feat: Misc ZAP Updates #914

afwilcox · 2025-01-30T20:29:33Z

Description

Please provide a summary of the change and the issue fixed. Please include relevant context. List dependency changes.

Made some changes to the Caddy File and Libraries in order to address the following vulnerabilities:
- CSP: Wildcard Directive
- CSP: script-src unsafe-eval
- CSP: script-src unsafe-inline
- Dangerous JS Function (Upgraded library)
- Deprecated Feature Policy Header Set

Updated the GitHub actions to do the following:

Removed ZAP from scheduled scans and added into PR workflow
Fail Action if a High Severity issue is found

The following ZAP reports were unable to be resolved:

CSP: style-src unsafe-inline: This is part of font awesome, and doesn't seem to work without it. See this GitHub Issue: SVG Symbols violate strict CSP style-src directives FortAwesome/Font-Awesome#16827
Hidden File Found: This is because our custom error page is triggered which does not return 404 error code
Proxy Disclosure: Suspect this is possibly coming from OpenShift is there is nothing sensitive in the headers, and attempting to disable OPTIONS, TRACE and TRACK in Caddy did not resolve the issue
Cookie with SameSite Attribute None: This is a Keycloak Cookie
Insufficient Site Isolation Against Spectre Vulnerability: Patching this will allow the authentication redirects to not function properly.
Timestamp Disclosure: This is a false positive as a result of some code in the Keycloak library
Information Disclosure: Suspicious Comments: - this is coming from a third party library where a comment contains the word 'bug'
Modern Web Application: Yes, this is a modern web application...
Non Storable Content: This is intentional as we don't want to allow anything to be cached
Sec-Fetch-Dest Header is Missing: Adding Header did not resolve issue, possibly being flagged from something else?
Sec-Fetch-Mode Header is Missing: Adding Header did not resolve issue, possibly being flagged from something else?
Sec-Fetch-Site Header is Missing: Adding Header did not resolve issue, possibly being flagged from something else?
Sec-Fetch-User Header is Missing: Adding Header did not resolve issue, possibly being flagged from something else?
Session Management Response Identified: As per ZAP this is informational only

Fixes # (issue)

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

Test A
Test B

Checklist

I have added tests that prove my fix is effective or that my feature works
New and existing unit tests pass locally with my changes

Further comments

Thanks for the PR!

Deployments, as required, will be available below:

Please create PRs in draft mode. Mark as ready to enable:

Analysis Workflow

After merge, new images are deployed in:

Merge Workflow

Thanks for the PR!

Deployments, as required, will be available below:

Please create PRs in draft mode. Mark as ready to enable:

Analysis Workflow

After merge, new images are deployed in:

Merge Workflow

Thanks for the PR!

Deployments, as required, will be available below:

Please create PRs in draft mode. Mark as ready to enable:

Analysis Workflow

After merge, new images are deployed in:

Merge Workflow

Thanks for the PR!

Deployments, as required, will be available below:

Please create PRs in draft mode. Mark as ready to enable:

Analysis Workflow

After merge, new images are deployed in:

Merge Workflow

…pliance-enforcement into CE-1378-zap-updates

sonarqubecloud · 2025-02-04T01:10:31Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

jon-funk

Really appreciate the work on this, always nice to do cleanup, improve standards and workflows.

Reading through the leftover ZAPs, none stick out as concerning. As with most policy tools you get some noise.

jon-funk · 2025-02-04T18:03:08Z

.github/workflows/.tests.yml

+          target: https://${{ env.PREFIX }}-frontend.${{ env.DOMAIN }}/api
+      - name: Check for Back End High Risk Alerts
+        run: |
+          HIGH_RISK_COUNT=$(jq '[.site[].alerts[] | select(.riskcode == "3")] | length' report_json.json)


Really clever use of jq in the zap report output!

