eclipse-tractusx / sig-release

https://eclipse-tractusx.github.io/sig-release
Apache License 2.0

Discovery Finder Release 23.12 Security Acceptance Criteria #119

Closed kelaja closed 7 months ago

kelaja commented 11 months ago

Release Security 23.12

Source in Catena-X Confluence and Expert Contacts here (Source only accessible for Catena-X Consortia members in current transition phase).

bs-sili commented 10 months ago

Security Team: SEC0

Threat Modelling Analysis results: risk Discovery Finder Security Assessment - Discovery Finder (Source only accessible for Catena-X Consortia members in current transition phase)

bs-sili commented 10 months ago

Security Team: SEC1

Secret scanning: Secret Scanning (gitleaks) is activated and available: https://github.com/eclipse-tractusx/sldt-discovery-finder/actions/workflows/gitleaks.yml

bs-sili commented 10 months ago

@Security Team: SEC1 Static Application Security Testing (SAST):

Please see the results here: https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsAllFlaws:47240:1739409:30762590:30732804:30748454::5382776

One medium risk, which is mitigated.

bs-sili commented 10 months ago

Security Team: SEC1 Software Composition Analysis (SCA): Please have a look at https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsSCA:47240:1739409:30762590:30732804:30748454:::::5382776:

bs-sili commented 10 months ago

@Security Team: SEC3 SEC4 Dynamic Application Security Testing (DAST): Invicti scan made - the results can be seen here: https://www.netsparkercloud.com/scans/report/04af2d3bf4a54d696122b0c002e0d9d2/

bs-sili commented 10 months ago

@Security Team: SEC2 Container Scan conducted: currently under clarification, as the Trivy scan is marking some findings which cannot be solved at the moment.

Update (24.11.2023): As discussed at the DevSecOps meeting this Friday, the finding cannot be mitigated at the moment because of a license check. But as agreed, the finding will not be a blocker for QG.

klaudiaZF commented 10 months ago

Hi All,

SCA Passed

https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsSCA:47240:1739409:30932940:30903117:30918767:::::5382776:

PiotrStys commented 10 months ago

Hello,

No high/critical findings reported by Invicti.

DAST Passed

Regards, Piotr

DnlZF commented 9 months ago

Hi, there are no open GitGuardian findings:

[image attached]

-> Secret scanning approved

Best regards, Daniel

bs-sili commented 9 months ago

@kelaja @guenterban Hi together,

I had a quick check ahead of the upcoming QG meeting on Monday. There are still some checks open:

Please have a look at those open points.

Many thanks in advance!

Best regards, Simone

guenterban commented 9 months ago

Threat Modelling Analysis results: no changes since last released Threat Modelling Analysis results - passed

Static Application Security Testing (SAST) - no high or very high findings in Veracode Static Application Security Testing (SAST) - passed

scherersebastian commented 9 months ago

@Security Team: SEC2 Container Scan conducted: currently under clarification, as the Trivy scan is marking some findings which cannot be solved at the moment.

Update (24.11.2023): As discussed at the DevSecOps meeting this Friday, the finding cannot be mitigated at the moment because of a license check. But as agreed, the finding will not be a blocker for QG.

As stated. KICS passed.