Commit e8f45b2

Update owasp-webgoat.md
1 parent 63620c4 commit e8f45b2

1 file changed

+8
-3
lines changed

code-scanning-guides/synthetic-applications/owasp-webgoat.md

Lines changed: 8 additions & 3 deletions
@@ -8,8 +8,13 @@ Scanning OWASP WebGoat can have some issues right out of the box where CodeQL mi
88
This is due to the following:
99

1010
1. WebGoat uses JDK 17
11-
- Action uses JDK 8 by default
11+
- Action uses a different JDK by default. Use the `actions/setup-java` action.
1212
2. Uses Project Lombok
13-
- Future support will be coming to CodeQL natively
13+
- [support added to CodeQL natively in v2.14.4](https://github.blog/changelog/2023-09-01-code-scanning-with-codeql-improves-support-for-java-codebases-that-use-project-lombok/)
1414
3. Dependencies are not all present in Dependency Graph
15-
- Using [Submission API](https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api#using-pre-made-actions)
15+
- Using [Submission API](https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api#using-pre-made-actions)
16+
4. Vulnerabilities not detected.
17+
1. Local sources not detected
18+
- The default threat model includes remote sources of untrusted data. Use a CodeQL custom configuration file to [expand the threat model to include local sources](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models)https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models: `threat-models: local`
19+
2. For a lower precision scan that may include elevated false positive rates, use a custom configuration file that pulls in additional expirmental, low precision, and community packs/queries.
20+
- See: [Synthetics.yml](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/tree/main/configs#synthetics)
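Review bot: the new line 18+ has the docs URL pasted a second time immediately after the closing `)` of the markdown link, so the rendered bullet will show the link followed by a stray raw URL ending in `...#extending-codeql-coverage-with-threat-models:` with the colon fused onto it; drop the duplicate so the line reads `...threat-models): ` `threat-models: local``. Two smaller points in the same hunk: line 19+ misspells "experimental" as "expirmental", and line 16+ ("4. Vulnerabilities not detected.") ends with a period while the sibling items 1-3 do not, so the sub-items "1. Local sources not detected" and "2. For a lower precision scan..." should be indented under item 4 for the nested list to render, rather than restarting top-level numbering at 1.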
