AMP-31140 : Actions before TruBudget AUdit

.github/workflows/security.yml

@@ -0,0 +1,283 @@
+name: Security Scan
+
+on:
+  push:
+    # Scan the default branch directly on merge; feature branches are covered
+    # by the pull_request trigger below, avoiding duplicate runs.
+    branches:
+      - develop
+      - main
+  pull_request:
+    branches: [ "**" ]
+  schedule:
+    # Re-scan every Monday at 06:00 UTC to catch newly published CVEs.
+    # Runs on the default branch; push/PR triggers cover all other branches.
+    - cron: '0 6 * * 1'
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: 'PR number to scan (optional — leave blank to scan the branch selected above)'
+        required: false
+        type: string
+        default: ''
+
+permissions:
+  contents: read
+
+jobs:
+  # -----------------------------------------------------------------------
+  # Resolve the exact commit to scan.
+  # - Automatic triggers (push / PR / schedule): use the triggering SHA.
+  # - Manual (workflow_dispatch, no pr_number): use the branch selected in
+  #   the "Run workflow" UI — GitHub checks out that branch automatically.
+  # - Manual (workflow_dispatch + pr_number): fetch the PR head SHA via API.
+  # -----------------------------------------------------------------------
+  setup:
+    name: Resolve target ref
+    runs-on: ubuntu-latest
+    outputs:
+      ref: ${{ steps.resolve.outputs.ref }}
+    steps:
+      - name: Resolve checkout ref
+        id: resolve
+        run: |
+          PR="${{ inputs.pr_number }}"
+          if [ -n "$PR" ]; then
+            if ! [[ "$PR" =~ ^[0-9]+$ ]]; then
+              echo "::error::pr_number must be numeric, got: ${PR}"
+              exit 1
+            fi
+            DATA=$(curl -sf \
+              -H "Authorization: Bearer ${{ github.token }}" \
+              "https://api.github.com/repos/${{ github.repository }}/pulls/${PR}")
+            STATE=$(echo "$DATA" | jq -r '.state')
+            if [ "$STATE" != "open" ]; then
+              echo "::error::PR #${PR} is not open (state: ${STATE})"
+              exit 1
+            fi
+            HEAD_REF=$(echo "$DATA" | jq -r '.head.ref')
+            HEAD_SHA=$(echo "$DATA" | jq -r '.head.sha')
+            echo "Scanning PR #${PR}: branch=${HEAD_REF} sha=${HEAD_SHA}"
+            echo "ref=${HEAD_SHA}" >> $GITHUB_OUTPUT
+          else
+            echo "ref=${{ github.sha }}" >> $GITHUB_OUTPUT
+          fi
+
+  # -----------------------------------------------------------------------
+  # Job 1: OWASP Dependency-Check (Java / Maven artifacts)
+  # Uses the official GHA action which downloads a pre-built NVD snapshot,
+  # avoiding the raw NVD API stream that causes 524 timeouts in CI.
+  # -----------------------------------------------------------------------
+  owasp-maven:
+    name: OWASP Dependency-Check (Maven)
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    needs: setup
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.setup.outputs.ref }}
+
+      - name: Create report output directory
+        run: mkdir -p amp/target/dependency-check-report
+
+      - name: Run OWASP Dependency-Check
+        uses: dependency-check/Dependency-Check_Action@main
+        id: owasp
+        continue-on-error: true
+        with:
+          project: 'amp'
+          # Scan the Maven module directory; the action resolves dependencies from pom.xml
+          path: 'amp'
+          format: 'ALL'
+          out: 'amp/target/dependency-check-report'
+          args: >
+            --nvdApiKey ${{ secrets.NVD_API_KEY }}
+            --nvdApiDelay 10000
+            --failOnCVSS 7
+            --suppression /github/workspace/security/owasp-suppressions.xml
+            --scan /github/workspace/amp/ckeditor_4.4.6
+            --disableNodeAudit
+            --enableExperimental
+
+      - name: Upload HTML report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: owasp-dependency-check-report
+          path: amp/target/dependency-check-report/
+          retention-days: 30
+          if-no-files-found: warn
+
+      - name: Show report directory (debug)
+        if: always()
+        run: |
+          echo "=== Dependency-Check output ==="
+          find . -path "*/dependency-check*" -print 2>/dev/null || true
+
+      - name: Fail if OWASP found CVEs
+        if: steps.owasp.outcome == 'failure'
+        run: exit 1
+
+  # -----------------------------------------------------------------------
+  # Job 2: npm audit — all frontend packages
+  # -----------------------------------------------------------------------
+  npm-audit:
+    name: npm audit (Frontend)
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    needs: setup
+
+    strategy:
+      fail-fast: false
+      matrix:
+        package:
+          - path: amp/TEMPLATE/reamp
+            name: reamp
+          - path: amp/TEMPLATE/ampTemplate/amp-state
+            name: amp-state
+          - path: amp/TEMPLATE/ampTemplate/amp-boilerplate
+            name: amp-boilerplate
