Dmp 5453 add securitymd

.github/renovate.json

@@ -3,5 +3,6 @@
   "extends": [
     "local>hmcts/.github:renovate-config",
     "local>hmcts/.github//renovate/automerge-minor"
-  ]
+  ],
+  "timezone": "Europe/London"
 }

Create.CSV.Data/Accept_Transcriber_Details_PATCH_CSV.ps1

@@ -5,7 +5,7 @@ WITH RankedTranscriptions AS (
         transcription.tra_id,
         transcription.created_by,
         courthouse.cth_id,
-        '\"' || REPLACE(courthouse.display_name, '\"', '\"\"') || '\"' AS courthouse_name,
+        courthouse.display_name AS courthouse_name,
         user_account.usr_id,        
         user_account.user_email_address,
         'PerfTester@01' AS "Password",

Create.CSV.Data/GetCourtHouse_And_CourtRooms_CSV.ps1

@@ -1,12 +1,12 @@
 # SQL query to be executed
 $query = @"
 SELECT 
-    '\"' || darts.courtroom.cth_id || '\"' AS cth_id,
-    '\"' || darts.courtroom.courtroom_name || '\"' AS courtroom_name,
-    '\"' || darts.courtroom.ctr_id || '\"' AS ctr_id,
-    '\"' || REPLACE(darts.courthouse.courthouse_name, '\"', '\"\"') || '\"' AS courthouse_name,
-    '\"' || darts.courthouse.display_name || '\"' AS display_name,
-    '\"' || darts.courthouse.courthouse_code || '\"' AS courthouse_code
+    darts.courtroom.cth_id AS cth_id,
+    darts.courtroom.courtroom_name AS courtroom_name,
+    darts.courtroom.ctr_id AS ctr_id,
+    REPLACE(darts.courthouse.courthouse_name, '\"', '\"\"') AS courthouse_name,
+    darts.courthouse.display_name AS display_name,
+    darts.courthouse.courthouse_code AS courthouse_code
 FROM 
     darts.courtroom
 INNER JOIN 

Create.CSV.Data/GetPerfCourtClerk_Users_CSV.ps1

@@ -7,7 +7,7 @@ WITH UserDetails AS (
         'PerfTester@01'               AS Password,
         ua.user_name, 
         sgch.cth_id,
-        '\"' || REPLACE(ch.display_name, '\"', '\"\"') || '\"' AS courthouse_name,
+        ch.display_name AS courthouse_name,
         ch.courthouse_code,
         'CourtClerk'                 AS Type,
         ROW_NUMBER() OVER (PARTITION BY ua.usr_id ORDER BY RANDOM()) AS courthouse_rn

Create.CSV.Data/GetPerfCourtManager_Users_CSV.ps1

@@ -7,7 +7,7 @@ WITH UserDetails AS (
         'PerfTester@01' AS Password,
         ua.user_name, 
         sgch.cth_id,               
-        '\"' || REPLACE(ch.display_name, '\"', '\"\"') || '\"' AS courthouse_name,
+        ch.display_name AS courthouse_name,
         ch.courthouse_code,
         'CourtManager' AS Type,
         ROW_NUMBER() OVER (PARTITION BY ua.usr_id ORDER BY RANDOM()) AS courthouse_rn

Create.CSV.Data/GetPerfJudge_Users_CSV.ps1

@@ -7,7 +7,7 @@ WITH UserDetails AS (
         'PerfTester@01' AS Password,
         ua.user_name, 
         urch.cth_id,
-        '\"' || REPLACE(ch.display_name, '\"', '\"\"') || '\"' AS courthouse_name,
+        ch.display_name AS courthouse_name,
         ch.courthouse_code,
         'Judge' AS Type,
         ROW_NUMBER() OVER (PARTITION BY ua.usr_id ORDER BY RANDOM()) AS courthouse_rn

