Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Installing SNYK mutation tool for Static Analysis #47

Closed
wants to merge 55 commits into from
Closed

Installing SNYK mutation tool for Static Analysis #47

wants to merge 55 commits into from

Conversation

fdounis
Copy link

@fdounis fdounis commented Oct 27, 2024
edited
Loading

PR integrates Snyk into our CI/CD pipeline as a static analysis tool for identifying known vulnerabilities in our dependencies. Snyk scans the project’s node_modules for any security issues, giving us insights into outdated or vulnerable packages and providing remediation suggestions.

Why Snyk?

  • Security: Snyk provides a comprehensive vulnerability database that enables early detection of risks in project dependencies.
  • Automation: By running Snyk in GitHub Actions, we automate security checks on every push or pull request to the main branch, improving our codebase’s resilience against known threats.
  • Visibility: Snyk gives actionable insights into vulnerability severity (High, Medium, Low), with guidance on fixing the issues detected.

Workflow Details:

The Snyk Vulnerability Scan workflow is triggered on each push to main and for every pull request targeting main.
Snyk will authenticate using a SNYK_TOKEN stored in GitHub Secrets, ensuring secure access.

The scan output provides a detailed list of vulnerabilities and potential fixes, allowing the team to prioritize remediation based on severity.

Steps Included:

  1. Installed Snyk using npm and added it as a dev dependency.
  2. Created a GitHub Actions workflow (snyk-analysis.yml) to run Snyk scans in our CI/CD pipeline.
image 3. Configured Snyk to authenticate via a GitHub secret token and to scan all project dependencies. Screenshot 2024-10-27 at 8 03 21 PM

Output Details:

Snyk will generate a report listing detected vulnerabilities with links to additional information on each issue.

Each finding includes:

  • Severity: High, Medium, Low
  • Dependency Path: The specific path and version of the vulnerable dependency
  • Fix Recommendation: Any available patches or upgrades to address the vulnerability
image image

