Pom update (#1290)

* asciidoctorj update

* pom and suppression updates
René Zubcevic 2022-07-11 13:28:44 +02:00 committed by GitHub
parent e4eb5d783a
commit f8b7ca5c85
4 changed files with 76 additions and 51 deletions


@ -1,42 +1,77 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"> <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress base="true"> <suppress>
<notes><![CDATA[ <notes><![CDATA[
This suppresses false positives identified on spring framework. This suppresses all CVE entries that have a score below CVSS 7.
]]></notes> ]]></notes>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe> <cvssBelow>7</cvssBelow>
<cve>CVE-2020-5398</cve>
</suppress> </suppress>
<suppress base="true"> <suppress>
<notes><![CDATA[ <notes><![CDATA[
This suppresses false positives identified on spring framework. file name: spring-tx-5.3.21.jar
]]></notes> ]]></notes>
<cpe>cpe:/a:redhat:undertow</cpe> <sha1>13f4f564024d2f85502c151942307c3ca851a4f7</sha1>
<cve>CVE-2019-14888</cve> <cve>CVE-2016-1000027</cve>
</suppress> </suppress>
<suppress base="true"> <suppress>
<notes><![CDATA[ <notes><![CDATA[
This suppresses false positives identified on spring framework. file name: spring-core-5.3.21.jar
]]></notes> ]]></notes>
<cpe>cpe:/a:pivotal_software:spring_security</cpe> <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
<cve>CVE-2018-1258</cve> <cve>CVE-2016-1000027</cve>
</suppress> </suppress>
<suppress base="true"> <suppress>
<notes><![CDATA[
file name: spring-aop-5.3.21.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring\-aop@.*$</packageUrl>
<cve>CVE-2016-1000027</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-boot-starter-security-2.7.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring\-boot\-starter\-security@.*$</packageUrl>
<cve>CVE-2022-22978</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: jruby-stdlib-9.2.20.1.jar: jopenssl.jar (shaded: rubygems:jruby-openssl:0.11.0)
]]></notes>
<packageUrl regex="true">^pkg:maven/rubygems/jruby\-openssl@.*$</packageUrl>
<cpe>cpe:/a:jruby:jruby</cpe> <cpe>cpe:/a:jruby:jruby</cpe>
<cve>CVE-2018-1000613</cve> <cpe>cpe:/a:openssl:openssl</cpe>
<cve>CVE-2018-1000180</cve> </suppress>
<cve>CVE-2017-18640</cve> <suppress>
<cve>CVE-2011-4838</cve> <notes><![CDATA[
</suppress> file name: xstream-1.4.5.jar
<suppress base="true"><!-- vulnerable components lesson --> ]]></notes>
<packageUrl regex="true">^pkg:maven/com\.thoughtworks\.xstream/xstream@.*$</packageUrl>
<cpe>cpe:/a:xstream_project:xstream</cpe> <cpe>cpe:/a:xstream_project:xstream</cpe>
<cve>CVE-2017-7957</cve> <vulnerabilityName>CVE-2013-7285</vulnerabilityName>
<cve>CVE-2016-3674</cve> <vulnerabilityName>CVE-2016-3674</vulnerabilityName>
<cve>CVE-2020-26217</cve> <vulnerabilityName>CVE-2017-7957</vulnerabilityName>
<cve>CVE-2020-26258</cve> <vulnerabilityName>CVE-2020-26217</vulnerabilityName>
</suppress> <vulnerabilityName>CVE-2020-26258</vulnerabilityName>
<suppress base="true"><!-- webgoat-server --> <vulnerabilityName>CVE-2020-26259</vulnerabilityName>
<cpe>cpe:/a:postgresql:postgresql</cpe> <vulnerabilityName>CVE-2021-21341</vulnerabilityName>
<cve>CVE-2018-10936</cve> <vulnerabilityName>CVE-2021-21342</vulnerabilityName>
</suppress> <vulnerabilityName>CVE-2021-21343</vulnerabilityName>
<vulnerabilityName>CVE-2021-21344</vulnerabilityName>
<vulnerabilityName>CVE-2021-21345</vulnerabilityName>
<vulnerabilityName>CVE-2021-21346</vulnerabilityName>
<vulnerabilityName>CVE-2021-21347</vulnerabilityName>
<vulnerabilityName>CVE-2021-21348</vulnerabilityName>
<vulnerabilityName>CVE-2021-21349</vulnerabilityName>
<vulnerabilityName>CVE-2021-21350</vulnerabilityName>
<vulnerabilityName>CVE-2021-21351</vulnerabilityName>
<vulnerabilityName>CVE-2021-43859</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-jcl-5.3.21.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring\-.*@.*$</packageUrl>
<cve>CVE-2016-1000027</cve>
</suppress>
</suppressions> </suppressions>
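Review bot: The last suppression (L87–L93) pairs CVE-2016-1000027 with `^pkg:maven/org\.springframework/spring\-.*@.*$`, which matches every org.springframework artifact at any version, so the narrower spring-core and spring-aop entries above it are redundant and the finding stays hidden on any future spring jar, not only the spring-jcl-5.3.21.jar the note names. Narrowing the pattern to `^pkg:maven/org\.springframework/spring\-jcl@.*$`, or giving the entry an expiry such as `<suppress until="YYYY-MM-DDZ">` (placeholder date), keeps the suppression reviewable after the next Spring upgrade. Likewise the jruby-openssl entry now carries `<cpe>cpe:/a:openssl:openssl</cpe>` with no `<cve>` or `<vulnerabilityName>`, which silences every current and future OpenSSL finding matched against that jar rather than one known false positive. The notes on the new entries record only file names, so the reason each finding is a false positive (the old file at least said `vulnerable components lesson` for xstream) is no longer documented.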

13
pom.xml

@ -119,7 +119,7 @@
<webwolf.port>9090</webwolf.port> <webwolf.port>9090</webwolf.port>
<!-- Shared properties with plugins and version numbers across submodules--> <!-- Shared properties with plugins and version numbers across submodules-->
<asciidoctorj.version>2.5.2</asciidoctorj.version> <asciidoctorj.version>2.5.3</asciidoctorj.version>
<bootstrap.version>3.3.7</bootstrap.version> <bootstrap.version>3.3.7</bootstrap.version>
<cglib.version>2.2</cglib.version> <!-- do not update necessary for lesson --> <cglib.version>2.2</cglib.version> <!-- do not update necessary for lesson -->
<checkstyle.version>3.1.2</checkstyle.version> <checkstyle.version>3.1.2</checkstyle.version>
@ -337,8 +337,8 @@
<version>6.5.1</version> <version>6.5.1</version>
<configuration> <configuration>
<failBuildOnCVSS>7</failBuildOnCVSS> <failBuildOnCVSS>7</failBuildOnCVSS>
<skipProvidedScope>true</skipProvidedScope> <skipProvidedScope>false</skipProvidedScope>
<skipRuntimeScope>true</skipRuntimeScope> <skipRuntimeScope>false</skipRuntimeScope>
<suppressionFiles> <suppressionFiles>
<!--suppress UnresolvedMavenProperty --> <!--suppress UnresolvedMavenProperty -->
<suppressionFile> <suppressionFile>
@ -536,14 +536,7 @@
<groupId>org.asciidoctor</groupId> <groupId>org.asciidoctor</groupId>
<artifactId>asciidoctorj</artifactId> <artifactId>asciidoctorj</artifactId>
</dependency> </dependency>
<dependency>
<groupId>org.jruby</groupId>
<artifactId>jruby-complete</artifactId>
</dependency>
</requiresUnpack> </requiresUnpack>
<jvmArguments>
<!-- -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000-->
</jvmArguments>
</configuration> </configuration>
</plugin> </plugin>
<plugin> <plugin>


@ -41,15 +41,15 @@ import java.sql.*;
public class SqlInjectionLesson6a extends AssignmentEndpoint { public class SqlInjectionLesson6a extends AssignmentEndpoint {
private final LessonDataSource dataSource; private final LessonDataSource dataSource;
private static final String YOUR_QUERY_WAS = "<br> Your query was: ";
public SqlInjectionLesson6a(LessonDataSource dataSource) { public SqlInjectionLesson6a(LessonDataSource dataSource) {
this.dataSource = dataSource; this.dataSource = dataSource;
} }
@PostMapping("/SqlInjectionAdvanced/attack6a") @PostMapping("/SqlInjectionAdvanced/attack6a")
@ResponseBody @ResponseBody
public AttackResult completed(@RequestParam String userid_6a) { public AttackResult completed(@RequestParam(value="userid_6a") String userId) {
return injectableQuery(userid_6a); return injectableQuery(userId);
// The answer: Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data -- // The answer: Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data --
} }
@ -66,7 +66,7 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
ResultSet.CONCUR_READ_ONLY)) { ResultSet.CONCUR_READ_ONLY)) {
ResultSet results = statement.executeQuery(query); ResultSet results = statement.executeQuery(query);
if ((results != null) && (results.first())) { if ((results != null) && results.first()) {
ResultSetMetaData resultsMetaData = results.getMetaData(); ResultSetMetaData resultsMetaData = results.getMetaData();
StringBuilder output = new StringBuilder(); StringBuilder output = new StringBuilder();
@ -83,17 +83,16 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
output.append(appendingWhenSucceded); output.append(appendingWhenSucceded);
return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build(); return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();
} else { } else {
return failed(this).output(output.toString() + "<br> Your query was: " + query).build(); return failed(this).output(output.toString() + YOUR_QUERY_WAS + query).build();
} }
} else { } else {
return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build(); return failed(this).feedback("sql-injection.advanced.6a.no.results").output(YOUR_QUERY_WAS + query).build();
} }
} catch (SQLException sqle) { } catch (SQLException sqle) {
return failed(this).output(sqle.getMessage() + "<br> Your query was: " + query).build(); return failed(this).output(sqle.getMessage() + YOUR_QUERY_WAS + query).build();
} }
} catch (Exception e) { } catch (Exception e) {
e.printStackTrace(); return failed(this).output(this.getClass().getName() + " : " + e.getMessage() + YOUR_QUERY_WAS + query).build();
return failed(this).output(this.getClass().getName() + " : " + e.getMessage() + "<br> Your query was: " + query).build();
} }
} }
} }
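Review bot: Dropping `e.printStackTrace()` from the final `catch (Exception e)` (L166) leaves that branch with no server-side record of the failure; the response still carries `e.getMessage()`, but the stack trace is now lost entirely. If the class has a logger (not visible in this hunk), `log.error("Unexpected error in injectableQuery", e);` in its place keeps the diagnostic without reintroducing stdout printing. The success branch at L155 still inlines `" Your query was: "` while the other three branches now use `YOUR_QUERY_WAS`; since the constant prepends `<br>`, this is either intentional and worth a one-line comment, or the last literal left to fold in. The enclosing method begins before the second hunk, so the construction of `query` and `statement` is outside this view.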


@ -23,9 +23,7 @@
package org.owasp.webgoat.lessons.sql_injection.introduction; package org.owasp.webgoat.lessons.sql_injection.introduction;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest; import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
import org.springframework.test.context.junit.jupiter.SpringExtension;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.containsString;