Trace-X Release 23.12 Security Acceptance Criteria

[kelaja]

Release Security 23.12

Source in Catena-X Confluence and Expert Contacts here(Source only accessible for Catena-X Consortia members in current transition phase).

• [x] Threat Modelling Analysis results Analysis completed (operations excluded):

  • List of risks generated or updated, rated & actions defined
  • Risks accepted or mitigation actions implemented and tested
  • no high threats acceptable

  Artifact Repository:

  • risk register (decentral on Catena-X confluence)

  Prime Contacts:

  • Security Team: SEC0

• [x] Static Application Security Testing (SAST)

  • code must be scanned weekly with Veracode tool
  • medium risks require mitigation statement
  • high and above not accepted

  Best Practise:

  • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

  Artifact Repository:

  • Veracode UI
  • (+ GitHub Action)

  Prime Contacts:

  • Security Team: SEC1

• [x] Dynamic Application Security Testing (DAST) incl API testing (if applicable)

  • all findings assessed
  • high & very high findings mitigated
  • evidence by re-scan

  Best Practise:

  • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

  Artifact Repository:

  • INVICTI tool

  Prime Contacts:

  • Security Team: SEC3 SEC4

• [x] Secret scanning Scan executed centrally by SEC team and ZERO valid findings

  Artifact Repository:

  • Veracode or alternative tool
  • GitHub Secret Scanning
  • GitGuardian

  Best Practise:

  • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

  Prime Contact:

  • Security Team: SEC1

• [x] Software Composition Analysis (SCA) Dependencies must be scanned with Veracode tool with regards to vulnerability

  • high and above not accepted
  • FOSS whitelist policy has to be passed

  Best Practise:

  • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

  Artifact Repository:

  • Veracode UI
  • (& GitHub Action)

  Prime Contacts:

  • Security Team: SEC1

• [x] Container Scan conducted All containers in GitHub Packages must be scanned

  • High / Critical findings not accepted

  Best Practise:

  • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

  Artifact Repository:

  • Trivy
  • via nightly GitHub Action

  Prime Contacts:

  • Security Team: SEC2

• [x] Infrastructure as Code IaC code must be scanned.

  • Error findings not accepted

  Best Practise:

  • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

  Artifact Repository:

  • KICS or alternative tool
  • via nightly GitHub Action

  Prime Contacts:

  • Security Team: SEC2

[ds-mwesener]

Static Application Security Testing (SAST):

• Artifacts: 1) Veracode Frontend Scan Daily 2) Veracode Backend Scan Daily

Dynamic Application Security Testing (DAST)

• Artifacts: 1) Invicti Scan Report

Software Composition Analysis (SCA)

• Artifacts: 1) Veracode Software Composition Analysis Backend 2) Veracode Software Composition Analysis Frontend

  Container Scan conducted

• Artifacts: 1) Trivy Frontend & Backend Scan Daily

  Infrastructure as Code

• Artifacts: 1) Kics Frontend & Backend Scan Daily

Secret scanning

• Scan executed centrally by SEC team and ZERO valid findings 1) TODO by security team.

Threat Modelling Analysis results

• TODO will be populated by @mkanal once ready.

[ds-mwesener]

Hi @kelaja would it be possible to already check the prepared results in my comments above? As the Threat Modelling Analysis will take some time until it is done, it would be great to already have some progress.

Thanks you very much.

[mkanal]

@kelaja @guenterban PEN KeyCloak seems not to be working to successfully execute DAST tests. https://github.com/eclipse-tractusx/sig-infra/issues/346

[ds-mwesener]

Hi @kelaja / @guenterban https://github.com/eclipse-tractusx/sig-infra/issues/346 has been resolved and all results regarding security relevant scans can be found above. Thanks in advance.

[mkanal]

@guenterban Alignment took place by telephone on 13.11.2023. As there have been no changes since release 3.2, it is not necessary to update the Threat Modelling Analysis results

[PiotrStys]

Hi @ds-mwesener,

Regarding DAST, no high/critical findings reported by Invicti.

Speaking about the medium-level findings, please make sure you keep the SSL/TLS certificate updated as it has been reported to expire soon.

DAST Passed

Regards, Piotr

[DnlZF]

Hi, there are no open GitGuardian findings:

-> Secret scanning approved

Best regards Daniel

[klaudiaZF]

Hi All,

SCA Passed for Backend and Frontend, just please keep in mind that SAST did not pass, due to 2 high findings.

https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsSCA:47240:1439449:31075524:31045672:31061322:::::4536228:

https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsSCA:47240:1439450:31074853:31045001:31060651:::::4536230:

Please be also aware that we have few open medium findings.

[mkanal]

Hello @klaudiaZF we have mitigated the SCA. Kindlya ask for an recheck?

[klaudiaZF]

Hi @mkanal ,

High findings in Veracode are mitigated.

[klaudiaZF]

Hi All,

SAST passed for backend and frontend, please keep in mind that the red color on backend screenshot is due to SCA

https://analysiscenter.veracode.com/auth/index.jsp#ViewReportsDetailedReport:47240:1439450:31074853:31045001:31060651:::::4536230

https://analysiscenter.veracode.com/auth/index.jsp#ViewReportsDetailedReport:47240:1439449:31075524:31045672:31061322:::::4536228

Keep in mind that we have few open medium findings.

[klaudiaZF]

Hi All, We have new high finding for SCA backend. Can someone mitigated high finding ? SCA for backend can't be passed now

https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsSCA:47240:1439450:31074853:31045001:31060651:::::4536230:

[ds-mwesener]

HI @klaudiaZF the scans will be executed against the latest main of our code repository. As the release has been already completed is it okay for you to accept it here and create an issue on our repository to fix the high finding on our latest code base? Otherwise in my opinion it would be good to have a clear timeline how long we need to follow up on high findings regarding older releases. As this can always occur on all projects.

Thanks in advance!

Kind regards

Max

[scherersebastian]

backend has container scanning findings https://github.com/eclipse-tractusx/traceability-foss/security/code-scanning kics passed

[ds-mwesener]

HI @scherersebastian this is a known issue. Please find explanation here: https://github.com/eclipse-tractusx/traceability-foss/issues/354 and here: https://eclipse-tractusx.github.io/docs/release/trg-4/trg-4-02/#description

[klaudiaZF]

@guenterban is this ok if we pass SCA based on previous scan that didn't had a high vulnerability and fix that new high finding by creating an issue on repository?

[guenterban]

SCA passed We had done our snapshot with green light. The team has to fix it as a mainenance task.

[mkanal]

Hello @guenterban thank you very much.