diff --git a/sast_baseline.json b/sast_baseline.json index 0c14ed6..e48affe 100644 --- a/sast_baseline.json +++ b/sast_baseline.json @@ -1,24 +1,194 @@ { "_links": { "root": { - "href": "/" + "href": "/", + "name": "", + "templated": false }, "self": { - "href": "/scans/931578cc-b3cd-44f0-95af-40acb61b0475/findings" + "href": "/scans/4c11321d-b017-4179-bf84-f39b5034260b/findings", + "name": "", + "templated": false }, "help": { - "href": "https://help.veracode.com/reader/tS9CaFwL4_lbIEWWomsJoA/ovfZGgu96UINQxIuTqRDwg" + "href": "https://help.veracode.com/reader/tS9CaFwL4_lbIEWWomsJoA/ovfZGgu96UINQxIuTqRDwg", + "name": "", + "templated": false + }, + "create": { + "href": "", + "name": "", + "templated": false + }, + "start": { + "href": "", + "name": "", + "templated": false + }, + "details": { + "href": "", + "name": "", + "templated": false + }, + "upload": { + "href": "", + "name": "", + "templated": false + }, + "cancel": { + "href": "", + "name": "", + "templated": false } }, - "scan_id": "931578cc-b3cd-44f0-95af-40acb61b0475", + "scan_id": "4c11321d-b017-4179-bf84-f39b5034260b", "scan_status": "SUCCESS", - "message": "Scan successful. Results size: 42 bytes", + "message": "Scan successful. Results size: 4331 bytes", "modules": [ - "veracode.zip_htmlgocode.veracodegen.htmla.goa" + "veracode-auto-pack-scan_health-go.zip_htmlgocode.veracodegen.htmla.goa", + "JS files within veracode-auto-pack-scan_health-go.zip" + ], + "modules_count": 2, + "findings": [ + { + "title": "hash", + "issue_id": 1000, + "gob": "B", + "severity": 3, + "issue_type_id": "taint", + "issue_type": "URL Redirection to Untrusted Site ('Open Redirect')", + "cwe_id": "601", + "display_text": "\u003cspan\u003eThis call to hash() contains a URL redirection to untrusted site flaw. Writing untrusted input into a URL value could cause the web application to redirect the request to the specified URL, leading to phishing attempts to steal user credentials.\u003c/span\u003e \u003cspan\u003eAlways validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. \u003c/span\u003e \u003cspan\u003eReferences: \u003ca href=\"https://cwe.mitre.org/data/definitions/601.html\"\u003eCWE\u003c/a\u003e \u003ca href=\"https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e", + "files": { + "source_file": { + "file": "scan_health/dist/coverage.html", + "line": 5754, + "function_name": "select", + "qualified_function_name": "select", + "function_prototype": "select(: any, : any, ...) : any", + "scope": "UNKNOWN" + } + }, + "flaw_match": { + "procedure_hash": "4107151812", + "prototype_hash": "2184253894", + "flaw_hash": "3734439054", + "flaw_hash_count": 1, + "flaw_hash_ordinal": 1, + "cause_hash": "2866949028", + "cause_hash_count": 1, + "cause_hash_ordinal": 1, + "cause_hash2": "1522093433", + "cause_hash2_ordinal": "5" + }, + "stack_dumps": { + "stack_dump": [ + { + "Frame": [ + { + "FrameId": "0", + "FunctionName": "select", + "SourceFile": "scan_health/dist/coverage.html", + "SourceLine": "5753", + "SourceFileId": "2", + "StatementText": {}, + "QualifiedFunctionName": "select", + "FunctionPrototype": "select(: any, : any, ...) : any" + }, + { + "FrameId": "1", + "FunctionName": "select", + "SourceFile": "scan_health/dist/coverage.html", + "SourceLine": "5753", + "SourceFileId": "2", + "StatementText": {}, + "VarNames": "/**X-VC scoperef targetid=\"28302\" */part/**X-VC /scoperef */", + "QualifiedFunctionName": "select", + "FunctionPrototype": "select(: any, : any, ...) : any" + }, + { + "FrameId": "2", + "FunctionName": "select", + "SourceFile": "scan_health/dist/coverage.html", + "SourceLine": "5751", + "SourceFileId": "2", + "StatementText": {}, + "VarNames": "/**X-VC scoperef targetid=\"28302\" */part/**X-VC /scoperef */", + "QualifiedFunctionName": "select", + "FunctionPrototype": "select(: any, : any, ...) : any" + }, + { + "FrameId": "3", + "FunctionName": "select", + "SourceFile": "scan_health/dist/coverage.html", + "SourceLine": "5745", + "SourceFileId": "2", + "StatementText": {}, + "VarNames": "/**X-VC defscope id=\"28302\" */var part : any/**X-VC /defscope */", + "QualifiedFunctionName": "select", + "FunctionPrototype": "select(: any, : any, ...) : any" + }, + { + "FrameId": "4", + "FunctionName": "lambda_1", + "SourceFile": "scan_health/dist/coverage.html", + "SourceLine": "5760", + "SourceFileId": "2", + "StatementText": {}, + "VarNames": "/**X-VC scoperef targetid=\"28420\" */location/**X-VC /scoperef */", + "QualifiedFunctionName": "lambda_1", + "FunctionPrototype": "lambda_1(: any, ...) : any" + }, + { + "FrameId": "5", + "FunctionName": "!main", + "SourceFile": "UNKNOWN", + "SourceLine": "-1", + "SourceFileId": "-1", + "StatementText": {}, + "VarNames": "/**X-VC scoperef targetid=\"28487\" */window/**X-VC /scoperef */", + "QualifiedFunctionName": "!main", + "FunctionPrototype": "!main() : void" + }, + { + "FrameId": "6", + "FunctionName": "!main", + "SourceFile": "UNKNOWN", + "SourceLine": "-1", + "SourceFileId": "-1", + "StatementText": {}, + "VarNames": "/**X-VC scoperef targetid=\"26997\" */Window/**X-VC /scoperef */", + "QualifiedFunctionName": "!main", + "FunctionPrototype": "!main() : void" + }, + { + "FrameId": "7", + "FunctionName": "!main", + "SourceFile": "UNKNOWN", + "SourceLine": "-1", + "SourceFileId": "-1", + "StatementText": {}, + "VarNames": "/**X-VC scoperef targetid=\"27073\" */t301/**X-VC /scoperef */", + "QualifiedFunctionName": "!main", + "FunctionPrototype": "!main() : void" + }, + { + "FrameId": "8", + "FunctionName": "!main", + "SourceFile": "UNKNOWN", + "SourceLine": "-1", + "SourceFileId": "-1", + "StatementText": {}, + "VarNames": "/**X-VC scoperef targetid=\"27073\" */t301/**X-VC /scoperef */", + "QualifiedFunctionName": "!main", + "FunctionPrototype": "!main() : void" + } + ] + } + ] + }, + "flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/601.html" + } ], - "modules_count": 1, - "findings": [], - "selected_modules": [], - "pipeline_scan": "23.11.0-0", - "dev_stage": "DEVELOPMENT" + "selected_modules": [] } \ No newline at end of file diff --git a/scripts/scan.sh b/scripts/scan.sh index e1ad7c5..6e5df92 100755 --- a/scripts/scan.sh +++ b/scripts/scan.sh @@ -12,13 +12,6 @@ mkdir -p scan rm -f -- scan/veracode.zip -echo -e "${CYAN}Packaging for SAST scanning...${NC}" -go mod vendor -cd .. -zip -r scan_health/scan/veracode.zip scan_health -i "*.go" -i "**go.mod" -i "**go.sum" -cd scan_health - - echo -e "\n${CYAN}Downloading the Veracode CLI...${NC}" cd scan set +e # Ignore failure which happens if the CLI is the current latest version @@ -27,8 +20,12 @@ set -e cd .. +echo -e "\n${CYAN}Packaging for SAST scanning...${NC}" +./scan/veracode package --trust --source . --output scan/ + + echo -e "\n${CYAN}SAST Scanning with Veracode...${NC}" -./scan/veracode static scan --baseline-file sast_baseline.json --results-file dist/sast_results.json scan/veracode.zip +./scan/veracode static scan --baseline-file sast_baseline.json --results-file dist/sast_results.json scan/veracode-auto-pack-scan_health-go.zip echo -e "\n${CYAN}Container scanning with Veracode...${NC}" @@ -40,5 +37,5 @@ docker scout cves antfie/scan_health echo -e "\n${CYAN}Generating SBOMs...${NC}" -./scan/veracode sbom --type archive --source scan/veracode.zip --output dist/src.sbom.json +./scan/veracode sbom --type archive --source scan/veracode-auto-pack-scan_health-go.zip --output dist/src.sbom.json ./scan/veracode sbom --type image --source antfie/scan_health:latest --output dist/container.sbom.json \ No newline at end of file