diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml deleted file mode 100644 index 898df085..00000000 --- a/.github/workflows/maven.yml +++ /dev/null @@ -1,80 +0,0 @@ -# This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time -# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-maven - -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -name: SonarQube Analyze - -on: - push: - branches: - - '**' # This will trigger the workflow on pushes to any branch - pull_request: - types: [opened, synchronize, reopened] - workflow_dispatch: - -jobs: - build: - name: Build - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - with: - fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis - - name: Set up JDK 17 - uses: actions/setup-java@v3 - with: - java-version: '17' - distribution: 'temurin' - cache: maven - - name: Cache SonarQube packages - uses: actions/cache@v3 - with: - path: ~/.sonar/cache - key: ${{ runner.os }}-sonar - restore-keys: ${{ runner.os }}-sonar - - name: Cache Maven packages - uses: actions/cache@v3 - with: - path: ~/.m2 - key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} - restore-keys: ${{ runner.os }}-m2 - - name: Build with Maven and analyze with SonarQube - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} - run: | - mvn -B test -Pcoverage verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \ - -Dsonar.javaOpts="-Xmx8192m " \ - -Dsonar.scanner.debug="true" \ - -Dsonar.sources="." \ - -Dsonar.exclusions="src/test/java/**/*" \ - -Dsonar.tests="src/test/java" \ - -X - - - name: SonarQube Pull Request Analysis - if: ${{ github.event_name == 'pull_request' }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} - run: | - mvn -B test -Pcoverage verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \ - -Dsonar.pullrequest.key="${{ github.event.pull_request.number }}" \ - -Dsonar.pullrequest.base="${{ github.event.pull_request.base.ref }}" \ - -Dsonar.pullrequest.branch="${{ github.head_ref }}" \ - -Dsonar.javaOpts="-Xmx8192m " \ - -Dsonar.scanner.debug="true" \ - -Dsonar.sources="." \ - -Dsonar.exclusions="src/test/java/**/*" \ - -Dsonar.tests="src/test/java" \ - -X - - # Optional: Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive - #- name: Update dependency graph - # uses: advanced-security/maven-dependency-submission-action@571e99aab1055c2e71a1e2309b9691de18d6b7d6 diff --git a/README.md b/README.md index 89a8aca3..82d3ff5c 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,4 @@ # Demo - Java Security -[![Quality Gate Status](https://nautilus.sonarqube.org/api/project_badges/measure?project=demo%3Ajava-security&metric=alert_status&token=squ_1e4f3504bdc994f093721895e070abe7c11b1632)](https://nautilus.sonarqube.org/dashboard?id=demo%3Ajava-security) [![Maintainability Rating](https://nautilus.sonarqube.org/api/project_badges/measure?project=demo%3Ajava-security&metric=sqale_rating&token=squ_1e4f3504bdc994f093721895e070abe7c11b1632)](https://nautilus.sonarqube.org/dashboard?id=demo%3Ajava-security) [![Reliability Rating](https://nautilus.sonarqube.org/api/project_badges/measure?project=demo%3Ajava-security&metric=reliability_rating&token=squ_1e4f3504bdc994f093721895e070abe7c11b1632)](https://nautilus.sonarqube.org/dashboard?id=demo%3Ajava-security) [![Security Rating](https://nautilus.sonarqube.org/api/project_badges/measure?project=demo%3Ajava-security&metric=security_rating&token=squ_1e4f3504bdc994f093721895e070abe7c11b1632)](https://nautilus.sonarqube.org/dashboard?id=demo%3Ajava-security) [![Security Hotspots](https://nautilus.sonarqube.org/api/project_badges/measure?project=demo%3Ajava-security&metric=security_hotspots&token=squ_1e4f3504bdc994f093721895e070abe7c11b1632)](https://nautilus.sonarqube.org/dashboard?id=demo%3Ajava-security) ## Use case This example demonstrates: - Vulnerabilities diff --git a/src/main/java/demo/security/servlet/FileServlet.java b/src/main/java/demo/security/servlet/FileServlet.java index 7c0dda76..17a4f61d 100644 --- a/src/main/java/demo/security/servlet/FileServlet.java +++ b/src/main/java/demo/security/servlet/FileServlet.java @@ -8,6 +8,8 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Paths; @WebServlet("/files") public class FileServlet extends HttpServlet { @@ -16,4 +18,11 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response) String data = request.getParameter("data"); Utils.deleteFile(data); } + + @Override + protected void doPut(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + String filename = request.getParameter("filename"); + String content = request.getParameter("content"); + Files.write(Paths.get(filename), content.getBytes()); + } }