As ACF tech lead, I need the nightly-owasp-scan CircleCI workflow to run successfully and exclude non-TDP URLs in scan report #1534
Comments
Ticket needs to be refined further before being picked up. @ADPennington will continue to monitor. If the success rate falls further (50% or below), she will make a note and will bring the issue back up in a future backlog refinement.
It's been a tough week for OWASP. This is just an update for awareness. Realizing that we didn't decide on the baseline for the success rate monitoring: 90 days feels a bit long, I recommend 30 days (we're still above the threshold), since we provide monthly updates to OCIO. cc: @valcollignon @lfrohlich @abottoms-coder
@ADPennington 30 days makes sense to me. Thanks for continuing to monitor.
2/14 Update: Backend scan step continues to fail. We've now had 9 consecutive days of OWASP job failure (see below) and will soon reach the 50% threshold. cc: @abottoms-coder @lfrohlich @valcollignon I've been investigating how long it takes for the ZAP results to be produced, since the default timeout in CI is 10 min. Some notes:
2/15 Update:
2/28 update: Currently testing on
Will monitor results for the next couple of days.
3/2 Update:
cc: @abottoms-coder @lfrohlich
3/3 Update:
Demoed by @abottoms-coder on 3/15/2022
Context:
The nightly OWASP scans have been timing out more frequently at the backend scan step. As a reminder, we run these security vulnerability scans and store them in the staging backend (for now) to meet ACF OCIO compliance standards (ref).
See screenshot of workflow 30-day success rate as of 2/15 below:
![1534_216](https://user-images.githubusercontent.com/63075587/154284503-4a72473d-220b-43c6-b9ef-f1308d3401a6.PNG)
The error message in the job is: `Too long with no output (exceeded 10m0s): context deadline exceeded`. According to CircleCI documentation, 10 minutes is the default timeout setting, and it offers some suggestions for resolving this, including increasing the timeout. After some investigation noted in the 2/14 and 2/15 comments below, we decided that we need to increase the timeout and also prevent the non-TDP URLs from being scanned for security vulnerabilities, which appears to be the root cause of the timeout.
ACs:
Tasks:
qasp review
Supporting Documentation:
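To make the URL-exclusion part of that decision concrete, here is an added example, not code from the TDP project, that post-filters a ZAP JSON report so only alerts whose instances hit the application's own hosts remain. The host names are placeholders, and the report layout (`site[].alerts[].instances[].uri`) is assumed from ZAP's JSON report format.

```python
import json
from urllib.parse import urlsplit

# Hosts that belong to the application under test. Assumed placeholders;
# the real TDP host names are not part of this example.
TDP_HOSTS = {"tdp-backend.example.test", "tdp-frontend.example.test"}

# Constructed sample in the shape of a ZAP JSON report (site -> alerts -> instances).
SAMPLE_REPORT = json.dumps({"site": [{
    "@name": "https://tdp-backend.example.test",
    "alerts": [
        {"name": "X-Content-Type-Options Header Missing", "riskcode": "1",
         "instances": [
             {"uri": "https://tdp-backend.example.test/v1/login/", "method": "GET"},
             {"uri": "https://fonts.googleapis.com/css", "method": "GET"},  # third party
         ]},
        {"name": "Cross-Domain Misconfiguration", "riskcode": "2",
         "instances": [
             {"uri": "https://cdn.example.org/lib.js", "method": "GET"},  # third party
         ]},
    ],
}]})


def is_tdp_url(uri, allowed_hosts=TDP_HOSTS):
    """True when the URL's host is one we own; anything else is out of scope."""
    host = urlsplit(uri).hostname
    return host is not None and host.lower() in allowed_hosts


def filter_report(report_json, allowed_hosts=TDP_HOSTS):
    """Return (filtered_report, dropped_instance_count): instances on foreign
    hosts are removed and alerts left with no instances are dropped entirely."""
    report = json.loads(report_json)
    dropped = 0
    for site in report.get("site", []):
        kept_alerts = []
        for alert in site.get("alerts", []):
            instances = alert.get("instances", [])
            in_scope = [i for i in instances if is_tdp_url(i.get("uri", ""), allowed_hosts)]
            dropped += len(instances) - len(in_scope)
            if in_scope:  # keep the alert only if something in scope triggered it
                alert["instances"] = in_scope
                alert["count"] = str(len(in_scope))
                kept_alerts.append(alert)
        site["alerts"] = kept_alerts
    return report, dropped


if __name__ == "__main__":
    filtered, dropped = filter_report(SAMPLE_REPORT)
    print(f"dropped {dropped} out-of-scope instance(s); {len(filtered['site'][0]['alerts'])} alert(s) remain")
```

Filtering the report after the fact only cleans up what is stored for compliance; keeping the spider and active scan confined to the application's own hosts is what actually shortens the job and addresses the timeout.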