Klagarge/MSE-CyberSec-DevSecOps
1
0
Fork 0
Code Issues Pull Requests Releases Activity
Files
355865586f3290a2c1ea78ca331592deab0a6e09
MSE-CyberSec-DevSecOps/docs/questions-part3.md
Klagarge 355865586f refactor: removed unused code 
docs: added answer for Q3.4
Signed-off-by: Klagarge <remi@heredero.ch>
2025-04-14 14:56:58 +02:00

36 lines
2.1 KiB
Markdown
Raw Blame History

# Questions
## Part 3
- **Q3.1**: Setup your CI/CD pipeline with an additional SAST solution. I propose that you use `semgrep` for this task. Get your inspiration here: https://semgrep.dev/for/gitlab and https://docs.gitlab.com/ee/user/application_security/sast/
- **Q3.2**: Describe the found problems (alerts) in the `calculator app` (in the original code, git tag `v3.0`)
- **Q3.3**: Install DAST OWASP ZAP on your host or in a Docker. Play with OWASP ZAP, analyze the calculator code
- **Q3.4**: Implement a DAST solution in your pipeline. Get some inspiration here https://docs.gitlab.com/ee/user/application_security/dast/ . Describe what you have integrated in your pipeline. *Note: you must ensure that your application is running while you are testing!*
- **Q3.5 (optional)**: Normally, the provided code has some bugs, which are discovered by SAST solution. Describe the found bugs (in the original code, git tag `v3.0`) and provide solution to remediate the problems. Indicate which commit/tag contains the corrected code
- **Q3.6 (optional)**: Describe the found bugs (in the original code, git tag `v3.0`) with DAST and provide solution to remediate the problems. Indicate which commit/tag contains the corrected code. Do corrections only in the provided code (no libraries)
# Answers - Part 3
## Q3.2
For some reasons, semgrep works locally, but not on GitLab. Here is the report when runned locally.
![SAST-report](figures/SAST-report.png)
## Q3.3
After performing a scan, we can see a few alerts as seen on this screenshot :
![alt text](figures/OWASP-ZAP.png)
## Q3.4
The integrate DAST in Github doesn't work on our version, we need the _Ultimate_ version of GitLab selfhosted.
We create a new Docker image for the application. This image auto launch the flask app when the container is started.
We used this image as a service for the DAST stage on our CI.
The stage use zaproxy to test the application. Warning do not return wailure, so the stage pass if no error is found by the OWASP ZAP.
We don't understand why the stage fail when we try to provide the html report as artifact. So if the stage fail, we can see the error in the logs.
Reference in New Issue View Git Blame Copy Permalink