+          - path: amp/TEMPLATE/ampTemplate/amp-filter
+            name: amp-filter
+          - path: amp/TEMPLATE/ampTemplate/amp-translate
+            name: amp-translate
+          - path: amp/TEMPLATE/ampTemplate/amp-url
+            name: amp-url
+          - path: amp/TEMPLATE/ampTemplate/amp-settings
+            name: amp-settings
+          - path: amp/TEMPLATE/ampTemplate/gis-layers-manager
+            name: gis-layers-manager
+          - path: amp/TEMPLATE/ampTemplate/dashboard/dev
+            name: dashboard
+          - path: amp/TEMPLATE/ampTemplate/gisModule/dev
+            name: gisModule
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.setup.outputs.ref }}
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '16'
+
+      - name: npm install (no scripts)
+        working-directory: ${{ matrix.package.path }}
+        run: npm install --ignore-scripts --prefer-offline 2>&1 || true
+
+      - name: Install npm-audit-html
+        run: npm install -g npm-audit-html --prefer-offline 2>&1 || true
+
+      - name: npm audit
+        id: audit
+        working-directory: ${{ matrix.package.path }}
+        # Continue so all packages are scanned; the summary step decides outcome
+        continue-on-error: true
+        run: |
+          npm audit \
+            --audit-level high \
+            --json \
+            > /tmp/${{ matrix.package.name }}-audit.json 2>&1
+
+      - name: Print audit summary
+        if: always()
+        working-directory: ${{ matrix.package.path }}
+        run: |
+          FILE="/tmp/${{ matrix.package.name }}-audit.json"
+          if command -v jq &>/dev/null && [ -f "$FILE" ]; then
+            echo "### ${{ matrix.package.name }} vulnerability counts"
+            jq '{
+              critical: (.metadata.vulnerabilities.critical // 0),
+              high:     (.metadata.vulnerabilities.high     // 0),
+              moderate: (.metadata.vulnerabilities.moderate // 0),
+              low:      (.metadata.vulnerabilities.low      // 0)
+            }' "$FILE"
+          fi
+
+      - name: Generate HTML report
+        if: always()
+        run: |
+          FILE="/tmp/${{ matrix.package.name }}-audit.json"
+          if [ -f "$FILE" ]; then
+            npm-audit-html --input "$FILE" --output "/tmp/${{ matrix.package.name }}-audit.html" 2>/dev/null || true
+          fi
+
+      - name: Upload audit report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: npm-audit-${{ matrix.package.name }}
+          path: |
+            /tmp/${{ matrix.package.name }}-audit.html
+            /tmp/${{ matrix.package.name }}-audit.json
+          retention-days: 30
+
+      - name: Fail on HIGH or CRITICAL findings
+        working-directory: ${{ matrix.package.path }}
+        run: |
+          FILE="/tmp/${{ matrix.package.name }}-audit.json"
+          if [ ! -f "$FILE" ]; then exit 0; fi
+          HIGH=$(jq '.metadata.vulnerabilities.high // 0' "$FILE")
+          CRIT=$(jq '.metadata.vulnerabilities.critical // 0' "$FILE")
+          TOTAL=$(( HIGH + CRIT ))
+          if [ "$TOTAL" -gt 0 ]; then
+            echo "::error::${{ matrix.package.name }}: ${CRIT} critical + ${HIGH} high vulnerabilities found. Run 'npm audit' in ${{ matrix.package.path }} for details."
+            exit 1
+          fi
+
+  # -----------------------------------------------------------------------
+  # Job 3: Trivy — container image CVE scan (runs on push to main / PRs)
+  # Catches OS-level CVEs that OWASP cannot see (e.g. base image packages)
+  # -----------------------------------------------------------------------
+  trivy-image:
+    name: Trivy (Container Image)
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    needs: setup
+    # Only scan the image on pushes to main/master or on PRs targeting them,
+    # to avoid redundant scans on every feature branch push.
+    if: |
+      github.event_name == 'pull_request' ||
+      github.ref == 'refs/heads/main' ||
+      github.ref == 'refs/heads/master' ||
+      github.event_name == 'schedule' ||
+      github.event_name == 'workflow_dispatch'
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.setup.outputs.ref }}
+
+      - name: Build Docker image (no push)
+        working-directory: amp
+        run: |
+          docker build \
+            --build-arg BUILD_SOURCE=security-scan \
+            --build-arg AMP_URL=http://localhost/ \
+            -t amp-security-scan:${{ github.sha }} \
+            . || echo "::warning::Docker build failed; skipping Trivy image scan"
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@v0.36.0
+        with:
+          image-ref: 'amp-security-scan:${{ github.sha }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'HIGH,CRITICAL'
+          exit-code: '1'
+          ignore-unfixed: true
+        continue-on-error: true
+
+      - name: Upload Trivy SARIF artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-sarif
+          path: trivy-results.sarif
+          retention-days: 30