Create.CSV.Data/GetPerfLanguage_Shop_Users_CSV.ps1

@@ -7,7 +7,7 @@ WITH UserDetails AS (
         'PerfTester@01' AS Password,
         ua.user_name, 
         urch.cth_id,
-        '\"' || REPLACE(ch.display_name, '\"', '\"\"') || '\"' AS courthouse_name,
+        ch.display_name AS courthouse_name,
         ch.courthouse_code,
         'LanguageShop' AS Type,
         ROW_NUMBER() OVER (PARTITION BY ua.usr_id ORDER BY RANDOM()) AS courthouse_rn

Create.CSV.Data/GetPerfTranscirber_Users_CSV.ps1

@@ -7,7 +7,7 @@ WITH UserDetails AS (
         'PerfTester@01' AS Password,
         ua.user_name, 
         urch.cth_id,
-        '\"' || REPLACE(ch.display_name, '\"', '\"\"') || '\"' AS courthouse_name,
+        ch.display_name AS courthouse_name,
         ch.courthouse_code,
         'Transcriber' AS Type,
         ROW_NUMBER() OVER (PARTITION BY ua.usr_id ORDER BY RANDOM()) AS courthouse_rn

SECURITY.md

@@ -0,0 +1,65 @@
+# Security Policy
+
+## Purpose
+
+This document outlines how security vulnerabilities should be reported for this
+repository.
+
+HMCTS is committed to responsible vulnerability disclosure and to addressing
+legitimate security issues in a timely and coordinated manner.
+
+## Reporting a vulnerability
+
+If you believe you have identified a security vulnerability in this repository, please report it by email to: 
+
+HMCTSVulnerabilityDisclosure@justice.gov.uk
+
+This email address is the sole approved point of contact for vulnerability disclosures relating to HMCTS-owned repositories and services.
+
+Please **do not** create public GitHub issues or pull requests to report security vulnerabilities.
+
+## What to Include in a Report
+
+When reporting a vulnerability, please provide as much of the following information as possible:
+
+- The repository, service, or component affected
+- A clear description of the vulnerability
+- Steps required to reproduce the issue
+- Any non-destructive proof of concept or exploitation details
+
+Where available, the following additional information is helpful:
+
+- The suspected vulnerability type (for example, an OWASP category)
+- Relevant logs, screenshot or error messages
+
+Reports do not need to be fully validated before submission. If you are unsure whether an issue is exploitable or security-relevant, you are still encouraged to report it.
+
+## Responsible Disclosure Guidelines
+
+When investigating or reporting a vulnerability affecting HMCTS systems, reporters must not:
+
+- Break the law or breach applicable regulations
+- Access unnecessary, excessive, or unrelated data
+- Modify or delete data
+- Perform denial-of-service or other disruptive testing
+- Use high-intensity, invasive, or destructive scanning techniques
+- Publicly disclose the vulnerability before it has been addressed
+- Attempt social engineering, Phishing, or physical attacks
+- Demand payment or compensation in exchange for disclosure
+
+These guidelines are intended to protect users, services, and data while allowing good-faith security research.
+
+
+## Bug Bounty
+
+HMCTS does not operate a paid bug bounty programme.
+
+## Code of Conduct
+
+All contributors and reporters are expected to act in good faith and in accordance with applicable laws and professional standards.
+
+## Further Reading
+
+- https://www.ncsc.gov.uk/information/vulnerability-reporting
+- https://www.gov.uk/help/report-vulnerability
+- https://github.com/Trewaters/security-README

build.gradle

@@ -16,10 +16,20 @@ repositories {
 dependencyCheck {
     suppressionFile = 'config/owasp/suppressions.xml'
 }
-
+ext {
+    log4JVersion = "2.25.2"
+}
 dependencies {
     gatling group: 'org.postgresql', name: 'postgresql', version: '42.7.4'
     gatling 'com.github.hmcts:juror-generation-support-library:1.5.4'
+    gatlingCompileOnly 'org.projectlombok:lombok:1.18.42'
+    gatlingAnnotationProcessor 'org.projectlombok:lombok:1.18.42'
+
+
+    gatling group: 'com.github.hmcts.java-logging', name: 'logging', version: '6.1.9'
+
+    gatling group: 'org.apache.logging.log4j', name: 'log4j-api', version: log4JVersion
+    gatling group: 'org.apache.logging.log4j', name: 'log4j-to-slf4j', version: log4JVersion
 }
 
