From 355865586f3290a2c1ea78ca331592deab0a6e09 Mon Sep 17 00:00:00 2001 From: Klagarge Date: Mon, 14 Apr 2025 12:58:46 +0200 Subject: [PATCH] refactor: removed unused code docs: added answer for Q3.4 Signed-off-by: Klagarge --- .gitlab-ci.yml | 17 ++--------------- docs/questions-part3.md | 16 +++++++++++++--- 2 files changed, 15 insertions(+), 18 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 159ace1..b0acd34 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,8 +1,6 @@ variables: DOCKER_IMAGE_TEST: registry.forge.hefr.ch/klagarge/mse2425-grp09/python-pdm:latest DOCKER_IMAGE_APP: registry.forge.hefr.ch/klagarge/mse2425-grp09/devsecops-app:latest - APP_PORT: 5000 - TARGET_URL: "http://app:${APP_PORT}" default: image: $DOCKER_IMAGE_TEST @@ -88,18 +86,8 @@ docker-build-app: include: - template: Jobs/SAST.gitlab-ci.yml -# - template: DAST.gitlab-ci.yml -#dast-ci: -# stage: dast -# dast_configuration: -# site_profile: "dast-site-profile-devsecops-mse" -# scanner_profile: "dast-scanner-profile-devsecops-mse" -#services: -# - name: $DOCKER_IMAGE_APP -# alias: app - -dast-local: +dast: stage: dast image: ghcr.io/zaproxy/zaproxy:stable services: @@ -108,5 +96,4 @@ dast-local: script: - echo "Waiting for the app to start on http://app:5000" - timeout 60 bash -c 'until curl -s http://app:5000; do echo "Waiting..."; sleep 3; done' - - zap-full-scan.py -t http://app:5000 -I - allow_failure: true # Allow failure for DAST job (because GitLab is not well configured and network didn't work) \ No newline at end of file + - zap-full-scan.py -t http://app:5000 -I \ No newline at end of file diff --git a/docs/questions-part3.md b/docs/questions-part3.md index b569c4d..e830b02 100644 --- a/docs/questions-part3.md +++ b/docs/questions-part3.md 
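Review bot: The `-I` flag on the `zap-full-scan.py` line tells the packaged scan not to return failure on WARN-level alerts, and no `-c` rule configuration is passed to promote any rule to FAIL, so this job can only fail when ZAP itself errors — dropping `allow_failure: true` does not make the DAST stage gate the pipeline on findings. If findings are meant to block, remove `-I` and pass a rule file that marks the relevant rules as FAIL (the scan scripts resolve `-c` and `-r` paths under `/zap/wrk/` inside the image, so the file has to be copied there first); if they are meant to be advisory, keep `-I` but say so in a comment, e.g. `# -I: WARN alerts do not fail the job; only scanner errors do`. Keeping the HTML report as an artifact needs `-r` plus a copy from `/zap/wrk/` into `$CI_PROJECT_DIR` and `artifacts: when: always`, which may be what the earlier artifact attempt was missing — worth confirming. Separately, `curl -s` on the readiness line exits 0 on any HTTP response including 5xx, so `curl -sf` would wait for a healthy reply. The `dast` job's `stage`, `image` and `services` keys are in the previous hunk.
```yaml
dast:
  # … unchanged: stage, image, services …
  script:
    - echo "Waiting for the app to start on http://app:5000"
    - timeout 60 bash -c 'until curl -sf http://app:5000; do echo "Waiting..."; sleep 3; done'
    # the ZAP scan scripts resolve -c and -r relative to /zap/wrk
    - mkdir -p /zap/wrk && cp zap-rules.conf /zap/wrk/
    - zap-full-scan.py -t http://app:5000 -c zap-rules.conf -r zap-report.html
  after_script:
    - cp /zap/wrk/zap-report.html "$CI_PROJECT_DIR/" || true
  artifacts:
    when: always
    paths:
      - zap-report.html
```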
@@ -2,7 +2,7 @@ ## Part 3 -- **Q3.1**: Setup your CI/CD pipeline with an additional SAST solution. I propose that you use `semgrep` for this task. Get your inspiration here: https://semgrep.dev/for/gitlab and https://docs.gitlab.com/ee/user/application_security/sast/ +- **Q3.1**: Setup your CI/CD pipeline with an additional SAST solution. I propose that you use `semgrep` for this task. Get your inspiration here: https://semgrep.dev/for/gitlab and https://docs.gitlab.com/ee/user/application_security/sast/ - **Q3.2**: Describe the found problems (alerts) in the `calculator app` (in the original code, git tag `v3.0`) - **Q3.3**: Install DAST OWASP ZAP on your host or in a Docker. Play with OWASP ZAP, analyze the calculator code - **Q3.4**: Implement a DAST solution in your pipeline. Get some inspiration here https://docs.gitlab.com/ee/user/application_security/dast/ . Describe what you have integrated in your pipeline. *Note: you must ensure that your application is running while you are testing!* @@ -14,7 +14,7 @@ ## Q3.2 -For some reasons, semgrep works locally, but not on GitLab. Here is the report when runned locally. +For some reasons, semgrep works locally, but not on GitLab. Here is the report when runned locally. ![SAST-report](figures/SAST-report.png) 
@@ -22,4 +22,14 @@ For some reasons, semgrep works locally, but not on GitLab. Here is the report w After performing a scan, we can see a few alerts as seen on this screenshot : -![alt text](figures/OWASP-ZAP.png) \ No newline at end of file +![alt text](figures/OWASP-ZAP.png) + +## Q3.4 +The integrate DAST in Github doesn't work on our version, we need the _Ultimate_ version of GitLab selfhosted. + +We create a new Docker image for the application. This image auto launch the flask app when the container is started. + +We used this image as a service for the DAST stage on our CI. +The stage use zaproxy to test the application. Warning do not return wailure, so the stage pass if no error is found by the OWASP ZAP. + +We don't understand why the stage fail when we try to provide the html report as artifact. So if the stage fail, we can see the error in the logs.