Skip to content

Document web application vulnerability scanning procedure (#7021) #7096

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: develop
Choose a base branch
from

Conversation

dsotirho-ucsc
Copy link
Contributor

@dsotirho-ucsc dsotirho-ucsc commented May 6, 2025

Connected issues: #7021

Checklist

Author

  • PR is a draft
  • Target branch is develop
  • Name of PR branch matches issues/<GitHub handle of author>/<issue#>-<slug>
  • On ZenHub, PR is connected to all issues it (partially) resolves
  • PR description links to connected issues
  • PR title matches1 that of a connected issue or comment in PR explains why they're different
  • PR title references all connected issues
  • For each connected issue, there is at least one commit whose title references that issue

1 when the issue title describes a problem, the corresponding PR
title is Fix: followed by the issue title

Author (partiality)

  • Added p tag to titles of partial commits
  • This PR is labeled partial or completely resolves all connected issues
  • This PR partially resolves each of the connected issues or does not have the partial label

Author (chains)

  • This PR is blocked by previous PR in the chain or is not chained to another PR
  • The blocking PR is labeled base or this PR is not chained to another PR
  • This PR is labeled chained or is not chained to another PR

Author (reindex, API changes)

  • Added r tag to commit title or the changes introduced by this PR will not require reindexing of any deployment
  • This PR is labeled reindex:dev or the changes introduced by it will not require reindexing of dev
  • This PR is labeled reindex:anvildev or the changes introduced by it will not require reindexing of anvildev
  • This PR is labeled reindex:anvilprod or the changes introduced by it will not require reindexing of anvilprod
  • This PR is labeled reindex:prod or the changes introduced by it will not require reindexing of prod
  • This PR is labeled reindex:partial and its description documents the specific reindexing procedure for dev, anvildev, anvilprod and prod or requires a full reindex or carries none of the labels reindex:dev, reindex:anvildev, reindex:anvilprod and reindex:prod
  • This PR and its connected issues are labeled API or this PR does not modify a REST API
  • Added a (A) tag to commit title for backwards (in)compatible changes or this PR does not modify a REST API
  • Updated REST API version number in app.py or this PR does not modify a REST API

Author (upgrading deployments)

  • Ran make docker_images.json and committed the resulting changes or this PR does not modify azul_docker_images, or any other variables referenced in the definition of that variable
  • Documented upgrading of deployments in UPGRADING.rst or this PR does not require upgrading deployments
  • Added u tag to commit title or this PR does not require upgrading deployments
  • This PR is labeled upgrade or does not require upgrading deployments
  • This PR is labeled deploy:shared or does not modify docker_images.json, and does not require deploying the shared component for any other reason
  • This PR is labeled deploy:gitlab or does not require deploying the gitlab component
  • This PR is labeled deploy:runner or does not require deploying the runner image

Author (hotfixes)

  • Added F tag to main commit title or this PR does not include permanent fix for a temporary hotfix
  • Reverted the temporary hotfixes for any connected issues or the none of the stable branches (anvilprod and prod) have temporary hotfixes for any of the issues connected to this PR

Author (before every review)

  • Rebased PR branch on develop, squashed old fixups
  • Ran make requirements_update or this PR does not modify requirements*.txt, common.mk, Makefile and Dockerfile
  • Added R tag to commit title or this PR does not modify requirements*.txt
  • This PR is labeled reqs or does not modify requirements*.txt
  • make integration_test passes in personal deployment or this PR does not modify functionality that could affect the IT outcome

Peer reviewer (after approval)

  • PR is marked as approved
  • PR is not a draft
  • Ticket is in Review requested column
  • PR is awaiting requested review from system administrator
  • PR is assigned to only the system administrator

System administrator (after approval)

  • Actually approved the PR
  • Labeled connected issues as demo or no demo
  • Commented on connected issues about demo expectations or all connected issues are labeled no demo
  • Decided if PR can be labeled no sandbox
  • A comment to this PR details the completed security design review
  • PR title is appropriate as title of merge commit
  • N reviews label is accurate
  • Moved connected issues to Approved column
  • PR is assigned to only the operator

Operator (before pushing merge the commit)

  • Checked reindex:… labels and r commit title tag
  • Checked that demo expectations are clear or all connected issues are labeled no demo
  • Squashed PR branch and rebased onto develop
  • Sanity-checked history
  • Pushed PR branch to GitHub
  • Ran _select dev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused or this PR is not labeled deploy:shared
  • Ran _select dev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply or this PR is not labeled deploy:gitlab
  • Ran _select anvildev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused or this PR is not labeled deploy:shared
  • Ran _select anvildev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply or this PR is not labeled deploy:gitlab
  • Checked the items in the next section or this PR is labeled deploy:gitlab
  • PR is assigned to only the system administrator or this PR is not labeled deploy:gitlab

