Merge branch 'juice-shop:master' into master

.devcontainer.json

@@ -10,5 +10,5 @@
             { "mode": "auto" }
         ]
     },
-    "postCreateCommand": "export NG_CLI_ANALYTICS=ci && npm i -g @angular/cli && npm install"
+    "postCreateCommand": "export NG_CLI_ANALYTICS=ci && export NG_FORCE_TTY=false && npm i -g @angular/cli && npm install && unset NG_FORCE_TTY"
 }

.dockerignore

@@ -9,6 +9,8 @@ vagrant/
 logs/
 Dockerfile
 .npmrc
+/bom.json
+/bom.xml
 
 # Pattern is *not covered* by node_modules/ above no matter what IntelliJ says!
 frontend/node_modules/

.eslintrc.js

@@ -33,13 +33,13 @@ module.exports = {
       parser: '@typescript-eslint/parser',
       rules: {
         'no-void': 'off', // conflicting with recommendation from @typescript-eslint/no-floating-promises
-        // FIXME warnings below this line need to be checked and fixed. Line end comments below are number of findings per rule on 02.05.2022
-        '@typescript-eslint/no-misused-promises': 'off', // 1
-        '@typescript-eslint/explicit-function-return-type': 'off', // 197
-        '@typescript-eslint/restrict-plus-operands': 'off', // 250
-        '@typescript-eslint/strict-boolean-expressions': 'off', // 337
-        '@typescript-eslint/restrict-template-expressions': 'off', // 395
-        '@typescript-eslint/no-var-requires': 'off' // 509
+        // FIXME warnings below this line need to be checked and fixed.
+        '@typescript-eslint/no-misused-promises': 'off',
+        '@typescript-eslint/explicit-function-return-type': 'off',
+        '@typescript-eslint/restrict-plus-operands': 'off',
+        '@typescript-eslint/strict-boolean-expressions': 'off',
+        '@typescript-eslint/restrict-template-expressions': 'off',
+        '@typescript-eslint/no-var-requires': 'off'
       }
     }
   ]

.github/CODEOWNERS

@@ -1,2 +1,3 @@
 /vagrant/ @wurstbrot
 /test/cypress/ @ShubhamPalriwala
+/frontend/src/app/score-board-preview @J12934

.github/PULL_REQUEST_TEMPLATE.md

@@ -4,7 +4,9 @@ You can expedite processing of your PR by using this template to provide context
 and additional information. Before actually opening a PR please make sure that it
 does NOT fall into any of the following categories
 
-🚫 Spam PRs (accidental or intentional) - see https://pwning.owasp-juice.shop/part3/contribution.html#handling-of-spam-prs for more information 
+🚫 Spam PRs (accidental or intentional) - these will result in a 7 / 30 / ∞ days ban from
+interacting with the project depending on reoccurrence and severity. You can find more
+information [here](https://pwning.owasp-juice.shop/companion-guide/latest/part3/contribution.html#_handling_of_spam_prs). 
 
 🚫 Lazy typo fixing PRs - if you fix a typo in a file, your PR will only be merged
 if all other typos in the same file are also fixed with the same PR

.github/workflows/codeql-analysis.yml

@@ -18,13 +18,13 @@ jobs:
         language: [ 'javascript' ]
     steps:
     - name: Checkout repository
-      uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
         queries: security-extended
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v2
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2

.github/workflows/lint-fixer.yml

@@ -7,11 +7,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: "Check out Git repository"
-      uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available
-    - name: "Use Node.js 14"
-      uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e #v1: v2.x available
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0
+    - name: "Use Node.js 18"
+      uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d #v3.8.1
       with:
-        node-version: 16
+        node-version: 18
     - name: "Install CLI tools"
       run: npm install -g @angular/cli
     - name: "Install application"
@@ -21,11 +21,11 @@ jobs:
         npm install --ignore-scripts --legacy-peer-deps
     - name: "Fix everything which can be fixed"
       run: 'npm run lint:fix'
-    - uses: stefanzweifel/git-auto-commit-action@v4.0.0
+    - uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a #v4.16.0
       with:
         commit_message: "Auto-fix linting issues"
         branch: ${{ github.head_ref }}
         commit_options: '--signoff'
         commit_user_name: JuiceShopBot
         commit_user_email: [email protected]
-        commit_author: JuiceShopBot <[email protected]>
+        commit_author: JuiceShopBot <[email protected]>

.github/workflows/lock.yml

@@ -12,11 +12,11 @@ jobs:
   action:
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@f1a42f0f44eb83361d617a014663e1a76cf282d2 #note newer is available
+      - uses: dessant/lock-threads@be8aa5be94131386884a6da4189effda9b14aa21 #v4.0.1
         with:
           issue-lock-comment: >
             This thread has been automatically locked because it has not had
             recent activity after it was closed. :lock: Please open a new issue
             for regressions or related bugs.
           issue-lock-reason: ''
-          pr-lock-reason: ''
+          pr-lock-reason: ''

.github/workflows/rebase.yml

@@ -10,11 +10,11 @@ jobs:
     if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase')
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0
         with:
           fetch-depth: 0
       - name: Automatic Rebase
-        uses: cirrus-actions/rebase@1.2
+        uses: cirrus-actions/rebase@b87d48154a87a85666003575337e27b8cd65f691 #v1.8
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   # https://github.community/t5/GitHub-Actions/Workflow-is-failing-if-no-job-can-be-ran-due-to-condition/m-p/38186#M3250
@@ -23,4 +23,4 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Always run
-        run: echo "This job is used to prevent the workflow to fail when all other jobs are skipped."
+        run: echo "This job is used to prevent the workflow to fail when all other jobs are skipped."

