Item Relationship Service (IRS) Release 23.12 Security Acceptance Criteria

[kelaja]

Release Security 23.12

Source in Catena-X Confluence and Expert Contacts here(Source only accessible for Catena-X Consortia members in current transition phase).

• [x] Threat Modelling Analysis results Analysis completed (operations excluded):

  • List of risks generated or updated, rated & actions defined
  • Risks accepted or mitigation actions implemented and tested
  • no high threats acceptable

  Artifact Repository:

  • risk register (decentral on Catena-X confluence)

  Prime Contacts:

  • Security Team: SEC0

• [x] Static Application Security Testing (SAST)

https://github.com/eclipse-tractusx/item-relationship-service/issues/237

• code must be scanned weekly with Veracode tool
• medium risks require mitigation statement

• high and above not accepted

  Best Practise:

  • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

  Artifact Repository:

  • Veracode UI
  • (+ GitHub Action)

  Prime Contacts:

  • Security Team: SEC1

• [x] Dynamic Application Security Testing (DAST)

https://github.com/eclipse-tractusx/item-relationship-service/issues/237 incl API testing (if applicable)

• all findings assessed
• high & very high findings mitigated

• evidence by re-scan

  Best Practise:

  • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

  Artifact Repository:

  • INVICTI tool

  Prime Contacts:

  • Security Team: SEC3 SEC4

• [x] Secret scanning

https://github.com/eclipse-tractusx/item-relationship-service/issues/237 Scan executed centrally by SEC team and ZERO valid findings

Artifact Repository:

- Veracode or alternative tool
- GitHub Secret Scanning
- GitGuardian

Best Practise:

- Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

Prime Contact:

 - Security Team: SEC1

• [x] Software Composition Analysis (SCA)

https://github.com/eclipse-tractusx/item-relationship-service/issues/237 Dependencies must be scanned with Veracode tool with regards to vulnerability

• high and above not accepted

• FOSS whitelist policy has to be passed

  Best Practise:

• Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

  Artifact Repository:

• Veracode UI

• (& GitHub Action)

  Prime Contacts:

• Security Team: SEC1

• [x] Container Scan conducted

https://github.com/eclipse-tractusx/item-relationship-service/issues/237 All containers in GitHub Packages must be scanned

- High / Critical findings not accepted

Best Practise:

- Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

Artifact Repository:

- Trivy
- via nightly GitHub Action

Prime Contacts:

- Security Team: SEC2

• [x] Infrastructure as Code IaC code must be scanned.

  • Error findings not accepted

  Best Practise:

  • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

  Artifact Repository:

  • KICS or alternative tool
  • via nightly GitHub Action

  Prime Contacts:

  • Security Team: SEC2

[mkanal]

@kelaja @guenterban PEN KeyCloak seems not to be working to successfully execute DAST tests. https://github.com/eclipse-tractusx/sig-infra/issues/346

[ds-jhartmann]

invicti scan passed with only medium and lower findings: https://www.netsparkercloud.com/scans/report/6addd8f3e5084e13a4c9b0b901f75d8c/ No new findings compared to last QG

[mkanal]

@guenterban Alignment took place by telephone on 13.11.2023. As there have been no changes since release 3.2, it is not necessary to update the Threat Modelling Analysis results

[ds-jhartmann]

Secret scanning No secrets found in secret scan: https://github.com/eclipse-tractusx/item-relationship-service/security/secret-scanning

Static Application Security Testing (SAST) 32x the same medium finding, all are mitigated:

Software Composition Analysis (SCA) No vulnerabilities in dependencies

Container Scan conducted No issues found in container scan: https://github.com/eclipse-tractusx/item-relationship-service/security/code-scanning?query=is%3Aopen+branch%3Amain+tool%3ATrivy

Infrastructure as Code No errors found by KICS, only warnings: https://github.com/eclipse-tractusx/item-relationship-service/security/code-scanning?query=is%3Aopen+branch%3Amain+tool%3ATrivy%2CKICS

[mkanal]

Hi @kelaja
kindly ask to close this ticket now. We have achieved all checks, is there anything more to do?