System administrator

  • Background migrations for dev.gitlab are complete or this PR is not labeled deploy:gitlab
  • Background migrations for anvildev.gitlab are complete or this PR is not labeled deploy:gitlab
  • PR is assigned to only the operator

Operator (before pushing merge the commit)

  • Ran _select dev.gitlab && make -C terraform/gitlab/runner or this PR is not labeled deploy:runner
  • Ran _select anvildev.gitlab && make -C terraform/gitlab/runner or this PR is not labeled deploy:runner
  • Added sandbox label or PR is labeled no sandbox
  • Pushed PR branch to GitLab dev or PR is labeled no sandbox
  • Pushed PR branch to GitLab anvildev or PR is labeled no sandbox
  • Build passes in sandbox deployment or PR is labeled no sandbox
  • Build passes in anvilbox deployment or PR is labeled no sandbox
  • Reviewed build logs for anomalies in sandbox deployment or PR is labeled no sandbox
  • Reviewed build logs for anomalies in anvilbox deployment or PR is labeled no sandbox
  • Deleted unreferenced indices in sandbox or this PR does not remove catalogs or otherwise causes unreferenced indices in dev
  • Deleted unreferenced indices in anvilbox or this PR does not remove catalogs or otherwise causes unreferenced indices in anvildev
  • Started reindex in sandbox or this PR is not labeled reindex:dev
  • Started reindex in anvilbox or this PR is not labeled reindex:anvildev
  • Checked for failures in sandbox or this PR is not labeled reindex:dev
  • Checked for failures in anvilbox or this PR is not labeled reindex:anvildev
  • Confirmed all checks in PR are OK and the PR is mergeable
  • The title of the merge commit starts with the title of this PR
  • Added PR # reference to merge commit title
  • Collected commit title tags in merge commit title but only included p if the PR is also labeled partial
  • Moved connected issues to Merged lower column in ZenHub
  • Moved blocked issues to Triage or no issues are blocked on the connected issues
  • Pushed merge commit to GitHub

Operator (chain shortening)

  • Changed the target branch of the blocked PR to develop or this PR is not labeled base
  • Removed the chained label from the blocked PR or this PR is not labeled base
  • Removed the blocking relationship from the blocked PR or this PR is not labeled base
  • Removed the base label from this PR or this PR is not labeled base

Operator (after pushing the merge commit)

  • Pushed merge commit to GitLab dev
  • Pushed merge commit to GitLab anvildev
  • Build passes on GitLab dev
  • Reviewed build logs for anomalies on GitLab dev
  • Build passes on GitLab anvildev
  • Reviewed build logs for anomalies on GitLab anvildev
  • Ran _select dev.shared && make -C terraform/shared apply or this PR is not labeled deploy:shared
  • Ran _select anvildev.shared && make -C terraform/shared apply or this PR is not labeled deploy:shared
  • Deleted PR branch from GitHub
  • Deleted PR branch from GitLab dev
  • Deleted PR branch from GitLab anvildev

Operator (reindex)

  • Deindexed all unreferenced catalogs in dev or this PR is neither labeled reindex:partial nor reindex:dev
  • Deindexed all unreferenced catalogs in anvildev or this PR is neither labeled reindex:partial nor reindex:anvildev
  • Deindexed specific sources in dev or this PR is neither labeled reindex:partial nor reindex:dev
  • Deindexed specific sources in anvildev or this PR is neither labeled reindex:partial nor reindex:anvildev
  • Indexed specific sources in dev or this PR is neither labeled reindex:partial nor reindex:dev
  • Indexed specific sources in anvildev or this PR is neither labeled reindex:partial nor reindex:anvildev
  • Started reindex in dev or this PR does not require reindexing dev
  • Started reindex in anvildev or this PR does not require reindexing anvildev
  • Checked for, triaged and possibly requeued messages in both fail queues in dev or this PR does not require reindexing dev
  • Checked for, triaged and possibly requeued messages in both fail queues in anvildev or this PR does not require reindexing anvildev
  • Emptied fail queues in dev or this PR does not require reindexing dev
  • Emptied fail queues in anvildev or this PR does not require reindexing anvildev
  • Restarted the Data Browser pipeline for the ucsc/hca/dev branch on GitLab in dev or this PR does not require reindexing dev
  • Restarted the Data Browser pipeline for the ucsc/lungmap/dev branch on GitLab in dev or this PR does not require reindexing dev
  • Restarted deploy_browser job in the GitLab pipeline for this PR in dev or this PR does not require reindexing dev
  • Restarted the Data Browser pipeline for the ucsc/anvil/anvildev branch on GitLab in anvildev or this PR does not require reindexing anvildev
  • Restarted deploy_browser job in the GitLab pipeline for this PR in anvildev or this PR does not require reindexing anvildev

