mercedes-benz / sechub
SecHub provides a central API to test software with different security tools.

Home Page: https://mercedes-benz.github.io/sechub/

License: MIT License


SecHub

The free and open-source security platform SecHub provides a central API to test software with different security tools. Many free and open-source as well as proprietary security tools are supported by SecHub.

SecHub features:

Supported security tools:

Installation

Please visit https://github.com/mercedes-benz/sechub/wiki/ for detailed information.

Documentation

Introduction

SecHub orchestrates various security and vulnerability scanners which can find potential vulnerabilities in source code, binaries or web applications. This enables security, development and operations teams to review and fix security issues. As a result, SecHub improves application security.

SecHub basic architecture overview
                                                   +--------------+
                                              +--> | PDS + Tool A |
                                              |    +--------------+
+--------+                     +---------+    |
| SecHub | ---- scan data ---> | SecHub  | <--+
| Client | <---- report ------ |   API   | <--+
+--------+                     +---------+    |
                                              |    +--------------+
                                              +--> | PDS + Tool B |
                                                   +--------------+

The objective of SecHub is to help secure the software development lifecycle (SDLC) phases: development, deployment and maintenance, from the first written line of code to the application being in production. SecHub can be used to scan the software continuously.

The security tools are categorized into modules which are named after the security testing method they perform: codeScan, licenseScan, secretScan, webScan etc.

Note

The terms SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) are intentionally not used for the module names, because the designers feel those terms are vague and difficult to understand for non-security experts. On the other hand, security experts can easily map: codeScan to SAST and webScan to DAST.

Because of the modules, the user only needs to understand what security testing a module performs, rather than to know what specific security tools are used for the actual scan. The user describes in a configuration file what module(s) to use. Or in other words, what security testing methods should be used to test the software with.

To start a scan, the user sends the configuration file to the SecHub server via the API. For ease of use SecHub offers a client which calls the REST API for the user. The SecHub client can be used manually or can be integrated into a continuous-integration build pipeline (see the figure below).

CI/CD systems or users can scan with SecHub
/------\
| User | ----+
\------/     |            +--------+
             +-- Scan --> |        |
                          | SecHub |
             +-- Scan --> |        |
/-------\    |            +--------+
| CI/CD | ---+
\-------/

On receiving the user request, SecHub creates a job, delegates it to one or more security tools, collects the results and converts all into a report. Next, the user can download the report in a JSON or HTML format.

User Perspective

SecHub is designed to provide an efficient user workflow. The basic idea of SecHub is that the user has to do as little as possible to execute a security scan. The user has two options:
a) to use the REST API directly
b) to use the SecHub client.
Both can be integrated into a CI/CD pipeline.

Using the REST API requires several steps, which is fine if SecHub needs to be integrated into another software or platform.

However, it is recommended to use the SecHub client.
The SecHub client reduces the workflow to three steps:

SecHub three steps to scan
1. Create a configuration file  // (1)

/------+
| JSON |
+------/

2. Set Credentials // (2)

export SECHUB_USERID=myUserName…
…

3. Scan // (3)

+--------+                 +--------+
|        | ---- scan ----> |        |
| Client |                 | SecHub |
|        | <-- report ---- |        |
+--------+                 +--------+

(1) Create a SecHub configuration file. This step only needs to be done the first time.

(2) Provide the SecHub credentials.
Example:
export SECHUB_USERID=myUserName
export SECHUB_APITOKEN=NTg5YSMkGRkM2Uy00NDJjLTkYTY4NjEXAMPLE
export SECHUB_SERVER=https://sechub.example.com:8443

(3) Scan using sechub scan

Once the scan is finished, the client returns a report.

If the client is used to scan asynchronously, it will return a jobUUID which can be used to get the report:

Scan asynchronously
1. Scan asynchronously // (1)

+--------+                     +--------+
|        | --- scanAsync ----> |        |
| Client |                     | SecHub |
|        | <--- jobUUID ------ |        |
+--------+                     +--------+

2. GetReport // (2)

+--------+                     +--------+
|        | --- getReport ----> |        |
| Client |                     | SecHub |
|        | <--- report ------- |        |
+--------+                     +--------+

(1) Scan asynchronously using sechub scanAsync.
(2) Get report sechub -jobUUID <jobUUID> getReport.

In general, the jobUUID can be used to download the report again and again by different users and in different formats.

Report

SecHub collects the scan results from various security tools and converts them into a unified reporting format called the SecHub Report. The advantage is that the user needs to learn only one report format. The JSON report below shows what a report can look like:

JSON report example based on a scan of the G101, G103, G304 examples from GoSec.
{
   "result": {
      "count": 4,
      "findings": [
         {
            "id": 1,
            "description": "Potential hardcoded credentials",
            "name": "Potential hardcoded credentials",
            "severity": "HIGH",
            "code": {
               "location": "examples/g101.go",
               "line": 7,
               "column": 9,
               "source": "var password = \"f62e5bcda4fae4f82370da0c6f20697b8f8447ef\""
            },
            "type": "codeScan",
            "cweId": 798
         },
         {
            "id": 2,
            "description": "Use of unsafe calls should be audited",
            "name": "Use of unsafe calls should be audited",
            "severity": "MEDIUM",
            "code": {
               "location": "examples/g103.go",
               "line": 16,
               "column": 21,
               "source": "intPtr = (*int)(unsafe.Pointer(addressHolder))"
            },
            "type": "codeScan",
            "cweId": 242
         },
         {
            "id": 3,
            "description": "Use of unsafe calls should be audited",
            "name": "Use of unsafe calls should be audited",
            "severity": "MEDIUM",
            "code": {
               "location": "examples/g103.go",
               "line": 15,
               "column": 30,
               "source": "addressHolder := uintptr(unsafe.Pointer(intPtr)) + unsafe.Sizeof(intArray[0])"
            },
            "type": "codeScan",
            "cweId": 242
         },
         {
            "id": 4,
            "description": "Use of unsafe calls should be audited",
            "name": "Use of unsafe calls should be audited",
            "severity": "MEDIUM",
            "code": {
               "location": "examples/g103.go",
               "line": 15,
               "column": 56,
               "source": "addressHolder := uintptr(unsafe.Pointer(intPtr)) + unsafe.Sizeof(intArray[0])"
            },
            "type": "codeScan",
            "cweId": 242
         }
      ]
   },
   "messages": [],
   "reportVersion": "1.0",
   "trafficLight": "RED",
   "status": "SUCCESS",
   "jobUUID": "15a96c07-dcf3-4cbc-8d82-0acc9facd3a6"
}

The report can be downloaded in two flavors: JSON and HTML. Both are human readable. The HTML report is self-contained and can be read in any browser. The JSON format is machine readable and can be read by the SecHub plugins.
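Because the report format is the same regardless of which tool produced the findings, one small consumer serves every scan type. The following is an added example (not SecHub project code) of such a consumer: it parses a report, builds a severity histogram, groups findings per file, emits IDE/CI-style `file:line:col` annotations and turns the traffic light into a pipeline gate decision. It relies only on the fields visible in the report above; the sample report embedded below is a constructed copy of its first two findings, and the severity ordering beyond HIGH/MEDIUM is an assumption of this example.

```python
"""Parse a SecHub JSON report and derive CI-friendly views from it.

Added example, not part of the SecHub project. It relies only on the fields
visible in the README's report example: result.count, result.findings[]
(id, name, severity, cweId, code.location/line/column), trafficLight,
status, reportVersion and jobUUID.
"""
import json
from collections import Counter, defaultdict

# Constructed sample: the first two findings of the README's report example.
SAMPLE_REPORT = """
{
  "result": {
    "count": 2,
    "findings": [
      {"id": 1, "name": "Potential hardcoded credentials", "severity": "HIGH",
       "code": {"location": "examples/g101.go", "line": 7, "column": 9,
                "source": "var password = \\"f62e5bcda4fae4f82370da0c6f20697b8f8447ef\\""},
       "type": "codeScan", "cweId": 798},
      {"id": 2, "name": "Use of unsafe calls should be audited", "severity": "MEDIUM",
       "code": {"location": "examples/g103.go", "line": 16, "column": 21,
                "source": "intPtr = (*int)(unsafe.Pointer(addressHolder))"},
       "type": "codeScan", "cweId": 242}
    ]
  },
  "messages": [],
  "reportVersion": "1.0",
  "trafficLight": "RED",
  "status": "SUCCESS",
  "jobUUID": "15a96c07-dcf3-4cbc-8d82-0acc9facd3a6"
}
"""

# Worst-first ordering; only HIGH and MEDIUM appear on the page, the rest is assumed.
SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO")


def parse_report(text):
    """Load the report and check the fields every consumer below depends on."""
    report = json.loads(text)
    if report.get("reportVersion") != "1.0":
        raise ValueError("unsupported reportVersion: %r" % report.get("reportVersion"))
    findings = report.get("result", {}).get("findings")
    if not isinstance(findings, list):
        raise ValueError("report has no result.findings list")
    if report["result"].get("count", len(findings)) != len(findings):
        raise ValueError("result.count does not match the number of findings")
    return report


def count_by_severity(report):
    """Histogram of finding severities, e.g. {'HIGH': 1, 'MEDIUM': 1}."""
    return dict(Counter(f["severity"] for f in report["result"]["findings"]))


def findings_by_file(report):
    """Group finding ids per source location; findings without a 'code' block get a placeholder."""
    grouped = defaultdict(list)
    for f in report["result"]["findings"]:
        code = f.get("code") or {}
        grouped[code.get("location", "<no location>")].append(f["id"])
    return dict(grouped)


def annotations(report):
    """One 'file:line:col: SEVERITY CWE-n name' line per finding, sorted worst-first,
    which is the shape IDE and CI annotation tooling usually consumes."""
    lines = []
    for f in report["result"]["findings"]:
        code = f.get("code") or {}
        sev = f["severity"]
        rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)
        lines.append((rank, "%s:%s:%s: %s CWE-%s %s" % (
            code.get("location", "-"), code.get("line", "-"), code.get("column", "-"),
            sev, f.get("cweId", "?"), f["name"])))
    return [text for _, text in sorted(lines)]


def gate(report, fail_on=("RED",)):
    """CI gate decision as (passed, reason). A scan that did not succeed never passes."""
    if report.get("status") != "SUCCESS":
        return False, "scan status is %s" % report.get("status")
    if report.get("trafficLight") in fail_on:
        return False, "traffic light is %s for job %s" % (report["trafficLight"], report.get("jobUUID"))
    return True, "traffic light is %s" % report.get("trafficLight")


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(count_by_severity(r))
    print("\n".join(annotations(r)))
    print(gate(r))
```

The gate deliberately treats any status other than SUCCESS as a failure: a tool that crashed (compare the Checkmarx "empty source upload" issue further down this page) must not let a pipeline through as if nothing had been found.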

Mark Findings as False-Positives

There are two major reasons for marking a security finding as false-positive:
- It is an actual false-positive.
- The finding is a false-positive in the context of the application. For example, the application is never deployed to be reachable from the internet.

Regardless of the reason, SecHub supports marking findings as false-positives. The marking of false-positives is a SecHub feature and is independent of the security tools used to scan.

SecHub Plugins

The SecHub Plugins improve the user experience by enabling the user to work directly with the SecHub report in the IDE or text editor.

SecHub plugins exist for the following text editors and IDEs:

All plugins are free and open-source software (FOSS) and can be installed directly from within the IDE or text editors.

Modules

Security tools are categorized into modules.

Each module performs a different security testing method:

  • codeScan - scans code or binaries for potential vulnerabilities (weaknesses).
    This includes SAST (static application security testing) and IaC (infrastructure as code).

  • infraScan - scans infrastructure for vulnerabilities.

  • licenseScan - scans code or artifacts for license information.

  • secretScan - scans code or artifacts for secrets (API tokens, certificates, passwords).

  • webScan - scans a deployed web application for vulnerabilities. Also known as DAST.

codeScan

Alias: Static application security testing (SAST), static code analysis, infrastructure-as-code (IaC) scan

Status: Productive

The codeScan module scans source code or binary artifacts for potential vulnerabilities (weaknesses). To scan, the user uploads the code or binary to SecHub. Once the files are uploaded, SecHub delegates the scan to one of many security tools.

PDS-Solutions:
- GoSec
- PMD
- FindSecurityBugs
- Bandit
- Checkmarx SAST (wrapper only)
- … and more

secretScan

Status: Productive

Scans code or artifacts for secrets (API tokens, certificates, passwords).

PDS-Solutions:
- Gitleaks

webScan

Alias: Dynamic application security testing (DAST)

Status: Productive

The webScan module scans running web applications for vulnerabilities. The only requirement is that the web application can be reached by SecHub over the network.

PDS-Solutions:
- OWASP ZAP

infraScan

Status: Experimental

The infraScan module scans systems in a network.

licenseScan

Status: Experimental

The licenseScan module scans code or artifacts for license information.

PDS-Solutions:
- Scancode
- Tern

Architecture

SecHub is designed to execute hundreds of scans. It can scale horizontally and vertically. It can run on bare metal, virtual machines, Kubernetes or in the cloud.

The smallest useful setup is: a single SecHub server and a single product delegation server (PDS). Those two components are enough to start scanning.

For a larger setup, the number of SecHub server instances can be increased and more PDS instances can be added.
The only requirements to scale SecHub are a PostgreSQL database and an object store or file share. SecHub and PDS instances use the PostgreSQL database to share information between instances; for example, the job queue is kept in PostgreSQL. In addition, an object store or file share is necessary so that all SecHub or PDS instances can store and read files.

Regardless of the backend complexity, whether one SecHub server or many are used, the workflow for the user stays the same.

For more details about the architecture have a look at the architecture documentation: https://mercedes-benz.github.io/sechub/latest/sechub-architecture.html.

Operations Perspective

One needs to configure the scan tools as well as manage users and projects.
For details please check the operations guide.

REST API

All user and administrative tasks can be done via REST API. SecHub is designed as a RESTful server.

Contributing

We welcome any contributions. If you want to contribute to this project, please read the contributing guide.

Code of Conduct

Please read our Code of Conduct as it is our base for interaction.

License

This project is licensed under the MIT LICENSE.

Provider Information

Please visit https://www.mercedes-benz-techinnovation.com/en/imprint/ for information on the provider.

Notice: Before you use the program in productive use, please take all necessary precautions, e.g. testing and verifying the program with regard to your specific use. The program was tested solely for our own use cases, which might differ from yours.


sechub's Issues

Provide OpenID connect

At the moment we only have basic authentication, secured by HTTPS.

For better user ID handling, corporate integration etc. we will provide OpenID Connect.

Handle empty source uploads in dedicated way

Checkmarx adapter does currently fail when source files are empty.

E.g. :

Caused by: com.daimler.sechub.adapter.AdapterException: __[SECHUB-UID:18b606d1-6729-486f-83d1-50ea0c7634ed]__ CheckmarxAdapterV1:The queuing has failed:Failed to start scanning due to one of following reasons: source folder is empty, all source files are of an unsupported language or file format

On response we got only one finding with text:
"description" : "Security product 'CHECKMARX' failed, so cannot give a correct answer.",

We could handle this in future in one of the following variants:

  1. Show a dedicated finding (warning) that no sources were uploaded
    and do not call any product. So no matter which product, this would always be the same.
  2. Leave it as is - means a product-specific response.... not nice
  3. SecHub accepts this always as "green" - no source, no cry...
    So no matter which product, this would always be the same.

Enable / Disable scheduler job processing + provide Scheduler Status

At the moment a deployment in a cluster environment - e.g. Kubernetes - has the following problem:

When we upgrade deployed server versions to the next version, the running server instances will be stopped.... so also the JVMs... which means also every running SecHub job inside... After the new deployments these jobs are lost.

The easiest way to handle this, is to integrate a switch option into sechub administration and sechub scheduler.

Usecases:

  • Admin stops scheduling
  • Admin restarts scheduling
  • Admin gets information about scheduling status (stopped,running, amount of waiting scheduled Jobs)

When scheduling is enabled/disabled a notification to admins shall be sent, so it's clear what happened (when disabled no job processing happens...)

Improve CORS handling for anonymous signup

At AnonymousSignupRestController there is a usage of
@CrossOrigin
but without any restriction.

https://spring.io/guides/gs/rest-service-cors/
describes how to setup this.

The best way would be to make the origins configurable. Whether this is possible by using a Spring value here should be checked.
Otherwise maybe cors filtering could be an option.

By allowing any location to call this, this could lead to a security problem (maybe)

Checkmarx team id is fixed - handle multi tenancy

Currently the teamId used in the Checkmarx product executor is fixed.

Because checkmarx does group users by teamId and has no other option to reduce visibility
of scans, we must change the behaviour.

A project scan should always have its own project team id instead of a fixed one.

But this could lead either into automated teamId creation for new projects, or if not possible by rest API this will become part of the onboarding process.

Netsparker team id fixed - how to handle multi tenancy

Situation

Netsparker has (currently) following permission model:

user1a (=Team1 = Team1 admin)
|_user1b
|_user1c

user2a (=Team2 = Team2 admin)
|_user2b
|_user2c

so when user1a scans something user1b and user1c will have access to all of these results. But user2a,user2b,user2c will not have access.

At the moment we provide only one team, which means that if we gave users access to the Netsparker UI, they would see all results.

Wanted

Every project user should only see its own project results.

Obstacles

One solution considered was to define a team for every SecHub project and give access to users
inside this team only.

Unfortunately Netsparker users must all have unique email addresses and we have a 1:1 mapping between team admin and users, which means when we have a user who is in project1 and project2 we could not manage this situation - except when we add two different email addresses (meaning accounts) for the same person! So a solution by just setting up Netsparker teams for each SecHub project will not work!

Solution

Netsparker provides a mechanism called "website groups". Inside these groups you can give explicit permissions. Having a website group defined those scans are no longer visible for all users but only dedicated ones.

Example:

user1a (=Team1 = Team1 admin)
|_user1b
|_user1c
|_website-group1 (contains test1.example.com)
   |_assign user1b to this group
|_website-group2 (contains test2.example.com)
   |_assign user2b to this group

In the example before, user2b only has access to scans for test2.example.com.

So this solves our problem and we have no

Consequences

  • If you need to separate results because of need of multi tenancy you are currently forced
    to create website groups (manual) and add users to these website groups (manual)

Continuous integration build fails with missing property exception

Continuous integration build fails with

groovy.lang.MissingPropertyException: No such property: failed for class: groovy.lang.Binding
	at groovy.lang.Binding.getVariable(Binding.java:63)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:270)
	at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:289)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:293)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:269)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:269)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:269)
	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.getProperty(SandboxInvoker.java:29)
	at com.cloudbees.groovy.cps.impl.PropertyAccessBlock.rawGet(PropertyAccessBlock.java:20)
	at WorkflowScript.run(WorkflowScript:62)
	at ___cps.transform___(Native Method)
	at com.cloudbees.groovy.cps.impl.PropertyishBlock$ContinuationImpl.get(PropertyishBlock.java:74)
	at com.cloudbees.groovy.cps.LValueBlock$GetAdapter.receive(LValueBlock.java:30)
	at com.cloudbees.groovy.cps.impl.PropertyishBlock$ContinuationImpl.fixName(PropertyishBlock.java:66)
	at sun.reflect.GeneratedMethodAccessor170.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
	at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
	at com.cloudbees.groovy.cps.Next.step(Next.java:83)
	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:174)
	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:163)
	at org.codehaus.groovy.runtime.GroovyCategorySupport$ThreadCategoryInfo.use(GroovyCategorySupport.java:129)
	at org.codehaus.groovy.runtime.GroovyCategorySupport.use(GroovyCategorySupport.java:268)
	at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:163)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:18)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:51)
	at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:186)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:370)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$200(CpsThreadGroup.java:93)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:282)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:270)
	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:64)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:131)
	at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
	at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:59)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
Finished: FAILURE

Provide Message-Groups and change documentation generator

Currently every MessageID is listed as ONE list, also the PlantUML file overview is a ONE picture.

At the moment this works. But when having some additional messages we will get problems in overview and in readability of document.

So we should introduce a grouping mechanism (maybe another enum, used inside MessageId enum) to make smaller PlantUml views and to have a structured list inside documentation.

Remove Demo Mode Profile and Setup

At the beginning of sechub there was a Profile "DEMO_MODE" for presentation.

This profile must be removed - when somebody wants a demo without having access to real security products, the INTEGRATION_TEST profile can be used.

Improve project time to wait for other projects on a running job

Situation

We have the situation that some security products do not scale well enough and can block other project scans by just one full fat big scan. And when only one instance is running, all others must wait...

Very, very painful for other projects.

Wanted

Highly critical (time-sensitive) projects should be processed faster, even when there are many existing parts in the queue.

How could we achieve this?

Idea 1: Security Environments

An administrator defines something like "security-environment". There exists a default
environment which is used by every project (fallback) not being assigned to a specific environment.

Inside the environment an administrator can define a configuration setup for dedicated products. E.g. something like "VIP-project-XYZ" would be defined as an environment and has not the default scan server as target, but a dedicated one.

Only an administrator can change this setup. The setup should be product specific. So every adapter must be able to operate with these settings. The easiest way could be to use a JSON text file which represents product ids and a general key-value structure. In a later admin web UI the content should be graphical by providing a key-value UI...

Risks/Problems
  • How to provide secrets for products here?

Delete project failed on developer admin ui

Delete project does not work inside admin ui for test scenario3 on integration-test-server

Steps to reproduce:

  • start integration test server
  • start admin ui
  • create test data (scenario3)
  • delete project scenario3_project1

I got the following message inside the UI:


[EXECUTE] DeleteProjectAction-1566973605364
ERROR:
status code::405, text:,body:
{"status":405,"error":"Method Not Allowed","message":"Request method 'POST' not supported","details":[],"timeStamp":"Wed Aug 28 08:26:50 CEST 2019"}
sent
[DONE]

Change go client, so apitoken can be set by environment entry instead argument

Currently we have the same situation for the Go client as for the admin UI, see #8:
everybody able to see processes on the server side also sees the API token used when calling the
SecHub client.

SECHUB_APITOKEN environment shall be an addition to existing code. It shall be downward compatible. But a warning should be printed out when user is using argument instead of env entry.

Netsparker: change website name generator because HTTP vs. HTTPS problem

Currently website name for netsparker is generated by md5 of complete root target uri.

For example:
http://testserver.your.corp.example.com:8082

but if you have changed your website from HTTP only to HTTPS, you will have
https://testserver.your.corp.example.com:8082 which leads to another MD5 value, which on the next scan leads to a newly created website (in Netsparker).

Unfortunately netsparker does not allow this because the former scanned http pages are (correctly) recognized as duplicates.

So we must change the name creation and no longer use
http://testserver.your.corp.example.com:8082
but
testserver.your.corp.example.com:8082
as identifier!

We also will no longer use MD5 for names, but only hostname + _ + port.

so name in former example will be:
testserver.your.corp.example.com_8082

when no port is given, we set "DEFAULT"
testserver.your.corp.example.com_default
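The naming scheme proposed in this issue, as an added example that is not the project's own implementation: the new name is derived from hostname and port only, so the http:// and https:// variants of the same target map to the same Netsparker website, while the legacy MD5-of-the-full-URI scheme is included only to show why they used to diverge. The bare-`host:port` handling and the lowercase `default` suffix (as in the example above) are choices of this example.

```python
"""Derive a stable Netsparker website name from a scan target URI.

Added example, not the project's own implementation. It follows the naming
scheme proposed in the issue above: hostname + "_" + port, or "_default"
when no port is given, so that http:// and https:// variants of the same
target map to the same website. The legacy scheme (MD5 of the complete root
target URI) is included only to show why the two variants used to diverge.
"""
import hashlib
from urllib.parse import urlparse


def legacy_md5_name(target_uri):
    """Old scheme from the issue: MD5 over the complete root target URI."""
    return hashlib.md5(target_uri.encode("utf-8")).hexdigest()


def website_name(target_uri):
    """New scheme: '<hostname>_<port>', or '<hostname>_default' without an explicit port."""
    uri = target_uri.strip()
    # urlparse() treats 'host:8082' as scheme 'host'; force network-location parsing
    # for targets given without a scheme (an extension of this example).
    if "://" not in uri:
        uri = "//" + uri
    parts = urlparse(uri)
    if not parts.hostname:
        raise ValueError("no hostname in target URI: %r" % target_uri)
    port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    # hostname is already lowercased by urlparse, so case differences do not split a website
    return "%s_%s" % (parts.hostname, port if port is not None else "default")


def same_website(uri_a, uri_b):
    """True when both targets resolve to the same Netsparker website under the new scheme."""
    return website_name(uri_a) == website_name(uri_b)


if __name__ == "__main__":
    http_target = "http://testserver.your.corp.example.com:8082"
    https_target = "https://testserver.your.corp.example.com:8082"
    print(legacy_md5_name(http_target) == legacy_md5_name(https_target))  # False: one website per scheme
    print(website_name(http_target))                                      # testserver.your.corp.example.com_8082
    print(website_name("https://testserver.your.corp.example.com"))       # testserver.your.corp.example.com_default
```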

Automatically remove old scans

About

To prevent full hard drives there should be an option to automatically remove old scan data.

Wanted

As an administrator I can configure an "auto cleanup configuration" and after which age a job and its data will be automatically dropped.

Solution

Configuration

Usecases

UC:Administrator updates auto cleanup configuration

Domain:administration

  • REST API for admin domain
  • Stores new configuration inside database
  • An event with message id AUTO_CLEANUP_CONFIGURATION_CHANGED is triggered containing the calculated days for auto cleaning
  • Introduce an AdministrationConfig database table like the one that already exists for the scheduler: SchedulerConfig (adopt behavior, just for the administration domain)
  • Enhance AdministrationConfig and introduce time field auto_cleanup_in_days - per default 0, means auto cleanup disabled

UC: Administrator fetches auto cleanup configuration

Domain: administration

  • REST API for admin domain
  • Open API generation check
  • When no cleanup configuration existed before, a default will be returned with "0 month" - so still being disabled

UC: Auto clean execution by system (technical use case)

Domain: scan

  • Rename old ScanConfig to ScanMappingConfig and all related parts (like services etc.) - will be done with #1059
  • Introduce new ScanConfig and adopt like done inside introduce time field auto_cleanup_in_days - per default 0, means auto cleanup disabled
  • on AUTO_CLEANUP_CONFIGURATION_CHANGED the days for cleanup are fetched from event and stored in db
  • Introduce ScanAutoCleanupTriggerService which is annotated with @schedule and is configurable by SpringValue annotation
  • delete old scan_product_result entries
  • delete old scan_project_log entries
  • we currently do NOT delete scan_report entries at the moment, this will be done with #1010 because currently we can only use these database rows for statistics

Domain: schedule

  • on AUTO_CLEANUP_CONFIGURATION_CHANGED the days for cleanup are fetched from event and stored in db
  • Introduce ScheduleAutoCleanupTriggerService which is annotated with @schedule and is configurable by SpringValue annotation
  • drops old schedule_sechub_job entries

Domain: administration

  • on AUTO_CLEANUP_CONFIGURATION_CHANGED the days for cleanup are fetched from event and stored in db
  • Introduce an AdministrationAutoCleanupConfig which represents the auto cleanup configuration
    This configuration contains a "remove-jobs-older-than" field which contains a "time-unit" and "amount" entry.
  • Introduce AdministrationAutoCleanupTriggerService which is annotated with @schedule and is configurable by SpringValue annotation. Does use the AdministrationConfigService to fetch data
  • AdministrationAutoCleanupService : deletes old adm_job_information entries

Documentation

  • Rest doc
  • Use case documentation are descriptive (+ don't forget the technical use cases)
  • Short explanation of concept "auto cleanup" inside "concepts"
  • The format of the time unit can be defined in "days", "weeks", "month", "years". This must be documented

Integration test

  • setup an integration test (difficult but should be possible)

Automatically remove old security scan result in products

With #19 sechub will automatically remove old scan results stored in SecHub database.
Out of scope there is the delete of scan data inside security products itself.

If this issue is done/necessary, we have to do following:

  • introduce a new event which has to be triggered by Job implemented in #19
  • implement a service which is able to read the product results, get corresponding data for product
    itself from result and trigger product adapter to delete
  • enhance adapter interface and implementations to provide the delete

Provide authenticated login for webscans

At the moment web scans are only done unauthenticated.
This reduces possibility of finding vulnerabilities much.

Current config (anonymous only)

{

	"apiVersion": "1.0",

	"webScan"   : {
               "uris": ["https://productfailure.demo.example.org"]
         }
}

Provided login mechanism

Some web scanners provide different authentication methods:

  • basic
  • form based
    • automated
    • scripted
    • recorded

We want to provide all of them without being product specific.
Basic and form based automated are simple - for "scripting or "recorded" this will be tricky.

Handle basic login

just provide product with information

Handle form based automated login

just provide product with information

Handle recorded or scripted logins

"Recorded" is a little bit "evil" when wanting to be product independent. Scripting as well. To solve this we will provide a scripting part where operations can be described in a very simple way. A product dependent script will be generated. If the product needs a recorded script/file, we will generate the record entry... All necessary metadata should be available when defining necessary script steps inside configuration.

Provide Web UI for administrators, users and owners

Currently we provide only a spartan admin UI for developers.

We must provide a web admin UI for better and more comfortable administration. The developer tools admin UI is only a first step or something to debug / test features etc., but not really a tool for operation.

Wanted:

  • server side rendered
  • shall be deployable on its own
    (so it can be outside the normal SecHub server URL => not an easy target...)
  • ... more

Provide possibility to terminate SecHub Jobs

As a SecHub project user I want to terminate a triggered SecHub job.

  • when not started
  • when already running

This shall be possible by

  • REST API
  • go client

Result shall be that the product adapters terminate the running product instances as well - if possible.

Online documentation update

TODO

Read completely:

  • techdoc
  • architecture
  • rest api
  • client documentation

and fix typos, add missing parts etc.

Improve sechub configuration validation

SecHub configuration validation is not very readable.

Also we need the following additional validations:

  • infrascans must contain at least one IP or one URI
  • webscans must contain at least one URI
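The two validations above, as an added example in Python (not SecHub's own validator): the sechub.json layout for "webScan"/"uris" follows the config shown earlier on this page, while the "infraScan" key with "ips" and "uris" lists is an assumption made for this example, and both sample configurations are constructed.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Constructed sample configurations (assumed key names: "infraScan" with
# "ips" and "uris" lists, mirroring the "webScan"/"uris" layout shown above).
VALID_CONFIG = """{
  "apiVersion": "1.0",
  "webScan": {"uris": ["https://productfailure.demo.example.org"]},
  "infraScan": {"ips": ["192.0.2.10"], "uris": []}
}"""

INVALID_CONFIG = """{
  "apiVersion": "1.0",
  "webScan": {"uris": []},
  "infraScan": {"uris": ["not a uri"]}
}"""

def _is_uri(value):
    # A usable URI needs at least a scheme and a host part.
    parsed = urlparse(str(value))
    return bool(parsed.scheme) and bool(parsed.netloc)

def _is_ip(value):
    try:
        ipaddress.ip_address(str(value))
        return True
    except ValueError:
        return False

def validate_sechub_config(text):
    """Return a list of validation messages; an empty list means the config is valid."""
    problems = []
    try:
        config = json.loads(text)
    except json.JSONDecodeError as err:
        return ["not valid JSON: " + str(err)]
    if config.get("apiVersion") != "1.0":
        problems.append("apiVersion must be 1.0")
    if "webScan" in config:
        uris = config["webScan"].get("uris", [])
        if not any(_is_uri(u) for u in uris):
            problems.append("webScan must contain at least one URI")
    if "infraScan" in config:
        infra = config["infraScan"]
        has_ip = any(_is_ip(i) for i in infra.get("ips", []))
        has_uri = any(_is_uri(u) for u in infra.get("uris", []))
        if not (has_ip or has_uri):
            problems.append("infraScan must contain at least one IP or one URI")
    return problems
```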

Provide possibility to protect/separate administrative and normal REST API by profiles

Why this feature?

REST calls starting with /api/admin should be better protectable by firewall / network configuration.

We provide a new profile "ADMIN_ACCESS" and make all admin REST parts only available with this profile. So we can start the server with or without access to the administrative parts.

Benefits:

  • for integration tests we can enable ADMIN_ACCESS as well, so that we have only one part and only one server to start
  • for production we are able to start different servers: some/one for user access and another one for admin access only, which can be restricted by firewalls - e.g. port and IP access filtering
  • no special configuration or additional software necessary

Document branching model

Direct committing to the master branch is not okay.

This must be documented and an (easy) branching model defined.

Reduce boiler plate code for Messaging

Currently we always have to duplicate the information about sending/receiving a message: once in the annotation and once in the actual code, with the same message ID.

This is very cumbersome:

In the next example REQUEST_SCHEDULER_STATUS_UPDATE is mentioned twice

@IsSendingAsyncMessage(MessageID.REQUEST_SCHEDULER_STATUS_UPDATE)
private void sendUpdateSchedulerStatusEvent() {
    DomainMessage request = DomainMessageFactory.createEmptyRequest(MessageID.REQUEST_SCHEDULER_STATUS_UPDATE);
    eventBusService.sendAsynchron(request);
}

Variant 1

It would be nice to have something like
DomainMessageFactory.createEmptyRequest(DomainMessageUtil.getMethodMessageId());

or another solution where we do not have to duplicate the message IDs.

Additional thought: One benefit of the duplication is the possibility to mark another (upper) method for the documentation but handle the message in a different one - this would no longer be possible then.

Eat your own dogfood: Static code analysis SecHub OSS inside CI

Inside continous-integration-multibranch-pipeline.jenkins there shall be another stage for security code scanning.

We need the following values defined in Jenkins:
SECHUB_CODESCAN_ENABLED (default: false; then the scan shall be ignored)
SECHUB_SERVER - shall be used for parameter server

We need the following secure storage parts:
SECHUB_APITOKEN - the token
SECHUB_USERID - shall be used for parameter userid

The project name will always be sechub.

Concept: False positive handling

We will create an asciidoc file for the concept:
sechub-doc/src/docs/asciidoc/documents/shared/concepts/false-postitive-handling/false-postitive-handling.adoc

At the moment false positive handling must be done inside the security products.

But what happens when somebody switches products or uses two products for the same purpose?
=> You get the false positives again.

Code scan

Mark false positives in code by developers

One way this could be handled very smoothly by developers would be a single-line comment option before the false positive:
// NOSECHUB:${identifier}
E.g.
Having a medium finding like:

"description": "\n<br>Location:java/com/daimler/sechub/docgen/AsciidocGenerator.java - line:28, column:35\\n<br>For details...
"name": "Absolute Path Traversal",

A developer could add a comment before it like
// NOSECHUB:Absolute Path Traversal

SecHub would still use the scan results from the products, but filter out the corresponding findings by mapping them to the found NOSECHUB lines.

This has the benefit that when developers refactor their code and the method ends up at another position or even in another file, the false positive handling would still work!
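The mapping described above, as an added example (not SecHub's own code): a finding is dropped only when the line directly before its reported location carries a NOSECHUB comment whose identifier equals the finding name, so the marker travels with the code on refactoring. The source file, its line numbers and the findings are constructed here; the finding shape follows the description/name fields quoted above.

```python
import re

# Constructed source file (not from the project): the NOSECHUB marker sits on
# the line directly before the statement a scanner flags (line 4 here).
SOURCE_FILES = {
    "java/com/daimler/sechub/docgen/AsciidocGenerator.java": [
        "package com.daimler.sechub.docgen;",
        "public class AsciidocGenerator {",
        "    // NOSECHUB:Absolute Path Traversal",
        "    File target = new File(System.getProperty(\"sechub.doc.target\"));",
        "    File other = new File(userInput);",
        "}",
    ]
}

# Constructed findings in the shape quoted above: the description carries the location.
FINDINGS = [
    {"name": "Absolute Path Traversal",
     "description": "\n<br>Location:java/com/daimler/sechub/docgen/AsciidocGenerator.java - line:4, column:35\\n<br>For details..."},
    {"name": "Absolute Path Traversal",
     "description": "\n<br>Location:java/com/daimler/sechub/docgen/AsciidocGenerator.java - line:5, column:29\\n<br>For details..."},
]

LOCATION_RE = re.compile(r"Location:(?P<path>\S+) - line:(?P<line>\d+)")
MARKER_RE = re.compile(r"//\s*NOSECHUB:(?P<identifier>.+?)\s*$")

def marker_before(lines, line_no):
    """Return the NOSECHUB identifier on the line directly before line_no (1-based), or None."""
    if line_no < 2 or line_no > len(lines):
        return None
    match = MARKER_RE.search(lines[line_no - 2])
    return match.group("identifier") if match else None

def filter_false_positives(findings, sources):
    """Keep every finding except those whose flagged line is preceded by a matching marker."""
    kept = []
    for finding in findings:
        location = LOCATION_RE.search(finding["description"])
        if location is None:
            kept.append(finding)  # no parsable location: never drop silently
            continue
        lines = sources.get(location.group("path"), [])
        if marker_before(lines, int(location.group("line"))) != finding["name"]:
            kept.append(finding)
    return kept
```

Only the finding on line 4 is suppressed; the one on line 5 has no marker directly above it and is reported unchanged.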

Web scan

  1. REST service with filter option for URL + Vulnerability
  2. later: Web UI - using 1.

Infra scan

TBD

Excel export for developertools admin UI

The developer tools admin UI shall have an Excel export for the user/owner/project overview:

We need a simple export to Excel where we can find

  • projects, with
    • their name, owner, owner email address, assigned users, whitelists

Online documentation bugfix

In this issue we collect current bugs in the online documentation (GitHub pages).

Via this issue the problems will be fixed inside the adoc files.
When fixed we generate new HTML files and push them to the repository - but
we do no micro pushing...

Found problems

  • Description of System Properties does not describe that you also have the possibility to use ENV entries for this and how the conversion is done (standard Spring way, but should be mentioned inside the documentation)
  • download parts in GitHub pages must be removed, because they give no benefit
  • testmode must be removed
  • Fix "RestController delegates to RestController" in techdoc
  • Document new Gradle tasks
  • include messaging parts into techdoc (currently only available at architecture)

Publish changes

  • Build new github pages and push

Prod deployment not working, because SSL certificate missing

PROD deployment failed because the SSL certificate for PROD was not found/available;
the output was:

WARN 7 --- [ main] ConfigServletWebServerApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.context.ApplicationContextException: Unable to start web server; nested exception is java.lang.IllegalArgumentException: Resource location must not be null

Provide SecHub scan profiles in sechub.json

User story:

... "As a SecHub user I want to use a dedicated profile in my sechub.json file to have the possibility to change the security tools' behaviour"

Description:
We need profiles to handle specific security scenarios/needs.

E.g. a scenario like "continuous-integration" shall check faster/simpler than a "check-before-release".

Technical:

  • provide profile-ids inside the database
  • check that the profiles in the JSON are valid
  • provide a mapping from profile-id (for the user) to the internally used profile in products
  • use profile part in adapter communication

Make product executors configurable at runtime

At the moment SecHub only provides 3 products in a static way.

Problems:

  • All three products must be configured/prepared
    (otherwise server start fails)
  • No dynamic configuration of used products
    • No "kill switch" for products
    • No "activate" for short times / evaluation etc.

Wanted solution:

  • Configuration inside database
  • Rest API to enable/disable (and configure?) products

Integrate github actions

  • Connect to Travis CI
    • shall do all parts from the Jenkins CI pipeline
    • represents a quick CI visible to the community; Jenkins is still necessary for our own builds
  • Link images from Travis builds to README.md in the root folder

Change initial server and client tags

We tagged the initial OSS server with version 1.0.4 and the client with 1.5.0, because these were the versions used inside the former internal project.

But having multiple changes in the API in the near future (downward compatible but still changes), still wanting to support only API v1.0 at the moment and wanting to show that SecHub is still in development, we decided to change back the initial versions:

rename v1.0.4-server -> v0.10.4-server
rename v1.5.0-client -> v0.15.0-client

SecHub is currently ready to use with 3 products only. It works, but there is still much to do!
So this will better represent the current situation.

So inside this issue we will remove the old tags and replace them with new ones.

Provide and describe possibility to use SecHub behind a SSL proxy

It's not recommended, but if anybody wants to use SecHub with HTTP only (e.g. when running behind an SSL proxy) this shall be provided and also described in the documentation.

Tasks:

  • Describe in the documentation how to set up the server for running HTTP only
  • Make protocol changeable in developer administration UI

Create a ready to use java library for REST access

We have a Go client which reads the sechub.json file and does all the work.

But in some situations - e.g. when using SecHub from another software system - using the REST API is necessary instead of the native client.

Target:
For Java we could simply provide a nice, small and convenient Java library for automation.

To think about:
How should we do the REST calls here? Should we use Spring Boot (so not small any more...) or maybe just provide a helper class to create URLs more easily plus some POJOs, with the communication done by the callers themselves?

Write operations documentation

Write documentation for people who only want to know how to operate SecHub as a server in their existing infrastructure.

The former documentation only covers developers, users and architecture.

Provide OWASP ZAP

Situation

At the moment we only provide one SAST component: netsparker

Wanted

We want to provide OWASP ZAP as SAST component (FOSS alternative) in SecHub. See
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Solution

  • We integrate OWASP ZAP by the PDS approach.
  • We use this issue as an epic until we have
    • Sereco and report support for OWASP ZAP
    • Full PDS integration
    • Full login support
  • Work is done in "sub issues" linked inside this issue.

HTML report has wrong title name

When somebody wants to save the HTML report generated by SecHub, the name will be
SecHub scan result"

So we get a double quote at the end.

This is a typo and also a problem when moving / copying files on Linux.

Must be fixed.
