Skip to content

fix: CSP headers and deps alerts#213

Merged
rafaelsilva29 merged 2 commits into
mainfrom
fix/deps-csp
Jun 11, 2026
Merged

fix: CSP headers and deps alerts#213
rafaelsilva29 merged 2 commits into
mainfrom
fix/deps-csp

Conversation

@rafaelsilva29

Copy link
Copy Markdown
Member

Description

Addresses multiple findings from the Solis ZAP security scan (rule 70010 — CSP CSDL Violation, rule 10015 — Cache-Control, rule 10027 — Information Disclosure via comments) and two Dependabot alerts in the frontend.

CSP fixes (ZAP 70010):

  • Removed five hardcoded static nonces from script-src in csp-header.conf and csp-header.env.conf. Static nonces are cryptographically meaningless and are correctly flagged as CSDL violations — they provide no security benefit over unsafe-inline.
  • The Maze analytics bootstrap was previously relying on one of those nonces for an inline <script> in maze.tsx. Replaced with an external public/maze-loader.js file served from self, eliminating the need for any nonce or unsafe-inline in script-src.
  • The SSI-based runtime config injection (window.apiUrl, window.authType, etc.) was previously a nonce-tagged inline <script> block injected via sed at Docker build time. Replaced with a dedicated config.js.ssi template served by nginx at /config.js with SSI processing (ssi_types application/javascript), injected into index.html as <script src="/config.js">.
  • Added missing font-src 'self' https://fonts.gstatic.com data: directive (fixes "Solis Content Security Policy Scanner 4" findings for .woff2 assets).
  • Added data: to img-src and frame-src to both CSP files for consistency.

Cache-Control fixes (ZAP 10015):

  • Added explicit nginx location blocks for static image/font assets (ico, png, svg, woff2, etc.) with public, max-age=86400, must-revalidate instead of falling through to the HTML catch-all.
  • Added explicit block for robots.txt and sitemap.xml with no-store.
  • /config.js served with no-store since it contains runtime environment values.

Suspicious comments fixes (ZAP 10027):

  • Removed developer comments from sw.ts, routes.tsx, utils/auth.ts, and auth-provider-oidc-helper.tsx that survived into compiled JS bundles and triggered keyword matches (API Key, token, NOTE, etc.).

Dependabot alerts:

  • Bumped vitest and @vitest/coverage-v8/@vitest/ui from 3.2.4 to 3.2.6 (GHSA-5xrq-8626-4rwp — critical: arbitrary file read/exec via Vitest UI server).
  • Bumped qs from 6.15.1 to 6.15.2 (GHSA-q8mj-m7cp-5q26 — moderate: DoS via qs.stringify). Added both to resolutions to cover transitive dependencies.

Docker base image hardening:

  • Added apk upgrade --no-cache openssl to all Alpine stages in Dockerfile (frontend) and Dockerfile.bff (backend) to patch CVE-2026-34182 (critical) and 8 high-severity OpenSSL vulnerabilities fixed in openssl@3.5.7-r0.

Type of Change

  • Bugfix
  • New Feature
  • Breaking Change
  • Refactor
  • Documentation
  • Other (security remediation: fixes Solis ZAP scan findings and Dependabot alerts)

Checklist

  • I have read the contributing guidelines
  • Existing issues have been referenced (where applicable)
  • I have verified this change is not present in other open pull requests
  • Functionality is documented
  • All code style checks pass
  • New code contribution is covered by automated tests
  • All new and existing tests pass

Signed-off-by: Rafael Silva (rafaelsi) <rafaelsi@cisco.com>
@github-actions

github-actions Bot commented Jun 11, 2026

Copy link
Copy Markdown

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see actions/dependency-review-action/issues/938.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details
PackageVersionScoreDetails
npm/@vitest/coverage-v8 3.2.6 UnknownUnknown
npm/@vitest/expect 3.2.6 UnknownUnknown
npm/@vitest/mocker 3.2.6 UnknownUnknown
npm/@vitest/pretty-format 3.2.6 UnknownUnknown
npm/@vitest/runner 3.2.6 UnknownUnknown
npm/@vitest/snapshot 3.2.6 UnknownUnknown
npm/@vitest/spy 3.2.6 UnknownUnknown
npm/@vitest/ui 3.2.6 UnknownUnknown
npm/@vitest/utils 3.2.6 UnknownUnknown
npm/qs 6.15.2 🟢 5.4
Details
CheckScoreReason
Code-Review⚠️ 2Found 6/30 approved changesets -- score normalized to 2
Security-Policy🟢 10security policy file detected
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained🟢 1015 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices🟢 5badge detected: Passing
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/vitest 3.2.6 UnknownUnknown

Scanned Files

  • frontend/yarn.lock

Comment thread frontend/src/components/shared/maze/maze.tsx Outdated
Signed-off-by: Rafael Silva (rafaelsi) <rafaelsi@cisco.com>
@rafaelsilva29 rafaelsilva29 merged commit 158fc21 into main Jun 11, 2026
7 of 9 checks passed
@rafaelsilva29 rafaelsilva29 deleted the fix/deps-csp branch June 11, 2026 12:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants