From 376453058caf1e86b6a4261cece5c926849e8afb Mon Sep 17 00:00:00 2001
From: IneHerm
Date: Fri, 19 Sep 2025 09:37:00 +0200
Subject: [PATCH 1/3] Create coffee_pot.py

---
 coffee_pot.py | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 coffee_pot.py

diff --git a/coffee_pot.py b/coffee_pot.py
new file mode 100644
index 00000000000..0368fa7fefc
--- /dev/null
+++ b/coffee_pot.py
@@ -0,0 +1,35 @@
+import sqlite3
+
+# 🚨 Secret issue: hardcoded API key
+API_KEY = "sk_test_51H6rSuperSecretKeyDontHardcode12345"
+
+def show_coffee_pot():
+ print("""
+ ( (
+ ) )
+ ........
+ | |]
+ \ /
+ `----'
+ """)
+
+# 🚨 SAST issue #1: SQL Injection risk (unsanitized input in query)
+def get_order(user_input):
+ conn = sqlite3.connect("coffee.db")
+ cursor = conn.cursor()
+ query = f"SELECT * FROM orders WHERE customer = '{user_input}'" # vulnerable
+ cursor.execute(query)
+ return cursor.fetchall()
+
+# 🚨 SAST issue #2 + 🚨 Code quality issue: no explanatory comments
+def process_payment(card_number):
+ if len(card_number) < 16:
+ return False
+ return True
+
+
+if __name__ == "__main__":
+ show_coffee_pot()
+ name = input("Enter your name: ")
+ print(get_order(name))
+ print(process_payment("1234-5678-9012-3456"))

From 47bb17357fa3bb6fca90a5f692e8bcdc6d9a7337 Mon Sep 17 00:00:00 2001
From: IneHerm
Date: Fri, 19 Sep 2025 10:42:26 +0200
Subject: [PATCH 2/3] another_one

---
 another_one.py | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 another_one.py

diff --git a/another_one.py b/another_one.py
new file mode 100644
index 00000000000..5f8645fc33a
--- /dev/null
+++ b/another_one.py
@@ -0,0 +1,6 @@
+def show_coffee_pot():
+ print(" ( ( ) ) ........ | |] \\ / `----' This is a very, very, very, very, very, very, very, very, very, very, very long line that makes the code hard to read on normal screens.")
+
+
+if __name__ == "__main__":
+ show_coffee_pot()

From 397b228dd45a1ab79c0f3ebe36344fdd031e6d79 Mon Sep 17 00:00:00 2001
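Review bot: `get_order` interpolates `user_input` into the SQL text with an f-string, and `__main__` feeds it straight from `input()`, so whatever is typed at the prompt becomes part of the statement; the comment marks this as a planted finding, but the bound form is no longer: `cursor.execute("SELECT * FROM orders WHERE customer = ?", (user_input,))`, and the connection opened two lines above is never closed, so wrap it in `contextlib.closing(...)` or call `conn.close()` in a `finally`. `API_KEY` is a literal secret at module level and will stay in history once this is pushed; read it from `os.environ` and keep only a placeholder in the repo. `process_payment` accepts the sample `"1234-5678-9012-3456"` because the dashes count toward `len(card_number) < 16`, so strip separators and require `isdigit()` before the length check, and give the function a docstring saying what it is meant to validate. The pot banner's `\ /` row sits in a non-raw triple-quoted string, so `\ ` is an invalid escape that newer interpreters warn about; `print(r"""` fixes it without changing the output. If the issues are deliberately planted for a scanner demo, a one-line module docstring saying so would stop the next reader from "fixing" the fixture.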
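Review bot: The single-line `print` in `show_coffee_pot` packs the whole pot and the sentence into one literal, which the text itself says is hard to read; since the call is already inside parentheses, split it into adjacent string literals, one per row of the pot, or use a raw triple-quoted string (`print(r"""` … `""")`) so the rows keep their shape and the backslash no longer needs doubling. This module also defines a second `show_coffee_pot` with different output from the one in coffee_pot.py, so a one-line docstring saying which banner this one prints and why it lives in a separate file would help. `__main__` here is its only visible caller, so reshaping the literal is safe.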
From: IneHerm
Date: Mon, 15 Dec 2025 15:44:04 +0100
Subject: [PATCH 3/3] Add files via upload

---
 pom.xml | 830 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 830 insertions(+)
 create mode 100644 pom.xml

diff --git a/pom.xml b/pom.xml
new file mode 100644
index 00000000000..dd8d38d238c
--- /dev/null
+++ b/pom.xml
@@ -0,0 +1,830 @@ + + + 4.0.0 + + + org.springframework.boot + spring-boot-starter-parent + 3.1.0 + + + org.owasp.webgoat + webgoat + 2023.5-SNAPSHOT + jar + + WebGoat + WebGoat, a deliberately insecure Web Application + https://github.com/WebGoat/WebGoat + 2006 + + OWASP + https://github.com/WebGoat/WebGoat/ + + + + GNU General Public License, version 2 + https://www.gnu.org/licenses/gpl-2.0.txt + + + + + + mayhew64 + Bruce Mayhew + webgoat@owasp.org + OWASP + https://github.com/WebGoat/WebGoat + + + nbaars + Nanne Baars + nanne.baars@owasp.org + https://github.com/nbaars + Europe/Amsterdam + + + misfir3 + Jason White + jason.white@owasp.org + + + zubcevic + René Zubcevic + rene.zubcevic@owasp.org + + + aolle + Àngel Ollé Blázquez + angel@olleb.com + + + jwayman + Jeff Wayman + + + + dcowden + Dave Cowden + + + + lawson89 + Richard Lawson + + + + dougmorato + Doug Morato + doug.morato@owasp.org + OWASP + https://github.com/dougmorato + America/New_York + + https://avatars2.githubusercontent.com/u/9654?v=3&s=150 + + + + + + + OWASP WebGoat Mailing List + https://lists.owasp.org/mailman/listinfo/owasp-webgoat + Owasp-webgoat-request@lists.owasp.org + owasp-webgoat@lists.owasp.org + http://lists.owasp.org/pipermail/owasp-webgoat/ + + + + scm:git:git@github.com:WebGoat/WebGoat.git + scm:git:git@github.com:WebGoat/WebGoat.git + HEAD + https://github.com/WebGoat/WebGoat + + + + Github Issues + https://github.com/WebGoat/WebGoat/issues + + + + + 2.5.10 + + 3.3.7 + 3.3.0 + + 3.3.0 + 3.2.1 + 2.11.0 + 3.12.0 + 1.10.0 + 31.1-jre + 0.8.10 + 17 + 2.3.1 + 0.9.1 + 0.9.3 + 3.5.1 + 1.16.1 + 3.8.0 + 2.22.0 + 3.1.2 + 3.1.1 + 3.1.0 + 3.1.0 + 17 + 17 + 3.15.0 + + UTF-8 + UTF-8 + 3.1.1.RELEASE + 5.3.2 + 8080 + 9090 + 2.27.2 + 1.2 + 1.4.5 + + 1.7.0 + + + + + + + org.ow2.asm + asm + 9.5 + + + + org.apache.commons + commons-exec + 1.3 + + + org.asciidoctor + asciidoctorj + ${asciidoctorj.version} + + + + org.jsoup + jsoup + ${jsoup.version} + + + com.nulab-inc + zxcvbn + ${zxcvbn.version} 
+ + + com.thoughtworks.xstream + xstream + ${xstream.version} + + + cglib + cglib-nodep + ${cglib.version} + + + xml-resolver + xml-resolver + ${xml-resolver.version} + + + io.jsonwebtoken + jjwt + ${jjwt.version} + + + com.google.guava + guava + ${guava.version} + + + commons-io + commons-io + ${commons-io.version} + + + org.apache.commons + commons-text + ${commons-text.version} + + + org.bitbucket.b_c + jose4j + ${jose4j.version} + + + org.webjars + bootstrap + ${bootstrap.version} + + + org.webjars + jquery + ${jquery.version} + + + com.github.tomakehurst + wiremock + ${wiremock.version} + + + io.github.bonigarcia + webdrivermanager + ${webdriver.version} + + + org.apache.commons + commons-compress + 1.22 + + + org.jruby + jruby + 9.4.2.0 + + + + + + org.apache.commons + commons-exec + + + org.springframework.boot + spring-boot-starter-validation + + + org.projectlombok + lombok + provided + true + + + javax.xml.bind + jaxb-api + ${jaxb.version} + + + org.springframework.boot + spring-boot-starter-undertow + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-tomcat + + + + + org.springframework.boot + spring-boot-starter-actuator + + + org.flywaydb + flyway-core + + + org.asciidoctor + asciidoctorj + + + org.springframework.boot + spring-boot-starter-data-jpa + + + org.springframework.boot + spring-boot-starter-security + + + org.springframework.boot + spring-boot-starter-thymeleaf + + + org.thymeleaf.extras + thymeleaf-extras-springsecurity6 + + + jakarta.servlet + jakarta.servlet-api + + + org.hsqldb + hsqldb + + + org.jsoup + jsoup + + + com.nulab-inc + zxcvbn + + + com.thoughtworks.xstream + xstream + + + cglib + cglib-nodep + + + xml-resolver + xml-resolver + + + io.jsonwebtoken + jjwt + + + com.google.guava + guava + + + commons-io + commons-io + + + org.apache.commons + commons-lang3 + + + org.apache.commons + commons-text + + + org.bitbucket.b_c + jose4j + + + org.webjars + bootstrap + + + 
org.webjars + jquery + + + jakarta.xml.bind + jakarta.xml.bind-api + + + com.sun.xml.bind + jaxb-impl + runtime + + + + org.springframework.boot + spring-boot-starter-test + test + + + org.springframework.security + spring-security-test + test + + + com.github.tomakehurst + wiremock + 3.0.0-beta-2 + test + + + io.rest-assured + rest-assured + test + + + org.springframework.boot + spring-boot-properties-migrator + runtime + + + + + + + false + + central + https://repo.maven.apache.org/maven2 + + + + + + false + + central + https://repo.maven.apache.org/maven2 + + + + + + + org.springframework.boot + spring-boot-maven-plugin + + true + true + org.owasp.webgoat.server.StartWebGoat + + + + org.asciidoctor + asciidoctorj + + + + + + + repackage + + + + + + org.codehaus.mojo + build-helper-maven-plugin + + + add-integration-test-source-as-test-sources + + add-test-source + + generate-test-sources + + + src/it/java + + + + + + + org.apache.maven.plugins + maven-failsafe-plugin + + + ${basedir}/src/test/resources/logback-test.xml + + -Xmx512m -Dwebgoatport=${webgoat.port} -Dwebwolfport=${webwolf.port} + org/owasp/webgoat/*Test + + + + integration-test + + integration-test + + + + verify + + verify + + + + + + org.apache.maven.plugins + maven-surefire-plugin + ${maven-surefire-plugin.version} + + --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED + --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED + --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED + --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED + --add-opens=java.base/sun.nio.ch=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED + + **/*IntegrationTest.java + src/it/java + org/owasp/webgoat/*Test + + + + + org.apache.maven.plugins + maven-checkstyle-plugin + ${checkstyle.version} + + UTF-8 + true + true + config/checkstyle/checkstyle.xml + 
config/checkstyle/suppressions.xml + checkstyle.suppressions.file + + + + com.diffplug.spotless + spotless-maven-plugin + 2.33.0 + + + + + .gitignore + + + + + true + 4 + + + + + + **/*.md + + + + + + src/main/java/**/*.java + src/test/java/**/*.java + src/it/java/**/*.java + + + + + true + + + + + UTF-8 + ${line.separator} + true + false + true + 2 + false + false + recommended_2008_06 + true + true + true + + + + + + + check + + + + + + org.apache.maven.plugins + maven-enforcer-plugin + 3.3.0 + + + restrict-log4j-versions + + enforce + + validate + + + + + org.apache.logging.log4j:log4j-core + + + + true + + + + + + org.apache.maven.plugins + maven-compiler-plugin + + 17 + 17 + + + + + + + + local-server + + + start-server + + true + + + + + org.codehaus.mojo + build-helper-maven-plugin + + + reserve-container-port + + reserve-network-port + + process-resources + + + webgoat.port + webwolf.port + jmxPort + + + + + + + com.bazaarvoice.maven.plugins + process-exec-maven-plugin + 0.9 + + + start-jar + + start + + pre-integration-test + + ${project.build.directory} + + java + -jar + -Dlogging.pattern.console= + -Dwebgoat.server.directory=${java.io.tmpdir}/webgoat_${webgoat.port} + -Dwebgoat.user.directory=${java.io.tmpdir}/webgoat_${webgoat.port} + -Dspring.main.banner-mode=off + -Dwebgoat.port=${webgoat.port} + -Dwebwolf.port=${webwolf.port} + --add-opens + java.base/java.lang=ALL-UNNAMED + --add-opens + java.base/java.util=ALL-UNNAMED + --add-opens + java.base/java.lang.reflect=ALL-UNNAMED + --add-opens + java.base/java.text=ALL-UNNAMED + --add-opens + java.desktop/java.beans=ALL-UNNAMED + --add-opens + java.desktop/java.awt.font=ALL-UNNAMED + --add-opens + java.base/sun.nio.ch=ALL-UNNAMED + --add-opens + java.base/java.io=ALL-UNNAMED + --add-opens + java.base/java.util=ALL-UNNAMED + --add-opens + java.base/sun.nio.ch=ALL-UNNAMED + --add-opens + java.base/java.io=ALL-UNNAMED + ${project.build.directory}/webgoat-${project.version}.jar + + false + 
http://localhost:${webgoat.port}/WebGoat/actuator/health + + + + stop-jar-process + + stop-all + + post-integration-test + + + + + + + + owasp + + false + + + + + org.owasp + dependency-check-maven + 6.5.1 + + 7 + false + false + + + ${maven.multiModuleProjectDirectory}/config/dependency-check/project-suppression.xml + + + + + + check + + + + + + + + + + coverage + + false + + + + + org.apache.maven.plugins + maven-surefire-plugin + ${maven-surefire-plugin.version} + + --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED + --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED + --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED + --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED + ${surefire.jacoco.args} + + **/*IntegrationTest.java + src/it/java + org/owasp/webgoat/*Test + + + + + org.jacoco + jacoco-maven-plugin + ${jacoco.version} + + + before-unit-test + + prepare-agent + + + ${project.build.directory}/jacoco/jacoco-ut.exec + surefire.jacoco.args + + + + check + + check + + + + + BUNDLE + + + CLASS + COVEREDCOUNT + 0.6 + + + + + ${project.build.directory}/jacoco/jacoco-ut.exec + + + + after-unit-test + + report + + test + + ${project.build.directory}/jacoco/jacoco-ut.exec + ${project.reporting.outputDirectory}/jacoco-unit-test-coverage-report + + + + + + + + +