Day 9 : SAST Implementation with SonarCloud

Added Day 9, Day 10 and Day 11
Michael Cade 2023-01-09 17:26:17 +00:00 committed by GitHub
commit e70c9f3824
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
22 changed files with 234 additions and 0 deletions

View File

@ -0,0 +1,132 @@
# Day 9: SAST Implementation with SonarCloud
SonarCloud is a cloud-based platform that provides static code analysis to help developers find and fix code quality issues in their projects. It is designed to work with a variety of programming languages and tools, including Java, C#, JavaScript, and more.
SonarCloud offers a range of features to help developers improve the quality of their code, including:
- **Static code analysis**: SonarCloud analyzes the source code of a project and checks for issues such as coding style violations, potential bugs, security vulnerabilities, and other problems. It provides developers with a detailed report of the issues it finds, along with suggestions for how to fix them.
- **Code review**: SonarCloud integrates with code review tools like GitHub pull requests, allowing developers to receive feedback on their code from their peers before it is merged into the main branch. This helps to catch issues early on in the development process, reducing the risk of bugs and other issues making it into production.
- **Continuous integration**: SonarCloud can be integrated into a continuous integration (CI) pipeline, allowing it to automatically run static code analysis on every code commit. This helps developers catch issues early and fix them quickly, improving the overall quality of their codebase.
- **Collaboration**: SonarCloud includes tools for team collaboration, such as the ability to assign issues to specific team members and track the progress of code review and issue resolution.
- **Customization**: SonarCloud allows developers to customize the rules and configurations used for static code analysis, so they can tailor the analysis to fit the specific needs and coding standards of their team.
Overall, SonarCloud is a valuable tool for developers looking to improve the quality of their code and reduce the risk of issues making it into production. It helps teams collaborate and catch problems early on in the development process, leading to faster, more efficient development and fewer bugs in the final product.
Read more about SonarCloud [here](https://docs.sonarcloud.io/)
### Integrate SonarCloud with GitHub Actions
- Sign up for a [SonarCloud](https://sonarcloud.io/) account with your GitHub Account.
- From the dashboard, click on “Import an organization from GitHub”
![](images/day09-1.png)
- Authorise and install SonarCloud app to access your GitHub account.
![](images/day09-2.png)
- Select the repository (free tier supports only public repositories) you want to analyze and click "Install"
![](images/day09-3.png)
- In SonarCloud you can now create an organisation.
![](images/day09-4.png)
![](images/day09-5.png)
- Now click on “Analyze a new Project”
![](images/day09-6.png)
- Click on setup to add the Project.
![](images/day09-7.png)
- Now on the SonarCloud dashboard you can the project.
![](images/day09-8.png)
- To setup the GitHub Actions, click on the project, then on **Information** > **Last analysis method**
![](images/day09-9.png)
- Click on **GitHub Actions**
![](images/day09-10.png)
- This will show some steps to integrate SonarCloud with GitHub actions. At the top you will see SONAR_TOKEN, we will add that as Github Secrets later.
![](images/day09-11.png)
- Next thing you will see is the yaml file for the GitHub Workflow
![](images/day09-12.png)
- You will also see a configuration file that we will have to add in the source code repo
![](images/day09-13.png)
![](images/day09-14.png)
- At the bottom of page, disable the Automatic Analysis
![](images/day09-15.png)
- Now go the source code repo and add the following configuration `sonar-project.properties` in the root directory.
```yaml
sonar.projectKey=prateekjaindev_nodejs-todo-app-demo
sonar.organization=prateekjaindev
# This is the name and version displayed in the SonarCloud UI.
#sonar.projectName=nodejs-todo-app-demo
#sonar.projectVersion=1.0
# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
#sonar.sources=.
# Encoding of the source code. Default is default system encoding
#sonar.sourceEncoding=UTF-8
```
- Update or add the GitHub actions workflow with the following job in the `.github/workflows` directory
```yaml
name: SonarScan
on:
push:
branches:
- main
pull_request:
types: [opened, synchronize, reopened]
jobs:
sonarcloud:
name: SonarCloud
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: SonarCloud Scan
uses: SonarSource/sonarcloud-github-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```
- Now go to GitHub and add GitHub Secret named SOANR_TOKEN.
![](images/day09-16.png)
- As soon as you commit the changes, the workflow will trigger.
![](images/day09-17.png)
- Now after every commit, you can check the updated reports on the SonarCloud dashboard.
![](images/day09-18.png)
### Quality Gates
A quality gate is an indicator that tells you whether your code meets the minimum level of quality required for your project. It consists of a set of conditions that are applied to the results of each analysis. If the analysis results meet or exceed the quality gate conditions then it shows a **Passed** status otherwise, it shows a **Failed** status.
By default SonarCloud comes with a default quality gate “Sonar way”. You can edit or create new one in the Organisation Settings.
![](images/day09-19.png)
### Resources
- [SonarCloud Documentation](https://docs.sonarcloud.io/)
- [How to create Quality gates on SonarQube](https://www.youtube.com/watch?v=8_Xt9vchlpY)
- [Source Code of the repo I used for SAST implementation](https://github.com/prateekjaindev/nodejs-todo-app-demo)
In the next part [Day 10](day10.md), we will discuss Software Composition Analysis (SCA).
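Review bot: The secret name in the step "Now go to GitHub and add GitHub Secret named SOANR_TOKEN." does not match the `SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}` reference in the workflow above it; a reader who follows the text literally creates a secret the job never reads and the scan step runs with an empty token, so this should read SONAR_TOKEN. In the same hunk, the `sonar-project.properties` block is fenced as `yaml` although it is a Java properties file (`properties` is the fitting fence), and `uses: SonarSource/sonarcloud-github-action@master` together with `actions/checkout@v2` pins a security pipeline to a mutable branch, which is worth replacing with a tagged release or a commit SHA. The two YAML blocks also appear here with no indentation, so it is worth confirming that the committed file keeps the nesting under `on:`, `jobs:` and `steps:`, since a flat file will not parse. Finally, "Now on the SonarCloud dashboard you can the project." is missing a word ("you can see the project").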

View File

@ -0,0 +1,33 @@
# Day 10: Software Composition Analysis Overview
Software composition analysis (SCA) is a process that helps developers identify the open source libraries, frameworks, and components that are included in their software projects. SCA tools scan the codebase of a software project and provide a report that lists all the open source libraries, frameworks, and components that are being used. This report includes information about the licenses and vulnerabilities of these open source libraries and components, as well as any security risks that may be associated with them.
There are several benefits to using SCA tools in software development projects. These benefits include:
1. **Improved security**: By identifying the open source libraries and components that are being used in a project, developers can assess the security risks associated with these libraries and components. This allows them to take appropriate measures to fix any vulnerabilities and protect their software from potential attacks.
2. **Enhanced compliance**: SCA tools help developers ensure that they are using open source libraries and components that are compliant with the appropriate licenses. This is particularly important for companies that have strict compliance policies and need to ensure that they are not infringing on any third-party intellectual property rights.
3. **Improved efficiency**: SCA tools can help developers save time and effort by automating the process of identifying and tracking open source libraries and components. This allows developers to focus on more important tasks, such as building and testing their software.
4. **Reduced risk**: By using SCA tools, developers can identify and fix vulnerabilities in open source libraries and components before they become a problem. This helps to reduce the risk of security breaches and other issues that could damage the reputation of the software and the company.
5. **Enhanced quality**: By identifying and addressing any vulnerabilities in open source libraries and components, developers can improve the overall quality of their software. This leads to a better user experience and a higher level of customer satisfaction.
In addition to these benefits, SCA tools can also help developers to identify any potential legal issues that may arise from the use of open source libraries and components. For example, if a developer is using a library that is licensed under a copyleft license, they may be required to share any changes they make to the library with the community.
Despite these benefits, there are several challenges associated with SCA:
1. **Scale**: As the use of open source software has become more widespread, the number of components that need to be analyzed has grown exponentially. This can make it difficult for organizations to keep track of all the components they are using and to identify any potential issues.
2. **Complexity**: Many software applications are made up of a large number of components, some of which may have been added years ago and are no longer actively maintained. This can make it difficult to understand the full scope of an application and to identify any potential issues.
3. **False positives**: SCA tools can generate a large number of alerts, some of which may be false positives. This can be frustrating for developers who have to review and dismiss these alerts, and it can also lead to a lack of trust in the SCA tool itself.
4. **Lack of standardization**: There is no standard way to conduct SCA, and different tools and approaches can produce different results. This can make it difficult for organizations to compare the results of different SCA tools and to determine which one is best for their needs.
Overall, SCA tools provide a number of benefits to software developers and can help to improve the security, compliance, efficiency, risk management, and quality of software projects. By using these tools, developers can ensure that they are using open source libraries and components that are compliant with the appropriate licenses, free of vulnerabilities, and of high quality. This helps to protect the reputation of their software and the company, and leads to a better user experience.
### SCA Tools (Opensource or Free Tier)
- **[OWASP Dependncy Check](https://owasp.org/www-project-dependency-check/)**: Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a projects dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
- **[Snyk](https://snyk.io/product/open-source-security-management/)**: Snyk Open Source provides a developer-first SCA solution, helping developers find, prioritize, and fix security vulnerabilities and license issues in open source dependencies.
### Resources
- [Software Composition Analysis (SCA): What You Should Know](https://www.aquasec.com/cloud-native-academy/supply-chain-security/software-composition-analysis-sca/)
- [Software Composition Analysis 101: Knowing whats inside your apps - Magno Logan](https://www.youtube.com/watch?v=qyVDHH4T1oo)
In the next part [Day 11](day11.md), we will discuss Dependency Check and integrate it with GitHub Actions.
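Review bot: The link label `OWASP Dependncy Check` misspells the tool name, and "a projects dependencies" in the same bullet needs an apostrophe ("a project's dependencies"). The heading `SCA Tools (Opensource or Free Tier)` would normally read "Open Source or Free Tier". The rest of the hunk is prose only and reads fine.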

View File

@ -0,0 +1,69 @@
# Day 11: SCA Implementation with OWASP Dependency Check
### OWASP Dependency Check
OWASP Dependency Check is an open-source tool that checks project dependencies for known vulnerabilities. It can be used to identify dependencies with known vulnerabilities and determine if any of those vulnerabilities are exposed in the application.
The tool works by scanning the dependencies of a project and checking them against a database of known vulnerabilities. If a vulnerability is found, the tool will report the vulnerability along with the associated CVE (Common Vulnerabilities and Exposures) identifier, a standardized identifier for publicly known cybersecurity vulnerabilities.
To use OWASP Dependency Check, you will need to include it as a part of your build process. There are integrations available for a variety of build tools, including Maven, Gradle, and Ant. You can also use the command-line interface to scan your dependencies.
OWASP Dependency Check is particularly useful for identifying vulnerabilities in third-party libraries and frameworks that your application depends on. These types of dependencies can introduce vulnerabilities into your application if they are not properly managed. By regularly scanning your dependencies, you can ensure that you are aware of any vulnerabilities and take steps to address them.
It is important to note that OWASP Dependency Check is not a replacement for secure coding practices and should be used in conjunction with other security measures. It is also important to regularly update dependencies to ensure that you are using the most secure version available.
### Integrate Dependency Check with GitHub Actions
To use Dependency Check with GitHub Actions, you can create a workflow file in your repository's `.github/workflows` directory. Here is an example workflow that runs Dependency Check on every push to the `main` branch:
```yaml
name: Dependency-Check
on:
push:
branches:
- main
pull_request:
types: [opened, synchronize, reopened]
jobs:
dependency-check:
name: Dependency-Check
runs-on: ubuntu-latest
steps:
- name: Download OWASP Dependency Check
run: |
VERSION=$(curl -s https://jeremylong.github.io/DependencyCheck/current.txt)
curl -sL "https://github.com/jeremylong/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip" --output dependency-check.zip
unzip dependency-check.zip
- name: Run Dependency Check
run: |
./dependency-check/bin/dependency-check.sh --out report.html --scan .
rm -rf dependency-check*
- name: Upload Artifacts
uses: actions/upload-artifact@v2
with:
name: artifacts
path: report.html
```
This workflow does the following:
1. Defines a workflow called `Dependency-Check` that runs on every push to the `main` branch.
2. Specifies that the workflow should run on the `ubuntu-latest` runner.
3. Downloads and installs Dependency Check.
4. Runs Dependency Check on the current directory (`.`) and generate a report in report.html file.
5. Removes the downloaded Dependency Check files.
6. Upload the report file as artifacts.
You can download the report from the Artifacts and open it in the Browser.
![](images/day11-1.png)
You can customize this workflow to fit your needs. For example, you can specify different branches to run the workflow on, or specify different dependencies to check. You can also configure Dependency Check to generate a report in a specific format (e.g., HTML, XML, JSON) and save it to the repository.
### Resources
- [Dependency Check Documentation](https://jeremylong.github.io/DependencyCheck/)
- [Source Code of the repo I used for SCA implementation](https://github.com/prateekjaindev/nodejs-todo-app-demo)
In the next part [Day 12](day12.md), we will discuss Secure Coding Review.
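Review bot: The workflow never checks out the repository: there is no `actions/checkout` step before `Run Dependency Check`, so `--scan .` runs against a workspace that holds only the downloaded `dependency-check.zip` and its extracted directory, not the project's dependencies. Add `- uses: actions/checkout@v3` (or `@v2`, as the Day 9 workflow does) as the first step. Related: because the scanner is unpacked into the workspace before the scan, its own jars are included in `--scan .`; extracting it outside the workspace (for example under `$RUNNER_TEMP`) or passing `--exclude` keeps the report to the project's code. The numbered summary says the workflow runs "on every push to the `main` branch" while the trigger also covers `pull_request` events, and items 4 and 6 should read "generates a report" and "Uploads the report". If the intention is to block on findings rather than only publish a report, the Dependency Check CLI supports `--failOnCVSS <score>` to make the step fail.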

BIN 2023/images/day09-1.png Normal file (273 KiB)
BIN 2023/images/day09-10.png Normal file (404 KiB)
BIN 2023/images/day09-11.png Normal file (265 KiB)
BIN 2023/images/day09-12.png Normal file (66 KiB)
BIN 2023/images/day09-13.png Normal file (210 KiB)
BIN 2023/images/day09-14.png Normal file (131 KiB)
BIN 2023/images/day09-15.png Normal file (103 KiB)
BIN 2023/images/day09-16.png Normal file (66 KiB)
BIN 2023/images/day09-17.png Normal file (180 KiB)
BIN 2023/images/day09-18.png Normal file (439 KiB)
BIN 2023/images/day09-19.png Normal file (143 KiB)
BIN 2023/images/day09-2.png Normal file (90 KiB)
BIN 2023/images/day09-3.png Normal file (254 KiB)
BIN 2023/images/day09-4.png Normal file (237 KiB)
BIN 2023/images/day09-5.png Normal file (193 KiB)
BIN 2023/images/day09-6.png Normal file (165 KiB)
BIN 2023/images/day09-7.png Normal file (175 KiB)
BIN 2023/images/day09-8.png Normal file (222 KiB)
BIN 2023/images/day11-1.png Normal file (356 KiB)