
[Week 08] Indexer weekly security scan #706

Open
f-galland opened this issue Feb 21, 2025 · 0 comments
Assignees
Labels
level/task Task issue request/operational Operational requests type/maintenance Maintenance issue

Comments

@f-galland (Member)

Weekly security scan for Wazuh 4.10.1

Wazuh 4.11.0 is based on OpenSearch 2.16.0 and OpenSearch-Dashboards 2.16.0

Scope

Pre-fork applications and packages:

  • wazuh-indexer dependencies and sources (opensearch)

After the fork we will scan our new packages from our repositories.

Procedure:

Vulnerability checks

  • Scan vulnerabilities in dependencies with:
    • java projects: DependencyCheck dependency-check.sh --project "My App Name" --scan "/java/application/lib"

These vulnerabilities must be updated into

Each vulnerability associated with our code should have an issue created to be fixed.

Code analysis:

We use code analysis tools weekly to evaluate the state of our source code. This analysis is performed against Wazuh repositories:

  • wazuh-indexer

We use CodeQL as our reference tool, as it is provided and well integrated with GitHub.

This process consists of:

  • running the CodeQL action on each of our repositories against the desired branch (usually the latest development branch)

Note: CodeQL runs on schedule against the default branch of the repo, which might not be the same as the latest development branch.

Notes

  • We need to add checks for all included plugins
  • Docker commands are no longer part of this issue.

DRI: @AlexRuiz7

@f-galland f-galland added level/task Task issue request/operational Operational requests type/maintenance Maintenance issue labels Feb 21, 2025
@f-galland f-galland self-assigned this Feb 21, 2025
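The procedure above asks for a DependencyCheck scan of the indexer dependencies and then an issue per vulnerability that affects our code. The script below is an added example, not part of this issue or of the wazuh-indexer project: it reads the JSON report that dependency-check writes with `--format JSON` (assumed layout: a top-level `dependencies` list whose entries carry `fileName`, `packages` and `vulnerabilities`, each vulnerability with `name`, `severity` and `cvssv3.baseScore`), flattens it, drops findings below a severity threshold, groups the rest by CVE id so that a CVE hit through several jars yields one issue rather than several, and produces the issue titles. The embedded sample report, its jar names and its CVE ids are constructed placeholders.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of a DependencyCheck JSON report
# (assumed layout; jar names and CVE ids are placeholders, not real findings).
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "projectInfo": {"name": "wazuh-indexer"},
    "dependencies": [
        {
            "fileName": "example-lib-1.0.0.jar",
            "packages": [{"id": "pkg:maven/org.example/example-lib@1.0.0"}],
            "vulnerabilities": [
                {"source": "NVD", "name": "CVE-0000-00001", "severity": "CRITICAL",
                 "cvssv3": {"baseScore": 9.8}},
                {"source": "NVD", "name": "CVE-0000-00002", "severity": "LOW",
                 "cvssv3": {"baseScore": 3.1}},
            ],
        },
        {   # a dependency with no findings: no "vulnerabilities" key at all
            "fileName": "clean-lib-2.3.4.jar",
            "packages": [{"id": "pkg:maven/org.example/clean-lib@2.3.4"}],
        },
        {
            "fileName": "other-lib-0.9.jar",
            "packages": [{"id": "pkg:maven/org.example/other-lib@0.9"}],
            "vulnerabilities": [
                {"source": "NVD", "name": "CVE-0000-00001", "severity": "CRITICAL",
                 "cvssv3": {"baseScore": 9.8}},
                {"source": "NVD", "name": "CVE-0000-00003", "severity": "HIGH",
                 "cvssv3": {"baseScore": 7.5}},
            ],
        },
    ],
})

# DependencyCheck reports severity as a word; rank it so thresholds compare.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "MODERATE": 2, "LOW": 1}


def parse_report(report_text: str) -> List[Dict]:
    """Flatten the report into one record per (dependency, vulnerability) pair."""
    report = json.loads(report_text)
    findings = []
    for dep in report.get("dependencies", []):
        package_ids = [p["id"] for p in dep.get("packages", [])]
        for vuln in dep.get("vulnerabilities", []):   # missing key -> no findings
            score = (vuln.get("cvssv3") or {}).get("baseScore")
            findings.append({
                "dependency": dep.get("fileName"),
                "packages": package_ids,
                "id": vuln.get("name"),
                "severity": (vuln.get("severity") or "UNKNOWN").upper(),
                "score": score,
            })
    return findings


def triage(findings: List[Dict], min_severity: str = "HIGH") -> Dict[str, Dict]:
    """Keep findings at or above min_severity and group them by CVE id.

    Returns {cve_id: {"severity", "score", "dependencies": [...]}} ordered by
    severity (highest first) and then by id, so the list is stable run to run.
    """
    threshold = SEVERITY_RANK[min_severity]
    grouped: Dict[str, Dict] = {}
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue  # unknown severities rank 0 and are dropped by any threshold
        entry = grouped.setdefault(
            f["id"], {"severity": f["severity"], "score": f["score"], "dependencies": []})
        if f["dependency"] not in entry["dependencies"]:
            entry["dependencies"].append(f["dependency"])
    return dict(sorted(grouped.items(),
                       key=lambda kv: (-SEVERITY_RANK.get(kv[1]["severity"], 0), kv[0])))


def issue_title(cve_id: str, entry: Dict) -> str:
    """Title for the tracking issue the procedure asks for, one per CVE."""
    return f"[{entry['severity']}] {cve_id} in {', '.join(entry['dependencies'])}"


if __name__ == "__main__":
    # Usage: replace SAMPLE_REPORT with open("dependency-check-report.json").read()
    for cve_id, entry in triage(parse_report(SAMPLE_REPORT)).items():
        print(issue_title(cve_id, entry), f"(CVSS {entry['score']})")
```

Lowering `min_severity` to "LOW" keeps everything the scan found; the default of "HIGH" is only a starting point for which findings get an issue straight away, and the grouping by CVE id is what keeps one vulnerability from being filed several times when it reaches the indexer through more than one jar.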