From 86b5dc4df39c882ad3a7c5cb8690a230d0c56d4c Mon Sep 17 00:00:00 2001
From: Dmytro Bykov
Date: Thu, 8 Aug 2024 15:26:28 +0200
Subject: [PATCH] added auth-zap-scan

---
 .github/workflows/zap_scan.yaml | 27 +++++++---
 zap/context/default.context | 89 +++++++++++++++++++++++++++++++++
 2 files changed, 110 insertions(+), 6 deletions(-)
 create mode 100644 zap/context/default.context

diff --git a/.github/workflows/zap_scan.yaml b/.github/workflows/zap_scan.yaml
index d5a006a9..75ccf14d 100644
--- a/.github/workflows/zap_scan.yaml
+++ b/.github/workflows/zap_scan.yaml
@@ -14,6 +14,14 @@ env:
   DATABASE_URL: postgres://postgres:postgres@localhost:5432/postgres?schema=public
 
 jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Review Dependencies
+        uses: actions/dependency-review-action@v4
+
   install:
     runs-on: ubuntu-latest
     steps:
@@ -30,18 +38,25 @@ jobs:
         uses: actions/cache@v4
         with:
           path: ${{ steps.npm-cache-dir.outputs.dir }}
-          key: "${{ runner.os }}-npm-${{ hashFiles('package-lock.json') }}"
+          key: "${{ runner.os }}-npm-${{ env.NODE_VERSION }}-${{ hashFiles('package-lock.json') }}"
           restore-keys: |
             ${{ runner.os }}-npm-
       - name: Cache node modules
         uses: actions/cache@v4
         with:
           path: ./node_modules
-          key: "${{ runner.os }}-node_modules-${{ hashFiles('package-lock.json') }}-${{ hashFiles('**/schema.prisma') }}"
+          key: "${{ runner.os }}-node_modules-${{ env.NODE_VERSION }}-${{ hashFiles('package-lock.json') }}-${{ hashFiles('**/schema.prisma') }}"
           restore-keys: |
             ${{ runner.os }}-node_modules-
+      - name: Cache e2e node modules
+        uses: actions/cache@v4
+        with:
+          path: ./e2e/node_modules
+          key: "${{ runner.os }}-node_modules_e2e-${{ env.NODE_VERSION }}-${{ hashFiles('./e2e/package-lock.json') }}"
+          restore-keys: |
+            ${{ runner.os }}-node_modules_e2e-
       - name: Install node dependencies
-        run: npm ci
+        run: npm install
       - name: Generate prisma types
         run: npm run prisma -- generate
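Review bot: The new dependency-review job depends on pull-request base/head refs (actions/dependency-review-action diffs the two), so it errors on any other trigger; the workflow's `on:` block is outside this hunk, and if it includes push or schedule the job wants `if: github.event_name == 'pull_request'` or its own pull_request-only workflow. The job also sets no `permissions:`; adding a job-level `permissions:` with `contents: read` keeps the default GITHUB_TOKEN at least privilege rather than inheriting whatever the workflow default is. Pinning both new actions to a full commit SHA instead of the mutable `@v4` tag would also be consistent with the supply-chain intent of adding a dependency-review step.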
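Review bot: Changing the install step from `run: npm ci` to `run: npm install` drops the lockfile guarantee: npm install may resolve and write versions that differ from package-lock.json, so the installed tree is no longer reproducible and can disagree with the cache entries keyed on `hashFiles('package-lock.json')` earlier in this hunk. If the switch was made because npm ci rejected an out-of-date lockfile, regenerating the lockfile and keeping `run: npm ci` is the safer fix. The rewritten cache keys also reference `env.NODE_VERSION`, which does not appear in the visible `env:` block of the previous hunk; if it is unset the keys collapse to `…-npm--…` and silently share caches across Node versions, so confirm it is defined. The new e2e cache restores ./e2e/node_modules but no matching install for e2e is in this hunk, so confirm one exists elsewhere in the job.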
@@ -71,8 +86,8 @@ jobs:
           sed -i 's/- \.\/volumes\/elasticsearch\/data:\/usr\/share\/elasticsearch\/data//g' ./docker-compose.yaml
           docker compose up -d db oidc elasticsearch
           sleep 60
-      - name: Migrate database
-        run: npm run prisma -- migrate deploy
+      # run: npm run prisma -- migrate deploy
+      #- name: Migrate database
       - name: Start frontend
         run: |
           npm run build
@@ -82,7 +97,7 @@ jobs:
         uses: zaproxy/action-full-scan@v0.10.0
         with:
           target: "http://localhost:4200"
-          cmd_options: "-a"
+          cmd_options: -a -j -U "admin" -n /zap/context/default.context
       - name: Upload ZAP Scan Results
         uses: actions/upload-artifact@v4
         with:
diff --git a/zap/context/default.context b/zap/context/default.context
new file mode 100644
index 00000000..b817e5fe
--- /dev/null
+++ b/zap/context/default.context
@@ -0,0 +1,89 @@
+ + + Standard-Kontext + + true + http://localhost:4011.* + http://localhost:4200.* + + Db.PostgreSQL + Language.ASP + Language.JSP/Servlet + Language.Java + Language.Java.Spring + Language.JavaScript + Language.XML + OS.Linux + OS.Windows + SCM.Git + WS.Apache + WS.Tomcat + Db + Db.CouchDB + Db.Firebird + Db.HypersonicSQL + Db.IBM DB2 + Db.MariaDB + Db.Microsoft Access + Db.Microsoft SQL Server + Db.MongoDB + Db.MySQL + Db.Oracle + Db.SAP MaxDB + Db.SQLite + Db.Sybase + Language + Language.C + Language.PHP + Language.Python + Language.Ruby + OS + OS.MacOS + SCM + SCM.SVN + WS + WS.IIS + + + org.zaproxy.zap.model.StandardParameterParser + {"kvps":"&","kvs":"=","struct":[]} + + + org.zaproxy.zap.model.StandardParameterParser + {"kvps":"&","kvs":"=","struct":[]} + + + 2 + EACH_RESP + + + + 60 + REQUESTS + \Qid_token\E + \QLogout\E +
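Review bot: Commenting out the Migrate database step leaves the Postgres container started just above with no schema, so the frontend built two lines later runs against an unmigrated database and ZAP will crawl error responses instead of the application's authenticated pages. If migrations now happen elsewhere (for example at container start-up), say so in a comment where the step was; otherwise restore `- name: Migrate database` / `run: npm run prisma -- migrate deploy`. The two commented lines are also in reversed order (`# run:` precedes `#- name:`), which invites a broken uncomment later; dead steps are better deleted than commented. The enclosing run block and job continue outside the hunk.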
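Review bot: `-n /zap/context/default.context` most likely points at a path that does not exist inside the scanner container: zaproxy/action-full-scan mounts the checkout at `/zap/wrk`, so the file added by this commit would be `/zap/wrk/zap/context/default.context` (confirm against the action's documentation for v0.10.0). When the context fails to load ZAP still completes the scan unauthenticated and the job stays green, so a post-scan check that the report contains URLs only reachable when logged in is worth adding. Keeping the value quoted, `cmd_options: '-a -j -U "admin" -n /zap/wrk/zap/context/default.context'`, matches the quoted `target:` above and the previous `"-a"` style.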
+ http://localhost:4011/Account/Login + Input.ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fresponse_type%3Dcode%26client_id%3Dassets%26state%3DSU5kZlpCanU1bFkydFFVSTVyMVdEVFBpdFh2WEs1SERaLnJ4YWJOcUNRTkRG%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A4200%26scope%3Dopenid%2520profile%2520email%2520cognito%26code_challenge%3DzQOsMsXRWejLxaINRJtgwpnJfg6blQjzO2p0Av_ghDY%26code_challenge_method%3DS256%26nonce%3DSU5kZlpCanU1bFkydFFVSTVyMVdEVFBpdFh2WEs1SERaLnJ4YWJOcUNRTkRG&Input.Username={%username%}&Input.Password={%password%}&Input.Button=login&__RequestVerificationToken=CfDJ8J9zj19_xjZOumsf_DtW9A0qnKNQFTcBhLJ35LoRFoxjUmXvMVvsN82mEDDWhVM_qlMHI9HhagwnbEeLp-eac5vWEvRIRkxzZS7aFWThs1zxMCkxe5QByRRCI89MbiC-njZelIq17MrtiyhP2xqz3mI&Input.RememberLogin=false + http://localhost:4011/Account/Login +
+
+ + 267;true;YWRtaW4=;2;YWRtaW4=~YWRtaW4=~ + + 267 + + 0 + + + 0 + +
+ + AND + -1 + + + +
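Review bot: The form-based login request in this context (the `Input.ReturnUrl=…&__RequestVerificationToken=…` line) replays a `__RequestVerificationToken` captured from one browser session; on what is presumably an ASP.NET Core login page such anti-forgery tokens are bound to the session that rendered the form, so the oidc service will reject this POST on every run and ZAP will scan unauthenticated while the workflow still passes. ZAP's form-based authentication can refresh the token per login when `__RequestVerificationToken` is registered as an anti-CSRF token (it is in ZAP's default list, as far as I recall) and the login page URL is the form target, and the captured `state`, `nonce` and `code_challenge` values inside ReturnUrl should likewise give way to a plain authorize request rather than a one-off copy. The logged-in indicator `\Qid_token\E` is also doubtful for a `response_type=code` flow, where the id_token only appears in the token-endpoint response and not in crawled pages; a marker from an authenticated HTML response, the counterpart of the `\QLogout\E` logged-out indicator, is more reliable. Finally, the user record `267;true;YWRtaW4=;2;YWRtaW4=~YWRtaW4=~` commits base64-encoded test credentials; for a throwaway CI identity that is acceptable, but a comment in the workflow should state they are CI-only, and the context name `Standard-Kontext` could be English for consistency with the rest of the repository.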