afwilcox added 30 commits January 29, 2025 15:22

fix: Trying out a new CSP

ac13f20

chore: Remove require-trusted-types-for

8971456

chore: update Caddy file to return 404 on miss

28fa9ed

chore: Rollback previous change

d6e9ebd

chore: update Caddyfile to work with custom 404

ba1091f

chore: final try for 404 return code

cad5f37

chore: rollback recent Caddy changes

8245f5f

chore: Address Proxy Disclosure

846c6b6

Merge branch 'release/1.0.2' into CE-1378-zap-updates

b24a172

chore: Update keycloak library to fix ZAP issue

cdb2e96

Merge branch 'CE-1378-zap-updates' of https://github.com/bcgov/nr-com…

853f6d0

…pliance-enforcement into CE-1378-zap-updates

npm

643daf6

chore: Caddyfile format and CORP header test

0c19100

chore: rollback keycloak version bump

d7eb630

chore: roll back package-lock.json

b872064

chore: attempt to bump keycloak lib ver

4a54b5a

chore: update redux toolkit version

532d181

chore: add zap scan to tests

ebf59dd

fix: zap only scan FE

4a5210c

chore: zap updates

1f0a6de

chore: CORP updates

779f260

chore: rollback CORP

160f9f7

chore: adjust CORP

fc16f4e

chore: CORP updates

482ce4e

chore: CSP and CORP updates

92ecb8c

chore: block trace/options and tweak CORP

8f0e858

chore: CORP Updates

fd1d883

chore: CSP Updates

1cafcbd

chore: CORP Tweaks, surpress header

34d14a7

chore: CORP tweaks

11340da

afwilcox added 18 commits January 31, 2025 15:40

chore: CORP Updates

2155b76

chore: remove corp; block TRACE and OPTIONS

0b7f71a

chore: attempt to hide proxy

b7865ae

chore: block TRACK and move higher in Caddyfile

a02153c

chore: move global block config

93264c6

fix: clean up caddyFile and fail zap on high

097ac11

chore: test logic in job by lowering threshold

2c23eec

chore: add backend to Zap scan on PR

119a966

chore: ZAP scan job updates

749d547

Merge branch 'release/1.0.2' into CE-1378-zap-updates

2c7f7a3

fix: ZAP steps

5c8a68f

Merge branch 'CE-1378-zap-updates' of https://github.com/bcgov/nr-com…

c0e3ad1

…pliance-enforcement into CE-1378-zap-updates

fix: missed steps line

0b90e95

chore: update ZAP scans to run in sequence

8355572

chore: address Sec- headers

3774ad6

chore: Backout last change since it didn't matter

b8b258a

chore: Attempt to get rid of console error

bad7ca9

chore: Need to add unsafe-inline back in :(

aff5e85

mishraomp mentioned this pull request Feb 3, 2025

caddy improvements around CSP bcgov/quickstart-openshift#2265

Closed

afwilcox added 2 commits February 3, 2025 15:52

chore: Cleanup unused code

731915d

Merge branch 'release/1.0.2' into CE-1378-zap-updates

bbc62c3

jon-funk approved these changes Feb 4, 2025

View reviewed changes

jon-funk merged commit e7a0838 into release/1.0.2 Feb 4, 2025
20 checks passed

jon-funk deleted the CE-1378-zap-updates branch February 4, 2025 18:14

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: Misc ZAP Updates #914

feat: Misc ZAP Updates #914

afwilcox commented Jan 30, 2025 •

edited by github-actions bot

Loading

sonarqubecloud bot commented Feb 4, 2025

jon-funk left a comment

jon-funk Feb 4, 2025

feat: Misc ZAP Updates #914

feat: Misc ZAP Updates #914

Conversation

afwilcox commented Jan 30, 2025 • edited by github-actions bot Loading

Description

How Has This Been Tested?

Checklist

Further comments

sonarqubecloud bot commented Feb 4, 2025

Quality Gate passed

jon-funk left a comment

Choose a reason for hiding this comment

jon-funk Feb 4, 2025

Choose a reason for hiding this comment

afwilcox commented Jan 30, 2025 •

edited by github-actions bot

Loading