
2683-zap-CORS-misconfig #2727

Merged
merged 20 commits into from
Dec 1, 2023

Conversation

@raftmsohani raftmsohani commented Oct 13, 2023

Summary of Changes

Provide a brief summary of changes
Pull request closes #2683

How to Test

List the steps to test the PR

The test was done against raft. CORS settings are applied to both staging and dev, so we should see the same scan results against staging.

See below the scan result and note there is no CORS error:

[Screenshot: scan result, 2023-10-18 11:53 AM]

Steps to test:

We can perform the scan from local machine by changing the scan address in zap-scanner.sh. Follow the steps below to perform scan from local:

  1. Change this line to:
     APP_URL="https://tdp-frontend-raft.app.cloud.gov"
  2. Run the following command:
     sh ./scripts/zap-scanner.sh frontend local dev

Deliverables

More details on how the deliverables herein are assessed are included here.

Deliverable 1: Accepted Features

Checklist of ACs:

  • [insert ACs here]
  • lfrohlich and/or adpennington confirmed that ACs are met.

Deliverable 2: Tested Code

  • Are all areas of code introduced in this PR meaningfully tested?
    • If this PR introduces backend code changes, are they meaningfully tested?
    • If this PR introduces frontend code changes, are they meaningfully tested?
  • Are code coverage minimums met?
    • Frontend coverage: [insert coverage %] (see CodeCov Report comment in PR)
    • Backend coverage: [insert coverage %] (see CodeCov Report comment in PR)

Deliverable 3: Properly Styled Code

  • Are backend code style checks passing on CircleCI?
  • Are frontend code style checks passing on CircleCI?
  • Are code maintainability principles being followed?

Deliverable 4: Accessible

  • Does this PR complete the epic?
  • Are links included to any other gov-approved PRs associated with epic?
  • Does PR include documentation for Raft's a11y review?
  • Did automated and manual testing with iamjolly and ttran-hub using Accessibility Insights reveal any errors introduced in this PR?

Deliverable 5: Deployed

  • Was the code successfully deployed via automated CircleCI process to development on Cloud.gov?

Deliverable 6: Documented

  • Does this PR provide background for why coding decisions were made?
  • If this PR introduces backend code, is that code easy to understand and sufficiently documented, both inline and overall?
  • If this PR introduces frontend code, is that code easy to understand and sufficiently documented, both inline and overall?
  • If this PR introduces dependencies, are their licenses documented?
  • Can reviewer explain and take ownership of these elements presented in this code review?

Deliverable 7: Secure

  • Does the OWASP Scan pass on CircleCI?
  • Do manual code review and manual testing detect any new security issues?
  • If new issues detected, is investigation and/or remediation plan documented?

Deliverable 8: User Research

Research product(s) clearly articulate(s):

  • the purpose of the research
  • methods used to conduct the research
  • who participated in the research
  • what was tested and how
  • impact of research on TDP
  • (if applicable) final design mockups produced for TDP development

@raftmsohani raftmsohani self-assigned this Oct 13, 2023
@raftmsohani raftmsohani added the Deploy with CircleCI-raft Deploy to https://tdp-frontend-raft.app.cloud.gov through CircleCI label Oct 16, 2023
@raftmsohani raftmsohani removed the Deploy with CircleCI-raft Deploy to https://tdp-frontend-raft.app.cloud.gov through CircleCI label Oct 17, 2023

codecov bot commented Oct 17, 2023

Codecov Report

Merging #2727 (39880c1) into develop (a832605) will increase coverage by 0.00%.
Report is 2 commits behind head on develop.
The diff coverage is n/a.


@@            Coverage Diff            @@
##           develop    #2727    +/-   ##
=========================================
  Coverage    92.79%   92.79%            
=========================================
  Files          202      246    +44     
  Lines         4591     5568   +977     
  Branches       320      480   +160     
=========================================
+ Hits          4260     5167   +907     
- Misses         271      308    +37     
- Partials        60       93    +33     
Flag          Coverage Δ
dev-backend   92.79% <ø> (ø)
dev-frontend  92.83% <ø> (?)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

-config globalexcludeurl.url_list.url\(15\).regex='^https:\/\/.*\.cloud.gov\/.*$' \
-config globalexcludeurl.url_list.url\(15\).description='Site - Cloud.gov' \
-config globalexcludeurl.url_list.url\(15\).enabled=true \
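Review bot: the exclude pattern `'^https:\/\/.*\.cloud.gov\/.*$'` matches every host under cloud.gov, so while `enabled=true` is set the spider skips the dev/staging targets such as tdp-frontend-raft.app.cloud.gov along with whatever cloud.gov links the rule was meant to suppress. If only specific cloud.gov URLs need excluding, a narrower pattern naming those hosts (with the dot in `cloud\.gov` escaped) keeps the dev/staging scan intact; otherwise dropping the rule, as discussed in the thread, is the right call.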


I am trying to remember why we put this in here, but it was for a very specific reason.

Author


Originally it was added to stop the spider from scanning some of the links associated with cloud.gov, but since we are also trying to scan dev/staging, it is not possible to disable cloud.gov as a whole.

Collaborator

@ADPennington ADPennington left a comment


@raftmsohani @George-Hudson thanks for this. Optimal to test this after merge into develop.

@andrew-jameson andrew-jameson merged commit eb16d8b into develop Dec 1, 2023
24 checks passed
@andrew-jameson andrew-jameson deleted the 2683-zap-result-cors-misconfiguration branch December 1, 2023 15:55
Linked issue (closes #2683): ZAP result - CORS misconfiguration
4 participants