Initial commit (#80)

Author: json-hamilton

docker-compose.zap.yaml

@@ -0,0 +1,21 @@
+version: '3.8'
+
+services:
+  ffc-ahwr-backoffice:
+    command: npm run start:watch
+    build:
+      target: development
+    image: ffc-ahwr-backoffice-development
+    environment:
+      NODE_ENV: test
+    volumes:
+      - ./test-output/:/home/node/test-output/
+
+  zap-baseline-scan:
+    image: owasp/zap2docker-stable:2.11.1
+    command: zap-baseline.py -t http://ffc-ahwr-backoffice:${PORT:-3000} -c config/zap.conf -r test-output/zap-report.html -a -d -I
+    depends_on:
+      - ffc-ahwr-backoffice
+    volumes:
+      - ./test-output/:/zap/wrk/test-output/
+      - ./zap/:/zap/wrk/config/

package.json

@@ -1,6 +1,6 @@
 {
   "name": "ffc-ahwr-backoffice",
-  "version": "1.17.4",
+  "version": "1.18.0",
   "description": "Back office of the health and welfare of your livestock",
   "homepage": "https://github.com/DEFRA/ffc-ahwr-backoffice",
   "main": "app/index.js",

zap/zap.conf

@@ -0,0 +1,63 @@
+# zap-baseline rule configuration file
+# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
+# Only the rule identifiers are used - the names are just for info
+# You can add your own messages to each rule by appending them after a tab on each line.
+10009	WARN	(In Page Banner Information Leak)
+10010	WARN	(Cookie No HttpOnly Flag)
+10011	WARN	(Cookie Without Secure Flag)
+10015	WARN	(Incomplete or No Cache-control and Pragma HTTP Header Set)
+10017	WARN	(Cross-Domain JavaScript Source File Inclusion)
+10019	WARN	(Content-Type Header Missing)
+10020	WARN	(X-Frame-Options Header Scanner)
+10021	WARN	(X-Content-Type-Options Header Missing)
+10023	WARN	(Information Disclosure - Debug Error Messages)
+10024	WARN	(Information Disclosure - Sensitive Information in URL)
+10025	WARN	(Information Disclosure - Sensitive Information in HTTP Referrer Header)
+10026	WARN	(HTTP Parameter Override)
+10027	WARN	(Information Disclosure - Suspicious Comments)
+10028	WARN	(Open Redirect)
+10029	WARN	(Cookie Poisoning)
+10030	WARN	(User Controllable Charset)
+10031	WARN	(User Controllable HTML Element Attribute (Potential XSS))
+10032	WARN	(Viewstate Scanner)
+10033	WARN	(Directory Browsing)
+10034	WARN	(Heartbleed OpenSSL Vulnerability (Indicative))
+10035	WARN	(Strict-Transport-Security Header Scanner)
+10036	WARN	(HTTP Server Response Header Scanner)
+10037	WARN	(Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s))
+10038	WARN	(Content Security Policy (CSP) Header Not Set)
+10039	WARN	(X-Backend-Server Header Information Leak)
+10040	WARN	(Secure Pages Include Mixed Content)
+10041	WARN	(HTTP to HTTPS Insecure Transition in Form Post)
+10042	WARN	(HTTPS to HTTP Insecure Transition in Form Post)
+10043	WARN	(User Controllable JavaScript Event (XSS))
+10044	WARN	(Big Redirect Detected (Potential Sensitive Information Leak))
+10049	WARN	(Content Cacheability)
+10050	WARN	(Retrieved from Cache)
+10052	WARN	(X-ChromeLogger-Data (XCOLD) Header Information Leak)
+10054	WARN	(Cookie Without SameSite Attribute)
+10055	WARN	(CSP Scanner)
+10056	WARN	(X-Debug-Token Information Leak)
+10057	WARN	(Username Hash Found)
+10061	WARN	(X-AspNet-Version Response Header Scanner)
+10062	WARN	(PII Disclosure)
+10063	WARN	(Feature Policy Header Not Set)
+10094	WARN	(Base64 Disclosure)
+10096	WARN	(Timestamp Disclosure)
+10097	WARN	(Hash Disclosure)
+10098	WARN	(Cross-Domain Misconfiguration)
+10099	WARN	(Source Code Disclosure)
+10105	WARN	(Weak Authentication Method)
+10108	WARN	(Reverse Tabnabbing)
+10109	WARN	(Modern Web Application)
+10110	WARN	(Dangerous JS Functions)
+10202	WARN	(Absence of Anti-CSRF Tokens)
+2	WARN	(Private IP Disclosure)
+3	WARN	(Session ID in URL Rewrite)
+50001	WARN	(Script Passive Scan Rules)
+90001	WARN	(Insecure JSF ViewState)
+90002	WARN	(Java Serialization Object)
+90003	WARN	(Sub Resource Integrity Attribute Missing)
+90011	WARN	(Charset Mismatch)
+90022	WARN	(Application Error Disclosure)
+90033	WARN	(Loosely Scoped Cookie)