Updating Actions and source headers

Author: kadraman

.github/workflows/azurewebapp.yml .github/workflows/azure_webapp.yml.github/workflows/azurewebapp.yml renamed to .github/workflows/azure_webapp.yml

@@ -1,7 +1,14 @@
 # Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy
 # More GitHub Actions for Azure: https://github.com/Azure/actions
 
-name: Build and deploy Node.js app to Azure Web App
+name: Build and Deploy to Azurepermissions:
+    # required for all workflows
+    security-events: write
+    # required to fetch internal or private CodeQL packs
+    packages: read
+    # only required for workflows in private repositories
+    actions: read
+    contents: read
 
 on:
   push:

.github/workflows/codeql.yml

@@ -0,0 +1,116 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL Advanced"
+
+on:
+  # Triggers the workflow on push or pull request events but only for the main or develop branches
+  push:
+    paths-ignore:
+      - '.github/**/**'
+      - 'Jenkinsfile'
+      - '.gitlab-ci.yml'
+      - 'azure-pipelines.yml'
+      - 'bin/**'
+      - 'data/**'
+      - 'etc/**'
+      - 'tests/**'
+      - '*.md'
+      - 'LICENSE'
+    #branches-ignore:
+    #  - main
+    #  - develop
+    branches:
+      - '**'        # matches every branch
+  pull_request:
+    branches: [ main, develop ]
+    
+jobs:
+  analyze:
+    # only run this job if the repository is origin 'kadraman/InsecureRestAPI not forked repositories
+    if: ${{ github.repository == 'kadraman/InsecureRestAPI' }}
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: actions
+          build-mode: none
+        - language: javascript-typescript
+          build-mode: none
+        # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+        # Use `c-cpp` to analyze code written in C, C++ or both
+        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Add any setup steps before running the `github/codeql-action/init` action.
+    # This includes steps like installing compilers or runtimes (`actions/setup-node`
+    # or others). This is typically only required for manual builds.
+    # - name: Setup runtime (example)
+    #   uses: actions/setup-example@v1
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+    # If the analyze step fails for one of the languages you are analyzing with
+    # "We were unable to automatically build your code", modify the matrix above
+    # to set the build mode to "manual" for that language. Then modify this step
+    # to build your code.
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+    - if: matrix.build-mode == 'manual'
+      shell: bash
+      run: |
+        echo 'If you are using a "manual" build mode for one or more of the' \
+          'languages you are analyzing, replace this with the commands to build' \
+          'your code, for example:'
+        echo '  make bootstrap'
+        echo '  make release'
+        exit 1
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/debricked.yml

@@ -0,0 +1,67 @@
+
+# Create GitHub Action Secrets for your version of the application:
+#   DEBRICKEN_TOKEN should be an API Access Token from your Debricked tenant.
+
+name: OSS SCA with Debricked
+permissions:
+    # required for all workflows
+    security-events: write
+    # required to fetch internal or private CodeQL packs
+    packages: read
+    # only required for workflows in private repositories
+    actions: read
+    contents: read
+    
+on:
+  # Triggers the workflow on push or pull request events but only for the main and dev branches
+  push:
+    paths:
+      - '**/package.json'
+    branches:
+      - '**'        # matches every branch
+  pull_request:
+    branches: [ main, develop ]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+    inputs:
+      runDebrickedScan:
+        description: 'Carry out SCA scan using Debricked'
+        required: true
+        default: 'true'
+
+# Global environment variables
+env:
+  DEFAULT_APP_NAME: "InsecureRestAPI"
+
+jobs:
+
+  Debricked-SCA:
+    runs-on: ubuntu-latest
+    if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.runDebrickedScan == 'true') }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          # Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
+          fetch-depth: 2
+      # Java is required to run the various Fortify utilities.
+      # Setup JDK 11 on host
+      - uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '11'
+      # Install Fortify (if required)
+      - name: Setup Fortify tools
+        uses: fortify/github-action/setup@v1.2.2
+        with:
+          export-path: true
+          fcli: latest
+      # Run debricked scan    
+      - name: Download Debricked CLI
+        run: curl -L https://github.com/debricked/cli/releases/latest/download/cli_linux_x86_64.tar.gz | tar -xz debricked
+      - name: Run Debricked scan  
+        run: ./debricked scan -r "${APP_NAME}" --access-token="${DEBRICKED_TOKEN}"  -e "*/**.lock" -e "**/build/classes/test/**" -e "**/target/classes/test-classes/**" .
+        env:
+          APP_NAME: ${{ env.DEFAULT_APP_NAME }}
+          DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}

.github/workflows/fod.yml

@@ -27,8 +27,17 @@ permissions:
 on:
   # Triggers the workflow on push or pull request events but only for the main or develop branches
   push:
-    paths:
-      - 'src/**'
+    paths-ignore:
+      - '.github/**/**'
+      - 'Jenkinsfile'
+      - '.gitlab-ci.yml'
+      - 'azure-pipelines.yml'
+      - 'bin/**'
+      - 'data/**'
+      - 'etc/**'
+      - 'tests/**'
+      - '*.md'
+      - 'LICENSE'
     #branches-ignore:
     #  - main
     #  - develop
@@ -59,10 +68,10 @@ on:
 
