
Offer security checks (OSOE-351) #128

Closed
Piedone opened this issue Feb 10, 2022 · 6 comments · Fixed by #322
Labels: enhancement (New feature or request)

Comments

@Piedone
Member

Piedone commented Feb 10, 2022

Perhaps integrate with some tool that can test a form for XSS vulnerability or something like that. Need to look around.

Jira issue

@Piedone Piedone added the enhancement New feature or request label Feb 10, 2022
@github-actions github-actions bot changed the title Offer security checks Offer security checks (OSOE-351) Sep 18, 2022
@Piedone
Member Author

Piedone commented Nov 4, 2023

We could explore using ZAP.

  • They also offer GitHub Actions: https://github.com/marketplace?query=zap&verification=verified_creator
    • These simply run the packaged scans though, see e.g. here.
    • For an OC app, we'd need the API and Full Scans.
    • If we use these actions, then the app needs to be kept running even after test execution finishes, which seems problematic. Rather, we'd need to run the Docker commands from within the tests, after switching the app to interactive mode. Then, at the end of the scan, we can switch back from interactive mode (either by instructing ZAP to open InteractiveModeController.Continue or by setting IInteractiveModeStatusAccessor.Enabled directly).
  • Instead of packaged scans, ZAP is migrating to the new Automation Framework. zap-weekly uses the Automation Framework as the baseline scan already, we should use that. We can create such an Automation Framework YAML in the desktop app and then use it to run a scan by default.
  • Using ZAP to proxy UITT browser interactions would perhaps be the best, in addition to starting scans in a browser opened by UITT. If the latter is not possible, then we can configure the login shortcut to handle authentication (also see users).
  • Similar to accessibility checks, there should be a way to run these scans for every page view (with ZAP's proxy feature) or explicitly, either for only the current page or like monkey tests, unleashing a scan with the spider. Also similar to accessibility checks, there should be a way to always create a report (see AccessibilityCheckingConfiguration.CreateReportAlways).
  • To be able to assert on the report from a test, we need a machine-readable version of it. ZAP's SARIF report seems suitable for this (sample report). This is available with the report_json switch for packaged scans. We need to save this and also the human-readable pretty report to the Failure Dump. The report_html or report_md switches can do this (perhaps also add the report to the workflow summary?).
  • ZAP's full configuration should be surfaced in its native way, most possibly with the YAML approach of Automation Framework.
  • Check if there are ZAP plugins that are useful for us, like Attack Surface Detector. These need to be possible to easily run locally in GHA.
  • We need a separate ZAP instance for each scan.
  • We could integrate with GitHub Code Scanning, see GitHub Code Scanning Integration zaproxy/action-baseline#63 and https://github.com/SvanBoxel/zaproxy-to-ghas. Docs on integration are here. This needs SARIF export, see here. However, this doesn't seem necessary, since we'd fail the build on any security issue anyway.
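As an added example of the "assert on the report from a test" and "save both reports to the Failure Dump" points in the comment above (this is not code from the UI Testing Toolbox or from ZAP), the script below gates a run on a SARIF report with a configurable risk threshold. It assumes the SARIF 2.1.0 layout ZAP's SARIF template emits (runs[].results[] with ruleId, level, message.text and a locations[].physicalLocation.artifactLocation.uri) and ZAP's risk-to-level mapping High -> "error", Medium -> "warning", Low -> "note", Informational -> "none". The embedded report, including its rule IDs, URIs and messages, is constructed for illustration; the file names written to the dump directory are likewise assumptions.

```python
"""Gate a UI test on a ZAP SARIF report and keep both reports for the Failure Dump.

Added example, not code from the UI Testing Toolbox or from ZAP. Assumptions:
SARIF 2.1.0 with runs[].results[] carrying ruleId, level, message.text and a
locations[].physicalLocation.artifactLocation.uri, and ZAP's risk-to-level
mapping High -> "error", Medium -> "warning", Low -> "note",
Informational -> "none". The report text below is constructed, not real output.
"""
import json
import tempfile
from pathlib import Path

# SARIF levels from least to most severe. SARIF 2.1.0 says a result with no
# "level" defaults to "warning", so a missing level must not be read as harmless.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample report: one finding per level plus one with no level at all.
CONSTRUCTED_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ZAP"}},
        "results": [
            {"ruleId": "40012", "level": "error",
             "message": {"text": "Cross Site Scripting (Reflected)"},
             "locations": [{"physicalLocation": {"artifactLocation":
                 {"uri": "https://localhost:44300/search?q=x"}}}]},
            {"ruleId": "10038", "level": "warning",
             "message": {"text": "Content Security Policy (CSP) Header Not Set"},
             "locations": [{"physicalLocation": {"artifactLocation":
                 {"uri": "https://localhost:44300/"}}}]},
            {"ruleId": "10021",  # no "level": the SARIF default applies
             "message": {"text": "X-Content-Type-Options Header Missing"},
             "locations": []},
            {"ruleId": "10096", "level": "note",
             "message": {"text": "Timestamp Disclosure"},
             "locations": [{"physicalLocation": {"artifactLocation":
                 {"uri": "https://localhost:44300/about"}}}]},
        ],
    }],
})


def load_results(sarif_text):
    """Flatten every run into (rule_id, level, message, uri) tuples."""
    report = json.loads(sarif_text)
    if report.get("version") != "2.1.0":
        raise ValueError(f"unexpected SARIF version: {report.get('version')!r}")
    results = []
    for run in report.get("runs", []):
        for result in run.get("results", []):
            level = result.get("level", "warning")
            if level not in LEVEL_RANK:
                raise ValueError(f"unknown SARIF level {level!r}")
            uri = ""
            for loc in result.get("locations", []):
                uri = (loc.get("physicalLocation", {})
                          .get("artifactLocation", {}).get("uri", ""))
                if uri:
                    break
            results.append((result.get("ruleId", "?"), level,
                            result.get("message", {}).get("text", ""), uri))
    return results


def findings_at_or_above(results, threshold):
    """Findings whose level is at least `threshold` ("warning" means ZAP Medium)."""
    floor = LEVEL_RANK[threshold]
    return [r for r in results if LEVEL_RANK[r[1]] >= floor]


def gate(sarif_text, threshold="warning"):
    """Return (passed, failing_findings) so a test can assert on the outcome."""
    failing = findings_at_or_above(load_results(sarif_text), threshold)
    return (not failing, failing)


def save_to_failure_dump(dump_dir, sarif_text, pretty_report):
    """Keep the machine-readable and the human-readable report side by side."""
    dump = Path(dump_dir)
    dump.mkdir(parents=True, exist_ok=True)
    (dump / "zap-report.sarif.json").write_text(sarif_text, encoding="utf-8")
    (dump / "zap-report.html").write_text(pretty_report, encoding="utf-8")
    return sorted(p.name for p in dump.iterdir())


def demo_failure_dump():
    """Write the constructed report into a throwaway directory; returns file names."""
    with tempfile.TemporaryDirectory() as tmp:
        return save_to_failure_dump(
            tmp, CONSTRUCTED_SARIF, "<html><body>constructed HTML report</body></html>")


if __name__ == "__main__":
    passed, failing = gate(CONSTRUCTED_SARIF, "warning")
    for rule_id, level, text, uri in failing:
        print(f"{level:8} {rule_id:6} {text} ({uri or 'no location'})")
    raise SystemExit(0 if passed else 1)
```

With the constructed report, gating at "warning" fails on three findings (the error, the explicit warning and the result whose missing level defaults to warning), while gating at "error" fails on one; gating at "none" would also pull in the informational note. Whichever threshold a test picks, both files should still be written to the dump so the pretty report can be attached to the workflow summary.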

@Piedone
Member Author

Piedone commented Nov 12, 2023

There's also a long list of suitable tools by OWASP here: https://owasp.org/www-community/Source_Code_Analysis_Tools. I checked these out, but only the open-source tools supporting .NET (since this list is about code scanning, unlike ZAP). Didn't find anything better than what we already use in .NET Analyzers.

@BenedekFarkas
Copy link
Member

BenedekFarkas commented Nov 16, 2023

We should also investigate using https://codeql.github.com/, AFAIK it partially overlaps with https://github.com/Lombiq/.NET-Analyzers too.

@Piedone
Member Author

Piedone commented Nov 17, 2023

That looks like something we'd configure for code scanning or run in a CI workflow with the CodeQL Action. And yeah, this is rather static code analysis than something related to UI testing.

We can look into trying it out on OSOCE (since unless you use Enterprise, it's only available for public repos) with LGHA. Will you open an issue in the latter or shall I?

@BenedekFarkas
Member

Yes, here are my initial findings too: Lombiq/GitHub-Actions#283

Also found this: https://github.com/apisec-inc/ethicalcheck-action, worth comparing with ZAP.

@Piedone
Member Author

Piedone commented Nov 17, 2023

That looks the same as ZAP's OpenAPI scan.
