diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml new file mode 100644 index 000000000..1f896d944 --- /dev/null +++ b/.github/workflows/codacy.yml @@ -0,0 +1,39 @@ +name: Codacy Security Scan + +on: + push: + branches: [ "master", "main" ] + pull_request: + branches: [ "master", "main" ] + +jobs: + codacy-security-scan: + name: Codacy Security Scan + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@main + + - name: Run Codacy Analysis CLI + uses: codacy/codacy-analysis-cli-action@master + with: + output: results.sarif + format: sarif + # Adjust severity of non-security issues + gh-code-scanning-compat: true + # Force 0 exit code to allow SARIF file generation + # This will hand over control about PR rejection to the GitHub side + max-allowed-issues: 2147483647 + tool: issues + + # archive the SARIF file generated in the previous step + - name: Archive SARIF results file + uses: actions/upload-artifact@v4 + with: + path: results.sarif + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF results file + uses: github/codeql-action/upload-sarif@main + with: + sarif_file: results.sarif diff --git a/.github/workflows/lscpu.yml b/.github/workflows/lscpu.yml new file mode 100644 index 000000000..d9c509e23 --- /dev/null +++ b/.github/workflows/lscpu.yml @@ -0,0 +1,9 @@ +name: Get CPU Info + +on: workflow_dispatch + +jobs: + lscpu: + runs-on: ubuntu-latest + steps: + - run: lscpu diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml new file mode 100644 index 000000000..78f1ee359 --- /dev/null +++ b/.github/workflows/trivy.yml @@ -0,0 +1,69 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: trivy + +on: + push: + branches: [ "master" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "master" ] + schedule: + - cron: '24 17 * * 1' + +permissions: + contents: read + +jobs: + build: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: Build + runs-on: "ubuntu-20.04" + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build an image from Dockerfile + run: | + docker build -t docker.io/my-organization/my-app:${{ github.sha }} . + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.24.0 + with: + image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + + - run: sudo chmod 666 trivy-results.sarif + + - uses: actions/github-script@v7 + with: + script: | + const fs = require('fs'); + const sarif = fs.readFileSync('trivy-results.sarif', 'utf8'); + const results = JSON.parse(sarif); + results.runs.forEach(run => { + run.results.forEach(result => { + result.locations.forEach(location => { + location.physicalLocation.artifactLocation.uri = 'Dockerfile'; + }); + }); + }); + fs.writeFileSync('trivy-results.sarif', JSON.stringify(results, null, 2)); + + - uses: actions/upload-artifact@v4 + with: + name: 'results.sarif' + path: 'trivy-results.sarif' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results.sarif' diff --git a/.vscode/tasks.json b/.vscode/tasks.json new file mode 100644 index 000000000..d459ec5a4 --- /dev/null +++ b/.vscode/tasks.json @@ -0,0 +1,11 @@ +{ + "version": "2.0.0", + "tasks": [ + { + "label": "Apply products_patch.diff", + "type": "shell", + "command": "git apply products_patch.diff", + "problemMatcher": [] + } + ] +} \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index 42f524102..55c35ac85 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM node:19.4.0-bullseye-slim +FROM node:19.3.0-bullseye-slim LABEL maintainer="Daniel GarcĂ­a (cr0hn) cr0hn@cr0hn.com" diff --git a/products_patch.diff b/products_patch.diff new file mode 100644 index 000000000..a726ab8ed --- /dev/null +++ b/products_patch.diff @@ -0,0 +1,58 @@ +diff --git a/model/products.js b/model/products.js +index 6df3f92..9366003 100644 +--- a/model/products.js ++++ b/model/products.js +@@ -49,12 +49,23 @@ function get_purcharsed(username) { + + } + ++function create(product) { ++ var q = "INSERT INTO products(name, description, price) VALUES('" + ++ product.name + "', '" + ++ product.description + "', '" + ++ product.price + ++ "');"; ++ ++ return db.one(q); ++} ++ + var actions = { + "list": list_products, + "getProduct": getProduct, + "search": search, + "purchase": purchase, +- "getPurchased": get_purcharsed ++ "getPurchased": get_purcharsed, ++ "create": create + } + + module.exports = actions; +diff --git a/routes/products.js b/routes/products.js +index 814f834..4d5d1fb 100644 +--- a/routes/products.js ++++ b/routes/products.js +@@ -144,6 +144,24 @@ router.all('/products/buy', function(req, res, next) { + + }); + ++router.all('/products/create', function(req, res, next) { ++ let params = null; ++ if (req.method == "GET"){ ++ params = url.parse(req.url, true).query; ++ } else { ++ params = req.body; ++ } ++ ++ let product = null; ++ product = { ++ name: params.name, ++ description: params.description, ++ price: params.price, ++ image: params.image, ++ username: req.session.user_name ++ } + ++ db_products.create(product) ++}); + + module.exports = router;