Deltares · ekkelenkamp · Aug 14, 2023
diff --git a/tests/docker/zap/README.md b/tests/docker/zap/README.md
@@ -1,29 +1,11 @@
-# Configure the web service to be used by the web oc. On teamcity we do something similar like this:
+# nginx.conf
 
-cat > tests/docker/zap/weboc-nginx/app-config.json <<EOL
-{
-"VUE_APP_FEWS_WEBSERVICES_URL": "my webservice url",
-"VUE_APP_MAPBOX_TOKEN": "my token"
-}
-EOL
+The zap scanner run using NGINX. Specific security headers are added to the config to make the Web OC mostly compliant.
+In some cases the ZAP tool will report a warning that cannot be prevented. The following is a list of warnings and the reason they cannot be prevented:
 
-# Copy the latest weboc build to the ngnix build directory and build the nginx image with the weboc (we may also use a volume mount instead).
+-   CSP: style-src unsafe-inline: The web framework used by the Web OC (Vue JS) is using inline css.
+-   Sub Resource Integrity Attribute Missing: Not supported by the googles fonts css: <link rel="stylesheet" href="https://fonts.googleapis.com/css. See also: https://github.com/google/fonts/issues/473
+  - Timestamp Disclosure - Unix. False positive on: /js/chunk-vendors.ce1436d0.js
 
-docker compose --project-directory . build
-
-# Create a network to allow the zap scanner to connect to the weboc container.
-docker network create zapnet
-# Run the weboc detached.
-docker run -d --net zapnet --name weboc-nginx -t deltares/delft-fews/weboc-nginx:latest
-# Run the scanner until completion.
-docker run --name weboc-zap --net zapnet -v c:/temp/zap:/zap/wrk/:rw -t owasp/zap2docker-stable zap-full-scan.py -t http://weboc-nginx -g gen.conf -r report.html -x report.xml -J report.json
-
-# When doen, the report is in the zap directory
-
-docker stop weboc-zap
-docker rm weboc-zap
-docker stop weboc-nginx
-docker rm weboc-nginx
-docker image rm  deltares/delft-fews/weboc-nginx
-
-# After zap has generated the report.xml the zap2junit.xsl transformation will create a junit compliant version from it.
+# After zap has generated the report.xml the zap2junit.xsl transformation can be used to create a junit compliant version from it.
+# This can be used by teamcity to generate a test report.
diff --git a/tests/docker/zap/docker-compose.yaml b/tests/docker/zap/docker-compose.yaml
@@ -1,22 +1,22 @@
 version: '3'
-
+# De weboc is expected to be in de weboc folder.
+# The nginx.con file adds security related headers.
+# On windows the volume mounts need to be absolute paths. PWD is not working.
 services:
   # https://cli.vuejs.org/guide/deployment.html#docker-nginx
   nginx-weboc:
-    container_name: weboc-nginx
-    build:
-      context: weboc-nginx
-      dockerfile: Dockerfile
-    image: deltares/delft-fews/weboc-nginx:latest
+    container_name: nginx-weboc
+    image: nginx:latest
+    volumes:
+      - ${PWD}/weboc:/app:rw
+      - ${PWD}/nginx.conf:/etc/nginx/nginx.conf
     restart: always
     ports:
       - "80:80"
 
   zap:
     container_name: zap
     image: owasp/zap2docker-stable
-    command: "zap-full-scan.py -t http://weboc-nginx -g gen.conf -r report.html -x report.xml -J report.json"
+    command: "zap-full-scan.py -t http://nginx-weboc -j -g gen.conf -r report.html -x report.xml -J report.json"
     volumes:
-      - d:/temp/zap/report:/zap/wrk/:rw
-
-
+      - /tmp/zap/report:/zap/wrk/:rw
diff --git a/tests/docker/zap/nginx.conf b/tests/docker/zap/nginx.conf
@@ -0,0 +1,34 @@
+worker_processes 4;
+
+events { worker_connections 1024; }
+
+http {
+    server {
+        listen 80;
+        root  /app;
+        include /etc/nginx/mime.types;
+        server_tokens off;
+
+#       Avoid false positive Cloud Metadata Potentially Exposed
+        location /latest/meta-data {
+           deny all;
+           return 403;
+        }
+
+        location / {
+            add_header Cache-Control "public";
+            add_header X-Frame-Options "SAMEORIGIN";
+            add_header X-XSS-Protection "1; mode=block";
+            add_header Referrer-Policy "no-referrer-when-downgrade";
+            add_header Permissions-Policy "fullscreen=(self)";
+            add_header X-Content-Type-Options nosniff;
+            add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+
+#           unsafe-inline cannot be avoided for Vuejs applications.
+#           Sub Resource Integrity Attribute Missing. Google fonts doesn't support this: https://github.com/google/fonts/issues/473
+            add_header Content-Security-Policy "default-src 'self' blob: https://api.mapbox.com https://events.mapbox.com https://basemaps.cartocdn.com https://tiles-a.basemaps.cartocdn.com https://tiles-b.basemaps.cartocdn.com https://tiles-c.basemaps.cartocdn.com https://tiles-d.basemaps.cartocdn.com https://rwsos-dataservices-ont.avi.deltares.nl https://tiles.basemaps.cartocdn.com; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data:;";
+
+            try_files $uri /index.html =404;
+        }
+    }
+}
diff --git a/tests/docker/zap/weboc-nginx/Dockerfile b/tests/docker/zap/weboc-nginx/Dockerfile
diff --git a/tests/docker/zap/weboc-nginx/nginx.conf b/tests/docker/zap/weboc-nginx/nginx.conf
diff --git a/tests/docker/zap/zap2junit.xsl b/tests/docker/zap/zap2junit.xsl
@@ -2,8 +2,8 @@
 <xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 	<xsl:output method="xml" indent="yes"/>
 
-	<!-- When set to 0, informational risks are skipped.	-->
-	<xsl:variable name="riskCodeLimit" select="0"/>
+	<!-- When set to 1, minor risks are skipped.-->
+	<xsl:variable name="riskCodeLimit" select="1"/>
 
 	<xsl:param name="sourceFolder"/>