akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 7 Packages Projects Releases Wiki Activity
Files
eec8c28fb3c2e8c0bc387bb3139184b8d67f1b21
Charon/docs/security/archive/2026-02-06-validation-report.md
T
akanealw eec8c28fb3
Go Benchmark / Performance Regression Check (push) Has been cancelled
Details
Cerberus Integration / Cerberus Security Stack Integration (push) Has been cancelled
Details
Upload Coverage to Codecov / Backend Codecov Upload (push) Has been cancelled
Details
Upload Coverage to Codecov / Frontend Codecov Upload (push) Has been cancelled
Details
CodeQL - Analyze / CodeQL analysis (go) (push) Has been cancelled
Details
CodeQL - Analyze / CodeQL analysis (javascript-typescript) (push) Has been cancelled
Details
CrowdSec Integration / CrowdSec Bouncer Integration (push) Has been cancelled
Details
Docker Build, Publish & Test / build-and-push (push) Has been cancelled
Details
Quality Checks / Auth Route Protection Contract (push) Has been cancelled
Details
Quality Checks / Codecov Trigger/Comment Parity Guard (push) Has been cancelled
Details
Quality Checks / Backend (Go) (push) Has been cancelled
Details
Quality Checks / Frontend (React) (push) Has been cancelled
Details
Rate Limit integration / Rate Limiting Integration (push) Has been cancelled
Details
Security Scan (PR) / Trivy Binary Scan (push) Has been cancelled
Details
Supply Chain Verification (PR) / Verify Supply Chain (push) Has been cancelled
Details
WAF integration / Coraza WAF Integration (push) Has been cancelled
Details
Docker Build, Publish & Test / Security Scan PR Image (push) Has been cancelled
Details
Repo Health Check / Repo health (push) Has been cancelled
Details
History Rewrite Dry-Run / Dry-run preview for history rewrite (push) Has been cancelled
Details
Prune Renovate Branches / prune (push) Has been cancelled
Details
Renovate / renovate (push) Has been cancelled
Details
Nightly Build & Package / sync-development-to-nightly (push) Has been cancelled
Details
Nightly Build & Package / Trigger Nightly Validation Workflows (push) Has been cancelled
Details
Nightly Build & Package / build-and-push-nightly (push) Has been cancelled
Details
Nightly Build & Package / test-nightly-image (push) Has been cancelled
Details
Nightly Build & Package / verify-nightly-supply-chain (push) Has been cancelled
Details
Update GeoLite2 Checksum / update-checksum (push) Has been cancelled
Details
Container Registry Prune / prune-ghcr (push) Has been cancelled
Details
Container Registry Prune / prune-dockerhub (push) Has been cancelled
Details
Container Registry Prune / summarize (push) Has been cancelled
Details
Supply Chain Verification / Verify SBOM (push) Has been cancelled
Details
Supply Chain Verification / Verify Release Artifacts (push) Has been cancelled
Details
Supply Chain Verification / Verify Docker Image Supply Chain (push) Has been cancelled
Details
Monitor Caddy Major Release / check-caddy-major (push) Has been cancelled
Details
Weekly Nightly to Main Promotion / Verify Nightly Branch Health (push) Has been cancelled
Details
Weekly Nightly to Main Promotion / Create Promotion PR (push) Has been cancelled
Details
Weekly Nightly to Main Promotion / Trigger Missing Required Checks (push) Has been cancelled
Details
Weekly Nightly to Main Promotion / Notify on Failure (push) Has been cancelled
Details
Weekly Nightly to Main Promotion / Workflow Summary (push) Has been cancelled
Details
Weekly Security Rebuild / Security Rebuild & Scan (push) Has been cancelled
Details
changed perms
2026-04-22 18:19:14 +00:00

69 lines
3.4 KiB
Markdown
Executable File
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Security Validation Report - Feb 2026
**Date:** 2026-02-06
**Scope:** E2E Test Validation & Container Security Scan
**Status:** 🔴 FAIL
## 1. Executive Summary
Validation of the recent security enforcement updates revealed that while the core functionality is operational (frontend and backend are responsive), there are meaningful regression failures in E2E tests, specifically related to accessibility compliance and keyboard navigation. Additionally, a potentially flaky or timeout-prone behavior was observed in the CrowdSec diagnostics suite.
## 2. E2E Test Failures
The following tests failed during the `firefox` project execution against the E2E environment (`http://127.0.0.1:8080`).
### 2.1. Accessibility Failures (Severity: Medium)
**Test:** `tests/security/crowdsec-config.spec.ts`
**Case:** `CrowdSec Configuration @security Accessibility should have accessible form controls`
**Error:**
```text
Error: expect(received).toBeTruthy()
Received: null
Location: crowdsec-config.spec.ts:296:28
```
**Analysis:** Input fields in the CrowdSec configuration form are missing accessible labels (via `aria-label`, `aria-labelledby`, or `<label for="...">`). This violates WCAG 2.1 guidelines and causes test failure.
### 2.2. Keyboard Navigation Failures (Severity: Medium)
**Test:** `tests/security/crowdsec-decisions.spec.ts`
**Case:** `CrowdSec Banned IPs Management Accessibility should be keyboard navigable`
**Error:**
```text
Error: expect(locator).toBeVisible() failed
Locator: locator(':focus')
Expected: visible
```
**Analysis:** The "Banned IPs" card or table does not properly handle initial focus or tab navigation, resulting in focus being lost or placed on a non-visible element.
### 2.3. Test Interruption / Potential Timeout (Severity: Low/Flaky)
**Test:** `tests/security/crowdsec-diagnostics.spec.ts`
**Case:** `CrowdSec Diagnostics Connectivity Checks should optionally report console reachability`
**Status:** Interrupted
**Analysis:** The test runner execution was interrupted or timed out on this specific test. Backend logs confirm the connectivity endpoint `/api/v1/admin/crowdsec/diagnostics/connectivity` responded successfully in ~166ms, suggesting the issue might be client-side (Playwright) or network race condition waiting for the next step.
## 3. Security Scan Results (Trivy)
**Image:** `charon:local` (Debian 13.3)
**Overall:** 2 HIGH, 0 CRITICAL
| Library | Vulnerability | Severity | Fixed Version | Title |
| :--- | :--- | :--- | :--- | :--- |
| `libc-bin` | CVE-2026-0861 | HIGH | *(None)* | glibc: Integer overflow in memalign |
| `libc6` | CVE-2026-0861 | HIGH | *(None)* | glibc: Integer overflow in memalign |
**Analysis:**
The vulnerabilities are detected in the base OS (`glibc`). Currently, there is no fixed version available in the upstream repositories for this Debian version. These are considered **Acceptable Risks** for the moment until upstream patches are released.
## 4. Recommendations
1. **Remediate Accessibility:** Update `CrowdSecConfig` React component to add `aria-label` to form inputs, specifically those used for configuration toggles or text fields.
2. **Fix Focus Management:** Ensure the Banned IPs table has a valid tab order and visually indicates focus.
3. **Monitor Flakiness:** Re-run diagnostics tests in isolation to confirm if the interruption is persistent.
4. **Accept Risk (OS):** Acknowledge the `glibc` vulnerabilities and schedule a base image update check in 30 days.
Reference in New Issue View Git Blame Copy Permalink