Merge pull request #614 from Lombiq/issue/OSOE-351

OSOE-351: Offer security checks in Lombiq.UITestingToolbox

.github/actions/spelling/allow.txt

@@ -13,6 +13,7 @@ Overconstrained
 parallelizable
 qrcode
 retriable
+Runtimes
 sanitizers
 scrollbars
 shortcutting

.github/actions/spelling/excludes.txt

@@ -1,6 +1,9 @@
 Assets/Vendors/
 \QLombiq.VueJs.Tests.UI/Assets/Media/\E.*\.mjpeg$
 ^\Qtest/Lombiq.UITestingToolbox/Lombiq.Tests.UI/Constants/CommonDisplayResolutions.cs\E$
+^\Qtest/Lombiq.UITestingToolbox/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlanFragments/\E.*.yml$
+^\Qtest/Lombiq.UITestingToolbox/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/\E.*.yml$
+^\Qtest/Lombiq.UITestingToolbox/Lombiq.Tests.UI.Samples/Tests/CustomZapAutomationFrameworkPlan.yml\E$
 ^\Qtools/Lombiq.GitHub.Actions/\E
 \QUnmanagedNodeModules/\E
 \QUploadingTestFileDOCX.docx\E$

.github/workflows/build-and-test-windows.yml

@@ -42,6 +42,9 @@ jobs:
       ui-test-parallelism: 0
       build-create-binary-log: "true"
       blame-hang-timeout: "5m"
+      # Running ZAP for security scans in Docker under GHA Windows runners won't work since such virtualization is not
+      # supported by GHA.
+      test-filter: "FullyQualifiedName!~SecurityScanningTests"
 
   build-and-test-standard-runners:
     # Since dev builds are not awaited by anyone, they can run on the slower free runners.
@@ -55,6 +58,9 @@ jobs:
       set-up-azurite: "true"
       build-create-binary-log: "true"
       blame-hang-timeout: "5m"
+      # Running ZAP for security scans in Docker under GHA Windows runners won't work since such virtualization is not
+      # supported by GHA.
+      test-filter: "FullyQualifiedName!~SecurityScanningTests"
 
   build-and-test-nuget-test:
     if: github.ref_name == github.event.repository.default_branch || 
@@ -67,6 +73,9 @@ jobs:
       build-directory: NuGetTest
       timeout-minutes: 25
       blame-hang-timeout: "5m"
+      # Running ZAP for security scans in Docker under GHA Windows runners won't work since such virtualization is not
+      # supported by GHA.
+      test-filter: "FullyQualifiedName!~SecurityScanningTests"
 
   powershell-static-code-analysis:
     if: github.ref_name == github.event.repository.default_branch || 

NuGetTest/src/Lombiq.OSOCE.NuGet.Web/Lombiq.OSOCE.NuGet.Web.csproj

@@ -47,8 +47,8 @@
     <PackageReference Include="Lombiq.Privacy" Version="7.0.2-alpha.2.osoe-638" />
     <PackageReference Include="Lombiq.Privacy.Samples" Version="7.0.2-alpha.2.osoe-638" />
     <PackageReference Include="Lombiq.SetupExtensions" Version="5.0.0" />
-    <PackageReference Include="Lombiq.Tests.UI.AppExtensions" Version="8.2.1-alpha.1.osoe-733" />
-    <PackageReference Include="Lombiq.Tests.UI.Shortcuts" Version="8.2.1-alpha.1.osoe-733" />
+    <PackageReference Include="Lombiq.Tests.UI.AppExtensions" Version="8.2.1-alpha.6.osoe-351" />
+    <PackageReference Include="Lombiq.Tests.UI.Shortcuts" Version="8.2.1-alpha.6.osoe-351" />
     <PackageReference Include="Lombiq.UIKit" Version="6.0.1-alpha.0.osoe-638" />
     <PackageReference Include="Lombiq.VueJs" Version="3.0.1-alpha.0.osoe-638" />
     <PackageReference Include="Lombiq.VueJs.Samples" Version="3.0.1-alpha.0.osoe-638" />

