From 9ceb9a519bec16265663e220cd23d3851ff8e102 Mon Sep 17 00:00:00 2001 From: Marko Stojanovic Date: Fri, 9 Feb 2024 12:12:14 +0100 Subject: [PATCH] Typo changes --- doc/TRUEConnector/prerequisite.md | 5 +++++ doc/configuration-list-evaluation.md | 2 +- doc/security.md | 2 +- doc/traceability_matrix.md | 20 +++++++++++--------- 4 files changed, 18 insertions(+), 11 deletions(-) diff --git a/doc/TRUEConnector/prerequisite.md b/doc/TRUEConnector/prerequisite.md index 4656b3f..9da0f8c 100644 --- a/doc/TRUEConnector/prerequisite.md +++ b/doc/TRUEConnector/prerequisite.md 
@@ -71,6 +71,11 @@ With the following command a new key-pair is created. ssh-keygen -t rsa -b 4096 -f ~/.ssh/desktop_key-rsa ``` +* `ssh-keygen` - command used to create the public and private key pairs that SSH uses for secure communication between client and server. +* `-t rsa` - command used to create RSA (Rivest-Shamir-Adleman) key-pair widely used for secure data transmission, known for their security and efficiency +* `-b 4096` - specifies the key length, 4096 offers a good balance between security and performance, providing strong protection against brute-force attacks without being overly taxing on system resources. +* `-f ~/.ssh/desktop_key-rsa` - specifies the filename for the key file + In order to create the key, you will be asked for a password. This is the password for your key. It is recommended and considered as best practice (and also security related) to enter passphrase. It will be used as security step, avoiding the usage of a stolen or lost private key. The result of this command should be two files. The file "\~/.ssh/desktop_key-rsa" which is the private-key file, and the file "~/.ssh/desktop_key-rsa.pub" which contains your public-key file. This public-key and private-key will be securely transferred to the client. This means that keys are transferred to the client machine without exposing the content of the file, following best practices for delivering files containing sensitive data, such are password protected zip archive, uploading to some storage, and providing link to the responsible user, admin approaching to the client and copying key file from USB stick, or whatever is applicable and most suitable for the company. diff --git a/doc/configuration-list-evaluation.md b/doc/configuration-list-evaluation.md index 10c4b74..9b83dfa 100644 --- a/doc/configuration-list-evaluation.md +++ b/doc/configuration-list-evaluation.md 
@@ -1,4 +1,4 @@ -## Configuaration list with evaluation evidence +## Configuration list with evaluation evidence This document contains an iterative table providing details on the certification process of TRUE Connector since its initial release. The table includes information on each version's release date, submodule version, and corresponding details about evaluation evidence that influenced changes in that particular version. diff --git a/doc/security.md b/doc/security.md index 00fe83d..366ae58 100644 --- a/doc/security.md +++ b/doc/security.md @@ -4,7 +4,7 @@ The TRUE Connector uses state-of-the-art TLS 1.3 encryption for https/wss commun ## Public Key Infrastructure - PKI -For a proper set-up of the TRUE Connector, it is required to provide a certificate from a trusted Certificate Authority, such as Let's Encrypt, which is recommended for production environments. This certificate will be used to enable a TLS channel between components. +For a proper set-up of the TRUE Connector, it is required to provide a certificate from a trusted Certificate Authority, such as Let's Encrypt, which is mandatory for production environments. This certificate will be used to enable a TLS channel between components. If requested, you can create one for consumer side and one for provider side of the TRUE Connector. In that case, SAN should be split to match (consumer and provider ones should be separated) diff --git a/doc/traceability_matrix.md b/doc/traceability_matrix.md index 70ca690..a93fd5c 100644 --- a/doc/traceability_matrix.md +++ b/doc/traceability_matrix.md 
@@ -78,20 +78,22 @@ Status of issues can be: * Open - issues is reported by end user, team member or Dependabot * Under investigation - checking reported issue, labeling, categorizing and assigning it -* Closed - issue is patched +* Under development - working actively on bug/issue +* Ready for merge - development is done, automated test passed, PR is opened for a review +* Closed - issue is patched and merged The most recent status updates for each component are available: 1. Automated security issues reported by Dependabot -| Severity | Report Date | Issue | Affected Component | Solution | Status | -|:---------:|:-----------:|:--------------------------------------------------:|:------------------:|:---------------:|:------:| -| High | 2022-04 | json stack overflow vulnerability | ECC | Bump to v20230227 | DONE | -| Critical | 2022-02 | Arbitrary code execution in Apache Commons Text | DataApp | Bump to v1.10.0 | DONE | -| Critical | 2022-02 | Arbitrary code execution in Apache Commons Text | ECC | Bump to v1.10.0 | DONE | -| Moderate | 2022-04 | Chosen Ciphertext Attack in Jose4j | ECC | Bump to v0.9.3 | DONE | -| Moderate | 2022-01 | Improper Locking in JetBrains Kotlin | ECC | Bump to v1.6.0 | DONE | -| Moderate | 2021-01 | Timing based private key exposure in Bouncy Castle | ECC | Bump to v1.66 | DONE | +| Severity | Report Date | Issue | Affected Component | Solution | Status | +|:---------:|:-----------:|:--------------------------------------------------:|:------------------:|:-----------------:|:------:| +| High | 2022-04 | JSON stack overflow vulnerability | ECC | Bump to v20230227 | CLOSED | +| Critical | 2022-02 | Arbitrary code execution in Apache Commons Text | DataApp | Bump to v1.10.0 | CLOSED | +| Critical | 2022-02 | Arbitrary code execution in Apache Commons Text | ECC | Bump to v1.10.0 | CLOSED | +| Moderate | 2022-04 | Chosen Ciphertext Attack in Jose4j | ECC | Bump to v0.9.3 | CLOSED | +| Moderate | 2022-01 | Improper Locking in JetBrains 
Kotlin | ECC | Bump to v1.6.0 | CLOSED | +| Moderate | 2021-01 | Timing based private key exposure in Bouncy Castle | ECC | Bump to v1.66 | CLOSED | 2. Open issues - [ECC](https://github.com/Engineering-Research-and-Development/true-connector-execution_core_container/issues), [DataApp](https://github.com/Engineering-Research-and-Development/true-connector-basic_data_app/issues)
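Review bot: in the new bullet list in doc/TRUEConnector/prerequisite.md, `-t rsa` is described as a "command used to create RSA (Rivest-Shamir-Adleman) key-pair"; it is an option to `ssh-keygen` that selects the key type, and `ssh-keygen` in the first bullet is the only actual command. Suggest `* `-t rsa` - selects the key type; RSA keys are widely supported by SSH clients and servers`. The `-f ~/.ssh/desktop_key-rsa` bullet says it "specifies the filename for the key file" although the command writes two files; say it is the path of the private key and that the public key is written to the same path with `.pub` appended, which matches the paragraph that follows. The commit subject "Typo changes" also does not cover this hunk, which adds four explanatory bullets rather than fixing a typo; a subject such as "Explain ssh-keygen options" would be more accurate.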
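Review bot: in doc/security.md the sentence now reads "such as Let's Encrypt, which is mandatory for production environments", so the relative clause attaches to Let's Encrypt and states that Let's Encrypt itself is mandatory, while the point of replacing "recommended" is that a certificate from a trusted CA is mandatory. Suggest splitting it: "it is required to provide a certificate from a trusted Certificate Authority, such as Let's Encrypt. A certificate from a trusted CA is mandatory for production environments." Changing "recommended" to "mandatory" is a change of requirement rather than a typo fix, so it should be called out in the commit message instead of hiding under "Typo changes".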
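Review bot: the Dependabot table in doc/traceability_matrix.md changes the Status column from DONE to CLOSED, but the status list added just above it defines the value as "Closed - issue is patched and merged"; use one spelling in both places so each table row can be matched to a defined status. The Report Date column also looks inconsistent with the Solution column: the first row is dated 2022-04 with "Bump to v20230227", a date-stamped release from February 2023, which means either the report date or the fix version is wrong. Please verify the report dates against the Dependabot alerts before relabeling the rows as CLOSED, and consider adding a "Resolved Date" column next to Solution so the matrix actually shows time to fix.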