cloudfoundry/stratos

Configuration: CSP Protection Appears To Be Missing

mahantsucf opened this issue · 1 comment

Stratos Version

Stratos Version 4.4.0

Frontend Deployment type

  • Cloud Foundry Application (cf push)
  • [x] Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • npm run start
  • Other (please specify below)

Backend (Jet Stream) Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • Other (please specify below)

Expected behavior

When we do an AppScan static scan, the scanning results shouldn’t yield any vulnerabilities.

Actual behavior

We ran AppScan and these vulnerabilities were marked as Low Severity issues.

Steps to reproduce the behavior

AppScan Go: version 0.1.7

Steps

Open the AppScan Go application.

Check out the Stratos code, release 4.4.0 (https://github.com/cloudfoundry/stratos.git), on your local machine.

Choose the type of scan, i.e. Complete Security Scan.

Click the Browse button and browse to the src folder (except the test-e2e folder) of the Stratos project that you checked out in step 2.

AppScan Go! retrieves the appropriate files from the selected folder and lists them for review. No need to change anything here; just click the Continue button.

Click the Create a new scan button ---> Initiate scan. This will initiate the scan process.

When the upload to AppScan on Cloud is complete, click the link to review the status or results of the scan in the AppScan on Cloud service (you will see many high severity issues).

Reference : https://help.hcltechsw.com/appscan/ASoC/src_irx_gen_gui.html

Log output covering before error and any error statements

![AppScan_Log](https://user-images.githubusercontent.com/81233158/127614123-2628af8c-ce96-4fe0-ac54-2dd8b4ef7e32.PNG)

Detailed Description

Exact Location where the issue occurs:
src\frontend\packages\cf-autoscaler\src\store\app-autoscaler.actions.ts:108
src\frontend\packages\cf-autoscaler\src\store\app-autoscaler.actions.ts:116
src\frontend\packages\cf-autoscaler\src\store\app-autoscaler.actions.ts:244
src\frontend\packages\cloud-foundry\src\actions\application.actions.ts:158
src\frontend\packages\cloud-foundry\src\actions\application.actions.ts:117

Context

A potential security configuration error has been identified. Security configuration errors in the web server, application server, application framework, operating system, or database can threaten the security of the application and its data.

Possible Implementation

Review the identified setting and make sure that all appropriate hardening has been performed. In particular:

  • Verify that default passwords have been replaced with secure passwords.
  • Verify that all unnecessary services and functionality have been disabled.
  • Verify that error handling is configured so that no unwanted information is leaked to the user after an error occurs.

It is recommended that a well-documented and repeatable (or automated) process be adopted to ensure that security hardening is performed consistently and accurately.

Is this some kind of a joke? Closing, no detail.