Merge branch 'FinalProject_main' into use_docker_compose

.devcontainer/Dockerfile

@@ -1,13 +0,0 @@
-ARG VARIANT=17-bullseye
-FROM mcr.microsoft.com/vscode/devcontainers/java:0-${VARIANT}
-
-ARG NODE_VERSION="none"
-RUN if [ "${NODE_VERSION}" != "none" ]; then su vscode -c "umask 0002 && . /usr/local/share/nvm/nvm.sh && nvm install ${NODE_VERSION} 2>&1"; fi
-
-ARG USER=vscode
-VOLUME /home/$USER/.m2
-VOLUME /home/$USER/.gradle
-
-ARG JAVA_VERSION=17.0.7-ms
-RUN sudo mkdir /home/$USER/.m2 /home/$USER/.gradle && sudo chown $USER:$USER /home/$USER/.m2 /home/$USER/.gradle
-RUN bash -lc '. /usr/local/sdkman/bin/sdkman-init.sh && sdk install java $JAVA_VERSION && sdk use java $JAVA_VERSION'

.vs/ProjectSettings.json

@@ -0,0 +1,3 @@
+{
+  "CurrentProjectSetting": null
+}

.vs/VSWorkspaceState.json

@@ -0,0 +1,12 @@
+{
+  "ExpandedNodes": [
+    "",
+    "\\.devcontainer",
+    "\\.github",
+    "\\.mvn",
+    "\\gradle",
+    "\\src"
+  ],
+  "SelectedNode": "\\src\\main",
+  "PreviewInSolutionExplorer": false
+}

Dockerfile

@@ -12,7 +12,7 @@ COPY mvnw pom.xml ./
 COPY src ./src
 
 # Package the application
-RUN ./mvnw package
+RUN ./mvnw clean package
 
 # Copy the JAR file to the app directory
 COPY target/*.jar app.jar
@@ -21,4 +21,4 @@ COPY target/*.jar app.jar
 CMD ["java", "-jar", "app.jar"]
 
 # Expose the port the app runs on
-EXPOSE 8080
+EXPOSE 8080

automation.sh

@@ -0,0 +1,43 @@
+# use this by running sh automation.sh in Terminal
+
+
+echo "####################################################"
+echo "Stop and remove all running containers..."
+echo "docker stop $(docker ps -a -q)"
+docker stop $(docker ps -a -q)
+
+# remove the stopped docker containers
+echo "docker system prune -af"
+docker rm -v -f $(docker ps -qa)
+
+# uncomment this to remove the images too
+#docker system prune -af
+
+echo "####################################################"
+echo "Create a network..."
+echo "docker network create --driver bridge petclinic-net"
+docker network create --driver bridge petclinic-net
+
+echo "####################################################"
+echo "Build and run container..."
+echo "build . -t spring_image"
+echo "docker run -itd -p:8080:8080 --name spring-petclinic spring_image"
+docker build . -t spring_image
+docker run -itd -p 8080:8080 --network petclinic-net --name spring-petclinic spring_image
+
+
+
+echo "####################################################"
+echo "Running OWASP ZAP"
+
+# Pull the latest stable OWASP ZAP image
+docker pull ghcr.io/zaproxy/zaproxy:stable
+
+echo "Running OWASP ZAP scan..."
+docker run --rm -t --network petclinic-net \
+  -v $(pwd)/zap-report:/zap/wrk:rw \
+  ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
+  -t http://localhost:8080 -g gen.conf -r zap-report.html
+
+
+echo "Scan complete. Report saved as zap-report.html"

zap-report/gen.conf

@@ -0,0 +1,69 @@
+# zap-baseline rule configuration file
+# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
+# Only the rule identifiers are used - the names are just for info
+# You can add your own messages to each rule by appending them after a tab on each line.
+10003	WARN	(Vulnerable JS Library (Powered by Retire.js))
+10009	WARN	(In Page Banner Information Leak)
+10010	WARN	(Cookie No HttpOnly Flag)
+10011	WARN	(Cookie Without Secure Flag)
+10015	WARN	(Re-examine Cache-control Directives)
+10017	WARN	(Cross-Domain JavaScript Source File Inclusion)
+10019	WARN	(Content-Type Header Missing)
+10020	WARN	(Anti-clickjacking Header)
+10021	WARN	(X-Content-Type-Options Header Missing)
+10023	WARN	(Information Disclosure - Debug Error Messages)
+10024	WARN	(Information Disclosure - Sensitive Information in URL)
+10025	WARN	(Information Disclosure - Sensitive Information in HTTP Referrer Header)
+10026	WARN	(HTTP Parameter Override)
+10027	WARN	(Information Disclosure - Suspicious Comments)
+10028	WARN	(Open Redirect)
+10029	WARN	(Cookie Poisoning)
+10030	WARN	(User Controllable Charset)
+10031	WARN	(User Controllable HTML Element Attribute (Potential XSS))
+10032	WARN	(Viewstate)
+10033	WARN	(Directory Browsing)
+10034	WARN	(Heartbleed OpenSSL Vulnerability (Indicative))
+10035	WARN	(Strict-Transport-Security Header)
+10036	WARN	(HTTP Server Response Header)
+10037	WARN	(Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s))
+10038	WARN	(Content Security Policy (CSP) Header Not Set)
+10039	WARN	(X-Backend-Server Header Information Leak)
+10040	WARN	(Secure Pages Include Mixed Content)
+10041	WARN	(HTTP to HTTPS Insecure Transition in Form Post)
+10042	WARN	(HTTPS to HTTP Insecure Transition in Form Post)
+10043	WARN	(User Controllable JavaScript Event (XSS))
+10044	WARN	(Big Redirect Detected (Potential Sensitive Information Leak))
+10049	WARN	(Content Cacheability)
+10050	WARN	(Retrieved from Cache)
+10052	WARN	(X-ChromeLogger-Data (XCOLD) Header Information Leak)
+10054	WARN	(Cookie without SameSite Attribute)
+10055	WARN	(CSP)
+10056	WARN	(X-Debug-Token Information Leak)
+10057	WARN	(Username Hash Found)
+10061	WARN	(X-AspNet-Version Response Header)
+10062	WARN	(PII Disclosure)
+10063	WARN	(Permissions Policy Header Not Set)
+10096	WARN	(Timestamp Disclosure)
+10097	WARN	(Hash Disclosure)
+10098	WARN	(Cross-Domain Misconfiguration)
+10099	WARN	(Source Code Disclosure)
+10105	WARN	(Weak Authentication Method)
+10108	WARN	(Reverse Tabnabbing)
+10109	WARN	(Modern Web Application)
+10110	WARN	(Dangerous JS Functions)
+10111	WARN	(Authentication Request Identified)
+10112	WARN	(Session Management Response Identified)
+10113	WARN	(Verification Request Identified)
+10115	WARN	(Script Served From Malicious Domain (polyfill))
+10202	WARN	(Absence of Anti-CSRF Tokens)
+2	WARN	(Private IP Disclosure)
+3	WARN	(Session ID in URL Rewrite)
+50001	WARN	(Script Passive Scan Rules)
+90001	WARN	(Insecure JSF ViewState)
+90002	WARN	(Java Serialization Object)
+90003	WARN	(Sub Resource Integrity Attribute Missing)
+90004	WARN	(Insufficient Site Isolation Against Spectre Vulnerability)
+90011	WARN	(Charset Mismatch)
+90022	WARN	(Application Error Disclosure)
+90030	WARN	(WSDL File Detection)
+90033	WARN	(Loosely Scoped Cookie)