This page shares the current curated security backlog, listing the features and capabilities defined on the Security Jira board. Please refer to the Bahmni Security Posture document for a holistic perspective.
To update the JIRA details below, type “/JIRA” in the Documentation/JIRA column, search for your Jira number and click Insert.
This shows the current status from the Jira board.
| # | Category | Capability / Feature | Documentation / JIRA | Bahmni Lite v1.0 Release |
|---|---|---|---|---|
| 1 | Trivy Secret & Vulnerability Scanning | Analyze false positives or perform quick fixes on Critical vulnerabilities reported by Trivy (first pass) | | DONE |
| 2 | Trivy Secret & Vulnerability Scanning | Perform vulnerability check in CI (build) using Trivy and fail for Critical issues. Add secret scanning using Trivy in all Bahmni repositories | | DONE |
| 3 | Machine / Node hardening | OpenSCAP for nodes / machine monitoring | | DONE |
| 4 | Machine / Node hardening | Apply daily critical security updates automatically (e.g. EC2) | BAH-2412 | NOT REQUIRED |
| 5 | Firewall | Open-source / free option for Bot Management and Traffic Control for Bahmni running on Docker / K8s | | NOT REQUIRED |
| 6 | Firewall | Document AWS WAF and Bot Management recommendation for Bahmni Lite | | NOT REQUIRED |
| 7 | Security Quality Gates | Explore OWASP ZAP for Bahmni security testing | | NOT REQUIRED |
| 8 | Security Quality Gates | Automate static code analysis using DeepSource / SonarQube → Documentation | BAH-1958 | NOT REQUIRED |
| 9 | Data Protection | Protect patient documents behind login (only for older RPM-based installations, since Docker and K8s no longer have this issue) | | NOT REQUIRED |
| 10 | Data Protection | Encrypt documents at rest (S3 / file system / connected storage / etc.), e.g. patient documents | | NOT REQUIRED |
| 11 | Identity Management | Certificates: document a secure way to generate and manage certificates | | DONE |
| 12 | Identity Management | Mitigate default credentials risk | | NOT REQUIRED |
| 13 | Cloud/Infra | Document recommendations on general cloud hygiene | | NOT REQUIRED |
| 14 | Cloud/Infra | Document approach on reporting security incidents (Slack, DL etc.) | | NOT REQUIRED |
| 15 | Cloud/Infra | Fix Critical vulnerabilities in infra namespaces | | INFRA |
| 16 | Source Code Fixes | Fix Critical and High vulnerabilities in the bahmni-reports repo as per the Trivy reports | | DONE |
| 17 | Source Code Fixes | HIP and otp-service: dotnet version outdated | | DONE |
| 18 | Source Code Fixes | Refactor Docker image creation for HIP-atomfeed and hiu-db | | DONE |
| 19 | Source Code Fixes | Upgrade Node version in the hiu-ui repo | | DONE |
| 20 | Source Code Fixes | Fix security vulnerabilities in the hiu module | | DONE |
| 21 | Source Code Fixes | Fix Critical vulnerabilities in crater-atomfeed | | DONE |
| 22 | Source Code Fixes | Fix Critical vulnerabilities in otp-service code | | DONE |
| 23 | Source Code Fixes | Fix Critical vulnerabilities in the rabbitmq image | | DONE |
| 24 | Source Code Fixes | Fix Critical vulnerabilities in the postgres image | | DONE |
| 25 | Source Code Fixes | openmrs-module-appointments-frontend (fix generated as PR by Dependabot) | | DONE |
| 26 | Source Code Fixes | Fix hip-atomfeed Critical vulnerabilities | | DONE |
| 27 | Source Code Fixes | Fix bahmni/crater-php dependency vulnerabilities | | DONE |
| 28 | Source Code Fixes | Fix hip service Critical vulnerabilities | | ABDM REQUIRED |
| 29 | Source Code Fixes | Fix hiu backend Critical vulnerabilities | | ABDM REQUIRED |
| 30 | Source Code Fixes | Fix hiu-ui Critical vulnerabilities | | ABDM REQUIRED |
| 31 | Source Code Fixes | Fix Critical vulnerabilities in the ABHA verification repo | | ABDM REQUIRED |
| 32 | Source Code Fixes | Fix Critical vulnerabilities in hiu-db code | | ABDM REQUIRED |
| 33 | Source Code Fixes | Fix Critical vulnerabilities in Appointments, Bahmni-lab, Bahmni-web, implementer-interface and patient-documents images/jars | | REQUIRED |
| 34 | Source Code Fixes | Fix Critical vulnerabilities in the crater-atomfeed repo | | REQUIRED |
| 36 | WASA Testing | Clickjacking | | INFRA |
| 37 | WASA Testing | Authentication bypass via response manipulation (Medium) | | PRODUCT |
| 38 | WASA Testing | Improper session management (Medium) | | PRODUCT |
| 39 | WASA Testing | Host header injection (Medium) | | PRODUCT |
| 40 | WASA Testing | Improper error handling (Medium) | | PRODUCT REQUIRED |