feat: dast scan integration

.github/actions/setup-memory-runtime/action.yml

@@ -0,0 +1,73 @@
+#################################################################################
+#  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+#
+#  See the NOTICE file(s) distributed with this work for additional
+#  information regarding copyright ownership.
+#
+#  This program and the accompanying materials are made available under the
+#  terms of the Apache License, Version 2.0 which is available at
+#  https://www.apache.org/licenses/LICENSE-2.0.
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#################################################################################
+
+
+---
+name: "Setup TractusX EDC in memory runtime"
+description: "Setup TractusX EDC in memory runtime"
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/checkout@v4
+    - uses: ./.github/actions/setup-java
+
+    - uses: actions/checkout@v4
+
+    - name: Dockerize TractusX EDC in memory distribution
+      shell: bash
+      run: |
+        ./gradlew :edc-controlplane:edc-runtime-memory:dockerize
+
+    - name: Starting MIW, Keycloak and Postgres Servers
+      shell: bash
+      run: |
+        cd edc-tests/miw-tests/src/test/resources/docker-environment
+        docker compose up -d --wait
+
+    - uses: nick-fields/retry@v3
+      name: Wait for MIW
+      with:
+        timeout_minutes: 5
+        max_attempts: 3
+        command: |
+          code=$(curl -IL -sw "%{http_code}" http://localhost:8000/api/actuator/health -o /dev/null)
+          if [ "$code" -ne "401" ]; then
+            echo "MIW not ready yet, status = $code"
+            exit 1;
+          fi   
+
+    - name: Starting in memory TractusX EDC
+      shell: bash
+      run: |
+        cd dast
+        docker compose up -d 
+
+
+    - uses: nick-fields/retry@v3
+      name: Wait for TractusX EDC
+      with:
+        timeout_minutes: 5
+        max_attempts: 3
+        command: |
+          code=$(curl -IL -sw "%{http_code}" http://localhost:8181/api/check/health -o /dev/null)
+          if [ "$code" -ne "401" ]; then
+            echo "TractusX EDC not ready yet, status = $code"
+            docker logs dast-edc-runtime-1
+            exit 1;
+          fi

.github/workflows/dast-scan.yaml

@@ -0,0 +1,123 @@
+#################################################################################
+#  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+#
+#  See the NOTICE file(s) distributed with this work for additional
+#  information regarding copyright ownership.
+#
+#  This program and the accompanying materials are made available under the
+#  terms of the Apache License, Version 2.0 which is available at
+#  https://www.apache.org/licenses/LICENSE-2.0.
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#################################################################################
+
+name: ZAP_ALL
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
+jobs:
+  zap_scan:
+    runs-on: ubuntu-latest
+    name: OWASP ZAP API Scan
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-memory-runtime
+
+      - name: Fetch MIW VP token
+        run: ./dast/fetch-token.sh
+
+      - name: API Catalog Request Test
+        id: catalog_request
+        run: |
+          dsp_response=$(curl -w "%{http_code}" --request POST \
+            --url http://localhost:8282/api/v1/dsp/catalog/request \
+            --header "Authorization: $VP_TOKEN" \
+            --header 'Content-Type: application/json' \
+              --data '{
+              "@type": "dspace:CatalogRequestMessage",
+              "dspace:filter": {
+                "@type": "QuerySpec",
+                "limit": 50,
+                "offset": 0,
+                "sortOrder": "ASC",
+                "filterExpression": []
+              },
+              "@context": {
+                "@vocab": "https://w3id.org/edc/v0.0.1/ns/",
+                "edc": "https://w3id.org/edc/v0.0.1/ns/",
+                "tx": "https://w3id.org/tractusx/v0.0.1/ns/",
+                "dcat": "http://www.w3.org/ns/dcat#",
+                "dct": "https://purl.org/dc/terms/",
+                "odrl": "http://www.w3.org/ns/odrl/2/",
+                "dspace": "https://w3id.org/dspace/v0.8/"
+              }
+            }')
+
+          echo "Response: $dsp_response"
+
+      - name: Generating report skeletons
+        if: success() || failure()
+        run: |
+          touch API_report.html
+          chmod a+w API_report.html
+          ls -lrt
+
+      - name: Run ZAP API scan
+        run: |
+          set +e
+
+          echo "Pulling ZAP image..."
+          docker pull ghcr.io/zaproxy/zaproxy:stable -q
+          echo "Starting ZAP Docker container..."
+          docker run --network miw-net -v ${GITHUB_WORKSPACE}:/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py -t http://edc-runtime:8282/api/v1/dsp -f openapi -r API_report.html -T 1
+
+          echo "... done."
+
+      - name: Upload HTML report
+        if: success() || failure()
+        uses: actions/upload-artifact@v3
+        with:
+          name: ZAP_API scan report
+          path: ./API_report.html
+
+  zap_scan2:
+    runs-on: ubuntu-latest
+    name: OWASP ZAP FULL Scan
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-memory-runtime
+
+      - name: Generating report skeletons
+        if: success() || failure()
+        run: |
+          touch fullscan_report.html
+          chmod a+w fullscan_report.html
+          ls -lrt
+
+      - name: Perform ZAP FULL scan
+        run: |
+          set +e
+
+          echo "Pulling ZAP image..."
+          docker pull ghcr.io/zaproxy/zaproxy:stable -q
+          echo "Starting ZAP Docker container..."
+          docker run --network miw-net -v ${GITHUB_WORKSPACE}:/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py -t http://edc-runtime:8282/api/v1/dsp -r fullscan_report.html -T 1
+
+          echo "... done."
+
+      - name: Upload HTML report
+        if: success() || failure()
+        uses: actions/upload-artifact@v3
+        with:
+          name: ZAP_FULL scan report
+          path: ./fullscan_report.html

