From 931fe0f676c6af68628e2ece96f68ea0c80df848 Mon Sep 17 00:00:00 2001
From: Seth Tisue
Date: Fri, 31 May 2024 09:44:57 -0500
Subject: [PATCH 1/3] SCA 24.2.0 (was 23.1.1)
---
 .github/workflows/fortify.yml | 16 ++++++++--------
 fortify.sbt | 4 ++--
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/fortify.yml b/.github/workflows/fortify.yml
index 057e2d8..03e9dd6 100644
--- a/.github/workflows/fortify.yml
+++ b/.github/workflows/fortify.yml
@@ -29,7 +29,7 @@ jobs:
 cache-name: fortify
 with:
 path: ./Fortify
- key: fortify-23.1.1
+ key: fortify-24.2.0
 # https://github.com/gruntwork-io/fetch
 - uses: Homebrew/actions/setup-homebrew@master
@@ -50,21 +50,21 @@ jobs:
 - name: Install Fortify
 run: |
 if [[ ! -d Fortify ]] ; then
- GITHUB_OAUTH_TOKEN=${{secrets.FORTIFY_INSTALLER_TOKEN}} fetch --repo="https://github.com/lightbend/scala-fortify" --tag="23.1.1_linux_x64" --release-asset="Fortify_SCA_23.1.1_linux_x64.run" .
- chmod +x Fortify_SCA_23.1.1_linux_x64.run
+ GITHUB_OAUTH_TOKEN=${{secrets.FORTIFY_INSTALLER_TOKEN}} fetch --repo="https://github.com/lightbend/scala-fortify" --tag="24.2.0_linux_x64" --release-asset="Fortify_SCA_24.2.0_linux_x64.run" .
+ chmod +x Fortify_SCA_24.2.0_linux_x64.run
 mkdir Fortify
- echo installdir=`pwd`/Fortify/Fortify_SCA_23.1.1 > Fortify_SCA_23.1.1_linux_x64.run.options
- echo fortify_license_path=`pwd`/fortify.license >> Fortify_SCA_23.1.1_linux_x64.run.options
- ./Fortify_SCA_23.1.1_linux_x64.run --mode unattended
+ echo installdir=`pwd`/Fortify/Fortify_SCA_24.2.0 > Fortify_SCA_24.2.0_linux_x64.run.options
+ echo fortify_license_path=`pwd`/fortify.license >> Fortify_SCA_24.2.0_linux_x64.run.options
+ ./Fortify_SCA_24.2.0_linux_x64.run --mode unattended
 # download the Scala security rules; VersionTests makes sure they're the ones we expect
- ./Fortify/Fortify_SCA_23.1.1/bin/fortifyupdate
+ ./Fortify/Fortify_SCA_24.2.0/bin/fortifyupdate
 fi
 - name: Test
 run: |
 sbt ++${{matrix.scala}} compile
 rm -f target/vulnerabilities-actual.txt
- ./Fortify/Fortify_SCA_23.1.1/bin/sourceanalyzer \
+ ./Fortify/Fortify_SCA_24.2.0/bin/sourceanalyzer \
 -b akka-http-webgoat \
 -logfile target/scan.log \
 -scan \
diff --git a/fortify.sbt b/fortify.sbt
index e491483..96bc37b 100644
--- a/fortify.sbt
+++ b/fortify.sbt
@@ -1,10 +1,10 @@
 // enable the plugin
 addCompilerPlugin(
- "com.lightbend" %% "scala-fortify" % "1.1.0"
+ "com.lightbend" %% "scala-fortify" % "1.1.1-RC1"
 cross CrossVersion.patch)
 // configure the plugin
 scalacOptions ++= Seq(
- "-P:fortify:scaversion=23.1",
+ "-P:fortify:scaversion=24.2",
 "-P:fortify:build=akka-http-webgoat"
 )
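Review bot: The new install lines still fetch `Fortify_SCA_24.2.0_linux_x64.run` by release tag and asset name and then `chmod +x` and execute it with `--mode unattended` without checking its contents, so whatever is served under that tag runs on the CI runner; bumping the asset is the natural moment to pin its digest. Add, before the `chmod +x` line, `echo "<sha256 of the 24.2.0 asset>  Fortify_SCA_24.2.0_linux_x64.run" | sha256sum -c -` — with the default bash shell for `run:` steps a mismatch aborts the step, but if this job selects another shell an explicit `|| exit 1` is needed. The rewritten fetch line also expands `${{secrets.FORTIFY_INSTALLER_TOKEN}}` straight into the script text; passing it through the step's `env:` block and reading `$GITHUB_OAUTH_TOKEN` keeps the secret out of the rendered script, though that pattern is carried over from the old line rather than introduced here. The `Test` step's `run:` script continues past the end of the hunk.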
From ac0d03cb7ffe57a9ab89207826d30e83f274822a Mon Sep 17 00:00:00 2001
From: Seth Tisue
Date: Fri, 31 May 2024 09:49:39 -0500
Subject: [PATCH 2/3] wip
---
 vulnerabilities-3.x.txt | 20 --------------------
 1 file changed, 20 deletions(-)
diff --git a/vulnerabilities-3.x.txt b/vulnerabilities-3.x.txt
index e456216..9951886 100644
--- a/vulnerabilities-3.x.txt
+++ b/vulnerabilities-3.x.txt
@@ -164,23 +164,3 @@ Routes.scala(51) : ->ProcessBuilder.!!(this)
 Routes.scala(139) : <=> (this)
 Routes.scala(139) : <->akka.http.webgoat.Routes$commandInjectionFromCookie$lzyINIT1$$anonfun$1$$anonfun$1.innerinit^(0->this)
 Routes.scala(138) : ->akka.http.webgoat.Routes$commandInjectionFromCookie$lzyINIT1$$anonfun$1.apply(0)
-
-[3C19C215BE7A8DF59CD47FC24DAF64B0 : low : Code Correctness : Constructor Invokes Overridable Function : structural ]
- BootWebGoat.scala(16)
- Function: akka.http.webgoat.BootWebGoat.BootWebGoat [BootWebGoat.scala(11)]
- Function: akka.http.webgoat.BootWebGoat.system [BootWebGoat.scala(12)]
-
-[3C19C215BE7A8DF59CD47FC24DAF64B1 : low : Code Correctness : Constructor Invokes Overridable Function : structural ]
- BootWebGoat.scala(16)
- Function: akka.http.webgoat.BootWebGoat.BootWebGoat [BootWebGoat.scala(11)]
- Function: akka.http.webgoat.BootWebGoat.system [BootWebGoat.scala(12)]
-
-[3C19C215BE7A8DF59CD47FC24DAF64B2 : low : Code Correctness : Constructor Invokes Overridable Function : structural ]
- BootWebGoat.scala(21)
- Function: akka.http.webgoat.BootWebGoat.BootWebGoat [BootWebGoat.scala(11)]
- Function: akka.http.webgoat.BootWebGoat.system [BootWebGoat.scala(12)]
-
-[3C19C215BE7A8DF59CD47FC24DAF64B3 : low : Code Correctness : Constructor Invokes Overridable Function : structural ]
- BootWebGoat.scala(33)
- Function: akka.http.webgoat.BootWebGoat.BootWebGoat [BootWebGoat.scala(11)]
- Function: akka.http.webgoat.BootWebGoat.system [BootWebGoat.scala(12)]
From 2f59e6a661581d8fe163b097e2d51356a52034c1 Mon Sep 17 00:00:00 2001
From: Seth Tisue
Date: Fri, 31 May 2024 09:54:10 -0500
Subject: [PATCH 3/3] wip
---
 vulnerabilities-2.13.x.txt | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/vulnerabilities-2.13.x.txt b/vulnerabilities-2.13.x.txt
index e6975d2..2ca6224 100644
--- a/vulnerabilities-2.13.x.txt
+++ b/vulnerabilities-2.13.x.txt
@@ -189,6 +189,3 @@ Routes.scala(51) : ->ProcessBuilder.!!(this)
 Routes.scala(139) : <=> (this)
 Routes.scala(139) : <->akka.http.webgoat.Routes$$anonfun$commandInjectionFromCookie$2.innerinit^(0->this)
 Routes.scala(138) : ->akka.http.webgoat.Routes$$anonfun$commandInjectionFromCookie$1.apply(0)
-
-[C28720E53777D9E9CB1598CACD02F9E7 : low : J2EE Bad Practices : Leftover Debug Code : structural ]
- BootWebGoat.scala(11)