ShiftLeftSecurity · bbrucesnell · Jan 11, 2022 · Jan 11, 2022 · Jan 10, 2023 · Jan 10, 2023
diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml
@@ -0,0 +1,66 @@
+---
+# This workflow integrates qwiet.ai preZero with GitHub
+# Visit https://docs.shiftleft.io for help
+name: qwiet.ai
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  NextGen-Static-Analysis:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Setup Java JDK v11.0.x
+      uses: actions/setup-java@v3
+      with:
+        distribution: zulu
+        java-version: 11.0.x
+
+    - name: Setup Java JDK v8
+      uses: actions/setup-java@v3
+      with:
+        distribution: zulu
+        java-version: 8
+
+    - name: Download ShiftLeft CLI
+      run: |
+        curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+
+    - name: preZero Static Analysis
+      run: |
+        ${GITHUB_WORKSPACE}/sl --version
+        ${GITHUB_WORKSPACE}/sl analyze --strict --wait \
+          --app qwietAI-java-demo \
+          --tag branch=${{ github.head_ref }} \
+          --javasrc --container 18fgsa/s3-resource .
+      env:
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+        SHIFTLEFT_API_HOST: www.shiftleft.io
+        SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
+        SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443
+
+  Build-Rules:
+    runs-on: ubuntu-latest
+    permissions: write-all
+    needs: NextGen-Static-Analysis
+    steps:
+    - uses: actions/checkout@v3
+    - name: Download ShiftLeft CLI
+      run: |
+        curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+    - name: Validate Build Rules
+      run: |
+        ${GITHUB_WORKSPACE}/sl check-analysis --app shiftleft-java-demo \
+            --github-pr-number=${{github.event.number}} \
+            --github-pr-user=${{ github.repository_owner }} \
+            --github-pr-repo=${{ github.event.repository.name }} \
+            --github-token=${{ secrets.GITHUB_TOKEN }}
+      env:
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+        SHIFTLEFT_API_HOST: www.shiftleft.io
+        SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
+        SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443
+
+
diff --git a/shiftleft.yml b/shiftleft.yml
@@ -0,0 +1,15 @@
+version: 2
+build_rules:
+  - id: Allow no critical findings
+    severities:
+      - critical
+  - id: Allow one OSS or container finding
+    finding_types:
+      - oss_vuln
+      - container
+    threshold: 1
+  - id: Allow no reachable OSS vulnerability
+    finding_types:
+      - oss_vuln
+    options:
+      reachable: true
diff --git a/src/main/java/io/shiftleft/controller/CustomerController.java b/src/main/java/io/shiftleft/controller/CustomerController.java
@@ -161,62 +161,18 @@ public String index(HttpServletResponse httpResponse, WebRequest request) throws
        * @param request
        * @return
        */
-      private boolean checkCookie(WebRequest request) throws Exception {
+private boolean checkCookie(WebRequest request) throws Exception {
       	try {
-			return request.getHeader("Cookie").startsWith("settings=");
-		}
-		catch (Exception ex)
-		{
-			System.out.println(ex.getMessage());
-		}
-		return false;
-      }
-
-      /**
-       * restores the preferences on the filesystem
-       *
-       * @param httpResponse
-       * @param request
-       * @throws Exception
-       */
-      @RequestMapping(value = "/loadSettings", method = RequestMethod.GET)
-      public void loadSettings(HttpServletResponse httpResponse, WebRequest request) throws Exception {
-        // get cookie values
-        if (!checkCookie(request)) {
-          httpResponse.getOutputStream().println("Error");
-          throw new Exception("cookie is incorrect");
-        }
-        String md5sum = request.getHeader("Cookie").substring("settings=".length(), 41);
-    	ClassPathResource cpr = new ClassPathResource("static");
-    	File folder = new File(cpr.getPath());
-		File[] listOfFiles = folder.listFiles();
-        String filecontent = new String();
-        for (File f : listOfFiles) {
-          // not efficient, i know
-          filecontent = new String();
-          byte[] encoded = Files.readAllBytes(f.toPath());
-          filecontent = new String(encoded, StandardCharsets.UTF_8);
-          if (filecontent.contains(md5sum)) {
-            // this will send me to the developer hell (if exists)
-
-            // encode the file settings, md5sum is removed
-            String s = new String(Base64.getEncoder().encode(filecontent.replace(md5sum, "").getBytes()));
-            // setting the new cookie
-            httpResponse.setHeader("Cookie", "settings=" + s + "," + md5sum);
-            return;
-          }
-        }
+		return request.getHeader("Cookie").startsWith("settings=");
+	}
+	catch (Exception ex)
+	{
+		System.out.println(ex.getMessage());
+	}
+	return false;
       }
 
-
-  /**
-   * Saves the preferences (screen resolution, language..) on the filesystem
-   *
-   * @param httpResponse
-   * @param request
-   * @throws Exception
-   */
-  @RequestMapping(value = "/saveSettings", method = RequestMethod.GET)
+@RequestMapping(value = "/saveSettings", method = RequestMethod.GET)
   public void saveSettings(HttpServletResponse httpResponse, WebRequest request) throws Exception {
     // "Settings" will be stored in a cookie
     // schema: base64(filename,value1,value2...), md5sum(base64(filename,value1,value2...))
@@ -228,8 +184,8 @@ public void saveSettings(HttpServletResponse httpResponse, WebRequest request) t
 
     String settingsCookie = request.getHeader("Cookie");
     String[] cookie = settingsCookie.split(",");
-	if(cookie.length<2) {
-	  httpResponse.getOutputStream().println("Malformed cookie");
+if(cookie.length<2) {
+  httpResponse.getOutputStream().println("Malformed cookie");
       throw new Exception("cookie is incorrect");
     }
 
@@ -238,17 +194,17 @@ public void saveSettings(HttpServletResponse httpResponse, WebRequest request) t
     // Check md5sum
     String cookieMD5sum = cookie[1];
     String calcMD5Sum = DigestUtils.md5Hex(base64txt);
-	if(!cookieMD5sum.equals(calcMD5Sum))
+if(!cookieMD5sum.equals(calcMD5Sum))
     {
       httpResponse.getOutputStream().println("Wrong md5");
       throw new Exception("Invalid MD5");
     }
 
     // Now we can store on filesystem
     String[] settings = new String(Base64.getDecoder().decode(base64txt)).split(",");
-	// storage will have ClassPathResource as basepath
+// storage will have ClassPathResource as basepath
     ClassPathResource cpr = new ClassPathResource("./static/");
-	  File file = new File(cpr.getPath()+settings[0]);
+  File file = new File(cpr.getPath()+settings[0]);
     if(!file.exists()) {
       file.getParentFile().mkdirs();
     }
@@ -263,6 +219,7 @@ public void saveSettings(HttpServletResponse httpResponse, WebRequest request) t
     httpResponse.getOutputStream().println("Settings Saved");
   }
 
+
   /**
    * Debug test for saving and reading a customer
    *