Re intro sq li

.github/workflows/shiftleft.yml

@@ -0,0 +1,74 @@
+# This workflow integrates ShiftLeft NG SAST with GitHub
+# Visit https://docs.shiftleft.io for help
+name: ShiftLeft
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  NextGen-Static-Analysis:
+    runs-on: windows-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Setup .NET
+      uses: actions/setup-dotnet@v1
+      with:
+        dotnet-version: 5.0.x
+    - name: Download ShiftLeft CLI
+      run: |
+        Invoke-WebRequest -Uri 'https://cdn.shiftleft.io/download/sl-latest-windows-x64.zip' -OutFile sl.zip
+        Expand-Archive -Path sl.zip -DestinationPath .
+
+    - name: Build web api
+      run: dotnet build netcoreWebapi
+    - name: Extract branch name
+      shell: bash
+      run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+      id: extract_branch
+    - name: Analyze with NextGen Static Analysis
+      run: .\sl analyze --strict --app shiftleft-csharp-demo --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --csharp --dotnet --cpg netcoreWebapi/netcoreWebapi.csproj
+      env:
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+
+    - name: Create status check
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        URL: https://app.shiftleft.io/findingsSummary/shiftleft-csharp-demo?apps=shiftleft-csharp-demo&isApp=1
+      run: |
+        $params = @{
+            Uri         = "https://api.github.com/repos/$ENV:GITHUB_REPOSITORY/check-runs"
+            Headers     = @{
+              'Authorization' = "Bearer $ENV:GITHUB_TOKEN"
+              'Accept' = 'application/vnd.github.antiope-preview+json'
+            }
+            Method      = 'POST'
+            Body        = "{`"name`": `"ShiftLeft NextGen Static Analysis`", `"head_sha`": `"$ENV:GITHUB_REF`", `"external_id`": `"shiftleft-csharp-demo`", `"details_url`": `"$ENV:URL`", `"status`": `"completed`", `"conclusion`": `"action_required`", `"output`": {`"title`": `"ShiftLeft NextGen Static Analysis Findings`", `"summary`": `"Visit $ENV:URL for the findings`"}}"
+            ContentType = 'application/json'
+        }
+        Invoke-RestMethod @params
+
+  Build-Rules: 
+    runs-on: windows-latest
+    needs: NextGen-Static-Analysis
+    steps:
+    - uses: actions/checkout@v2
+    - name: Download ShiftLeft CLI
+      run: |
+        Invoke-WebRequest -Uri 'https://cdn.shiftleft.io/download/sl-latest-windows-x64.zip' -OutFile sl.zip
+        Expand-Archive -Path sl.zip -DestinationPath .
+    - name: Validate Build Rules
+      run: |
+        .\sl check-analysis --app shiftleft-csharp-demo `
+        --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" `
+        --report `
+        --github-pr-number=${{github.event.number}} `
+        --github-pr-user=${{ github.repository_owner }} `
+        --github-pr-repo=${{ github.event.repository.name }} `
+        --github-token=${{ secrets.GITHUB_TOKEN }}
+      env:
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+

README.md

@@ -1,4 +1,4 @@
-# ShiftLeft C# Demo
+# ShiftLeft C# Demo - Chuck B.
 This repository contains a vulnerable .NET application that is used in automated demos on shiftleft.io
 
 It is derived from: https://github.com/ShiftLeftSecurity/shiftleft-csharp-example

netcoreWebapi/Controllers/CustomersController.cs

@@ -96,8 +96,16 @@ public JsonResult Get(string sql)
         {
             const string connection = @"Data Source=MyData;Initial Catalog=Product;Trusted_Connection=true";
             var conn = new SqlConnection(connection);
-            string query = "INSERT INTO customers " + sql;
+            // ************************************************** Vulnerable Code Block 
+            string query = "INSERT INTO customers" + sql;
             var command = new SqlCommand(query, conn);
+
+            // **************************************************
+            // ************************************************** Remediated Code Block
+            //string query = "INSERT INTO customers @sql";
+            //var command = new SqlCommand(query, conn);
+            //command.Parameters.AddWithValue("@slq", sql);
+            // ****************************************************
             int result = command.ExecuteNonQuery();
             return Json(string.Format("Result: {0}", result));
         }

shiftleft.yml

@@ -0,0 +1,12 @@
+build_rules:
+  - id: allow-zero-findings
+    finding_types:
+      - vuln
+      - secret
+#      - insight
+#      - "*"
+    severity:
+      - SEVERITY_MEDIUM_IMPACT
+      - SEVERITY_HIGH_IMPACT
+      - SEVERITY_LOW_IMPACT
+    threshold: 0