Closed kelaja closed 9 months ago
Threat Modelling Analysis results were updated within last release 23.09 https://confluence.catena-x.net/x/Cm1HAw. No significant changes. Next update is planned in 24.03 with the upcoming breaking change of the generic endpoint and the implementation of the orchestrator. @guenterban
Static Application Security Testing (SAST): No high risks found. Can you check, @PiotrStys?
Dynamic Application Security Testing (DAST): The pen environment was set up for 21.12.2023. @PiotrStys, can you check?
Software Composition Analysis (SCA): No high findings @klaudiaZF @Gitleena
Container Scan conducted: No high findings. @scherersebastian, can you confirm?
Infrastructure as Code: No high findings. @scherersebastian, please confirm.
@rybtim, can you please provide the updated URL of the deployment?
@kelaja: Threat Modelling Analysis passed
Please find below the links for the deployed Pen environment:
https://argo.dev.demo.catena-x.net/applications/argocd/bpdm-pen?view=tree&resource=
https://business-partners-pen.dev.demo.catena-x.net/companies/test-company/ui/swagger-ui/index.html
https://business-partners-pen.dev.demo.catena-x.net/pool/ui/swagger-ui/index.html
@nicoprow EDIT: I removed the bridge link. Only Gate and Pool are relevant for Pen-Testing
@SujitMBRDI, @rybtim Sorry but this is not clear enough to me.
Are those URLs alternative deployments and is this enough to scan one of them? I believe that so far we used the one below for assessments: https://business-partners-pen.dev.demo.catena-x.net/pool
Does that seem to work for this QG as well?
Hi @SujitMBRDI, can you please provide a link to the project name in Veracode for SCA?
The last time we had two scans: One for the pool and one for the test-company subpath. These two would need to be executed again:
Hello,
No high/critical findings reported back by Invicti. Others have been reviewed and approved.
DAST Passed
Thanks, Piotr
IaC/KICS passed. Container Trivy scans passed.
Hi, there are no open GitGuardian findings:
-> Secret scanning approved
Best regards Daniel
Release Security 23.12
Source in Catena-X Confluence and Expert Contacts here (source only accessible for Catena-X Consortia members in the current transition phase).
[x] Threat Modelling Analysis results: Analysis completed (operations excluded):
Artifact Repository:
Prime Contacts:
[x] Static Application Security Testing (SAST)
Best Practice:
Artifact Repository:
Prime Contacts:
[x] Dynamic Application Security Testing (DAST) incl API testing (if applicable)
Best Practice:
Artifact Repository:
Prime Contacts:
[x] Secret scanning: Scan executed centrally by SEC team and ZERO valid findings
Artifact Repository:
Best Practice:
Prime Contact:
[x] Software Composition Analysis (SCA): Dependencies must be scanned with the Veracode tool with regard to vulnerabilities
Best Practice:
Artifact Repository:
Prime Contacts:
[x] Container Scan conducted: All containers in GitHub Packages must be scanned
Best Practice:
Artifact Repository:
Prime Contacts:
[x] Infrastructure as Code: IaC code must be scanned.
Best Practice:
Artifact Repository:
Prime Contacts: