Snipe codeacy workflow (#9460)

* Removed printerClass="NunoMaduro\Collision\Adapters\Phpunit\Printer"

Signed-off-by: snipe <snipe@snipe.net>

* fix ldap ad authentication filter query mechanism (#7441)

* Create SECURITY.md

* Create codacy-analysis.yml

Co-authored-by: Istvan Basa <basipottom@gmail.com>

.github/workflows/codacy-analysis.yml

@@ -0,0 +1,49 @@
+# This workflow checks out code, performs a Codacy security scan
+# and integrates the results with the
+# GitHub Advanced Security code scanning feature.  For more information on
+# the Codacy security scan action usage and parameters, see
+# https://github.com/codacy/codacy-analysis-cli-action.
+# For more information on Codacy Analysis CLI in general, see
+# https://github.com/codacy/codacy-analysis-cli.
+
+name: Codacy Security Scan
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ master ]
+  schedule:
+    - cron: '36 23 * * 3'
+
+jobs:
+  codacy-security-scan:
+    name: Codacy Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout the repository to the GitHub Actions runner
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
+      - name: Run Codacy Analysis CLI
+        uses: codacy/codacy-analysis-cli-action@1.1.0
+        with:
+          # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository
+          # You can also omit the token and run the tools that support default configurations
+          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
+          verbose: true
+          output: results.sarif
+          format: sarif
+          # Adjust severity of non-security issues
+          gh-code-scanning-compat: true
+          # Force 0 exit code to allow SARIF file generation
+          # This will handover control about PR rejection to the GitHub side
+          max-allowed-issues: 2147483647
+
+      # Upload the SARIF file generated in the previous step
+      - name: Upload SARIF results file
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: results.sarif

SECURITY.md

@@ -0,0 +1,27 @@
+# Security Policy
+
+We take security issues very seriously, and will always attempt to address any 
+vulnerabilities as quickly as possible. 
+
+## Supported Versions
+
+We try to make a reasonable effort to support older versions of Snipe-IT, 
+however there are times when library dependencies and/or PHP/MySQL dependencies 
+make it impossible to backport security fixes on older versions. 
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 5.1.x   | :white_check_mark: |
+| 5.0.x   | :x:                |
+| 4.0.x   | :white_check_mark: |
+| < 4.0   | :x:                |
+
+## Reporting a Vulnerability
+
+Security vulnerabilities should be sent to security@snipeitapp.com. You can typically expect a 
+response within two business days, and we typically have fixes out in under a week from the initial disclosure.
+
+This obviously varies based on the severity of the  security issue and the difficulty in remediation, 
+but those have historically been the timelines we worm around.
+
+For a full breakdown of our security policies, please see https://snipeitapp.com/security.

app/Models/Ldap.php

@@ -93,8 +93,12 @@ class Ldap extends Model
 
         \Log::debug('Attempting to login using distinguished name:'.$userDn);
 
-
+        
         $filterQuery = $settings->ldap_auth_filter_query . $username;
+        $filter = Setting::getSettings()->ldap_filter;
+        $filterQuery = "({$filter}({$filterQuery}))";
+
+        \Log::debug('Filter query: '.$filterQuery);
 
 
         if (!$ldapbind = @ldap_bind($connection, $userDn, $password)) {