Merge pull request #35 from advanced-security/webgoat-synthetic-guidance

WebGoat Synthetic Guidance Updates

Author: felickz

code-scanning-guides/synthetic-applications/owasp-webgoat.md

@@ -8,8 +8,12 @@ Scanning OWASP WebGoat can have some issues right out of the box where CodeQL mi
 This is due to the following:
 
 1. WebGoat uses JDK 17
-  - Action uses JDK 8 by default
+    - Action uses a different JDK by default.  Use the `actions/setup-java` action.
 2. Uses Project Lombok
-  - Future support will be coming to CodeQL natively
+    - [support added to CodeQL natively in v2.14.4](https://github.blog/changelog/2023-09-01-code-scanning-with-codeql-improves-support-for-java-codebases-that-use-project-lombok/)
 3. Dependencies are not all present in Dependency Graph
-  - Using [Submission API](https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api#using-pre-made-actions)    
+    - Using [Submission API](https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api#using-pre-made-actions)    
+4. Vulnerabilities not detected. 
+    - Enhance CodeQL to use a custom configuration file that broadens the threat model and pulls in additional expirmental, low precision, and community packs/queries. Note that this may include alerts with elevated false positive rates due to lower precision.
+        - See: [Synthetics.yml](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/tree/main/configs#synthetics)
+        - The default threat model includes remote sources of untrusted data.  This config will also [expand the threat model to include local sources](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models): `threat-models: local`

code-scanning-guides/synthetic-applications/owasp-webgoat.yml

@@ -13,10 +13,6 @@ permissions:
   contents: read
   security-events: write
 
-env:
-  # Lombok support is now included by default, this is no longer needed
-  # CODEQL_EXTRACTOR_JAVA_RUN_ANNOTATION_PROCESSORS: true
-
 jobs:
   analyze:
     name: Analyze
@@ -28,34 +24,34 @@ jobs:
         language: [ 'java', 'javascript' ]
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
 
     # WebGoat requires Java/JDK 17
     - name: Set up JDK 17
       if: matrix.language == 'java'
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@v4
       with:
         distribution: 'temurin'
         java-version: 17
         architecture: x64
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # [optional] enabled extended queries
         # queries: +security-extended,security-and-quality
         # [optional] Field Config - standard packs, extensions, and extra packs
-        config-file: advanced-security/codeql-queries/config/codeql.yml@main
+        config-file: GitHubSecurityLab/CodeQL-Community-Packs/configs/synthetics.yml@main
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # Run the Analysis
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
 
     # Submit Maven Dependency Tree to GitHub
     - name: Maven Dependency Tree Dependency Submission
       if: matrix.language == 'java'
-      uses: advanced-security/maven-dependency-submission-action@v3.0.2
+      uses: advanced-security/maven-dependency-submission-action@v3