Knowledge Agent Release 23.12 Security Acceptance Criteria

[kelaja]

Release Security 23.12

Source in Catena-X Confluence and Expert Contacts here(Source only accessible for Catena-X Consortia members in current transition phase).

• [x] Threat Modelling Analysis results Analysis completed (operations excluded):

  • List of risks generated or updated, rated & actions defined
  • Risks accepted or mitigation actions implemented and tested
  • no high threats acceptable

  Artifact Repository:

  • risk register (decentral on Catena-X confluence)

  Prime Contacts:

  • Security Team: SEC0

• [x] Static Application Security Testing (SAST)

  • code must be scanned weekly with Veracode tool
  • medium risks require mitigation statement
  • high and above not accepted

  Best Practise:

  • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

  Artifact Repository:

  • Veracode UI
  • (+ GitHub Action)

  Prime Contacts:

  • Security Team: SEC1

• [x] Dynamic Application Security Testing (DAST) incl API testing (if applicable)

  • all findings assessed
  • high & very high findings mitigated
  • evidence by re-scan

  Best Practise:

  • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

  Artifact Repository:

  • INVICTI tool

  Prime Contacts:

  • Security Team: SEC3 SEC4

• [x] Secret scanning Scan executed centrally by SEC team and ZERO valid findings

  Artifact Repository:

  • Veracode or alternative tool
  • GitHub Secret Scanning
  • GitGuardian

  Best Practise:

  • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

  Prime Contact:

  • Security Team: SEC1

• [x] Software Composition Analysis (SCA) Dependencies must be scanned with Veracode tool with regards to vulnerability

  • high and above not accepted
  • FOSS whitelist policy has to be passed

  Best Practise:

  • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

  Artifact Repository:

  • Veracode UI
  • (& GitHub Action)

  Prime Contacts:

  • Security Team: SEC1

• [x] Container Scan conducted All containers in GitHub Packages must be scanned

  • High / Critical findings not accepted

  Best Practise:

  • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

  Artifact Repository:

  • Trivy
  • via nightly GitHub Action

  Prime Contacts:

  • Security Team: SEC2

• [x] Infrastructure as Code IaC code must be scanned.

  • Error findings not accepted

  Best Practise:

  • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

  Artifact Repository:

  • KICS or alternative tool
  • via nightly GitHub Action

  Prime Contacts:

  • Security Team: SEC2

[klaudiaZF]

Hi All,

knowledge-agents-edc/agentplane-hashicorp

https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsSCA:47240:1821738:30860082:30830277:30845927:::::5591887:

SCA Did not pass due to high finding

knowledge-agents-edc/agentplane-azure-vault

https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsSCA:47240:1748168:30860088:30830283:30845932:::::5407226:

SCA Did not pass due to high findings

knowledge-agents/remoting-agent

https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsSCA:47240:1821742:30871297:30841490:30857140:::::5591892:

SCA Did not pass due to high findings

knowledge-agents/conforming-agent

https://analysiscenter.veracode.com/auth/index.jsp#HomeAppProfile:47240:1821743

SCA Passed

knowledge-agents/provisioning-agent

https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsSCA:47240:1821739:30871271:30841464:30857114:::::5591888:

SCA Did not pass due to high findings

[klaudiaZF]

Hi All, After today's scanning knowledge-agents-edc/agentplane-hashicorp changed to passed.

https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsSCA:47240:1821738:30860082:30830277:30845927:::::5591887

SCA Passed for knowledge-agents-edc/agentplane-hashicorp

[PiotrStys]

Hello,

No high vulnerabilities reported back by OWASP ZAP. Others have been assessed and approved.

DAST Passed

Thanks, Piotr

[drcgjung]

Hi all - all modules should now be green (SAST + SCA, Container modulo base image [temurin/jammy] vulnerabilities)

Thx to the complete security & OSS team. Your are never sleeping and always helpful!!

