Merge pull request #62 from ADORSYS-GIS/55-setup-owasp-zap-for-online…

…-banking-appe8

55 setup owasp zap for online banking appe8

.github/workflows/develop.yaml

@@ -83,3 +83,39 @@ jobs:
       - name: Run Unit and Integration Tests
         run: mvn verify -s ~/.m2/settings.xml -Dmaven.javadoc.skip=true
 
+  security-scan:
+         runs-on: ubuntu-latest
+         needs: build  # Ensures that the security scan runs only if the build job succeeds
+
+         steps:
+           # Step 1: Checkout code
+          - name: Checkout code
+            uses: actions/checkout@v4
+
+           # Step 2: Set up Java
+          - name: Set up Java 17
+            uses: actions/setup-java@v4
+            with:
+             java-version: '17'
+             distribution: 'temurin'
+
+           # Step 3: Run OWASP Dependency-Check
+          - name: Run OWASP Dependency-Check
+            uses: dependency-check/Dependency-Check_Action@main
+            env:
+           # actions/setup-java@v1 changes JAVA_HOME so it needs to be reset to match the depcheck image
+              JAVA_HOME: /opt/jdk
+            with:
+             project: 'webank-onlinebanking'
+             path: '.'
+             format: 'HTML'
+             out: 'reports'  
+             args: >
+              --failOnCVSS 5
+            # Step 4: Upload the Dependency-Check report as an artifact
+          - name: Upload Dependency Check report
+            uses: actions/upload-artifact@v3
+            with:
+              name: Dependency-Check Report
+              path: ${{ github.workspace }}/reports
+

Docs/OWASP-SETUP.md

@@ -0,0 +1,91 @@
+# OWASP Dependency-Check Integration in Multi-Module Maven Project
+
+## Overview
+
+This document provides the configuration and setup details for integrating **OWASP Dependency-Check** into a multi-module Maven project. The goal is to ensure that **all modules** within the project are properly scanned for vulnerabilities in their dependencies.
+
+## Prerequisites
+
+- Maven 3.x or higher
+- OWASP Dependency-Check plugin (version `11.1.0` or newer)
+- A multi-module Maven project setup
+
+## Project Structure
+
+The project has the following directory structure:
+
+root-pom.xml  
+├── obs  
+│ └── pom.xml  
+├── online-banking-app  
+│ └── pom.xml  
+└── target
+
+### Root `pom.xml`
+
+The parent POM (`root-pom.xml`) contains the common configurations and plugin definitions shared by all modules in the project. The OWASP Dependency-Check plugin is configured in this POM so that it can be inherited by child modules.
+
+## OWASP Dependency-Check Plugin Configuration
+
+### Parent `pom.xml` (root-pom.xml)
+
+In the root `pom.xml`, define the OWASP Dependency-Check plugin in the `<build>` section to ensure it is inherited by all child modules:
+
+```xml
+<build>
+    <plugins>
+        <!-- OWASP Dependency-Check Plugin -->
+        <plugin>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-maven</artifactId>
+            <version>${owasp.dependency.check.version}</version>
+            <executions>
+                <execution>
+                    <goals>
+                        <goal>check</goal>
+                        <goal>update-only</goal>
+                    </goals>
+                </execution>
+            </executions>
+            <configuration>
+                <aggregate>true</aggregate>
+                <failBuildOnCVSS>0</failBuildOnCVSS>
+            </configuration>
+        </plugin>
+    </plugins>
+</build>
+```
+
+### Running the Plugin
+Once the OWASP Dependency-Check plugin is configured in the root POM, you can run the checks for all modules by executing the following Maven command from the root of the project:
+```mvn clean install``` or ```mvn dependency-check:check```
+
+### Viewing the Report
+
+After the build completes, the Dependency-Check plugin will generate a detailed report of any vulnerabilities found in the dependencies. The report will be saved in the following directory:
+```target/dependency-check-report``` of each project module
+
+### Troubleshooting
+
+**If you encounter issues where the modules are not being scanned:**
+
+1. Check that the child modules inherit the parent POM correctly.
+
+2. Ensure that the dependency-check-maven plugin version is correct 
+(version **11.1.0** in our case case).
+
+3. Verify that the executions block is correctly set up in the root POM.
+
+4. Ensure there are no exclusions or misconfigurations that could prevent the scan from running on a module.
+
+
+### Regular Database Updates
+It is important to keep the OWASP Dependency-Check database up to date. You can configure periodic updates for the vulnerability database using the **update-only** goal:
+
+```mvn dependency-check:update-only```
+
+This command will only update the vulnerability database, ensuring you are scanning with the latest data.
+
+### Conclusion
+
+With this setup, the OWASP Dependency-Check plugin will automatically scan all modules in the multi-module Maven project for known security vulnerabilities in their dependencies. This helps ensure that the project remains secure and that any vulnerabilities are identified early.

obs/obs-rest-server/pom.xml → obs/obs-rest/pom.xml

@@ -14,7 +14,7 @@
         <version>0.1-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
-    <artifactId>obs-rest-server</artifactId>
+    <artifactId>obs-rest</artifactId>
 
     <properties>
         <maven.compiler.source>17</maven.compiler.source>

obs/pom.xml

@@ -15,7 +15,7 @@
 
     <modules>
         <module>obs-rest-api</module>
-        <module>obs-rest-server</module>
+        <module>obs-rest</module>
         <module>obs-service-api</module>
         <module>obs-service-impl</module>
     </modules>

online-banking-app/pom.xml

@@ -39,7 +39,7 @@
 
 		<dependency>
 			<groupId>com.adorsys.webank</groupId>
-			<artifactId>obs-rest-server</artifactId>
+			<artifactId>obs-rest</artifactId>
 			<version>${project.version}</version>
 		</dependency>
 
@@ -70,6 +70,7 @@
 			<groupId>com.h2database</groupId>
 			<artifactId>h2</artifactId>
 		</dependency>
+
 		<dependency>
 			<groupId>org.projectlombok</groupId>
 			<artifactId>lombok</artifactId>

pom.xml

@@ -37,9 +37,10 @@
         <maven-source-plugin.version>3.0.1</maven-source-plugin.version>
         <maven-gpg-plugin.version>3.0.1</maven-gpg-plugin.version>
         <maven-pmd-plugin.version>3.21.0</maven-pmd-plugin.version>
+        <owasp.dependency.check.version>11.1.0</owasp.dependency.check.version>
 
         <!-- Spring-related versions -->
-        <spring-boot-dependencies.version>3.2.7</spring-boot-dependencies.version>
+        <spring-boot-dependencies.version>3.3.5</spring-boot-dependencies.version>
         <spring-cloud-starter-openfeign.version>4.1.0</spring-cloud-starter-openfeign.version>
         <spring-security.version>6.1.9</spring-security.version>
         <spring-plugin.version>3.0.0</spring-plugin.version>
@@ -48,7 +49,8 @@
         <!-- Other versions -->
         <springdoc-openapi-ui.version>2.3.0</springdoc-openapi-ui.version>
         <commons-collections4.version>4.3</commons-collections4.version>
-        <commons-io.version>2.14.0</commons-io.version>
+        <commons-io.version>2.17.0</commons-io.version>
+
         <jetbrains.annotations.version>15.0</jetbrains.annotations.version>
         <dbunit.version>2.6.0</dbunit.version>
         <keycloak.version>24.0.5</keycloak.version>
@@ -247,13 +249,13 @@
             <dependency>
                 <groupId>org.springdoc</groupId>
                 <artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
-                <version>2.1.0</version>
+                <version>2.6.0</version>
             </dependency>
 
             <dependency>
                 <groupId>io.swagger.core.v3</groupId>
                 <artifactId>swagger-annotations-jakarta</artifactId>
-                <version>2.2.22</version>
+                <version>2.2.25</version>
                 <scope>compile</scope>
             </dependency>
 
@@ -403,7 +405,43 @@
                 <scope>test</scope>
             </dependency>
 
+             <!-- transitive dependencies -->
+
+              <!-- Bouncy Castle -->
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcprov-jdk18on</artifactId>
+            <version>1.79</version> 
+        </dependency>
+
+        <!-- XMLUnit -->
+        <dependency>
+            <groupId>org.xmlunit</groupId>
+            <artifactId>xmlunit-core</artifactId>
+            <version>2.10.0</version> 
+        </dependency>
+
         </dependencies>
     </dependencyManagement>
 
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <version>${owasp.dependency.check.version}</version>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>check</goal>
+                        </goals>
+                    </execution>
+                </executions>
+                <configuration>
+                    <failOnCVSS>5</failOnCVSS>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
 </project>