sgerlach · sgerlach · Nov 14, 2022 · Nov 14, 2022 · Nov 14, 2022 · Nov 14, 2022
diff --git a/.github/workflows/demo-hawkscan.yml → .github/workflows/demo-testing.yml b/.github/workflows/demo-hawkscan.yml → .github/workflows/demo-testing.yml
@@ -1,30 +1,30 @@
 name: Build and Test
 on:
   pull_request:
+  workflow_dispatch:
 
 jobs:
-  build-and-test:
-    name: Build and test
+  snyk-code:
     runs-on: ubuntu-latest
-    services:
-      postgres-db:
-        image: postgres
-        ports:
-          - 5432:5432
+    steps:
+      - uses: actions/checkout@master
+      - name: Snyk Code
+        uses: snyk/actions/gradle@master
         env:
-          POSTGRES_DB: postgresql
-          POSTGRES_USER: postgresql
-          POSTGRES_PASSWORD: postgresql
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+  stackhawk-hawkscan:
+    name: Runs the application and the HawkScan test of the app
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
       - name: Build and Run Vulny!
         run: docker-compose build && docker-compose up -d
       - name: HawkScan
         uses: stackhawk/hawkscan-action@v2.0.0
         with:
           apiKey: ${{ secrets.HAWK_API_KEY }}
-          configurationFiles: stackhawk.d/stackhawk-custom-params.yml stackhawk-github-pr.yml
+          configurationFiles: stackhawk.d/stackhawk-custom-params.yml stackhawk.d/stackhawk-github-pr.yml
         env:
           COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
           BRANCH_NAME: ${{ github.head_ref }}
diff --git a/.github/workflows/hawkscan.yml b/.github/workflows/hawkscan.yml
diff --git a/Dockerfile b/Dockerfile
@@ -2,6 +2,7 @@ FROM openjdk:11.0.10-jdk-slim
 
 RUN mkdir /javavulny /app
 COPY . /javavulny/
+RUN sed -i 's/localhost\:5432/db\:5432/' /javavulny/src/main/resources/application-postgresql.properties
 
 RUN cd /javavulny \
 && ./gradlew --no-daemon build \

diff --git a/README.md b/README.md
@@ -1,6 +1,11 @@
 # Java Spring Vulny
 
-Java Spring Vulny is a simple application that combines the power and sophistication of the Spring framework with some homegrown naïveté. Its purpose is to provide a target for web application security test scanners such as [OWASP ZAProxy](https://www.zaproxy.org/) and [StackHawk](https://www.stackhawk.com/).
+Java Spring Vulny is a simple application that combines the power and sophistication of the Spring framework with some 
+homegrown naïveté. Its purpose is to provide a target for web application security test scanners 
+such as [OWASP ZAProxy](https://www.zaproxy.org/) and [StackHawk](https://www.stackhawk.com/).
+
+
+Most of the configuration options for StackHawk can be found under the stackhawk.d directory.
 
 ## Building and Running in Docker
 

diff --git a/javaspringvulny_postman_collection.json b/javaspringvulny_postman_collection.json
@@ -158,7 +158,7 @@
 											"bearer": [
 												{
 													"key": "token",
-													"value": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIiwicm9sZXMiOlsiUk9MRV9VU0VSIl0sInRlbmFudElkIjoiMTIzNDU2NyIsImlhdCI6MTY2Mzk1NDY4OSwiZXhwIjoxNjYzOTU4Mjg5fQ.dnCsM7wKsasVj-rTtj_rffMDfVlOZxoQziE6VKpv0D4",
+													"value": "",
 													"type": "string"
 												}
 											]
@@ -332,6 +332,16 @@
 								{
 									"name": "search 2",
 									"request": {
+										"auth": {
+											"type": "bearer",
+											"bearer": [
+												{
+													"key": "token",
+													"value": "",
+													"type": "string"
+												}
+											]
+										},
 										"method": "GET",
 										"header": [
 											{
@@ -354,7 +364,7 @@
 											"variable": [
 												{
 													"key": "text",
-													"value": "ea nisi venia",
+													"value": "items",
 													"description": "(Required) "
 												}
 											]
@@ -403,6 +413,71 @@
 								}
 							]
 						},
+						{
+							"name": "admin",
+							"item": [
+								{
+									"name": "freeHosen",
+									"request": {
+										"auth": {
+											"type": "bearer",
+											"bearer": [
+												{
+													"key": "token",
+													"value": "",
+													"type": "string"
+												}
+											]
+										},
+										"method": "GET",
+										"header": [],
+										"url": {
+											"raw": "{{baseUrl}}/api/jwt/admin/freeHosen",
+											"host": [
+												"{{baseUrl}}"
+											],
+											"path": [
+												"api",
+												"jwt",
+												"admin",
+												"freeHosen"
+											]
+										}
+									},
+									"response": []
+								},
+								{
+									"name": "freeHosen",
+									"request": {
+										"auth": {
+											"type": "bearer",
+											"bearer": [
+												{
+													"key": "token",
+													"value": "",
+													"type": "string"
+												}
+											]
+										},
+										"method": "PUT",
+										"header": [],
+										"url": {
+											"raw": "{{baseUrl}}/api/jwt/admin/freeHosen",
+											"host": [
+												"{{baseUrl}}"
+											],
+											"path": [
+												"api",
+												"jwt",
+												"admin",
+												"freeHosen"
+											]
+										}
+									},
+									"response": []
+								}
+							]
+						},
 						{
 							"name": "signin",
 							"protocolProfileBehavior": {
@@ -759,16 +834,6 @@
 			]
 		}
 	],
-	"auth": {
-		"type": "bearer",
-		"bearer": [
-			{
-				"key": "token",
-				"value": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIiwicm9sZXMiOlsiUk9MRV9VU0VSIl0sInRlbmFudElkIjoiMTIzNDU2NyIsImlhdCI6MTY2Mzk1MzM2OCwiZXhwIjoxNjYzOTU2OTY4fQ.UzEiOz6MvfyN4-JSA23ue_xtGSkqtbNW5kpiFGCh_F4",
-				"type": "string"
-			}
-		]
-	},
 	"event": [
 		{
 			"listen": "prerequest",

diff --git a/src/main/resources/application-postgresql.properties b/src/main/resources/application-postgresql.properties
@@ -1,5 +1,5 @@
 spring.datasource.platform=postgres
-spring.datasource.url=jdbc:postgresql://localhost/postgres
+spring.datasource.url=jdbc:postgresql://localhost:5432/postgres
 spring.datasource.username=postgresql
 spring.datasource.password=postgresql
 spring.datasource.driverClassName=org.postgresql.Driver

diff --git a/stackhawk.d/stackhawk-auth-json-token.yml b/stackhawk.d/stackhawk-auth-json-token.yml
@@ -30,8 +30,6 @@ app:
 hawk:
   spider:
     base: false
-    postmanConfig:
-      filePath: javaspringvulny_postman_collection.json
   failureThreshold: high
 hawkAddOn:
   scripts:
@@ -40,4 +38,3 @@ hawkAddOn:
       type: active
       path: stackhawk.d
       language: JAVASCRIPT
-  spider: false
diff --git a/stackhawk.d/stackhawk-custom-params.yml b/stackhawk.d/stackhawk-custom-params.yml
@@ -1,5 +1,5 @@
 app:
-  applicationId: ${APP_ID:44d63acb-a50b-4ab5-baa3-9508bb12691f}
+  applicationId: ${APP_ID:458599ed-6493-44c1-9b9d-73ba0eac5bc8}
   env: ${APP_ENV:custom-params}
   host: ${APP_HOST:https://localhost:9000}
   excludePaths:
@@ -45,10 +45,10 @@ app:
 
 hawk:
   failureThreshold: high
+  spider:
+    base: false
 
 hawkAddOn:
-  spider: false
-  maxDurationMinutes: 10
   scripts:
     - name: api1:2019-tennant-check.js
       id: 1000012