Skip to content

Cognition-Partner-Workshops/uc-vulnerability-remediation-java-dotnet

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Enterprise Vulnerability Remediation — Java / .NET Portfolio

Demo repository representing a slice of a large enterprise application estate (~300 applications, primarily Java and .NET) with a mature vulnerability backlog. It is designed for running Devin Security Swarm scans and autonomous remediation workflows against real, production-grade codebases — not synthetic seeded vulnerabilities.

Portfolio

Service Stack Source Why it's here
services/retirement-core-banking Java 17 / Spring Boot / Gradle Apache Fineract 1.8.4 (Apache-2.0) Real core-banking / retirement-services platform pinned to a 2023 release, carrying a genuine backlog of known CVEs in its dependency tree (Spring, Jackson, snakeyaml, etc.)
services/policy-admin-portal .NET Framework 4.7.2 / ASP.NET MVC 5 / NuGet eShopModernizing (MIT) Legacy .NET line-of-business app with an aged packages.config (Newtonsoft.Json 12.0.1, log4net 2.0.10, jQuery 3.5.0, bootstrap 4.3.1, …)
infrastructure/ Terraform + Packer + Docker This repo Infra/AMI vulnerability track: pinned outdated AMIs and end-of-life base images

Scenario

  • Application backlog: 500+ open application vulnerabilities across the estate; ticket history restarts in January 2026 (new VIT module), but the underlying vulnerabilities are more than a year old — hence the pinned 2023 release tags.
  • Infrastructure backlog: 8,000+ open Critical/High infrastructure vulnerabilities, dominated by outdated AMIs and base images — see infrastructure/.
  • Remediation loop: security scan → VIT ticket → L3 triage/fix → security re-scan → confirm → close. The automated analog implemented here is documented in docs/REMEDIATION_WORKFLOW.md.

Scanning

Two scanner paths are wired in .github/workflows/:

  • Snyk (snyk-scan.yml) — Open Source (Gradle + NuGet) and IaC scans, matching estates standardized on Snyk. Requires a SNYK_TOKEN secret.
  • Trivy (vuln-auto-remediate.yml) — scanner-agnostic fallback path with the closed-loop Devin auto-remediation trigger (no external account needed).

Devin Security Swarm can also be pointed directly at this repository; the two service trees and the IaC tree give it Java, .NET, and infrastructure findings in a single scan.

Layout

services/
  retirement-core-banking/   # Apache Fineract 1.8.4 (full source tree)
  policy-admin-portal/       # ASP.NET MVC 5 solution (packages.config)
infrastructure/
  terraform/                 # EC2 fleet pinned to outdated AMIs
  packer/                    # AMI build template on an EOL base image
  docker/                    # EOL base-image Dockerfile
docs/
  REMEDIATION_WORKFLOW.md    # Closed-loop scan→fix→verify→escalate flow

Licenses

  • services/retirement-core-banking retains its Apache-2.0 license and notices.
  • services/policy-admin-portal originates from eShopModernizing (MIT).

About

Enterprise vulnerability remediation demo — real-world Java (Apache Fineract 1.8.4) + .NET (legacy ASP.NET MVC) portfolio with genuine CVE backlog, Snyk/Trivy scan workflows, and infra/AMI remediation track

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors