add to ZAP rules

OWASP · Nov 28, 2024 · 25a6e79 · 25a6e79
1 parent 336882d
commit 25a6e79
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 8 deletions.
diff --git a/.github/workflows/.zap-rules-web.tsv b/.github/workflows/.zap-rules-web.tsv
@@ -1,12 +1,13 @@
-10110	OUTOFSCOPE	.*vendor.*\.js
-10110	OUTOFSCOPE	.*graph-test.*\.js
+10062	OUTOFSCOPE	.*_bom\..*
+10094	OUTOFSCOPE	.*_bom\..*
 10099	OUTOFSCOPE	.*vendor.*\.js
 10099	OUTOFSCOPE	.*diagram-edit.*\.js
 10099	OUTOFSCOPE	.*app.*\.js
+10110	OUTOFSCOPE	.*vendor.*\.js
+10110	OUTOFSCOPE	.*graph-test.*\.js
 10110	OUTOFSCOPE	.*diagram-edit.*\.js
-10062	OUTOFSCOPE	.*_bom\..*
-10094	OUTOFSCOPE	.*_bom\..*
 10110	OUTOFSCOPE	.*jquery\.min\.js
+10003	IGNORE	Javascript libraries handled by dependabot
 10055	IGNORE	CSP: script-src unsafe-eval
 10063	IGNORE	Permissions Policy Header Not Set
 40039	IGNORE	Web Cache Deception
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
@@ -415,7 +415,7 @@ jobs:
             -e ENCRYPTION_KEYS='${{ secrets.CI_SESSION_ENCRYPTION_KEYS }}' \
             -e NODE_ENV='development' \
             -e SERVER_API_PROTOCOL='http' \
-            ${{ env.IMAGE_NAME }}
+            ${{ env.IMAGE_NAME }}-arm64
 
       - name: Checkout
         uses: actions/checkout@v4.2.0

diff --git a/.github/workflows/release-windows.yaml b/.github/workflows/release-windows.yaml
@@ -0,0 +1,49 @@
+name: Windows release
+
+on:
+  workflow_dispatch:
+
+# for security reasons the github actions are pinned to specific release versions
+jobs:
+
+  desktop_windows:
+    name: Windows installer
+    runs-on: windows-latest
+    defaults:
+      run:
+        working-directory: td.vue
+
+    steps:
+      - name: Check out
+        uses: actions/checkout@v4.2.0
+
+      - name: Use node LTS 20.14.0
+        uses: actions/setup-node@v4.1.0
+        with:
+          node-version: '20.14.0'
+
+      - name: Cache NPM dir
+        uses: actions/cache@v4.1.1
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+            ${{ runner.os }}-
+
+      - name: Install clean packages
+        run: npm clean-install
+
+      - name: Build Windows executable
+        # code signing done later using Extended Verification (EV) with a hardware key
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: npm run build:desktop -- --windows --publish always
+
+      - name: Save SBOM artifact
+        uses: actions/upload-artifact@v4.4.0
+        with:
+          name: sboms-desktop-windows-site
+          path: './td.vue/dist-desktop/bundled/.sbom/*'
+          include-hidden-files: true
+          if-no-files-found: error
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -4,8 +4,7 @@ name: Release pipeline
 on:
   push:
     tags:
-      - v2.?.?
-      - v2.?.?-RC?
+      - v2.?.*
   workflow_dispatch:
 
 env:
@@ -159,7 +158,9 @@ jobs:
 
       - name: Build Windows executable
         # code signing done later using Extended Verification (EV) with a hardware key
-        run: npm run build:desktop -- --windows --publish never
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: npm run build:desktop -- --windows --publish always
 
       - name: Save SBOM artifact
         uses: actions/upload-artifact@v4.4.0