Operator

  • Propagated the deploy:shared, deploy:gitlab, deploy:runner, API, reindex:partial, reindex:anvilprod and reindex:prod labels to the next promotion PRs or this PR carries none of these labels
  • Propagated any specific instructions related to the deploy:shared, deploy:gitlab, deploy:runner, API, reindex:partial, reindex:anvilprod and reindex:prod labels, from the description of this PR to that of the next promotion PRs or this PR carries none of these labels
  • PR is assigned to no one

Shorthand for review comments

  • L line is too long
  • W line wrapping is wrong
  • Q bad quotes
  • F other formatting problem

@github-actions github-actions bot added the orange [process] Done by the Azul team label May 6, 2025
Copy link

codecov bot commented May 6, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 85.24%. Comparing base (7964fe5) to head (9d9da68).

Additional details and impacted files
@@           Coverage Diff            @@
##           develop    #7096   +/-   ##
========================================
  Coverage    85.24%   85.24%           
========================================
  Files          152      152           
  Lines        22060    22060           
========================================
  Hits         18804    18804           
  Misses        3256     3256           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@coveralls
Copy link

coveralls commented May 6, 2025

Coverage Status

coverage: 85.417%. remained the same
when pulling 9d9da68 on issues/dsotirho-ucsc/7021-document-scan-procedure
into 7964fe5 on develop.

@dsotirho-ucsc dsotirho-ucsc force-pushed the issues/dsotirho-ucsc/7021-document-scan-procedure branch 3 times, most recently from 1023862 to 634e24a Compare May 8, 2025 16:13
@dsotirho-ucsc
Copy link
Contributor Author

7096_IT_2025-05-08.txt

Copy link
Member

@achave11-ucsc achave11-ucsc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, small nits.

@achave11-ucsc achave11-ucsc removed their assignment May 9, 2025
@dsotirho-ucsc
Copy link
Contributor Author

7096_IT_2025-05-09.txt

Copy link
Member

@achave11-ucsc achave11-ucsc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the intended category of ZAP application usage.

In that spirit, I'd rearrange the sections, moving the ZAP Setup last, and maybe the authenticated scan preceding it, but I'll leave that to your discretion. Also, consider having a small/medium explanatory paragraph in the beginning regarding the how long to expect for a scan to run and any network/connectivity delays that may be experienced while running this without request limit filters (if any).

@achave11-ucsc achave11-ucsc removed their assignment May 9, 2025
@dsotirho-ucsc dsotirho-ucsc force-pushed the issues/dsotirho-ucsc/7021-document-scan-procedure branch 3 times, most recently from 5fc1864 to ac189e9 Compare May 13, 2025 18:27
@dsotirho-ucsc
Copy link
Contributor Author

7096_IT_2025-05-13.txt

In that spirit, I'd rearrange the sections, moving the ZAP Setup last, and maybe the authenticated scan preceding it, but I'll leave that to your discretion.

I think it makes sense to have the setup first, since it has options that should be set before any scans are run.

Also, consider having a small/medium explanatory paragraph in the beginning regarding the how long to expect for a scan to run and any network/connectivity delays that may be experienced while running this without request limit filters (if any).

I've expanded a few of the sections to make them more descriptive, and added a ZAP Sessions section.

achave11-ucsc
achave11-ucsc previously approved these changes May 13, 2025
Copy link
Member

@achave11-ucsc achave11-ucsc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved ✅

@achave11-ucsc achave11-ucsc marked this pull request as ready for review May 13, 2025 21:31
OPERATOR.rst Outdated

- From the menu, select ``Tools`` -> ``Options``:

- -> ``Network`` -> ``Rate Limit``, add and enable a 3 request per second rule
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No double bullets, please.

Suggested change
- -> ``Network`` -> ``Rate Limit``, add and enable a 3 request per second rule
- Select ``Network`` -> ``Rate Limit``, add and enable a 3 request per second rule

OPERATOR.rst Outdated

The process for running an authenticated scan is to first obtain an Azul
authentication token, and launch the ZAP application with the token set as
an environment variable. See
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OPERATOR.rst Outdated

- -> ``Check for Updates``:

- Check for updates on startup: Checked
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- Check for updates on startup: Checked
- Check the *Check for updates on startup* option

Use italics when you quote from a UI.

