Adding new stuff for the bootcamp.

.github/workflows/coverage.yml

@@ -0,0 +1,65 @@
+name: Coverage
+
+on:
+    push:
+        branches: [main]
+    pull_request:
+        branches: [main]
+
+permissions:
+    contents: read
+
+jobs:
+    build:
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+
+            - name: Set up Java
+              uses: actions/setup-java@v4
+              with:
+                  distribution: temurin
+                  java-version: "17"
+
+            - name: Run tests with coverage
+              run: ./mvnw test
+
+            - name: Convert JaCoCo report to Cobertura
+              uses: danielpalme/ReportGenerator-GitHub-Action@5.3.11
+              with:
+                  reports: target/site/jacoco/jacoco.xml
+                  targetdir: target/site/cobertura
+                  reporttypes: Cobertura
+
+            - name: Prepare Cobertura report
+              run: cp target/site/cobertura/Cobertura.xml cobertura.xml
+
+            - name: Upload coverage artifact
+              if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+              uses: actions/upload-artifact@v4
+              with:
+                  name: cobertura-report
+                  path: cobertura.xml
+
+    # Separate job with minimal permissions for the coverage upload.
+    # Skipped for fork PRs since the artifact won't be uploaded.
+    upload-coverage:
+        needs: build
+        if: ${{ !cancelled() && needs.build.result == 'success' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
+        runs-on: ubuntu-latest
+        permissions:
+            contents: read
+            code-quality: write
+        steps:
+            - name: Download coverage artifact
+              uses: actions/download-artifact@v4
+              with:
+                  name: cobertura-report
+
+            - name: Upload coverage report
+              uses: actions/upload-code-coverage@v1
+              with:
+                  file: cobertura.xml
+                  language: Java
+                  label: code-coverage/jacoco

.gitignore

@@ -1,6 +1,7 @@
 /nb-configuration.xml
 /nbactions.xml
 /target/
+/data/
 /.classpath
 /.project
 /.settings/.jsdtscope
@@ -56,4 +57,4 @@ TestClass.class
 **/*.flattened-pom.xml
 /.gitconfig
 
-webgoat.gitconfig
+webgoat.gitconfig

Dockerfile

@@ -1,35 +1,10 @@
-FROM docker.io/eclipse-temurin:19-jre-focal
-LABEL NAME = "WebGoat: A deliberately insecure Web Application"
-MAINTAINER "WebGoat team"
+FROM eclipse-temurin:17-jre
 
-RUN \
-  useradd -ms /bin/bash webgoat && \
-  chgrp -R 0 /home/webgoat && \
-  chmod -R g=u /home/webgoat
+RUN useradd -ms /bin/bash appuser
+USER appuser
 
-USER webgoat
-
-COPY --chown=webgoat target/webgoat-*.jar /home/webgoat/webgoat.jar
+WORKDIR /home/appuser
+COPY --chown=appuser target/training-portal-*.jar app.jar
 
 EXPOSE 8080
-EXPOSE 9090
-
-WORKDIR /home/webgoat
-ENTRYPOINT [ "java", \
-   "-Duser.home=/home/webgoat", \
-   "-Dfile.encoding=UTF-8", \
-   "--add-opens", "java.base/java.lang=ALL-UNNAMED", \
-   "--add-opens", "java.base/java.util=ALL-UNNAMED", \
-   "--add-opens", "java.base/java.lang.reflect=ALL-UNNAMED", \
-   "--add-opens", "java.base/java.text=ALL-UNNAMED", \
-   "--add-opens", "java.desktop/java.beans=ALL-UNNAMED", \
-   "--add-opens", "java.desktop/java.awt.font=ALL-UNNAMED", \
-   "--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \
-   "--add-opens", "java.base/java.io=ALL-UNNAMED", \
-   "--add-opens", "java.base/java.util=ALL-UNNAMED", \
-   "-Drunning.in.docker=true", \
-   "-Dwebgoat.host=0.0.0.0", \
-   "-Dwebwolf.host=0.0.0.0", \
-   "-Dwebgoat.port=8080", \
-   "-Dwebwolf.port=9090", \
-   "-jar", "webgoat.jar" ]
+ENTRYPOINT ["java", "-jar", "app.jar"]

