diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 000000000..d4db391b7 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,20 @@ +FROM golang:1.24-alpine AS builder +WORKDIR /build +COPY app/go.mod ./ +RUN go mod download +COPY app/ . +RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \ + go build -ldflags="-s -w" -trimpath \ + -o /build/quicknotes . + +# Создаём папку /data и даём права в builder +RUN mkdir -p /data && chown 65532:65532 /data + +FROM gcr.io/distroless/static:nonroot +WORKDIR /app +COPY --from=builder /build/quicknotes . +COPY --from=builder /data /data +COPY app/seed.json . +EXPOSE 8080 +USER 65532:65532 +ENTRYPOINT ["/app/quicknotes"] \ No newline at end of file diff --git a/app/handlers_test.go b/app/handlers_test.go index 9dff2e3e5..a06218de1 100644 --- a/app/handlers_test.go +++ b/app/handlers_test.go @@ -31,7 +31,8 @@ func do(t *testing.T, srv *Server, method, target string, body any) *httptest.Re } req := httptest.NewRequest(method, target, &buf) rec := httptest.NewRecorder() - srv.Routes().ServeHTTP(rec, req) + handler := securityHeaders(srv.Routes()) + handler.ServeHTTP(rec, req) return rec } @@ -131,3 +132,20 @@ func TestMetrics_ExposesPrometheusFormat(t *testing.T) { } } +func TestSecurityHeaders(t *testing.T) { + srv := newTestServer(t) + rec := do(t, srv, http.MethodGet, "/health", nil) + + if rec.Header().Get("X-Content-Type-Options") != "nosniff" { + t.Errorf("X-Content-Type-Options header missing or wrong: %q", rec.Header().Get("X-Content-Type-Options")) + } + if rec.Header().Get("X-Frame-Options") != "DENY" { + t.Errorf("X-Frame-Options header missing or wrong: %q", rec.Header().Get("X-Frame-Options")) + } + if rec.Header().Get("Content-Security-Policy") != "default-src 'none'" { + t.Errorf("Content-Security-Policy header missing or wrong: %q", rec.Header().Get("Content-Security-Policy")) + } + if rec.Header().Get("Referrer-Policy") != "no-referrer" { + t.Errorf("Referrer-Policy header missing or wrong: %q", rec.Header().Get("Referrer-Policy")) + } +} \ No newline at end of file diff --git a/app/main.go b/app/main.go index e258ffcfe..215fc06a7 100644 --- a/app/main.go +++ b/app/main.go @@ -26,9 +26,11 @@ func main() { } server := NewServer(store) + handler := securityHeaders(server.Routes()) + srv := &http.Server{ Addr: addr, - Handler: server.Routes(), + Handler: handler, ReadHeaderTimeout: 5 * time.Second, } diff --git a/app/middleware.go b/app/middleware.go new file mode 100644 index 000000000..4f14246f9 --- /dev/null +++ b/app/middleware.go @@ -0,0 +1,13 @@ +package main + +import "net/http" + +func securityHeaders(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("X-Content-Type-Options", "nosniff") + w.Header().Set("X-Frame-Options", "DENY") + w.Header().Set("Content-Security-Policy", "default-src 'none'") + w.Header().Set("Referrer-Policy", "no-referrer") + next.ServeHTTP(w, r) + }) +} \ No newline at end of file diff --git a/app/zap.yaml b/app/zap.yaml new file mode 100644 index 000000000..22120617b --- /dev/null +++ b/app/zap.yaml @@ -0,0 +1,26 @@ +env: + contexts: + - excludePaths: [] + name: baseline + urls: + - http://host.docker.internal:8080 + parameters: + failOnError: true + progressToStdout: false +jobs: +- parameters: + enableTags: false + maxAlertsPerRule: 10 + type: passiveScan-config +- parameters: + maxDuration: 1 + url: http://host.docker.internal:8080 + type: spider +- parameters: + maxDuration: 0 + type: passiveScan-wait +- parameters: + format: Long + summaryFile: /home/zap/zap_out.json + rules: [] + type: outputSummary diff --git a/compose.yaml b/compose.yaml new file mode 100644 index 000000000..a59a76b3a --- /dev/null +++ b/compose.yaml @@ -0,0 +1,35 @@ +services: + quicknotes: + image: quicknotes:lab6 + container_name: quicknotes-lab6 + restart: unless-stopped + user: "0:0" + ports: + - "8080:8080" + volumes: + - quicknotes-data:/data + environment: + - ADDR=:8080 + - DATA_PATH=/data/notes.json + - SEED_PATH=/app/seed.json + healthcheck: + test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/health"] + interval: 10s + timeout: 5s + retries: 3 + start_period: 5s + + # Drop all capabilities + cap_drop: + - ALL + # добавлять ничего не надо, так как приложению не нужны capabilities + + # Read-only root filesystem + read_only: true + + # no-new-privileges + security_opt: + - no-new-privileges:true + +volumes: + quicknotes-data: \ No newline at end of file diff --git a/submissions/image-1.png b/submissions/image-1.png new file mode 100644 index 000000000..677864f06 Binary files /dev/null and b/submissions/image-1.png differ diff --git a/submissions/image-2.png b/submissions/image-2.png new file mode 100644 index 000000000..ae52c6061 Binary files /dev/null and b/submissions/image-2.png differ diff --git a/submissions/image-3.png b/submissions/image-3.png new file mode 100644 index 000000000..e5e2506da Binary files /dev/null and b/submissions/image-3.png differ diff --git a/submissions/image-4.png b/submissions/image-4.png new file mode 100644 index 000000000..2fc80cee0 Binary files /dev/null and b/submissions/image-4.png differ diff --git a/submissions/image-5.png b/submissions/image-5.png new file mode 100644 index 000000000..7713ffa8c Binary files /dev/null and b/submissions/image-5.png differ diff --git a/submissions/image-6.png b/submissions/image-6.png new file mode 100644 index 000000000..0f7e50d3c Binary files /dev/null and b/submissions/image-6.png differ diff --git a/submissions/image-7.png b/submissions/image-7.png new file mode 100644 index 000000000..b1dc5942f Binary files /dev/null and b/submissions/image-7.png differ diff --git a/submissions/image.png b/submissions/image.png new file mode 100644 index 000000000..c91bb2660 Binary files /dev/null and b/submissions/image.png differ diff --git a/submissions/lab9.md b/submissions/lab9.md new file mode 100644 index 000000000..f69fd627b --- /dev/null +++ b/submissions/lab9.md @@ -0,0 +1,157 @@ +# Lab 9 + +Frolova AI - M25RO-01, + +a.frolova@innopolis.university + +Ссылка на PR: https://github.com/inno-devops-labs/DevOps-Intro/pull/1407 + +## 1.1 Необходимые сканы + +1. Сканиерование образа + +```bash +docker run --rm -v //var/run/docker.sock:/var/run/docker.sock aquasec/trivy:0.59.1 image --severity HIGH,CRITICAL --no-progress quicknotes:lab6 > submissions/trivy-image.txt +``` + +Скачалась база уязвимостей, определилась ОС, нашелся Go-бинарник, завершилось сканирование, и вывод ушел в файл `submissions/trivy-image.txt`. + + + +Файл `submissions/trivy-image.txt`: + + + +2. Сканирование файловой системы репозитория + +```bash +docker run --rm -v //var/run/docker.sock:/var/run/docker.sock -v "$PWD:/src" aquasec/trivy:0.59.1 fs --severity HIGH,CRITICAL --no-progress /src > submissions/trivy-fs.txt +``` + +Здесь слетела кодировка, но речь идет о том, что найдена 1 уязвимость HIGH, AsymmetricPrivateKey - это приватный ssh ключ, который попал в репозиторий, и указано, по какому пути находится файл. + +Файл `trivy-fs`: + + + +Эту проблему можно решить, добвив .vagrant в gitignore и удалив файл из репозитория. + +3. Сканирование конфигурации + +```bash +docker run --rm -v //var/run/docker.sock:/var/run/docker.sock -v "${PWD}:/src" aquasec/trivy:0.59.1 config --severity HIGH,CRITICAL /src 2>&1 | Out-File -Encoding UTF8 submissions/trivy-config.txt +``` + +Файл `trivy-config`: + + + +Была найдена одна уязвимость Dockerfile - отсутвует user инструкция, контейнер запускается от root. Нужно изменить Dockerfile и добавить `USER 65532:65532`. + +4. Генерация SBOM + +```bash +docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:0.59.1 image --format cyclonedx quicknotes:lab6 > submissions/sbom.json +``` + +Фрагмент файла `sbom`: + + + +Здесь содержится информация об ОС (Debian 13.5), базовых пактах, go приложении и зависимостях. + + +## Ответы на вопросы + +a) CVE severity is one input, not the answer. What else matters when triaging? + +Кроме CVSS-оценки важны: + +- **Reachability** - вызывается ли уязвимая функция в нашем коде? Если нет, то риск значительно ниже. +- **Exploit availability** - есть ли публичный PoC/эксплойт? Если есть, приоритет выше. +- **Deployment context** - изолирован ли сервис (например, в закрытой сети) или доступен из интернета? +- **Business impact** - что именно ломается: критичный API или вспомогательный эндпоинт? + +Только совокупность этих факторов позволяет принять взвешенное решение: фиксить, принять риск или отложить. + +--- + +b) Why is the minimal base the strongest single security control? + +Минимальный базовый образ (distroless, scratch) содержит только статически собранный бинарник и минимальные файлы. Это резко уменьшает поверхность атаки: +- Нет shell, пакетного менеджера, компилятора, утилит +- Практически нет CVE в самом образе +- Нечем злоупотреблять при компрометации контейнера + +Это единственный контроль, который одномоментно устраняет сотни потенциальных уязвимостей. + +--- + +c) `.trivyignore` — when is it the right move, and when is it security theater? + +**Правильно:** когда уязвимость точно не эксплуатируется в данном контексте (например, CVE в библиотеке, которая не используется в коде), и к этому приложена дата пересмотра. + +**Театр:** когда игнорируют находки без анализа, «чтобы отчёт был зелёным». Если нет даты пересмотра или причины — это просто заметание проблем под ковёр. + +--- + +d) The SBOM is a list of components. What concrete future problem does having it today solve? + +SBOM позволяет **мгновенно ответить на вопрос**: «Затронут ли нас новый CVE?» + +Например, когда вышла Log4Shell (2021), компании с SBOM смогли за минуты проверить, используется ли Log4j в их проектах. Без SBOM — приходилось вручную проверять каждый репозиторий, что занимало дни и недели. + +## Task2 + +### 2.1 ZAP baseline + +```bash +docker run --rm -v "$(pwd -W):/zap/wrk" ghcr.io/zaproxy/zaproxy:2.16.0 zap-baseline.py -t http://host.docker.internal:8080 2>&1 | tee submissions/zap-report.txt + +``` + +Фрагмент файла `zap-report`: + + + +Zap нашел 3 url для сканирования, провел 65 пассивных проверок, которые успешно прошли. Найдено 2 предупреждения (2 url не существует). + +ZAP предупреждает, что версия устарела. Критических уязвимостей не найдено. + +### 2.2 ZAP findings triage + +| ID | Name | Risk | URL | Disposition | Reason | +|----|------|------|-----|-------------|--------| +| 10049 | Storable and Cacheable Content | Medium | `/` | FIX | Добавить Cache-Control заголовки | +| 10049 | Storable and Cacheable Content | Medium | `/sitemap.xml` | ACCEPT | QuickNotes — API, sitemap.xml не существует | +| 10116 | ZAP is Out of Date | Informational | — | ACCEPT | Используется фиксированная версия ZAP 2.16.0 | + +### 2.3 + +- Добавлен middleware `securityHeaders` в `app/middleware.go`, который устанавливает заголовки безопасности (`X-Content-Type-Options`, `X-Frame-Options`, `CSP`, `Referrer-Policy`). +- Middleware подключён ко всем маршрутам в `main.go`. +- Добавлен тест `TestSecurityHeaders`, проверяющий