chore: fix dast scan
wolf4ood committed May 3, 2024
1 parent 622b81d commit 1a27ea8
Showing 13 changed files with 563 additions and 82 deletions.
23 changes: 3 additions & 20 deletions .github/actions/setup-memory-runtime/action.yml
Expand Up @@ -29,33 +29,16 @@ runs:

- uses: actions/checkout@v4

- name: Dockerize TractusX EDC in memory distribution
- name: Dockerize TractusX EDC in memory distribution for Dast
shell: bash
run: |
./gradlew :edc-controlplane:edc-runtime-memory:dockerize
./gradlew :samples:edc-dast:edc-dast-runtime:dockerize
- name: Starting MIW, Keycloak and Postgres Servers
shell: bash
run: |
cd edc-tests/miw-tests/src/test/resources/docker-environment
docker compose up -d --wait
- uses: nick-fields/retry@v3
name: Wait for MIW
with:
timeout_minutes: 5
max_attempts: 3
command: |
code=$(curl -IL -sw "%{http_code}" http://localhost:8000/api/actuator/health -o /dev/null)
if [ "$code" -ne "401" ]; then
echo "MIW not ready yet, status = $code"
exit 1;
fi
- name: Starting in memory TractusX EDC
shell: bash
run: |
cd dast
cd samples/edc-dast
docker compose up -d
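Review bot: The replacement "Starting in memory TractusX EDC" step brings the runtime up with `docker compose up -d` and returns immediately, while the removed MIW steps used `docker compose up -d --wait` plus a retry loop polling a health endpoint before the job continued; with nothing left to block on, the token fetch in the DAST workflow can run before the edc-runtime container is listening and fail the scan intermittently. Consider `docker compose up -d --wait` here, paired with a `healthcheck` on the `edc-runtime` service in samples/edc-dast/docker-compose.yaml, which as shown in this commit does not appear to define one. The rendered hunk has lost its `+`/`-` markers, so which lines are new is inferred from the step names and the diffstat.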
8 changes: 5 additions & 3 deletions .github/workflows/dast-scan.yaml
Expand Up @@ -20,6 +20,8 @@
name: ZAP_ALL

on:
pull_request:
branches: [ "main" ]
schedule:
- cron: '0 0 * * *'
workflow_dispatch:
Expand All @@ -33,15 +35,15 @@ jobs:
- uses: actions/checkout@v4
- uses: ./.github/actions/setup-memory-runtime

- name: Fetch MIW VP token
run: ./dast/fetch-token.sh
- name: Fetch SI TOKEN
run: ./samples/edc-dast/fetch-token.sh

- name: API Catalog Request Test
id: catalog_request
run: |
dsp_response=$(curl -w "%{http_code}" --request POST \
--url http://localhost:8282/api/v1/dsp/catalog/request \
--header "Authorization: $VP_TOKEN" \
--header "Authorization: $SI_TOKEN" \
--header 'Content-Type: application/json' \
--data '{
"@type": "dspace:CatalogRequestMessage",
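Review bot: The catalog request now sends `$SI_TOKEN` as the Authorization header, but nothing in this hunk shows where that variable is populated or whether it is masked in the job log; if `samples/edc-dast/fetch-token.sh` exports it through `$GITHUB_ENV`, an `echo "::add-mask::$SI_TOKEN"` before the export keeps the value out of the log should any later step echo its command line or print the response headers. The `jobs:` block starts before this hunk and the curl `--data` payload continues past it, so the rest of the step is not visible here.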
37 changes: 0 additions & 37 deletions dast/fetch-token.sh

This file was deleted.

28 changes: 7 additions & 21 deletions dast/docker-compose.yaml → samples/edc-dast/docker-compose.yaml
Expand Up @@ -22,29 +22,15 @@ version: '3'

services:
edc-runtime:

image: edc-runtime-memory:latest
environment:
TX_SSI_OAUTH_TOKEN_URL: http://keycloak:8080/realms/miw_test/protocol/openid-connect/token
TX_SSI_OAUTH_CLIENT_ID: miw_private_client
TX_SSI_OAUTH_CLIENT_SECRET_ALIAS: client-alias
EDC_VAULT_SECRETS: "client-alias:miw_private_client"
TX_SSI_MIW_URL: http://miw:8000
TX_SSI_MIW_AUTHORITY_ID: BPNL000000000000
TX_SSI_MIW_AUTHORITY_ISSUER: did:web:localhost%3A8000:BPNL000000000000
TX_SSI_ENDPOINT_AUDIENCE: "http://test"
EDC_DATAPLANE_TOKEN_VALIDATION_ENDPOINT: "http://validate"
EDC_API_AUTH_KEY: password

networks:
- miw-net
image: edc-dast-runtime:latest
volumes:
- type: bind
source: ./edc-dast-runtime/configuration.properties
target: /app/configuration.properties
ports:

- "8282:8282"
- "8181:8181"

- "8989:8989"
- "8990:8990"
volumes:
postgres_data:
driver: local

networks:
miw-net:
external: true
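Review bot: Every listener of the `edc-runtime` service is published in the bare `"host:container"` form (`"8282:8282"`, `"8181:8181"` and the apparently added `"8989:8989"`, `"8990:8990"`), which binds to all host interfaces; since the DAST workflow reaches the runtime through localhost, the `"127.0.0.1:8282:8282"` form (and likewise for the other three) keeps the management and control ports off any other interface of the runner. The service also defines no `healthcheck`, so `docker compose up --wait` in the setup action would have nothing to wait for; a `healthcheck` probing one of these ports, or the runtime's health endpoint if it exposes one, would let the action block until the container is ready. The top-level `volumes`/`networks` stanzas for the removed MIW stack appear to be deleted here; if a `networks: - miw-net` reference survives elsewhere in the file, compose will fail on the missing external network. The `services:` block begins before this hunk.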
34 changes: 34 additions & 0 deletions samples/edc-dast/edc-dast-extensions/build.gradle.kts
@@ -0,0 +1,34 @@
/********************************************************************************
* Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
*
* See the NOTICE file(s) distributed with this work for additional
* information regarding copyright ownership.
*
* This program and the accompanying materials are made available under the
* terms of the Apache License, Version 2.0 which is available at
* https://www.apache.org/licenses/LICENSE-2.0.
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*
* SPDX-License-Identifier: Apache-2.0
********************************************************************************/

plugins {
`java-library`
}

dependencies {
implementation(libs.edc.spi.core)
implementation(libs.edc.lib.cryptocommon)
implementation(libs.edc.core.token)
implementation(libs.edc.ih.spi)
implementation(libs.edc.ih.spi.store)
}

edcBuild {
publish.set(false)
}