NuGetTest/src/Modules/Lombiq.OSOCE.NuGet.TestModule/Lombiq.OSOCE.NuGet.TestModule.csproj

@@ -16,7 +16,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Lombiq.HelpfulLibraries" Version="8.0.2" />
+    <PackageReference Include="Lombiq.HelpfulLibraries" Version="8.1.0" />
     <PackageReference Include="OrchardCore.Module.Targets" Version="1.7.0" />
     <PackageReference Include="OrchardCore.ContentManagement" Version="1.7.0" />
     <PackageReference Include="OrchardCore.ContentTypes.Abstractions" Version="1.7.0" />

NuGetTest/test/Lombiq.OSOCE.NuGet.Tests.UI/Lombiq.OSOCE.NuGet.Tests.UI.csproj

@@ -34,7 +34,7 @@
     <PackageReference Include="Lombiq.OrchardCoreApiClient.Tests.UI" Version="4.0.1-alpha.0.osoe-638" />
     <PackageReference Include="Lombiq.Privacy.Tests.UI" Version="7.0.2-alpha.2.osoe-638" />
     <PackageReference Include="Lombiq.HelpfulExtensions.Tests.UI" Version="7.0.2-alpha.2.osoe-683" />
-    <PackageReference Include="Lombiq.Tests.UI" Version="8.2.1-alpha.1.osoe-733" />
+    <PackageReference Include="Lombiq.Tests.UI" Version="8.2.1-alpha.6.osoe-351" />
     <PackageReference Include="Lombiq.VueJs.Tests.UI" Version="3.0.1-alpha.0.osoe-638" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.7.2" />
     <PackageReference Include="xunit.runner.visualstudio" Version="2.5.1">

NuGetTest/test/Lombiq.OSOCE.NuGet.Tests.UI/Tests/SecurityScanningTests.cs

@@ -0,0 +1,27 @@
+using Lombiq.Tests.UI.SecurityScanning;
+using Shouldly;
+using System.Threading.Tasks;
+using Xunit;
+using Xunit.Abstractions;
+
+namespace Lombiq.OSOCE.NuGet.Tests.UI.Tests;
+
+public class SecurityScanningTests : UITestBase
+{
+    public SecurityScanningTests(ITestOutputHelper testOutputHelper)
+        : base(testOutputHelper)
+    {
+    }
+
+    // Only scanning the homepage, since this is just to make sure that ZAP still works from NuGet.
+    [Fact]
+    public Task BasicSecurityScanShouldPass() =>
+        ExecuteTestAfterSetupAsync(
+            context => context.RunAndAssertBaselineSecurityScanAsync(
+                configuration => configuration.ExcludeUrlWithRegex(".*:[0-9]+\\/.+"),
+                // We expect 5 alerts from ZAP. This is using "less than" not to fail the test, should ZAP be a bit
+                // inconsistent, which it can be (see https://www.zaproxy.org/faq/why-can-zap-scans-be-inconsistent/).
+                // If this starts failing after some update, then inspect the scan report in the failure dump to see if
+                // the alerts can be simply expected and this number should be increased.
+                sarifLog => sarifLog.Runs[0].Results.Count.ShouldBeLessThan(6)));
+}

NuGetTest/test/Lombiq.OSOCE.NuGet.Tests/Lombiq.OSOCE.NuGet.Tests.csproj

@@ -5,7 +5,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Lombiq.HelpfulLibraries" Version="8.0.2" />
+    <PackageReference Include="Lombiq.HelpfulLibraries" Version="8.1.0" />
     <PackageReference Include="Lombiq.Tests" Version="2.2.5" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.7.2" />
     <PackageReference Include="xunit.runner.visualstudio" Version="2.5.1">