From 83971824aac2cdc453ae87af16fa172570ea503a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?=
Date: Wed, 31 Jan 2024 02:04:41 +0100
Subject: [PATCH 1/2] Fixing that the sarif reports used different risk and confidence levels than the HTML reports
---
 .../SecurityScanning/AutomationFrameworkPlans/Baseline.yml | 2 --
 .../SecurityScanning/AutomationFrameworkPlans/FullScan.yml | 2 --
 .../SecurityScanning/AutomationFrameworkPlans/GraphQL.yml | 2 --
 .../SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml | 2 --
 4 files changed, 8 deletions(-)
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
index 88ec3a373..54abfa7f9 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
@@ -101,12 +101,10 @@ jobs:
 reportDescription: ""
 displayReport: false
 risks:
- - "info"
 - "low"
 - "medium"
 - "high"
 confidences:
- - "falsepositive"
 - "low"
 - "medium"
 - "high"
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
index 87afb8828..8ea838a9a 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
@@ -106,12 +106,10 @@ jobs:
 reportDescription: ""
 displayReport: false
 risks:
- - "info"
 - "low"
 - "medium"
 - "high"
 confidences:
- - "falsepositive"
 - "low"
 - "medium"
 - "high"
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
index 3be077479..b134f3d07 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
@@ -115,12 +115,10 @@ jobs:
 reportDescription: ""
 displayReport: false
 risks:
- - "info"
 - "low"
 - "medium"
 - "high"
 confidences:
- - "falsepositive"
 - "low"
 - "medium"
 - "high"
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
index eed3c0552..54393210e 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
@@ -106,12 +106,10 @@ jobs:
 reportDescription: ""
 displayReport: false
 risks:
- - "info"
 - "low"
 - "medium"
 - "high"
 confidences:
- - "falsepositive"
 - "low"
 - "medium"
 - "high"
From c7408dff391e0bd943a20c836f834d2c9be1e0aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?=
Date: Wed, 31 Jan 2024 02:15:56 +0100
Subject: [PATCH 2/2] Adjusting sample docs and assertion too
---
 .../Tests/SecurityScanningTests.cs | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs b/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
index 1530fed29..0bce7abc9 100644
--- a/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
+++ b/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
@@ -19,9 +19,11 @@ namespace Lombiq.Tests.UI.Samples.Tests;
 // https://github.com/Lombiq/UI-Testing-Toolbox/blob/dev/Lombiq.Tests.UI/Docs/SecurityScanning.md.
 // Most common alerts can be resolved by using the OrchardCoreBuilder.ConfigureSecurityDefaultsWithStaticFiles()
-// extension method from Lombiq.HelpfulLibraries.OrchardCore. It's worth enabling in in your Program and then verifying
-// that everything still works on the site before really getting into security scanning. If you experience any problems
-// related to Content-Security-Policy, take a look at the documentation of IContentSecurityPolicyProvider and
+// extension method from Lombiq.HelpfulLibraries.OrchardCore. We use it in this in our
+// https://github.com/Lombiq/Open-Source-Orchard-Core-Extensions repo that these samples are configured for, and thus
+// there are almost no alerts. It's worth enabling in in your Program and then verifying that everything still works on
+// the site before really getting into security scanning. If you experience any problems related to
+// Content-Security-Policy, take a look at the documentation of IContentSecurityPolicyProvider and
 // ContentSecurityPolicyAttribute to adjust the permissions, because these defaults are rather strict out of the box.
 // Note that security scanning has cross-platform support, but due to the limitations of virtualization under Windows in
@@ -66,7 +68,8 @@ public Task BasicSecurityScanShouldPass() =>
 // too. This is necessary because ZAP uses its own spider so it doesn't share session or cookies with the browser.
 // - The assertion on the scan results is custom. Use this if you (conditionally) want to assert on the results
 // differently from the global context.Configuration.SecurityScanningConfiguration.AssertSecurityScanResult. The
- // default there is "no scanning alert is allowed"; we expect some alerts here.
+ // default there is "no scanning alert is allowed"; we expect an alert here due to the scan visiting the
+ // intentional error page under /Lombiq.Tests.UI.Shortcuts/Error/Index.
 // - The suppressions are not actually necessary here. The BasicSecurityScanShouldPass works fine without them. They
 // are only present to illustrate the type of adjustments you may want for your own site.
 [Fact]
@@ -79,7 +82,7 @@ public Task SecurityScanWithCustomConfigurationShouldPass() =>
 .DisablePassiveScanRule(10020, "The response does not include either Content-Security-Policy with 'frame-ancestors' directive.")
 .DisableScanRuleForUrlWithRegex(".*/about", 10038, "Content Security Policy (CSP) Header Not Set")
 .SignIn(),
- sarifLog => sarifLog.Runs[0].Results.Count.ShouldBeInRange(17, 22)),
+ sarifLog => sarifLog.Runs[0].Results.Count.ShouldBe(1)),
 changeConfiguration: configuration => configuration.UseAssertAppLogsForSecurityScan());
 // Let's get low-level into ZAP's configuration now. While the .NET configuration API of the Lombiq UI Testing
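Review bot: The added comment line `// extension method from Lombiq.HelpfulLibraries.OrchardCore. We use it in this in our` contains a garbled phrase ("in this in our"), and the reflowed line `// there are almost no alerts. It's worth enabling in in your Program and then verifying that everything still works on` carries the duplicated "in in" over from the removed text. Suggested wording: `// extension method from Lombiq.HelpfulLibraries.OrchardCore. We use it in our` and `// there are almost no alerts. It's worth enabling it in your Program and then verifying that everything still works on`; the lines that follow may need re-wrapping to the file's line width afterwards. This is a top-level comment block rather than a function, and it continues outside the hunk.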
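Review bot: The new comment says exactly one alert is expected because of the error page, but the exact count behind `ShouldBe(1)` (hunk `@@ -79,7 +82,7 @@`) also depends on the SARIF report now excluding the "info" risk and "falsepositive" confidence levels (the YAML change in PATCH 1/2); the comment should state that, otherwise a reader will not see why the earlier 17–22 range collapsed to 1 or why the HTML and SARIF counts now agree. A count-only assertion is also a weak sample: any single unrelated finding would keep the test green while the intended error-page alert could be missing entirely. Consider asserting on the result itself, e.g. `sarifLog.Runs[0].Results.ShouldHaveSingleItem()` followed by a check that the result's location URI contains `/Lombiq.Tests.UI.Shortcuts/Error/Index` (property path per the SARIF SDK's `Result.Locations` model, to be confirmed). The enclosing `SecurityScanWithCustomConfigurationShouldPass` expression begins before the hunk.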
@@ -66,7 +68,8 @@ public Task BasicSecurityScanShouldPass() => // too. This is necessary because ZAP uses its own spider so it doesn't share session or cookies with the browser. // - The assertion on the scan results is custom. Use this if you (conditionally) want to assert on the results // differently from the global context.Configuration.SecurityScanningConfiguration.AssertSecurityScanResult. The - // default there is "no scanning alert is allowed"; we expect some alerts here. + // default there is "no scanning alert is allowed"; we expect an alert here due to the scan visiting the + // intentional error page under /Lombiq.Tests.UI.Shortcuts/Error/Index. // - The suppressions are not actually necessary here. The BasicSecurityScanShouldPass works fine without them. They // are only present to illustrate the type of adjustments you may want for your own site. [Fact] @@ -79,7 +82,7 @@ public Task SecurityScanWithCustomConfigurationShouldPass() => .DisablePassiveScanRule(10020, "The response does not include either Content-Security-Policy with 'frame-ancestors' directive.") .DisableScanRuleForUrlWithRegex(".*/about", 10038, "Content Security Policy (CSP) Header Not Set") .SignIn(), - sarifLog => sarifLog.Runs[0].Results.Count.ShouldBeInRange(17, 22)), + sarifLog => sarifLog.Runs[0].Results.Count.ShouldBe(1)), changeConfiguration: configuration => configuration.UseAssertAppLogsForSecurityScan()); // Let's get low-level into ZAP's configuration now. While the .NET configuration API of the Lombiq UI Testing