endorlabs · Copilot · Dec 9, 2025 · Dec 9, 2025 · Dec 9, 2025 · Dec 9, 2025
diff --git a/.DS_Store b/.DS_Store
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,26 @@
+# Maven
+target/
+pom.xml.tag
+pom.xml.releaseBackup
+pom.xml.versionsBackup
+pom.xml.next
+release.properties
+dependency-reduced-pom.xml
+buildNumber.properties
+.mvn/timing.properties
+.mvn/wrapper/maven-wrapper.jar
+
+# IDE
+.idea/
+*.iml
+.vscode/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Logs
+*.log
diff --git a/SCAN_REPORT.md b/SCAN_REPORT.md
@@ -0,0 +1,90 @@
+# Endor Labs Vulnerability Scan Report
+
+## Scan Details
+
+- **Repository**: endorlabs/app-java-demo
+- **Scan Date**: 2025-12-09
+- **Scan Tool**: Endor Labs MCP / endorctl CLI
+- **Scan Types**: Vulnerabilities, Secrets, Dependencies
+
+## Scan Execution
+
+### Scan Attempts
+
+Multiple attempts were made to run the scan using:
+
+1. **Endor Labs MCP server tools** (`endor-labs-scan`)
+   - Status: ❌ Request timed out
+   - Attempted scan types: vulnerabilities, secrets, dependencies
+   - Note: MCP server experiencing timeout issues
+
+2. **endorctl CLI**
+   - Status: ⚠️ Requires authentication credentials
+   - Available at: `/usr/local/bin/endorctl`
+   - Requires: API key, API secret, and namespace
+
+### Scan Script
+
+A scan script has been created at `run-endor-scan.sh` that can be executed when authentication credentials are available:
+
+```bash
+./run-endor-scan.sh
+```
+
+Or using endorctl directly:
+
+```bash
+endorctl scan \
+    --path /home/runner/work/app-java-demo/app-java-demo \
+    --namespace release-test \
+    --dependencies \
+    --secrets \
+    --output-type summary
+```
+
+## Dependencies Scanned
+
+The following dependencies from `pom.xml` are included in the scan:
+
+### Potentially Vulnerable Dependencies
+
+1. **org.apache.commons:commons-text:1.9**
+   - Ecosystem: maven
+   - Known issues: May have vulnerabilities in older versions
+
+2. **mysql:mysql-connector-java:5.1.42**
+   - Ecosystem: maven
+   - Known issues: Older version, check for CVEs
+
+3. **org.apache.logging.log4j:log4j-core:2.3**
+   - Ecosystem: maven
+   - **CRITICAL**: Very old version, likely affected by Log4Shell (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832)
+   - Recommendation: Upgrade to 2.17.1 or later
+
+4. **org.jboss.weld:weld-core:1.1.33.Final**
+   - Ecosystem: maven
+   - Very old version from 2014
+
+5. **com.mchange:c3p0:0.9.5.2**
+   - Ecosystem: maven
+   - Check for known vulnerabilities
+
+6. **org.mockito:mockito-core:2.28.2**
+   - Ecosystem: maven
+   - Relatively old version
+
+## Recommendations
+
+1. **Immediate Action**: Upgrade log4j-core from 2.3 to 2.17.1 or later to address Log4Shell vulnerabilities
+2. **Review**: Check all other dependencies for known CVEs
+3. **Regular Scans**: Set up automated scanning in CI/CD pipeline
+4. **Secrets**: Scan git history for accidentally committed secrets
+5. **SAST**: Consider enabling SAST scanning for code vulnerabilities
+
+## Next Steps
+
+1. Run the scan with proper authentication credentials
+2. Review detailed findings
+3. Create tickets to address vulnerabilities
+4. Implement dependency updates
+5. Set up continuous vulnerability monitoring
diff --git a/SECURITY_SCANNING.md b/SECURITY_SCANNING.md
@@ -0,0 +1,75 @@
+# Endor Labs Vulnerability Scanning
+
+This repository is configured for security vulnerability scanning using Endor Labs.
