d5..eaeaa0de75a 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm 
@@ -15,7 +15,7 @@ automations: jit_ignores: if: - -{{ jit_reviews | map(attr='conversations') | map(attr='content') | match(term='#jit_ignore_accept') | some }} + -{{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | some }} run: - action: add-label@v1 args: @@ -23,9 +23,7 @@ automations: jit: {{ pr | extractJitFindings }} -# has_ignored_accept: {{ jit_reviews | map(attr='conversations') | map(attr='content') | match(term='#jit_ignore_accept') | some }} - -jit_reviews: {{ pr.reviews | filter(attr='commenter', term='jit-ci') }} +jit_conversations: {{ pr.reviews | filter(attr='commenter', term='jit-ci') | map(attr='conversations') }} colors: A: '05AA02' From 2f6c057199ac35cdaff256941ff66c72f1226281 Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Mon, 22 May 2023 12:41:35 +0300 Subject: [PATCH 06/22] cm ignored accept4 --- .cm/jit.cm | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index eaeaa0de75a..50ec1f165ea 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -23,11 +23,4 @@ automations: jit: {{ pr | extractJitFindings }} -jit_conversations: {{ pr.reviews | filter(attr='commenter', term='jit-ci') | map(attr='conversations') }} - -colors: - A: '05AA02' - B: 'B6D146' - C: 'EABE05' - D: 'DF8339' - E: 'D4343F' \ No newline at end of file +jit_conversations: {{ pr.conversations | filter(attr='commenter', term='jit-ci') }} \ No newline at end of file From 89dce43be7c015010bc7ab2a7bffcca962c557a9 Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Mon, 22 May 2023 12:47:47 +0300 Subject: [PATCH 07/22] cm ignored accept4 --- .cm/jit.cm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index 50ec1f165ea..1a3ea220700 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm 
@@ -15,7 +15,7 @@ automations: jit_ignores: if: - -{{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | some }} + - {{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | some }} run: - action: add-label@v1 args: From 32c3dee8b3747bde60d1924521914308aa6c225c Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Mon, 22 May 2023 12:52:50 +0300 Subject: [PATCH 08/22] cm ignored accept5 --- .cm/jit.cm | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.cm/jit.cm b/.cm/jit.cm index 1a3ea220700..8f0c370c8dd 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -21,6 +21,18 @@ automations: args: label: 'jit_ignore_accept' + show_changed_files: + if: + - true + run: + - action: add-comment@v1 + args: + comment: | + 1 {{ jit_conversations | dump | safe }} + 2 {{ jit_conversations | map(attr='content') | dump | safe }} + 3 {{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | dump | safe }} + 4 {{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | some | dump | safe }} + jit: {{ pr | extractJitFindings }} jit_conversations: {{ pr.conversations | filter(attr='commenter', term='jit-ci') }} \ No newline at end of file From 0c9fdf32eaf046e794c0ade5480e3dbcec135df2 Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Mon, 22 May 2023 12:55:04 +0300 Subject: [PATCH 09/22] cm ignored accept --- .cm/jit.cm | 77 ++++++++++++++---------------------------------------- 1 file changed, 20 insertions(+), 57 deletions(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index b89a9e0b91c..8f0c370c8dd 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm 
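Review bot: The new `show_changed_files` automation runs on every PR (`if: - true`) and posts the raw `jit_conversations` objects and their `content` into a fresh comment through `dump | safe`, so whatever the scanner wrote in its conversations is re-echoed unescaped into the PR thread on each evaluation; the name also does not describe what it does. This reads as a debugging aid — if it is needed, put it behind an explicit opt-in condition and drop `| safe`, otherwise remove it before merge. The same block reappears verbatim in the patch 09 hunk on the following lines.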
@@ -1,75 +1,38 @@ manifest: version: 1.0 + automations: - # Add labels - vulnerabilities: - if: - - {{ sonar.vulnerabilities.count > 0}} - run: - - action: add-label@v1 - args: - label: '🛡️ x {{ sonar.vulnerabilities.count }} Vulnerabilities' - color: {{ colors.E if (sonar.vulnerabilities.rating == 'E') else (colors.C if (sonar.vulnerabilities.rating == 'C' ) else colors.A) }} - security_hotspots: + jit_vulns: if: - - {{ sonar.security_hotspots.count > 0}} + - {{ jit.metrics.HIGH > 0}} run: - action: add-label@v1 args: - label: '🌶️ x {{ sonar.security_hotspots.count }} Security Hotspots' - color: {{ colors.E if (sonar.security_hotspots.rating == 'E') else (colors.C if (sonar.security_hotspots.rating == 'C' ) else colors.A) }} - code_smells: - if: - - {{ sonar.code_smells.count > 0}} - run: - - action: add-label@v1 + label: '{{ jit.metrics.HIGH }} High vulnerabilities' + - action: add-reviewers@v1 args: - label: '💩 x {{ sonar.code_smells.count }} Code Smells' - color: {{ colors.E if (sonar.code_smells.rating == 'E') else (colors.C if (sonar.code_smells.rating == 'C' ) else colors.A) }} - bugs: + reviewers: [Dudu-linb] + + jit_ignores: if: - - {{ sonar.bugs.count > 0}} + - {{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | some }} run: - action: add-label@v1 args: - label: '🐞 x {{ sonar.bugs.count }} Bugs' - color: {{ colors.E if (sonar.bugs.rating == 'E') else (colors.C if (sonar.bugs.rating == 'C' ) else colors.A) }} + label: 'jit_ignore_accept' - mark_outstanding_pr: + show_changed_files: if: - - {{ sonar.bugs.count == 0 }} - - {{ sonar.code_smells.count == 0 }} - - {{ sonar.vulnerabilities.count == 0 }} - - {{ sonar.security_hotspots.count == 0 }} - - {{ sonar.duplications == null or sonar.duplications == 0 }} - run: - - action: add-label@v1 - args: - label: '💯 Safe' - Assign: - # Auto assign Security member - if: - - {{ sonar.code_smells.rating != 'A' or sonar.vulnerabilities.rating != 'A' or sonar.security_hotspots.rating != 'A'}} + 
- true run: - - action: add-reviewers@v1 + - action: add-comment@v1 args: - reviewers: [Dudu-linb] - - jitttt: - if: - - {{ jit.metrics.HIGH > 0}} - run: - - action: add-label@v1 - args: - label: '{{ jit.metrics.HIGH }} high vulns by Jit' - + comment: | + 1 {{ jit_conversations | dump | safe }} + 2 {{ jit_conversations | map(attr='content') | dump | safe }} + 3 {{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | dump | safe }} + 4 {{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | some | dump | safe }} -sonar: {{ pr | extractSonarFindings }} -#jit: {{ pr | extractJitFindings }} +jit: {{ pr | extractJitFindings }} -colors: - A: '05AA02' - B: 'B6D146' - C: 'EABE05' - D: 'DF8339' - E: 'D4343F' \ No newline at end of file +jit_conversations: {{ pr.conversations | filter(attr='commenter', term='jit-ci') }} \ No newline at end of file From 4ae68c1e4660e35a62901f0e2dc1d4aa9c235af0 Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Mon, 22 May 2023 13:22:40 +0300 Subject: [PATCH 10/22] cm ignored accept2 --- .cm/jit.cm | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index 8f0c370c8dd..1a3ea220700 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -21,18 +21,6 @@ automations: args: label: 'jit_ignore_accept' - show_changed_files: - if: - - true - run: - - action: add-comment@v1 - args: - comment: | - 1 {{ jit_conversations | dump | safe }} - 2 {{ jit_conversations | map(attr='content') | dump | safe }} - 3 {{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | dump | safe }} - 4 {{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | some | dump | safe }} - jit: {{ pr | extractJitFindings }} jit_conversations: {{ pr.conversations | filter(attr='commenter', term='jit-ci') }} \ No newline at end of file From fd348f7a3ae166d85163af7fbd3be3a22990388c Mon Sep 17 00:00:00 2001 
From: PavelLinearB Date: Mon, 22 May 2023 13:27:35 +0300 Subject: [PATCH 11/22] cm ignored accept0 --- .cm/jit.cm | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index 8f0c370c8dd..1a3ea220700 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -21,18 +21,6 @@ automations: args: label: 'jit_ignore_accept' - show_changed_files: - if: - - true - run: - - action: add-comment@v1 - args: - comment: | - 1 {{ jit_conversations | dump | safe }} - 2 {{ jit_conversations | map(attr='content') | dump | safe }} - 3 {{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | dump | safe }} - 4 {{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | some | dump | safe }} - jit: {{ pr | extractJitFindings }} jit_conversations: {{ pr.conversations | filter(attr='commenter', term='jit-ci') }} \ No newline at end of file From 0a8ae9e62ad542a0353009da14b93c089107370c Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Mon, 22 May 2023 14:33:25 +0300 Subject: [PATCH 12/22] cm ignored accept0 --- .cm/jit.cm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index 1a3ea220700..79f80d72b5a 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -23,4 +23,4 @@ automations: jit: {{ pr | extractJitFindings }} -jit_conversations: {{ pr.conversations | filter(attr='commenter', term='jit-ci') }} \ No newline at end of file +jit_conversations: {{ pr.conversations | filter(attr='commenter', term='jit-ci') }} From 273dcbc7bee27758a51ee38e938cd078bcd34621 Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Mon, 22 May 2023 14:45:20 +0300 Subject: [PATCH 13/22] cm ignored accept0 --- .cm/jit.cm | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index 79f80d72b5a..c0914d9a6f3 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm 
@@ -15,12 +15,10 @@ automations: jit_ignores: if: - - {{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | some }} + - {{ pr.conversations | filter(attr='commenter', term='jit-ci') | map(attr='content') | match(term='#jit_ignore_accept') | some }} run: - action: add-label@v1 args: label: 'jit_ignore_accept' jit: {{ pr | extractJitFindings }} - -jit_conversations: {{ pr.conversations | filter(attr='commenter', term='jit-ci') }} From 6df1227618b981a6e584ea9050efab2f2da2e016 Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Mon, 22 May 2023 14:53:08 +0300 Subject: [PATCH 14/22] cm jit dump --- .cm/jit.cm | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.cm/jit.cm b/.cm/jit.cm index c0914d9a6f3..b415de12bfe 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -21,4 +21,13 @@ automations: args: label: 'jit_ignore_accept' + show_changed_files: + if: + - true + run: + - action: add-comment@v1 + args: + comment: | + 1 {{ jit | dump | safe }} + jit: {{ pr | extractJitFindings }} From e5b00ae81acd323b619ef90b1bbb4784918a01ea Mon Sep 17 00:00:00 2001 From: PavelLinearB <129676672+PavelLinearB@users.noreply.github.com> Date: Mon, 22 May 2023 16:33:35 +0300 Subject: [PATCH 15/22] Update jit.cm --- .cm/jit.cm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index b415de12bfe..ed154313ad0 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -8,7 +8,7 @@ automations: run: - action: add-label@v1 args: - label: '{{ jit.metrics.HIGH }} High vulnerabilities' + label: '🛡️ x {{ jit.metrics.HIGH }} High vulnerabilities' - action: add-reviewers@v1 args: reviewers: [Dudu-linb] From a5f954b100f696f419c7f1da952d85135f7477ff Mon Sep 17 00:00:00 2001 From: PavelLinearB <129676672+PavelLinearB@users.noreply.github.com> Date: Mon, 22 May 2023 16:34:22 +0300 Subject: [PATCH 16/22] Update jit.cm --- .cm/jit.cm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index ed154313ad0..cb97ebd6146 100644 
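Review bot: The re-added `show_changed_files` automation unconditionally comments `{{ jit | dump | safe }}`, i.e. the entire Jit findings object, on every PR; if that payload carries matched snippets or locations for findings (the later `jit_secretss` automation in this series keys on a `Secret Detection` control), the comment would reproduce exactly the material the scan is meant to flag, readable by anyone who can see the PR. Keep debug output out of the default configuration, or at least restrict it to one named field behind a non-`true` condition. The block is also misnamed — it dumps findings, not changed files.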
--- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -19,7 +19,7 @@ automations: run: - action: add-label@v1 args: - label: 'jit_ignore_accept' + label: '🙈 jit_ignore_accept' show_changed_files: if: From 4f5f6c54a86632bc1de1f25ed830f7bb4e0b048f Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Tue, 23 May 2023 10:58:38 +0300 Subject: [PATCH 17/22] Jit find secrets --- .cm/jit.cm | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index b415de12bfe..1e605de5969 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -15,13 +15,21 @@ automations: jit_ignores: if: - - {{ pr.conversations | filter(attr='commenter', term='jit-ci') | map(attr='content') | match(term='#jit_ignore_accept') | some }} + - {{ pr.conversations | match(attr='commenter', term='jit-ci') | some }} + run: + - action: add-label@v1 + args: + label: "🤫 PR with secrets" + + jit_secretss: + if: + - {{ jit.vulnerabilities | filter(attr='security_control', term='Secret Detection') | map(attr='content') | match(term='#jit_ignore_accept') | some }} run: - action: add-label@v1 args: label: 'jit_ignore_accept' - show_changed_files: + debug: if: - true run: From 00b092cf1dd4188ffc6ce5884c37d17e963edf22 Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Tue, 23 May 2023 11:00:41 +0300 Subject: [PATCH 18/22] Jit find secrets --- .cm/jit.cm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index 2e13ec994c3..ada93463bf2 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -13,7 +13,7 @@ automations: args: reviewers: [Dudu-linb] - jit_ignores: + jit_secretss: if: - {{ pr.conversations | match(attr='commenter', term='jit-ci') | some }} run: @@ -21,7 +21,7 @@ automations: args: label: "🤫 PR with secrets" - jit_secretss: + jit_ignores: if: - {{ jit.vulnerabilities | filter(attr='security_control', term='Secret Detection') | map(attr='content') | match(term='#jit_ignore_accept') | some }} run: 
From ee82a093259785fbbc7d7bc423edd885bdf762af Mon Sep 17 00:00:00 2001 From: PavelLinearB <129676672+PavelLinearB@users.noreply.github.com> Date: Tue, 23 May 2023 11:17:54 +0300 Subject: [PATCH 19/22] Update jit.cm --- .cm/jit.cm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index ada93463bf2..0ee42e46428 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -15,7 +15,7 @@ automations: jit_secretss: if: - - {{ pr.conversations | match(attr='commenter', term='jit-ci') | some }} + - {{ jit.vulnerabilities | match(attr='security_control', term='Secret Detection') | some }} run: - action: add-label@v1 args: @@ -23,7 +23,7 @@ automations: jit_ignores: if: - - {{ jit.vulnerabilities | filter(attr='security_control', term='Secret Detection') | map(attr='content') | match(term='#jit_ignore_accept') | some }} + - {{ pr.conversations | filter(attr='commenter', term='jit-ci') | map(attr='content') | match(term='#jit_ignore_accept') | some }} run: - action: add-label@v1 args: From 254299d87c5f8081cc7194d2124e7a4d479d5ff9 Mon Sep 17 00:00:00 2001 From: Yeela Lifshitz <52451294+yeelali14@users.noreply.github.com> Date: Mon, 29 May 2023 15:26:05 +0300 Subject: [PATCH 20/22] Update and rename jit.cm to jit-and-sonar.cm --- .cm/jit-and-sonar.cm | 100 +++++++++++++++++++++++++++++++++++++++++++ .cm/jit.cm | 41 ------------------ 2 files changed, 100 insertions(+), 41 deletions(-) create mode 100644 .cm/jit-and-sonar.cm delete mode 100644 .cm/jit.cm diff --git a/.cm/jit-and-sonar.cm b/.cm/jit-and-sonar.cm new file mode 100644 index 00000000000..c89c506f971 --- /dev/null +++ b/.cm/jit-and-sonar.cm 
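Review bot: `jit_secretss` (double `s`) is misspelled; `jit_secrets` is the intent. More substantively, a PR matching `Secret Detection` only receives a label, while `jit_vulns` also assigns a reviewer — a detected secret is at least as serious as a HIGH finding and deserves the same `add-reviewers@v1` step (or a `request-changes@v1`) so it cannot be merged on the strength of a label. The `jit_ignores` automation keys on `#jit_ignore_accept` appearing in a `jit-ci` conversation; worth confirming that `filter(attr='commenter', term='jit-ci')` is an exact match rather than a substring match, otherwise a commenter whose name merely contains `jit-ci` could trigger the label.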
@@ -0,0 +1,100 @@ +# -*- mode: yaml -*- + +manifest: + version: 1.0 + +config: + admin: + users: ['EladKohavi'] + +automations: + mark_bugs: + if: + - {{ sonar.bugs.count > 0 }} + run: + - action: add-label@v1 + args: + label: '{{ sonar.bugs.count }} Bugs 🐞' + color: {{ colors.bugs }} + mark_code_smell: + if: + - {{ sonar.code_smells.count > 0 }} + run: + - action: add-label@v1 + args: + label: '{{ sonar.code_smells.count }} Code Smells 💩' + color: {{ colors.code_smells }} + mark_security_hotspots: + if: + - {{ sonar.security_hotspots.count > 0 }} + run: + - action: add-label@v1 + args: + label: '{{ sonar.security_hotspots.count }} Security hotspots 🌶️' + color: {{ colors.security_hotspots }} + - action: add-reviewers@v1 + args: + reviewers: [Dudu-linb] + mark_outstanding_pr: + if: + - {{ sonar.bugs.count == 0 }} + - {{ sonar.code_smells.count == 0 }} + - {{ sonar.vulnerabilities.count == 0 }} + - {{ sonar.security_hotspots.count == 0 }} + - {{ sonar.duplications == null or sonar.duplications == 0.0 }} + run: + - action: add-label@v1 + args: + label: '✅ Sonar: Clean Code' + color: 'ABEBC6' + high_duplications: + if: + - {{ sonar.duplications > 40 }} + run: + - action: request-changes@v1 + args: + comment: | + High percentage of duplications in code. Please fix! 
+ - action: add-label@v1 + args: + label: '{{ sonar.duplications }} Duplications 👯' + color: {{ colors.duplications }} + mark_vulnerabilities: + if: + - {{ sonar.vulnerabilities.count > 0 }} + run: + - action: add-label@v1 + args: + label: '{{ sonar.vulnerabilities.count }} Vulnerabilities 🛡️' + color: {{ colors.vulnerabilities }} + jit_vulns: + if: + - {{ jit.metrics.HIGH > 0}} + run: + - action: add-label@v1 + args: + label: '🛡️ x {{ jit.metrics.HIGH }} High vulnerabilities' + - action: add-reviewers@v1 + args: + reviewers: [Dudu-linb] + + jit_secretss: + if: + - {{ jit.vulnerabilities | match(attr='security_control', term='Secret Detection') | some }} + run: + - action: add-label@v1 + args: + label: "🤫 PR with secrets" + + jit_ignores: + if: + - {{ pr.conversations | filter(attr='commenter', term='jit-ci') | map(attr='content') | match(term='#jit_ignore_accept') | some }} + run: + - action: add-label@v1 + args: + label: '🙈 jit_ignore_accept' + + + +sonar: {{ pr | extractSonarFindings }} +jit: {{ pr | extractJitFindings }} diff --git a/.cm/jit.cm b/.cm/jit.cm deleted file mode 100644 index 0ee42e46428..00000000000 --- a/.cm/jit.cm +++ /dev/null @@ -1,41 +0,0 @@ -manifest: - version: 1.0 - -automations: - jit_vulns: - if: - - {{ jit.metrics.HIGH > 0}} - run: - - action: add-label@v1 - args: - label: '🛡️ x {{ jit.metrics.HIGH }} High vulnerabilities' - - action: add-reviewers@v1 - args: - reviewers: [Dudu-linb] - - jit_secretss: - if: - - {{ jit.vulnerabilities | match(attr='security_control', term='Secret Detection') | some }} - run: - - action: add-label@v1 - args: - label: "🤫 PR with secrets" - - jit_ignores: - if: - - {{ pr.conversations | filter(attr='commenter', term='jit-ci') | map(attr='content') | match(term='#jit_ignore_accept') | some }} - run: - - action: add-label@v1 - args: - label: '🙈 jit_ignore_accept' - - debug: - if: - - true - run: - - action: add-comment@v1 - args: - comment: | - 1 {{ jit | dump | safe }} - -jit: {{ pr | extractJitFindings }} 
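Review bot: `mark_vulnerabilities` (Sonar vulnerabilities > 0) only adds a label, whereas `mark_security_hotspots` adds a label and assigns `Dudu-linb` as reviewer; confirmed vulnerabilities are the stronger signal and should get at least the same `add-reviewers@v1` step, and the `jit_secretss` automation carried over from `jit.cm` has the same gap plus the typo (`jit_secrets`). `high_duplications` compares `sonar.duplications > 40` while `mark_outstanding_pr` treats `null` as a legitimate value of the same field, so check what the template does with `null > 40` — presumably falsy, but a `sonar.duplications != null and` guard makes it explicit. `jit_ignores` labels the PR `🙈 jit_ignore_accept` whenever a `jit-ci` conversation contains that marker, without recording who accepted the risk; a label alone is weak evidence of a reviewed acceptance.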
From 0c236174fb23042f3a5f81d0e7de7be88d43becf Mon Sep 17 00:00:00 2001
From: Yeela Lifshitz <52451294+yeelali14@users.noreply.github.com>
Date: Mon, 29 May 2023 15:38:08 +0300
Subject: [PATCH 21/22] Update jit-and-sonar.cm
---
 .cm/jit-and-sonar.cm | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/.cm/jit-and-sonar.cm b/.cm/jit-and-sonar.cm
index c89c506f971..74d5d893a46 100644
--- a/.cm/jit-and-sonar.cm
+++ b/.cm/jit-and-sonar.cm
@@ -46,7 +46,7 @@ automations:
 - action: add-label@v1
 args:
 label: '✅ Sonar: Clean Code'
- color: 'ABEBC6'
+ color: '0e8a16'
 high_duplications:
 if:
 - {{ sonar.duplications > 40 }}
@@ -98,3 +98,9 @@ automations:
 sonar: {{ pr | extractSonarFindings }}
 jit: {{ pr | extractJitFindings }}
+colors:
+ code_smells: 'D2B48C'
+ bugs: 'FAA0A0'
+ vulnerabilities: 'F3E5AB'
+ security_hotspots: 'F89880'
+ duplications: 'D7BDE2'
From 1c7d50cfb2ed6fabc80156fb6e473e41eda288d8 Mon Sep 17 00:00:00 2001
From: Elad Kohavi
Date: Mon, 29 May 2023 16:38:52 +0300
Subject: [PATCH 22/22] Changes from demo
---
 data/mongodb.ts | 10 +++++++++-
 data/static/users.yml | 2 ++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/data/mongodb.ts b/data/mongodb.ts
index a572583ba61..2b027e33dbd 100644
--- a/data/mongodb.ts
+++ b/data/mongodb.ts
@@ -5,7 +5,15 @@
 // @ts-expect-error due to non-existing type definitions for MarsDB
 import MarsDB = require('marsdb')
-
+export const SONAR_REGEX = {
+ BUGS: /\[\d+ Bug[s]?\]/g,
+ VULNERABILITIES: /\[\d+ Vulnerabilit(?:ies|y)\]/g,
+ SECURITY_HOTSPOTS: /\[\d+ Security Hotspot[s]?\]/g,
+ CODE_SMELL: /\[\d+ Code Smell[s]?\]/g,
+ DUPLICATIONS: /\[(\d+(\.\d+)?|\.\d+)%\]/g,
+ COVERAGE: /\[(\d+(\.\d+)?|\.\d+)%\]/g,
+ RATING: /!\[([A-Z])\]/g,
+};
 const reviews = new MarsDB.Collection('posts')
 const orders = new MarsDB.Collection('orders')
diff --git a/data/static/users.yml b/data/static/users.yml
index edfe29291bf..24efd550e93 100644
--- a/data/static/users.yml
+++ b/data/static/users.yml
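Review bot: `SONAR_REGEX` has nothing to do with the MarsDB collections this module sets up and nothing in the hunk uses it, so it belongs in its own module (or next to whatever parses Sonar output) rather than in `data/mongodb.ts`. Within the object, `DUPLICATIONS` and `COVERAGE` are the identical pattern `/\[(\d+(\.\d+)?|\.\d+)%\]/g`, so a match cannot tell the two apart; the trailing `;` after the literal departs from the semicolon-free style of the surrounding lines, and `[s]?` is simply `s?`. Also note that `/g` regexes carry `lastIndex` state, so reusing these shared objects across repeated `.test()`/`.exec()` calls can yield inconsistent matches — drop `/g` unless a global match is actually needed.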
@@ -147,6 +147,8 @@
 email: wurstbrot
 username: wurstbrot
 password: 'EinBelegtesBrotMitSchinkenSCHINKEN!'
+ totpSecret: IFTXE3SPOEYVURT2MRYGI52TKJ4HC3KH
+ key: timo
 role: 'admin'
 securityQuestion:
 id: 1
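Review bot: This hunk re-adds `totpSecret: IFTXE3SPOEYVURT2MRYGI52TKJ4HC3KH` and `key: timo` to the `wurstbrot` entry — the exact lines patch 02 of this series ("fixed vulns") removed — so the series ends with the static 2FA seed back in the repository. If the seed is a fixture the test user genuinely needs, say so on the entry (e.g. `# demo fixture: seed value for the wurstbrot test account, not used elsewhere`) so it is not flagged and stripped again; if it was removed for a reason, the revert should be stated in the commit message rather than bundled under "Changes from demo".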