наличие заголовков. +- Тест проходит успешно (`PASS`), заголовки применяются корректно. + + + +### 2.4 Повторное сканирование + +Результат: + + + +### Ответы на вопросы + +e) Why a middleware and not per-handler header sets? + +Middleware применяется ко всем маршрутам сразу, не дублирует код, легче поддерживать и изменять. Это соответствует принципу DRY (Don't Repeat Yourself). +--- +f) `Content-Security-Policy: default-src 'none'` is the strictest CSP. What does it break? Why is it OK for QuickNotes (an API) but not for a website? + +CSP `default-src 'none'` запрещает любые внешние ресурсы (скрипты, стили, изображения, шрифты). Для API это безопасно, потому что API не загружает внешние ресурсы. Для веб-сайта это сломает рендеринг страниц, так как браузер не сможет загрузить CSS, JS, шрифты и т.д. +--- + +g) False positives vs accepted findings: ZAP often flags informational issues that aren't real problems. What's the cost of marking them all "accepted" without reading them? + +Если принимать все находки без проверки, можно пропустить реальную уязвимость, замаскированную под ложную. Это создаёт иллюзию безопасности («мы всё проверили»), но на деле оставляет дыры. Каждое принятие должно быть осознанным и задокументированным. diff --git a/submissions/sbom.json b/submissions/sbom.json new file mode 100644 index 000000000..34f019d87 Binary files /dev/null and b/submissions/sbom.json differ diff --git a/submissions/trivy-config.txt b/submissions/trivy-config.txt new file mode 100644 index 000000000..32a746ccf --- /dev/null +++ b/submissions/trivy-config.txt @@ -0,0 +1,53 @@ +docker : 2026-07-08T17:39:46Z INFO [misconfig] Misconfiguration scanning is enabled +строка:1 знак:1 ++ docker run --rm -v //var/run/docker.sock:/var/run/docker.sock -v "${P ... ++ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + CategoryInfo : NotSpecified: (2026-07-08T17:3...ning is enabled:String) [], RemoteException + + FullyQualifiedErrorId : NativeCommandError + +2026-07-08T17:39:46Z INFO [misconfig] Need to update the built-in checks +2026-07-08T17:39:46Z INFO [misconfig] Downloading the built-in checks... +165.46 KiB / 165.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2026-07-08T17:39:49 +Z ERROR [rego] Error occurred while parsing. Trying to fallback to embedded check file_path="root/.cache/trivy/policy/c +ontent/policies/cloud/policies/aws/ec2/specify_ami_owners.rego" err="root/.cache/trivy/policy/content/policies/cloud/po +licies/aws/ec2/specify_ami_owners.rego:30: rego_type_error: undefined ref: input.aws.ec2.requestedamis[__local622__]\n\ +tinput.aws.ec2.requestedamis[__local622__]\n\t ^\n\t have: \"requestedamis\"\n\t + want (one of): [\"instances\" \"launchconfigurations\" \"launchtemplates\" \"networkacls\" \"securitygroups\" \"subnet +s\" \"volumes\" \"vpcs\"]" +2026-07-08T17:39:49Z ERROR [rego] Failed to find embedded check, skipping file_path="root/.cache/trivy/policy/content/p +olicies/cloud/policies/aws/ec2/specify_ami_owners.rego" +2026-07-08T17:39:49Z ERROR [rego] Error occurred while parsing file_path="root/.cache/trivy/policy/content/policies/clo +ud/policies/aws/ec2/specify_ami_owners.rego" err="root/.cache/trivy/policy/content/policies/cloud/policies/aws/ec2/spec +ify_ami_owners.rego:30: rego_type_error: undefined ref: input.aws.ec2.requestedamis[__local622__]\n\tinput.aws.ec2.requ +estedamis[__local622__]\n\t ^\n\t have: \"requestedamis\"\n\t want (one of): [\" +instances\" \"launchconfigurations\" \"launchtemplates\" \"networkacls\" \"securitygroups\" \"subnets\" \"volumes\" \"v +pcs\"]" +2026-07-08T17:39:50Z ERROR [rego] Error occurred while parsing. Trying to fallback