fix: Update security remediation plan and QA report for Grype SBOM implementation

- Removed outdated security remediation plan for DoD failures, indicating no active specifications.
- Documented recent completion of Grype SBOM remediation, including implementation summary and QA report.
- Updated QA report to reflect successful validation of security scans with zero HIGH/CRITICAL findings.
- Deleted the previous QA report file as its contents are now integrated into the current report.
GitHub Actions
2026-01-10 05:40:56 +00:00
parent 18d1294c24
commit e95590a727
9 changed files with 4221 additions and 462 deletions


@@ -1,137 +1,59 @@
# Current Specification
# Security Remediation Plan — DoD Failures (CodeQL + Trivy)
**Status**: No active specification
**Last Updated**: 2026-01-10
**Created:** 2026-01-09
---
This plan addresses the **HIGH/CRITICAL security findings** reported in [docs/reports/qa_report.md](docs/reports/qa_report.md).
## Active Projects
> The prior Codecov patch-coverage plan was moved to [docs/plans/patch_coverage_spec.md](docs/plans/patch_coverage_spec.md).
Currently, there are no active specifications or implementation plans in progress.
## Goal
---
Restore DoD to ✅ PASS by eliminating **all HIGH/CRITICAL** findings from:
## Recently Completed
- CodeQL (Go + JS) results produced by **Security: CodeQL All (CI-Aligned)**
- Trivy results produced by **Security: Trivy Scan**
### Grype SBOM Remediation (2026-01-10)
Hard constraints:
- Do **not** weaken gates (no suppressing findings unless a false-positive is proven and documented).
- Prefer minimal, targeted changes.
- Avoid adding new runtime dependencies.
Successfully resolved CI/CD failures in the Supply Chain Verification workflow caused by Grype SBOM format mismatch.
## Scope
**Documentation**:
- **Implementation Summary**: [docs/implementation/GRYPE_SBOM_REMEDIATION.md](../implementation/GRYPE_SBOM_REMEDIATION.md)
- **QA Report**: [docs/reports/qa_report.md](../reports/qa_report.md)
- **Archived Plan**: [docs/plans/archive/grype_sbom_remediation_2026-01-10.md](archive/grype_sbom_remediation_2026-01-10.md)
From the QA report:
**Status**: ✅ Complete - Deployed to production
### CodeQL Go
---
- Rule: `go/email-injection` (**CRITICAL**)
- Location: `backend/internal/services/mail_service.go` (reported around lines ~222, ~340, ~393)
## Guidelines for Creating New Specs
### CodeQL JS
When starting a new project, create a detailed specification in this file following the [Spec-Driven Workflow v1](.github/instructions/spec-driven-workflow-v1.instructions.md) format.
- Rule: `js/incomplete-hostname-regexp` (**HIGH**)
- Location: `frontend/src/pages/__tests__/ProxyHosts-extra.test.tsx` (reported around line ~252)
### Required Sections
### Trivy
1. **Problem Statement** - What issue are we solving?
2. **Root Cause Analysis** - Why does the problem exist?
3. **Solution Design** - How will we solve it?
4. **Implementation Plan** - Step-by-step tasks
5. **Testing Strategy** - How will we validate success?
6. **Success Criteria** - What defines "done"?
QA report note: Trivy filesystem scan may be picking up **workspace caches/artifacts** (e.g., `.cache/go/pkg/mod/...` and other generated directories) in addition to repo-tracked files, while the **image scan may already be clean**.
### Archiving Completed Specs
## Step 0 — Trivy triage (required first)
When a specification is complete:
Objective: Re-run the current Trivy task and determine whether HIGH/CRITICAL findings are attributable to:
- **Repo-tracked paths** (e.g., `backend/go.mod`, `backend/go.sum`, `Dockerfile`, `frontend/`, etc.), or
- **Generated/cache paths** under the workspace (e.g., `.cache/`, `**/*.cover`, `codeql-db-*`, temporary build outputs).
1. Create implementation summary in `docs/implementation/`
2. Move spec to `docs/plans/archive/` with timestamp
3. Update this file with completion notice
Steps:
1. Run **Security: Trivy Scan**.
2. For each HIGH/CRITICAL item, record the affected file path(s) reported by Trivy.
3. Classify each finding:
- **Repo-tracked**: path is under version control (or clearly part of the shipped build artifact, e.g., the built `app/charon` binary or image layers).
- **Scan-scope noise**: path is a workspace cache/artifact directory not intended as deliverable input.
---
Decision outcomes:
- If HIGH/CRITICAL are **repo-tracked / shipped** → remediate by upgrading only the affected components to Trivys fixed versions (see Workstreams C/D).
- If HIGH/CRITICAL are **only cache/artifact paths** → treat as scan-scope noise and align Trivy scan scope to repo contents by excluding those directories (without disabling scanners or suppressing findings).
## Archive Location
## Workstreams (by role)
Completed and archived specifications can be found in:
- [docs/plans/archive/](archive/)
### Workstream A — Backend (Backend_Dev): Fix `go/email-injection`
---
Objective: Ensure no untrusted data can inject additional headers/body content into SMTP `DATA`.
Implementation direction (minimal + CodeQL-friendly):
1. **Centralize email header construction** (avoid raw `fmt.Sprintf("%s: %s\r\n", ...)` with untrusted input).
2. **Reject** header values containing `\r` or `\n` (and other control characters if feasible).
3. Ensure email addresses are created using strict parsing/formatting (`net/mail`) and avoid concatenating raw address strings.
4. Add unit tests that attempt CRLF injection in subject/from/to and assert the send/build path rejects it.
Acceptance criteria:
- CodeQL Go scan shows **0** `go/email-injection` findings.
- Backend unit tests cover the rejection paths.
### Workstream B — Frontend (Frontend_Dev): Fix `js/incomplete-hostname-regexp`
Objective: Remove an “incomplete hostname regex” pattern flagged by CodeQL.
Preferred change:
- Replace hostname regex usage with an exact string match (or an anchored + escaped regex like `^link\.example\.com$`).
Acceptance criteria:
- CodeQL JS scan shows **0** `js/incomplete-hostname-regexp` findings.
### Workstream C — Container / embedded binaries (DevOps): Fix Trivy image finding
Objective: Ensure the built image does not ship `crowdsec`/`cscli` binaries that embed vulnerable `github.com/expr-lang/expr v1.17.2`.
Implementation direction:
1. If any changes are made to `Dockerfile` (including the CrowdSec build stage), rebuild the image (**no-cache recommended**) before validating.
2. Prefer **bumping the pinned CrowdSec version** in `Dockerfile` to a release that already depends on `expr >= 1.17.7`.
3. If no suitable CrowdSec release is available, patch the build in the CrowdSec build stage similarly to the existing Caddy stage override (force `expr@1.17.7` before building).
Acceptance criteria:
- Trivy image scan reports **0 HIGH/CRITICAL**.
### Workstream D — Go module upgrades (Backend_Dev + QA_Security): Fix Trivy repo scan findings
Objective: Eliminate Trivy filesystem-scan HIGH/CRITICAL findings without over-upgrading unrelated dependencies.
Implementation direction (conditional; driven by Step 0 triage):
1. If Trivy attributes HIGH/CRITICAL to `backend/go.mod` / `backend/go.sum` **or** to the built `app/charon` binary:
- Bump **only the specific Go modules Trivy flags** to Trivys fixed versions.
- Run `go mod tidy` and ensure builds/tests stay green.
2. If Trivy attributes HIGH/CRITICAL **only** to workspace caches / generated artifacts (e.g., `.cache/go/pkg/mod/...`):
- Treat as scan-scope noise and align Trivys filesystem scan scope to repo-tracked content by excluding those directories.
- This is **not** gate weakening: scanners stay enabled and the project must still achieve **0 HIGH/CRITICAL** in Trivy outputs.
Acceptance criteria:
- Trivy scan reports **0 HIGH/CRITICAL**.
## Validation (VS Code tasks)
Run tasks in this order (only run frontend ones if Workstream B changes anything under `frontend/`):
1. **Build: Backend**
2. **Test: Backend with Coverage**
3. **Security: CodeQL All (CI-Aligned)**
4. **Security: Trivy Scan** (explicitly verify **both** filesystem-scan and image-scan outputs are **0 HIGH/CRITICAL**)
5. **Lint: Pre-commit (All Files)**
If any changes are made to `Dockerfile` / CrowdSec build stage:
6. **Build & Run: Local Docker Image No-Cache** (recommended)
7. **Security: Trivy Scan** (re-verify image scan after rebuild)
If `frontend/` changes are made:
6. **Lint: TypeScript Check**
7. **Test: Frontend with Coverage**
8. **Lint: Frontend**
## Handoff checklist
- Attach updated `codeql-results-*.sarif` and Trivy artifacts for **both filesystem and image** outputs to the QA rerun.
- Confirm the QA reports pass/fail criteria are satisfied (no HIGH/CRITICAL findings).
**Note**: This file should only contain ONE active specification at a time. Archive completed work before starting new projects.
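Review bot: The removed CodeQL + Trivy remediation plan is dropped without following the steps the new text lists under "Archiving Completed Specs". "Recently Completed" links only the Grype SBOM work, and nothing in the new file records whether the `go/email-injection` (CRITICAL) and `js/incomplete-hostname-regexp` (HIGH) findings or the Step 0 Trivy triage were closed. Move the old plan to `docs/plans/archive/` and add a completed or superseded entry that links it and the QA evidence, so that removing a plan for CRITICAL findings stays auditable. Separately, the new links are written relative to this file's directory (`../implementation/...`, `archive/...`), but the Spec-Driven Workflow link uses `.github/instructions/...`, which will not resolve from the same directory; pick one convention for all links in the file.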