
Eclipse Data Space Connector (EDC) Release 23.12 Security Acceptance Criteria #75

Closed
7 tasks done
kelaja opened this issue Oct 6, 2023 · 16 comments
Labels: edc (Feature/Bug for EDC component), foss (RM FOSS definition), security analysis (RM security analysis)

@kelaja
Contributor

kelaja commented Oct 6, 2023

Release Security 23.12

Source in Catena-X Confluence and Expert Contacts here (source only accessible for Catena-X Consortia members in the current transition phase).

  • Threat Modelling Analysis results
    Analysis completed (operations excluded):

    • List of risks generated or updated, rated & actions defined
    • Risks accepted or mitigation actions implemented and tested
    • no high threats acceptable

    Artifact Repository:

    • risk register (decentral on Catena-X confluence)

    Prime Contacts:

    • Security Team: SEC0
  • Static Application Security Testing (SAST)

    • code must be scanned weekly with Veracode tool
    • medium risks require mitigation statement
    • high and above not accepted

    Best Practice:

    • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

    Artifact Repository:

    • Veracode UI
    • (+ GitHub Action)

    Prime Contacts:

    • Security Team: SEC1
  • Dynamic Application Security Testing (DAST)
    incl. API testing (if applicable)

    • all findings assessed
    • high & very high findings mitigated
    • evidence by re-scan

    Best Practice:

    • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

    Artifact Repository:

    • INVICTI tool

    Prime Contacts:

    • Security Team: SEC3 SEC4
  • Secret scanning
    Scan executed centrally by the SEC team with ZERO valid findings

    Artifact Repository:

    • Veracode or alternative tool
    • GitHub Secret Scanning
    • GitGuardian

    Best Practice:

    • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

    Prime Contact:

    • Security Team: SEC1
  • Software Composition Analysis (SCA)
    Dependencies must be scanned with the Veracode tool with regard to vulnerabilities

    • high and above not accepted
    • FOSS whitelist policy has to be passed

    Best Practice:

    • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

    Artifact Repository:

    • Veracode UI
    • (& GitHub Action)

    Prime Contacts:

    • Security Team: SEC1
  • Container Scan conducted
    All containers in GitHub Packages must be scanned

    • High / Critical findings not accepted

    Best Practice:

    • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

    Artifact Repository:

    • Trivy
    • via nightly GitHub Action

    Prime Contacts:

    • Security Team: SEC2
  • Infrastructure as Code
    IaC code must be scanned.

    • Error findings not accepted

    Best Practice:

    • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

    Artifact Repository:

    • KICS or alternative tool
    • via nightly GitHub Action

    Prime Contacts:

    • Security Team: SEC2
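Added example (not taken from this issue or from the tractusx-edc repository) of how the two "via nightly GitHub Action" items above, the Trivy container scan that rejects High/Critical findings and the KICS IaC scan, can be wired into one scheduled workflow. The ghcr.io registry path, the `charts` directory, the pinned action versions and the mapping of "error findings" to KICS `fail_on: high` are assumptions; the image names are the ones discussed later in this issue.

```yaml
name: nightly-security-scans
on:
  schedule:
    - cron: "0 2 * * *"   # nightly, as required by the acceptance criteria
  workflow_dispatch:

permissions:
  contents: read
  packages: read          # needed to pull images from GitHub Packages

jobs:
  container-scan:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false    # scan every image even if one fails the gate
      matrix:
        # image names from this issue; registry path is an assumption
        image:
          - edc-controlplane-postgresql-hashicorp-vault
          - edc-dataplane-hashicorp-vault
          - edc-dataplane-azure-vault
    steps:
      - name: Scan image with Trivy, fail on High/Critical
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/ORG-PLACEHOLDER/${{ matrix.image }}:latest
          format: table
          severity: CRITICAL,HIGH
          exit-code: "1"         # High / Critical findings not accepted
          ignore-unfixed: false  # unfixed Highs still count against the gate

  iac-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan IaC with KICS, fail on High
        uses: checkmarx/kics-github-action@v1.7.0
        with:
          path: charts           # assumed location of the Helm charts
          fail_on: high          # assumed mapping of "error findings"
          output_path: kics-results
```

The scheduled run turns red whenever either gate is violated, which is the evidence the SEC team asks for in the "Best Practice" items above.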
@kelaja kelaja added edc Feature/Bug for EDC component security analysis RM security analysis foss RM FOSS definition labels Oct 6, 2023
@kelaja kelaja added this to the 23.12 milestone Oct 6, 2023
@kelaja kelaja self-assigned this Oct 6, 2023
@stefan-ettl

Threat Modeling - No change because we stick to 0.5.x Version of EDC.
Secret Scanning - eclipse-tractusx/tractusx-edc#872
SCA - https://github.com/eclipse-tractusx/tractusx-edc/actions/workflows/kics.yml

@kelaja
Contributor Author

kelaja commented Nov 23, 2023

@stefan-ettl, kindly write the links to the Sec-Topics so that the Sec-Team can check.

@PiotrStys

@stefan-ettl, what Kelaja is asking for would help; in addition, I will need the URL of a working deployment to conduct DAST.
Thanks

@klaudiaZF

Hi @stefan-ettl, can you please provide a link for SCA in Veracode?

thank you in advance

@klaudiaZF

klaudiaZF commented Nov 27, 2023

Hi All,

EDC control plane (tractusx-edc/edc-controlplane-postgresql-azure-vault) was discussed in today's security meeting, and we decided that SCA can be passed with those high findings.

https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsSCA:47240:1711902:31076005:31046153:31061803:::::5311698:

@Gitleena

Gitleena commented Nov 28, 2023

Hi All,

EDC Runtime Memory didn't pass the SCA due to 1 high vulnerability.

https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsSCA:47240:1711905:31076007:31046155:31061805:::::5311701:

@Gitleena

Gitleena commented Nov 28, 2023

Hi All,

SCA for EDC controlplane postgresql hashicorp vault is passed.

https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsSCA:47240:1711902:31076005:31046153:31061803:::::5311698:

@Gitleena

Gitleena commented Nov 28, 2023

Hi All,

EDC dataplane azure vault didn't pass the SCA due to 1 high vulnerability.

(https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsSCA:47240:1711906:31076002:31046150:31061800:::::5311703:)

@Gitleena

Gitleena commented Nov 28, 2023

Hi All,

edc-dataplane-hashicorp-vault didn't pass the SCA due to 1 high vulnerability.

(https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsSCA:47240:1711904:31076001:31046149:31061799:::::5311700:)

@DnlZF

DnlZF commented Nov 28, 2023

Hi,
there are no open GitGuardian findings:


-> Secret scanning approved

Best regards
Daniel

@stefan-ettl

Because of the SCA, the likelihood criterion is not met. We're not serving static content using this library.
@SSIRKC can you please confirm.

@kelaja
Contributor Author

kelaja commented Dec 6, 2023

Proposed Release Note:

Release Note EDC:

EDC provides no new release compared to R23.09 (a.k.a R3.2) but only patches, EDC Version 0.5.3 is part of Release 23.12 with the following limitations:

Basic Security Tests have been performed (https://github.com/eclipse-tractusx/sig-release/issues/75).
We strongly recommend that each EDC Operator apply their own security measures; in particular, Dynamic Application Security Testing (DAST) needs to be executed for each specific operation environment and instance.

TRGs 5.11, 7.01, 7.05, 7.07 cannot be fulfilled as the EDC has not been upgraded from 23.09 (QG checks - Release 23.12 tractusx-edc#885).
The TRGs will be completed in Release 24.05, as there will be a new EDC Version available.

@SSIRKC

SSIRKC commented Dec 7, 2023

Hi @stefan-ettl,

I can confirm we have checked under which circumstances the vulnerability appears. According to the discoverer's sources, the exploitation is only available when the library is used to serve static sources. Since this is not the case, the functionality cannot be abused under current circumstances; hence, it is not affecting this Q-gate.

Thanks for your help and time to check this.

@RoKrish14

@kelaja @stefan-ettl
EDC v0.5.3 DAST Scan - PASS

@stefan-ettl

stefan-ettl commented Dec 7, 2023

Thank you @RoKrish14.
As a summary:

  • DAST has passed --> can be checked.
  • SCA had one issue, but it is not relevant in our case, as stated by @SSIRKC --> can be checked.
  • SAST there is no High or Critical issue (relevant here is edc-dataplane-hashicorp-vault, edc-controlplane-postgresql-hashicorp-vault and edc-dataplane-azure-vault) --> can be checked.
  • Container Scan (Trivy) works as well (https://github.com/eclipse-tractusx/tractusx-edc/actions/runs/7130065529) --> can be checked.

@kelaja could you please check the boxes as stated above?

@kelaja kelaja moved this from Inbox to Done in Release Planning Dec 7, 2023
@kelaja kelaja closed this as completed Dec 13, 2023