From 195c42d1e6bbd5c643cbb678f5dc8480d41abd5a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=AA=20M=E1=BA=A1nh=20H=C3=B9ng?= <36054622+lemanhhung0943437948@users.noreply.github.com>
Date: Fri, 11 Sep 2020 02:00:48 +0700
Subject: [PATCH 1/4] Update SECURITY.md
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
ok đc r
---
 SECURITY.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/SECURITY.md b/SECURITY.md
index 8ef229d..162ba18 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -7,8 +7,8 @@ currently being supported with security updates.
 | Version | Supported |
 | ------- | ------------------ |
-| 5.1.x | :white_check_mark: |
-| 4.1.x | :white_check_mark: |
+| 5.0.x | :white_check_mark: |
+| 4.0.x | :white_check_mark: |
 ## Reporting a Vulnerability
From df7fffb4dc6de2917d7c24f862f09568ce15ed44 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=AA=20M=E1=BA=A1nh=20H=C3=B9ng?= <36054622+lemanhhung0943437948@users.noreply.github.com>
Date: Fri, 11 Sep 2020 02:03:24 +0700
Subject: [PATCH 2/4] Create codeql-analysis.yml
---
 .github/workflows/codeql-analysis.yml | 62 +++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 .github/workflows/codeql-analysis.yml
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 0000000..502880f
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,62 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [master]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [master]
+ schedule:
+ - cron: '0 10 * * 1'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: false
+ matrix:
+ # Override automatic language detection by changing the below list
+ # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
+ language: ['javascript']
+ # Learn more...
+ # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+ with:
+ # We must fetch at least the immediate parents so that if this is
+ # a pull request then we can checkout the head.
+ fetch-depth: 2
+
+ # If this run was triggered by a pull request event, then checkout
+ # the head of the pull request instead of the merge commit.
+ - run: git checkout HEAD^2
+ if: ${{ github.event_name == 'pull_request' }}
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v1
+ with:
+ languages: ${{ matrix.language }}
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+ # If this step fails, then you should remove it and run the build manually (see below)
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v1
+
+ # â„šī¸ Command-line programs to run using the OS shell.
+ # 📚 https://git.io/JvXDl
+
+ # âœī¸ If the Autobuild fails above, remove it and uncomment the following three lines
+ # and modify them (or add more) to build your code if your project
+ # uses a compiled language
+
+ #- run: |
+ # make bootstrap
+ # make release
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v1
From 462e8f0a1860d940163dabb9d294a01137a66229 Mon Sep 17 00:00:00 2001
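Review bot: Every `uses:` in this workflow points at a mutable tag (`actions/checkout@v2`, `github/codeql-action/init@v1`, `github/codeql-action/autobuild@v1`, `github/codeql-action/analyze@v1`), so the code that executes in the `analyze` job can change without any commit to this repository; pin each one to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v2`. The job also declares no `permissions:` block, so it runs with whatever default `GITHUB_TOKEN` scope the repository grants, while uploading CodeQL results needs only `security-events: write` and the checkout `contents: read` (plus `actions: read` on private repositories); a job-level `permissions:` listing just those keys keeps the token at least privilege. The `# â„šī¸` and `# âœī¸` comment lines look like mojibake of the template's emoji; if that is how the file is stored rather than a rendering artifact of this page, re-save it as UTF-8 so the intended text survives.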
From: =?UTF-8?q?L=C3=AA=20M=E1=BA=A1nh=20H=C3=B9ng?= <36054622+lemanhhung0943437948@users.noreply.github.com>
Date: Thu, 24 Sep 2020 02:00:01 +0000
Subject: [PATCH 3/4] Create shiftleft-analysis.yml
---
 .github/workflows/shiftleft-analysis.yml | 36 ++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 .github/workflows/shiftleft-analysis.yml
diff --git a/.github/workflows/shiftleft-analysis.yml b/.github/workflows/shiftleft-analysis.yml
new file mode 100644
index 0000000..5a97689
--- /dev/null
+++ b/.github/workflows/shiftleft-analysis.yml
@@ -0,0 +1,36 @@
+# This workflow integrates Scan with GitHub's code scanning feature
+# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft
+# Visit https://slscan.io/en/latest/integrations/code-scan for help
+name: SL Scan
+
+# This section configures the trigger for the workflow. Feel free to customize depending on your convention
+on: push
+
+jobs:
+ Scan-Build:
+ # Scan runs on ubuntu, mac and windows
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v1
+ # Instructions
+ # 1. Setup JDK, Node.js, Python etc depending on your project type
+ # 2. Compile or build the project before invoking scan
+ # Example: mvn compile, or npm install or pip install goes here
+ # 3. Invoke Scan with the github token. Leave the workspace empty to use relative url
+
+ - name: Perform Scan
+ uses: ShiftLeftSecurity/scan-action@master
+ env:
+ WORKSPACE: ""
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ SCAN_AUTO_BUILD: true
+ with:
+ output: reports
+ # Scan auto-detects the languages in your project. To override uncomment the below variable and set the type
+ # type: credscan,java
+ # type: python
+
+ - name: Upload report
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: reports
From 8ad843e7b14b2cd652a1fe67d2cb98345e309cb1 Mon Sep 17 00:00:00 2001
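Review bot: `uses: ShiftLeftSecurity/scan-action@master` runs whatever is currently on a third-party branch, and the step hands it `${{ secrets.GITHUB_TOKEN }}` through `env:`, so any change pushed to that branch executes with the token on every `push` to this repository; pin it to a commit SHA (`uses: ShiftLeftSecurity/scan-action@<commit-sha>  # <tag>`) and pin `actions/checkout@v1` the same way. No `permissions:` block is declared, so that token carries the repository default scope instead of the `contents: read` and `security-events: write` that the checkout and `upload-sarif` steps actually need. `SCAN_AUTO_BUILD: true` is a YAML boolean inside an `env:` map; writing it as `SCAN_AUTO_BUILD: "true"` makes the string the runner exports explicit. PATCH 4/4 in this series deletes the file again, so these points apply only if the workflow is reintroduced.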
From: =?UTF-8?q?L=C3=AA=20M=E1=BA=A1nh=20H=C3=B9ng?= <36054622+lemanhhung0943437948@users.noreply.github.com>
Date: Thu, 24 Sep 2020 02:00:19 +0000
Subject: [PATCH 4/4] Revert "Create shiftleft-analysis.yml"
---
 .github/workflows/shiftleft-analysis.yml | 36 ------------------------
 1 file changed, 36 deletions(-)
 delete mode 100644 .github/workflows/shiftleft-analysis.yml
diff --git a/.github/workflows/shiftleft-analysis.yml b/.github/workflows/shiftleft-analysis.yml
deleted file mode 100644
index 5a97689..0000000
--- a/.github/workflows/shiftleft-analysis.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-# This workflow integrates Scan with GitHub's code scanning feature
-# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft
-# Visit https://slscan.io/en/latest/integrations/code-scan for help
-name: SL Scan
-
-# This section configures the trigger for the workflow. Feel free to customize depending on your convention
-on: push
-
-jobs:
- Scan-Build:
- # Scan runs on ubuntu, mac and windows
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v1
- # Instructions
- # 1. Setup JDK, Node.js, Python etc depending on your project type
- # 2. Compile or build the project before invoking scan
- # Example: mvn compile, or npm install or pip install goes here
- # 3. Invoke Scan with the github token. Leave the workspace empty to use relative url
-
- - name: Perform Scan
- uses: ShiftLeftSecurity/scan-action@master
- env:
- WORKSPACE: ""
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- SCAN_AUTO_BUILD: true
- with:
- output: reports
- # Scan auto-detects the languages in your project. To override uncomment the below variable and set the type
- # type: credscan,java
- # type: python
-
- - name: Upload report
- uses: github/codeql-action/upload-sarif@v1
- with:
- sarif_file: reports