.github/workflows/release.yml

@@ -3,6 +3,9 @@ on:
   push:
     tags:
       - v*
+env:
+  ANGULAR_CLI_VERSION: 15
+  CYCLONEDX_NPM_VERSION: '^1.12.0'
 jobs:
   package:
     runs-on: ${{ matrix.os }}
@@ -12,14 +15,15 @@ jobs:
         node-version: [16, 18, 20]
     steps:
       - name: "Check out Git repository"
-        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0
       - name: "Use Node.js ${{ matrix.node-version }}"
-        uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e #v1: v2.x available
+        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d #v3.8.1
         with:
           node-version: ${{ matrix.node-version }}
       - name: "Install CLI tools"
         run: |
-          npm install -g @angular/cli
+          npm install -g @angular/cli@$ANGULAR_CLI_VERSION
+          npm install -g @cyclonedx/cyclonedx-npm@$CYCLONEDX_NPM_VERSION
           npm install -g grunt-cli
       - name: "Set packaging options for Grunt"
         run: |
@@ -36,10 +40,9 @@ jobs:
       - name: "Package application"
         run: |
           npm install --production
-          npm install -g grunt-cli
           npm run package:ci
       - name: 'Attach packaged archive to tag release'
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 #v0.1.15
         with:
           draft: true
           files: dist/*
@@ -49,25 +52,25 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "Check out Git repository"
-        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0
       - name: "Set up QEMU"
-        uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 #v1: V1.2.0 available
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 #v3.0.0
       - name: "Set up Docker Buildx"
-        uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 #v1
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 #v3.0.0
       - name: "Login to DockerHub"
-        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9 #v1.10
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d #v3.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: "Get tag name"
         id: tag
-        uses: dawidd6/action-get-tag@v1
+        uses: dawidd6/action-get-tag@727a6f0a561be04e09013531e73a3983a65e3479 #v1.1.0 TODO Action is archived and should be replaced eventually
       - name: "Set labels for ${{ github.ref }}"
         run: |
           echo "VCS_REF=`git rev-parse --short HEAD`" >> $GITHUB_ENV
           echo "BUILD_DATE=`date -u +”%Y-%m-%dT%H:%M:%SZ”`" >> $GITHUB_ENV
       - name: "Build and push for AMD64 and ARM64 processors"
-        uses: docker/build-push-action@a66e35b9cbcf4ad0ea91ffcaf7bbad63ad9e0229 #note: newer is available
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 #v5.0.0
         with:
           context: .
           file: ./Dockerfile
@@ -78,6 +81,7 @@ jobs:
           build-args: |
             VCS_REF=${{ env.VCS_REF }}
             BUILD_DATE=${{ env.BUILD_DATE }}
+            CYCLONEDX_NPM_VERSION=${{ env.CYCLONEDX_NPM_VERSION }}
   notify-slack:
     if: always()
     needs:
@@ -86,7 +90,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "Slack workflow notification"
-        uses: Gamesight/slack-workflow-status@master
+        uses: Gamesight/slack-workflow-status@26a36836c887f260477432e4314ec3490a84f309 #v1.2.0
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/stale.yml

@@ -7,7 +7,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v6
+      - uses: actions/stale@5ebf00ea0e4c1561e9b43a292ed34424fb1d4578 #v6.0.1 TODO Upgrade to v8.0.0 or later
         with:
           stale-issue-message: >
             This issue has been automatically marked as `stale` because it has not had

.github/workflows/update-challenges-www.yml

@@ -3,7 +3,7 @@ name: "Update challenges on owasp-juice.shop"
 on:
   push:
     branches: [ master ]
-    paths: 
+    paths:
       - 'data/static/challenges.yml'
 
 jobs:
@@ -12,17 +12,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Check out Git repository
-      uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0
       with:
         token: ${{ secrets.BOT_TOKEN }}
         repository: OWASP/www-project-juice-shop
-        branch: master
+        ref: master
     - name: Update challenges.yml
       run: |
         cd _data/
         rm challenges.yml
         wget https://raw.githubusercontent.com/juice-shop/juice-shop/master/data/static/challenges.yml
-    - uses: stefanzweifel/git-auto-commit-action@v4.0.0
+    - uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a #v4.16.0
       with:
         commit_message: "Auto-update challenges.yml from ${{ github.sha }}"
         branch: master

