diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..7e1d058
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,39 @@
+name: SonarCloud
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ - feature*
+ pull_request:
+ types: [opened, synchronize, reopened]
+jobs:
+ build:
+ name: Build and analyze
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+ - name: Set up JDK 17
+ uses: actions/setup-java@v3
+ with:
+ java-version: 17
+ distribution: 'zulu'
+ - name: Cache SonarCloud packages
+ uses: actions/cache@v3
+ with:
+ path: ~/.sonar/cache
+ key: ${{ runner.os }}-sonar
+ restore-keys: ${{ runner.os }}-sonar
+ - name: Cache Maven packages
+ uses: actions/cache@v3
+ with:
+ path: ~/.m2
+ key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+ restore-keys: ${{ runner.os }}-m2
+ - name: Build and analyze
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=SonarCloud-Demos_demo-java-security
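Review bot: The workflow declares no `permissions:` block, so the `GITHUB_TOKEN` handed to the analyze step on L43 carries the repository's default token scope rather than the read-only access the comment says it needs for PR information; add at job or top level `permissions:` / `  contents: read` / `  pull-requests: read`. The three actions on L21, L25, L30 and L36 are pinned to mutable major tags (`@v3`), which lets a compromised or re-tagged release run with that token and the `SONAR_TOKEN` secret — pin each `uses:` to a full-length commit SHA with the version in a trailing comment. Note also that `pull_request` runs triggered from forks do not receive repository secrets, so `SONAR_TOKEN` will be empty and the `sonar` goal on L45 is expected to fail for those PRs; either gate the analyze step on the secret being present or accept that limitation explicitly in a comment.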
diff --git a/.gitignore b/.gitignore
index a12c01a..9aa1aa1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,6 @@ hs_err_pid*
.idea/
.vscode/
java-security.iml
+
+# SonarQube for IDE
+.sonarlint/
\ No newline at end of file
diff --git a/README.md b/README.md
index bc47ede..f27ac69 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,11 @@
# Demo - Java Security
+
+SonarQube:
[](https://nautilus.sonarqube.org/dashboard?id=demo%3Ajava-security) [](https://nautilus.sonarqube.org/dashboard?id=demo%3Ajava-security) [](https://nautilus.sonarqube.org/dashboard?id=demo%3Ajava-security) [](https://nautilus.sonarqube.org/dashboard?id=demo%3Ajava-security) [](https://nautilus.sonarqube.org/dashboard?id=demo%3Ajava-security)
+
+SonarCloud:
+[](https://sonarcloud.io/summary/new_code?id=SonarCloud-Demos_demo-java-security)
+
## Use case
This example demonstrates:
- Vulnerabilities
diff --git a/pom.xml b/pom.xml
index 69c66c6..e90e298 100644
--- a/pom.xml
+++ b/pom.xml
@@ -10,10 +10,12 @@
http://maven.apache.org
UTF-8
- 11
- 11
+ 17
+ 17
training:security
Java Web App
+ sonarcloud-demos
+ https://sonarcloud.io
@@ -75,6 +77,11 @@
+
+ org.apache.maven.plugins
+ maven-war-plugin
+ 3.3.1
+
org.jacoco
jacoco-maven-plugin
@@ -105,7 +112,7 @@
org.sonarsource.scanner.maven
sonar-maven-plugin
- 3.9.1.2184
+ 3.11.0.3922
org.apache.maven.plugins
diff --git a/s3649JavaSqlInjectionConfig.json b/s3649JavaSqlInjectionConfig.json
deleted file mode 100644
index 29b5406..0000000
--- a/s3649JavaSqlInjectionConfig.json
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- "sources": [
- {
- "methodId": "training.security.Insecure#getInput(Ljava/lang/String;)Ljava/lang/String;"
- }
- ],
- "sanitizers": [
- {
- "methodId": "training.security.Insecure#verifyData(Ljava/lang/String;)V",
- "args": [
- 1
- ]
- }
- ],
- "sinks": [
- {
- "methodId": "training.security.Insecure#storeData(Ljava/lang/String;)V",
- "args": [
- 1
- ]
- }
- ]
-}
diff --git a/src/main/java/demo/security/servlet/HomeServlet.java b/src/main/java/demo/security/servlet/HomeServlet.java
index fac56e5..9cd2286 100644
--- a/src/main/java/demo/security/servlet/HomeServlet.java
+++ b/src/main/java/demo/security/servlet/HomeServlet.java
@@ -22,6 +22,10 @@ protected void doGet(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
String name = request.getParameter("name").trim();
response.setContentType("text/html");
+ writeResponse(response, name);
+ }
+
+ protected void writeResponse(HttpServletResponse response, String name) throws IOException {
PrintWriter out = response.getWriter();
out.print("Hello "+name+ "
");
out.close();
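Review bot: The extracted `writeResponse` on L143-L147 writes `name` straight into the HTML body with no output encoding, so the reflected-XSS sink from `doGet` now lives in a new `protected` method without any marker that this is deliberate. Since the README states the project exists to demonstrate vulnerabilities, the method should say so rather than look like an oversight: `// Intentionally vulnerable (demo): name is written into HTML without encoding — reflected XSS`. If this were production code the fix would be to HTML-escape `name` before concatenation, not to widen it to a protected method that subclasses can reuse. The enclosing `doGet` begins before this hunk, so its parameter handling was not reviewed here.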
@@ -29,7 +33,6 @@ protected void doGet(HttpServletRequest request,
protected void doPost(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
- // TODO Auto-generated method stub
doGet(request, response);
}
diff --git a/src/main/secrets/Secrets.java b/src/main/secrets/Secrets.java
new file mode 100644
index 0000000..fe07c40
--- /dev/null
+++ b/src/main/secrets/Secrets.java
@@ -0,0 +1,10 @@
+import java.util.logging.Logger;
+
+public class Secrets {
+ private static Logger logger = Logger.getLogger(Secrets.class.getName());
+ public static void main(String[] args) {
+ String password = "MyCustomSecret_123";
+ logger.println(password);
+ }
+
+}
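Review bot: `logger.println(password)` on L166 calls a method that `java.util.logging.Logger` does not have, so this class will not compile if it is ever placed on a source root; it presumably only survives because `src/main/secrets` is outside Maven's default `src/main/java`, which is worth confirming in the pom. If the file is meant to be valid Java, the matching call is `logger.info(password);`. The hard-coded credential on L165 appears to be deliberate fixture data for secret detection; mark it as such so nobody rotates or removes it by mistake, e.g. `// Intentional hard-coded secret used to demo secret detection — not a real credential`.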
diff --git a/src/main/secrets/secrets.js b/src/main/secrets/secrets.js
new file mode 100644
index 0000000..e682b12
--- /dev/null
+++ b/src/main/secrets/secrets.js
@@ -0,0 +1,3 @@
+var secret = "MyCustomSecret_123"
+
+console.log(secret)
\ No newline at end of file
diff --git a/src/main/secrets/secrets.py b/src/main/secrets/secrets.py
new file mode 100644
index 0000000..46f3bb2
--- /dev/null
+++ b/src/main/secrets/secrets.py
@@ -0,0 +1,2 @@
+secret_key = "MyCustomSecret_123"
+print(secret_key)
\ No newline at end of file