From 7cfcd3acdf886861d26a8523031c31d3576343e5 Mon Sep 17 00:00:00 2001 From: StefanKelm Date: Mon, 21 Dec 2020 17:34:54 +0100 Subject: [PATCH 1/6] Update importReportFromUrl.ctp --- app/View/EventReports/ajax/importReportFromUrl.ctp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/View/EventReports/ajax/importReportFromUrl.ctp b/app/View/EventReports/ajax/importReportFromUrl.ctp index 79df0f799..7c6cb4fc6 100644 --- a/app/View/EventReports/ajax/importReportFromUrl.ctp +++ b/app/View/EventReports/ajax/importReportFromUrl.ctp @@ -10,7 +10,7 @@ 'field' => 'url', 'class' => 'input span6', 'div' => 'text', - 'label' => sprintf('%s: ', __('URL')) . __('Content for this URL will be downloaded and converted to Mardown') + 'label' => sprintf('%s: ', __('URL')) . __('Content for this URL will be downloaded and converted to Markdown') ), ), 'submit' => array( @@ -18,4 +18,4 @@ 'ajaxSubmit' => sprintf('submitPopoverForm(\'%s\', \'addEventReport\', 0, 1)', h($event_id)) ) ) - )); \ No newline at end of file + )); From adb37f6980d68f04aa714e79365f6fb10becbda6 Mon Sep 17 00:00:00 2001 From: StefanKelm Date: Mon, 21 Dec 2020 17:35:20 +0100 Subject: [PATCH 2/6] Update indexForEvent.ctp --- app/View/EventReports/ajax/indexForEvent.ctp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/View/EventReports/ajax/indexForEvent.ctp b/app/View/EventReports/ajax/indexForEvent.ctp index 34a8cb77f..a224b4413 100644 --- a/app/View/EventReports/ajax/indexForEvent.ctp +++ b/app/View/EventReports/ajax/indexForEvent.ctp @@ -27,7 +27,7 @@ 'onClickParams' => [$baseurl . '/eventReports/importReportFromUrl/' . h($event_id)], 'active' => true, 'text' => __('Import from URL'), - 'title' => __('Content for this URL will be downloaded and converted to Mardown'), + 'title' => __('Content for this URL will be downloaded and converted to Markdown'), 'fa-icon' => 'link', 'requirement' => $canModify && $importModuleEnabled, ), From 99166f9f7b4b13ba4d7100c53bd0d3bf62346665 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 22 Dec 2020 10:48:23 +0100 Subject: [PATCH 3/6] handlerSSL should be true --- app/Plugin/ShibbAuth/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/Plugin/ShibbAuth/README.md b/app/Plugin/ShibbAuth/README.md index 829b0f7cd..bfcc1ce5b 100644 --- a/app/Plugin/ShibbAuth/README.md +++ b/app/Plugin/ShibbAuth/README.md @@ -144,7 +144,7 @@ If used with Apache as webserver it might be useful to make a distinction to fil If you want the logout button to work for killing your session, you can use the CustomAuth plugin to configure a custom logout url, by default the url should be https://<host>/Shibboleth.sso/Logout. This leads to a local logout. If you want to also trigger a logout at the identity provider, you can use the return mechanism. In this case you will need to change the allowed redirects. Your logout url will look like https://<host>/Shibboleth.sso/Logout?return=https:///Logout. Edit your shibboleth configuration (often at /etc/shibboleth/shibboleth2.xml) as necessary. Relevant shibboleth documentation can be found at https://wiki.shibboleth.net/confluence/display/SP3/Logout and https://wiki.shibboleth.net/confluence/display/SP3/Sessions. ```xml ``` From 926dea22c8db48582af327e4fc4c76e23b3de3fc Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 22 Dec 2020 12:39:02 +0100 Subject: [PATCH 4/6] CodeQL added --- .github/workflows/codeql-analysis.yml | 67 +++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 .github/workflows/codeql-analysis.yml diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 000000000..f2da0572a --- /dev/null +++ b/.github/workflows/codeql-analysis.yml @@ -0,0 +1,67 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: [ 2.4 ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ 2.4 ] + schedule: + - cron: '31 16 * * 1' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + + strategy: + fail-fast: false + matrix: + language: [ 'javascript', 'python' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] + # Learn more: + # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v1 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + # queries: ./path/to/local/query, your-org/your-repo/queries@main + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v1 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 https://git.io/JvXDl + + # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines + # and modify them (or add more) to build your code if your project + # uses a compiled language + + #- run: | + # make bootstrap + # make release + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v1 