Closed pburkholder closed 2 years ago
Will test in staging before promoting to production.
I ran a ZAP scan on staging and didn't find anything of real concern. No Highs and the Mediums are of less concern (if they're valid).
I've reviewed the release notes for Stratos and I don't see anything patched after 4.1.0 that would be security related.
https://github.com/cloudfoundry/stratos/issues/4716 relates to code released after 4.1.0. https://github.com/cloudfoundry/stratos/issues/4615 doesn't seem relevant since we only push to CF with persistence enabled.
I think we can go ahead and release this on Monday.
Updated to v4.1.0 and released into production.
In order to be less insecure, we want to address the 2022-02-28 VDP report.
Security considerations
Close security hole
Implementation sketch
Apply similar patch from stratos 3