diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
index 6f1b2757..3906b5eb 100644
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -1,7 +1,7 @@
# These are supported funding model platforms
github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
-patreon: # Replace with a single Patreon username
+patreon: thomaswoehlke
open_collective: # Replace with a single Open Collective username
ko_fi: # Replace with a single Ko-fi username
tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
diff --git a/.github/workflows/codacy-analysis.yml b/.github/workflows/codacy-analysis.yml
index c9e3e9c8..145992ac 100644
--- a/.github/workflows/codacy-analysis.yml
+++ b/.github/workflows/codacy-analysis.yml
@@ -8,11 +8,11 @@
name: Codacy Security Scan
-on:
+on:
push:
- branches: [ "master", "main" ]
+ branches: [ 'master', 'heroku-deployment', 'branch-2.3-MVC' ]
pull_request:
- branches: [ "master", "main" ]
+ branches: [ 'master', 'heroku-deployment', 'branch-2.3-MVC' ]
jobs:
codacy-security-scan:
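Review bot: The branch list introduced on the two `branches:` lines of this hunk is hand-duplicated, with identical content, in codeql-analysis.yml, fortify-analysis.yml, maven.yml, ossar-analysis.yml and veracode-analysis.yml, so the next branch rename must be applied in six files and a missed one silently stops scanning that branch. GitHub Actions has no cross-workflow variable for trigger filters, so at minimum put a comment above each list naming the siblings, e.g. `# Keep in sync with the branch filters in maven.yml and the other *-analysis.yml workflows`. The `jobs:` block continues beyond the hunk.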
@@ -22,7 +22,7 @@ jobs:
# Checkout the repository to the GitHub Actions runner
- name: Checkout code
uses: actions/checkout@v2
-
+
# Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
- name: Run Codacy Analysis CLI
uses: codacy/codacy-analysis-cli-action@1.0.0
@@ -36,7 +36,7 @@ jobs:
# Force 0 exit code to allow SARIF file generation
# This will handover control about PR rejection to the GitHub side
max-allowed-issues: 2147483647
-
+
# Upload the SARIF file generated in the previous step
- name: Upload SARIF results file
uses: github/codeql-action/upload-sarif@v1
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 4f01cf2b..d5c52c5c 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -7,10 +7,10 @@ name: "CodeQL"
on:
push:
- branches: [master]
+ branches: [ 'master', 'heroku-deployment', 'branch-2.3-MVC' ]
pull_request:
# The branches below must be a subset of the branches above
- branches: [master]
+ branches: [ 'master', 'heroku-deployment', 'branch-2.3-MVC' ]
schedule:
- cron: '0 19 * * 2'
@@ -47,7 +47,7 @@ jobs:
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
- # By default, queries listed here will override any specified in a config file.
+ # By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main
diff --git a/.github/workflows/fortify-analysis.yml b/.github/workflows/fortify-analysis.yml
index 41738e05..323d0bd0 100644
--- a/.github/workflows/fortify-analysis.yml
+++ b/.github/workflows/fortify-analysis.yml
@@ -1,4 +1,4 @@
-################################################################################################################################################
+################################################################################################################################################
# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,#
# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial #
# or contact our sales team, visit microfocus.com/appsecurity. #
@@ -14,17 +14,17 @@
name: Fortify on Demand Scan
# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time
-on:
+on:
workflow_dispatch:
push:
- branches: [master]
+ branches: [ 'master', 'heroku-deployment', 'branch-2.3-MVC' ]
pull_request:
# The branches below must be a subset of the branches above
- branches: [master]
-
+ branches: [ 'master', 'heroku-deployment', 'branch-2.3-MVC' ]
+
jobs:
FoD-SAST-Scan:
- # Use the appropriate runner for building your source code.
+ # Use the appropriate runner for building your source code.
# TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax.
runs-on: ubuntu-latest
@@ -37,27 +37,27 @@ jobs:
fetch-depth: 2
# If this run was triggered by a pull request event, then checkout the head of the pull request instead of the merge commit.
- run: git checkout HEAD^2
- if: ${{ github.event_name == 'pull_request' }}
+ if: ${{ github.event_name == 'pull_request' }}
# Java 8 required by ScanCentral Client and FoD Uploader(Univeral CI Tool)
- name: Setup Java
uses: actions/setup-java@v1
with:
- java-version: 13
-
+ java-version: 15
+
# Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml.
# TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints:
# ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle).
# ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner.
# ScanCentral has additional options that should be set for PHP and Python projects
# For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation.
- # ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/
+ # ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/
- name: Download Fortify ScanCentral Client
uses: fortify/gha-setup-scancentral-client@v1
- name: Package Code + Dependencies
run: scancentral package $PACKAGE_OPTS -o package.zip
env:
PACKAGE_OPTS: "-bt mvn"
-
+
# Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java
# TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints:
# Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used).
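Review bot: The context comment `# Java 8 required by ScanCentral Client and FoD Uploader(Univeral CI Tool)` now sits directly above the `java-version: 15` bump and contradicts it; either the tools accept newer JDKs, in which case the comment should say so, or the scan breaks at runtime. Confirm against the ScanCentral/FoD Uploader documentation and rewrite the comment, e.g. `# ScanCentral Client and FoD Uploader need Java 8 or newer; 15 chosen to match maven.yml — TODO confirm supported`. The same 13→15 bump is made in maven.yml, veracode-analysis.yml and the new xanitizer-analysis.yml, all via `actions/setup-java@v1`, so also confirm that v1 offers a 15 build before merging. The `steps:` list continues outside this hunk.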
@@ -66,8 +66,8 @@ jobs:
uses: fortify/gha-setup-fod-uploader@v1
- name: Perform SAST Scan
run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES"
- env:
- FOD_TENANT: ${{ secrets.FOD_TENANT }}
+ env:
+ FOD_TENANT: ${{ secrets.FOD_TENANT }}
FOD_USER: ${{ secrets.FOD_USER }}
FOD_PAT: ${{ secrets.FOD_PAT }}
FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }}
@@ -75,7 +75,7 @@ jobs:
FOD_API_URL: "https://api.ams.fortify.com/"
FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf"
FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})'
-
+
# Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output.
# TODO: Review Action inputs. For most users, these will be the same as used in the Perform SAST Scan step.
- name: Download Results
@@ -87,7 +87,7 @@ jobs:
password: ${{ secrets.FOD_PAT }}
release-id: ${{ secrets.FOD_RELEASE_ID }}
output: ./sarif/output.sarif
-
+
# Import Fortify on Demand results to GitHub Security Code Scanning
- name: Import Results
uses: github/codeql-action/upload-sarif@v1
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 9e7d0305..55a97902 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -5,9 +5,9 @@ name: Java CI with Maven
on:
push:
- branches: [ master ]
+ branches: [ 'master', 'heroku-deployment', 'branch-2.3-MVC' ]
pull_request:
- branches: [ master ]
+ branches: [ 'master', 'heroku-deployment', 'branch-2.3-MVC' ]
jobs:
build:
@@ -16,9 +16,9 @@ jobs:
steps:
- uses: actions/checkout@v2
- - name: Set up JDK 13
+ - name: Set up JDK 15
uses: actions/setup-java@v1
with:
- java-version: 13
+ java-version: 15
- name: Build with Maven
run: ./mvnw -B -DskipTests clean dependency:purge-local-repository dependency:resolve dependency:resolve-plugins dependency:sources dependency:tree package spring-boot:repackage site --file pom.xml
diff --git a/.github/workflows/ossar-analysis.yml b/.github/workflows/ossar-analysis.yml
index 84e84392..dc0408ad 100644
--- a/.github/workflows/ossar-analysis.yml
+++ b/.github/workflows/ossar-analysis.yml
@@ -5,9 +5,9 @@ name: OSSAR
on:
push:
- branches: [ master ]
+ branches: [ 'master', 'heroku-deployment', 'branch-2.3-MVC' ]
pull_request:
- branches: [ master ]
+ branches: [ 'master', 'heroku-deployment', 'branch-2.3-MVC' ]
jobs:
OSSAR-Scan:
diff --git a/.github/workflows/veracode-analysis.yml b/.github/workflows/veracode-analysis.yml
index a270e0e1..f3f9f12e 100644
--- a/.github/workflows/veracode-analysis.yml
+++ b/.github/workflows/veracode-analysis.yml
@@ -6,9 +6,9 @@ name: Veracode Static Analysis Pipeline Scan
# events but only for the master branch
on:
push:
- branches: [ master ]
+ branches: [ 'master', 'heroku-deployment', 'branch-2.3-MVC' ]
pull_request:
- branches: [ master ]
+ branches: [ 'master', 'heroku-deployment', 'branch-2.3-MVC' ]
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
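Review bot: The context comment `# events but only for the master branch` just above `on:` is stale after this hunk, since the new `branches:` lists add heroku-deployment and branch-2.3-MVC for both push and pull_request; that comment sentence starts on the line before the hunk, so edit it there to read `# events for the master, heroku-deployment and branch-2.3-MVC branches`. The `jobs:` block continues beyond the hunk.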
@@ -17,7 +17,7 @@ jobs:
# The type of runner that the job will run on
runs-on: ubuntu-latest
steps:
-
+
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps
- uses: actions/checkout@v2
with:
@@ -28,28 +28,28 @@ jobs:
files: /
recursive: true
dest: veracode-pipeline-scan-results-to-sarif.zip
-
+
- uses: actions/upload-artifact@v1
with:
name: my-artifact
path: veracode-pipeline-scan-results-to-sarif.zip
-
+
# download the Veracode Static Analysis Pipeline scan jar
- uses: wei/curl@master
with:
args: -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
- run: unzip -o pipeline-scan-LATEST.zip
-
+
- uses: actions/setup-java@v1
with:
- java-version: 13
+ java-version: 15
- run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-pipeline-scan-results-to-sarif.zip
continue-on-error: true
- uses: actions/upload-artifact@v1
with:
name: ScanResults
path: results.json
- - name: Convert pipeline scan output to SARIF format
+ - name: Convert pipeline scan output to SARIF format
id: convert
uses: veracode/veracode-pipeline-scan-results-to-sarif@master
with:
diff --git a/.github/workflows/xanitizer-analysis.yml b/.github/workflows/xanitizer-analysis.yml
new file mode 100644
index 00000000..a6d0d53a
--- /dev/null
+++ b/.github/workflows/xanitizer-analysis.yml
@@ -0,0 +1,86 @@
+# This workflow downloads and installs the latest version of Xanitizer, builds your project, runs a Xanitizer security analysis on it,
+# and then archives the findings list reports and uploads the findings into the GitHub code scanning alert section of your repository.
+#
+# Documentation for the `RIGS-IT/xanitizer-action` is located here: https://github.com/RIGS-IT/xanitizer-action
+#
+# To use this basic workflow, you will need to complete the following setup steps:
+#
+# 1. The underlying Xanitizer, used in this workflow, needs a separate license file.
+# Licenses are free of charge for open source projects and for educational usage.
+# To get more information about the Xanitizer licenses and how to obtain a license file,
+# please consult https://www.xanitizer.com/xanitizer-pricing/.
+#
+# 2. The content of the license file has to be stored as a GitHub secret (e.g. XANITIZER_LICENSE) on this repository.
+# Please consult https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details.
+#
+# 3. Reference the GitHub secret in the step using the `RIGS-IT/xanitizer-action` GitHub action.
+# Example:
+# - name: Xanitizer Security Analysis
+# uses: RIGS-IT/xanitizer-action@v1
+# with:
+# license: ${{ secrets.XANITIZER_LICENSE }}
+#
+# 4. As a static application security testing (SAST) tool,
+# Xanitizer requires that all dependencies of the artifacts being analyzed can be resolved successfully.
+# So you have to install all used libraries and build your project before running the security analysis,
+# e.g. via `mvn compile` for Java or `npm install` for JavaScript
+
+name: "Xanitizer Security Analysis"
+
+on:
+ # Run the workflow on each push
+ push:
+ # Run the workflow each day at 5 am
+ # schedule:
+ # - cron: '0 5 * * *'
+ # Run the workflow manually
+ workflow_dispatch:
+
+jobs:
+ xanitizer-security-analysis:
+ # Xanitizer runs on ubuntu-latest and windows-latest.
+ runs-on: ubuntu-latest
+
+ steps:
+ # Check out the repository
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ # Set up the correct Java version for your project
+ # Please comment out, if your project does not contain Java source code.
+ - name: Set up JDK 15
+ uses: actions/setup-java@v1
+ with:
+ java-version: 15
+
+ # Compile the code for Java projects and get all libraries, e.g. via Maven
+ # Please adapt, if your project uses another build system to compile Java source code.
+ # Please comment out, if your project does not contain Java source code.
+ - name: Compile Java code
+ run: ./mvnw -B -DskipTests clean dependency:purge-local-repository dependency:resolve dependency:resolve-plugins dependency:sources dependency:tree package spring-boot:repackage site --file pom.xml
+
+ # Install all dependent libraries for JavaScript/TypeScript projects, e.g. via npm
+ # Please adapt to run `npm install` in the correct directories.
+ # Please adapt, if your project uses another package manager for getting JavaScript libraries.
+ # Please comment out, if your project does not use a package manager for getting JavaScript libraries.
+ #- name: Install JavaScript libraries
+ # run: npm install
+
+ # Run the security analysis with default settings
+ - name: Xanitizer Security Analysis
+ uses: RIGS-IT/xanitizer-action@v1
+ with:
+ license: ${{ secrets.XANITIZER_LICENSE }}
+
+ # Archiving the findings list reports
+ - uses: actions/upload-artifact@v2
+ with:
+ name: Xanitizer-Reports
+ path: |
+ *-Findings-List.pdf
+ *-Findings-List.sarif
+
+ # Uploads the findings into the GitHub code scanning alert section using the upload-sarif action
+ - uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: Xanitizer-Findings-List.sarif
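Review bot: The `push:` trigger at the top of this new workflow carries no `branches:` filter, so unlike every other workflow touched by this commit it runs a full Maven build plus a licensed SAST scan on every push to any branch, including short-lived ones; add the filter the sibling workflows use, `branches: [ 'master', 'heroku-deployment', 'branch-2.3-MVC' ]`, under `push:`. The artifact step collects `*-Findings-List.sarif` by glob while the upload-sarif step hard-codes `sarif_file: Xanitizer-Findings-List.sarif`; if the action names the report after the project rather than literally "Xanitizer", the upload step fails, which is worth confirming against the RIGS-IT/xanitizer-action documentation linked in the header. The compile step also repeats maven.yml's full `package spring-boot:repackage site` invocation although the header comment says `mvn compile` is enough for dependency resolution, so a lighter goal would shorten the scan job.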
diff --git a/.idea/compiler.xml b/.idea/compiler.xml
index 3ba69115..88d5208f 100644
--- a/.idea/compiler.xml
+++ b/.idea/compiler.xml
@@ -3,13 +3,19 @@
-
+
+
+
+
+
+
+