Merge branch 'branch-2.3-MVC' into heroku-deployment-tmp

Author: thomaswoehlke

.github/FUNDING.yml

@@ -1,7 +1,7 @@
 # These are supported funding model platforms
 
 github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
-patreon: # Replace with a single Patreon username
+patreon: thomaswoehlke
 open_collective: # Replace with a single Open Collective username
 ko_fi: # Replace with a single Ko-fi username
 tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel

.github/workflows/codacy-analysis.yml

@@ -8,11 +8,11 @@
 
 name: Codacy Security Scan
 
-on: 
+on:
   push:
-    branches: [ "master", "main" ]
+    branches: [ 'master', 'heroku-deployment', 'branch-2.3-MVC' ]
   pull_request:
-    branches: [ "master", "main" ]
+    branches: [ 'master', 'heroku-deployment', 'branch-2.3-MVC' ]
 
 jobs:
   codacy-security-scan:
@@ -22,7 +22,7 @@ jobs:
       # Checkout the repository to the GitHub Actions runner
       - name: Checkout code
         uses: actions/checkout@v2
-      
+
       # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
       - name: Run Codacy Analysis CLI
         uses: codacy/[email protected]
@@ -36,7 +36,7 @@ jobs:
           # Force 0 exit code to allow SARIF file generation
           # This will handover control about PR rejection to the GitHub side
           max-allowed-issues: 2147483647
-      
+
       # Upload the SARIF file generated in the previous step
       - name: Upload SARIF results file
         uses: github/codeql-action/upload-sarif@v1

.github/workflows/codeql-analysis.yml

@@ -7,10 +7,10 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [master]
+    branches: [ 'master', 'heroku-deployment', 'branch-2.3-MVC' ]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [master]
+    branches: [ 'master', 'heroku-deployment', 'branch-2.3-MVC' ]
   schedule:
     - cron: '0 19 * * 2'
 
@@ -47,7 +47,7 @@ jobs:
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file. 
+        # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 

.github/workflows/fortify-analysis.yml

@@ -1,4 +1,4 @@
-################################################################################################################################################ 
+################################################################################################################################################
 # Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,#
 # dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial #
 # or contact our sales team, visit microfocus.com/appsecurity.                                                                                 #
@@ -14,17 +14,17 @@
 name: Fortify on Demand Scan
 
 # TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time
-on: 
+on:
   workflow_dispatch:
   push:
-    branches: [master]
+    branches: [ 'master', 'heroku-deployment', 'branch-2.3-MVC' ]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [master]
-  
+    branches: [ 'master', 'heroku-deployment', 'branch-2.3-MVC' ]
+
 jobs:
   FoD-SAST-Scan:
-    # Use the appropriate runner for building your source code. 
+    # Use the appropriate runner for building your source code.
     # TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax.
     runs-on: ubuntu-latest
 
@@ -37,27 +37,27 @@ jobs:
           fetch-depth: 2
       # If this run was triggered by a pull request event, then checkout the head of the pull request instead of the merge commit.
       - run: git checkout HEAD^2
-        if: ${{ github.event_name == 'pull_request' }}      
+        if: ${{ github.event_name == 'pull_request' }}
       # Java 8 required by ScanCentral Client and FoD Uploader(Univeral CI Tool)
       - name: Setup Java
         uses: actions/setup-java@v1
         with:
-          java-version: 13
-      
+          java-version: 15
+
       # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml.
       # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints:
       #   ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle).
       #   ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner.
       #   ScanCentral has additional options that should be set for PHP and Python projects
       #   For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation.
-      #   ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/ 
+      #   ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/
       - name: Download Fortify ScanCentral Client
         uses: fortify/gha-setup-scancentral-client@v1
       - name: Package Code + Dependencies
         run: scancentral package $PACKAGE_OPTS -o package.zip
         env:
           PACKAGE_OPTS: "-bt mvn"
-      
+
       # Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java
       # TODO: Update ENV variables for your application and create the necessary GitHub Secrets.  Helpful hints:
       #   Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used).
@@ -66,16 +66,16 @@ jobs:
         uses: fortify/gha-setup-fod-uploader@v1
       - name: Perform SAST Scan
         run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES"
-        env: 
-          FOD_TENANT: ${{ secrets.FOD_TENANT }}  
+        env:
+          FOD_TENANT: ${{ secrets.FOD_TENANT }}
           FOD_USER: ${{ secrets.FOD_USER }}
           FOD_PAT: ${{ secrets.FOD_PAT }}
           FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }}
           FOD_URL: "https://ams.fortify.com/"
           FOD_API_URL: "https://api.ams.fortify.com/"
           FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf"
           FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})'
-      
+
       # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output.
       # TODO: Review Action inputs. For most users, these will be the same as used in the Perform SAST Scan step.
       - name: Download Results
@@ -87,7 +87,7 @@ jobs:
           password: ${{ secrets.FOD_PAT }}
           release-id: ${{ secrets.FOD_RELEASE_ID }}
           output: ./sarif/output.sarif
-      
+
       # Import Fortify on Demand results to GitHub Security Code Scanning
       - name: Import Results
         uses: github/codeql-action/upload-sarif@v1