to embedded check file_path="root/.c +ache/trivy/policy/content/policies/cloud/policies/aws/ec2/specify_ami_owners.rego" err="root/.cache/trivy/policy/conten +t/policies/cloud/policies/aws/ec2/specify_ami_owners.rego:30: rego_type_error: undefined ref: input.aws.ec2.requestedam +is[__local622__]\n\tinput.aws.ec2.requestedamis[__local622__]\n\t ^\n\t have: \"requestedamis +\"\n\t want (one of): [\"instances\" \"launchconfigurations\" \"launchtemplates\" \"networkacls\" \"securi +tygroups\" \"subnets\" \"volumes\" \"vpcs\"]" +2026-07-08T17:39:50Z ERROR [rego] Failed to find embedded check, skipping file_path="root/.cache/trivy/policy/content/p +olicies/cloud/policies/aws/ec2/specify_ami_owners.rego" +2026-07-08T17:39:50Z ERROR [rego] Error occurred while parsing file_path="root/.cache/trivy/policy/content/policies/clo +ud/policies/aws/ec2/specify_ami_owners.rego" err="root/.cache/trivy/policy/content/policies/cloud/policies/aws/ec2/spec +ify_ami_owners.rego:30: rego_type_error: undefined ref: input.aws.ec2.requestedamis[__local622__]\n\tinput.aws.ec2.requ +estedamis[__local622__]\n\t ^\n\t have: \"requestedamis\"\n\t want (one of): [\" +instances\" \"launchconfigurations\" \"launchtemplates\" \"networkacls\" \"securitygroups\" \"subnets\" \"volumes\" \"v +pcs\"]" +2026-07-08T17:39:50Z INFO Detected config files num=1 + +Dockerfile (dockerfile) +======================= +Tests: 21 (SUCCESSES: 20, FAILURES: 1) +Failures: 1 (HIGH: 1, CRITICAL: 0) + +AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument +тХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХРтХР +Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. + +See https://avd.aquasec.com/misconfig/ds002 +тФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФАтФА + + diff --git a/submissions/trivy-fs.txt b/submissions/trivy-fs.txt new file mode 100644 index 000000000..0d32d33bc --- /dev/null +++ b/submissions/trivy-fs.txt @@ -0,0 +1,9 @@ +2026-07-08T17:38:19Z INFO [vulndb] Need to update DB +2026-07-08T17:38:19Z INFO [vulndb] Downloading vulnerability DB... +2026-07-08T17:38:19Z INFO [vulndb] Downloading artifact... repo="mirror.gcr.io/aquasec/trivy-db:2" +2026-07-08T17:38:28Z INFO [vulndb] Artifact successfully downloaded repo="mirror.gcr.io/aquasec/trivy-db:2" +2026-07-08T17:38:28Z INFO [vuln] Vulnerability scanning is enabled +2026-07-08T17:38:28Z INFO [secret] Secret scanning is enabled +2026-07-08T17:38:28Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning +2026-07-08T17:38:28Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.59/docs/scanner/secret#recommendation for faster secret detection +2026-07-08T17:38:28Z FATAL Fatal error fs scan error: scan error: scan failed: failed analysis: walk filesystem: walk dir error: unknown error with C:/Program Files/Git/src: lstat C:/Program Files/Git/src: no such file or directory diff --git a/submissions/trivy-image.txt b/submissions/trivy-image.txt new file mode 100644 index 000000000..1b50cf352 --- /dev/null +++ b/submissions/trivy-image.txt @@ -0,0 +1,56 @@ + +quicknotes:lab6 (debian 13.5) +============================= +Total: 0 (HIGH: 0, CRITICAL: 0) + + +app/quicknotes (gobinary) +========================= +Total: 11 (HIGH: 11, CRITICAL: 0) + +┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐ +│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ +├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤ +│ stdlib │ CVE-2026-25679 │ HIGH │ fixed │ v1.24.13 │ 1.25.8, 1.26.1 │ net/url: Incorrect parsing of IPv6 host literals in net/url │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-25679 │ +│ ├────────────────┤ │ │ ├─────────────────┼──────────────────────────────────────────────────────────────┤ +│ │ CVE-2026-27145 │ │ │ │ 1.25.11, 1.26.4 │ crypto/x509: golang: golang crypto/x509: Denial of Service │ +│ │ │ │ │ │ │ via excessive processing of DNS... │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-27145 │ +│ ├────────────────┤ │ │ ├─────────────────┼──────────────────────────────────────────────────────────────┤ +│ │ CVE-2026-32280 │ │ │ │ 1.25.9, 1.26.2 │ crypto/x509: crypto/tls: golang: Go: Denial of Service │ +│ │ │ │ │ │ │ vulnerability in certificate chain building... │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-32280 │ +│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ +│ │ CVE-2026-32281 │ │ │ │ │ crypto/x509: golang: Go crypto/x509: Denial of Service via │ +│ │ │ │ │ │ │ inefficient certificate chain validation... │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-32281 │ +│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ +│ │ CVE-2026-32283 │ │ │ │ │ crypto/tls: golang: Go crypto/tls: Denial of Service via │ +│ │ │ │ │ │ │ multiple TLS 1.3 key... │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-32283 │ +│ ├────────────────┤ │ │ ├─────────────────┼──────────────────────────────────────────────────────────────┤ +│ │ CVE-2026-33811 │ │ │ │ 1.25.10, 1.26.3 │ net: golang: Go net package: Denial of Service via long │ +│ │ │ │ │ │ │ CNAME response... │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-33811 │ +│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ +│ │ CVE-2026-33814 │ │ │ │ │ net/http/internal/http2: golang: golang.org/x/net: Go │ +│ │ │ │ │ │ │ HTTP/2: Denial of Service via malformed │ +│ │ │ │ │ │ │ SETTINGS_MAX_FRAME_SIZE frame... │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-33814 │ +│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ +│ │ CVE-2026-39820 │ │ │ │ │ net/mail: golang: Go net/mail: Denial of Service via crafted │ +│ │ │ │ │ │ │ email inputs │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-39820 │ +│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ +│ │ CVE-2026-39836 │ │ │ │ │ ELSA-2026-22121: golang security update (IMPORTANT) │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-39836 │ +│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ +│ │ CVE-2026-42499 │ │ │ │ │ net/mail: golang: net/mail: Denial of Service via │ +│ │ │ │ │ │ │ pathological email address parsing │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-42499 │ +│ ├────────────────┤ │ │ ├─────────────────┼──────────────────────────────────────────────────────────────┤ +│ │ CVE-2026-42504 │ │ │ │ 1.25.11, 1.26.4 │ mime: golang: Golang MIME: Denial of Service via │ +│ │ │ │ │ │ │ maliciously-crafted MIME header │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-42504 │ +└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘ diff --git a/submissions/zap-report-after.txt b/submissions/zap-report-after.txt new file mode 100644 index 000000000..881e5ddbf --- /dev/null +++ b/submissions/zap-report-after.txt @@ -0,0 +1,76 @@ +Using the Automation Framework +Total of 3 URLs +PASS: Vulnerable JS Library (Powered by Retire.js) [10003] +PASS: In Page Banner Information Leak [10009] +PASS: Cookie No HttpOnly Flag [10010] +PASS: Cookie Without Secure Flag [10011] +PASS: Re-examine Cache-control Directives [10015] +PASS: Cross-Domain JavaScript Source File Inclusion [10017] +PASS: Content-Type Header Missing [10019] +PASS: Anti-clickjacking Header [10020] +PASS: X-Content-Type-Options Header Missing [10021] +PASS: Information Disclosure - Debug Error Messages [10023] +PASS: Information Disclosure - Sensitive Information in URL [10024] +PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025] +PASS: