Over the past few weeks, I was trying to find a way of automating tests for Cross-Site Scripting attacks using RefApp 2.x. Because the system has very many input fields, it was really tiresome to manually search for XSS and then create automation scripts following an E2E-based workflow for each and every input in the system. Honestly speaking, it might take a good few weeks to manually check all input fields and write Selenium scripts to automatically test each input element. Though manually checking for XSS is the most effective option, for a big system like OMRS it feels like a duplication of effort.
QA tools with security automation.
Since ZAP exposes its API for use, we would just create one Selenium script that passes data to ZAP for security scanning. ZAP results can then be used by the security team. This approach indirectly gives the QA team the security scanning role.
SonarQube: This tool provides code analysis features and code security functions. OpenMRS has implemented SonarQube in the openmrs-core module. However, it is always failing.
- The SonarQube version used in OpenMRS is 6.7, which is far outdated compared to 9.1 (the latest).
- SonarQube 9.1 requires Java 11, which is supported through the Upgrade Platform core libraries 2020 GSoC project.
- There is a need for us to redesign the sonar-rules so that we can eliminate most false positives, so that if Sonar fails, it is worth checking.
- We need to first update the OpenMRS SonarQube version before any attempt to set up Sonar to run against openmrs-core PRs.
- SonarQube has had the ability to test for XSS since version 8.4, but I am not sure if the Community Edition offers such services/rules.
I found out all this from the meeting with @elder16 and discussions with @isears and @sharif. As far as I know, if our goal is automating XSS tests, ZAP is more of a bomb; however, since SonarQube provides code analysis features, I think it would be the best option.
Questions and resolutions
- Is there any other tool that simplifies security automations?
- Who is the best person to reach out to on issues concerning OpenMRS’ Sonar?
- Do you have any opinion, suggestion, recommendation?
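As an added illustration of the Selenium-to-ZAP hand-off described above (this is example code, not from the original post or from OpenMRS/ZAP), here is a small Python helper that (a) produces the Chrome flags that route a Selenium-driven browser through ZAP's proxy so the E2E run populates ZAP's site tree, (b) wraps the ZAP JSON API calls needed to start an active scan, poll it and pull alerts, and (c) reduces the alert list to a per-risk count plus the XSS findings for the security team. It assumes ZAP listens on 127.0.0.1:8080 with an API key, and uses a hypothetical app URL http://localhost:8081/openmrs; the alert list in the block is a constructed sample shaped like ZAP's `core/view/alerts` output, and the `fetch` parameter lets the client be exercised without a running ZAP.

```python
"""Hand traffic from a Selenium run to OWASP ZAP and pull the alerts back.

Assumptions (not from the original post): ZAP runs locally on 127.0.0.1:8080
with an API key, and the application under test is reachable at the
hypothetical URL http://localhost:8081/openmrs. The endpoints used here
(/JSON/<component>/<view|action>/<name>/) follow ZAP's REST API layout.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_HOST = "127.0.0.1"
ZAP_PORT = 8080
ZAP_API_KEY = "changeme"   # placeholder: use the key ZAP was started with
TARGET = "http://localhost:8081/openmrs"   # hypothetical app under test


def chrome_proxy_args(host=ZAP_HOST, port=ZAP_PORT):
    """Chrome flags that send every request the Selenium browser makes through
    ZAP, so the E2E workflow itself seeds ZAP's site tree with real inputs."""
    return [f"--proxy-server=http://{host}:{port}",
            "--ignore-certificate-errors"]   # ZAP's MITM certificate is untrusted by default


class ZapClient:
    """Minimal ZAP JSON API client; `fetch` is injectable for offline use."""

    def __init__(self, host=ZAP_HOST, port=ZAP_PORT, api_key=ZAP_API_KEY, fetch=None):
        self.base = f"http://{host}:{port}"
        self.api_key = api_key
        self.fetch = fetch or self._http_get

    @staticmethod
    def _http_get(url):
        with urllib.request.urlopen(url, timeout=30) as resp:
            return json.load(resp)

    def url_for(self, component, kind, name, **params):
        params["apikey"] = self.api_key
        return f"{self.base}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)

    def call(self, component, kind, name, **params):
        return self.fetch(self.url_for(component, kind, name, **params))

    def active_scan(self, target):
        # Starts an active scan over the URLs ZAP already saw via the proxy.
        return self.call("ascan", "action", "scan", url=target)["scan"]

    def scan_status(self, scan_id):
        return int(self.call("ascan", "view", "status", scanId=scan_id)["status"])

    def alerts(self, baseurl):
        return self.call("core", "view", "alerts", baseurl=baseurl)["alerts"]


def wait_for_scan(client, scan_id, sleep=time.sleep, interval=5):
    """Poll until ZAP reports the active scan as 100% complete."""
    status = client.scan_status(scan_id)
    while status < 100:
        sleep(interval)
        status = client.scan_status(scan_id)
    return status


def summarize_alerts(alerts):
    """Reduce ZAP's alert list to a per-risk count and the XSS findings
    (ZAP names them 'Cross Site Scripting (...)'), de-duplicated by URL/param."""
    by_risk = {}
    xss = []
    for a in alerts:
        by_risk[a["risk"]] = by_risk.get(a["risk"], 0) + 1
        if "Cross Site Scripting" in a.get("alert", ""):
            xss.append((a["url"], a.get("param", "")))
    return by_risk, sorted(set(xss))


# Constructed sample shaped like ZAP's core/view/alerts output (not real scan data).
SAMPLE_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": f"{TARGET}/search?q=x", "param": "q"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "url": f"{TARGET}/", "param": ""},
]


def run_against_live_zap(target=TARGET):
    """End-to-end flow for a real run: Selenium (configured with
    chrome_proxy_args()) has already driven the app, so scan and report."""
    client = ZapClient()
    scan_id = client.active_scan(target)
    wait_for_scan(client, scan_id)
    return summarize_alerts(client.alerts(target))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(summarize_alerts(SAMPLE_ALERTS))
```

In a Selenium run, pass `chrome_proxy_args()` to Chrome's options (each string via `add_argument`) before driving the RefApp, then call `run_against_live_zap()` once the E2E workflow has finished; the returned summary is what the QA job can attach to the build for the security team.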