Merge pull request #362 from nci-ats/dev

Sprint 7 v0.0.15

.codeclimate.yml

@@ -3,7 +3,8 @@ engines:
     enabled: true
     config:
       languages:
-      - javascript
+        javascript:
+          mass_threshold: 100
   eslint:
     enabled: true
   fixme:

README.md

@@ -18,7 +18,7 @@
 
 A repository for the development of an API to support the public facing ePermit system to connect to the related Forest Service database, the Special Use Data System (SUDS) located in the National Resource Management System.
 
-This repository is being development under a task order of the Agile Blanket Purchase Agreement.
+This repository is being developed under a task order of the Agile Blanket Purchase Agreement.
 
 ## Setup
 
@@ -78,6 +78,8 @@ The Moxai package is a dependency for testing and was built specifically for thi
 
 The controllers/index.js file has random control number generation logic that should be removed when the mock API is replaced with the Basic API.
 
+If the swagger is checked against a swagger validator it will report that it is invalid. We are allowing the swagger to stay invalid because we felt it would be more valuable for developers to have an example data model for temp-outfitter permits, rather than have every part of the swagger be valid.
+
 ## Point of Contact and Notifications
 
 You can report issues and submit questions by opening a new [Issue](https://help.github.com/articles/creating-an-issue/) in GitHub. You can [Watch](https://help.github.com/articles/watching-repositories/) this repo to receive notifications from GitHub when a new issue is posted, when an existing issue’s status is updated, and when a pull request is created.

docs/security-report.md

@@ -0,0 +1,66 @@
+# Security Report
+
+Security testing for this application was performed using OWASP ZAP 2.6 on Mac OS using the https://fs-epermit-dev.herokuapp.com URL. The security testing tool simulates attacks on the website, analyzes the results, and presents a report on the website's vulnerabilities. 
+
+Testing of this URL resulted in a single alert: "Web Browser XSS Protection Not Enabled." This alert should be disregarded, however. Helmet, an npm package used with this application, uses the cross-site scripting (abbreviated "XSS") flag if it is safe to do so. However, as the [Helmet documentation](https://helmetjs.github.io/docs/xss-filter/) explains, this "header causes some even worse security vulnerabilities in older versions of Internet Explorer, so it’s wise to disable it there." In other words, the header's absence, which OWASP ZAP has flagged, is necessary for security. We have also inspected the issue in modern browsers and verified that the XSS flag is properly set.
+
+The full results of the OWASP ZAP vulnerability test are provided below for reference. They are also available in [this screenshot](https://github.com/nci-ats/fs-middlelayer-api/blob/feat/reports/docs/security_screenshot.png). 
+
+## ZAP Scanning Report
+
+### Summary of Alerts
+
+| Risk Level | Number of Alerts |
+| --- | --- |
+| High | 0 |
+| Medium | 0 |
+| Low | 1 |
+| Informational | 0 |
+
+### Alert Detail
+
+#### Web Browser XSS Protection Not Enabled
+
+##### Low (Medium)
+
+##### Description
+
+Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server
+
+- URL: [https://fs-epermit-dev.herokuapp.com/](https://fs-epermit-dev.herokuapp.com/)
+- Method: `GET`
+- Parameter: `X-XSS-Protection`
+- Evidence: `X-XSS-Protection: 0`
+
+Instances: 1
+
+### Solution
+
+Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.
+
+##### Other information
+
+The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: 
+
+X-XSS-Protection: 1; mode=block
+
+X-XSS-Protection: 1; report=http://www.example.com/xss
+
+The following values would disable it: 
+
+X-XSS-Protection: 0
+
+The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).
+
+Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).</p>
+
+#### Reference
+
+- https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
+- https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/
+
+##### CWE Id : 933
+
+##### WASC Id : 14
+
+##### Source ID : 3

mocks/basic.json

@@ -153,7 +153,7 @@
 				}
 			}
 		},
-		"/contact/orgcode": {
+		"/contact/organization": {
 			"post": {
 				"tags": [
 					"Contact Organization"
@@ -205,7 +205,7 @@
 								"cityName": "Washington",
 								"stateCode": "DC",
 								"postalCode": "12345",
-								"contact": "987654321",
+								"contCn": "987654321",
 								"createdDate": "2016-06-04",								
 								"programArea": "SUDS",
 								"securityId": "0102"								
@@ -231,7 +231,7 @@
       					"examples": {
         					"application/json": {
         						"areaCode": "555",
-								"contact": "987654321",
+								"contCn": "987654321",
 								"createdDate": "2016-06-04",
 								"phoneNumber": "555-1234",
 								"phoneNumberType": "MOBILE",