HTTP Parameter Override [10026] +PASS: Information Disclosure - Suspicious Comments [10027] +PASS: Off-site Redirect [10028] +PASS: Cookie Poisoning [10029] +PASS: User Controllable Charset [10030] +PASS: User Controllable HTML Element Attribute (Potential XSS) [10031] +PASS: Viewstate [10032] +PASS: Directory Browsing [10033] +PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034] +PASS: Strict-Transport-Security Header [10035] +PASS: HTTP Server Response Header [10036] +PASS: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037] +PASS: Content Security Policy (CSP) Header Not Set [10038] +PASS: X-Backend-Server Header Information Leak [10039] +PASS: Secure Pages Include Mixed Content [10040] +PASS: HTTP to HTTPS Insecure Transition in Form Post [10041] +PASS: HTTPS to HTTP Insecure Transition in Form Post [10042] +PASS: User Controllable JavaScript Event (XSS) [10043] +PASS: Big Redirect Detected (Potential Sensitive Information Leak) [10044] +PASS: Retrieved from Cache [10050] +PASS: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052] +PASS: Cookie without SameSite Attribute [10054] +PASS: CSP [10055] +PASS: X-Debug-Token Information Leak [10056] +PASS: Username Hash Found [10057] +PASS: X-AspNet-Version Response Header [10061] +PASS: PII Disclosure [10062] +PASS: Permissions Policy Header Not Set [10063] +PASS: Timestamp Disclosure [10096] +PASS: Hash Disclosure [10097] +PASS: Cross-Domain Misconfiguration [10098] +PASS: Source Code Disclosure [10099] +PASS: Weak Authentication Method [10105] +PASS: Reverse Tabnabbing [10108] +PASS: Modern Web Application [10109] +PASS: Dangerous JS Functions [10110] +PASS: Authentication Request Identified [10111] +PASS: Session Management Response Identified [10112] +PASS: Verification Request Identified [10113] +PASS: Script Served From Malicious Domain (polyfill) [10115] +PASS: Absence of Anti-CSRF Tokens [10202] +PASS: Private IP Disclosure [2] +PASS: Session ID in URL Rewrite [3] +PASS: Script Passive Scan Rules [50001] +PASS: Stats Passive Scan Rule [50003] +PASS: Insecure JSF ViewState [90001] +PASS: Java Serialization Object [90002] +PASS: Sub Resource Integrity Attribute Missing [90003] +PASS: Insufficient Site Isolation Against Spectre Vulnerability [90004] +PASS: Charset Mismatch [90011] +PASS: Application Error Disclosure [90022] +PASS: WSDL File Detection [90030] +PASS: Loosely Scoped Cookie [90033] +WARN-NEW: Storable and Cacheable Content [10049] x 3 + http://host.docker.internal:8080 (404 Not Found) + http://host.docker.internal:8080/robots.txt (404 Not Found) + http://host.docker.internal:8080/sitemap.xml (404 Not Found) +WARN-NEW: ZAP is Out of Date [10116] x 1 + http://host.docker.internal:8080 (404 Not Found) +FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 2 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 65 +Automation plan warnings: + Job spider error accessing URL http://host.docker.internal:8080 status code returned : 404 expected 200 diff --git a/submissions/zap-report.txt b/submissions/zap-report.txt new file mode 100644 index 000000000..f001ee0be --- /dev/null +++ b/submissions/zap-report.txt @@ -0,0 +1,75 @@ +Using the Automation Framework +Total of 3 URLs +PASS: Vulnerable JS Library (Powered by Retire.js) [10003] +PASS: In Page Banner Information Leak [10009] +PASS: Cookie No HttpOnly Flag [10010] +PASS: Cookie Without Secure Flag [10011] +PASS: Re-examine Cache-control Directives [10015] +PASS: Cross-Domain JavaScript Source File Inclusion [10017] +PASS: Content-Type Header Missing [10019] +PASS: Anti-clickjacking Header [10020] +PASS: X-Content-Type-Options