Closed Bug 1403247 Opened 7 years ago Closed 7 years ago

Fix up simple ZAP failures

Categories

(Taskcluster :: Services, enhancement)



RESOLVED FIXED

People

(Reporter: dustin, Assigned: dustin)


Details

That's tc-lib-app v1.1.0. Next steps are to upgrade services.
https://github.com/taskcluster/taskcluster-lib-app/pull/13

I pushed a secrets version that bombed out today. It *might* have failed because of this, but I don't think so -- my read of the express-sslify source is that it just didn't do anything when passed a boolean. In which case, the theory is that there was a random network error in heroku that broke the deployment, and with luck that won't recur.

dustin@jemison ~ $ curl -i https://taskcluster-secrets-staging.herokuapp.com/v1/secrets | grep Secu
Content-Security-Policy: report-uri /__cspreport__;default-src 'none';frame-ancestors 'none';

so hopefully we see that notching up in the next baseline scan. Assuming so, it's easy enough to deploy to most of the other services.
It notched down, because it's an API now :( Here are the latest failures, organized by failure with affected apps:

WARN-NEW: Strict-Transport-Security Header Not Set [10035] x 3
  schemas references public-artifacts
WARN-NEW: Incomplete or No Cache-control and Pragma HTTP Header Set [10015] x 2
  secrets tools github auth scheduler queue purge-cache provisioner notify login index hooks github ec2-manager cloud-mirror aws-provisioner docs
WARN-NEW: Cross-Domain JavaScript Source File Inclusion [10017] x 1
  login docs
WARN-NEW: Information Disclosure - Debug Error Messages [10023] x 4
  docs
WARN-NEW: Cookie Without SameSite Attribute [10054] x 4
  login
WARN-NEW: The JavaScript file 'jquery.min.js' includes a vulnerable version of the library 'jquery' [322420463] x 2
  login docs
WARN-NEW: Application Error Disclosure [90022] x 12
  docs
FAIL-NEW: X-Frame-Options Header Not Set [10020] x 3
  login docs
FAIL-NEW: X-Content-Type-Options Header Missing [10021] x 1
  secrets github auth scheduler queue purge-cache provisioner notify login index login github ec2-manager cloud-mirror aws-provisioner docs
FAIL-NEW: Content Security Policy (CSP) Header Not Set [10038] x 6
  github auth scheduler queue purge-cache provisioner notify login index login github events ec2-manager cloud-mirror aws-provisioner docs
FAIL-NEW: Strict-Transport-Security Header Not Set [10035] x 5
  secrets statsum scheduler login events docs
FAIL-NEW: Cross-Domain Misconfiguration [10098] x 2
  secrets github auth scheduler queue purge-cache provisioner notify login index login github ec2-manager cloud-mirror aws-provisioner
FAIL-NEW: Cookie No HttpOnly Flag [10010] x 2
  login
FAIL-NEW: Absence of Anti-CSRF Tokens [10202] x 6
  login docs
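The header findings above (HSTS, X-Content-Type-Options, X-Frame-Options, CSP, Cache-Control/Pragma, and the two cookie-flag rules) can be checked before a scan rather than after one. The following is an added example, not code from Taskcluster or tc-lib-app: it audits a response's headers against those ZAP rule ids and builds the header set an API-only service would send to clear them. The header values, the cookie parsing, and the decision to accept a CSP frame-ancestors directive in place of X-Frame-Options are this example's assumptions, and the two sample responses are constructed (the first modelled on the curl output above).

```javascript
// Added example, not Taskcluster or tc-lib-app code. Audits HTTP response
// headers against the ZAP rule ids listed in the bug, and produces a
// hardened header set for a JSON API. Header values are assumptions.

// Lower-case header names; Set-Cookie may appear several times, so keep a list.
function normalise(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    const key = k.toLowerCase();
    if (key === 'set-cookie') out[key] = (out[key] || []).concat(v);
    else out[key] = String(v);
  }
  return out;
}

// One Set-Cookie value -> { name, attrs: Map of lower-cased attribute -> value|true }.
function parseCookie(cookie) {
  const [nameValue, ...attrs] = cookie.split(';').map(s => s.trim());
  const flags = new Map(attrs.map(a => {
    const [k, v] = a.split('=');
    return [k.toLowerCase(), v === undefined ? true : v];
  }));
  return { name: nameValue.split('=')[0], attrs: flags };
}

// ZAP rule id -> [rule name, predicate that passes when the header is acceptable].
const HEADER_RULES = {
  10035: ['Strict-Transport-Security Header Not Set',
    h => /max-age=\d+/i.test(h['strict-transport-security'] || '')],
  10021: ['X-Content-Type-Options Header Missing',
    h => (h['x-content-type-options'] || '').toLowerCase() === 'nosniff'],
  10038: ['Content Security Policy (CSP) Header Not Set',
    h => Boolean(h['content-security-policy'])],
  // Assumption of this example: a CSP frame-ancestors directive is accepted
  // as an alternative to X-Frame-Options.
  10020: ['X-Frame-Options Header Not Set',
    h => /^(deny|sameorigin)$/i.test(h['x-frame-options'] || '') ||
         /frame-ancestors/i.test(h['content-security-policy'] || '')],
  // Requires both Cache-Control: no-store and Pragma: no-cache, per the rule name.
  10015: ['Incomplete or No Cache-control and Pragma HTTP Header Set',
    h => /\bno-store\b/i.test(h['cache-control'] || '') &&
         /\bno-cache\b/i.test(h['pragma'] || '')],
};

// Cookie rules run once per Set-Cookie value.
const COOKIE_RULES = {
  10010: ['Cookie No HttpOnly Flag', c => c.attrs.has('httponly')],
  10054: ['Cookie Without SameSite Attribute', c => c.attrs.has('samesite')],
};

// Return the sorted, de-duplicated list of failing ZAP rule ids for a response.
function auditHeaders(headers) {
  const h = normalise(headers);
  const failures = new Set();
  for (const [id, [, ok]] of Object.entries(HEADER_RULES)) {
    if (!ok(h)) failures.add(Number(id));
  }
  for (const raw of h['set-cookie'] || []) {
    const cookie = parseCookie(raw);
    for (const [id, [, ok]] of Object.entries(COOKIE_RULES)) {
      if (!ok(cookie)) failures.add(Number(id));
    }
  }
  return [...failures].sort((a, b) => a - b);
}

// Human-readable report lines for the failing rules.
function report(headers) {
  return auditHeaders(headers)
    .map(id => `${id} ${(HEADER_RULES[id] || COOKIE_RULES[id])[0]}`);
}

// Headers an API-only service would send to satisfy the rules above
// (values chosen for this example, not Taskcluster's configuration).
function apiSecurityHeaders() {
  return {
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "default-src 'none'; frame-ancestors 'none'; report-uri /__cspreport__",
    'Cache-Control': 'no-store',
    'Pragma': 'no-cache',
  };
}

// Constructed sample: an API response that only sets the CSP header.
const SAMPLE_API_RESPONSE = {
  'Content-Type': 'application/json',
  'Content-Security-Policy': "report-uri /__cspreport__;default-src 'none';frame-ancestors 'none';",
};

// Constructed sample: a login-style response whose session cookie lacks
// HttpOnly and SameSite (cookie name and value are made up).
const SAMPLE_LOGIN_RESPONSE = {
  ...apiSecurityHeaders(),
  'Set-Cookie': ['session=abc123; Path=/; Secure'],
};

console.log('api:', report(SAMPLE_API_RESPONSE));
console.log('login:', report(SAMPLE_LOGIN_RESPONSE));
console.log('hardened:', report(apiSecurityHeaders()));
```

Running the block audits the two constructed responses: the API-only sample fails 10015, 10021 and 10035 while its CSP clears 10020 and 10038, the login sample passes every header rule but fails the two cookie rules, and the hardened header set reports nothing. The same `auditHeaders` call can be pointed at the headers of a real deployment (for instance the object returned by an HTTP client) to confirm a header change landed before the next baseline scan.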
Depends on: 1404461
Depends on: 1408474
Depends on: 1408475
Depends on: 1408476
Depends on: 1408477
Depends on: 1408478
Depends on: 1412005
Depends on: 1421330
We've fixed a bunch of these -- the easier / more intelligible anyway. I'm going to call this a draw.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Component: Platform and Services → Services