From 9267c12d18caeb38e11b1d0e9bd12fedd8f6478d Mon Sep 17 00:00:00 2001
From: Seth Tisue
Date: Tue, 5 Dec 2023 18:10:04 -0800
Subject: [PATCH] Fortify: add Scala 3

---
 .github/workflows/ci.yml | 23 ---
 .github/workflows/fortify.yml | 9 +-
 build.sbt | 2 +-
 fortify.sbt | 2 +-
 ...bilities.txt => vulnerabilities-2.13.x.txt | 0
 vulnerabilities-3.x.txt | 186 ++++++++++++++++++
 6 files changed, 193 insertions(+), 29 deletions(-)
 delete mode 100644 .github/workflows/ci.yml
 rename vulnerabilities.txt => vulnerabilities-2.13.x.txt (100%)
 create mode 100644 vulnerabilities-3.x.txt

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
deleted file mode 100644
index 4d3c3a4..0000000
--- a/.github/workflows/ci.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: test
-on:
- push:
- branches:
- - main
- pull_request:
-jobs:
- test:
- strategy:
- fail-fast: false
- matrix:
- java: [8, 11, 17, 21]
- scala: [2.13.x, 3.x]
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- - uses: coursier/cache-action@v6
- - uses: actions/setup-java@v3
- with:
- distribution: temurin
- java-version: ${{matrix.java}}
- name: Test
- run: sbt ++${{matrix.scala}} test
diff --git a/.github/workflows/fortify.yml b/.github/workflows/fortify.yml
index fe43abb..6e32a8d 100644
--- a/.github/workflows/fortify.yml
+++ b/.github/workflows/fortify.yml
@@ -14,10 +14,11 @@ jobs:
 fail-fast: false
 matrix:
 java: [8, 11, 17, 21]
+ scala: [2.13.x, 3.x]
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
- - uses: actions/setup-java@v3
+ - uses: actions/setup-java@v4
 with:
 distribution: temurin
 java-version: ${{matrix.java}}
@@ -61,7 +62,7 @@ jobs:
 - name: Test
 run: |
- sbt compile
+ sbt ++${{matrix.scala}} compile
 rm -f target/vulnerabilities-actual.txt
 ./Fortify/Fortify_SCA_23.1.1/bin/sourceanalyzer \
 -b akka-http-webgoat \
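Review bot: The bumped `- uses: actions/setup-java@v4` (and the `actions/checkout@v4` context line above it) pins a mutable major tag rather than an immutable commit, so the job that later downloads and runs the Fortify SCA binary resolves whatever those tags point to at run time. Since this workflow is the one that decides whether the security baseline still holds, pin each action to a full commit SHA and keep the version as a trailing comment, e.g. `- uses: actions/setup-java@<commit-sha> # v4`, and let Dependabot or Renovate move the pin. The new `scala` matrix entry is only consumed further down the step list, which continues outside this hunk.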
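Review bot: With this patch `sbt ++${{matrix.scala}} compile` becomes the only sbt invocation in CI, because the same commit deletes `.github/workflows/ci.yml`, whose job ran `sbt ++${{matrix.scala}} test` over the Java/Scala matrix; nothing now runs the test suite on push or pull_request. If ci.yml was dropped because this job already covers the matrix, run the tests here as well, e.g. `sbt ++${{matrix.scala}} test`, before the scanner step, or keep ci.yml. The `run: |` script continues into the next hunk.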
@@ -69,5 +70,5 @@ jobs:
 -scan \
 | tail -n +4 > target/vulnerabilities-actual.txt
 cat target/scan.log
- sum vulnerabilities.txt target/vulnerabilities-actual.txt
- diff -u vulnerabilities.txt target/vulnerabilities-actual.txt
+ sum vulnerabilities-${{matrix.scala}.txt target/vulnerabilities-actual.txt
+ diff -u vulnerabilities-${{matrix.scala}}.txt target/vulnerabilities-actual.txt
diff --git a/build.sbt b/build.sbt
index b06da5e..1919e73 100644
--- a/build.sbt
+++ b/build.sbt
@@ -1,4 +1,4 @@
-crossScalaVersions := Seq("2.13.12", "3.3.1")
+crossScalaVersions := Seq("3.3.1", "2.13.12")
 scalaVersion := crossScalaVersions.value.head
 scalacOptions ++= Seq("-deprecation", "-feature")
diff --git a/fortify.sbt b/fortify.sbt
index 226bb45..e6e3bb7 100644
--- a/fortify.sbt
+++ b/fortify.sbt
@@ -1,6 +1,6 @@
 // enable the plugin
 addCompilerPlugin(
- "com.lightbend" %% "scala-fortify" % "1.0.25"
+ "com.lightbend" %% "scala-fortify" % "1.1.0-RC1"
 cross CrossVersion.patch)
 // configure the plugin
diff --git a/vulnerabilities.txt b/vulnerabilities-2.13.x.txt
similarity index 100%
rename from vulnerabilities.txt
rename to vulnerabilities-2.13.x.txt
diff --git a/vulnerabilities-3.x.txt b/vulnerabilities-3.x.txt
new file mode 100644
index 0000000..e456216
--- /dev/null
+++ b/vulnerabilities-3.x.txt
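Review bot: The added `sum` line is malformed: `vulnerabilities-${{matrix.scala}.txt` is missing one closing brace, so the expression opened by `${{` is not terminated until the `}}` on the following `diff -u` line and the workflow will fail to parse (or, at best, reference a file that does not exist). It should read `sum vulnerabilities-${{matrix.scala}}.txt target/vulnerabilities-actual.txt`, matching the `diff -u` line, which is the command that actually gates the job. Separately, the context line `| tail -n +4 > target/vulnerabilities-actual.txt` masks a non-zero exit from `sourceanalyzer` behind `tail`'s status, so a scanner crash surfaces only as a baseline mismatch; a `set -o pipefail` at the top of the script (which starts in the previous hunk) would report it as the scanner failure it is.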
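Review bot: Reordering `crossScalaVersions := Seq("3.3.1", "2.13.12")` silently changes the default `scalaVersion` from 2.13.12 to 3.3.1 for every invocation that does not pass `++`, because the context line below keeps `scalaVersion := crossScalaVersions.value.head`; the commit title ("add Scala 3") does not say that Scala 3 is now the default build. If that is intended, say so on the line, e.g. `// head is the default scalaVersion (see below): Scala 3 is intentionally the default`, so the next reorder is not accidental.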
@@ -0,0 +1,186 @@
+[62DCA7F0D8B6E3A52CE84F47A77199ED : low : System Information Leak : semantic ]
+BootWebGoat.scala(27) : Throwable.printStackTrace()
+
+[FF2009D572CBDE9E6406A4B612E98535 : low : System Information Leak : semantic ]
+BootWebGoat.scala(32) : Throwable.printStackTrace()
+
+[A10917E05DA99D3FCE47634C164CE9AF : low : HTML5 : Overly Permissive CORS Policy : semantic ]
+Routes.scala(191) : Access-Control-Allow-Origin.*()
+
+[F4038E7E8C591F997550F69BCD82597D : critical : Path Manipulation : dataflow ]
+Routes.scala(146) : ->FileAndResourceDirectives.getFromFile(0)
+ Routes.scala(145) : ->akka.http.webgoat.Routes$getFileFromParameter$lzyINIT1$$anonfun$1.apply(0)
+
+[F4038E7E8C591F997550F69BCD82597E : critical : Path Manipulation : dataflow ]
+Routes.scala(150) : ->FileAndResourceDirectives.getFromFile(0)
+ Routes.scala(149) : ->akka.http.webgoat.Routes$getFileFromFormField$lzyINIT1$$anonfun$1.apply(0)
+
+[F4038E7E8C591F997550F69BCD82597F : critical : Path Manipulation : dataflow ]
+Routes.scala(154) : ->FileAndResourceDirectives.getFromFile(0)
+ Routes.scala(153) : ->akka.http.webgoat.Routes$getFileFromPathSegment$lzyINIT1$$anonfun$1.apply(0)
+
+[F3B1A7D4B98E2ADD2460828D6F7D1FA1 : critical : Path Manipulation : dataflow ]
+Routes.scala(161) : ->FileAndResourceDirectives.getFromDirectory(0)
+ Routes.scala(160) : ->akka.http.webgoat.Routes$getFromDirectoryFromParameter$lzyINIT1$$anonfun$1.apply(0)
+
+[0985058C028D3F7A0F051DBFB990B548 : critical : Path Manipulation : dataflow ]
+Routes.scala(166) : ->FileAndResourceDirectives.getFromBrowseableDirectory(0)
+ Routes.scala(165) : ->akka.http.webgoat.Routes$getFromBrowseableDirectoryFromParameter$lzyINIT1$$anonfun$1.apply(0)
+
+[AECF567DEF24AA17E38A085A85CC4295 : low : System Information Leak : Internal : dataflow ]
+BootWebGoat.scala(26) : ->Predef.println(0)
+ BootWebGoat.scala(26) : <- Throwable.getMessage(return)
+
+[1D5E495D51EE36E26607545EF28BB120 : high : Server-Side Request Forgery : dataflow ]
+Routes.scala(173) : ->HttpRequest.apply(1)
+ Routes.scala(173) : <->Uri.apply(0->return)
+ Routes.scala(172) : ->akka.http.webgoat.Routes$runClientRequestFromParameter$lzyINIT1$$anonfun$1$$anonfun$1.apply(0)
+
+[AFBEDA705009F858C2AC58700B810DA4 : high : Server-Side Request Forgery : dataflow ]
+Routes.scala(183) : ->HttpRequest.apply(1)
+ Routes.scala(183) : <->Uri.apply(0->return)
+ Routes.scala(182) : ->akka.http.webgoat.Routes$runClientRequestWithUriPartFromParameter$lzyINIT1$$anonfun$1$$anonfun$1.apply(0)
+
+[98C435F77D036EC63BD08708503E5DF6 : critical : Command Injection : dataflow ]
+Routes.scala(45) : ->ProcessBuilder.!!(this)
+ Routes.scala(45) : <->ProcessImplicits.stringToProcess(0->return)
+ Routes.scala(43) : ->akka.http.webgoat.Routes$commandInjectionSimple$lzyINIT1$$anonfun$1.apply(0)
+
+[BC4F6F8140D8E9AF3B7F4CCC61AA16A6 : critical : Command Injection : dataflow ]
+Routes.scala(51) : ->ProcessBuilder.!!(this)
+ Routes.scala(51) : <->ProcessImplicits.stringToProcess(0->return)
+ Routes.scala(57) : ->Routes.execute(0)
+ Routes.scala(57) : ->akka.http.webgoat.Routes$commandInjectionCallMethod$lzyINIT1$$anonfun$1$$anonfun$1.apply(this)
+ Routes.scala(57) : <=> (this)
+ Routes.scala(57) : <->akka.http.webgoat.Routes$commandInjectionCallMethod$lzyINIT1$$anonfun$1$$anonfun$1.innerinit^(0->this)
+ Routes.scala(56) : ->akka.http.webgoat.Routes$commandInjectionCallMethod$lzyINIT1$$anonfun$1.apply(0)
+
+[BC4F6F8140D8E9AF3B7F4CCC61AA16A7 : critical : Command Injection : dataflow ]
+Routes.scala(51) : ->ProcessBuilder.!!(this)
+ Routes.scala(51) : <->ProcessImplicits.stringToProcess(0->return)
+ Routes.scala(64) : ->Routes.execute(0)
+ Routes.scala(64) : ->akka.http.webgoat.Routes$commandInjectionNestedParameterDirectives$lzyINIT1$$anonfun$1$$anonfun$1$$anonfun$1.apply(this)
+ Routes.scala(64) : <=> (this)
+ Routes.scala(64) : <->akka.http.webgoat.Routes$commandInjectionNestedParameterDirectives$lzyINIT1$$anonfun$1$$anonfun$1$$anonfun$1.innerinit^(0->this)
+ Routes.scala(63) : ->akka.http.webgoat.Routes$commandInjectionNestedParameterDirectives$lzyINIT1$$anonfun$1$$anonfun$1.apply(this)
+ Routes.scala(63) : <=> (this)
+ Routes.scala(64) : <->akka.http.webgoat.Routes$commandInjectionNestedParameterDirectives$lzyINIT1$$anonfun$1$$anonfun$1.innerinit^(0->this)
+ Routes.scala(62) : ->akka.http.webgoat.Routes$commandInjectionNestedParameterDirectives$lzyINIT1$$anonfun$1.apply(0)
+
+[9910602FAA08593DC4B73AFB31DAF6CF : critical : Command Injection : dataflow ]
+Routes.scala(51) : ->ProcessBuilder.!!(this)
+ Routes.scala(51) : <->ProcessImplicits.stringToProcess(0->return)
+ Routes.scala(71) : ->Routes.execute(0)
+ Routes.scala(71) : ->akka.http.webgoat.Routes$commandInjectionMoreParameters$lzyINIT1$$anonfun$1$$anonfun$1.apply(this)
+ Routes.scala(71) : <=> (this)
+ Routes.scala(71) : <->akka.http.webgoat.Routes$commandInjectionMoreParameters$lzyINIT1$$anonfun$1$$anonfun$1.innerinit^(0->this)
+ Routes.scala(70) : ->akka.http.webgoat.Routes$commandInjectionMoreParameters$lzyINIT1$$anonfun$1.apply(1)
+
+[9910602FAA08593DC4B73AFB31DAF6D0 : critical : Command Injection : dataflow ]
+Routes.scala(51) : ->ProcessBuilder.!!(this)
+ Routes.scala(51) : <->ProcessImplicits.stringToProcess(0->return)
+ Routes.scala(77) : ->Routes.execute(0)
+ Routes.scala(77) : ->akka.http.webgoat.Routes$commandInjectionMultipleParametersByConjunction$lzyINIT1$$anonfun$1$$anonfun$1.apply(this)
+ Routes.scala(77) : <=> (this)
+ Routes.scala(77) : <->akka.http.webgoat.Routes$commandInjectionMultipleParametersByConjunction$lzyINIT1$$anonfun$1$$anonfun$1.innerinit^(0->this)
+ Routes.scala(76) : ->akka.http.webgoat.Routes$commandInjectionMultipleParametersByConjunction$lzyINIT1$$anonfun$1.apply(1)
+
+[BC4F6F8140D8E9AF3B7F4CCC61AA16A8 : critical : Command Injection : dataflow ]
+Routes.scala(51) : ->ProcessBuilder.!!(this)
+ Routes.scala(51) : <->ProcessImplicits.stringToProcess(0->return)
+ Routes.scala(83) : ->Routes.execute(0)
+ Routes.scala(83) : ->akka.http.webgoat.Routes$commandInjectionMultipleParametersByAlternative$lzyINIT1$$anonfun$1$$anonfun$1.apply(this)
+ Routes.scala(83) : <=> (this)
+ Routes.scala(83) : <->akka.http.webgoat.Routes$commandInjectionMultipleParametersByAlternative$lzyINIT1$$anonfun$1$$anonfun$1.innerinit^(0->this)
+ Routes.scala(82) : ->akka.http.webgoat.Routes$commandInjectionMultipleParametersByAlternative$lzyINIT1$$anonfun$1.apply(0)
+
+[BC4F6F8140D8E9AF3B7F4CCC61AA16A9 : critical : Command Injection : dataflow ]
+Routes.scala(51) : ->ProcessBuilder.!!(this)
+ Routes.scala(51) : <->ProcessImplicits.stringToProcess(0->return)
+ Routes.scala(91) : ->Routes.execute(0)
+ Routes.scala(90) : ->akka.http.webgoat.Routes$commandInjectionParameterInRouteAlternative$lzyINIT1$$anonfun$1$$anonfun$2.apply(this)
+ Routes.scala(91) : <=> (this)
+ Routes.scala(91) : <->akka.http.webgoat.Routes$commandInjectionParameterInRouteAlternative$lzyINIT1$$anonfun$1$$anonfun$2.innerinit^(0->this)
+ Routes.scala(88) : ->akka.http.webgoat.Routes$commandInjectionParameterInRouteAlternative$lzyINIT1$$anonfun$1.apply(0)
+
+[BC4F6F8140D8E9AF3B7F4CCC61AA16AA : critical : Command Injection : dataflow ]
+Routes.scala(51) : ->ProcessBuilder.!!(this)
+ Routes.scala(51) : <->ProcessImplicits.stringToProcess(0->return)
+ Routes.scala(101) : ->Routes.execute(0)
+ Routes.scala(101) : ->akka.http.webgoat.Routes$commandInjectionDirectiveValue$lzyINIT1$$anonfun$1$$anonfun$1.apply(this)
+ Routes.scala(101) : <=> (this)
+ Routes.scala(101) : <->akka.http.webgoat.Routes$commandInjectionDirectiveValue$lzyINIT1$$anonfun$1$$anonfun$1.innerinit^(0->this)
+ Routes.scala(100) : ->akka.http.webgoat.Routes$commandInjectionDirectiveValue$lzyINIT1$$anonfun$1.apply(0)
+
+[BC4F6F8140D8E9AF3B7F4CCC61AA16AB : critical : Command Injection : dataflow ]
+Routes.scala(51) : ->ProcessBuilder.!!(this)
+ Routes.scala(51) : <->ProcessImplicits.stringToProcess(0->return)
+ Routes.scala(104) : ->Routes.execute(0)
+ Routes.scala(104) : ->akka.http.webgoat.Routes$executeAndComplete$$anonfun$1.apply(this)
+ Routes.scala(104) : <=> (this)
+ Routes.scala(104) : <->akka.http.webgoat.Routes$executeAndComplete$$anonfun$1.innerinit^(0->this)
+ Routes.scala(108) : ->Routes.executeAndComplete(0)
+ Routes.scala(108) : ->akka.http.webgoat.Routes$commandInjectionParameterAbstract$lzyINIT1$$anonfun$1.apply(0)
+
+[BC4F6F8140D8E9AF3B7F4CCC61AA16AC : critical : Command Injection : dataflow ]
+Routes.scala(51) : ->ProcessBuilder.!!(this)
+ Routes.scala(51) : <->ProcessImplicits.stringToProcess(0->return)
+ Routes.scala(117) : ->Routes.execute(0)
+ Routes.scala(117) : ->akka.http.webgoat.Routes$commandInjectiondAsync$lzyINIT1$$anonfun$1$$anonfun$1$$anonfun$2$$anonfun$1.apply(this)
+ Routes.scala(117) : <=> (this)
+ Routes.scala(117) : <->akka.http.webgoat.Routes$commandInjectiondAsync$lzyINIT1$$anonfun$1$$anonfun$1$$anonfun$2$$anonfun$1.innerinit^(0->this)
+ Routes.scala(116) : ->akka.http.webgoat.Routes$commandInjectiondAsync$lzyINIT1$$anonfun$1$$anonfun$1$$anonfun$2.apply(this)
+ Routes.scala(116) : <=> (this)
+ Routes.scala(117) : <->akka.http.webgoat.Routes$commandInjectiondAsync$lzyINIT1$$anonfun$1$$anonfun$1$$anonfun$2.innerinit^(0->this)
+ Routes.scala(115) : ->akka.http.webgoat.Routes$commandInjectiondAsync$lzyINIT1$$anonfun$1$$anonfun$1.apply(this)
+ Routes.scala(115) : <=> (this)
+ Routes.scala(118) : <->akka.http.webgoat.Routes$commandInjectiondAsync$lzyINIT1$$anonfun$1$$anonfun$1.innerinit^(0->this)
+ Routes.scala(112) : ->akka.http.webgoat.Routes$commandInjectiondAsync$lzyINIT1$$anonfun$1.apply(0)
+
+[BC4F6F8140D8E9AF3B7F4CCC61AA16AD : critical : Command Injection : dataflow ]
+Routes.scala(51) : ->ProcessBuilder.!!(this)
+ Routes.scala(51) : <->ProcessImplicits.stringToProcess(0->return)
+ Routes.scala(127) : ->Routes.execute(0)
+ Routes.scala(127) : ->akka.http.webgoat.Routes$commandInjectionFromPathSegment$lzyINIT1$$anonfun$1$$anonfun$1.apply(this)
+ Routes.scala(127) : <=> (this)
+ Routes.scala(127) : <->akka.http.webgoat.Routes$commandInjectionFromPathSegment$lzyINIT1$$anonfun$1$$anonfun$1.innerinit^(0->this)
+ Routes.scala(126) : ->akka.http.webgoat.Routes$commandInjectionFromPathSegment$lzyINIT1$$anonfun$1.apply(0)
+
+[BC4F6F8140D8E9AF3B7F4CCC61AA16AE : critical : Command Injection : dataflow ]
+Routes.scala(51) : ->ProcessBuilder.!!(this)
+ Routes.scala(51) : <->ProcessImplicits.stringToProcess(0->return)
+ Routes.scala(133) : ->Routes.execute(0)
+ Routes.scala(133) : ->akka.http.webgoat.Routes$commandInjectionFromFormField$lzyINIT1$$anonfun$1$$anonfun$1.apply(this)
+ Routes.scala(133) : <=> (this)
+ Routes.scala(133) : <->akka.http.webgoat.Routes$commandInjectionFromFormField$lzyINIT1$$anonfun$1$$anonfun$1.innerinit^(0->this)
+ Routes.scala(132) : ->akka.http.webgoat.Routes$commandInjectionFromFormField$lzyINIT1$$anonfun$1.apply(0)
+
+[A2C37B7CF28EEE6331EB712FEA151F51 : critical : Command Injection : dataflow ]
+Routes.scala(51) : ->ProcessBuilder.!!(this)
+ Routes.scala(51) : <->ProcessImplicits.stringToProcess(0->return)
+ Routes.scala(139) : ->Routes.execute(0)
+ Routes.scala(139) : <->HttpCookiePair.value(this->return)
+ Routes.scala(139) : ->akka.http.webgoat.Routes$commandInjectionFromCookie$lzyINIT1$$anonfun$1$$anonfun$1.apply(this)
+ Routes.scala(139) : <=> (this)
+ Routes.scala(139) : <->akka.http.webgoat.Routes$commandInjectionFromCookie$lzyINIT1$$anonfun$1$$anonfun$1.innerinit^(0->this)
+ Routes.scala(138) : ->akka.http.webgoat.Routes$commandInjectionFromCookie$lzyINIT1$$anonfun$1.apply(0)
+
+[3C19C215BE7A8DF59CD47FC24DAF64B0 : low : Code Correctness : Constructor Invokes Overridable Function : structural ]
+ BootWebGoat.scala(16)
+ Function: akka.http.webgoat.BootWebGoat.BootWebGoat [BootWebGoat.scala(11)]
+ Function: akka.http.webgoat.BootWebGoat.system [BootWebGoat.scala(12)]
+
+[3C19C215BE7A8DF59CD47FC24DAF64B1 : low : Code Correctness : Constructor Invokes Overridable Function : structural ]
+ BootWebGoat.scala(16)
+ Function: akka.http.webgoat.BootWebGoat.BootWebGoat [BootWebGoat.scala(11)]
+ Function: akka.http.webgoat.BootWebGoat.system [BootWebGoat.scala(12)]
+
+[3C19C215BE7A8DF59CD47FC24DAF64B2 : low : Code Correctness : Constructor Invokes Overridable Function : structural ]
+ BootWebGoat.scala(21)
+ Function: akka.http.webgoat.BootWebGoat.BootWebGoat [BootWebGoat.scala(11)]
+ Function: akka.http.webgoat.BootWebGoat.system [BootWebGoat.scala(12)]
+
+[3C19C215BE7A8DF59CD47FC24DAF64B3 : low : Code Correctness : Constructor Invokes Overridable Function : structural ]
+ BootWebGoat.scala(33)
+ Function: akka.http.webgoat.BootWebGoat.BootWebGoat [BootWebGoat.scala(11)]
+ Function: akka.http.webgoat.BootWebGoat.system [BootWebGoat.scala(12)]