Offer security checks (OSOE-351)

[Piedone]

Perhaps integrate with some tool that can test a form for XSS vulnerability or something like that. Need to look around.

Jira issue

[Piedone]

We could explore using ZAP.

• They also offer GitHub Actions: https://github.com/marketplace?query=zap&verification=verified_creator
  • These simply run the packaged scans though, see eg. here.
  • For an OC app, we'd need the API and Full Scans.
  • If we use these actions, then the app needs to be kept running even after test execution finishes, which seems problematic. Rather, we'd need to run the Docker commands from within the tests, after switching the app to interactive mode. Then, at the end of the scan, we can switch back from interactive mode (either by instructing ZAP to open InteractiveModeController.Continue or by setting IInteractiveModeStatusAccessor.Enabled directly).
• Instead of packaged scans, ZAP is migrating to the new Automation Framework. zap-weekly uses the Automation Framework as the baseline scan already, we should use that. We can create such an Automation Framework YAML in the desktop app and then use it to run a scan by default.
• Using ZAP to proxy UITT browser interactions would perhaps be the best, in addition to starting scans in a browser opened by UITT. If the latter is not possible, then we can configure the login shortcut to handle authentication (also see users).
  • For this, we need to configure Docker to allow access to the app running on localhost in the host, which the mentioned actions do.
  • Others have thought about this too.
  • There's a .NET API package but that only supports .NET Framework.
• Similar to accessibility checks, there should be a way to run these scans for every page view (with ZAP's proxy feature) or explicitly, either for only the current page or like monkey tests, unleashing a scan with the spider. Also similar to accessibility checks, there should be a way to always create a report (see AccessibilityCheckingConfiguration.CreateReportAlways).
• To be able to assert on the report from a test, we need a machine-readable version of it. ZAP's SARIF report seems suitable for this (sample report). This is available with the report_json switch for packaged scans. We need to save this and also the human-readable pretty report to the Failure Dump. The report_html or report_md switches can do this (perhaps also add the report to the workflow summary?).
• ZAP's full configuration should be surfaced in its native way, most possibly with the YAML approach of Automation Framework.
• Check if there are ZAP plugins that are useful for us, like Attack Surface Detector. These need to be possible to easily run locally in GHA.
• We need a separate ZAP instance for each scan.
• We could integrate with GitHub Code Scanning, see GitHub Code Scanning Integration  zaproxy/action-baseline#63 and https://github.com/SvanBoxel/zaproxy-to-ghas. Docs on integration is here. This needs SARIF export, see here. However, this doesn't seem necessary, since we'd fail the build on any security issue anyway.

[Piedone]

There's also a long list of suitable tools by OWASP here: https://owasp.org/www-community/Source_Code_Analysis_Tools. I checked these out, only the open-source tools supporting .NET (since this list about code scanning, unlike ZAP). Didn't find anything better than what we already use in .NET Analyzers.

[BenedekFarkas]

We should also investigate using https://codeql.github.com/, AFAIK it partially overlaps with https://github.com/Lombiq/.NET-Analyzers too.

[Piedone]

That looks like something we'd configure for code scanning or run in a CI workflow with the CodeQL Action. And yeah, this is rather static code analysis than something related to UI testing.

We can look into trying it out on OSOCE (since unless you use Enterprise, it's only available for public repos) with LGHA. Will you open an issue in the latter or shall I?

[BenedekFarkas]

Yes, here are my initial findings too: Lombiq/GitHub-Actions#283

Also found this: https://github.com/apisec-inc/ethicalcheck-action, worth comparing with ZAP.

[Piedone]

That looks the same as ZAP's OpenAPI scan.