Conversation

@ongamse (Owner) commented May 16, 2023

This pull request enables build rules. You can read more about build rules here. The build rules are controlled by the shiftleft.yml file in the repository.

Visit app.shiftleft.io to see the security findings for this repository.

We've done a few things on your behalf:

  • Forked this demo application
  • Generated a unique secret SHIFTLEFT_ACCESS_TOKEN to allow GitHub Actions in this repository to communicate with the Qwiet (Shiftleft) API
  • Committed a GitHub Action that will invoke Qwiet preZero's Static Application Security Testing (SAST) on all future pull requests on this repository
  • Created this pull request that demonstrates build rules. It also adds a status check that displays the result of the GitHub Action

Questions? Comments? Want to learn more? Get in touch with us or check out our documentation.

@github-actions

Checking analysis of application shiftleft-csharp-demo against 3 build rules.

Using sl version 0.9.1864 (4b01eafd05a25c8d3a6ebf380e512aa47bc78c41).

Checking findings on scan 2.

Results per rule:

  • Allow no critical findings: FAIL
    (5 matched vulnerabilities; configured threshold is 0).

    Findings:

         ID   CVSS   Rating     CVE              Title
          1    9.8   critical   CVE-2018-1285    Apache log4net before 2.0.10 does not disable XML external entities when parsing log4net configuration files. This could allow for XXE-based attacks in a…
         10    9.8   critical   CVE-2021-26701   .NET Core Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-24112.
        331    9.0   critical                    Directory Traversal: Attacker-controlled Data as File Path in CustomersController.Get
        332    9.0   critical                    Directory Traversal: Attacker-controlled Data as File Path via value in CustomersController.Serialization
        333    9.0   critical                    SQL Injection: Attacker-controlled Data Used in SQL Query via sql in CustomersController.Get

     Severity rating   Count
     Critical              5
     High                  0
     Medium                0
     Low                   0

     Finding Type   Count
     Vuln               3
     Oss_vuln           2

     Category              Count
     Directory Traversal       2
     SQL Injection             1

     CVE              Count
     CVE-2021-26701       1
     CVE-2018-1285        1

     OWASP 2021 Category         Count
     A01-Broken-Access-Control       2
     A03-Injection                   1

  • Allow one OSS or container finding: FAIL
    (7 matched vulnerabilities; configured threshold is 1).

    First 5 findings:

         ID   CVSS   Rating     CVE              Title
          1    9.8   critical   CVE-2018-1285    Apache log4net before 2.0.10 does not disable XML external entities when parsing log4net configuration files. This could allow for XXE-based attacks in ap…
         10    9.8   critical   CVE-2021-26701   .NET Core Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-24112.
          3    7.5   high       CVE-2018-8292    An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Informa…
          4    7.5   high       CVE-2018-0764    Microsoft .NET Framework 1.1, 2.0, 3.0, 3.5, 3.5.1, 4, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 5.7 and .NET Core 1.0. 1.1 and 2.0 allow a denial of servi…
          6    7.5   high       CVE-2018-0765    A denial of service vulnerability exists when .NET and .NET Core improperly process XML documents, aka ".NET and .NET Core Denial of Service Vulnerability…

     Severity rating   Count
     Critical              2
     High                  3
     Medium                2
     Low                   0

     CVE              Count
     CVE-2022-41064       1
     CVE-2022-34716       1
     CVE-2021-26701       1
     CVE-2018-8292        1
     CVE-2018-1285        1
     CVE-2018-0765        1
     CVE-2018-0764        1

  • Allow no reachable OSS vulnerability: pass
    (0 matched vulnerabilities; configured threshold is 0).

2 rules failed.
