As tech lead, I need "low" findings from WebInspect Oct 2022 scan addressed #2238

Closed
ADPennington opened this issue Nov 4, 2022 · 2 comments · Fixed by #2271 or #2941
Labels: compliance (OCIO-related compliance tasks), dev, security

Comments


ADPennington commented Nov 4, 2022

Description:
ACF OCIO performs monthly security scans on prod using WebInspect, and has a few low findings for Oct 2022:

[image: WebInspect scan results, not included]

More information is on p. 8+ here 🔒

Acceptance Criteria:

  • source of issue identified
  • source of issue resolved or documented
  • Testing Checklist has been run and all tests pass
  • README is updated, if necessary

Tasks:

  • investigate root cause
  • look into why this isn't showing up in OWASP scans
  • resolve/document
  • Run Testing Checklist and confirm all tests pass
ADPennington added the security, dev and compliance (OCIO-related compliance tasks) labels on Nov 4, 2022.

ADPennington (Collaborator, Author) commented:

11/15 update:

  • @n0remac will remove robots via PR
  • @ADPennington will draw up notes for @tdrammeh1 @AiseosaO to review for remainder of low findings that do not need remediation.
  • we will re-work ADR#16 to track security scan waivers

cc: @stevenino

ADPennington (Collaborator, Author) commented:

per discussion with OCIO on 1/10/2023:

  • robots file can be removed
  • WebInspect results that are due to scan parameter limitations (e.g. Java not enabled) can be ignored in future scan reports.
  • results that return a 403 forbidden should be rerouted to 404. we can spin up new tix for this if needed. seems relatively low in priority.
  • alex will capture false positives in ATO doc.

cc: @andrew-jameson @stevenino
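The 403-to-404 rerouting agreed on above, as an added example that is not code from this project: a WSGI middleware (assuming a plain WSGI application; the routes below are constructed for illustration) that answers a restricted path exactly like a missing one, so an unauthenticated scanner can no longer confirm that the path exists.

```python
"""Remap HTTP 403 responses to a generic 404 at the WSGI layer (added example)."""
from wsgiref.util import setup_testing_defaults

# Constructed routes: path -> (status, body). "/admin/" exists but is restricted.
ROUTES = {
    "/": ("200 OK", b"public"),
    "/admin/": ("403 Forbidden", b"forbidden"),
}


def app(environ, start_response):
    """Minimal WSGI app standing in for the real application (assumed, not the project's)."""
    status, body = ROUTES.get(environ["PATH_INFO"], ("404 Not Found", b"not found"))
    start_response(status, [("Content-Type", "text/plain")])
    return [body]


class Forbidden404Middleware:
    """Rewrite any 403 emitted by the wrapped app into the same 404 a missing path gets."""

    def __init__(self, wrapped):
        self.wrapped = wrapped

    def __call__(self, environ, start_response):
        captured = {}

        def _start_response(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, list(headers)

        body = b"".join(self.wrapped(environ, _start_response))
        status, headers = captured["status"], captured["headers"]
        if status.startswith("403"):
            # Drop the forbidden body too; a 404 status with a "forbidden" body still leaks.
            status, body = "404 Not Found", b"not found"
            headers = [(k, v) for k, v in headers if k.lower() != "content-length"]
        start_response(status, headers)
        return [body]


def request(application, path):
    """Drive a WSGI app for one GET and return (status, body) so results can be checked."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    result = {}

    def start_response(status, headers, exc_info=None):
        result["status"] = status

    body = b"".join(application(environ, start_response))
    return result["status"], body
```

With the middleware in place, `request(Forbidden404Middleware(app), "/admin/")` and `request(Forbidden404Middleware(app), "/missing")` return identical responses, which is the property the scan finding asks for.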