From 419c7dd1ca7db9e3e8b8fca24ddc038d9c942f54 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 22 Dec 2020 12:39:53 +0100 Subject: [PATCH 5/6] Veracode added --- .github/workflows/veracode-analysis.yml | 60 +++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 .github/workflows/veracode-analysis.yml diff --git a/.github/workflows/veracode-analysis.yml b/.github/workflows/veracode-analysis.yml new file mode 100644 index 000000000..3e8f493ed --- /dev/null +++ b/.github/workflows/veracode-analysis.yml @@ -0,0 +1,60 @@ +# This workflow will initiate a Veracode Static Analysis Pipeline scan, return a results.json and convert to SARIF for upload as a code scanning alert + +name: Veracode Static Analysis Pipeline Scan + +# Controls when the action will run. Triggers the workflow on push or pull request +# events but only for the master branch +on: + push: + branches: [ 2.4 ] + pull_request: + branches: [ 2.4 ] + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter + build-and-pipeline-scan: + # The type of runner that the job will run on + runs-on: ubuntu-latest + steps: + + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps + - uses: actions/checkout@v2 + with: + repository: '' + + - uses: papeloto/action-zip@v1 + with: + files: / + recursive: true + dest: veracode-pipeline-scan-results-to-sarif.zip + + - uses: actions/upload-artifact@v1 + with: + name: my-artifact + path: veracode-pipeline-scan-results-to-sarif.zip + + # download the Veracode Static Analysis Pipeline scan jar + - uses: wei/curl@master + with: + args: -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip + - run: unzip -o pipeline-scan-LATEST.zip + + - uses: actions/setup-java@v1 + with: + java-version: 1.8 + - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-pipeline-scan-results-to-sarif.zip + continue-on-error: true + - uses: actions/upload-artifact@v1 + with: + name: ScanResults + path: results.json + - name: Convert pipeline scan output to SARIF format + id: convert + uses: veracode/veracode-pipeline-scan-results-to-sarif@master + with: + pipeline-results-json: results.json + - uses: github/codeql-action/upload-sarif@v1 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: veracode-results.sarif From 6dcca5527ed372e2b740e341c83feb8d638ad2d2 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 22 Dec 2020 12:50:08 +0100 Subject: [PATCH 6/6] chg: [veracode] removed --- .github/workflows/veracode-analysis.yml | 60 ------------------------- 1 file changed, 60 deletions(-) delete mode 100644 .github/workflows/veracode-analysis.yml diff --git a/.github/workflows/veracode-analysis.yml b/.github/workflows/veracode-analysis.yml deleted file mode 100644 index 3e8f493ed..000000000 --- a/.github/workflows/veracode-analysis.yml +++ /dev/null @@ -1,60 +0,0 @@ -# This workflow will initiate a Veracode Static Analysis Pipeline scan, return a results.json and convert to SARIF for upload as a code scanning alert - -name: Veracode Static Analysis Pipeline Scan - -# Controls when the action will run. Triggers the workflow on push or pull request -# events but only for the master branch -on: - push: - branches: [ 2.4 ] - pull_request: - branches: [ 2.4 ] - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel -jobs: - # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter - build-and-pipeline-scan: - # The type of runner that the job will run on - runs-on: ubuntu-latest - steps: - - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps - - uses: actions/checkout@v2 - with: - repository: '' - - - uses: papeloto/action-zip@v1 - with: - files: / - recursive: true - dest: veracode-pipeline-scan-results-to-sarif.zip - - - uses: actions/upload-artifact@v1 - with: - name: my-artifact - path: veracode-pipeline-scan-results-to-sarif.zip - - # download the Veracode Static Analysis Pipeline scan jar - - uses: wei/curl@master - with: - args: -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip - - run: unzip -o pipeline-scan-LATEST.zip - - - uses: actions/setup-java@v1 - with: - java-version: 1.8 - - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-pipeline-scan-results-to-sarif.zip - continue-on-error: true - - uses: actions/upload-artifact@v1 - with: - name: ScanResults - path: results.json - - name: Convert pipeline scan output to SARIF format - id: convert - uses: veracode/veracode-pipeline-scan-results-to-sarif@master - with: - pipeline-results-json: results.json - - uses: github/codeql-action/upload-sarif@v1 - with: - # Path to SARIF file relative to the root of the repository - sarif_file: veracode-results.sarif