.gitignore

@@ -66,3 +66,6 @@ amp/src/main/java/org/digijava/module/xmlpatcher/jaxb/ConditionType.java
 amp/src/main/java/org/digijava/module/xmlpatcher/jaxb/package-info.java
 amp/src/main/java/org/digijava/module/xmlpatcher/jaxb/ConditionParam.java
 amp/src/main/java/org/digijava/module/help/jaxbi/AmpHelpType.java
+
+# ISO 27001 evidence CSVs and raw DB exports — contain personal data, never commit
+audit-evidence/evidence/

amp/TEMPLATE/ampTemplate/amp-boilerplate/package.json

@@ -54,5 +54,12 @@
   },
   "dependencies": {
     "amp-translate": "^0.0.1"
+  },
+  "overrides": {
+    "minimist": ">=1.2.6",
+    "shell-quote": ">=1.7.4",
+    "braces": ">=3.0.3",
+    "browserify-sign": ">=4.2.2",
+    "semver": ">=7.5.2"
   }
 }

amp/TEMPLATE/ampTemplate/amp-filter/package.json

@@ -52,5 +52,12 @@
   ],
   "dependencies": {
     "amp-translate": "^0.0.1"
+  },
+  "overrides": {
+    "minimist": ">=1.2.6",
+    "shell-quote": ">=1.7.4",
+    "braces": ">=3.0.3",
+    "browserify-sign": ">=4.2.2",
+    "semver": ">=7.5.2"
   }
 }

amp/TEMPLATE/ampTemplate/amp-settings/package.json

@@ -58,5 +58,12 @@
   },
   "dependencies": {
     "amp-translate": "https://github.com/devgateway/amp-translate.git"
+  },
+  "overrides": {
+    "minimist": ">=1.2.6",
+    "shell-quote": ">=1.7.4",
+    "braces": ">=3.0.3",
+    "browserify-sign": ">=4.2.2",
+    "semver": ">=7.5.2"
   }
 }

amp/TEMPLATE/ampTemplate/amp-translate/package.json

@@ -20,5 +20,12 @@
   },
   "devDependencies": {
     "brfs": "1.2.0"
+  },
+  "overrides": {
+    "minimist": ">=1.2.6",
+    "shell-quote": ">=1.7.4",
+    "braces": ">=3.0.3",
+    "browserify-sign": ">=4.2.2",
+    "semver": ">=7.5.2"
   }
 }

amp/TEMPLATE/reampv2/package.json

@@ -23,5 +23,13 @@
     "fs": "^0.0.1-security",
     "jquery-ui": "^1.10.5",
     "use-sync-external-store": "^1.2.0"
+  },
+  "overrides": {
+    "minimist": ">=1.2.6",
+    "lodash": ">=4.17.21",
+    "shell-quote": ">=1.7.4",
+    "braces": ">=3.0.3",
+    "semver": ">=7.5.2",
+    "browserify-sign": ">=4.2.2"
   }
 }

amp/context.xml

@@ -4,7 +4,11 @@
 allowLinking="true" antiJARLocking="" antiResourceLocking="" clearReferencesStopTimerThreads="true"
 clearReferencesThreadLocals="true" jndiExceptionOnFailedWrite="false" processTlds="false">
   <Environment name="hostname" value="" type="java.lang.String"/> 
-
+
+  <!-- SameSite=Lax: browser will not send the session cookie on cross-site
+       POST/PUT/DELETE requests, providing CSRF protection for all endpoints
+       including /rest/** without requiring any token in requests. -->
+  <CookieProcessor sameSiteCookies="lax" />
   <!-- PostgreSQL connection -->
   <Resource factory="org.apache.tomcat.jdbc.pool.DataSourceFactory" 
   	defaultTransactionIsolation="READ_COMMITTED"