+
+## Available Scanning Methods
+
+### 1. Using the Endor Labs MCP Server Tools
+
+The Endor Labs MCP (Model Context Protocol) server provides programmatic access to scan functionality:
+
+- `endor-labs-scan`: Scans a project for security issues including:
+  - Vulnerabilities in code
+  - Dependencies with security issues  
+  - Leaked secrets
+
+- `endor-labs-check_dependency_for_vulnerabilities`: Checks a specific dependency for vulnerabilities
+
+- `endor-labs-get_endor_vulnerability`: Retrieves vulnerability information from the Endor database
+
+### 2. Using the endorctl CLI
+
+The `endorctl` command-line tool is available for manual scans:
+
+```bash
+# Run a comprehensive security scan
+./run-endor-scan.sh
+```
+
+Or manually:
+
+```bash
+# Build the project first
+mvn clean compile
+
+# Run the scan
+endorctl scan \
+    --path . \
+    --namespace release-test \
+    --dependencies \
+    --secrets \
+    --output-type summary
+```
+
+### 3. Using GitHub Actions
+
+The repository includes a GitHub Actions workflow (`.github/workflows/main.yml`) that runs Endor Labs scans automatically using the `endorlab/github-action`.
+
+## Scan Types
+
+- **Dependencies**: Scans dependencies for known vulnerabilities
+- **Secrets**: Scans for leaked secrets in code and git history
+- **Vulnerabilities**: Scans code for security vulnerabilities
+
+## Authentication
+
+Endor Labs scanning requires authentication credentials:
+
+- `ENDOR_API`: API URL (default: https://api.endorlabs.com)
+- `ENDOR_API_KEY`: API key for authentication
+- `ENDOR_API_SECRET`: API secret for authentication  
+- `ENDOR_NAMESPACE`: Namespace (default: release-test)
+
+These can be provided via environment variables or command-line flags.
+
+## Dependencies in This Project
+
+This Java Maven project includes several dependencies that should be scanned:
+
+- `org.apache.commons:commons-text:1.9`
+- `mysql:mysql-connector-java:5.1.42`
+- `org.apache.logging.log4j:log4j-core:2.3`
+- `com.mchange:c3p0:0.9.5.2`
+- And others (see `pom.xml`)
+
+Some of these dependencies may have known vulnerabilities and should be regularly scanned.
diff --git a/run-endor-scan.sh b/run-endor-scan.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+# Endor Labs Security Scan Script
+# This script runs vulnerability scanning using Endor Labs tools
+
+set -e
+
+REPO_PATH="${REPO_PATH:-$(cd "$(dirname "$0")" && pwd)}"
+NAMESPACE="${ENDOR_NAMESPACE:-release-test}"
+
+echo "=========================================="
+echo "Endor Labs Vulnerability Scan"
+echo "=========================================="
+echo "Repository: $REPO_PATH"
+echo "Namespace: $NAMESPACE"
+echo ""
+
+# Check if endorctl is available
+if ! command -v endorctl &> /dev/null; then
+    echo "Error: endorctl is not installed"
+    echo "Please install endorctl before running this script"
+    exit 1
+fi
+
+# Build the project first
+echo "Step 1: Building the project..."
+cd "$REPO_PATH"
+mvn clean compile
+
+echo ""
+echo "Step 2: Running Endor Labs security scan..."
+echo "Scan types: vulnerabilities, secrets, dependencies"
+echo ""
+
+# Run the scan with endorctl
+# Note: This requires proper authentication credentials to be set
+# via environment variables or command-line flags:
+# - ENDOR_API or --api
+# - ENDOR_API_KEY or --api-key
+# - ENDOR_API_SECRET or --api-secret
+# - ENDOR_NAMESPACE or --namespace
+
+endorctl scan \
+    --path "$REPO_PATH" \
+    --namespace "$NAMESPACE" \
+    --dependencies \
+    --secrets \
+    --ghactions \
+    --output-type summary
+
+echo ""
+echo "Scan completed successfully!"