.github/workflows/maven.yml

@@ -5,9 +5,9 @@ name: Java CI with Maven
 
 on:
   push:
-    branches: [ master ]
+    branches: [ 'master', 'heroku-deployment', 'branch-2.3-MVC' ]
   pull_request:
-    branches: [ master ]
+    branches: [ 'master', 'heroku-deployment', 'branch-2.3-MVC' ]
 
 jobs:
   build:
@@ -16,9 +16,9 @@ jobs:
 
     steps:
     - uses: actions/checkout@v2
-    - name: Set up JDK 13
+    - name: Set up JDK 15
       uses: actions/setup-java@v1
       with:
-        java-version: 13
+        java-version: 15
     - name: Build with Maven
       run: ./mvnw -B -DskipTests clean dependency:purge-local-repository dependency:resolve dependency:resolve-plugins dependency:sources dependency:tree package spring-boot:repackage site --file pom.xml

.github/workflows/ossar-analysis.yml

@@ -5,9 +5,9 @@ name: OSSAR
 
 on:
   push:
-    branches: [ master ]
+    branches: [  'master', 'heroku-deployment', 'branch-2.3-MVC' ]
   pull_request:
-    branches: [ master ]
+    branches: [  'master', 'heroku-deployment', 'branch-2.3-MVC' ]
 
 jobs:
   OSSAR-Scan:

.github/workflows/veracode-analysis.yml

@@ -6,9 +6,9 @@ name: Veracode Static Analysis Pipeline Scan
 # events but only for the master branch
 on:
   push:
-    branches: [ master ]
+    branches: [  'master', 'heroku-deployment', 'branch-2.3-MVC' ]
   pull_request:
-    branches: [ master ]
+    branches: [  'master', 'heroku-deployment', 'branch-2.3-MVC' ]
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
@@ -17,7 +17,7 @@ jobs:
     # The type of runner that the job will run on
     runs-on: ubuntu-latest
     steps:
-    
+
     # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps
     - uses: actions/checkout@v2
       with:
@@ -28,28 +28,28 @@ jobs:
         files: /
         recursive: true
         dest: veracode-pipeline-scan-results-to-sarif.zip
-          
+
     - uses: actions/upload-artifact@v1
       with:
         name: my-artifact
         path: veracode-pipeline-scan-results-to-sarif.zip
-    
+
     # download the Veracode Static Analysis Pipeline scan jar
     - uses: wei/curl@master
       with:
         args: -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
     - run: unzip -o pipeline-scan-LATEST.zip
-    
+
     - uses: actions/setup-java@v1
       with:
-        java-version: 13
+        java-version: 15
     - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-pipeline-scan-results-to-sarif.zip
       continue-on-error: true
     - uses: actions/upload-artifact@v1
       with:
         name: ScanResults
         path: results.json
-    - name: Convert pipeline scan output to SARIF format 
+    - name: Convert pipeline scan output to SARIF format
       id: convert
       uses: veracode/veracode-pipeline-scan-results-to-sarif@master
       with:

