From f60c83cb41073e11ac8010b2d1d0be1cb9d8de53 Mon Sep 17 00:00:00 2001
From: 5arV
Date: Tue, 23 Nov 2021 13:45:12 +0100
Subject: [PATCH 01/16] Create main.yml

---
 .github/workflows/main.yml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 .github/workflows/main.yml

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 0000000..86fb439
--- /dev/null
+++ b/.github/workflows/main.yml
@@ -0,0 +1,31 @@
+# This is a basic workflow to help you get started with Actions
+
+name: CI
+
+# Controls when the workflow will run
+on:
+  # Triggers the workflow on push or pull request events but only for the master branch
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: zaproxy/action-baseline@v0.6.1
+
+      # Runs a single command using the runners shell
+      - name: ZAP Scan
+        with:
+          target: 'http://localhost:8080/login'

From 31c69db3f4dc0835ca156557136e4fedd06ae43b Mon Sep 17 00:00:00 2001
From: 5arV
Date: Tue, 23 Nov 2021 13:48:35 +0100
Subject: [PATCH 02/16] Update main.yml

---
 .github/workflows/main.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 86fb439..589ef9d 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
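Review bot: The workflow declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope even though the only write the ZAP step needs is the issue it files when its `allow_issue_writing` input is left at the default; add a workflow-level `permissions:` with `contents: read` and `issues: write` so the token carries nothing else. `uses: zaproxy/action-baseline@v0.6.1` pins a mutable tag; pinning the tag's commit instead (`uses: zaproxy/action-baseline@<commit-sha>  # v0.6.1`) keeps a moved tag from changing what runs in CI, and the same applies to every action added later in the series. The `- name: ZAP Scan` step here has neither `uses` nor `run`, which the next patch already repairs.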
@@ -23,9 +23,7 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: zaproxy/action-baseline@v0.6.1
-
-      # Runs a single command using the runners shell
       - name: ZAP Scan
+        uses: zaproxy/action-baseline@v0.6.1
         with:
           target: 'http://localhost:8080/login'

From 851316607cb9408b2c23e39fb06e5039daa04965 Mon Sep 17 00:00:00 2001
From: 5arV
Date: Tue, 23 Nov 2021 14:02:57 +0100
Subject: [PATCH 03/16] Update main.yml

---
 .github/workflows/main.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 589ef9d..cd461bc 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -22,6 +22,8 @@ jobs:
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
+      - name: start application
+        run: javac com.zuehlke.securesoftwaredevelopment.SecureSoftwareDevelopmentApplication
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - name: ZAP Scan
         uses: zaproxy/action-baseline@v0.6.1

From 63cc6c20b2e4857ef74a3e0204d03d7a514f3033 Mon Sep 17 00:00:00 2001
From: 5arV
Date: Tue, 23 Nov 2021 14:05:22 +0100
Subject: [PATCH 04/16] Update main.yml

---
 .github/workflows/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index cd461bc..58322d1 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -23,7 +23,7 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       - name: start application
-        run: javac com.zuehlke.securesoftwaredevelopment.SecureSoftwareDevelopmentApplication
+        run: javac com.zuehlke.securesoftwaredevelopment.SecureSoftwareDevelopmentApplication.java
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - name: ZAP Scan
         uses: zaproxy/action-baseline@v0.6.1
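Review bot: The `start application` step runs `javac` in a workspace that was never checked out — the `actions/checkout` step was dropped in the first patch of the series — so the source file cannot be found, and even a successful `javac` only writes class files; it does not start the server that the `ZAP Scan` step's `target` points at. The path tweaks in patches 04 and 05 inherit both problems. Until something is listening on `localhost:8080` before the scan step, the scan has no application to test, which the later move to a checkout plus Maven build addresses.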
From 1474631065ad4032a35b80d9839568b81ade7487 Mon Sep 17 00:00:00 2001
From: 5arV
Date: Tue, 23 Nov 2021 14:08:22 +0100
Subject: [PATCH 05/16] Update main.yml

---
 .github/workflows/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 58322d1..aaeb566 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -23,7 +23,7 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       - name: start application
-        run: javac com.zuehlke.securesoftwaredevelopment.SecureSoftwareDevelopmentApplication.java
+        run: javac com/zuehlke/securesoftwaredevelopment/SecureSoftwareDevelopmentApplication.java
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - name: ZAP Scan
         uses: zaproxy/action-baseline@v0.6.1

From 25e4c73a4a0c88b76890d2606556b8044fe36c4e Mon Sep 17 00:00:00 2001
From: 5arV
Date: Tue, 23 Nov 2021 14:40:54 +0100
Subject: [PATCH 06/16] Update main.yml

---
 .github/workflows/main.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index aaeb566..521ef80 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -22,8 +22,11 @@ jobs:
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      - name: start application
-        run: javac com/zuehlke/securesoftwaredevelopment/SecureSoftwareDevelopmentApplication.java
+      - name: maven build
+        run: mvn clean install
+      - name: maven deploy
+        run: mvn spring-boot:run
+
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - name: ZAP Scan
         uses: zaproxy/action-baseline@v0.6.1

From 7835c8d885b075ee4bc86de84e0bbf2dbf72d820 Mon Sep 17 00:00:00 2001
From: 5arV
Date: Tue, 23 Nov 2021 14:45:46 +0100
Subject: [PATCH 07/16] Update main.yml

---
 .github/workflows/main.yml | 2 ++
 1 file changed, 2 insertions(+)
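Review bot: `run: mvn spring-boot:run` in the `maven deploy` step runs the server in the foreground, so the step never finishes on its own and the `ZAP Scan` step after it is only reached once the job times out or the server dies. The step needs to either background the server with a readiness wait, or start it as a service the scan can reach. `mvn clean install` also runs the project's full test suite and every plugin bound in the POM before the scan; `mvn -B -DskipTests package` is enough to produce the runnable artifact if the tests have their own job.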
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 521ef80..07dd9ac 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -22,6 +22,8 @@ jobs:
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
+      - name: check directory
+        run: dir
       - name: maven build
         run: mvn clean install
       - name: maven deploy

From 6f4a9915b7e61e6dbec583e4e1d6e1d81c2519b5 Mon Sep 17 00:00:00 2001
From: 5arV
Date: Tue, 23 Nov 2021 14:49:49 +0100
Subject: [PATCH 08/16] Update main.yml

---
 .github/workflows/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 07dd9ac..5c95656 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -22,8 +22,8 @@ jobs:
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      - name: check directory
-        run: dir
+      - name: change dir
+        run: projekat
       - name: maven build
         run: mvn clean install
       - name: maven deploy

From 5b9c2e480d1a757b425c21bca309f87c7a5c3a67 Mon Sep 17 00:00:00 2001
From: 5arV
Date: Tue, 23 Nov 2021 14:50:14 +0100
Subject: [PATCH 09/16] Update main.yml

---
 .github/workflows/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 5c95656..5e87beb 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -23,7 +23,7 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       - name: change dir
-        run: cd projekat
+        run: cd projekat
       - name: maven build
         run: mvn clean install
       - name: maven deploy

From 17e1c3404f875bb377312260e08696c756d10304 Mon Sep 17 00:00:00 2001
From: 5arV
Date: Tue, 23 Nov 2021 14:53:57 +0100
Subject: [PATCH 10/16] Update main.yml

---
 .github/workflows/main.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
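Review bot: `run: cd projekat` in the `change dir` step has no effect on the steps after it: every `run:` step starts a fresh shell in `$GITHUB_WORKSPACE`, so `maven build` still executes in the repository root. Put `working-directory: projekat` on the Maven steps, or set `defaults: run: working-directory: projekat` on the job, instead of a separate `cd` step. Patch 08's `run: projekat` on the same line is not a command at all and fails the job; patch 07's `run: dir` is a Windows habit that only works on the Ubuntu runner because coreutils happens to ship a `dir` binary, so `ls -la` is the portable spelling.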
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 5e87beb..a14edb9 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -22,8 +22,12 @@ jobs:
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      - name: change dir
-        run: cd projekat
+      - uses: actions/checkout@v2
+      - name: Set up JDK 11
+        uses: actions/setup-java@v2
+        with:
+          java-version: '11'
+          distribution: 'adopt'
       - name: maven build
         run: mvn clean install
       - name: maven deploy

From dac531e9c51454f5a6e5ca19d7579ace9ac0e7ce Mon Sep 17 00:00:00 2001
From: 5arV
Date: Tue, 23 Nov 2021 15:31:33 +0100
Subject: [PATCH 11/16] Update main.yml

---
 .github/workflows/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index a14edb9..121a7c5 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -31,7 +31,7 @@ jobs:
       - name: maven build
         run: mvn clean install
       - name: maven deploy
-        run: mvn spring-boot:run
+        run: mvn spring-boot:run &
 
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - name: ZAP Scan

From 28e4b65115a794dc2b27712b237d0efb90bf1421 Mon Sep 17 00:00:00 2001
From: 5arV
Date: Tue, 23 Nov 2021 16:12:30 +0100
Subject: [PATCH 12/16] Update main.yml

---
 .github/workflows/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 121a7c5..a1f4c56 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -35,6 +35,6 @@ jobs:
 
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - name: ZAP Scan
-        uses: zaproxy/action-baseline@v0.6.1
+        uses: zaproxy/action-full-scan@v0.3.0
         with:
           target: 'http://localhost:8080/login'

From 68a2b5560c8a9cdd9472c279bdaa986ce069ae67 Mon Sep 17 00:00:00 2001
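Review bot: `actions/checkout@v2` and `actions/setup-java@v2` are floating major tags that resolve to whatever the maintainers point them at; for a workflow whose whole purpose is security testing, pin each to a commit SHA with the version in a trailing comment (`uses: actions/checkout@<commit-sha>  # v2`). `distribution: 'adopt'` names the AdoptOpenJDK builds, which moved to the Eclipse Adoptium project; newer setup-java releases document `temurin` as the replacement, so `distribution: 'temurin'` is worth switching to if the action version in use already offers it. The `java-version: '11'` quoting is correct and should stay quoted.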
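Review bot: `mvn spring-boot:run &` returns immediately, so the `ZAP Scan` step begins while Maven is still resolving plugins and the application is still booting, and on a cold runner nothing is listening on `localhost:8080` at that point — the scan then reports an unreachable target or scans a connection-error page instead of the login form. Add a readiness wait between the two steps, e.g. `run: timeout 180 bash -c 'until curl -sf http://localhost:8080/login >/dev/null; do sleep 3; done'`, and capture the boot log with `run: mvn spring-boot:run > app.log 2>&1 &` so it can be uploaded when the wait times out. Whether a process backgrounded in one `run:` step is still alive in the next depends on the runner; verify that on the target runner, and use `nohup` or `setsid` if it is not.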
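Review bot: Moving from `action-baseline` to `action-full-scan` turns the run into an active scan, which is fine against a throwaway instance on the runner, but with the action's `fail_action` input left at its default the job goes green regardless of what the scan finds, so the workflow gates nothing. Add `fail_action: true` under `with:` (paired with a rules file to tune the alerts that should only warn) if the scan is meant to block a merge, otherwise state in a comment that it is report-only. `v0.3.0` is again a mutable tag; pin it to the commit SHA as suggested for the other actions.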
From: 5arV Date: Tue, 23 Nov 2021 19:02:33 +0100 Subject: [PATCH 13/16] Create zapconfig.context --- zapconfig.context | 77 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 zapconfig.context diff --git a/zapconfig.context b/zapconfig.context new file mode 100644 index 0000000..b958aa3 --- /dev/null +++ b/zapconfig.context @@ -0,0 +1,77 @@ + + + + Default Context + + true + + Db + Db.CouchDB + Db.Firebird + Db.HypersonicSQL + Db.IBM DB2 + Db.Microsoft Access + Db.Microsoft SQL Server + Db.MongoDB + Db.MySQL + Db.Oracle + Db.PostgreSQL + Db.SAP MaxDB + Db.SQLite + Db.Sybase + Language + Language.ASP + Language.C + Language.JSP/Servlet + Language.Java + Language.JavaScript + Language.PHP + Language.Python + Language.Ruby + Language.XML + OS + OS.Linux + OS.MacOS + OS.Windows + SCM + SCM.Git + SCM.SVN + WS + WS.Apache + WS.IIS + WS.Tomcat + + + org.zaproxy.zap.model.StandardParameterParser + {"kvps":"&","kvs":"=","struct":[]} + + + org.zaproxy.zap.model.StandardParameterParser + {"kvps":"&","kvs":"=","struct":[]} + + + 2 +
+ http://localhost:8080/ + username={%username%}&password={%password%} + http://localhost:8080/login +
+
+ + 0;true;YnJ1Y2U=;2;YnJ1Y2U=~d2F5bmU=~ + + 0 + + 0 + + + 0 + +
+ + AND + -1 + + + + From a975f66eaacc4cbd5d750d420dfaa8ddd84ccabc Mon Sep 17 00:00:00 2001 From: 5arV Date: Tue, 23 Nov 2021 19:04:33 +0100 Subject: [PATCH 14/16] Update main.yml --- .github/workflows/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index a1f4c56..80a7a70 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -38,3 +38,4 @@ jobs: uses: zaproxy/action-full-scan@v0.3.0 with: target: 'http://localhost:8080/login' + cmd_options: '-n zapconfig.context' From c905a3eee80bed4738dd75b334e9b31e48f3add1 Mon Sep 17 00:00:00 2001 From: 5arV Date: Tue, 23 Nov 2021 19:18:25 +0100 Subject: [PATCH 15/16] Update zapconfig.context --- zapconfig.context | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/zapconfig.context b/zapconfig.context index b958aa3..58658ca 100644 --- a/zapconfig.context +++ b/zapconfig.context @@ -52,15 +52,15 @@ 2
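Review bot: The ZAP user entry `0;true;YnJ1Y2U=;2;YnJ1Y2U=~d2F5bmU=~` carries the account's username and password base64-encoded, which is reversible, not encrypted, so this file should only ever hold the application's built-in throwaway test account; if a real account were ever needed, the context should be generated in the job from repository secrets rather than committed. The XML element names are stripped in this rendering, so the authentication block around the form URLs and the `{%username%}`/`{%password%}` body cannot be checked from here; it is worth confirming that logged-in and logged-out indicator regexes are set, because without them ZAP cannot tell whether the session it is scanning with is still authenticated. The enclosing context element starts and ends outside the visible lines.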
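Review bot: `cmd_options: '-n zapconfig.context'` loads the context, but the scan still runs unauthenticated unless the user defined in that context is also selected; newer zap-full-scan.py versions take `-U <user>` for this (`cmd_options: '-n zapconfig.context -U <user-name-from-context>'`), so confirm the ZAP image pulled by `action-full-scan@v0.3.0` supports that flag. The path is relative to the workspace the action mounts as ZAP's working directory, so it only resolves because patch 13 places the file at the repository root; a comment on the step saying so would save the next person who moves the file.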
- http://localhost:8080/ + http://localhost:8080/perform-login username={%username%}&password={%password%} - http://localhost:8080/login + http://localhost:8080/perform-login
- 0;true;YnJ1Y2U=;2;YnJ1Y2U=~d2F5bmU=~ + 14;true;YnJ1Y2U=;2;YnJ1Y2U=~d2F5bmU=~ - 0 + 14 0 From 12cf08e00e461ae9be14db7dbd6e368b77e3ff72 Mon Sep 17 00:00:00 2001 From: 5arV Date: Tue, 23 Nov 2021 19:27:12 +0100 Subject: [PATCH 16/16] Update zapconfig.context --- zapconfig.context | 1 + 1 file changed, 1 insertion(+) diff --git a/zapconfig.context b/zapconfig.context index 58658ca..5f91e85 100644 --- a/zapconfig.context +++ b/zapconfig.context @@ -4,6 +4,7 @@ Default Context true + http://localhost:8080.* Db Db.CouchDB
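Review bot: Both URL fields of the form-authentication block now read `http://localhost:8080/perform-login`; if the second field is ZAP's login-page URL — the page fetched with GET before the credentials are posted, which the original file set to `/login` — pointing it at the POST endpoint makes ZAP GET a URL that a POST-only login handler may not serve, so keep `http://localhost:8080/login` there and change only the POST target. The user id moves from `0` to `14` in both the user line and the forced-user field; those must agree with the id ZAP assigns inside the same context, which cannot be verified from this rendering. The element names are stripped here, so which field is which is inferred from the original file's values.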
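Review bot: The include regex `http://localhost:8080.*` has no separator after the port and an unescaped `.`, so it also matches hosts such as `http://localhost:80801/...`; `http://localhost:8080/.*` is the intended scope. This matters more for an active scan than it looks: the include regex is what keeps the spider and scanner on the runner-local application if a page ever links to an absolute URL elsewhere.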