Merge pull request #9 from ArturSnyk/sarif/checking_scanning_flow

ArturSnyk · web-flow · commit 94c93d7793a7 · 2021-07-18T18:52:45.000+03:00
Sarif/checking scanning flow
diff --git a/.github/scan.yml b/.github/scan.yml
@@ -0,0 +1,13 @@
+name: Testing security scan - using sarif
+on: [push]
+
+jobs:
+  build:
+    name: sarif testing action
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: sarif/results.sarif
diff --git a/.gitignore b/.gitignore
@@ -6,3 +6,4 @@ node_modules
 sass
 config.rb
 npm-debug.log
+.dccache
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,5 @@
-FROM node:6-stretch
+# FROM node:6-stretch
+FROM node:14.1.0
 
 RUN mkdir /usr/src/goof
 RUN mkdir /tmp/extracted_files
diff --git a/README.md b/README.md
@@ -45,7 +45,7 @@ npm run cleanup
 This app uses npm dependencies holding known vulnerabilities.
 
 Here are the exploitable vulnerable packages:
-- [Mongoose - Buffer Memory Exposure](https://snyk.io/vuln/npm:mongoose:20160116)
+- [Mongoose - Buffer Memory Exposure](https://snyk.io/vuln/npm:mongoose:20160116) - requires a version <= Node.js 8. For the exploit demo purposes, one can update the Dockerfile `node` base image to use `FROM node:6-stretch`.
 - [st - Directory Traversal](https://snyk.io/vuln/npm:st:20140206)
 - [ms - ReDoS](https://snyk.io/vuln/npm:ms:20151024)
 - [marked - XSS](https://snyk.io/vuln/npm:marked:20150520)
diff --git a/sarif/results.sarif b/sarif/results.sarif
