From a91071bc59e8a5b88930929af4798aef542545f9 Mon Sep 17 00:00:00 2001
From: Ilan Torbaty <81161693+IlanTSnyk@users.noreply.github.com>
Date: Mon, 4 Apr 2022 13:50:54 +0300
Subject: [PATCH 1/9] Update package.json
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index da13bc85d2f..ad639906804 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "goof",
   "version": "1.0.1",
-  "description": "A vulnerable todo demo application",
+  "description": "A vulnerable todo demo application new desc",
   "homepage": "https://snyk.io/",
   "repository": {
     "type": "git",
From d9b741fd7032deb2e9aff06f7e55057f592976a5 Mon Sep 17 00:00:00 2001
From: Ilan Torbaty <81161693+IlanTSnyk@users.noreply.github.com>
Date: Mon, 4 Apr 2022 14:00:16 +0300
Subject: [PATCH 2/9] Rename package.json to new/package.json
---
 package.json => new/package.json | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename package.json => new/package.json (100%)
diff --git a/package.json b/new/package.json
similarity index 100%
rename from package.json
rename to new/package.json
From f0b647809afa07eaa1778c5a955f214e30ded3d5 Mon Sep 17 00:00:00 2001
From: Ilan Torbaty <81161693+IlanTSnyk@users.noreply.github.com>
Date: Mon, 4 Apr 2022 14:00:37 +0300
Subject: [PATCH 3/9] Rename package-lock.json to new/package-lock.json
---
 package-lock.json => new/package-lock.json | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename package-lock.json => new/package-lock.json (100%)
diff --git a/package-lock.json b/new/package-lock.json
similarity index 100%
rename from package-lock.json
rename to new/package-lock.json
From 59c278b65509f6034169a74e2ecaa21e28afbdbb Mon Sep 17 00:00:00 2001
From: IlanTSnyk
Date: Thu, 28 Apr 2022 17:47:30 +0300
Subject: [PATCH 4/9] chore: test ,snyk file with code
---
 .dccache | 1 +
 .snyk | 10 ++++++++++
 2 files changed, 11 insertions(+)
 create mode 100644 .dccache
 create mode 100644 .snyk
diff --git a/.dccache b/.dccache new file mode 100644 index 00000000000..43793f49a03 --- /dev/null +++ b/.dccache @@ -0,0 +1 @@ +{"/Users/ilantorbaty/Dev/goof-new-name/app.js":[2267,1651156906969.3486,"174d57bfa8df392e6af4d329afe1cd1df2fd5847e5259aef392d9a8c335213ec"],"/Users/ilantorbaty/Dev/goof-new-name/mongoose-db.js":[1390,1651156906974.9875,"2896d0953469cf650d29942e793d02b7f70cbd5ff79af6ed73d095e9a05a6bab"],"/Users/ilantorbaty/Dev/goof-new-name/typeorm-db.js":[962,1651156906981.9927,"eb663a29511955d6b38321143205f19e8b1e97c0a885067d9f825ff3a43e099c"],"/Users/ilantorbaty/Dev/goof-new-name/utils.js":[641,1651156906982.3179,"89708c1c71ee8df581db821a502df0023f96c61be34038f2471419c61b9a17c9"],"/Users/ilantorbaty/Dev/goof-new-name/entity/Users.js":[259,1651156906970.0417,"3aa06d2acbe381eab0b8f8cdb89304e54c083b24b06aff63ccb70b2b2dab9a3e"],"/Users/ilantorbaty/Dev/goof-new-name/routes/index.js":[7004,1651156906981.3252,"94beceb9c6b840e39cd449b81b30941b510ba3a685f9a14bd5225af946f6c1c2"],"/Users/ilantorbaty/Dev/goof-new-name/routes/users.js":[1157,1651156906981.709,"6ad8ac7589f66b5892f6fc5a66d0b2114f7888b8654e6a3cd6d3b637d50c2ef6"],"/Users/ilantorbaty/Dev/goof-new-name/views/admin.ejs":[543,1651156906982.9817,"d88491c558787b36fe11402f052be05b8172403e53c8349225799f80bc43bf61"],"/Users/ilantorbaty/Dev/goof-new-name/views/edit.ejs":[1068,1651156906983.2869,"867ce350c8ae5d7793208c3b170d98f2733bc15382900833efbc55a59f74e4fe"],"/Users/ilantorbaty/Dev/goof-new-name/views/index.ejs":[607,1651156906983.4895,"3de0b4b893f9c6115f35a9bf6d72b3ed929cf8f4c1a4e8a15056ddd8d1f22c9b"],"/Users/ilantorbaty/Dev/goof-new-name/views/layout.ejs":[856,1651156906983.6885,"da44ae8f7de4f1fcdecd91306e702849099a98dca3421d369c036d697b8e16f9"],"/Users/ilantorbaty/Dev/goof-new-name/public/js/ga.js":[320,1651156906980.1687,"ec0bd48aaa6c1da6132f86157ff8419cc0d6a016026d17f237a636938d914164"]} \ No newline at end of file diff --git a/.snyk b/.snyk new file mode 100644 index 00000000000..6551649c021 
--- /dev/null
+++ b/.snyk
@@ -0,0 +1,10 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  Command Injection:
+    - '*':
+        reason: some reason
+        expires: 2022-05-28T14:46:39.506Z
+        created: 2022-04-28T14:46:39.508Z
+patch: {}
From a464b81c25ce6a29ad4c6df93ae14722593e52aa Mon Sep 17 00:00:00 2001
From: IlanTSnyk
Date: Thu, 28 Apr 2022 19:24:34 +0300
Subject: [PATCH 5/9] chore: test .snyk file with code
---
 .snyk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.snyk b/.snyk
index 6551649c021..a347cfcceec 100644
--- a/.snyk
+++ b/.snyk
@@ -2,7 +2,7 @@
 version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
-  Command Injection:
+  0dc621dd-6d69-4410-b8ca-be6878ceea45:
     - '*':
         reason: some reason
         expires: 2022-05-28T14:46:39.506Z
From d93bacef4296739672416bdb4f64f02434e974c9 Mon Sep 17 00:00:00 2001
From: Ilan Torbaty <81161693+IlanTSnyk@users.noreply.github.com>
Date: Mon, 2 May 2022 12:14:32 +0300
Subject: [PATCH 6/9] Update .snyk
---
 .snyk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.snyk b/.snyk
index a347cfcceec..8908cea65dc 100644
--- a/.snyk
+++ b/.snyk
@@ -2,7 +2,7 @@
 version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
-  0dc621dd-6d69-4410-b8ca-be6878ceea45:
+  7b9c1f5e-257d-4d17-a8ea-30d8793fc700:
     - '*':
         reason: some reason
         expires: 2022-05-28T14:46:39.506Z
From d747d6829ce14ebdb3bc0a22c4a8ade445734541 Mon Sep 17 00:00:00 2001
From: IlanTSnyk
Date: Mon, 2 May 2022 12:25:23 +0300
Subject: [PATCH 7/9] chore: test code ignore via vs code plugin
---
 .dccache | 2 +-
 app.js | 1 +
 routes/index.js | 3 +++
 3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/.dccache b/.dccache
index 43793f49a03..736aecf43bb 100644
--- a/.dccache
+++ b/.dccache
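Review bot: The ignore rule added to `.snyk` in this hunk is keyed on the path glob `'*'` with the justification `reason: some reason`, so it suppresses the finding in every file of the project without recording why that is acceptable; the follow-up hunks in PATCH 5/9 and PATCH 6/9 only swap the rule key from `Command Injection` to an issue id and keep the same placeholder reason. A suppression that survives review should say what the finding is and why it is tolerated here, and since the repository describes itself as a vulnerable demo application that is easy to state, e.g. `reason: intentional vulnerability kept for the demo app; revisit before expiry`. The rule already carries an `expires` date one month after `created`, which is the right guard; a specific reason is what lets the next reviewer decide whether to renew it when that date passes.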
@@ -1 +1 @@ -{"/Users/ilantorbaty/Dev/goof-new-name/app.js":[2267,1651156906969.3486,"174d57bfa8df392e6af4d329afe1cd1df2fd5847e5259aef392d9a8c335213ec"],"/Users/ilantorbaty/Dev/goof-new-name/mongoose-db.js":[1390,1651156906974.9875,"2896d0953469cf650d29942e793d02b7f70cbd5ff79af6ed73d095e9a05a6bab"],"/Users/ilantorbaty/Dev/goof-new-name/typeorm-db.js":[962,1651156906981.9927,"eb663a29511955d6b38321143205f19e8b1e97c0a885067d9f825ff3a43e099c"],"/Users/ilantorbaty/Dev/goof-new-name/utils.js":[641,1651156906982.3179,"89708c1c71ee8df581db821a502df0023f96c61be34038f2471419c61b9a17c9"],"/Users/ilantorbaty/Dev/goof-new-name/entity/Users.js":[259,1651156906970.0417,"3aa06d2acbe381eab0b8f8cdb89304e54c083b24b06aff63ccb70b2b2dab9a3e"],"/Users/ilantorbaty/Dev/goof-new-name/routes/index.js":[7004,1651156906981.3252,"94beceb9c6b840e39cd449b81b30941b510ba3a685f9a14bd5225af946f6c1c2"],"/Users/ilantorbaty/Dev/goof-new-name/routes/users.js":[1157,1651156906981.709,"6ad8ac7589f66b5892f6fc5a66d0b2114f7888b8654e6a3cd6d3b637d50c2ef6"],"/Users/ilantorbaty/Dev/goof-new-name/views/admin.ejs":[543,1651156906982.9817,"d88491c558787b36fe11402f052be05b8172403e53c8349225799f80bc43bf61"],"/Users/ilantorbaty/Dev/goof-new-name/views/edit.ejs":[1068,1651156906983.2869,"867ce350c8ae5d7793208c3b170d98f2733bc15382900833efbc55a59f74e4fe"],"/Users/ilantorbaty/Dev/goof-new-name/views/index.ejs":[607,1651156906983.4895,"3de0b4b893f9c6115f35a9bf6d72b3ed929cf8f4c1a4e8a15056ddd8d1f22c9b"],"/Users/ilantorbaty/Dev/goof-new-name/views/layout.ejs":[856,1651156906983.6885,"da44ae8f7de4f1fcdecd91306e702849099a98dca3421d369c036d697b8e16f9"],"/Users/ilantorbaty/Dev/goof-new-name/public/js/ga.js":[320,1651156906980.1687,"ec0bd48aaa6c1da6132f86157ff8419cc0d6a016026d17f237a636938d914164"]} \ No newline at end of file 
+{"/Users/ilantorbaty/Dev/goof-new-name/app.js":[2321,1651483470131.434,"3afdc0037417e5b135ab3e440716663d710e328db2904fd35a817ec1a78398c3"],"/Users/ilantorbaty/Dev/goof-new-name/mongoose-db.js":[1390,1651156906974.9875,"2896d0953469cf650d29942e793d02b7f70cbd5ff79af6ed73d095e9a05a6bab"],"/Users/ilantorbaty/Dev/goof-new-name/typeorm-db.js":[962,1651156906981.9927,"eb663a29511955d6b38321143205f19e8b1e97c0a885067d9f825ff3a43e099c"],"/Users/ilantorbaty/Dev/goof-new-name/utils.js":[641,1651156906982.3179,"89708c1c71ee8df581db821a502df0023f96c61be34038f2471419c61b9a17c9"],"/Users/ilantorbaty/Dev/goof-new-name/entity/Users.js":[259,1651156906970.0417,"3aa06d2acbe381eab0b8f8cdb89304e54c083b24b06aff63ccb70b2b2dab9a3e"],"/Users/ilantorbaty/Dev/goof-new-name/public/about.html":[70,1651156906978.4565,"21203315cbebc6b0ee319503a16c2f12a9adc6d2e8a7a571a7acf15574c6c505"],"/Users/ilantorbaty/Dev/goof-new-name/routes/index.js":[7164,1651483487886.8862,"0fb33834f8a8720364f2c0fc219f5b75e858d793a3cad25431ff7dcee0a3d7d4"],"/Users/ilantorbaty/Dev/goof-new-name/routes/users.js":[1157,1651156906981.709,"6ad8ac7589f66b5892f6fc5a66d0b2114f7888b8654e6a3cd6d3b637d50c2ef6"],"/Users/ilantorbaty/Dev/goof-new-name/views/admin.ejs":[543,1651156906982.9817,"d88491c558787b36fe11402f052be05b8172403e53c8349225799f80bc43bf61"],"/Users/ilantorbaty/Dev/goof-new-name/views/edit.ejs":[1068,1651156906983.2869,"867ce350c8ae5d7793208c3b170d98f2733bc15382900833efbc55a59f74e4fe"],"/Users/ilantorbaty/Dev/goof-new-name/views/index.ejs":[607,1651156906983.4895,"3de0b4b893f9c6115f35a9bf6d72b3ed929cf8f4c1a4e8a15056ddd8d1f22c9b"],"/Users/ilantorbaty/Dev/goof-new-name/views/layout.ejs":[856,1651156906983.6885,"da44ae8f7de4f1fcdecd91306e702849099a98dca3421d369c036d697b8e16f9"],"/Users/ilantorbaty/Dev/goof-new-name/public/js/ga.js":[320,1651156906980.1687,"ec0bd48aaa6c1da6132f86157ff8419cc0d6a016026d17f237a636938d914164"]} \ No newline at end of file diff --git a/app.js b/app.js index b668f198bc9..008a093f64b 100644 
--- a/app.js
+++ b/app.js
@@ -70,6 +70,7 @@ if (app.get('env') == 'development') {
   app.use(errorHandler());
 }
+// deepcode ignore HardcodedNonCryptoSecret:
 var token = 'SECRET_TOKEN_f8ed84e8f41e4146403dd4a6bbcea5e418d23a9';
 console.log('token: ' + token);
diff --git a/routes/index.js b/routes/index.js
index a226e73d6a0..4a513e1f6aa 100644
--- a/routes/index.js
+++ b/routes/index.js
@@ -83,6 +83,7 @@ exports.create = function (req, res, next) {
     var url = item.match(imgRegex)[1];
     console.log('found img: ' + url);
+    // deepcode ignore CommandInjection:
     exec('identify ' + url, function (err, stdout, stderr) {
       console.log(err);
       if (err !== null) {
@@ -113,6 +114,7 @@ exports.create = function (req, res, next) {
 };
 exports.destroy = function (req, res, next) {
+  // deepcode ignore NoSqli:
   Todo.findById(req.params.id, function (err, todo) {
     try {
@@ -141,6 +143,7 @@ exports.edit = function (req, res, next) {
 };
 exports.update = function (req, res, next) {
+  // deepcode ignore NoSqli:
   Todo.findById(req.params.id, function (err, todo) {
     todo.content = req.body.content;
From f1dcc90283107f810f93d8c0a5f3e031f265d305 Mon Sep 17 00:00:00 2001
From: Ilan Torbaty <81161693+IlanTSnyk@users.noreply.github.com>
Date: Wed, 3 Aug 2022 11:12:56 +0300
Subject: [PATCH 8/9] Update README.md
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 00a0af2dc1d..be2c4a07a1c 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@ This vulnerable app includes the following capabilities to experiment with:
 * [Docker Image Scanning](#docker-image-scanning) for base images with known vulnerabilities in system libraries
 * [Runtime alerts](#runtime-alerts) for detecting an invocation of vulnerable functions in open source dependencies
-## Running
+## Running -
 ```bash
 mongod &
From 09c9a072fea0ea6e2ac005d2d5628827437a2ea7 Mon Sep 17 00:00:00 2001
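Review bot: Every `// deepcode ignore <rule>:` comment added in the `app.js` hunk and in the three `routes/index.js` hunks of PATCH 7/9 stops at the colon, so the justification field that follows it is empty and the suppression leaves no reason for a reviewer or for the scanner's audit trail. The `CommandInjection` ignore sits directly above `exec('identify ' + url, …)`, which still concatenates `url` into a shell command, and the two `NoSqli` ignores sit above `Todo.findById(req.params.id, …)` calls that still hand a request parameter straight to the query; the comments hide the findings but change nothing about what those lines do. Because the repository describes itself as a vulnerable demo application, the honest text is along the lines of `// deepcode ignore CommandInjection: intentionally vulnerable demo code, do not copy`, with the same wording on the `HardcodedNonCryptoSecret` ignore above the `SECRET_TOKEN_…` literal and on both `NoSqli` ignores. The enclosing `exports.create` function starts before the first `routes/index.js` hunk and continues past it, and `exports.destroy` and `exports.update` both run past the end of their hunks.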
From: Ilan Torbaty <81161693+IlanTSnyk@users.noreply.github.com>
Date: Wed, 3 Aug 2022 11:25:05 +0300
Subject: [PATCH 9/9] Update README.md
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index be2c4a07a1c..00a0af2dc1d 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@ This vulnerable app includes the following capabilities to experiment with:
 * [Docker Image Scanning](#docker-image-scanning) for base images with known vulnerabilities in system libraries
 * [Runtime alerts](#runtime-alerts) for detecting an invocation of vulnerable functions in open source dependencies
-## Running -
+## Running
 ```bash
 mongod &