eclipse-tractusx · drcgjung · Feb 19, 2024 · Feb 19, 2024
diff --git a/.github/workflows/DAST.yml b/.github/workflows/DAST.yml
@@ -0,0 +1,128 @@
+---
+#
+#  Copyright (c) 2024 ZF Friedrichshafen AG
+#  Copyright (c) 2024 T-Systems International GmbH
+#  Copyright (c) 2024 Contributors to the Eclipse Foundation
+#
+#  See the NOTICE file(s) distributed with this work for additional
+#  information regarding copyright ownership.
+#
+#  This program and the accompanying materials are made available under the
+#  terms of the Apache License, Version 2.0 which is available at
+#  https://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#
+name: ZAP_ALL
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
+jobs:
+  zap_scan1:
+    runs-on: ubuntu-latest
+    name: OWASP ZAP API Scan
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          ref: main
+          fetch-depth: 0
+
+      - name: API Test 1
+        id: api_test_1
+        run: |
+          # Perform API Test 1 and capture the response
+          response=$(curl -w "%{http_code}" -v GET https://knowledge.int.demo.catena-x.net/oem-provider-agent3/sparql?query=SELECT%20%3Fs%20WHERE%20%7B%20%3Fs%20%3Chttp%3A%2F%2Fwww.w3.org%2F1999%2F02%2F22-rdf-syntax-ns%23type%3E%20%3Chttps%3A%2F%2Fw3id.org%2Fcatenax%2Fontology%2Fvehicle%23Part%3E.%20%7D%20LIMIT%2010 --user "${{ secrets.BASIC_AUTH_USER }}:${{ secrets.BASIC_AUTH_PASSWORD }}")
+          echo "Response: $response"
+
+      - name: API Test 2
+        id: api_test_2
+        run: |
+          # Perform API Test 2 and capture the response
+          response=$(curl -w "%{http_code}" -X GET https://knowledge.int.demo.catena-x.net/oem-provider-agent3/sparql?query=SELECT%20%3Fs%20WHERE%20%7B%20%3Fs%20%3Chttp%3A%2F%2Fwww.w3.org%2F1999%2F02%2F22-rdf-syntax-ns%23type%3E%20%3Chttps%3A%2F%2Fw3id.org%2Fcatenax%2Fontology%2Fvehicle%23Part%3E.%20%7D%20LIMIT%2010 --header "Authorization: Basic ${{ secrets.BASIC_AUTH_TOKEN }}")
+          echo "Response: $response"
+
+      - name: API Test 3
+        id: api_test_3
+        run: |
+          # Perform API Test 3 and capture the response
+          response=$(curl -X POST https://knowledge.int.demo.catena-x.net/oem-edc-control/BPNL00000003COJN/management/v2/assets/request --header "X-Api-Key: ${{ secrets.API_KEY }}")
+          echo "Response: $response"
+
+      - name: API Test 4
+        id: api_test_4
+        run: |
+          # Perform API Test 4 and capture the response
+          response=$(curl -X GET https://knowledge.int.demo.catena-x.net/tiera-edc-data/BPNL00000003CPIY/api/agent?query=SELECT%20%3Fs%20%3Fp%20%3Fo%20WHERE%20%7B%20%3Fs%20%3Fp%20%3Fo.%7D%20LIMIT%2010 --header "Authorization: Bearer ${{ secrets.OAUTH2 }}")
+          echo "Response: $response"
+
+      - name: Generating report skeletons
+        if: success() || failure()
+        run: |
+          touch API_report.html
+          chmod a+w API_report.html
+          ls -lrt
+
+      - name: Run ZAP API scan
+        run: |
+          set +e
+
+          echo "Pulling ZAP image..."
+          docker pull ghcr.io/zaproxy/zaproxy:stable -q
+          echo "Starting ZAP Docker container..."
+          docker run -v ${GITHUB_WORKSPACE}:/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py -t docs/openapi.json -f openapi -r API_report.html -T 1
+
+          echo "... done."
+
+      - name: Upload HTML report
+        if: success() || failure()
+        uses: actions/upload-artifact@v3
+        with:
+          name: ZAP_API scan report
+          path: ./API_report.html
+          retention-days: 1
+
+  zap_scan2:
+    runs-on: ubuntu-latest
+    name: OWASP ZAP FULL Scan
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          ref: main
+
+      - name: Generating report skeletons
+        if: success() || failure()
+        run: |
+          touch fullscan_report.html
+          chmod a+w fullscan_report.html
+          ls -lrt
+
+      - name: Perform ZAP FULL scan
+        run: |
+          set +e
+
+          echo "Pulling ZAP image..."
+          docker pull ghcr.io/zaproxy/zaproxy:stable -q
+          echo "Starting ZAP Docker container..."
+          docker run -v ${GITHUB_WORKSPACE}:/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py -t https://knowledge.int.demo.catena-x.net -r fullscan_report.html -T 1
+
+          echo "... done."
+
+      - name: Upload HTML report
+        if: success() || failure()
+        uses: actions/upload-artifact@v3
+        with:
+          name: ZAP_FULL scan report
+          path: ./fullscan_report.html
+          retention-days: 1
diff --git a/.github/workflows/kics.yml b/.github/workflows/kics.yml
@@ -1,6 +1,6 @@
 ---
 #
-#  Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation
+#  Copyright (c) 2021, 2024 Contributors to the Eclipse Foundation
 #
 #  See the NOTICE file(s) distributed with this work for additional
 #  information regarding copyright ownership.
@@ -32,9 +32,7 @@ on:
 
   workflow_dispatch:
 
-  # Since rules may change should run regularily
-  schedule:
-    - cron: "0 0 * * *"
+
 
 jobs:
   analyze:

diff --git a/docs/README.md b/docs/README.md
@@ -1,5 +1,5 @@
 <!--
- * Copyright (c) 2022,2023 Contributors to the Eclipse Foundation
+ * Copyright (c) 2022,2024 Contributors to the Eclipse Foundation
  *
  * See the NOTICE file(s) distributed with this work for additional
  * information regarding copyright ownership.
@@ -20,7 +20,7 @@
 
 # Tractus-X Knowledge Agents Reference Implementation (KA-RI) Documentation 
 
-In the Knowledge Agent Architecture, an Agent is any component which speaks and/or enacts a Semantic Web protocol, such as SPARQL.
+In the Knowledge Agent Architecture, an Agent is any component which speaks and/or enacts a Semantic Web protocol, such as SPARQL. So agents share a common [Open Api Specifaction](openapi.json) of which they implement a particular profile, i.e., a sub-protocol.
 
 Binding Agents are the intermediate layer between the dataspace (represented by the Matchmaking Agent that is connected to any Agent-Enabled Application and/or the Agent-Enabled Connector) and your business data & functions.