feat: Implement DevSecOps demo page for GHAS features #73

CalinL · 2025-05-29T02:33:03Z

Add new DevSecOps.cshtml page with GHAS latest news and features
Implement ILogger for backend logging and security demonstrations
Add intentionally vulnerable code patterns for GHAS demo:
- Log forging vulnerabilities
- SQL injection patterns
- Regex DoS vulnerabilities
- Hard-coded credentials
Update package dependencies:
- System.Text.Json 8.0.4 (vulnerable version for demo)
- Microsoft.Data.SqlClient 5.0.2 (vulnerable version for demo)
- Newtonsoft.Json 12.0.2 (vulnerable version for demo)
Add navigation menu link to DevSecOps demo page
Update Index page with links to new DevSecOps features
Build verified without compilation errors

Implements issue #72 - DevSecOps demo for GitHub Advanced Security

- Add new DevSecOps.cshtml page with GHAS latest news and features - Implement ILogger for backend logging and security demonstrations - Add intentionally vulnerable code patterns for GHAS demo: * Log forging vulnerabilities * SQL injection patterns * Regex DoS vulnerabilities * Hard-coded credentials - Update package dependencies: * System.Text.Json 8.0.4 (vulnerable version for demo) * Microsoft.Data.SqlClient 5.0.2 (vulnerable version for demo) * Newtonsoft.Json 12.0.2 (vulnerable version for demo) - Add navigation menu link to DevSecOps demo page - Update Index page with links to new DevSecOps features - Build verified without compilation errors Implements issue #72 - DevSecOps demo for GitHub Advanced Security

github-actions · 2025-05-29T02:33:14Z

Dependency Review

The following issues were found:

❌ 3 vulnerable package(s)
✅ 0 package(s) with incompatible licenses
✅ 0 package(s) with invalid SPDX license definitions
✅ 0 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA d256bd3.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Vulnerabilities

src/webapp01/webapp01.csproj

Name	Version	Vulnerability	Severity
Microsoft.Data.SqlClient	5.0.2	Microsoft.Data.SqlClient and System.Data.SqlClient vulnerable to SQL Data Provider Security Feature Bypass	high
Newtonsoft.Json	12.0.2	Improper Handling of Exceptional Conditions in Newtonsoft.Json	high
System.Text.Json	8.0.4	Microsoft Security Advisory CVE-2024-43485 \| .NET Denial of Service Vulnerability	high

Only included vulnerabilities with severity moderate or higher.

OpenSSF Scorecard

Package

Version

Score

Details

nuget/Microsoft.Data.SqlClient

5.0.2

🟢 6.7

Details

Check	Score	Reason
Token-Permissions	⚠️ -1	No tokens found
Packaging	⚠️ -1	packaging workflow not detected
Maintained	🟢 10	30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 9	Found 27/30 approved changesets -- score normalized to 9
Dangerous-Workflow	⚠️ -1	no workflows found
Security-Policy	🟢 10	security policy file detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Branch-Protection	⚠️ -1	internal error: error during GetBranch(release/5.2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	🟢 10	all dependencies are pinned
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

nuget/Newtonsoft.Json

12.0.2

🟢 4.7

Details

Check	Score	Reason
Code-Review	🟢 3	Found 10/30 approved changesets -- score normalized to 3
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	🟢 9	detected GitHub workflow tokens with excessive permissions
Maintained	⚠️ 1	2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Packaging	⚠️ -1	packaging workflow not detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	⚠️ 0	security policy file not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Fuzzing	⚠️ 0	project is not fuzzed
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
License	🟢 10	license file detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
SAST	🟢 7	SAST tool detected but not run on all commits

nuget/System.Text.Json

8.0.4

🟢 5.4

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 24 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 10	all changesets reviewed
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Packaging	⚠️ -1	packaging workflow not detected
Security-Policy	🟢 10	security policy file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Branch-Protection	🟢 5	branch protection is not maximal on development and all release branches
Fuzzing	⚠️ 0	project is not fuzzed
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	🟢 8	2 existing vulnerabilities detected
Binary-Artifacts	⚠️ 0	binaries present in source code
Pinned-Dependencies	⚠️ 2	dependency not pinned by hash detected -- score normalized to 2

Scanned Files

src/webapp01/webapp01.csproj

github-actions · 2025-05-29T02:33:15Z

Dependency Review

The following issues were found:

❌ 3 vulnerable package(s)
✅ 0 package(s) with incompatible licenses
✅ 0 package(s) with invalid SPDX license definitions
✅ 0 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA d256bd3.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Vulnerabilities

src/webapp01/webapp01.csproj

Name	Version	Vulnerability	Severity
Microsoft.Data.SqlClient	5.0.2	Microsoft.Data.SqlClient and System.Data.SqlClient vulnerable to SQL Data Provider Security Feature Bypass	high
Newtonsoft.Json	12.0.2	Improper Handling of Exceptional Conditions in Newtonsoft.Json	high
System.Text.Json	8.0.4	Microsoft Security Advisory CVE-2024-43485 \| .NET Denial of Service Vulnerability	high

Only included vulnerabilities with severity moderate or higher.