.github/workflows/xanitizer-analysis.yml

@@ -0,0 +1,86 @@
+# This workflow downloads and installs the latest version of Xanitizer, builds your project, runs a Xanitizer security analysis on it,
+# and then archives the findings list reports and uploads the findings into the GitHub code scanning alert section of your repository.
+#
+# Documentation for the `RIGS-IT/xanitizer-action` is located here: https://github.com/RIGS-IT/xanitizer-action
+#
+# To use this basic workflow, you will need to complete the following setup steps:
+#
+# 1. The underlying Xanitizer, used in this workflow, needs a separate license file.
+#    Licenses are free of charge for open source projects and for educational usage.
+#    To get more information about the Xanitizer licenses and how to obtain a license file,
+#    please consult https://www.xanitizer.com/xanitizer-pricing/.
+#
+# 2. The content of the license file has to be stored as a GitHub secret (e.g. XANITIZER_LICENSE) on this repository.
+#    Please consult https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details.
+#
+# 3. Reference the GitHub secret in the step using the `RIGS-IT/xanitizer-action` GitHub action.
+#    Example:
+#    - name: Xanitizer Security Analysis
+#      uses: RIGS-IT/xanitizer-action@v1
+#      with:
+#        license: ${{ secrets.XANITIZER_LICENSE }}
+#
+# 4. As a static application security testing (SAST) tool,
+#    Xanitizer requires that all dependencies of the artifacts being analyzed can be resolved successfully.
+#    So you have to install all used libraries and build your project before running the security analysis,
+#    e.g. via `mvn compile` for Java or `npm install` for JavaScript
+
+name: "Xanitizer Security Analysis"
+
+on:
+  # Run the workflow on each push
+  push:
+  # Run the workflow each day at 5 am
+  # schedule:
+  # - cron: '0 5 * * *'
+  # Run the workflow manually
+  workflow_dispatch:
+
+jobs:
+  xanitizer-security-analysis:
+    # Xanitizer runs on ubuntu-latest and windows-latest.
+    runs-on: ubuntu-latest
+
+    steps:
+      # Check out the repository
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      # Set up the correct Java version for your project
+      # Please comment out, if your project does not contain Java source code.
+      - name: Set up JDK 15
+        uses: actions/setup-java@v1
+        with:
+          java-version: 15
+
+      # Compile the code for Java projects and get all libraries, e.g. via Maven
+      # Please adapt, if your project uses another build system to compile Java source code.
+      # Please comment out, if your project does not contain Java source code.
+      - name: Compile Java code
+        run: ./mvnw -B -DskipTests clean dependency:purge-local-repository dependency:resolve dependency:resolve-plugins dependency:sources dependency:tree package spring-boot:repackage site --file pom.xml
+
+      # Install all dependent libraries for JavaScript/TypeScript projects, e.g. via npm
+      # Please adapt to run `npm install` in the correct directories.
+      # Please adapt, if your project uses another package manager for getting JavaScript libraries.
+      # Please comment out, if your project does not use a package manager for getting JavaScript libraries.
+      #- name: Install JavaScript libraries
+      #  run: npm install
+
+      # Run the security analysis with default settings
+      - name: Xanitizer Security Analysis
+        uses: RIGS-IT/xanitizer-action@v1
+        with:
+          license: ${{ secrets.XANITIZER_LICENSE }}
+
+      # Archiving the findings list reports
+      - uses: actions/upload-artifact@v2
+        with:
+          name: Xanitizer-Reports
+          path: |
+            *-Findings-List.pdf
+            *-Findings-List.sarif
+
+      # Uploads the findings into the GitHub code scanning alert section using the upload-sarif action
+      - uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: Xanitizer-Findings-List.sarif

.idea/compiler.xml

@@ -1,2 +1,2 @@
-distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.6.3/apache-maven-3.6.3-bin.zip
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.6.2/apache-maven-3.6.2-bin.zip
 wrapperUrl=https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar