
Commit f42fea5

Added README to provide .net instruction
1 parent fbda554 commit f42fea5

20 files changed, +14 -8 lines changed

README.md

Lines changed: 14 additions & 8 deletions
@@ -1,6 +1,6 @@
1-
# Code Scanning Javascript Tutorial
1+
# Code Scanning C# Tutorial
22

3-
Welcome to the Code Scanning Java Tutorial! This tutorial will take you through how to set up Github Advanced Security: Code Scanning as well as interpret results that it may find. The following repository contains SQL injection vulnerability for demonstration purpose.
3+
Welcome to the Code Scanning C# Tutorial! This tutorial will take you through how to set up Github Advanced Security: Code Scanning as well as interpret results that it may find. The following repository contains cross-site scripting vulnerability for demonstration purpose.
44

55
## Introduction
66

@@ -62,6 +62,10 @@ The Actions Workflow file contains a number of different sections including:
6262

6363
<img src="images/03-actions-sample-workflow.png" width="80%"/>
6464

65+
Please change `line 35` to only use `csharp` for this demonstration purpose.
66+
67+
<img src="images/03a-csharp-scanning.png" width="80%"/>
68+
6569
Click `Start Commit` -> `Commit this file` to commit the changes to _main_ branch.
6670
</p>
6771
</details>
@@ -107,7 +111,9 @@ Click the specific workflow run. You can view the progress of the Workflow run u
107111
<summary>Security Issues</summary>
108112
<p>
109113

110-
Once the Workflow has completed, click the `Security` tab -> ` Code Scanning Alerts`. An security alert "Query built from user-controlled sources" should be visible.
114+
Once the Workflow has completed, click the `Security` tab -> ` Code Scanning Alerts`. You can see 29 alerts, select the first "Cross-site scripting" alert.
115+
116+
<img src="images/06-select-cross-site-scripting.png" width="80%"/>
111117

112118
#### Security Alert View
113119

@@ -157,13 +163,13 @@ Click `show paths` in order to see the dataflow path that resulted in this alert
157163

158164
<summary>Fix the Security Alert</summary>
159165

160-
In order to fix this specific alert, we will need to ensure parameters used in the SQL query is validated and sanitized.
166+
In order to fix this specific alert, we will need to ensure the content being write to the `HttpContext`'s response is validated and sanitized.
161167

162-
Click on the `Code` tab and [Edit](https://docs.github.com/en/free-pro-team@latest/github/managing-files-in-a-repository/editing-files-in-your-repository) the file [`IndexController.java`](./src/main/java/com/github/hackathon/advancedsecurityjava/Controllers/IndexController.java) in the `Controllers` folder, replace the content with the file [`fixme`](./fixme).
168+
Click on the `Code` tab and [Edit](https://docs.github.com/en/free-pro-team@latest/github/managing-files-in-a-repository/editing-files-in-your-repository) the file [`Autocomplete.ashx.cs`](./WebGoat/WebGoatCoins/Autocomplete.ashx.cs) in the `WebGoat/WebGoatCoins` folder. For this demonstration purpose, we will simply write some hardcoded value to the `HttpContext` instance, this granatees the parameter is sanitized and safe.
163169

164170
<img src="images/11-fix-source-code.png" width="80%"/>
165171

166-
Click `Create a new branch for this commit and start a pull request`, name the branch `fix-sql-injection`, and create the Pull Request.
172+
Click `Create a new branch for this commit and start a pull request`, name the branch `fix-cross-site-scripting`, and create the Pull Request.
167173

168174
#### Pull Request Status Check
169175

@@ -179,15 +185,15 @@ After the Workflow has completed click on `Details` by the `Code Scanning Result
179185

180186
#### Fixed Alert
181187

182-
Notice that Code Scanning has detected that this Pull Request will fix the SQL injection vulnerability that was detected before.
188+
Notice that Code Scanning has detected that this Pull Request will fix the cross-site scripting vulnerability that was detected before.
183189

184190
<img src="images/14-fix-detail.png" width="80%"/>
185191

186192
Merge the Pull Request. After the Pull Request has been merged, another Workflow will kick off to scan the repository for any vulnerabilties.
187193

188194
#### Closed Security Alerts
189195

190-
After the final Workflow has completed, navigate back to the `Security` tab and click `Closed`. Notice that the **Query built from user-controlled sources** security alert now shows up as a closed issue.
196+
After the final Workflow has completed, navigate back to the `Security` tab and click `Closed`. Notice that the **Cross-site scripting** security alert now shows up as a closed issue.
191197

192198
<img src="images/15-fixed-alert.png" width="80%"/>
193199

Binary files changed (images):

images/00-repo-security-tab.png (171 KB)
images/03-actions-sample-workflow.png (110 KB)
images/03a-csharp-scanning.png (15.4 KB)
images/04-actions-sample-events.png (20.6 KB)
images/05-actions-completed.png (54.3 KB)
images/06-security-codeql-alert.png (87.7 KB)
images/11-fix-source-code.png (73.3 KB)
images/12-fix-pr-in-progress.png (128 KB)
images/13-fix-pr-done.png (53.7 KB)
images/14-fix-detail.png (119 KB)
images/15-fixed-alert.png (83.8 KB)
images/16-fix-history.png (131 KB)
