Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ZAP active scanning for source and journalist interfaces #6617

Open
wants to merge 5 commits into
base: develop
Choose a base branch
from

Conversation

ghost
Copy link

@ghost ghost commented Oct 12, 2022

Status

Ready for review

Description of Changes

Changes proposed in this pull request:

Adds zap proxy active scanning for journalist and source interfaces, both authenticated and unauthenticated.

Testing

How should the reviewer test this PR?

Verify that zap scans run in CircleCI and produce the expected HTML reports as artifacts

Deployment

Should not disrupt deployment

Checklist

Choose one of the following:

  • I have opened a PR in the docs repo for these changes, or will do so later
  • I would appreciate help with the documentation
  • These changes do not require documentation

@lgtm-com
Copy link

lgtm-com bot commented Oct 12, 2022

This pull request introduces 3 alerts when merging 7834fe2 into cc3ed8a - view on LGTM.com

new alerts:

  • 2 for Use of the return value of a procedure
  • 1 for Unused local variable

@ghost ghost force-pushed the 5946-zap-rewrite branch from 7834fe2 to 26214bc Compare October 12, 2022 09:43
@lgtm-com
Copy link

lgtm-com bot commented Oct 12, 2022

This pull request introduces 3 alerts when merging 26214bc into cc3ed8a - view on LGTM.com

new alerts:

  • 2 for Use of the return value of a procedure
  • 1 for Unused local variable

@ghost ghost force-pushed the 5946-zap-rewrite branch 6 times, most recently from a8120d5 to 6c5ab56 Compare October 12, 2022 15:05
@lgtm-com
Copy link

lgtm-com bot commented Oct 12, 2022

This pull request introduces 3 alerts when merging 6c5ab56 into cc3ed8a - view on LGTM.com

new alerts:

  • 2 for Use of the return value of a procedure
  • 1 for Unused local variable

@ghost ghost force-pushed the 5946-zap-rewrite branch from 6c5ab56 to cf933b1 Compare October 12, 2022 15:20
@lgtm-com
Copy link

lgtm-com bot commented Oct 12, 2022

This pull request introduces 3 alerts when merging cf933b1 into cc3ed8a - view on LGTM.com

new alerts:

  • 2 for Use of the return value of a procedure
  • 1 for Unused local variable

@ghost ghost force-pushed the 5946-zap-rewrite branch from cf933b1 to cf67970 Compare October 19, 2022 18:55
@lgtm-com
Copy link

lgtm-com bot commented Oct 19, 2022

This pull request introduces 3 alerts when merging cf67970 into 3288be8 - view on LGTM.com

new alerts:

  • 3 for Unused local variable

@ghost ghost force-pushed the 5946-zap-rewrite branch from cf67970 to 5b032cd Compare October 19, 2022 19:10
@lgtm-com
Copy link

lgtm-com bot commented Oct 19, 2022

This pull request introduces 2 alerts when merging 5b032cd into 3288be8 - view on LGTM.com

new alerts:

  • 1 for Unused local variable
  • 1 for Unused import

@ghost ghost force-pushed the 5946-zap-rewrite branch 4 times, most recently from d789ec4 to ee7f214 Compare October 25, 2022 16:21
@ghost ghost changed the title [WIP] ZAP active scanning for source and journalist interfaces ZAP active scanning for source and journalist interfaces Oct 25, 2022
@ghost ghost marked this pull request as ready for review October 25, 2022 16:33
@ghost ghost self-requested a review as a code owner October 25, 2022 16:33
@eloquence
Copy link
Member

@L3th3 Just checking in, is this formally ready for review now? (The description still says WIP.) If so, it looks like the static-analysis failure is due to changes in the PR, with bandit complaining about the use of shell=True.

@ghost ghost force-pushed the 5946-zap-rewrite branch 3 times, most recently from c477cbb to 312ef77 Compare October 27, 2022 10:17
@ghost ghost force-pushed the 5946-zap-rewrite branch from 312ef77 to 60a89c4 Compare October 27, 2022 10:23
@ghost ghost force-pushed the 5946-zap-rewrite branch from 60a89c4 to c8ab312 Compare October 27, 2022 10:44
@ghost
Copy link
Author

ghost commented Oct 27, 2022

Yes, it's ready for review. The bandit check is fixed

@cfm cfm self-assigned this Nov 22, 2022
Copy link
Member

@cfm cfm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this, @L3th3! I can confirm:

  • Verify that zap scans run in CircleCI and produce the expected HTML reports as artifacts

I've read through the diff and left some comments inline, with the goal of integrating this script and CI job as much as possible into our current conventions. Let me know what you think.

And a question for follow-up work once this is merged: In the scan report (e.g.) https://output.circle-artifacts.com/output/job/121fb14c-4b31-42b5-acc0-cda447097bb2/artifacts/0/~/project/src_report.html, I note a number of alerts that are by-products of how the applications are served in the development environment. Could these alerts be silenced, so that a maintainer can tell at a glance whether a pull request introduce new alerts at the application-code rather than the make dev level?

.circleci/config.yml Show resolved Hide resolved
Makefile Outdated Show resolved Hide resolved
Comment on lines +1 to +4
urllib3<1.25,>=1.21.1
zapcli
pyotp
selenium
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How would you feel about moving this to something like securedrop/requirements/python3/scan-requirements.txt (with or without a pre-processed scan-requirements.in)?

scans/zapscan.py Outdated Show resolved Hide resolved
scans/zapscan.py Outdated
@@ -0,0 +1,188 @@
from time import sleep
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How would you feel about moving this script to either of the devops or securedrop/bin directories?

.circleci/config.yml Outdated Show resolved Hide resolved
@cfm cfm assigned ghost and unassigned cfm Nov 22, 2022
Copy link
Member

@cfm cfm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for updating this, @L3th3! A couple questions from my previous review are still outstanding, and it looks like you'll need to rebase from develop to resolve conflicts with .circleci/config.yml. Let me know if you'd like to pair on any of this.

Comment on lines +241 to +242
.PHONY: dev-detatched
dev-detatched: ## Run the development server in a Docker container without attatching tty.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typos:

Suggested change
.PHONY: dev-detatched
dev-detatched: ## Run the development server in a Docker container without attatching tty.
.PHONY: dev-detached
dev-detached: ## Run the development server in a Docker container without attaching tty.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants