Enable code scanning (vulnerabilities)

[akrguda]

As a member of the development team I know how we can scan ower code about vulnerabilities so that we can improve the security and quality of our software project.

DoR:

• [x] A software developer is selected and confirmed to handle this ticket

Acceptance Criteria:

• [x] AC1: An evalutation about which tool etc. can be used for this purpose
• [x] AC2: The selected tool gets tested about usability in our project
• [x] AC3: The evaluated tool and how to use it is documented
• [x] AC4: Check the different layers and tool to check the security.

DoD:

• [x] We got the knowhow how to improve the vulnerabilities
• [x] With a demonstration about the roadmap, all members of the team knows what is to do next and how to handle it at work
• [x] The next steps are cleary specified

[akrguda]

Simon has some ideas about how to handle it.

[balsih]

Tool-Options

• https://www.sonarqube.org/downloads/ (self-hosted) = Static Code Analysis for Java, C#, JavaScript, HTML, CSS and much more. Für Open Source Projekte kann auch kostenlos SonarCloud verwendet werden, was von den Incubators auch empfohlen wird: https://sonarcloud.io (cloud-hosting)
• Dependabot von GitHub (cloud-hosting) um das Dependency-Tracking zu automatisieren. Dieser Bot erstellt bei einer Vulnerability auch gleich einen entsprechenden Pull-Request 😄
• https://snyk.io/plans/ (cloud-hosting) = Container- and IaC-Security

Mit diesen 3 Tools hätten wir in meinen Augen die ganze Chain abgedeckt.

Frameworks

• OWASP
• NIST
• STRIDE

Weitere interne Infos

• https://wiki.akros.ch/display/TO/Security+Initiative
• https://wiki.akros.ch/display/TO/Austausch+AKROS+Marketplace
• Microsoft Thread Model (File liegt im readme im architecture-folder)

Ansprechpersonen

• Matthias Blaser
• Thomas Kneubühl

[asiday]

Please check the documentation for the local code analyse with SonarQube here https://wiki.akros.ch/display/TO/Code+Analysis+with+SonarQube