.github/workflows/update-news-www.yml

@@ -9,15 +9,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Check out Git repository
-      uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0
       with:
         token: ${{ secrets.BOT_TOKEN }}
         repository: OWASP/www-project-juice-shop
         branch: master
     - name: Update tab_news.md
       run: |
         sed -i 's/<!-- next:juice-shop -->/<!-- next:juice-shop -->\n* ${{ github.event.release.published_at }}: juice-shop [`${{ github.event.release.tag_name }}`](https:\/\/github.com\/juice-shop\/juice-shop\/releases\/tag\/${{ github.event.release.tag_name }})/' tab_news.md
-    - uses: stefanzweifel/git-auto-commit-action@v4.0.0
+    - uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a #v4.16.0
       with:
         commit_message: "Add juice-shop ${{ github.event.release.tag_name }} release notes to tab_news.md"
         branch: master

.github/workflows/zap_scan.yml

@@ -10,11 +10,11 @@ jobs:
     name: Scan Juice Shop preview instance on Heroku
     steps:
       - name: Check out Git repository
-        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0
         with:
           ref: develop
       - name: ZAP Scan
-        uses: zaproxy/action-baseline@v0.3.0
+        uses: zaproxy/action-baseline@41aee98ebc7cf2802c3beae4e7d4336413a21e43 # v0.9.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           target: 'https://preview.owasp-juice.shop'

.gitignore

@@ -30,6 +30,8 @@ vagrant/.vagrant/
 JSON
 JSON.map
 frontend/src/**/*.js
+/bom.json
+/bom.xml
 
 # IDEs
 .idea/
@@ -59,3 +61,6 @@ config/*.yml
 !config/unsafe.yml
 !config/tutorial.yml
 !config/oss.yml
+
+# System Files
+.DS_Store

.zap/rules.tsv

@@ -13,3 +13,7 @@
 10049	IGNORE	(Non-Storable Content)
 10110	IGNORE	(Dangerous JS Functions)
 90004	IGNORE	(Insufficient Site Isolation Against Spectre Vulnerability)
+90005	IGNORE	(Sec-Fetch-Dest Header is Missing)
+90005	IGNORE	(Sec-Fetch-Mode Header is Missing)
+90005	IGNORE	(Sec-Fetch-Site Header is Missing)
+90005	IGNORE	(Sec-Fetch-User Header is Missing)

CONTRIBUTING.md

@@ -23,9 +23,9 @@ The minimum requirements for code contributions are:
 
 You can find our detailed contribution guidelines over here:
 
-<https://pwning.owasp-juice.shop/part3/contribution.html>
+<https://pwning.owasp-juice.shop/companion-guide/latest/part3/contribution.html>
 
 ## I18N Contributions
 
 Learn all about our crowd-sourced [translation project on Crowdin](https://crowdin.com/project/owasp-juice-shop)
-here: <https://pwning.owasp-juice.shop/part3/translation.html>
+here: <https://pwning.owasp-juice.shop/companion-guide/latest/part3/translation.html>

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:18 as installer
+FROM node:18-buster as installer
 COPY . /juice-shop
 WORKDIR /juice-shop
 RUN npm i -g typescript ts-node
@@ -15,7 +15,20 @@ RUN rm data/chatbot/botDefaultTrainingData.json || true
 RUN rm ftp/legal.md || true
 RUN rm i18n/*.json || true
 
-FROM gcr.io/distroless/nodejs:18
+ARG CYCLONEDX_NPM_VERSION=latest
+RUN npm install -g @cyclonedx/cyclonedx-npm@$CYCLONEDX_NPM_VERSION
+RUN npm run sbom
+
+# workaround for libxmljs startup error
+FROM node:18-buster as libxmljs-builder
+WORKDIR /juice-shop
+RUN apt-get update && apt-get install -y build-essential python3
+COPY --from=installer /juice-shop/node_modules ./node_modules
+RUN rm -rf node_modules/libxmljs2/build && \
+  cd node_modules/libxmljs2 && \
+  npm run build
+
+FROM gcr.io/distroless/nodejs18-debian11
 ARG BUILD_DATE
 ARG VCS_REF
 LABEL maintainer="Bjoern Kimminich <[email protected]>" \
@@ -25,13 +38,14 @@ LABEL maintainer="Bjoern Kimminich <[email protected]>" \
     org.opencontainers.image.vendor="Open Web Application Security Project" \
     org.opencontainers.image.documentation="https://help.owasp-juice.shop" \
     org.opencontainers.image.licenses="MIT" \
-    org.opencontainers.image.version="15.0.0" \
+    org.opencontainers.image.version="15.3.0" \
     org.opencontainers.image.url="https://owasp-juice.shop" \
     org.opencontainers.image.source="https://github.com/juice-shop/juice-shop" \
     org.opencontainers.image.revision=$VCS_REF \
     org.opencontainers.image.created=$BUILD_DATE
 WORKDIR /juice-shop
 COPY --from=installer --chown=65532:0 /juice-shop .
+COPY --chown=65532:0 --from=libxmljs-builder /juice-shop/node_modules/libxmljs2 ./node_modules/libxmljs2
 USER 65532
 EXPOSE 3000
 CMD ["/juice-shop/build/app.js"]