diff --git a/.gitignore b/.gitignore
index bd5e7c5f3..5f728e611 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,8 +1,6 @@
 target/
 !.mvn/wrapper/maven-wrapper.jar
 functional-output/
-package-lock.json
-
 ### STS ###
 .apt_generated
 .classpath
diff --git a/Jenkinsfile_CNP b/Jenkinsfile_CNP
index fb6b2a1d6..253a6612c 100644
--- a/Jenkinsfile_CNP
+++ b/Jenkinsfile_CNP
@@ -28,7 +28,7 @@ static LinkedHashMap secret(String secretName, String envVar) {
 [$class : 'AzureKeyVaultSecret',
 secretType : 'Secret',
 name : secretName,
- version : '',
+ version : '',
 envVariable: envVar
 ]
 }
@@ -173,4 +173,4 @@ withPipeline(type, product, component) {
 reportName : "IDAM Web Public E2E functional tests result"
 ]
 }
-}
+}
\ No newline at end of file
diff --git a/Jenkinsfile_nightly b/Jenkinsfile_nightly
index bffcb3e34..ff71a346d 100644
--- a/Jenkinsfile_nightly
+++ b/Jenkinsfile_nightly
@@ -5,8 +5,8 @@ properties([
 parameters([
- string(name: 'URL_TO_TEST', defaultValue: 'https://idam-web-public-idam-preview.service.core-compute-idam-preview.internal', description: 'The URL you want to run these tests against'),
- string(name: 'API_URL_TO_TEST', defaultValue: 'https://idam-api-idam-preview.service.core-compute-idam-preview.internal', description: 'The API URL you want to run these tests against '),
+ string(name: 'URL_TO_TEST', defaultValue: 'https://idam-web-public.aat.platform.hmcts.net', description: 'The URL you want to run these tests against'),
+ string(name: 'API_URL_TO_TEST', defaultValue: 'https://idam-api.aat.platform.hmcts.net', description: 'The API URL you want to run these tests against '),
 ])
 ])
@@ -19,7 +19,7 @@ def product = "idam"
 def component = "web-public"
 def secrets = [
- 'idam-idam-preview': [
+ 'idam-idam-aat': [
 secret('smoke-test-user-username', 'SMOKE_TEST_USER_USERNAME'),
 secret('smoke-test-user-password', 'SMOKE_TEST_USER_PASSWORD'),
 secret('notify-api-key', 'NOTIFY_API_KEY')
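Review bot: `package-lock.json` is no longer ignored, but this commit does not add a lockfile, so the un-ignore has no effect until one is committed. If this repository installs npm packages (presumably for the E2E tests), commit the generated lockfile in the same change and have CI install with `npm ci`, so the resolved dependency tree is pinned rather than re-resolved on every nightly build.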
@@ -43,6 +43,10 @@ withNightlyPipeline(type, product, component) {
 loadVaultSecrets(secrets)
+ enableSecurityScan()
+
+ enableMutationTest()
+
 enableFullFunctionalTest(200)
 after('fullFunctionalTest') {
diff --git a/audit.json b/audit.json
new file mode 100644
index 000000000..444b5db7f
--- /dev/null
+++ b/audit.json
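Review bot: `enableSecurityScan()` is switched on in the same change that repoints the `URL_TO_TEST` default (hunk `@@ -5,8 +5,8 @@`) at the shared AAT environment, and security.sh drives ZAP with `scanner.attackOnStart=true` and `active-scan --scanners all --recursive` against that URL. A nightly active scan of a shared, long-lived identity front end needs explicit sign-off from the environment owners and will look like attack traffic in their WAF and SIEM, so record that agreement next to this call, e.g. `// nightly ZAP active scan against AAT - agreed with <owner> on <date>`, so it is not later mistaken for an incident. If an ephemeral or preview instance is available, that remains the safer target; if AAT is intentional, say so in the job description.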
@@ -0,0 +1,227 @@ +{ + "90011_Charset Mismatch (Header Versus Meta Content-Type Charset)_https://idam-web-public.aat.platform.hmcts.net/cookies_GET": "ignore", + "90011_Charset Mismatch (Header Versus Meta Content-Type Charset)_https://idam-web-public.aat.platform.hmcts.net/terms-and-conditions_GET": "ignore", + "90011_Charset Mismatch (Header Versus Meta Content-Type Charset)_https://idam-web-public.aat.platform.hmcts.net/privacy-policy_GET": "ignore", + "90011_Charset Mismatch (Header Versus Meta Content-Type Charset)_https://idam-web-public.aat.platform.hmcts.net/login_GET": "ignore", + "90011_Charset Mismatch (Header Versus Meta Content-Type Charset)_https://idam-web-public.aat.platform.hmcts.net/contact-us_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/govuk-template.log_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/images/apple-touch-icon-152x152.bak_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/fonts.bak_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/privacy-policy.old_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/govuk-template-print.bak_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/cookies.log_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/images/apple-touch-icon.old_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/terms-and-conditions.log_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/images/apple-touch-icon-152x152.old_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/login.log_GET": "ignore", + 
"10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/govuk-template-ie7.bak_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/images/apple-touch-icon-167x167.backup_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/login.backup_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/images/apple-touch-icon-152x152.backup_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/application.old_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/images/apple-touch-icon.bak_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/govuk-template-ie8.old_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/javascripts/govuk-template.old_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/contact-us.log_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/javascripts/ie.log_GET": "ignore", + "10027_Information Disclosure - Suspicious Comments_https://idam-web-public.aat.platform.hmcts.net/assets/javascripts/details.polyfill.js_GET": "ignore", + "10027_Information Disclosure - Suspicious Comments_https://idam-web-public.aat.platform.hmcts.net/assets/javascripts/ie.js_GET": "ignore", + "10054_Cookie Without SameSite Attribute_https://idam-web-public.aat.platform.hmcts.net/_GET": "ignore", + "10054_Cookie Without SameSite Attribute_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET": "ignore", + "10016_Web Browser XSS Protection Not Enabled_https://idam-web-public.aat.platform.hmcts.net/_GET": "ignore", + "10104_User Agent Fuzzer_https://idam-w10104_User Agent 
Fuzzer_https://idam-web-public.aat.platform.hmcts.net/assets/javascripts_GETeb-public.aat.platform.hmcts.net/assets/stylesheets_GET": "ignore", + "10104_User Agent Fuzzer_https://idam-web-public.aat.platform.hmcts.net/assets/javascripts_GET": "ignore", + "10104_User Agent Fuzzer_https://idam-web-public.aat.platform.hmcts.net/assets/images_GET": "ignore", + "10104_User Agent Fuzzer_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET": "ignore", + "10104_User Agent Fuzzer_https://idam-web-public.aat.platform.hmcts.net/assets_GET": "ignore", + "10104_User Agent Fuzzer_https://idam-web-public.aat.platform.hmcts.net/sitemap.xml_GET": "ignore", + "10104_User Agent Fuzzer_https://idam-web-public.aat.platform.hmcts.net/_GET": "ignore", + "10104_User Agent Fuzzer_https://idam-web-public.aat.platform.hmcts.net/assets/images/apple-touch-icon-120x120.png_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/login.bak_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/govuk-template-print.log_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/govuk-template.bak_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/govuk-template.backup_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/contact-us.bak_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/images/apple-touch-icon-180x180.log_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/govuk-template-ie8.backup_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/application.backup_GET": "ignore", + "10095_Backup File 
Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/images/favicon.log_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/login.old_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/govuk-template-ie6.old_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/govuk-template-ie8.log_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/images/favicon.bak_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/fonts-ie8.old_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/govuk-template-ie8.bak_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/images/gov.uk_logotype_crown_invert_trans.png_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/images/apple-touch-icon-167x167.png_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/govuk-template-ie8.css_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/javascripts/govuk-template.js_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/terms-and-conditions_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/images/apple-touch-icon.png_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/fonts-ie8.css_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/fonts.css_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/images/gov.uk_logotype_crown.svg_GET": "ignore", 
+ "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/sitemap.xml_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/javascripts/details.polyfill.js_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/govuk-template-print.css_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/javascripts_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/images/favicon.ico_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/images/apple-touch-icon-152x152.png_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/govuk-template-ie7.css_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/login_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/cookies_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/images/apple-touch-icon-120x120.png_GET": "ignore", + "10038_Content Security Policy (CSP) Header Not Set_https://idam-web-public.aat.platform.hmcts.net/cookies_GET": "ignore", + "10038_Content Security Policy (CSP) Header Not Set_https://idam-web-public.aat.platform.hmcts.net/login_GET": "ignore", + "10038_Content Security Policy (CSP) Header Not Set_https://idam-web-public.aat.platform.hmcts.net/terms-and-conditions_GET": "ignore", + "10038_Content Security Policy (CSP) Header Not Set_https://idam-web-public.aat.platform.hmcts.net/contact-us_GET": "ignore", + "10038_Content Security Policy (CSP) Header Not Set_https://idam-web-public.aat.platform.hmcts.net/_GET": "ignore", + "10038_Content Security Policy (CSP) Header Not 
Set_https://idam-web-public.aat.platform.hmcts.net/privacy-policy_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/assets/images/apple-touch-icon.png_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/assets/images/gov.uk_logotype_crown_invert_trans.png_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/assets/images/apple-touch-icon-167x167.png_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/terms-and-conditions_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/govuk-template-ie8.css_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/privacy-policy_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/assets/javascripts/govuk-template.js_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/fonts-ie8.css_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/govuk-template-ie6.css_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/contact-us_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/assets/images/apple-touch-icon-180x180.png_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/login_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/assets/images_GET": "ignore", + "90027_Cookie Slack 
Detector_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/govuk-template-ie7.css_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/assets_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/assets/images/apple-touch-icon-152x152.png_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/assets/javascripts/ie.js_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/application.css_GET": "ignore", + "10108_Reverse Tabnabbing_https://idam-web-public.aat.platform.hmcts.net/cookies_GET": "ignore", + "10108_Reverse Tabnabbing_https://idam-web-public.aat.platform.hmcts.net/contact-us_GET": "ignore", + "10108_Reverse Tabnabbing_https://idam-web-public.aat.platform.hmcts.net/terms-and-conditions_GET": "ignore", + "10108_Reverse Tabnabbing_https://idam-web-public.aat.platform.hmcts.net/privacy-policy_GET": "ignore", + "10108_Reverse Tabnabbing_https://idam-web-public.aat.platform.hmcts.net/login_GET": "ignore", + "40029_Trace.axd Information Leak_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/trace.axd_GET": "ignore", + "40029_Trace.axd Information Leak_https://idam-web-public.aat.platform.hmcts.net/trace.axd_GET": "ignore", + "40029_Trace.axd Information Leak_https://idam-web-public.aat.platform.hmcts.net/assets/images/trace.axd_GET": "ignore", + "40029_Trace.axd Information Leak_https://idam-web-public.aat.platform.hmcts.net/assets/javascripts/trace.axd_GET": "ignore", + "40028_ELMAH Information Leak_https://idam-web-public.aat.platform.hmcts.net/elmah.axd_GET": "ignore", + "10035_Strict-Transport-Security Header Not Set_https://idam-web-public.aat.platform.hmcts.net/_GET": "ignore", + "10011_Cookie Without Secure Flag_https://idam-web-public.aat.platform.hmcts.net/_GET": "ignore", + "10011_Cookie Without Secure 
Flag_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET": "ignore", + "10036_Server Leaks Version Information via \"Server\" HTTP Response Header Field_https://idam-web-public.aat.platform.hmcts.net/_GET": "ignore", + "10104_User Agent Fuzzer_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets_GET": "ignore", + "10104_User Agent Fuzzer_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets_GET": "ignore", + "10104_User Agent Fuzzer_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets_GET": "ignore", + "10104_User Agent Fuzzer_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets_GET": "ignore", + "40029_Trace.axd Information Leak_https://idam-web-public.aat.platform.hmcts.net/assets/trace.axd_GET":"ignore", + "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/_GET":"ignore", + "10104_User Agent Fuzzer_https://idam-web-public.aat.platform.hmcts.net/assets_GET":"ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/sitemap.xml_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/assets/images/gov.uk_logotype_crown.svg_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/govuk-template-print.css_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/cookies_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/assets/javascripts/details.polyfill.js_GET": "ignore", + "90033_Loosely Scoped Cookie_https://idam-web-public.aat.platform.hmcts.net/_GET": "ignore", + "10010_Cookie No HttpOnly Flag_https://idam-web-public.aat.platform.hmcts.net/_GET": "ignore", + "10104_User Agent Fuzzer_https://idam-web-public.aat.platform.hmcts.net/contact-us_GET": "ignore", + "10104_User Agent Fuzzer_https://idam-web-public.aat.platform.hmcts.net/login_GET": "ignore", + "10104_User Agent 
Fuzzer_https://idam-web-public.aat.platform.hmcts.net/privacy-policy_GET": "ignore", + "10104_User Agent Fuzzer_https://idam-web-public.aat.platform.hmcts.net/contact-us_GET": "ignore", + "10104_User Agent Fuzzer_https://idam-web-public.aat.platform.hmcts.net/privacy-policy_GET": "ignore", + "10104_User Agent Fuzzer_https://idam-web-public.aat.platform.hmcts.net/terms-and-conditions_GET": "ignore", + "10104_User Agent Fuzzer_https://idam-web-public.aat.platform.hmcts.net/cookies_GET": "ignore", + "10104_User Agent Fuzzer_https://idam-web-public.aat.platform.hmcts.net/privacy-policy_GET": "ignore", + "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET": "ignore", + "0095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/Copy of ruxitagentjs_ICA2SVfjqrux_10185200212095618.js_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/ruxitagentjs_ICA2SVfjqrux_10185200212095618.log_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/ruxitagentjs_ICA2SVfjqrux_10185200212095618.backup_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/ruxitagentjs_ICA2SVfjqrux_10185200212095618.js_GET": "ignore", + "10098_Cross-Domain Misconfiguration_https://idam-web-public.aat.platform.hmcts.net/ruxitagentjs_ICA2SVfjqrux_10185200212095618.js_GET": "ignore", + "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/cookies_GET": "ignore", + "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/privacy-policy_GET": "ignore", + "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/login_GET": "ignore", + "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/terms-and-conditions_GET": "ignore", + "10096_Timestamp Disclosure - 
Unix_https://idam-web-public.aat.platform.hmcts.net/ruxitagentjs_ICA2SVfjqrux_10185200212095618.js_GET": "ignore", + "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/privacy-policy_GET": "ignore", + "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/ruxitagentjs_ICA2SVfjqrux_10185200212095618.js_GET": "ignore", + "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/contact-us_GET": "ignore", + "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/terms-and-conditions_GET": "ignore", + "90033_Loosely Scoped Cookie_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET": "ignore", + "10027_Information Disclosure - Suspicious Comments_https://idam-web-public.aat.platform.hmcts.net/ruxitagentjs_ICA2SVfjqrux_10185200212095618.js_GET": "ignore", + "10035_Strict-Transport-Security Header Not Set_https://idam-web-public.aat.platform.hmcts.net/ruxitagentjs_ICA2SVfjqrux_10185200212095618.js_GET": "ignore", + "10021_X-Content-Type-Options Header Missing_https://idam-web-public.aat.platform.hmcts.net/ruxitagentjs_ICA2SVfjqrux_10185200212095618.js_GET": "ignore", + "10010_Cookie No HttpOnly Flag_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET": "ignore", + "10036_Server Leaks Version Information via \"Server\" HTTP Response Header Field_https://idam-web-public.aat.platform.hmcts.net/ruxitagentjs_ICA2SVfjqrux_10185200212095618.js_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/govuk-template-ie8.bak_GET": "ignore", + "10054_Cookie Without SameSite Attribute_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET": "ignore", + "10054_Cookie Without SameSite Attribute_https://idam-web-public.aat.platform.hmcts.net/_GET": "ignore", + "10054_Cookie Without SameSite Attribute_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET": "ignore", + "10054_Cookie Without 
SameSite Attribute_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET": "ignore", + "10054_Cookie Without SameSite Attribute_https://idam-web-public.aat.platform.hmcts.net/_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/images/gov.uk_logotype_crown_invert_trans.png_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/images/apple-touch-icon-167x167.png_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/govuk-template-ie8.css_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/javascripts/govuk-template.js_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/ruxitagentjs_ICA2SVfjqrux_10185200212095618.js_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/terms-and-conditions_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/images/apple-touch-icon.png_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/fonts-ie8.css_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/fonts.css_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/images/gov.uk_logotype_crown.svg_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/sitemap.xml_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/javascripts/details.polyfill.js_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/govuk-template-print.css_GET": "ignore", + "40025_Proxy 
Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/javascripts_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/images/favicon.ico_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/images/apple-touch-icon-152x152.png_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/assets/stylesheets/govuk-template-ie7.css_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/login_GET": "ignore", + "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/cookies_GET": "ignore", + "10038_Content Security Policy (CSP) Header Not Set_https://idam-web-public.aat.platform.hmcts.net/cookies_GET": "ignore", + "10038_Content Security Policy (CSP) Header Not Set_https://idam-web-public.aat.platform.hmcts.net/login_GET": "ignore", + "10038_Content Security Policy (CSP) Header Not Set_https://idam-web-public.aat.platform.hmcts.net/terms-and-conditions_GET": "ignore", + "10038_Content Security Policy (CSP) Header Not Set_https://idam-web-public.aat.platform.hmcts.net/contact-us_GET": "ignore", + "10038_Content Security Policy (CSP) Header Not Set_https://idam-web-public.aat.platform.hmcts.net/_GET": "ignore", + "10038_Content Security Policy (CSP) Header Not Set_https://idam-web-public.aat.platform.hmcts.net/privacy-policy_GET": "ignore", + "90011_Charset Mismatch (Header Versus Meta Content-Type Charset)_https://idam-web-public.aat.platform.hmcts.net/terms-and-conditions_GET": "ignore", + "90011_Charset Mismatch (Header Versus Meta Content-Type Charset)_https://idam-web-public.aat.platform.hmcts.net/login_GET": "ignore", + "90011_Charset Mismatch (Header Versus Meta Content-Type Charset)_https://idam-web-public.aat.platform.hmcts.net/cookies_GET": "ignore", + "90011_Charset Mismatch (Header Versus Meta Content-Type Charset)_https://idam-web-public.aat.platform.hmcts.net/privacy-policy_GET": 
"ignore", + "90011_Charset Mismatch (Header Versus Meta Content-Type Charset)_https://idam-web-public.aat.platform.hmcts.net/contact-us_GET": "ignore", + "10098_Cross-Domain Misconfiguration_https://idam-web-public.aat.platform.hmcts.net/ruxitagentjs_ICA2SVfjqrux_10185200212095618.js_GET": "ignore", + "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/privacy-policy_GET": "ignore", + "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/cookies_GET": "ignore", + "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/ruxitagentjs_ICA2SVfjqrux_10185200212095618.js_GET": "ignore", + "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/ruxitagentjs_ICA2SVfjqrux_10185200212095618.js_GET": "ignore", + "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/terms-and-conditions_GET": "ignore", + "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/privacy-policy_GET": "ignore", + "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/login_GET": "ignore", + "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/terms-and-conditions_GET": "ignore", + "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/contact-us_GET": "ignore", + "10108_Reverse Tabnabbing_https://idam-web-public.aat.platform.hmcts.net/terms-and-conditions_GET": "ignore", + "10108_Reverse Tabnabbing_https://idam-web-public.aat.platform.hmcts.net/cookies_GET": "ignore", + "10108_Reverse Tabnabbing_https://idam-web-public.aat.platform.hmcts.net/privacy-policy_GET": "ignore", + "10108_Reverse Tabnabbing_https://idam-web-public.aat.platform.hmcts.net/contact-us_GET": "ignore", + "10108_Reverse Tabnabbing_https://idam-web-public.aat.platform.hmcts.net/login_GET": "ignore", + "10027_Information Disclosure - Suspicious 
Comments_https://idam-web-public.aat.platform.hmcts.net/ruxitagentjs_ICA2SVfjqrux_10185200212095618.js_GET": "ignore", + "10027_Information Disclosure - Suspicious Comments_https://idam-web-public.aat.platform.hmcts.net/assets/javascripts/details.polyfill.js_GET": "ignore", + "10027_Information Disclosure - Suspicious Comments_https://idam-web-public.aat.platform.hmcts.net/assets/javascripts/ie.js_GET": "ignore", + "10035_Strict-Transport-Security Header Not Set_https://idam-web-public.aat.platform.hmcts.net/ruxitagentjs_ICA2SVfjqrux_10185200212095618.js_GET": "ignore", + "10035_Strict-Transport-Security Header Not Set_https://idam-web-public.aat.platform.hmcts.net/_GET": "ignore", + "40028_ELMAH Information Leak_https://idam-web-public.aat.platform.hmcts.net/elmah.axd_GET": "ignore", + "10021_X-Content-Type-Options Header Missing_https://idam-web-public.aat.platform.hmcts.net/ruxitagentjs_ICA2SVfjqrux_10185200212095618.js_GET": "ignore", + "10011_Cookie Without Secure Flag_https://idam-web-public.aat.platform.hmcts.net/_GET": "ignore", + "10011_Cookie Without Secure Flag_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET": "ignore", + "10011_Cookie Without Secure Flag_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET": "ignore", + "10010_Cookie No HttpOnly Flag_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET": "ignore", + "10036_Server Leaks Version Information via \"Server\" HTTP Response Header Field_https://idam-web-public.aat.platform.hmcts.net/ruxitagentjs_ICA2SVfjqrux_10185200212095618.js_GET": "ignore", + "10036_Server Leaks Version Information via \"Server\" HTTP Response Header Field_https://idam-web-public.aat.platform.hmcts.net/_GET": "ignore", + "90033_Loosely Scoped Cookie_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET": "ignore", + "10095_Backup File Disclosure_https://idam-web-public.aat.platform.hmcts.net/Copy of ruxitagentjs_ICA2SVfjqrux_10185200212095618.js_GET": "ignore", + "90027_Cookie Slack 
Detector_https://idam-web-public.aat.platform.hmcts.net/ruxitagentjs_ICA2SVfjqrux_10185200212095618.js_GET": "ignore",
+ "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET": "ignore"
+}
\ No newline at end of file
diff --git a/security.sh b/security.sh
index 4adad9e0a..56f17161b 100644
--- a/security.sh
+++ b/security.sh
@@ -1,5 +1,7 @@
 #!/bin/bash
 #echo "${SECURITYCONTEXT}" > /zap/security.context
+export LC_ALL=C.UTF-8
+export LANG=C.UTF-8
 zap-x.sh -d -host 0.0.0.0 -port 1001 -config api.disablekey=true -config scanner.attackOnStart=true -config view.mode=attack -config connection.dnsTtlSuccessfulQueries=-1 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true /dev/null 2>&1 &
 i=0
 while !(curl -s http://0.0.0.0:1001) > /dev/null
@@ -10,6 +12,7 @@ while !(curl -s http://0.0.0.0:1001) > /dev/null
 echo "ZAP has successfully started"
 zap-cli --zap-url http://0.0.0.0 -p 1001 status -t 120
 zap-cli --zap-url http://0.0.0.0 -p 1001 open-url "${TEST_URL}"
+ zap-cli --zap-url http://0.0.0.0 -p 1001 exclude ".*jquery-3.4.1.min.js$"
 zap-cli --zap-url http://0.0.0.0 -p 1001 spider ${TEST_URL}
 zap-cli --zap-url http://0.0.0.0 -p 1001 active-scan --scanners all --recursive "${TEST_URL}"
 zap-cli --zap-url http://0.0.0.0 -p 1001 report -o activescan.html -f html
@@ -17,4 +20,5 @@ while !(curl -s http://0.0.0.0:1001) > /dev/null
 chown -R $(id -u):$(id -u) activescan.html
 cp *.html functional-output/
 zap-cli -p 1001 alerts -l Informational
- zap-cli --zap-url http://0.0.0.0 -p 1001 alerts -l High --exit-code False
+ zap-cli --zap-url http://0.0.0.0 -p 1001 alerts -l High --exit-code False
+ curl --fail http://0.0.0.0:1001/OTHER/core/other/jsonreport/?formMethod=GET --output report.json
\ No newline at end of file
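Review bot: The new audit.json contains duplicate keys (the `10104_User Agent Fuzzer_…/assets/stylesheets_GET` entry appears four times in a row, and most of the second half of the file repeats entries from the first), one key whose plugin id has lost a digit (`0095_Backup File Disclosure_…`), and one key that was corrupted by a paste (`…idam-w10104_User Agent Fuzzer_…GETeb-public…`); duplicate keys are parser-dependent in JSON and the malformed ones can never match a finding, so dedupe the file and drop the broken entries. More importantly, for a login front end the list suppresses cookie Secure / HttpOnly / SameSite, Strict-Transport-Security, CSP and X-Content-Type-Options findings on `/` and `/login`, which are precisely the controls a session-issuing service is expected to have; JSON cannot carry a per-entry reason, so keep a short rationale per ignored rule family in the README (or a sibling notes file) and re-check those suppressions against the first real scan rather than carrying them forward as a block. The keys also embed the AAT hostname, so presumably none of these suppressions apply when the job is run with a different `URL_TO_TEST` — confirm that is intended.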
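Review bot: The daemon line directly under the two new `export` lines starts ZAP with `-host 0.0.0.0`, `api.disablekey=true` and `api.addrs.addr.name=.*`, so an unauthenticated scanner control API is listening on every interface the CI container exposes. Every `zap-cli` and `curl` call in this script targets the local instance, so `-host 127.0.0.1` together with `--zap-url http://127.0.0.1` (and the matching `curl` URLs) would keep the behaviour while closing the exposure. This is pre-existing rather than introduced here, and is moot if the build agent cannot receive inbound traffic on port 1001 — worth confirming and noting in a comment either way.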
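Review bot: The new `exclude ".*jquery-3.4.1.min.js$"` pins the exclusion to one library version, so the next jQuery bump silently un-excludes the file and the noise this line was added to suppress returns; the unescaped dots only widen the match and are harmless. Prefer a version-agnostic pattern with a comment stating why the file is skipped, e.g. `# static vendored jQuery: excluded from ZAP, tracked by dependency scanning instead` followed by `zap-cli --zap-url http://0.0.0.0 -p 1001 exclude ".*jquery-[0-9.]+\.min\.js$"`. Since an excluded URL is never checked for anything, the jQuery version itself should be covered by dependency scanning rather than by ZAP.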
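Review bot: The added `curl --fail … --output report.json` line can fail (API error, wrong endpoint, ZAP already gone) without changing the script's exit status, because nothing visible in the file enables `set -e` and the status is not checked; together with the retained `--exit-code False` on the High-alert line, this job currently cannot fail on anything the scan finds or on a missing report. If an informational nightly run is the intent, say so in a comment above these two lines; otherwise check the download, e.g. `curl --fail … --output report.json || exit 1`, and decide explicitly whether High alerts should gate. Note also that `report.json` is written after `cp *.html functional-output/`, so as far as this hunk shows it is never copied to the archived output directory, and the file now ends without a trailing newline.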