 # Global environment variables
 env:
-  DEFAULT_APP_NAME: "IWA-API-Node"
+  DEFAULT_APP_NAME: "InsecureRestAPI"
   DEFAULT_SOURCE_DIR: "."
   AZURE_WEBAPP_NAME: insecureapi
-  NODE_VERSION: 18
+  NODE_VERSION: 20
 
 jobs:
 
@@ -144,11 +153,10 @@ jobs:
           FOD_RELEASE: ${{ format('{0}{1}:{2}', env.DEFAULT_APP_NAME, vars.FORTIFY_APP_NAME_POSTFIX, github.ref_name) }}
           # DO_SETUP: true
           # SETUP_ACTION: https://scm.my.org/shared-repos/fcli-actions/setup.yaml
-          SETUP_EXTRA_OPTS: ${{ format('--copy-from "{0}" --sdlc-status Development --app-owner {1} --assessment-type "{2}"', env.FOD_PARENT_RELEASE, vars.FOD_DEFAULT_OWNER, vars.FOD_DEFAULT_ASSESSMENT_TYPE) }} 
-          #SETUP_EXTRA_OPTS: "--use-aviator --technology-stack=JS/TS/HTML"
+          SETUP_EXTRA_OPTS: ${{ format('--copy-from "{0}" --sdlc-status Development --app-owner {1} --assessment-type "{2}" --user-aviator --technology-stack=JS/TS/HTML', env.FOD_PARENT_RELEASE, vars.FOD_DEFAULT_OWNER, vars.FOD_DEFAULT_ASSESSMENT_TYPE) }} 
           # SC_CLIENT_VERSION: 24.4.1
           # DO_PACKAGE_DEBUG: true
-          PACKAGE_EXTRA_OPTS: "-bt none -oss"
+          PACKAGE_EXTRA_OPTS: "-bt none"
           # FOD_SAST_SCAN_EXTRA_OPTS:
           # DO_WAIT: true
           DO_POLICY_CHECK: false # we will do this later after SCA and DAST scan

.gitignore

@@ -139,3 +139,4 @@ dist
 logs
 email-db.json
 iwa.db
+*.fpr

Dockerfile

@@ -24,10 +24,9 @@ RUN npm install
 # Bundle app source
 ADD dist ./
 COPY config ./config/
-COPY mongodb ./mongodb/
 
-# Make port 3000 available to the world outside this container
-EXPOSE 3000
+# Make port 5000 available to the world outside this container
+EXPOSE 5000
 
 CMD [ "node", "index.js" ]
 

Makefile

@@ -0,0 +1,73 @@
+-include .env
+
+ROOT_DIR := $(abspath $(dir $(lastword $(MAKEFILE_LIST)))/..)
+ROOT_DIR := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
+PROJECT := InsecureRestAPI
+PROJECTS := $(shell ls . | grep project)
+VERSION ?= $(shell git describe --tags --always --dirty --match=v* 2> /dev/null || echo "1.0.0")
+COMMIT := $(shell git log -1 --pretty=format:"%H")
+
+FLASK_APP := iwa
+FLASK := FLASK_APP=$(FLASK_APP) .venv/bin/flask
+
+SAST_DEFAULT_OPTS := -Dcom.fortify.sca.ProjectRoot=.fortify -b "$(PROJECT)"
+SAST_TRANSLATE_OPTS := $(SAST_DEFAULT_OPTS) .
+SAST_SCAN_OPTS := $(SAST_DEFAULT_OPTS)
+
+.PHONY: default
+default: help
+
+# generate help info from comments
+.PHONY: help
+help: ## help information about make commands
+	@grep -h -P '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
+.PHONY: version
+version: ## display the version of the service
+	@echo $(VERSION)
+
+.PHONY: build
+build:  ## build the project
+	@echo "Building $(PROJECT)..."
+	npm build
+
+.PHONY: build-docker
+build-docker: ## build the project as a docker image
+	docker build -f Dockerfile -t $(PROJECT):$(VERSION) .
+
+.PHONY: run
+run: ## run the project
+	@echo "Running $(PROJECT)..."
+	npm run dev
+
+.PHONY: run-production
+run-production: ## run the project in production mode
+	@echo "Running $(PROJECT) in production mode..."
+	npm run start
+
+.PHONY: test
+test: ## run unit tests for the project
+	@echo "Testing $(PROJECT)..."
+	npm run test
+
+.PHONY: clean
+clean: ## remove temporary files
+	rm -rf instance node-modules .fortify *.lock *.fpr
+
+.PHONY: sast-scan
+sast-scan: ## run OpenText static application security testing
+	@echo "Running OpenText static application security testing..."
+	@sourceanalyzer $(SAST_DEFAULT_OPTS) -clean
+	@sourceanalyzer $(SAST_TRANSLATE_OPTS)
+	@sourceanalyzer $(SAST_SCAN_OPTS) -scan \
+		-rules $(ROOT_DIR)/etc/sast-custom-rules/example-custom-rules.xml \
+		-filter $(ROOT_DIR)/etc/sast-filters/example-filter.txt \
+		-build-project "$(PROJECT)" -build-version "$(VERSION)" -build-label "SNAPSHOT" \
+		-f "$(PROJECT).fpr"
+	@FPRUtility -information -analyzerIssueCounts -project "$(PROJECT).fpr"
+
+.PHONY: sca-scan
+sca-scan: ## run OpenText software composition analysis
+	@echo "Running OpenText software composition analysis..."
+	@debricked scan . -r $(PROJECT) -c $(COMMIT) -t $(DEBRICKED_TOKEN)
+