[DnlZF]

Hi, there are no open GitGuardian findings: -> Secret scanning approved

Best regards Daniel

[klaudiaZF]

Hi All and @drcgjung

Everything is on green now

SCA Passed

https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsSCA:47240:1821738:30860082:30830277:30845927:::::5591887

https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsSCA:47240:1748168:30860088:30830283:30845932:::::5407226

https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsSCA:47240:1821742:30871297:30841490:30857140:::::5591892

https://analysiscenter.veracode.com/auth/index.jsp#HomeAppProfile:47240:1821743

https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsSCA:47240:1821739:30871271:30841464:30857114:::::5591888

[kelaja]

• @drcgjung kindly verfify Container Check for approval

[drcgjung]

Here are the trivy findings for knowledge-agents-edc. Shows that only high/medium finding of the base images are left (see the DevOps discussion, OSS requirements weigh higher)

[drcgjung]

Here are the trivy findings for knowledge-agents. Since the release PR is pending on an IP check (https://github.com/eclipse-tractusx/knowledge-agents/pull/66), we show a locally-built preview results on 1.10.15. Shows that only high findings of the base images are left (see the DevOps discussion, OSS requirements weigh higher than security). Note that we had to derive from base images in the case of strong runtime dependencies on RDF4J SDK (remoting-agent) and Ontop VKP (provisioning-agent)

"Scans removed"

[kelaja]

Dear Colleagues kindly check:

• [x] Threat Modeling @guenterban
• [ ] Container Scan @scherersebastian @drcgjung
• [x] IaC approved by @scherersebastian

[guenterban]

Threat Modeling approved. No major changes

[klaudiaZF]

Hi All,

SAST passed

https://analysiscenter.veracode.com/auth/index.jsp#ViewReportsDetailedReport:47240:1821742:30871297:30841490:30857140:::::5591892

https://analysiscenter.veracode.com/auth/index.jsp#ViewReportsDetailedReport:47240:1821743:30871268:30841461:30857111:::::5591893

https://analysiscenter.veracode.com/auth/index.jsp#ViewReportsDetailedReport:47240:1821739:30871271:30841464:30857114:::::5591888

https://analysiscenter.veracode.com/auth/index.jsp#ViewReportsDetailedReport:47240:1821738:30860082:30830277:30845927:::::5591887

https://analysiscenter.veracode.com/auth/index.jsp#ViewReportsDetailedReport:47240:1748168:30860088:30830283:30845932:::::5407226

Just please keep in mind that we have few open medium findings.

[scherersebastian]

Here are the trivy findings for knowledge-agents. Since the release PR is pending on an IP check (eclipse-tractusx/knowledge-agents#66), we show a locally-built preview results on 1.10.15. Shows that only high findings of the base images are left (see the DevOps discussion, OSS requirements weigh higher than security). Note that we had to derive from base images in the case of strong runtime dependencies on RDF4J SDK (remoting-agent) and Ontop VKP (provisioning-agent)

as @drcgjung stated. kics passed

[drcgjung]

@kelaja @scherersebastian Container Scan for knowledge-agents (IP check through, release done) should now also be green. Aaaaah thats all a moving target, another medium for spring-boot ... feeling like sisiphos.

A29078924@T000c60ad4 Applications % trivy image tractusx/remoting-agent:1.10.15 2023-11-29T15:36:42.005+0100 INFO Need to update DB 2023-11-29T15:36:42.005+0100 INFO DB Repository: ghcr.io/aquasecurity/trivy-db 2023-11-29T15:36:42.005+0100 INFO Downloading DB... 41.10 MiB / 41.10 MiB [------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 5.97 MiB p/s 7.1s 2023-11-29T15:36:50.546+0100 INFO Vulnerability scanning is enabled 2023-11-29T15:36:50.546+0100 INFO Secret scanning is enabled 2023-11-29T15:36:50.546+0100 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning 2023-11-29T15:36:50.546+0100 INFO Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection 2023-11-29T15:36:50.578+0100 INFO Detected OS: ubuntu 2023-11-29T15:36:50.578+0100 INFO Detecting Ubuntu vulnerabilities... 2023-11-29T15:36:50.579+0100 INFO Number of language-specific files: 1 2023-11-29T15:36:50.579+0100 INFO Detecting jar vulnerabilities...

