They have been part of the repository since 2017; they have never been updated and probably don't work anymore.
It is old and never used; we only update versions in this file.
They are old and might work, but we now have the all-in-one image, which we actively maintain and release.
Part of the Travis build we used to have; no longer needed as we moved to GitHub Actions.
Spring cleanup to make it a bit easier for users: only offer two options, Docker and the stand-alone version.
…') { def mvn = tool 'Default Maven'; withSonarQubeEnv() { sh "${mvn}/bin directory
Added 'Tester' to the README description.
Review Summary by Qodo
Upgrade WebGoat to Java 15 with dependency updates and cleanup of obsolete configurations
Walkthroughs
Description
• Update WebGoat to Java 15 with compiler and dependency upgrades
• Fix AsciiDoctor macro implementations to use updated API (ContentNode instead of AbstractBlock)
• Remove obsolete deployment configurations (Vagrant, docker-compose, platform quickstarts, scripts)
• Update GitHub Actions workflows and add SonarQube/ShiftLeft security scanning
• Correct typos and grammar in SQL injection lesson documentation
• Update Maven dependencies to latest compatible versions
File Changes
1. webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/OperatingSystemMacro.java
Code Review by Qodo
1. Hardcoded Personal Artifactory Server
| <distributionManagement> | ||
| <snapshotRepository> | ||
| <id>snapshots</id> | ||
| <name>Artifactory West-snapshots</name> | ||
| <url>http://35.236.103.251:8081/artifactory/hamid-maven-one-libs-snapshot-local</url> | ||
| </snapshotRepository> | ||
| </distributionManagement> |
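Review bot: the `<url>` in this `<snapshotRepository>` block is a plain-HTTP address at a bare public IP, so `mvn deploy` would send the credentials configured for server id `snapshots` in clear text to a host the project does not control; replace it with an `https://` URL on project-owned infrastructure, or drop the whole `<distributionManagement>` block if this POM is not meant to deploy snapshots, and keep credentials in `settings.xml` `<server>` entries rather than anywhere in the POM.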
1. Hardcoded personal artifactory server 🐞 Bug ⛨ Security
The pom.xml adds a distributionManagement block pointing to a hardcoded public IP (35.236.103.251) over plain HTTP. Any developer running mvn deploy will transmit Maven credentials unencrypted to this personal/test Artifactory instance, enabling credential interception and supply chain attacks.
Agent Prompt
## Issue description
The pom.xml contains a `<distributionManagement>` block pointing to a personal Artifactory server at a hardcoded public IP address over plain HTTP. This exposes Maven credentials to interception and routes artifacts to an unauthorized third-party server.
## Issue Context
The block was added at the bottom of pom.xml just before `</project>`. The URL `http://35.236.103.251:8081/artifactory/hamid-maven-one-libs-snapshot-local` uses HTTP (not HTTPS) and a hardcoded IP that appears to be a personal test instance.
## Fix Focus Areas
- pom.xml[296-302]
| branches: | ||
| - master # or the name of your main branch |
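Review bot: `branches:` here sits at job level, where GitHub Actions does not treat it as a trigger filter, so the workflow runs on every push to every branch; move it under the trigger so the block reads `on:` / `  push:` / `    branches: [ master ]`, and drop the `# or the name of your main branch` template comment once the real branch name is in place.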
2. Github actions branches filter misplaced 🐞 Bug ✓ Correctness
In .github/workflows/build.yml, the branches key is placed inside the job definition (same level as runs-on and steps) instead of under the on: trigger block. GitHub Actions silently ignores unknown job-level keys, so the workflow now triggers on every push to every branch with no restriction.
Agent Prompt
## Issue description
The `branches` filter is placed inside the job definition instead of under the `on:` trigger. GitHub Actions ignores it there, causing the workflow to fire on every push to every branch.
## Issue Context
The correct structure requires `branches` to be nested under `on.push`, not at the job level. The original workflow (before this PR) had a proper multi-OS, multi-JDK matrix build that was replaced with a trivial demo.
## Fix Focus Areas
- .github/workflows/build.yml[1-21]
| stages { | ||
| stage('Build') { | ||
| steps { | ||
| sh mvn package |
3. Jenkinsfile groovy syntax error 🐞 Bug ✓ Correctness
In jenkinsfile (lowercase), the Build stage uses sh mvn package without quoting the argument. In Jenkins declarative pipeline Groovy DSL, sh requires a String argument; package is a reserved Groovy keyword, causing a parse-level compilation failure that prevents the entire pipeline from loading.
Agent Prompt
## Issue description
The `sh` step in the Build stage of `jenkinsfile` is missing quotes around its argument, causing a Groovy parse error that prevents the pipeline from loading in Jenkins.
## Issue Context
`package` is a reserved Groovy keyword. Without quoting, `sh mvn package` is invalid Groovy syntax. The correct form is `sh 'mvn package'`.
## Fix Focus Areas
- jenkinsfile[7-7]
| - name: Download ShiftLeft CLI | ||
| run: | | ||
| curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl |
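Review bot: `curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl` fetches an unversioned binary and marks it executable with no integrity check; pin a specific release and verify its digest before the `chmod`, e.g. `echo "<expected-sha256>  ${GITHUB_WORKSPACE}/sl" | sha256sum -c -` with the expected value taken from the vendor's published checksum, and pass `-fsSL` to curl so a failed download does not leave an error page in `sl` that the later step then executes.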
4. Shiftleft cli downloaded without integrity check 🐞 Bug ⛨ Security
The ShiftLeft workflow downloads a binary from a CDN URL via curl and immediately marks it executable and runs it — with no checksum or signature verification. A compromised CDN or MITM attack would result in arbitrary code execution in the CI runner with access to SHIFTLEFT_ACCESS_TOKEN and GITHUB_TOKEN.
Agent Prompt
## Issue description
The ShiftLeft CLI binary is downloaded and executed without any integrity verification. A tampered binary would execute with access to CI secrets.
## Issue Context
The binary is downloaded at line 22 and executed at line 29 with `SHIFTLEFT_ACCESS_TOKEN` and `GITHUB_TOKEN` in the environment. A checksum verification step must be added between download and execution.
## Fix Focus Areas
- .github/workflows/main.yml[20-29]
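Added example, not code from this PR or from the WebGoat project: a POSIX shell step that pins a SHA-256 for a downloaded CLI and refuses to mark it executable unless the digest matches, exercised offline with a constructed stub standing in for the real `sl` download. `verify_and_install` and `demo` are names chosen here; in a real workflow the expected digest comes from the vendor's published checksum.

```shell
#!/bin/sh
# verify_and_install <downloaded-file> <expected-sha256> <install-path>
# Installs the file only if its SHA-256 matches the pinned value; on a
# mismatch the download is deleted and the function returns 1 so the CI
# step fails closed instead of executing an unverified binary.
verify_and_install() {
  file="$1"; expected="$2"; dest="$3"
  actual=$(sha256sum "$file" | cut -d' ' -f1)   # assumes coreutils sha256sum
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    rm -f "$file"
    return 1
  fi
  chmod a+rx "$file" && mv "$file" "$dest"
}

# Constructed offline demo: a stub script plays the role of the 'sl' download.
# Returns 0 when the good download is accepted and the tampered one rejected.
demo() {
  tmp=$(mktemp -d)
  printf '#!/bin/sh\necho sl-stub\n' > "$tmp/sl.download"
  pinned=$(sha256sum "$tmp/sl.download" | cut -d' ' -f1)   # the digest we "publish"
  # Happy path: digest matches, the binary is installed and runs.
  verify_and_install "$tmp/sl.download" "$pinned" "$tmp/sl" || return 1
  "$tmp/sl" | grep -q sl-stub || return 1
  # Tampered path: different payload checked against the same pinned digest.
  printf '#!/bin/sh\necho tampered\n' > "$tmp/sl.download"
  if verify_and_install "$tmp/sl.download" "$pinned" "$tmp/sl2"; then return 1; fi
  [ ! -e "$tmp/sl2" ] || return 1      # nothing was installed
  [ ! -e "$tmp/sl.download" ] || return 1   # the rejected download was removed
  rm -rf "$tmp"
  return 0
}

demo && echo "verify_and_install demo passed"
```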