From 0a97c650d0a053d98274f5bfdedf640973156ae0 Mon Sep 17 00:00:00 2001
From: Maaike
Date: Fri, 28 Jun 2024 11:16:06 +0200
Subject: [PATCH] reinit zaproxy PR
---
 .github/workflows/zaproxy.yml | 50 +++++++++++++++++++++++++++++++++++
 .zap/rules.tsv | 23 ++++++++++++++++
 2 files changed, 73 insertions(+)
 create mode 100644 .github/workflows/zaproxy.yml
 create mode 100644 .zap/rules.tsv
diff --git a/.github/workflows/zaproxy.yml b/.github/workflows/zaproxy.yml
new file mode 100644
index 000000000..a04fb9652
--- /dev/null
+++ b/.github/workflows/zaproxy.yml
@@ -0,0 +1,50 @@
+name: Run ZAP Baseline Scan ⚙️
+
+on: [ push ]
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: build and start containers using tests/test.env ⚙️
+        run: |
+          cp tests/test.env wis2box.env
+          python3 wis2box-ctl.py build
+          python3 wis2box-ctl.py start
+          python3 wis2box-ctl.py status -a
+          sleep 30
+          python3 wis2box-ctl.py status -a
+      - name: populate stations from CSV 📡
+        run: |
+          python3 wis2box-ctl.py execute wis2box metadata station publish-collection
+      - name: add Malawi synop data to the system 🇲🇼
+        env:
+          TOPIC_HIERARCHY: mw-mw_met_centre.data.core.weather.surface-based-observations.synop
+          CHANNEL: origin/a/wis2/mw-mw_met_centre/data/core/weather/surface-based-observations/synop
+          TERRITORY: MWI
+          DISCOVERY_METADATA: /data/wis2box/metadata/discovery/mw-surface-weather-observations.yml
+          DISCOVERY_METADATA_ID: urn:wmo:md:mw-mw_met_centre:surface-weather-observations
+        run: |
+          python3 wis2box-ctl.py execute wis2box dataset publish $DISCOVERY_METADATA
+          python3 wis2box-ctl.py execute wis2box metadata station add-topic --territory-name $TERRITORY $CHANNEL
+          python3 wis2box-ctl.py execute wis2box data ingest -mdi $DISCOVERY_METADATA_ID -p $TEST_DATA
+          sleep 10
+      - name: ZAP baseline Scan on UI 🕵️‍♂️
+        uses: zaproxy/action-baseline@v0.12.0
+        with:
+          target: 'http://localhost'
+          rules_file_name: '.zap/rules.tsv'
+          allow_issue_writing: 'false'
+          fail_action: 'true'
+      - name: ZAP baseline Scan on wis2box-webapp 🕵️‍♂️
+        uses: zaproxy/action-baseline@v0.12.0
+        env:
+          ZAP_AUTH_HEADER_VALUE: "Basic d2lzMmJveC11c2VyOndpczJib3h0ZXN0MTIz"
+          ZAP_AUTH_HEADER: "Authorization"
+        with:
+          target: 'http://localhost/wis2box-webapp'
+          rules_file_name: '.zap/rules.tsv'
+          allow_issue_writing: 'false'
+          fail_action: 'true'
\ No newline at end of file
diff --git a/.zap/rules.tsv b/.zap/rules.tsv
new file mode 100644
index 000000000..4a191ad7f
--- /dev/null
+++ b/.zap/rules.tsv
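Review bot: `$TEST_DATA` is expanded in the ingest line of the "add Malawi synop data" step (`-p $TEST_DATA`) but is never set — that step's `env:` defines only TOPIC_HIERARCHY, CHANNEL, TERRITORY and the two DISCOVERY_METADATA values, and there is no job- or workflow-level `env:` in the file, so `-p` is passed with an empty argument while TOPIC_HIERARCHY is declared and never read; add `TEST_DATA: <path-to-test-data>` (placeholder) to that `env:` block. The workflow declares no `permissions:`; with `allow_issue_writing: 'false'` the job only needs to read the checkout, so a top-level `permissions:` with `contents: read` keeps the default GITHUB_TOKEN at least privilege. `ZAP_AUTH_HEADER_VALUE` is a base64-encoded `user:password` pair committed in clear; presumably it mirrors the test credentials in tests/test.env, but reading it from a repository secret (`${{ secrets.ZAP_AUTH_HEADER_VALUE }}`) or deriving it from the same env file in the build step would keep the two from drifting and avoid a second copy of the credential in the repo. `actions/checkout@v2` runs on a deprecated Node runtime and `actions/checkout@v4` is current; both actions would also be more robust against tag re-pointing if pinned to a full commit SHA with the tag in a trailing comment.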
@@ -0,0 +1,23 @@
+10202 IGNORE Absence of Anti-CSRF Tokens Medium
+10038 IGNORE Content Security Policy (CSP) Header Not Set Medium
+10098 IGNORE Cross-Domain Misconfiguration Medium
+10020 IGNORE Missing Anti-clickjacking Header Medium
+90003 IGNORE Sub Resource Integrity Attribute Missing Medium
+90022 IGNORE Application Error Disclosure Medium
+10054 IGNORE Cookie with SameSite Attribute None Low
+10017 IGNORE Cross-Domain JavaScript Source File Inclusion Low
+10023 IGNORE Information Disclosure - Debug Error Messages Low
+10063 IGNORE Permissions Policy Header Not Set Low
+10037 IGNORE "Server Leaks Information via ""X-Powered-By"" HTTP Response Header Field(s)" Low
+10096 IGNORE Timestamp Disclosure - Unix Low
+10021 IGNORE X-Content-Type-Options Header Missing Low
+10027 IGNORE Information Disclosure - Suspicious Comments Informational
+90033 IGNORE Loosely Scoped Cookie Informational
+10109 IGNORE Modern Web Application Informational
+10049 IGNORE Non-Storable Content Informational
+10112 IGNORE Session Management Response Identified Informational
+10049 IGNORE Storable and Cacheable Content Informational
+10009 IGNORE In Page Banner Information Leak Low
+10036 IGNORE "Server Leaks Version Information via ""Server"" HTTP Response Header Field" Low
+10110 IGNORE Dangerous JS Functions Low
+10105 IGNORE Authentication Credentials Captured Medium
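Review bot: `10105 IGNORE Authentication Credentials Captured Medium` on the last line silences the one Medium finding in this list that reflects a real weakness (credentials observed in an `Authorization` header on a plain-HTTP target) rather than header hygiene; presumably it fires because the webapp scan itself sends that header to `http://localhost`, but setting it to `WARN` keeps it visible in the report without failing the run under `fail_action: 'true'`. The same reasoning applies to `10202 Absence of Anti-CSRF Tokens` and `10038 Content Security Policy (CSP) Header Not Set`, which are worth tracking as WARN rather than hiding. Plugin id `10049` appears twice (`Non-Storable Content` and `Storable and Cacheable Content`); if, as I believe, ZAP raises both alerts from the single cacheability rule with that id, the second line is redundant and the two should be merged into one entry. A short header comment stating that this file is consumed by the `zaproxy/action-baseline` steps and why each IGNORE is acceptable for the test deployment would help reviewers judge future additions.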