OSOE-351: Offer security checks #322

Merged: 133 commits, Dec 5, 2023
Changes from 1 commit; the PR's 133 commits:
0d18df7
Adding basics of installing ZAP from Docker
Piedone Nov 14, 2023
338811b
Adding ZAP baseline scan run as a prototype
Piedone Nov 14, 2023
32f9b54
Inserting SecurityScanningTests into the sample walkthrough
Piedone Nov 14, 2023
2d288e3
Interactive mode docs and making internally used methods internal
Piedone Nov 14, 2023
290aa3d
Running ZAP scans for the current base URL
Piedone Nov 14, 2023
62c4233
Temporarily not running retries
Piedone Nov 14, 2023
ed31832
Fixing ZAP network access under Linux
Piedone Nov 14, 2023
8af3f0d
Managing the ZapManager instance centrally
Piedone Nov 14, 2023
19cc147
Redirecting ZAP output to the test output
Piedone Nov 14, 2023
f174c2f
Making SecurityScanShouldPass pass with simplified setup
Piedone Nov 14, 2023
d0ba4a8
Docs
Piedone Nov 14, 2023
dd3ff19
Basics of using YAML config files
Piedone Nov 15, 2023
8c703cc
Adding support for YAML config files
Piedone Nov 15, 2023
1c6667a
Running spiderAjax only for "modern" apps
Piedone Nov 15, 2023
540dc9e
Switching to the Blog recipe since ZAP has a bug with Coming Soon
Piedone Nov 15, 2023
51f429d
Link to ZAP bug report
Piedone Nov 15, 2023
06d5560
Centralizing YAML paths
Piedone Nov 15, 2023
4fa49b9
More flexible YML manipulation
Piedone Nov 15, 2023
e25d515
Adding UITestContext extensions for security scans
Piedone Nov 15, 2023
1ba4af9
Nicer-looking reports
Piedone Nov 15, 2023
821bf4a
Adding basics of separate docs page
Piedone Nov 15, 2023
7c21ab1
Generating SARIF reports too
Piedone Nov 15, 2023
754bd4c
Automatically setting report directories to the conventional one
Piedone Nov 15, 2023
694557f
Docs
Piedone Nov 15, 2023
06a7e02
Changing report theme to the less extravagant "corporate" one
Piedone Nov 15, 2023
06bbfe0
Saving ZAP reports into the Failure Dump
Piedone Nov 15, 2023
c5fc663
Adding the ability to assert on security scan results
Piedone Nov 15, 2023
4fbd32a
Making SecurityScanShouldPass pass
Piedone Nov 15, 2023
2c48541
Docs
Piedone Nov 16, 2023
868763a
Adding assertion delegate that doesn't fail on HSTS not being set
Piedone Nov 16, 2023
0a5f608
Changing ugly object-based YAML manipulation to nicer YamlDocument-ba…
Piedone Nov 16, 2023
f2b5407
Simpler sample assertion
Piedone Nov 16, 2023
d1c851a
Docs
Piedone Nov 16, 2023
35f2e8e
Fixing that Automation Framework plan YAMLs were called "configuratio…
Piedone Nov 16, 2023
1509582
Making sure Automation Framework Plans are copied to the NuGet packag…
Piedone Nov 16, 2023
5ed1520
Restoring the Baseline plan
Piedone Nov 16, 2023
361d165
Less oblivious assertion in sample test
Piedone Nov 16, 2023
74693fa
Disabling the Strict-Transport-Security Header Not Set rule since it'…
Piedone Nov 16, 2023
0e4f77b
Removing the spiderAjax job from plans by default but adding configur…
Piedone Nov 16, 2023
c4ae329
Fixing SecurityScanWithCustomConfigurationShouldPass
Piedone Nov 16, 2023
61f162d
Better configurability
Piedone Nov 16, 2023
6ee61e1
Fixing debug code
Piedone Nov 16, 2023
0980b9d
Docs formatting
Piedone Nov 16, 2023
2a04614
Rule IDs are actually ints
Piedone Nov 16, 2023
3f1f974
Fixing assertion for when there are no alerts
Piedone Nov 16, 2023
805d731
Helper to merge YAMLs
Piedone Nov 16, 2023
8ac11f1
Fixing method name
Piedone Nov 16, 2023
4f7ca1f
Docs
Piedone Nov 16, 2023
e4e479b
Preventing running more than one scan in the same test
Piedone Nov 16, 2023
a61497c
Adding config to always create a scan report but it's not working now
Piedone Nov 16, 2023
e6cfe46
Adding DisableActiveScanRule()
Piedone Nov 17, 2023
5befd0f
Updating NuGet metadata
Piedone Nov 17, 2023
fe76c3a
We can actually also use the current stable version of ZAP
Piedone Nov 19, 2023
80ddf4a
Better ZAP error handling
Piedone Nov 19, 2023
81bba3b
Typo
Piedone Nov 19, 2023
74c2b43
Configurability for disabling a rule just for a single URL
Piedone Nov 19, 2023
b983c30
Adding simplified fluent configuration
Piedone Nov 20, 2023
c03f54a
Making current user shortcut controller more explicit
Piedone Nov 20, 2023
0b6f0c2
Removing useless "At least 100 URLs found" sample test from scans
Piedone Nov 20, 2023
1e2fca6
Fixing CurrentUserController user retrieval logic
Piedone Nov 20, 2023
9e027f4
Support login
Piedone Nov 21, 2023
2c9a9bc
Docs
Piedone Nov 21, 2023
1c16a3f
More docs
Piedone Nov 21, 2023
2c5711d
Fixing potential race condition in ZAP initialization
Piedone Nov 21, 2023
176b1c1
Fixing docker pull failing due to hint
Piedone Nov 21, 2023
cd99756
Low-level config sample
Piedone Nov 21, 2023
023c25a
Docs
Piedone Nov 21, 2023
8ab5590
Code styling
Piedone Nov 21, 2023
e9ac2f6
Removing leftover arguments
Piedone Nov 21, 2023
f4a31f7
Merge remote-tracking branch 'origin/dev' into issue/OSOE-351
Piedone Nov 22, 2023
751f031
Docs formatting
Piedone Nov 22, 2023
e3a15c9
Removing link to now fixed ZAP bug
Piedone Nov 22, 2023
acb9f00
Excluding irrelevant technologies from the scans, making them faster
Piedone Nov 22, 2023
033e23b
Comment on an alternative to separate ZAP Docker container instances …
Piedone Nov 22, 2023
b41d9d2
Merge remote-tracking branch 'origin/issue/OSOE-733' into issue/OSOE-351
Piedone Nov 22, 2023
e8ac897
Removing now unnecessary browser configs
Piedone Nov 22, 2023
9c4ad2d
Resetting debug code
Piedone Nov 23, 2023
5281dd8
Docs
Piedone Nov 23, 2023
dc9e849
Docs
Piedone Nov 23, 2023
30f9c6a
Spelling
Piedone Nov 23, 2023
2fffa22
More spelling
Piedone Nov 23, 2023
600b0db
Updating Helpful Libraries NuGet references to latest
Piedone Nov 23, 2023
7212085
Removing unnecessary code
Piedone Nov 23, 2023
71b0967
Trying to fix report creation issue under GitHub-hosted GHA runners
Piedone Nov 23, 2023
3724507
MaxRetryCount = 0 not to waste time
Piedone Nov 23, 2023
8ceaf8d
Another attempt to fix report creation issue under GitHub-hosted GHA …
Piedone Nov 23, 2023
eca957d
Another attempt to fix report creation issue under GitHub-hosted GHA …
Piedone Nov 23, 2023
439fe04
Merge remote-tracking branch 'origin/issue/OSOE-733' into issue/OSOE-351
Piedone Nov 23, 2023
1328958
Attempting to fix test temp directory cleanup failing due to somethin…
Piedone Nov 23, 2023
a9bf935
How about chmod a+x?
Piedone Nov 23, 2023
3645b93
Trying to restore the original permissions of the reports folder
Piedone Nov 23, 2023
1a9868c
Debug code
Piedone Nov 23, 2023
26aa5ec
Fixing debug code
Piedone Nov 23, 2023
8459d69
Simplifying ExecuteAndGetOutputAsync() call with new overload
Piedone Nov 23, 2023
691ff51
Debug output
Piedone Nov 23, 2023
2eafae1
Attempting additional chmod
Piedone Nov 23, 2023
db617f2
Fail-safe for a clean-up fail under GHA
Piedone Nov 23, 2023
b65ccd9
Fixing restoring the original folder permission
Piedone Nov 23, 2023
3a9b0f6
Removing leftover directory deletion
Piedone Nov 23, 2023
7ddb051
Removing useless code
Piedone Nov 23, 2023
7b9e58d
Adding debug code to see if the chmod alone breaks clean-up
Piedone Nov 23, 2023
624bd3c
Removing chmod to see if anything else breaks clean-up
Piedone Nov 23, 2023
aa20e16
Removing debug code
Piedone Nov 23, 2023
acffc2b
Docs
Piedone Nov 23, 2023
a267151
Intentionally failing security scan to test artifacts
Piedone Nov 23, 2023
879570d
Removing MaxRetryCount = 0
Piedone Nov 23, 2023
c16dcc9
Revert "Intentionally failing security scan to test artifacts"
Piedone Nov 23, 2023
2122a99
Updating Helpful Libraries references
Piedone Nov 23, 2023
7316bd6
Docs
Piedone Nov 23, 2023
d5dd603
Fixing SQL Docker operations
Piedone Nov 23, 2023
6272d30
Simplifying SQL Server Docker CLI calls
Piedone Nov 23, 2023
f36a553
Adding script to display the runtime of scan rules
Piedone Nov 24, 2023
44b117b
Excluding technologies also in CustomZapAutomationFrameworkPlan
Piedone Nov 24, 2023
b47fdd6
Merge remote-tracking branch 'origin/dev' into issue/OSOE-351
Piedone Nov 26, 2023
e4cadd4
Typo
Piedone Nov 30, 2023
bed71de
Grammar
Piedone Nov 30, 2023
56dddac
SecurityScanConfiguration docs clarification and reference fixes
Piedone Nov 30, 2023
8c2c3ee
Fixing docs method reference
Piedone Nov 30, 2023
145c0ad
Clarifying URL regex configurations
Piedone Nov 30, 2023
e122fac
Simplifying AF plan context URL management
Piedone Nov 30, 2023
1e2993d
Cleaning up the ZAP container after completion
Piedone Nov 30, 2023
116bd83
Cleaning up the ZAP image too after completion
Piedone Nov 30, 2023
462d7b1
Revert "Cleaning up the ZAP image too after completion"
Piedone Nov 30, 2023
f0706cf
Adding shortcuts for configuring active scan rules
Piedone Dec 2, 2023
c97657a
AddRequestor() docs clarification
Piedone Dec 2, 2023
631b502
Adding SecurityScanConfiguration.AddAdditionalUri()
Piedone Dec 2, 2023
558b6ad
Docs on the "Cross Site Scripting (DOM Based)" active scan rule
Piedone Dec 2, 2023
b39e37e
Fixing that AdditionalUris wasn't applied to the YAML
Piedone Dec 2, 2023
5f74805
MD, C# linting fixes
Piedone Dec 2, 2023
61d16f8
Fixing MD indentation again
Piedone Dec 2, 2023
b9fb086
Code styling
Piedone Dec 4, 2023
72496e9
Removing outdated comment
Piedone Dec 4, 2023
ba9010a
Updating Lombiq.HelpfulLibraries package references
Piedone Dec 5, 2023
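The commits above describe a series of adjustments to the ZAP Automation Framework plan the toolbox runs: a Baseline-style job list without the spiderAjax job by default, the Strict-Transport-Security Header Not Set passive rule switched off, per-rule configuration of active scan rules, technologies the app does not use excluded to speed up the scan, and an HTML report with the "corporate" theme next to a SARIF report. The plan below is an added example that puts those pieces together in one file; it is not the toolbox's own YAML. The target URL, the durations, the technology exclusion list and the report directory are assumed values, and the active scan rule turned off (DOM-based XSS) is the example's choice, shown only to illustrate the per-rule active scan configuration. The rule IDs are ZAP's own (10035 for the HSTS passive rule, 40026 for DOM-based XSS).

```yaml
# Added example ZAP Automation Framework plan; not a file from the Lombiq UI Testing Toolbox.
# Assumed: the app URL, the durations, the technology exclusions and the report directory.
env:
  contexts:
    - name: "Default Context"
      urls:
        - "http://host.docker.internal:5000"   # assumed: the app as reached from the ZAP container
      includePaths:
        - "http://host.docker.internal:5000.*"
      # Technologies the app under test does not use; excluding them skips their active scan payloads.
      technology:
        exclude:
          - "Db.CouchDB"
          - "Db.MySQL"
          - "Db.Oracle"
          - "Db.PostgreSQL"
          - "Language.PHP"
          - "Language.Python"
          - "Language.Ruby"
          - "WS.Apache"
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true

jobs:
  - type: passiveScan-config
    parameters:
      scanOnlyInScope: true
    rules:
      # 10035 = Strict-Transport-Security Header Not Set. HSTS is usually added by the
      # reverse proxy in front of the app, so the rule is switched off for the local test run.
      - id: 10035
        threshold: "Off"

  - type: spider
    parameters:
      context: "Default Context"
      maxDuration: 2   # minutes (assumed)

  # spiderAjax is left out of the default plan; enable it for JavaScript-heavy ("modern") apps.
  # - type: spiderAjax
  #   parameters:
  #     context: "Default Context"
  #     maxDuration: 2

  - type: passiveScan-wait
    parameters:
      maxDuration: 5   # minutes (assumed)

  - type: activeScan
    parameters:
      context: "Default Context"
    policyDefinition:
      defaultStrength: "Medium"
      defaultThreshold: "Medium"
      rules:
        # 40026 = Cross Site Scripting (DOM Based); turned off here only to show per-rule configuration.
        - id: 40026
          name: "Cross Site Scripting (DOM Based)"
          threshold: "Off"

  - type: report
    parameters:
      template: "traditional-html-plus"
      theme: "corporate"
      reportDir: "/zap/wrk/reports"   # assumed: mounted from the test's working directory
      reportFile: "report"
      reportTitle: "ZAP Scanning Report"

  - type: report
    parameters:
      template: "sarif-json"
      reportDir: "/zap/wrk/reports"
      reportFile: "report"
```

Disabling a passive rule in `passiveScan-config` and an active rule in `policyDefinition` are deliberately separate sections: passive rules run on every response ZAP sees, active rules only during the `activeScan` job, so a rule ID placed in the wrong section is silently ignored. Keep `failOnError: true` so that a plan that fails to load (for example a typo in a job type) fails the test instead of producing an empty report.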
Code styling
Piedone committed Dec 4, 2023
commit b9fb086c7b1892d65e8a76655ce5245b3dfa08ac
3 changes: 1 addition & 2 deletions Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
@@ -37,8 +37,7 @@ public SecurityScanningTests(ITestOutputHelper testOutputHelper)
// will fail the scan, but don't worry! You'll get a nice report about the findings in the failure dump.
[Fact]
public Task BasicSecurityScanShouldPass() =>
ExecuteTestAfterSetupAsync(
context => context.RunAndAssertBaselineSecurityScanAsync());
ExecuteTestAfterSetupAsync(context => context.RunAndAssertBaselineSecurityScanAsync());

// Time for some custom configuration! While this scan also runs the Baseline scan, it does this with several
// adjustments:
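Review bot: the comment above `[Fact]` ("will fail the scan, but don't worry!") reads as if any finding fails BasicSecurityScanShouldPass, but the commits in this PR (868763a "Adding assertion delegate that doesn't fail on HSTS not being set" and 74693fa disabling the Strict-Transport-Security Header Not Set rule) make the baseline assertion tolerate a missing HSTS header; consider extending the comment to say that the default baseline run already has that rule switched off, so a reader knows which findings actually fail the scan. Collapsing `ExecuteTestAfterSetupAsync(context => context.RunAndAssertBaselineSecurityScanAsync());` onto a single line is purely stylistic and fine.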