OpenSSF Scorecard

Package

Version

Score

Details

nuget/Microsoft.Data.SqlClient

5.0.2

🟢 6.7

Details

Check	Score	Reason
Token-Permissions	⚠️ -1	No tokens found
Packaging	⚠️ -1	packaging workflow not detected
Maintained	🟢 10	30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 9	Found 27/30 approved changesets -- score normalized to 9
Dangerous-Workflow	⚠️ -1	no workflows found
Security-Policy	🟢 10	security policy file detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Branch-Protection	⚠️ -1	internal error: error during GetBranch(release/5.2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	🟢 10	all dependencies are pinned
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

nuget/Newtonsoft.Json

12.0.2

🟢 4.7

Details

Check	Score	Reason
Code-Review	🟢 3	Found 10/30 approved changesets -- score normalized to 3
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	🟢 9	detected GitHub workflow tokens with excessive permissions
Maintained	⚠️ 1	2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Packaging	⚠️ -1	packaging workflow not detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	⚠️ 0	security policy file not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Fuzzing	⚠️ 0	project is not fuzzed
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
License	🟢 10	license file detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
SAST	🟢 7	SAST tool detected but not run on all commits

nuget/System.Text.Json

8.0.4

🟢 5.4

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 24 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 10	all changesets reviewed
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Packaging	⚠️ -1	packaging workflow not detected
Security-Policy	🟢 10	security policy file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Branch-Protection	🟢 5	branch protection is not maximal on development and all release branches
Fuzzing	⚠️ 0	project is not fuzzed
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	🟢 8	2 existing vulnerabilities detected
Binary-Artifacts	⚠️ 0	binaries present in source code
Pinned-Dependencies	⚠️ 2	dependency not pinned by hash detected -- score normalized to 2

Scanned Files

src/webapp01/webapp01.csproj

src/webapp01/Pages/DevSecOps.cshtml.cs

+
+            // Insecure: Log user data without sanitization for demo purposes
+            string userAgent = Request.Headers["User-Agent"].ToString();
+            _logger.LogInformation("User accessed DevSecOps page with User-Agent: " + userAgent);


To fix the issue, the user-provided User-Agent header should be sanitized before being logged. Since the logs are likely stored as plain text, newline characters should be removed from the User-Agent string to prevent log forging. This can be achieved using String.Replace to replace newline characters (\n and \r) with an empty string. Additionally, the input should be clearly marked in the log entry to avoid confusion.

Changes will be made to line 36 in the OnGet method to sanitize the userAgent value before logging it.

src/webapp01/Pages/DevSecOps.cshtml.cs

+                catch (Exception ex)
+                {
+                    _logger.LogError("Database error: " + ex.Message);
+                }


To fix the problem, replace the generic catch clause catch (Exception ex) with specific exception types that are relevant to the database operation. For SQL-related errors, the SqlException class should be caught. If additional exceptions need to be handled, they can be added as separate catch blocks. This approach ensures that only relevant exceptions are caught, improving error diagnosis and handling.

Steps to implement the fix:

Replace the generic catch (Exception ex) block with a specific catch (SqlException ex) block.

Optionally, add additional catch blocks for other specific exceptions if necessary.

Ensure that the logging remains intact to provide diagnostic information.

github-advanced-security bot found potential problems May 29, 2025

View reviewed changes

@@ -35,3 +35,4 @@
                         string userAgent = Request.Headers["User-Agent"].ToString();
-                        _logger.LogInformation("User accessed DevSecOps page with User-Agent: " + userAgent);
+                        string sanitizedUserAgent = userAgent.Replace("\n", "").Replace("\r", "");
+                        _logger.LogInformation("User accessed DevSecOps page with sanitized User-Agent: " + sanitizedUserAgent);
                     }

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat: Implement DevSecOps demo page for GHAS features #73

feat: Implement DevSecOps demo page for GHAS features #73

Uh oh!

CalinL commented May 29, 2025

Uh oh!

github-actions bot commented May 29, 2025

Uh oh!

github-actions bot commented May 29, 2025

Uh oh!

Check failure

Copilot Autofix

Check notice

Copilot Autofix

Uh oh!

@@ -54,5 +54,5 @@
                             }
-                            catch (Exception ex)
+                            catch (SqlException ex)
                             {
-                                _logger.LogError("Database error: " + ex.Message);
+                                _logger.LogError("SQL error: " + ex.Message);
                             }

feat: Implement DevSecOps demo page for GHAS features #73

Are you sure you want to change the base?

feat: Implement DevSecOps demo page for GHAS features #73

Uh oh!

Conversation

CalinL commented May 29, 2025

Uh oh!

github-actions bot commented May 29, 2025

Dependency Review

Snapshot Warnings

Vulnerabilities

src/webapp01/webapp01.csproj

OpenSSF Scorecard

Scanned Files

Uh oh!

github-actions bot commented May 29, 2025

Dependency Review

Snapshot Warnings

Vulnerabilities

src/webapp01/webapp01.csproj

OpenSSF Scorecard

Scanned Files

Uh oh!

Check failure

Uh oh!

Copilot Autofix

Check notice

Copilot Autofix

Uh oh!