Analyzing HelloShiftLeft with NG SAST

This article walks you through how ShiftLeft CORE's NG SAST works using the HelloShiftLeft sample application.

Prerequisites

If you haven't already, install NG SAST.

To get HelloShiftLeft, you can clone its repo by running git clone https://github.com/ShiftLeftSecurity/HelloShiftLeft.git in the Terminal/Bash.

You must have the Java 8 SDK installed to use HelloShiftLeft.

Step 1: Build HelloShiftLeft

Build the HelloShiftLeft sample app using Maven by running mvn clean package (you can also use another build tool of your choice). If the build succeeds, you can expect the “BUILD SUCCESS” message to be printed to the Terminal/Bash.

Step 2: Run NG SAST

To analyze the code for HelloShiftLeft with NG SAST, run sl analyze --app HelloShiftLeft --wait --java target/hello-shiftleft-0.0.1.jar. You will see the following output:

[INFO] initialized gRPC logging connection to api.shiftleft.io:443
libplugin version 0.4.112 (72b9cabfb52b34ca9bf058f464361a76c50cde89)
libplugin version 0.4.112 (72b9cabfb52b34ca9bf058f464361a76c50cde89)
Shiftleft CLI 2020-06-10T19:24:55.946Z Copying Target File /HelloShiftLeft/target/hello-shiftleft-0.0.1.jar
[INFO] Uploading to secure tenant namespace
[INFO] Result file is /var/folders/8t/z2j...gp/T/shiftleft-78...70/output/HelloShiftLeft443117933
[INFO] Uploading to secure tenant namespace
31.85 MB / 31.85 MB [==================================================================] 100.00% 17.27 MB/s 1s
... Done. Submitted for analysis
Waiting for analysis to finish. Press ctrl+c to cancel.
Progress: 14%
...
Progress: 100%
Done. Load the following URL in your browser:
https://www.shiftleft.io/findingsSummary/HelloShiftLeft?apps=HelloShiftLeft&isApp=1
The Scan ID for application HelloShiftLeft is: 1

Step 3: View Your Results

Per the instructions printed to the Terminal/Bash, open the URL provided. This will bring you to the ShiftLeft Dashboard, where you will see a summary of the vulnerabilities identified in HelloShiftLeft.
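The three steps above can be scripted, which is useful when the scan runs in CI rather than by hand. The following is an added example, not code from ShiftLeft or the HelloShiftLeft project: it builds the jar, submits it with sl analyze, and pulls the dashboard URL and Scan ID out of the CLI output. It assumes mvn and sl are on PATH and that it is run from the HelloShiftLeft checkout; the sample output at the bottom is constructed from the output shown in this article so the parsing can be checked offline.

```shell
#!/usr/bin/env bash
# Added example: drive the HelloShiftLeft build and NG SAST run
# non-interactively and record which scan the build produced.
set -eu

# Print the dashboard URL that follows "Done. Load the following URL".
scan_url() {
  # $1: captured output of `sl analyze`
  printf '%s\n' "$1" | awk '/^Done\. Load the following URL/ {getline; print; exit}'
}

# Print the numeric Scan ID from "The Scan ID for application X is: N".
scan_id() {
  printf '%s\n' "$1" | sed -n 's/^The Scan ID for application .* is: \([0-9][0-9]*\)$/\1/p'
}

# Build the jar and submit it for analysis; prints "<scan id> <url>".
# Assumption: run from the HelloShiftLeft checkout with mvn and sl on PATH.
run_analysis() {
  mvn -q clean package
  local out id url
  # --wait keeps the CLI attached until the analysis has finished,
  # so the summary lines we parse are present in the captured output.
  out=$(sl analyze --app HelloShiftLeft --wait --java target/hello-shiftleft-0.0.1.jar 2>&1)
  id=$(scan_id "$out")
  url=$(scan_url "$out")
  # Fail the job loudly if the CLI did not report a Scan ID.
  [ -n "$id" ] || { echo "no Scan ID found in sl analyze output" >&2; return 1; }
  printf '%s %s\n' "$id" "$url"
}

# Constructed sample: the tail of the `sl analyze` output from this article.
SAMPLE_OUTPUT='Progress: 100%
Done. Load the following URL in your browser:
https://www.shiftleft.io/findingsSummary/HelloShiftLeft?apps=HelloShiftLeft&isApp=1
The Scan ID for application HelloShiftLeft is: 1'
```

Call run_analysis from a CI step to capture the Scan ID alongside the build number; scan_id and scan_url can be exercised on SAMPLE_OUTPUT without an account.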