eclipse-tractusx / sig-release

https://eclipse-tractusx.github.io/sig-release
Apache License 2.0

SD Factory Release 23.12 Security Acceptance Criteria #111

Closed kelaja closed 9 months ago

kelaja commented 1 year ago

Release Security 23.12

Source in Catena-X Confluence and Expert Contacts here (source only accessible for Catena-X Consortia members in the current transition phase).

dvasunin commented 12 months ago

https://confluence.catena-x.net/display/cxsecurity/Security+Assessment+-+IDS+Essential+Services%3A+SD+Factory @guenterban, please approve. I couldn't find Kowalczyk Szymon's and Pablo Theissen's GitHub accounts to notify them.

SSIRKC commented 11 months ago

Hey @dvasunin,

I am also from the security team. Can you add me as approver? Will try to approve this then for you.

@SSIRKC

kelaja commented 11 months ago

@SSIRKC kindly write your approval for the tasks in the comments so that I can approve. If you want to approve by yourself, I think committer rights are required. BR

SSIRKC commented 11 months ago

Hi @kelaja,

from security team I can fill out the form to this extent:

Threat Modelling Analysis results
Analysis completed (operations excluded)
List of risks generated or updated, rated & actions defined
Risks accepted or mitigation actions implemented and tested, no high threats acceptable -> No open threats could be found by me -> No additional comments on this matter by Szymon

Artifact Repository: risk register (decentral on Catena-X confluence) -> The confluence page exists and last date updated was 04.08.2023
Prime Contacts: Pablo Theissen, Szymon Kowalczyk
Security Team: SEC0

@kelaja please contact me for the SD factory assessment migration to GitHub. Please forward me two proposals for next week to shortly align on the migration.

sharathshivprasad commented 11 months ago

Threat modelling Document: https://confluence.catena-x.net/display/cxsecurity/Security+Assessment+-+IDS+Essential+Services%3A+SD+Factory

Static Application Security Testing: Veracode passed in ng repo. Please check and approve in TX. DetailedReport_product-sd-hub_20_Nov_2023.pdf

Dynamic Application Security Testing: Latest Invicti report : https://www.netsparkercloud.com/websites/dashboard/1c886ef5079f43ffc29dafeb01c2e9e7/?scanGroupId=4bbd9843-3909-43b7-8d7f-3d9afdbe1134 scan-report-sdfactory-pen.int.demo.catena-x.net-detailedscan-14_11_2023 06_15 PM.pdf

Container Scan : Latest Trivy Link: https://github.com/eclipse-tractusx/sd-factory/actions/runs/6964229715

Secret scanning: No High/Critical findings in Veracode found. Attached the latest Veracode report. Please check GitGuardian from your side as well and approve.

Software Composition Analysis (SCA): latest report is here: https://github.com/eclipse-tractusx/sd-factory/actions/runs/6937612075 Veracode report already attached above.

Infrastructure as Code: Latest KICS report: https://github.com/eclipse-tractusx/sd-factory/actions/runs/6937781409

kelaja commented 11 months ago

@SSIRKC how can I contact you?

SSIRKC commented 11 months ago

@kelaja either CX Teams or kristian.cicka@mercedes-benz.com

DnlZF commented 11 months ago

Hi, there are no open GitGuardian findings -> Secret scanning approved

Best regards Daniel

PiotrStys commented 11 months ago

Hello,

No high/critical vulnerabilities reported back by an Invicti scan. Others have been assessed and approved.

DAST Passed

Best regards, Piotr

klaudiaZF commented 11 months ago

Hi @sharathshivprasad , can you please provide a link for SCA in Veracode?

Thank you in advance

sharathshivprasad commented 11 months ago

Hello @klaudiaZF, please find the latest Veracode scan report. Link: https://analysiscenter.veracode.com/auth/index.jsp#ViewReportsResultSummary:47240:1449024:30942982 Latest Report: DetailedReport_product-sd-hub_26_Nov_2023.pdf

Veracode trigger from github: https://github.com/eclipse-tractusx/sd-factory/actions/runs/6999101297

klaudiaZF commented 11 months ago

Hi All,

SCA Passed

https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsSCA:47240:1449024:31074037:31044185:31059835:::::4566483:

Just please keep in mind that we have two open medium findings.

dvasunin commented 11 months ago

Just please keep in mind that we have two open medium findings:

These findings are most probably false positives. CSRF is not relevant as SDF is stateless and does not use cookies; the second comes from a library we use, but also does not look relevant as SDF does not operate on sensitive data on its own at that level. The 3rd line in application.yml is just a part of the copyright header.

scherersebastian commented 11 months ago

IaC / KICS passed. No Trivy / container scan. Please set up the scan of https://hub.docker.com/r/tractusx/sdfactory/tags

dvasunin commented 11 months ago

@scherersebastian please take a look at https://github.com/eclipse-tractusx/sd-factory/actions/runs/7012561647; it looks like the Trivy task was scheduled after your comment.