README.md

@@ -1,145 +1,61 @@
-# WebGoat 8: A deliberately insecure Web Application
+# Acme Training Portal
 
-[![Build](https://github.com/WebGoat/WebGoat/actions/workflows/build.yml/badge.svg?branch=develop)](https://github.com/WebGoat/WebGoat/actions/workflows/build.yml)
-[![java-jdk](https://img.shields.io/badge/java%20jdk-17-green.svg)](https://jdk.java.net/)
-[![OWASP Labs](https://img.shields.io/badge/OWASP-Lab%20project-f7b73c.svg)](https://owasp.org/projects/)
-[![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)
-[![Gitter](https://badges.gitter.im/OWASPWebGoat/community.svg)](https://gitter.im/OWASPWebGoat/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
-[![Discussions](https://img.shields.io/github/discussions/WebGoat/WebGoat)](https://github.com/WebGoat/WebGoat/discussions)
-[![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-%23FE5196?logo=conventionalcommits&logoColor=white)](https://conventionalcommits.org)
+Acme Training Portal is a deliberately vulnerable Spring Boot application for GitHub Advanced Security bootcamps. It models a small internal training catalog with tenant-scoped courses, comments, XML imports, and downloadable training documents.
 
-# Introduction
+Do not use this application as a production example.
 
-WebGoat is a deliberately insecure web application maintained by [OWASP](http://www.owasp.org/) designed to teach web
-application security lessons.
+## Run locally
 
-This program is a demonstration of common server-side application flaws. The
-exercises are intended to be used by people to learn about application security and
-penetration testing techniques.
-
-**WARNING 1:** *While running this program your machine will be extremely
-vulnerable to attack. You should disconnect from the Internet while using
-this program.*  WebGoat's default configuration binds to localhost to minimize
-the exposure.
-
-**WARNING 2:** *This program is for educational purposes only. If you attempt
-these techniques without authorization, you are very likely to get caught. If
-you are caught engaging in unauthorized hacking, most companies will fire you.
-Claiming that you were doing security research will not work as that is the
-first thing that all hackers claim.*
-
-![WebGoat](docs/images/webgoat.png)
-
-# Installation instructions:
-
-For more details check [the Contribution guide](/CONTRIBUTING.md)
-
-## 1. Run using Docker
-
-Already have a browser and ZAP and/or Burp installed on your machine in this case you can run the WebGoat image directly using Docker.
-
-Every release is also published on [DockerHub](https://hub.docker.com/r/webgoat/webgoat).
-
-```shell
-docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 webgoat/webgoat
-```
-
-If you want to reuse the container, give it a name:
-
-```shell
-docker run --name webgoat -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 webgoat/webgoat
-```
-
-As long as you don't remove the container you can use:
-
-```shell
-docker start webgoat
-```
-
-This way, you can start where you left off. If you remove the container, you need to use `docker run` again.
-
-## 2. Run using Docker with complete Linux Desktop
-
-Instead of installing tools locally we have a complete Docker image based on running a desktop in your browser. This way you only have to run a Docker image which will give you the best user experience.
-
-```shell
-docker run -p 127.0.0.1:3000:3000 webgoat/webgoat-desktop
-```
-
-## 3. Standalone
-
-Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
-
-```shell
-java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-2023.3.jar
-```
-
-Click the link in the log to start WebGoat.
-
-## 4. Run from the sources
-
-### Prerequisites:
-
-* Java 17
-* Your favorite IDE
-* Git, or Git support in your IDE
-
-Open a command shell/window:
-
-```Shell
-git clone git@github.com:WebGoat/WebGoat.git
+```bash
+./mvnw spring-boot:run
 ```
 
-Now let's start by compiling the project.
-
-```Shell
-cd WebGoat
-git checkout <<branch_name>>
-# On Linux/Mac:
-./mvnw clean install
-
-# On Windows:
-./mvnw.cmd clean install
-
-# Using docker or podman, you can than build the container locally
-docker build -f Dockerfile . -t webgoat/webgoat
-```
+Open `http://localhost:8080`.
 
-Now we are ready to run the project. WebGoat is using Spring Boot.
+The app uses an in-memory H2 database and seeds sample courses every time it starts.
 
-```Shell
-# On Linux/Mac:
-./mvnw spring-boot:run
-# On Windows:
-./mvnw.cmd spring-boot:run
+## Build
 
+```bash
+./mvnw test
+./mvnw package
+java -jar target/training-portal-1.0.0-SNAPSHOT.jar
 ```
 