 // Default gatlingRun configuration

src/gatling/java/simulations/Scripts/DartsApi/AudioGETPreviewSimulation.java

@@ -6,16 +6,18 @@
 import simulations.Scripts.Utilities.AppConfig.EnvironmentURL;
 import io.gatling.javaapi.core.*;
 import io.gatling.javaapi.http.*;
+import simulations.Scripts.Utilities.HttpUtil;
 
 import static io.gatling.javaapi.core.CoreDsl.*;
 import static io.gatling.javaapi.http.HttpDsl.*;
+import simulations.Scripts.Utilities.HttpUtil;
 
 
 public class AudioGETPreviewSimulation extends Simulation {   
   {
 
-    final HttpProtocolBuilder httpProtocol = http
-        .proxy(Proxy(AppConfig.PROXY_HOST, AppConfig.PROXY_PORT))
+    final HttpProtocolBuilder httpProtocol =
+        HttpUtil.getHttpProtocol()
         .baseUrl(EnvironmentURL.B2B_Login.getUrl())
         .inferHtmlResources();
 

src/gatling/java/simulations/Scripts/DartsApi/AudioPostSimulation.java

@@ -9,12 +9,13 @@
 
 import static io.gatling.javaapi.core.CoreDsl.*;
 import static io.gatling.javaapi.http.HttpDsl.*;
+import simulations.Scripts.Utilities.HttpUtil;
 
 
 public class AudioPostSimulation extends Simulation {   
   {
-    final HttpProtocolBuilder httpProtocol = http
-        .proxy(Proxy(AppConfig.PROXY_HOST, AppConfig.PROXY_PORT))
+    final HttpProtocolBuilder httpProtocol =
+        HttpUtil.getHttpProtocol()
         .baseUrl(EnvironmentURL.B2B_Login.getUrl())
         .inferHtmlResources();
 

src/gatling/java/simulations/Scripts/DartsApi/AudioRequestDeleteSimulation.java

@@ -9,12 +9,13 @@
 
 import static io.gatling.javaapi.core.CoreDsl.*;
 import static io.gatling.javaapi.http.HttpDsl.*;
+import simulations.Scripts.Utilities.HttpUtil;
 
 
 public class AudioRequestDeleteSimulation extends Simulation {   
   {
-    final HttpProtocolBuilder httpProtocol = http
-        .proxy(Proxy(AppConfig.PROXY_HOST, AppConfig.PROXY_PORT))
+    final HttpProtocolBuilder httpProtocol =
+        HttpUtil.getHttpProtocol()
         .baseUrl(EnvironmentURL.B2B_Login.getUrl())
         .inferHtmlResources();
 

src/gatling/java/simulations/Scripts/DartsApi/AudioRequestGetDownloadSimulation.java

@@ -8,13 +8,14 @@
 
 import static io.gatling.javaapi.core.CoreDsl.*;
 import static io.gatling.javaapi.http.HttpDsl.*;
+import simulations.Scripts.Utilities.HttpUtil;
 
 
 public class AudioRequestGetDownloadSimulation extends Simulation {   
   {
 
-    final HttpProtocolBuilder httpProtocol = http
-    //    .proxy(Proxy(AppConfig.PROXY_HOST, AppConfig.PROXY_PORT))
+    final HttpProtocolBuilder httpProtocol =
+    HttpUtil.getHttpProtocol()
         .baseUrl(EnvironmentURL.B2B_Login.getUrl())
         .inferHtmlResources();
 

src/gatling/java/simulations/Scripts/DartsApi/AudioRequestGetPlayBackSimulation.java

