SIDM-4178 Add exclusions for low-level issues (aat only). (#449)

* SIDM-4178 Add exclusions for low-level issues (aat only). * Update security.sh
hmcts · Aug 21, 2020 · ffe663a · ffe663a
1 parent 6589552
commit ffe663a
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 2 deletions.
diff --git a/audit.json b/audit.json
@@ -225,5 +225,38 @@
   "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/ruxitagentjs_ICA2SVfjqrux_10185200212095618.js_GET": "ignore",
   "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/_GET" : "ignore",
   "40025_Proxy Disclosure_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET" : "ignore",
-  "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET": "ignore"
+  "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET": "ignore",
+  "10047_HTTPS Content Available via HTTP_https://idam-web-public.aat.platform.hmcts.net/assets/javascripts/jquery-3.5.1.min.js_GET": "ignore",
+  "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/sitemap.xml?ui_locales=cy_GET": "ignore",
+  "10096_Timestamp Disclosure - Unix_https://idam-web-public.aat.platform.hmcts.net/sitemap.xml?ui_locales=en_GET": "ignore",
+  "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/assets/javascripts_GET": "ignore",
+  "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/sitemap.xml?ui_locales=cy_GET": "ignore",
+  "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/_GET": "ignore",
+  "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET": "ignore",
+  "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/assets/javascripts/jquery-3.5.1.min.js_GET": "ignore",
+  "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/sitemap.xml_GET": "ignore",
+  "90027_Cookie Slack Detector_https://idam-web-public.aat.platform.hmcts.net/assets_GET": "ignore",
+  "90011_Charset Mismatch (Header Versus Meta Content-Type Charset)_https://idam-web-public.aat.platform.hmcts.net/login_GET": "ignore",
+  "90011_Charset Mismatch (Header Versus Meta Content-Type Charset)_https://idam-web-public.aat.platform.hmcts.net/sitemap.xml?ui_locales=cy_GET": "ignore",
+  "90011_Charset Mismatch (Header Versus Meta Content-Type Charset)_https://idam-web-public.aat.platform.hmcts.net/sitemap.xml_GET": "ignore",
+  "90011_Charset Mismatch (Header Versus Meta Content-Type Charset)_https://idam-web-public.aat.platform.hmcts.net/sitemap.xml?ui_locales=en_GET": "ignore",
+  "90011_Charset Mismatch (Header Versus Meta Content-Type Charset)_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET": "ignore",
+  "10054_Cookie Without SameSite Attribute_https://idam-web-public.aat.platform.hmcts.net/sitemap.xml?ui_locales=cy_GET": "ignore",
+  "10054_Cookie Without SameSite Attribute_https://idam-web-public.aat.platform.hmcts.net/sitemap.xml?ui_locales=en_GET": "ignore",
+  "10054_Cookie Without SameSite Attribute_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET": "ignore",
+  "10054_Cookie Without SameSite Attribute_https://idam-web-public.aat.platform.hmcts.net/_GET": "ignore",
+  "10027_Information Disclosure - Suspicious Comments_https://idam-web-public.aat.platform.hmcts.net/assets/javascripts/jquery-3.5.1.min.js_GET": "ignore",
+  "10038_Content Security Policy (CSP) Header Not Set_https://idam-web-public.aat.platform.hmcts.net/sitemap.xml_GET": "ignore",
+  "10038_Content Security Policy (CSP) Header Not Set_https://idam-web-public.aat.platform.hmcts.net/login_GET": "ignore",
+  "10038_Content Security Policy (CSP) Header Not Set_https://idam-web-public.aat.platform.hmcts.net/sitemap.xml?ui_locales=en_GET": "ignore",
+  "10038_Content Security Policy (CSP) Header Not Set_https://idam-web-public.aat.platform.hmcts.net/sitemap.xml?ui_locales=cy_GET": "ignore",
+  "10038_Content Security Policy (CSP) Header Not Set_https://idam-web-public.aat.platform.hmcts.net/robots.txt_GET": "ignore",
+  "10011_Cookie Without Secure Flag_https://idam-web-public.aat.platform.hmcts.net/sitemap.xml?ui_locales=en_GET": "ignore",
+  "10011_Cookie Without Secure Flag_https://idam-web-public.aat.platform.hmcts.net/sitemap.xml?ui_locales=cy_GET": "ignore",
+  "10029_Cookie Poisoning_https://idam-web-public.aat.platform.hmcts.net/sitemap.xml?ui_locales=cy_GET": "ignore",
+  "10029_Cookie Poisoning_https://idam-web-public.aat.platform.hmcts.net/sitemap.xml?ui_locales=en_GET": "ignore",
+  "10010_Cookie No HttpOnly Flag_https://idam-web-public.aat.platform.hmcts.net/sitemap.xml?ui_locales=cy_GET": "ignore",
+  "10010_Cookie No HttpOnly Flag_https://idam-web-public.aat.platform.hmcts.net/sitemap.xml?ui_locales=en_GET": "ignore",
+  "10109_Modern Web Application_https://idam-web-public.aat.platform.hmcts.net/assets/javascripts/jquery-3.5.1.min.js_GET": "ignore",
+  "10015_Incomplete or No Cache-control and Pragma HTTP Header Set_https://idam-web-public.aat.platform.hmcts.net/login_GET": "ignore"
 }
diff --git a/security.sh b/security.sh
@@ -56,4 +56,9 @@ chown -R $(id -u):$(id -u) activescan.html
 cp *.html functional-output/
 zap-cli -p $ZAP_PORT alerts -l Informational
 zap-cli --zap-url http://$ZAP_HOST -p $ZAP_PORT alerts -l High --exit-code False
-curl --fail http://${ZAP_HOST}:${ZAP_PORT}/OTHER/core/other/jsonreport/?formMethod=GET --output report.json
+curl --fail http://${ZAP_HOST}:${ZAP_PORT}/OTHER/core/other/jsonreport/?formMethod=GET --output report.json
+
+# INFO: in order to add more exclusions for low-level issues, please do the following:
+# - Extract the JSON output of the security scan from the build (an array of objects, each beginning with "task":"OWASP Zaproxy")
+# - Transform it with jq using the following query: map({(.fingerprint):"ignore"})|add
+# - Add the entries you are interested in to audit.json