DEPENDENCIES

@@ -1,4 +1,4 @@
 maven/mavencentral/com.apicatalog/carbon-did/0.0.2, Apache-2.0, approved, #9239
 maven/mavencentral/com.apicatalog/iron-ed25519-cryptosuite-2020/0.8.1, Apache-2.0, approved, #11157
 maven/mavencentral/com.apicatalog/iron-verifiable-credentials/0.8.1, Apache-2.0, approved, #9234
 maven/mavencentral/com.apicatalog/titanium-json-ld/1.0.0, Apache-2.0, approved, clearlydefined
@@ -418,8 +418,8 @@
 maven/mavencentral/org.eclipse.jetty/jetty-util/11.0.20, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty/jetty-webapp/11.0.20, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty/jetty-xml/11.0.20, EPL-2.0 OR Apache-2.0, approved, rt.jetty
-maven/mavencentral/org.flywaydb/flyway-core/10.8.1, , restricted, clearlydefined
-maven/mavencentral/org.flywaydb/flyway-database-postgresql/10.8.1, , restricted, clearlydefined
+maven/mavencentral/org.flywaydb/flyway-core/10.8.1, Apache-2.0, approved, #13291
+maven/mavencentral/org.flywaydb/flyway-database-postgresql/10.8.1, Apache-2.0, approved, #13290
 maven/mavencentral/org.glassfish.hk2.external/aopalliance-repackaged/3.0.5, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.glassfish
 maven/mavencentral/org.glassfish.hk2/hk2-api/3.0.5, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.glassfish
 maven/mavencentral/org.glassfish.hk2/hk2-locator/3.0.5, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.glassfish

dast/docker-compose.yaml

@@ -0,0 +1,50 @@
+#################################################################################
+#  Copyright (c) 2021,2023 Contributors to the Eclipse Foundation
+#
+#  See the NOTICE file(s) distributed with this work for additional
+#  information regarding copyright ownership.
+#
+#  This program and the accompanying materials are made available under the
+#  terms of the Apache License, Version 2.0 which is available at
+#  https://www.apache.org/licenses/LICENSE-2.0.
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#################################################################################
+
+
+version: '3'
+
+services:
+  edc-runtime:
+    image: edc-runtime-memory:latest
+    environment:
+      TX_SSI_OAUTH_TOKEN_URL: http://keycloak:8080/realms/miw_test/protocol/openid-connect/token
+      TX_SSI_OAUTH_CLIENT_ID: miw_private_client
+      TX_SSI_OAUTH_CLIENT_SECRET_ALIAS: client-alias
+      EDC_VAULT_SECRETS: "client-alias:miw_private_client"
+      TX_SSI_MIW_URL: http://miw:8000
+      TX_SSI_MIW_AUTHORITY_ID: BPNL000000000000
+      TX_SSI_MIW_AUTHORITY_ISSUER: did:web:localhost%3A8000:BPNL000000000000
+      TX_SSI_ENDPOINT_AUDIENCE: "http://test"
+      EDC_DATAPLANE_TOKEN_VALIDATION_ENDPOINT: "http://validate"
+      EDC_API_AUTH_KEY: password
+
+    networks:
+      - miw-net
+    ports:
+      - "8282:8282"
+      - "8181:8181"
+
+volumes:
+  postgres_data:
+    driver: local
+
+networks:
+  miw-net:
+    external: true

dast/fetch-token.sh

@@ -0,0 +1,37 @@
+#################################################################################
+#  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+#
+#  See the NOTICE file(s) distributed with this work for additional
+#  information regarding copyright ownership.
+#
+#  This program and the accompanying materials are made available under the
+#  terms of the Apache License, Version 2.0 which is available at
+#  https://www.apache.org/licenses/LICENSE-2.0.
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#################################################################################
+
+#!/bin/bash
+
+response=$(curl -X POST -d 'client_id=miw_private_client&grant_type=client_credentials&client_secret=miw_private_client&scope=openid' http://localhost:8080/realms/miw_test/protocol/openid-connect/token)
+token=$(echo "$response" | jq -r '.access_token')
+
+credentials=$(curl --url 'http://localhost:8000/api/credentials?type=SummaryCredential' --header "Authorization: Bearer $token"  --header 'Content-Type: application/json'  | jq -r '.content')
+
+
+vp_token=$(curl --request POST \
+            --url 'http://localhost:8000/api/presentations?asJwt=true&audience=http://test' \
+            --header "Authorization: Bearer $token" \
+            --header 'Content-Type: application/json' \
+            --data "{ \"verifiableCredentials\": $credentials }" \
+            | jq -r '.vp')
+
+echo "VP_TOKEN=$vp_token" >> "$GITHUB_ENV"
+
+