@@ -9,14 +9,15 @@
 
 import static io.gatling.javaapi.core.CoreDsl.*;
 import static io.gatling.javaapi.http.HttpDsl.*;
+import simulations.Scripts.Utilities.HttpUtil;
 
 
 public class AudioRequestGetPlayBackSimulation extends Simulation {   
   {
     final FeederBuilder<String> feeder = csv(AppConfig.AUDIO_REQUEST_POST_FILE_PATH).random();
 
-    final HttpProtocolBuilder httpProtocol = http
-    //    .proxy(Proxy(AppConfig.PROXY_HOST, AppConfig.PROXY_PORT))
+    final HttpProtocolBuilder httpProtocol =
+    HttpUtil.getHttpProtocol()
         .baseUrl(EnvironmentURL.B2B_Login.getUrl())
         .inferHtmlResources();
 

src/gatling/java/simulations/Scripts/DartsApi/AudioRequestGetSimulation.java

@@ -9,13 +9,14 @@
 
 import static io.gatling.javaapi.core.CoreDsl.*;
 import static io.gatling.javaapi.http.HttpDsl.*;
+import simulations.Scripts.Utilities.HttpUtil;
 
 
 public class AudioRequestGetSimulation extends Simulation {   
   {
 
-    final HttpProtocolBuilder httpProtocol = http
-        .proxy(Proxy(AppConfig.PROXY_HOST, AppConfig.PROXY_PORT))
+    final HttpProtocolBuilder httpProtocol =
+        HttpUtil.getHttpProtocol()
         .baseUrl(EnvironmentURL.B2B_Login.getUrl())
         .inferHtmlResources();
 

src/gatling/java/simulations/Scripts/DartsApi/AudioRequestPostSimulation.java

@@ -9,12 +9,13 @@
 
 import static io.gatling.javaapi.core.CoreDsl.*;
 import static io.gatling.javaapi.http.HttpDsl.*;
+import simulations.Scripts.Utilities.HttpUtil;
 
 public class AudioRequestPostSimulation extends Simulation {   
   {
 
-    final HttpProtocolBuilder httpProtocol = http
-        .proxy(Proxy(AppConfig.PROXY_HOST, AppConfig.PROXY_PORT))
+    final HttpProtocolBuilder httpProtocol =
+        HttpUtil.getHttpProtocol()
         .baseUrl(EnvironmentURL.B2B_Login.getUrl())
         .inferHtmlResources();
 
@@ -25,7 +26,7 @@ public class AudioRequestPostSimulation extends Simulation {
         );
 
     setUp(
-        scn1.injectOpen(constantUsersPerSec(1).during(1)).protocols(httpProtocol));
+         scn1.injectOpen(atOnceUsers(1)).protocols(httpProtocol));
 
     }    
 }

src/gatling/java/simulations/Scripts/DartsApi/AutomatedTasks/RunApplyRetentionCaseAssociatedObjectsTaskSimulation.java

@@ -9,12 +9,13 @@
 
 import static io.gatling.javaapi.core.CoreDsl.*;
 import static io.gatling.javaapi.http.HttpDsl.*;
+import simulations.Scripts.Utilities.HttpUtil;
 
 
 public class RunApplyRetentionCaseAssociatedObjectsTaskSimulation extends Simulation {   
   {
-    final HttpProtocolBuilder httpProtocol = http
-        .proxy(Proxy(AppConfig.PROXY_HOST, AppConfig.PROXY_PORT))
+    final HttpProtocolBuilder httpProtocol =
+        HttpUtil.getHttpProtocol()
         .baseUrl(EnvironmentURL.B2B_Login.getUrl())
         .inferHtmlResources();
 

src/gatling/java/simulations/Scripts/DartsApi/AutomatedTasks/RunApplyRetentionTaskSimulation.java

@@ -9,12 +9,13 @@
 
 import static io.gatling.javaapi.core.CoreDsl.*;
 import static io.gatling.javaapi.http.HttpDsl.*;
+import simulations.Scripts.Utilities.HttpUtil;
 
 
 public class RunApplyRetentionTaskSimulation extends Simulation {   
   {
-    final HttpProtocolBuilder httpProtocol = http
-        .proxy(Proxy(AppConfig.PROXY_HOST, AppConfig.PROXY_PORT))
+    final HttpProtocolBuilder httpProtocol =
+        HttpUtil.getHttpProtocol()
         .baseUrl(EnvironmentURL.B2B_Login.getUrl())
         .inferHtmlResources();
 

src/gatling/java/simulations/Scripts/DartsApi/AutomatedTasks/RunArmRpoPollingTaskSimulation.java

@@ -10,12 +10,13 @@
 
 import static io.gatling.javaapi.core.CoreDsl.*;
 import static io.gatling.javaapi.http.HttpDsl.*;
+import simulations.Scripts.Utilities.HttpUtil;
 
 
 public class RunArmRpoPollingTaskSimulation extends Simulation {   
   {
-    final HttpProtocolBuilder httpProtocol = http
-        .proxy(Proxy(AppConfig.PROXY_HOST, AppConfig.PROXY_PORT))
+    final HttpProtocolBuilder httpProtocol =
+        HttpUtil.getHttpProtocol()
         .baseUrl(EnvironmentURL.B2B_Login.getUrl())
         .inferHtmlResources();
 

src/gatling/java/simulations/Scripts/DartsApi/AutomatedTasks/RunAudioLinkingTaskSimulation.java

@@ -9,12 +9,13 @@
 
 import static io.gatling.javaapi.core.CoreDsl.*;
 import static io.gatling.javaapi.http.HttpDsl.*;
+import simulations.Scripts.Utilities.HttpUtil;
 
 
 public class RunAudioLinkingTaskSimulation extends Simulation {   
   {
-    final HttpProtocolBuilder httpProtocol = http
-        .proxy(Proxy(AppConfig.PROXY_HOST, AppConfig.PROXY_PORT))
+    final HttpProtocolBuilder httpProtocol =
+        HttpUtil.getHttpProtocol()
         .baseUrl(EnvironmentURL.B2B_Login.getUrl())
         .inferHtmlResources();
 

src/gatling/java/simulations/Scripts/DartsApi/AutomatedTasks/RunAutomatedTask11Simulation.java

@@ -9,12 +9,13 @@
 
 import static io.gatling.javaapi.core.CoreDsl.*;
 import static io.gatling.javaapi.http.HttpDsl.*;
+import simulations.Scripts.Utilities.HttpUtil;
 
 
 public class RunAutomatedTask11Simulation extends Simulation {   
   {
-    final HttpProtocolBuilder httpProtocol = http
-        .proxy(Proxy(AppConfig.PROXY_HOST, AppConfig.PROXY_PORT))
+    final HttpProtocolBuilder httpProtocol =
+        HttpUtil.getHttpProtocol()
         .baseUrl(EnvironmentURL.B2B_Login.getUrl())
         .inferHtmlResources();
 

src/gatling/java/simulations/Scripts/DartsApi/AutomatedTasks/RunCaseExpiryDeletionSimulation.java

@@ -9,12 +9,13 @@
 
 import static io.gatling.javaapi.core.CoreDsl.*;
 import static io.gatling.javaapi.http.HttpDsl.*;
+import simulations.Scripts.Utilities.HttpUtil;
 
 
 public class RunCaseExpiryDeletionSimulation extends Simulation {   
   {
-    final HttpProtocolBuilder httpProtocol = http
-        .proxy(Proxy(AppConfig.PROXY_HOST, AppConfig.PROXY_PORT))
+    final HttpProtocolBuilder httpProtocol =
+        HttpUtil.getHttpProtocol()
         .baseUrl(EnvironmentURL.B2B_Login.getUrl())
         .inferHtmlResources();