Header Missing [10021] +PASS: Information Disclosure - Debug Error Messages [10023] +PASS: Information Disclosure - Sensitive Information in URL [10024] +PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025] +PASS: HTTP Parameter Override [10026] +PASS: Information Disclosure - Suspicious Comments [10027] +PASS: Off-site Redirect [10028] +PASS: Cookie Poisoning [10029] +PASS: User Controllable Charset [10030] +PASS: User Controllable HTML Element Attribute (Potential XSS) [10031] +PASS: Viewstate [10032] +PASS: Directory Browsing [10033] +PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034] +PASS: Strict-Transport-Security Header [10035] +PASS: HTTP Server Response Header [10036] +PASS: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037] +PASS: Content Security Policy (CSP) Header Not Set [10038] +PASS: X-Backend-Server Header Information Leak [10039] +PASS: Secure Pages Include Mixed Content [10040] +PASS: HTTP to HTTPS Insecure Transition in Form Post [10041] +PASS: HTTPS to HTTP Insecure Transition in Form Post [10042] +PASS: User Controllable JavaScript Event (XSS) [10043] +PASS: Big Redirect Detected (Potential Sensitive Information Leak) [10044] +PASS: Retrieved from Cache [10050] +PASS: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052] +PASS: Cookie without SameSite Attribute [10054] +PASS: CSP [10055] +PASS: X-Debug-Token Information Leak [10056] +PASS: Username Hash Found [10057] +PASS: X-AspNet-Version Response Header [10061] +PASS: PII Disclosure [10062] +PASS: Permissions Policy Header Not Set [10063] +PASS: Timestamp Disclosure [10096] +PASS: Hash Disclosure [10097] +PASS: Cross-Domain Misconfiguration [10098] +PASS: Source Code Disclosure [10099] +PASS: Weak Authentication Method [10105] +PASS: Reverse Tabnabbing [10108] +PASS: Modern Web Application [10109] +PASS: Dangerous JS Functions [10110] +PASS: Authentication Request Identified [10111] +PASS: Session Management Response Identified [10112] +PASS: Verification Request Identified [10113] +PASS: Script Served From Malicious Domain (polyfill) [10115] +PASS: Absence of Anti-CSRF Tokens [10202] +PASS: Private IP Disclosure [2] +PASS: Session ID in URL Rewrite [3] +PASS: Script Passive Scan Rules [50001] +PASS: Stats Passive Scan Rule [50003] +PASS: Insecure JSF ViewState [90001] +PASS: Java Serialization Object [90002] +PASS: Sub Resource Integrity Attribute Missing [90003] +PASS: Insufficient Site Isolation Against Spectre Vulnerability [90004] +PASS: Charset Mismatch [90011] +PASS: Application Error Disclosure [90022] +PASS: WSDL File Detection [90030] +PASS: Loosely Scoped Cookie [90033] +WARN-NEW: Storable and Cacheable Content [10049] x 2 + http://host.docker.internal:8080 (404 Not Found) + http://host.docker.internal:8080/sitemap.xml (404 Not Found) +WARN-NEW: ZAP is Out of Date [10116] x 1 + http://host.docker.internal:8080 (404 Not Found) +FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 2 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 65 +Automation plan warnings: + Job spider error accessing URL http://host.docker.internal:8080 status code returned : 404 expected 200 diff --git a/zap-report-fixed.html b/zap-report-fixed.html new file mode 100644 index 000000000..4f08ad380 --- /dev/null +++ b/zap-report-fixed.html @@ -0,0 +1,322 @@ + + +
+ +| Risk Level | +Number of Alerts | +
|---|---|
|
+ High
+ |
+
+ 0
+ |
+
|
+ Medium
+ |
+
+ 0
+ |
+
|
+ Low
+ |
+
+ 0
+ |
+
|
+ Informational
+ |
+
+ 0
+ |
+
|
+ False Positives:
+ |
+
+ 0
+ |
+
For each step: result (Pass/Fail) - risk (of highest alert(s) for the step, if any).
+ + + + + + +| Name | +Risk Level | +Number of Instances | +
|---|