-... you should be running WebGoat on http://localhost:8080/WebGoat momentarily.
+## GHAS demo map
 
-Note: The above link will redirect you to login page if you are not logged in. LogIn/Create account to proceed.
+| Area | Example | Teaching point |
+| --- | --- | --- |
+| CodeQL security | Course search, course detail, and comment lookup concatenate request values into SQL | User-controlled data flowing into JDBC queries |
+| CodeQL security | Course comments render with `th:utext` | Stored cross-site scripting |
+| CodeQL security | `/download?file=...` resolves user-controlled document paths | Path traversal |
+| CodeQL security | XML import preview expands entities with default parser settings | XML external entity processing |
+| Secret Protection | Training tokens and passwords are hardcoded in Java and properties files | Secret detection and remediation workflow |
+| Dependabot | `commons-text` and `commons-io` are pinned to older versions | Dependency review and update workflow |
+| Code Quality | Resource leak, direct `Thread.run()`, boxed reference equality, missing `@Override`, unread locals, confusing field assignment, self-assignment, identical-value comparison, array index out of bounds, null dereference, synchronization on string constants, inefficient string use, and constant interface anti-pattern | Standard findings and pull request comments from GitHub Code Quality |
 
-To change the IP address add the following variable to the `WebGoat/webgoat-container/src/main/resources/application.properties` file:
+## Useful demo URLs
 
-```
-server.address=x.x.x.x
-```
+| URL | Purpose |
+| --- | --- |
+| `/` | Training catalog |
+| `/?tenant=northwind&q=Secure` | Search flow |
+| `/courses/1` | Course detail and comments |
+| `/documents` | Document listing |
+| `/download?file=onboarding.txt` | Document download |
+| `/download?file=../../pom.xml` | Path traversal discussion |
 
-## 4. Run with custom menu
+## XML import example
 
-For specialist only. There is a way to set up WebGoat with a personalized menu. You can leave out some menu categories or individual lessons by setting certain environment variables.
+Submit the form on the home page, or send a request like this:
 
-For instance running as a jar on a Linux/macOS it will look like this:
-
-```Shell
-export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE"
-export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations"
-java -jar target/webgoat-2023.3-SNAPSHOT.jar
+```bash
+curl -X POST http://localhost:8080/imports/preview \
+  --data-urlencode 'xml=<course><title>Imported Security Training</title></course>'
 ```
 
-Or in a docker run it would (once this version is pushed into docker hub) look like this:
+## Notes for instructors
 
-```Shell
-docker run -d -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE" -e EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations" webgoat/webgoat
-```
+This repository is designed to produce baseline findings after GHAS is enabled. Keep fixes and exercises small during workshops so participants can connect one code change to one alert or pull request comment.
 
+The file `src/test/java/com/acme/trainingportal/ParticipantCoverageExercisesTest.java` contains commented-out tests that participants can uncomment to increase code coverage and trigger a coverage report comment on the pull request.