ww

.github/workflows/main.yml

@@ -0,0 +1,51 @@
+name: Snyk CLI Scanss
+
+on:
+  push:
+    branches: [ main ]
+  # pull_request:
+  #  branches: [ main ]
+  #
+
+jobs:
+  snyk-pipeline:
+    runs-on: ubuntu-latest
+    name: Snyk CLI Scans
+    env:
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+    steps:      
+      - uses: actions/checkout@v2
+      - name: Download Snyk
+        run: |
+          wget -O snyk https://static.snyk.io/cli/latest/snyk-linux
+          chmod +x ./snyk
+          mv ./snyk /usr/local/bin/
+
+      - name: Authenticate Snyk
+        run: snyk auth ${SNYK_TOKEN}
+
+      - name: Run Snyk Code
+        run: snyk code test --sarif-file-output=snyk_sast_results.json    
+        continue-on-error: true
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: snyk_sast_results.json
+
+      - name: Use the Upload Artifact GitHub Action
+        uses: actions/upload-artifact@v3
+        with:
+          name: snyk_sast_results_json
+          path: snyk_sast_results.json            
+
+      - name: Install packages
+        run: mvn install
+
+      - name: Run Snyk Test
+        run: snyk test --all-projects
+        continue-on-error: true
+
+      - name: Run Snyk Monitor
+        run: snyk monitor --all-projects
+        continue-on-error: true

.github/workflows/snyk-GHA-sharedaction-java-goof.yml

@@ -0,0 +1,15 @@
+name: Snyk Scan (External Shared Action)
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  monitor:
+    uses: mimidas-snyk/snyk-shared-action/.github/workflows/snyk-node-shared-action.yml@main
+    with:
+      SNYK_ORG: dc9e71be-cc1d-4b7a-87bf-6640adf930ee
+    secrets:
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

README.md

@@ -6,4 +6,4 @@ It's divided into modules, each one having its own README:
 
 * [Todolist Goof](todolist-goof/README.md)
 * [Log4Shell Goof](log4shell-goof/README.md)
-* [Quickstart for running both Todolist with Log4Shell in Kubernetes](README-K8S.md)
+* [Quickstart for running both Todolist with Log4Shell in Kubernetes](README-K8S.md)

todolist-goof/Dockerfile

@@ -10,7 +10,7 @@ COPY todolist-web-common todolist-web-common
 COPY todolist-web-struts todolist-web-struts
 RUN --mount=target=$HOME/.m2,type=cache mvn install
 
-FROM tomcat:8.5.21
+FROM tomcat:9.0.95-jdk8-corretto-al2
 
 RUN mkdir /tmp/extracted_files
 COPY web.xml /usr/local/tomcat/conf/web.xml

todolist-goof/todolist-web-struts/pom.xml

@@ -27,7 +27,7 @@
         <dependency>
             <groupId>org.apache.logging.log4j</groupId>
             <artifactId>log4j-core</artifactId>
-            <version>2.7</version>
+            <version>2.12.2</version>
         </dependency>
         <dependency>
             <groupId>org.apache.logging.log4j</groupId>