tractusx/remoting-agent:1.10.15 (ubuntu 22.04)

Total: 35 (UNKNOWN: 0, LOW: 24, MEDIUM: 11, HIGH: 0, CRITICAL: 0)

A29078924@T000c60ad4 Applications % trivy image tractusx/provisioning-agent:1.10.15 2023-11-29T15:38:39.564+0100 INFO Vulnerability scanning is enabled 2023-11-29T15:38:39.564+0100 INFO Secret scanning is enabled 2023-11-29T15:38:39.564+0100 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning 2023-11-29T15:38:39.564+0100 INFO Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection 2023-11-29T15:38:43.002+0100 INFO JAR files found 2023-11-29T15:38:43.010+0100 INFO Java DB Repository: ghcr.io/aquasecurity/trivy-java-db:1 2023-11-29T15:38:43.010+0100 INFO Downloading the Java DB... 483.92 MiB / 483.92 MiB [---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 4.92 MiB p/s 1m39s 2023-11-29T15:40:23.599+0100 INFO The Java DB is cached for 3 days. If you want to update the database more frequently, the '--reset' flag clears the DB cache. 2023-11-29T15:40:23.602+0100 INFO Analyzing JAR files takes a while... 2023-11-29T15:40:23.711+0100 INFO Detected OS: ubuntu 2023-11-29T15:40:23.711+0100 INFO Detecting Ubuntu vulnerabilities... 2023-11-29T15:40:23.712+0100 INFO Number of language-specific files: 1 2023-11-29T15:40:23.712+0100 INFO Detecting jar vulnerabilities...

tractusx/provisioning-agent:1.10.15 (ubuntu 22.04)

Total: 32 (UNKNOWN: 0, LOW: 22, MEDIUM: 10, HIGH: 0, CRITICAL: 0)

And that one is using the official TX base image

A29078924@T000c60ad4 Applications % trivy image tractusx/conforming-agent:1.10.15 2023-11-29T15:40:46.772+0100 INFO Vulnerability scanning is enabled 2023-11-29T15:40:46.772+0100 INFO Secret scanning is enabled 2023-11-29T15:40:46.772+0100 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning 2023-11-29T15:40:46.772+0100 INFO Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection 2023-11-29T15:40:48.321+0100 INFO JAR files found 2023-11-29T15:40:48.322+0100 INFO Analyzing JAR files takes a while... 2023-11-29T15:40:48.364+0100 INFO Detected OS: alpine 2023-11-29T15:40:48.364+0100 INFO Detecting Alpine vulnerabilities... 2023-11-29T15:40:48.366+0100 INFO Number of language-specific files: 1 2023-11-29T15:40:48.366+0100 INFO Detecting jar vulnerabilities...

tractusx/conforming-agent:1.10.15 (alpine 3.18.4)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)

"Scans removed"

I have the idea of using the non-base images for 24.03 no more as runtime, but just as "build container" and then repackage the stuff into the official base image. Because its all JRE-based this should not be too difficult.

[scherersebastian]

If you can't remove the libraries and install the fixed ones, and there is no way around - then please commit yourself to a hot fix as soon as you can fix it. @drcgjung I trust your assessment, you as a developer know your app best, if you say there is no way - you are passed, with the commitment of a fix. We should not discuss open Findings this openly!

[drcgjung]

here is the commitment https://github.com/eclipse-tractusx/knowledge-agents/issues/72

[scherersebastian]

here is the commitment https://github.com/eclipse-tractusx/knowledge-agents/issues/72

Trivy passed :)