[R24.5] SAST / DAST PCWM conformity : TRG 8.01 & TRG 2-6 - Githubissues

eclipse-tractusx / traceability-foss

https://eclipse-tractusx.github.io/traceability-foss/docs/

Apache License 2.0

11 stars 23 forks source link

[R24.5] SAST / DAST PCWM conformity : TRG 8.01 & TRG 2-6 #780

Closed mkanal closed 7 months ago

mkanal commented 8 months ago

As product I want migrate from deprecated S/DAST to new proposed S/DAST toolings so that compliant to the TRGs for R24.5

Hints / Details

Please migrate to the new tools, which means using Static Application Security Testing CodeQl (https://eclipse-tractusx.github.io/docs/release/trg-0/trg-8-01/ ) for software security testing and Software Composition Analysis (https://eclipse-tractusx.github.io/docs/release/trg-2/trg-2-6/ ) for analyzing software components. It is also important to change/delete the related GitHub actions.

Acceptance Criteria

[ ] TRG 8 .1 Veracode is descoped from documentation, cd/cd pipeline, code, KIT docu etc
[ ] TRG 8 .1 CodeQl is used for SAST including extension documentation, cd/cd pipeline, code, KIT docu etc
[ ] TRG 2.1 Dependabot is used for SCA including extension documentation, cd/cd pipeline, code, KIT docu etc
[ ] TRG 2.1 Veracode is descoped from documentation, cd/cd pipeline, code, KIT docu etc

Out of Scope

...

ds-crehm commented 7 months ago

Not possible to test. PRs look good to me. Ready for review @jzbmw