25 lines
1.5 KiB
Markdown
25 lines
1.5 KiB
Markdown
# Questions
|
|
|
|
## Part 3
|
|
|
|
- **Q3.1**: Setup your CI/CD pipeline with an additional SAST solution. I propose that you use `semgrep` for this task. Get your inspiration here: https://semgrep.dev/for/gitlab and https://docs.gitlab.com/ee/user/application_security/sast/
|
|
- **Q3.2**: Describe the found problems (alerts) in the `calculator app` (in the original code, git tag `v3.0`)
|
|
- **Q3.3**: Install DAST OWASP ZAP on your host or in a Docker. Play with OWASP ZAP, analyze the calculator code
|
|
- **Q3.4**: Implement a DAST solution in your pipeline. Get some inspiration here https://docs.gitlab.com/ee/user/application_security/dast/ . Describe what you have integrated in your pipeline. *Note: you must ensure that your application is running while you are testing!*
|
|
- **Q3.5 (optional)**: Normally, the provided code has some bugs, which are discovered by SAST solution. Describe the found bugs (in the original code, git tag `v3.0`) and provide solution to remediate the problems. Indicate which commit/tag contains the corrected code
|
|
- **Q3.6 (optional)**: Describe the found bugs (in the original code, git tag `v3.0`) with DAST and provide solution to remediate the problems. Indicate which commit/tag contains the corrected code. Do corrections only in the provided code (no libraries)
|
|
|
|
|
|
# Answers - Part 3
|
|
|
|
## Q3.2
|
|
|
|
For some reasons, semgrep works locally, but not on GitLab. Here is the report when runned locally.
|
|
|
|
|
|
|
|
## Q3.3
|
|
|
|
After performing a scan, we can see a few alerts as seen on this screenshot :
|
|
|
|
 |