Closed kelaja closed 7 months ago
Security Team: SEC0
Threat Modelling Analysis results: risk Discovery Finder Security Assessment - Discovery Finder (Source only accessible for Catena-X Consortia members in current transition phase)
Security Team: SEC1
Secret scanning: Secret Scanning (gitleaks) is activated and available: https://github.com/eclipse-tractusx/sldt-discovery-finder/actions/workflows/gitleaks.yml
@Security Team: SEC1 Static Application Security Testing (SAST):
Please see the results here: https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsAllFlaws:47240:1739409:30762590:30732804:30748454::5382776
One medium-risk finding, which is mitigated.
Security Team: SEC1 Software Composition Analysis (SCA): Please have a look at https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsSCA:47240:1739409:30762590:30732804:30748454:::::5382776:
@Security Team: SEC3 SEC4 Dynamic Application Security Testing (DAST): Invicti scan made - the results can be seen here: https://www.netsparkercloud.com/scans/report/04af2d3bf4a54d696122b0c002e0d9d2/
@Security Team: SEC2 Container Scan conducted: currently under clarification, as the Trivy scan is marking some findings which cannot be solved at the moment.
Update (24.11.2023): As discussed at the DevSecOps meeting this Friday, the finding cannot be mitigated at the moment because of a license check. But as agreed, the finding will not be a blocker for the QG.
Hello,
No high/critical findings reported by Invicti.
DAST Passed
Regards, Piotr
Hi, there are no open GitGuardian findings:
-> Secret scanning approved
Best regards Daniel
@kelaja @guenterban Hi together,
I had a quick check ahead of the upcoming QG meeting on Monday. There are still some checks open:
Please have a look at those open points.
Many thanks in advance!
Best regards Simone
Threat Modelling Analysis results: no changes since last released Threat Modelling Analysis results - passed
Static Application Security Testing (SAST) - no high or very high findings in Veracode Static Application Security Testing (SAST) - passed
@Security Team: SEC2 Container Scan conducted: currently under clarification, as the Trivy scan is marking some findings which cannot be solved at the moment.
Update (24.11.2023): As discussed at the DevSecOps meeting this Friday, the finding cannot be mitigated at the moment because of a license check. But as agreed, the finding will not be a blocker for the QG.
As stated. KICS passed.
Release Security 23.12
Source in Catena-X Confluence and Expert Contacts here(Source only accessible for Catena-X Consortia members in current transition phase).
[x] Threat Modelling Analysis results Analysis completed (operations excluded):
Artifact Repository:
Prime Contacts:
[x] Static Application Security Testing (SAST)
Best Practice:
Artifact Repository:
Prime Contacts:
[x] Dynamic Application Security Testing (DAST) incl API testing (if applicable)
Best Practice:
Artifact Repository:
Prime Contacts:
[x] Secret scanning Scan executed centrally by SEC team and ZERO valid findings
Artifact Repository:
Best Practice:
Prime Contact:
[x] Software Composition Analysis (SCA) Dependencies must be scanned with Veracode tool with regards to vulnerability
Best Practice:
Artifact Repository:
Prime Contacts:
[x] Container Scan conducted All containers in GitHub Packages must be scanned
Best Practice:
Artifact Repository:
Prime Contacts:
[x] Infrastructure as Code IaC code must be scanned.
Best Practice:
Artifact Repository:
Prime Contacts: