116 lines
4.3 KiB
Markdown
# QA/Security DoD Validation Report

**Date**: 2026-01-09

**Scope**: DoD validation rerun (backend tests + lint + security scans)

**Overall Status**: ❌ FAIL

## Summary

All requested tasks ran to completion (no task execution failures). The DoD nevertheless fails because the CodeQL and Trivy outputs contain **HIGH/CRITICAL security findings**.

## Frontend Change Check

**Result**: No frontend files detected as changed (no paths under `frontend/` in the current workspace changes).

**Action**: Per request, the following tasks were skipped:

- Test: Frontend with Coverage
- Lint: TypeScript Check

Note: the pre-commit run includes a frontend TypeScript check hook, but it is not a substitute for the explicit “Frontend with Coverage” task when frontend source changes are present.

## Task Results (Required)
### 1) Test: Backend with Coverage

**Pass/Fail Criteria**:

- PASS if the task exits successfully and produces a coverage result.

**Result**: ✅ PASS (task completed)

**Coverage**:

- Backend total coverage (the `total:` line of `go tool cover -func backend/coverage.txt`): **86.6%**
- Per-package line in the task output: `coverage: 63.2% of statements` (package `backend/cmd/seed`); this is a single package's figure, not the repository total.

### 2) Lint: Pre-commit (All Files)

**Pass/Fail Criteria**:

- PASS if all hooks complete successfully.

**Result**: ✅ PASS

### 3) Security: CodeQL All (CI-Aligned)

**Pass/Fail Criteria**:

- PASS if no HIGH/CRITICAL findings are present.

**Result**: ❌ FAIL

**Findings**:

- Go SARIF (`codeql-results-go.sarif`): **3 CRITICAL** (security severity 9.8)
  - Rule: `go/email-injection` (“Email content injection”)
  - Location: `backend/internal/services/mail_service.go` (lines ~222, ~340, ~393)
- JS SARIF (`codeql-results-js.sarif`): **1 HIGH** (security severity 7.8)
  - Rule: `js/incomplete-hostname-regexp` (“Incomplete regular expression for hostnames”)
  - Location: `frontend/src/pages/__tests__/ProxyHosts-extra.test.tsx` (line ~252)

### 4) Security: Trivy Scan

**Pass/Fail Criteria**:

- PASS if no HIGH/CRITICAL findings are present.

**Result**: ❌ FAIL

**Counts (from existing artifacts)**:

- `trivy-scan-output.txt`: **CRITICAL=1**, **HIGH=7**
- `trivy-image-scan.txt`: **CRITICAL=0**, **HIGH=1**

## Root Cause (Why DoD Failed)

### CodeQL

1) **CRITICAL** `go/email-injection` in `backend/internal/services/mail_service.go`

**Likely cause**: user-controlled or otherwise untrusted values are used to build email content (subject/body, and potentially headers) without validation or normalization. A value containing `\r\n` terminates the header it was placed in and starts a new one (for example an added `Bcc:` or a rewritten `Subject:`), and untrusted body text lets an attacker decide what the recipient reads.

2) **HIGH** `js/incomplete-hostname-regexp` in a frontend test

**Likely cause**: a regex used for host matching in the test leaves `.` unescaped, so it matches any single character: a pattern written for `app.example.com` also accepts `appXexample.com`, and if the pattern is not anchored at the end of the host, `app.example.com.attacker.net` passes as well. The finding sits in a test file rather than runtime code, but the CodeQL All scan covers the whole tree and the criteria are severity-based, so it gates the DoD even though no frontend paths changed in this run.

### Trivy

### Trivy

**Likely cause**: one or more dependencies (Go modules and/or packages inside the container image) are pinned to versions with known vulnerabilities; Trivy matches the resolved module versions and the image's packages against its advisory database, so a finding appears whether or not the vulnerable code path is actually reached.

Examples extracted from `trivy-scan-output.txt` / `trivy-image-scan.txt` (non-exhaustive):

- `golang.org/x/crypto` (CVE-2024-45337 CRITICAL; CVE-2025-22869 HIGH)
- `golang.org/x/net` (CVE-2023-39325 HIGH)
- `golang.org/x/oauth2` (CVE-2025-22868 HIGH)
- `gopkg.in/yaml.v3` (CVE-2022-28948 HIGH)
- `github.com/quic-go/quic-go` (CVE-2025-59530 HIGH)
- `github.com/expr-lang/expr` (CVE-2025-68156 HIGH)

## Proposed Remediation (No changes applied)

Per instruction: **no fixes were made**. Suggested remediation steps:

### For CodeQL `go/email-injection`

- Validate every untrusted value that ends up in a header (to, from, reply-to, subject): reject `\r`, `\n` and other control characters rather than trying to strip them.
- Parse addresses with `net/mail.ParseAddress` and use only the returned `Address` field; encode non-ASCII subjects with `mime.QEncoding` (RFC 2047) so only printable ASCII reaches the wire.
- Keep untrusted text out of headers where possible (fixed subject templates, recipients looked up from the account record) and render the body from a template with fixed surrounding text instead of concatenating caller-supplied strings.
- Rerun the CodeQL Go scan after the change; the query is taint-tracking, so the validation must sit on every path from the untrusted source to the mail builder.

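The header-injection shape the rule describes and the hardened builder the steps above sketch, side by side. This is an added example written for this report, not the project's `mail_service.go`; the function names, the `example.test` addresses and the attacker-supplied subject are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"net/mail"
	"strings"
	"unicode"
)

// errControlChar is returned for CR, LF or any other Latin-1 control
// character: that is what lets "\r\nBcc: ..." end one header and begin another.
var errControlChar = errors.New("mail: control character in header value")

// checkHeaderValue rejects (rather than strips) control characters.
func checkHeaderValue(v string) error {
	for _, r := range v {
		if unicode.IsControl(r) { // '\r', '\n', '\t', NUL, ...
			return errControlChar
		}
	}
	return nil
}

// parseAddress canonicalises an address with net/mail and keeps only the
// addr-spec, so a display name cannot smuggle extra text into the header.
func parseAddress(v string) (string, error) {
	if err := checkHeaderValue(v); err != nil {
		return "", err
	}
	a, err := mail.ParseAddress(v)
	if err != nil {
		return "", fmt.Errorf("mail: bad address %q: %w", v, err)
	}
	return a.Address, nil
}

// encodeSubject validates the subject, then Q-encodes it (RFC 2047) so only
// printable ASCII reaches the wire even for non-ASCII text.
func encodeSubject(s string) (string, error) {
	if err := checkHeaderValue(s); err != nil {
		return "", err
	}
	return mime.QEncoding.Encode("utf-8", s), nil
}

// vulnerableBuild is the shape the scanner flags: untrusted values are
// formatted straight into header lines, so a CRLF in the subject (or in a
// recipient) starts a new header of the attacker's choosing.
func vulnerableBuild(from, to, subject, body string) string {
	return fmt.Sprintf("From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n%s", from, to, subject, body)
}

// buildMessage is the hardened equivalent: header values are validated and
// canonicalised before concatenation, and the body is written only after the
// blank line that ends the header block, so body text can never become a header.
func buildMessage(from, to, subject, body string) (string, error) {
	f, err := parseAddress(from)
	if err != nil {
		return "", err
	}
	t, err := parseAddress(to)
	if err != nil {
		return "", err
	}
	s, err := encodeSubject(subject)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	fmt.Fprintf(&b, "From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n", f, t, s)
	// The body may contain newlines; normalise them to CRLF for SMTP.
	b.WriteString(strings.ReplaceAll(strings.ReplaceAll(body, "\r\n", "\n"), "\n", "\r\n"))
	return b.String(), nil
}

// headerCount reports how many header lines carry the given field name; a
// Bcc count above zero on a message that never set one is the injection signature.
func headerCount(msg, field string) int {
	headers, _, _ := strings.Cut(msg, "\r\n\r\n")
	n := 0
	for _, line := range strings.Split(headers, "\r\n") {
		if strings.HasPrefix(strings.ToLower(line), strings.ToLower(field)+":") {
			n++
		}
	}
	return n
}

func main() {
	// Constructed attacker input: a subject that tries to append a Bcc header.
	subject := "Your invoice\r\nBcc: attacker@example.test"
	msg := vulnerableBuild("noreply@example.test", "user@example.test", subject, "Hello")
	fmt.Println("vulnerable builder, injected Bcc headers:", headerCount(msg, "Bcc"))
	if _, err := buildMessage("noreply@example.test", "user@example.test", subject, "Hello"); err != nil {
		fmt.Println("hardened builder rejected it:", err)
	}
}
```

Rejecting instead of stripping matters: a sanitizer that deletes `\r\n` silently turns an attack into a mangled but delivered message, while an error surfaces the attempt to the caller and to logging.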
### For CodeQL `js/incomplete-hostname-regexp`

- Escape the literal dots (`\.`) and anchor the pattern so it matches the whole host rather than a prefix, or replace the regex with an exact hostname comparison (parse the URL and compare its hostname with a string equality check); then rerun the CodeQL JS scan.

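What the unescaped dot and the missing anchor let through, and the two fixes, as an added example. It is written in Go to share the language of this report's other example rather than in the TypeScript of the flagged test, and it is not the project's regex; the loose pattern, the host `app.example.test` and the look-alike probes are constructed for the demonstration. The same escaping and anchoring applies unchanged to a JavaScript `RegExp`.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// looseHostRe is the flagged shape: the dots are unescaped metacharacters, so
// "." matches any single character, and nothing anchors the end of the host.
var looseHostRe = regexp.MustCompile(`^https?://app.example.test`)

// strictHostRe quotes the literal host with regexp.QuoteMeta and requires the
// host to be followed by a path, port, query, fragment or the end of the string.
var strictHostRe = regexp.MustCompile(`^https?://` + regexp.QuoteMeta("app.example.test") + `(?:[/:?#]|$)`)

func looseMatch(raw string) bool  { return looseHostRe.MatchString(raw) }
func strictMatch(raw string) bool { return strictHostRe.MatchString(raw) }

// hostEquals is the matcher to prefer: parse the URL and compare the hostname
// exactly (case-insensitively, as DNS names are), with no regex involved.
func hostEquals(raw, want string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	return strings.EqualFold(u.Hostname(), want)
}

// probes are constructed inputs: index 0 is the legitimate origin, the rest are
// look-alike hosts that an unescaped dot or a missing anchor lets through.
var probes = []string{
	"https://app.example.test/login",
	"https://appXexample.test/login",
	"https://app.example.test.attacker.test/login",
	"https://app.example.testattacker/login",
}

// accepted returns the probes a matcher lets through, for side-by-side comparison.
func accepted(match func(string) bool) []string {
	var out []string
	for _, p := range probes {
		if match(p) {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	fmt.Println("loose :", accepted(looseMatch))
	fmt.Println("strict:", accepted(strictMatch))
	fmt.Println("exact :", accepted(func(p string) bool { return hostEquals(p, "app.example.test") }))
}
```

The loose pattern accepts all four probes; the quoted-and-anchored pattern and the parsed-hostname comparison accept only the first. In a test the regex is usually asserting on a mocked request URL, so the parsed comparison is also the more readable assertion.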
### For Trivy findings

- Upgrade each impacted Go module to the version Trivy lists under “Fixed Version” (`go get module@version`), run `go mod tidy`, and confirm the resolved versions with `go list -m all`; modules marked `// indirect` in `go.mod` are bumped the same way.
- Re-run the Trivy scan after the dependency upgrades.
- If image findings remain, rebuild the image after upgrading the base image and/or applying OS package updates, then rescan the image.

## Artifacts

- Backend coverage profile: `backend/coverage.txt`
- CodeQL results: `codeql-results-go.sarif`, `codeql-results-js.sarif`, `codeql-results-javascript.sarif`
- Trivy results: `trivy-scan-output.txt`, `trivy-image-scan.txt`