@hannes-ucsc hannes-ucsc removed their assignment May 14, 2025
Copy link
Member

@hannes-ucsc hannes-ucsc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please also ask for another peer review from Abraham asking him to walk through these steps in order to verify them.

OPERATOR.rst Outdated
Comment on lines 703 to 705
environment variable. See the `ZAP documentation
<https://www.zaproxy.org/docs/getting-further/authentication/handling-auth-yourself/>`_
for more information.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For long URLs, separate the link and the target definition as outlined in the Sphinx documentation I linked to in my previous review.

OPERATOR.rst Outdated
- From the popup, select the *No, I do not want to persis this session at this
moment in time* option and click *Start*

- From the menu, select *Edit* -> *ZAP Mode* -> *Standard Mode* (This should be
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use em dash, please.

Suggested change
- From the menu, select *Edit* -> *ZAP Mode* -> *Standard Mode* (This should be
- From the menu, select *Edit* *ZAP Mode* *Standard Mode* (This should be

OPERATOR.rst Outdated
- Using the Swagger UI, excecute an enpoint such as ``/index/catalogs``

- Note the example ``curl`` command, and copy the token from the
``Authorization`` header option (e.g. "Bearer ya29.a0…")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
``Authorization`` header option (e.g. "Bearer ya29.a0…")
``Authorization`` header option (e.g. ``Bearer ya29.a0…``)

OPERATOR.rst Outdated
new scan. Failure to do so can pollute the scan results with the findings from
the previous scan.

If you are promopted with options to persist the ZAP session, select the *No, I
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
If you are promopted with options to persist the ZAP session, select the *No, I
If you are prompted with options to persist the ZAP session, select the *No, I

OPERATOR.rst Outdated

- Check the *Check for updates to the add-ons you have installed* option

Running an authenticated scan
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This sounds like it is optional. It should state clearly that all scans should be authenticated, or, if only some should be authenticated, which ones.

@hannes-ucsc hannes-ucsc removed their assignment May 15, 2025
@dsotirho-ucsc dsotirho-ucsc force-pushed the issues/dsotirho-ucsc/7021-document-scan-procedure branch from 7fe1f01 to c473359 Compare May 15, 2025 23:40
@dsotirho-ucsc
Copy link
Contributor Author

7096_IT_2025-05-15.txt

@dsotirho-ucsc
Copy link
Contributor Author

dsotirho-ucsc commented May 16, 2025

Please also ask for another peer review from Abraham asking him to walk through these steps in order to verify them.

@achave11-ucsc, Please peer review, and attempt to follow the guide in order to successfully run scans and generate reports. A full list of the URLs to scan is available from the issue template for the monthly scan (template is not yet merged PR #7121).

Since completing all 8 scans would take a ~24 hours, I suggest running one scan fully (the Azul indexer scans complete the quickest), generating a report, and comparing the results to the last triaged scan results on this Google Sheet. For the other scans, getting the scan to start and seeing findings start to trickle in should suffice.

Feel free to reach out if you have any questions, however (hopefully) the guide will give you everything you need. Thanks!

achave11-ucsc
achave11-ucsc previously approved these changes May 17, 2025
Copy link
Member

@achave11-ucsc achave11-ucsc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM ✅

Copy link
Member

@hannes-ucsc hannes-ucsc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PL please.

@hannes-ucsc hannes-ucsc added 2 reviews [process] Lead requested changes twice and removed 1 review [process] Lead requested changes once labels May 21, 2025
@hannes-ucsc hannes-ucsc removed their assignment May 21, 2025
@dsotirho-ucsc dsotirho-ucsc force-pushed the issues/dsotirho-ucsc/7021-document-scan-procedure branch 2 times, most recently from 2d10b12 to bcf2b25 Compare May 23, 2025 20:35
@dsotirho-ucsc dsotirho-ucsc force-pushed the issues/dsotirho-ucsc/7021-document-scan-procedure branch from bcf2b25 to 9d9da68 Compare May 27, 2025 16:02
@dsotirho-ucsc
Copy link
Contributor Author

7096_IT_2025-05-27.txt

Copy link
Member

@hannes-ucsc hannes-ucsc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe we discussed in PL using a numbered list for the sequence of steps. Please also flatten the list structure so that it becomes a simple sequence of steps. Make sure that list items are complete sentences.

@hannes-ucsc hannes-ucsc added 3 reviews [process] Lead requested changes thrice and removed 2 reviews [process] Lead requested changes twice labels May 27, 2025
@hannes-ucsc hannes-ucsc removed their assignment May 27, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
3 reviews [process] Lead requested changes thrice orange [process] Done by the Azul team
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants