Use the Veracode CLI for scanning
antfie committed Apr 19, 2024
1 parent 17502df commit 811865e
Showing 2 changed files with 187 additions and 20 deletions.
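--- a/sast_baseline.json
+++ b/sast_baseline.json
@@ -1,24 +1,194 @@
 {
 "_links": {
 "root": {
-"href": "/"
+"href": "/",
+"name": "",
+"templated": false
 },
 "self": {
-"href": "/scans/931578cc-b3cd-44f0-95af-40acb61b0475/findings"
+"href": "/scans/4c11321d-b017-4179-bf84-f39b5034260b/findings",
+"name": "",
+"templated": false
 },
 "help": {
-"href": "https://help.veracode.com/reader/tS9CaFwL4_lbIEWWomsJoA/ovfZGgu96UINQxIuTqRDwg"
+"href": "https://help.veracode.com/reader/tS9CaFwL4_lbIEWWomsJoA/ovfZGgu96UINQxIuTqRDwg",
+"name": "",
+"templated": false
+},
+"create": {
+"href": "",
+"name": "",
+"templated": false
+},
+"start": {
+"href": "",
+"name": "",
+"templated": false
+},
+"details": {
+"href": "",
+"name": "",
+"templated": false
+},
+"upload": {
+"href": "",
+"name": "",
+"templated": false
+},
+"cancel": {
+"href": "",
+"name": "",
+"templated": false
 }
 },
-"scan_id": "931578cc-b3cd-44f0-95af-40acb61b0475",
+"scan_id": "4c11321d-b017-4179-bf84-f39b5034260b",
 "scan_status": "SUCCESS",
-"message": "Scan successful. Results size: 42 bytes",
+"message": "Scan successful. Results size: 4331 bytes",
 "modules": [
-"veracode.zip_htmlgocode.veracodegen.htmla.goa"
+"veracode-auto-pack-scan_health-go.zip_htmlgocode.veracodegen.htmla.goa",
+"JS files within veracode-auto-pack-scan_health-go.zip"
+],
+"modules_count": 2,
+"findings": [
+{
+"title": "hash",
+"issue_id": 1000,
+"gob": "B",
+"severity": 3,
+"issue_type_id": "taint",
+"issue_type": "URL Redirection to Untrusted Site ('Open Redirect')",
+"cwe_id": "601",
+"display_text": "\u003cspan\u003eThis call to hash() contains a URL redirection to untrusted site flaw. Writing untrusted input into a URL value could cause the web application to redirect the request to the specified URL, leading to phishing attempts to steal user credentials.\u003c/span\u003e \u003cspan\u003eAlways validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. \u003c/span\u003e \u003cspan\u003eReferences: \u003ca href=\"https://cwe.mitre.org/data/definitions/601.html\"\u003eCWE\u003c/a\u003e \u003ca href=\"https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e",
+"files": {
+"source_file": {
+"file": "scan_health/dist/coverage.html",
+"line": 5754,
+"function_name": "select",
+"qualified_function_name": "select",
+"function_prototype": "select(: any, : any, ...) : any",
+"scope": "UNKNOWN"
+}
+},
+"flaw_match": {
+"procedure_hash": "4107151812",
+"prototype_hash": "2184253894",
+"flaw_hash": "3734439054",
+"flaw_hash_count": 1,
+"flaw_hash_ordinal": 1,
+"cause_hash": "2866949028",
+"cause_hash_count": 1,
+"cause_hash_ordinal": 1,
+"cause_hash2": "1522093433",
+"cause_hash2_ordinal": "5"
+},
+"stack_dumps": {
+"stack_dump": [
+{
+"Frame": [
+{
+"FrameId": "0",
+"FunctionName": "select",
+"SourceFile": "scan_health/dist/coverage.html",
+"SourceLine": "5753",
+"SourceFileId": "2",
+"StatementText": {},
+"QualifiedFunctionName": "select",
+"FunctionPrototype": "select(: any, : any, ...) : any"
+},
+{
+"FrameId": "1",
+"FunctionName": "select",
+"SourceFile": "scan_health/dist/coverage.html",
+"SourceLine": "5753",
+"SourceFileId": "2",
+"StatementText": {},
+"VarNames": "/**X-VC scoperef targetid=\"28302\" */part/**X-VC /scoperef */",
+"QualifiedFunctionName": "select",
+"FunctionPrototype": "select(: any, : any, ...) : any"
+},
+{
+"FrameId": "2",
+"FunctionName": "select",
+"SourceFile": "scan_health/dist/coverage.html",
+"SourceLine": "5751",
+"SourceFileId": "2",
+"StatementText": {},
+"VarNames": "/**X-VC scoperef targetid=\"28302\" */part/**X-VC /scoperef */",
+"QualifiedFunctionName": "select",
+"FunctionPrototype": "select(: any, : any, ...) : any"
+},
+{
+"FrameId": "3",
+"FunctionName": "select",
+"SourceFile": "scan_health/dist/coverage.html",
+"SourceLine": "5745",
+"SourceFileId": "2",
+"StatementText": {},
+"VarNames": "/**X-VC defscope id=\"28302\" */var part : any/**X-VC /defscope */",
+"QualifiedFunctionName": "select",
+"FunctionPrototype": "select(: any, : any, ...) : any"
+},
+{
+"FrameId": "4",
+"FunctionName": "lambda_1",
+"SourceFile": "scan_health/dist/coverage.html",
+"SourceLine": "5760",
+"SourceFileId": "2",
+"StatementText": {},
+"VarNames": "/**X-VC scoperef targetid=\"28420\" */location/**X-VC /scoperef */",
+"QualifiedFunctionName": "lambda_1",
+"FunctionPrototype": "lambda_1(: any, ...) : any"
+},
+{
+"FrameId": "5",
+"FunctionName": "!main",
+"SourceFile": "UNKNOWN",
+"SourceLine": "-1",
+"SourceFileId": "-1",
+"StatementText": {},
+"VarNames": "/**X-VC scoperef targetid=\"28487\" */window/**X-VC /scoperef */",
+"QualifiedFunctionName": "!main",
+"FunctionPrototype": "!main() : void"
+},
+{
+"FrameId": "6",
+"FunctionName": "!main",
+"SourceFile": "UNKNOWN",
+"SourceLine": "-1",
+"SourceFileId": "-1",
+"StatementText": {},
+"VarNames": "/**X-VC scoperef targetid=\"26997\" */Window/**X-VC /scoperef */",
+"QualifiedFunctionName": "!main",
+"FunctionPrototype": "!main() : void"
+},
+{
+"FrameId": "7",
+"FunctionName": "!main",
+"SourceFile": "UNKNOWN",
+"SourceLine": "-1",
+"SourceFileId": "-1",
+"StatementText": {},
+"VarNames": "/**X-VC scoperef targetid=\"27073\" */t301/**X-VC /scoperef */",
+"QualifiedFunctionName": "!main",
+"FunctionPrototype": "!main() : void"
+},
+{
+"FrameId": "8",
+"FunctionName": "!main",
+"SourceFile": "UNKNOWN",
+"SourceLine": "-1",
+"SourceFileId": "-1",
+"StatementText": {},
+"VarNames": "/**X-VC scoperef targetid=\"27073\" */t301/**X-VC /scoperef */",
+"QualifiedFunctionName": "!main",
+"FunctionPrototype": "!main() : void"
+}
+]
+}
+]
+},
+"flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/601.html"
+}
 ],
-"modules_count": 1,
-"findings": [],
-"selected_modules": [],
-"pipeline_scan": "23.11.0-0",
-"dev_stage": "DEVELOPMENT"
+"selected_modules": []
 }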
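Review bot: The new baseline entry suppresses a CWE-601 open-redirect finding reported in `scan_health/dist/coverage.html`, a generated coverage report that the new auto-packager appears to have swept into the archive (the `modules` list now includes "JS files within veracode-auto-pack-scan_health-go.zip"). Baselining a finding in build output hides it rather than removing its cause; keeping `dist/` out of what gets packaged would keep the scan on the Go sources the previous zip covered and make this entry unnecessary. If the entry is kept, it is presumably matched on the `flaw_hash`/`cause_hash` values tied to this particular coverage.html, so a regenerated report will likely carry different hashes and the finding will resurface as new. JSON allows no comments, so the reason for accepting this finding should be recorded where it can be found, e.g. as a comment next to the `--baseline-file` invocation in `scripts/scan.sh`.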
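--- a/scripts/scan.sh
+++ b/scripts/scan.sh
@@ -12,13 +12,6 @@ mkdir -p scan
 rm -f -- scan/veracode.zip
 
 
-echo -e "${CYAN}Packaging for SAST scanning...${NC}"
-go mod vendor
-cd ..
-zip -r scan_health/scan/veracode.zip scan_health -i "*.go" -i "**go.mod" -i "**go.sum"
-cd scan_health
-
-
 echo -e "\n${CYAN}Downloading the Veracode CLI...${NC}"
 cd scan
 set +e # Ignore failure which happens if the CLI is the current latest version
@@ -27,8 +20,12 @@ set -e
 cd ..
 
 
+echo -e "\n${CYAN}Packaging for SAST scanning...${NC}"
+./scan/veracode package --trust --source . --output scan/
+
+
 echo -e "\n${CYAN}SAST Scanning with Veracode...${NC}"
-./scan/veracode static scan --baseline-file sast_baseline.json --results-file dist/sast_results.json scan/veracode.zip
+./scan/veracode static scan --baseline-file sast_baseline.json --results-file dist/sast_results.json scan/veracode-auto-pack-scan_health-go.zip
 
 
 echo -e "\n${CYAN}Container scanning with Veracode...${NC}"
@@ -40,5 +37,5 @@ docker scout cves antfie/scan_health
 
 
 echo -e "\n${CYAN}Generating SBOMs...${NC}"
-./scan/veracode sbom --type archive --source scan/veracode.zip --output dist/src.sbom.json
+./scan/veracode sbom --type archive --source scan/veracode-auto-pack-scan_health-go.zip --output dist/src.sbom.json
 ./scan/veracode sbom --type image --source antfie/scan_health:latest --output dist/container.sbom.json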
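Review bot: `rm -f -- scan/veracode.zip` at the top of the first hunk still cleans up the old archive name, while the artifact the script now scans and SBOMs is `scan/veracode-auto-pack-scan_health-go.zip`; unless `veracode package` is known to overwrite its output, a stale archive from an earlier run could be the one scanned. Update the cleanup to the new name, `rm -f -- scan/veracode-auto-pack-*.zip`. Separately, `--source .` in the second hunk hands the whole working tree to the packager where the old `zip` call took only `*.go`, `go.mod` and `go.sum`; the baseline change in this same commit shows `dist/coverage.html` now reaches the scanner, so narrowing the packaged source or clearing `dist/` before packaging would keep results on the code that ships. The archive name is also an assumption about the packager's naming convention; a `test -f` on it before the `static scan` line would fail with a clearer message than the scanner's.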