T7alabdullah and others added 30 commits September 10, 2024 13:16
@T7alabdullah
Update README.md to include our names
b58aff9
@Nalseaf
Merged my Proj1 Edits -nalseaf
b03f604
@Nalseaf
Merge pull request #14 from CMU-17313Q/merge_proj1
beddc39 
Merged my Proj1 Edits -nalseaf
@mthani2
Merged Project 1 changes mthani2
b4153e2
@mthani2
Merge pull request #15 from CMU-17313Q/Feature-merge-project1-mthani2
314e8d9 
Merged Project 1 changes mthani2
merged project 1 to project 2
5a1bd8e
@mthani2
Attempting to add anonymous posting checkbox to composer.tpl - frontend
d1ba402
@T7alabdullah
Merged project 1 changes thali
8031ead
@fdounis
Merged Project 1 changes fdounis
e1c5179
@fdounis
Merge pull request #18 from CMU-17313Q/Feature-merge-project1-fdounis
187c78a 
Merged Project 1 changes fdounis
@fdounis
Merge pull request #19 from CMU-17313Q/feature-merge-project1-thali
2662a81 
Merged project 1 changes thali
@mthani2
Add 'Post anonymously' checkbox to composer.tpl for anonymous message…
3905401 
… posting functionality
@mthani2
undoing changes made to src/views.partials/chats/composer.tpl
1d644a6
@mthani2
commenting out package in gitignore. file
4e6054c
@mthani2
removed composer default file from package.json
c5cada4
@mthani2
created exception for nodebb-plugin-composer in .gitignore
72dd073
@Nalseaf
reintsalled the composer-default file
d41a0cd
@Nalseaf
Added an Anonymous toggle to the submit button
53b80c2
@mthani2
Merge pull request #16 from CMU-17313Q/sarra
8b82c6f 
Merged project 1 to project 2 -- sarrakhelfi
@mthani2
final design changes to composer-titiel-container.tpl
94c2883
@Nalseaf
Merge pull request #21 from CMU-17313Q/anonymous-posting-frontend
6d7f6f5 
Anonymous posting frontend
@mthani2
Composer-title-container final changes
ade6269
@mthani2
Added click to composer.js
d30e5fa
@mthani2
flag added for isAnon in composer.js
028cdb5
@mthani2
modified create.js to show user as anonymous
336af92
@mthani2
final changes made to create.js
082dd96
@mthani2
fixing ESlint error with indentation
cbbd2e0
@mthani2
Fix: Clean up trailing spaces and tabs
36d6d87
@mthani2
Fix: Clean up trailing spaces, resoling all lint
03ecf21
@mthani2
Fix: config.json exception created in gitignore
5bdb3dd
mthani2 and others added 25 commits October 1, 2024 16:36
@mthani2
Fix: create.js to address ESS_ASSERTION
5116276
@mthani2
Fix: newlin expectation in create.js file
4813856
@sarrakhelifi-cmu
Merge pull request #26 from CMU-17313Q/anonymous-post-full-feature
28026ec 
Anonymous Post Full Feature
@fdounis
Add basic reaction buttons (👍, ❤️, 😂) to the topic template
0c08dcb
@fdounis
Add the javascript functionality to make the buttons clickable (alrea…
2c6b4d7 
…dy implemented before, but refined)
@fdounis
Create API Route for Handling Reactions - src/routes/reactions.js
af2af4d
@fdounis
Create API Route to fetch reaction counts - added a get route to retr…
014aa67 
…ieve the counts
@fdounis
Added a function to fetch and display initial reaction counts when th…
b9c91ef 
…e page loads to the topic.tpl file
@fdounis
Updated the Javascript code, to try and properly send AJAX requests
69c430b
@fdounis
Imported my custom route to index.js
a88a0e4
@fdounis
Fixed the javascript so that the ajax request is sent to /api/post/3/…
450fb65 
…reaction instead of /post/3/reaction when button is clicked
@fdounis
Updated the reactions.js route to ensure it is using the api suffix
dd7516b
@fdounis
Created the nodebb-plugin-emoji-reactions directory and added a plugi…
b0926a2 
…n.json file inside
@fdounis
Added the library.json file within the nodebb-plugin-emoji-reactions …
a8e0a7f 
…folder, with the server-side logic for handling reactions
@fdounis
Create a package.json file to define the package
5e377cc
@fdounis
Restructured the topic.tpl file to work with the new back-end logic a…
46571f4 
…nd keep emoji count
@fdounis
Troubleshooting the issue with library.js
ae78637
@fdounis
Created the test/back-end directory within the emoji reactions plugin…
3ba2a04 
… folder to start testing on the backend
@fdounis
Created the initial back-end test file reactions.test.js within the t…
941ddba 
…est/back-end directory. This file will house all tests related to the emoji reactions API endpoints.
@fdounis
Implemented a test case to verify that a valid reaction (👍) can be su…
a726bb4 
…ccessfully added to a post. This ensures that the POST /api/post/:postId/reaction endpoint functions correctly under normal conditions
@fdounis
Added a test case to ensure that the API correctly handles invalid re…
f632384 
…actions. Attempting to add a reaction that is not among the predefined valid emojis (👍, ❤️, 😂) should result in a 400 Bad Request response with an appropriate error message.
@fdounis
Implemented a test to verify that unauthenticated users cannot add re…
36a207e 
…actions. The API should respond with a 403 Forbidden status and an appropriate error message when a user who is not logged in attempts to add a reaction.
@fdounis
Add a test case to ensure that the API gracefully handles server-side…
5204809 
… errors during reaction addition. Simulate a database error and verify that the API responds with a 500 Internal Server Error and an appropriate error message.
@fdounis
Add OWASP ZAP security scan workflow
709bc43
@fdounis
Add Snyk vulnerability scan workflow
254202e
@fdounis fdounis closed this Oct 27, 2024
@fdounis fdounis deleted the snyk-tool-integration branch October 27, 2024 17:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@fdounis @T7alabdullah @Nalseaf @mthani2 @sarrakhelifi-cmu