diff --git a/.github/workflows/_build+publish-pds-solution.yml b/.github/workflows/_build+publish-pds-solution.yml index 444e543f7a..84d62b692a 100644 --- a/.github/workflows/_build+publish-pds-solution.yml +++ b/.github/workflows/_build+publish-pds-solution.yml @@ -70,6 +70,7 @@ jobs: export SCANCODE_VERSION export SPDX_TOOL_VERSION export TERN_VERSION + export XRAY_WRAPPER_VERSION export DOCKER_REGISTRY="${ACTIONS_SECHUB_REGISTRY}/pds-${PDS_SOLUTION}" export VERSION_TAG=`./09-compute-image-tag.sh ${PDS_VERSION}` export BASE_IMAGE="${ACTIONS_SECHUB_REGISTRY}/pds-base:${PDS_VERSION}" diff --git a/.github/workflows/build+publish-all-pds-solutions.yml b/.github/workflows/build+publish-all-pds-solutions.yml index 1a2a754c70..edde06f975 100644 --- a/.github/workflows/build+publish-all-pds-solutions.yml +++ b/.github/workflows/build+publish-all-pds-solutions.yml @@ -20,12 +20,6 @@ jobs: pds-solution: checkmarx pds-version: ${{ inputs.pds-version }} - call_build_pds-loc: - uses: mercedes-benz/sechub/.github/workflows/_build+publish-pds-solution.yml@develop - with: - pds-solution: loc - pds-version: ${{ inputs.pds-version }} - # 2023-06-12: findsecuritybugs deactivated due to upstream fix is not yet released # call_build_pds-findsecuritybugs: # uses: mercedes-benz/sechub/.github/workflows/_build+publish-pds-solution.yml@develop @@ -45,6 +39,18 @@ jobs: pds-solution: gosec pds-version: ${{ inputs.pds-version }} + call_build_pds-iac: + uses: mercedes-benz/sechub/.github/workflows/_build+publish-pds-solution.yml@develop + with: + pds-solution: iac + pds-version: ${{ inputs.pds-version }} + + call_build_pds-loc: + uses: mercedes-benz/sechub/.github/workflows/_build+publish-pds-solution.yml@develop + with: + pds-solution: loc + pds-version: ${{ inputs.pds-version }} + call_build_pds-multi: uses: mercedes-benz/sechub/.github/workflows/_build+publish-pds-solution.yml@develop with: 
@@ -74,3 +80,9 @@ jobs: with: pds-solution: tern pds-version: ${{ inputs.pds-version }} + + call_build_pds-xray: + uses: mercedes-benz/sechub/.github/workflows/_build+publish-pds-solution.yml@develop + with: + pds-solution: xray + pds-version: ${{ inputs.pds-version }} diff --git a/.github/workflows/documentation-build.yml b/.github/workflows/documentation-build.yml index 000632bf9a..a0bd1d933c 100644 --- a/.github/workflows/documentation-build.yml +++ b/.github/workflows/documentation-build.yml @@ -37,18 +37,18 @@ jobs: fetch-depth: 0 - name: Set up JDK 17 - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 with: java-version: 17 distribution: temurin - name: Set up Gradle - uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a + uses: gradle/gradle-build-action@982da8e78c05368c70dac0351bb82647a9e9a5d2 with: cache-read-only: false - name: Set up Go - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 with: go-version: 1.20.4 @@ -74,14 +74,14 @@ jobs: # Upload documentation # ----------------------------------------- - name: Archive documentation HTML - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-docs-html path: sechub-doc/build/docs/final-html/ retention-days: 14 - name: Archive documentation PDF - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-docs-pdf path: sechub-doc/build/docs/asciidoc/*.pdf diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml index e47cd4e133..5b1f05a5ba 100644 --- a/.github/workflows/gradle.yml +++ b/.github/workflows/gradle.yml 
@@ -22,18 +22,18 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - name: Set up JDK 17 - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 with: java-version: 17 distribution: temurin - name: Set up Gradle - uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a + uses: gradle/gradle-build-action@982da8e78c05368c70dac0351bb82647a9e9a5d2 with: cache-read-only: false - name: Set up Go - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 with: go-version: 1.20.4 @@ -72,7 +72,7 @@ jobs: # ----------------------------------------- - name: Archive combined test report if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: combined-sechub-testreport path: build/reports/combined-report @@ -80,7 +80,7 @@ jobs: - name: Archive sechub server artifacts if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-server path: sechub-server/build/libs 
@@ -88,21 +88,21 @@ jobs: - name: Archive pds server artifacts if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-pds path: sechub-pds/build/libs - name: Archive pds tools artifacts if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-pds-tools path: sechub-pds-tools/build/libs - name: Archive developer tools artifacts if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-developertools path: sechub-developertools/build/libs @@ -110,7 +110,7 @@ jobs: - name: Archive sechub client artifacts if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-client path: sechub-cli/build/go @@ -118,14 +118,14 @@ jobs: - name: Archive sechub integration test report artifacts if: always() - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-integrationtest-test-reports path: sechub-integrationtest/build/sechub-test-reports retention-days: 14 - + - name: Archive openAPI3 JSON files - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-api-spec path: sechub-doc/build/api-spec/ diff --git a/.github/workflows/publish-libraries.yml b/.github/workflows/publish-libraries.yml index eb954ebb50..afc20e038b 100644 --- a/.github/workflows/publish-libraries.yml +++ b/.github/workflows/publish-libraries.yml 
@@ -28,13 +28,13 @@ jobs: # Build - name: Set up JDK 17 - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 with: java-version: 17 distribution: temurin - name: Set up Gradle - uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a + uses: gradle/gradle-build-action@982da8e78c05368c70dac0351bb82647a9e9a5d2 with: cache-read-only: false @@ -55,14 +55,14 @@ jobs: # ----------------------------------------- - name: Archive combined test report if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: combined-sechub-testreport path: build/reports/combined-report retention-days: 14 - name: Archive GIT status if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: git-status.txt path: build/reports/git-status.txt diff --git a/.github/workflows/release-client-server-pds.yml b/.github/workflows/release-client-server-pds.yml index ca8afe445f..3da54ed914 100644 --- a/.github/workflows/release-client-server-pds.yml +++ b/.github/workflows/release-client-server-pds.yml @@ -88,18 +88,18 @@ jobs: # Setup + Caching # ---------------------- - name: Set up JDK 17 - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 with: java-version: 17 distribution: temurin - name: Set up Gradle - uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a + uses: gradle/gradle-build-action@982da8e78c05368c70dac0351bb82647a9e9a5d2 with: cache-read-only: false - name: Set up Go - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 with: go-version: 1.20.4 
@@ -200,7 +200,7 @@ jobs: # ----------------------------------------- - name: Archive combined test report if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: combined-sechub-testreport path: build/reports/combined-report @@ -208,7 +208,7 @@ jobs: - name: Archive GIT status if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: git-status.txt path: build/reports/git-status.txt @@ -216,7 +216,7 @@ jobs: - name: Archive sechub server artifacts if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-server path: sechub-server/build/libs @@ -224,14 +224,14 @@ jobs: - name: Archive pds server artifacts if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-pds path: sechub-pds/build/libs - name: Archive developer tools artifacts if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-developertools path: sechub-developertools/build/libs @@ -239,7 +239,7 @@ jobs: - name: Archive sechub client artifacts if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-client path: sechub-cli/build/go 
@@ -258,21 +258,21 @@ jobs: # Upload documentation # ----------------------------------------- - name: Archive documentation HTML - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-docs-html path: sechub-doc/build/docs/final-html/ retention-days: 14 - name: Archive documentation PDF - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-docs-pdf path: sechub-doc/build/docs/asciidoc/*.pdf retention-days: 14 - name: Archive openAPI3 JSON files - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-api-spec path: sechub-doc/build/api-spec/ diff --git a/.github/workflows/release-pds-tools.yml b/.github/workflows/release-pds-tools.yml index c2d5049be8..c42b4980f9 100644 --- a/.github/workflows/release-pds-tools.yml +++ b/.github/workflows/release-pds-tools.yml @@ -46,13 +46,13 @@ jobs: # Setup + Caching # ---------------------- - name: Set up JDK 17 - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 with: java-version: 17 distribution: temurin - name: Set up Gradle - uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a + uses: gradle/gradle-build-action@982da8e78c05368c70dac0351bb82647a9e9a5d2 with: cache-read-only: false @@ -111,7 +111,7 @@ jobs: - name: Archive GIT status if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: git-status.txt path: build/reports/git-status.txt 
@@ -119,7 +119,7 @@ jobs: - name: Archive PDS-Tools cli artifact if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-pds-tools path: sechub-pds-tools/build/libs diff --git a/.github/workflows/release-wrapper-checkmarx.yml b/.github/workflows/release-wrapper-checkmarx.yml index 41a12913d0..d8cc15978d 100644 --- a/.github/workflows/release-wrapper-checkmarx.yml +++ b/.github/workflows/release-wrapper-checkmarx.yml @@ -36,13 +36,13 @@ jobs: # Setup + Caching # ---------------------- - name: Set up JDK 17 - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 with: java-version: 17 distribution: temurin - name: Set up Gradle - uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a + uses: gradle/gradle-build-action@982da8e78c05368c70dac0351bb82647a9e9a5d2 with: cache-read-only: false @@ -99,7 +99,7 @@ jobs: - name: Archive GIT status if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: git-status.txt path: build/reports/git-status.txt @@ -107,7 +107,7 @@ jobs: - name: Archive Checkmarx Wrapper libs directory if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-wrapper-checkmarx path: sechub-wrapper-checkmarx/build/libs diff --git a/.github/workflows/release-wrapper-owaspzap.yml b/.github/workflows/release-wrapper-owaspzap.yml index 84488d24d9..1b45a23172 100644 --- a/.github/workflows/release-wrapper-owaspzap.yml +++ b/.github/workflows/release-wrapper-owaspzap.yml 
@@ -37,13 +37,13 @@ jobs: # Setup + Caching # ---------------------- - name: Set up JDK 17 - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 with: java-version: 17 distribution: temurin - name: Set up Gradle - uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a + uses: gradle/gradle-build-action@982da8e78c05368c70dac0351bb82647a9e9a5d2 with: cache-read-only: false @@ -100,7 +100,7 @@ jobs: - name: Archive GIT status if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: git-status.txt path: build/reports/git-status.txt @@ -108,7 +108,7 @@ jobs: - name: Archive OWASP-ZAP Wrapper libs directory if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-wrapper-owasp-zap path: sechub-wrapper-owasp-zap/build/libs diff --git a/.github/workflows/release-wrapper-xray.yml b/.github/workflows/release-wrapper-xray.yml index 240aa3ffd0..f257d5e043 100644 --- a/.github/workflows/release-wrapper-xray.yml +++ b/.github/workflows/release-wrapper-xray.yml @@ -36,13 +36,13 @@ jobs: # Setup + Caching # ---------------------- - name: Set up JDK 17 - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 with: java-version: 17 distribution: temurin - name: Set up Gradle - uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a + uses: gradle/gradle-build-action@982da8e78c05368c70dac0351bb82647a9e9a5d2 with: cache-read-only: false 
@@ -86,7 +86,7 @@ jobs: # Build SecHub Xray Wrapper # ----------------------------------------- - name: Build Xray Wrapper - run: ./gradlew :sechub-wrapper-xray + run: ./gradlew :sechub-wrapper-xray:buildWrapperXray # ----------------------------------------- # Upload build artifacts @@ -99,7 +99,7 @@ jobs: - name: Archive GIT status if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: git-status.txt path: build/reports/git-status.txt @@ -107,7 +107,7 @@ jobs: - name: Archive Xray Wrapper libs directory if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-wrapper-xray path: sechub-wrapper-xray/build/libs diff --git a/sechub-doc/src/docs/asciidoc/documents/techdoc/03_coding_conventions.adoc b/sechub-doc/src/docs/asciidoc/documents/techdoc/03_coding_conventions.adoc index 13244ab720..152eace5ca 100644 --- a/sechub-doc/src/docs/asciidoc/documents/techdoc/03_coding_conventions.adoc +++ b/sechub-doc/src/docs/asciidoc/documents/techdoc/03_coding_conventions.adoc @@ -87,8 +87,11 @@ pds: ---- ==== Templates -When we define YAML templates - e.g. for HELM charts - the template statement shall -start at the first column without indention. +When defining YAML templates - e.g. for HELM charts + +- a template statement (e.g. `- if` or `- end`) shall start at the first column without indention +- nested template statements shall be indented (see example below) +- place inserted values indented like normal YAML. (Use `| trim` if appropriate) .Example [source,yaml] 
@@ -99,19 +102,18 @@ start at the first column without indention. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: {{ .Chart.Name }}-policy + name: {{ .Chart.Name }}-policy spec: - podSelector: - matchLabels: - name: {{ .Chart.Name }} + podSelector: + matchLabels: + name: {{ .Chart.Name }} -{{- if .Values.networkPolicy.ingress }} - ingress: -{{ .Values.networkPolicy.ingress | toYaml | indent 4 }} + {{- if .Values.networkPolicy.ingress }} + ingress: + {{ .Values.networkPolicy.ingress | toYaml | indent 4 | trim }} {{- end }} {{- end }} - ---- diff --git a/sechub-pds-solutions/gitleaks/tests/README.adoc b/sechub-pds-solutions/gitleaks/tests/README.adoc index d9e3caff7c..8e8148a50a 100644 --- a/sechub-pds-solutions/gitleaks/tests/README.adoc +++ b/sechub-pds-solutions/gitleaks/tests/README.adoc @@ -5,10 +5,18 @@ . Download `sechub-pds-tools-cli-x.y.z.jar` from the releases: https://github.com/mercedes-benz/sechub/releases/. . Copy `sechub-pds-tools-cli-x.y.z.jar` into this folder. -. Run system test +. Run system tests + -Example: +Run all tests example: + ---- -java -jar sechub-pds-tools-cli-1.1.0.jar systemtest --file systemtest_local.json --pds-solutions-rootfolder ../../ --sechub-solution-rootfolder ../../../sechub-solution +java -jar sechub-pds-tools-cli-1.2.0.jar systemtest --file systemtest_local.json --pds-solutions-rootfolder ../../ --sechub-solution-rootfolder ../../../sechub-solution ---- ++ +Run specific tests: ++ +---- +java -jar sechub-pds-tools-cli-1.2.0.jar systemtest --file systemtest_local.json --pds-solutions-rootfolder ../../ --sechub-solution-rootfolder ../../../sechub-solution --run-tests wrongsecrets +---- + + diff --git a/sechub-pds-solutions/gitleaks/tests/clone_repo.sh b/sechub-pds-solutions/gitleaks/tests/clone_repo.sh index 54a98cc134..36c82494a4 100755 --- a/sechub-pds-solutions/gitleaks/tests/clone_repo.sh +++ b/sechub-pds-solutions/gitleaks/tests/clone_repo.sh 
@@ -13,7 +13,7 @@ fi
 if [[ -z "$vulnerable_repo" ]]
 then
 echo "No vulnerable application repository provided"
- exit 1
+ exit 2
 fi
 cd "$current_test_folder"
diff --git a/sechub-pds-solutions/gitleaks/tests/copy_sanitycheck_files.sh b/sechub-pds-solutions/gitleaks/tests/copy_sanitycheck_files.sh
new file mode 100755
index 0000000000..6545959f07
--- /dev/null
+++ b/sechub-pds-solutions/gitleaks/tests/copy_sanitycheck_files.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: MIT
+
+current_test_folder="$1"
+
+if [[ ! -d "$current_test_folder" ]]
+then
+ echo "Target folder is empty"
+ exit 1
+fi
+
+cd `dirname $0`
+
+echo "copy sanity check testdata folder"
+cp -r sanity-check-testdata/ "$current_test_folder/sanity-check"
+
diff --git a/sechub-pds-solutions/gitleaks/tests/sanity-check-testdata/my-readme.md b/sechub-pds-solutions/gitleaks/tests/sanity-check-testdata/my-readme.md
new file mode 100644
index 0000000000..6e67d3d66f
--- /dev/null
+++ b/sechub-pds-solutions/gitleaks/tests/sanity-check-testdata/my-readme.md
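Review bot: `exit 2` gives the missing-repository case a distinct status from the check that precedes it (that earlier branch is outside the hunk, so I am inferring it exits with 1), but nothing in the script records what 2 means for callers such as the system-test framework. A one-line comment above the changed line, `# exit 2: no repository URL given as 2nd argument`, or a short exit-code list in the header comment would keep the two codes in sync. The `if` block is complete within the hunk; the rest of clone_repo.sh is not shown.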
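Review bot: The message `Target folder is empty` does not describe the condition `[[ ! -d "$current_test_folder" ]]`, which fires when the argument is missing or is not a directory, not when the directory is empty; `echo "Target folder '$current_test_folder' does not exist or is not a directory" >&2` says what was actually checked. The later cd on `dirname $0` (backticks, unquoted, unchecked) means that with a script path containing spaces, or a failing cd, the following `cp -r sanity-check-testdata/ ...` runs against the caller's working directory instead; `cd "$(dirname "$0")" || exit 1` is the form already used by `sechub-pds-solutions/iac/05-stop-single-sechub-network-docker-compose.sh` in this same change. The same unquoted and unchecked cd appears in the new `iac/01-start-single-docker-compose.sh`, `iac/05-start-single-sechub-network-docker-compose.sh`, `iac/10-create-image.sh`, `iac/20-push-image.sh` and `iac/50-start-multiple-docker-compose.sh`.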
@@ -0,0 +1,35 @@ +Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Et malesuada fames ac turpis egestas integer. Sapien et ligula ullamcorper malesuada. Lacus laoreet non curabitur gravida arcu ac tortor. myPassword="Mzc5OGFlZTMyOWFhOWY3NDZjMjY2YjliYTk5MmVlZGFkYTI2ODFiMjA0MGM0ZWQ4M2NmOWJkMjE4 +NjlhMmEwYzRkOTAzMmYxOWNhN2ZmZjkxMjM1ODA0MmNhYjRmZWE2YjAwYzBlNDBiNmM1N2Y3M2Uw" +NTFlYTVjMWYyMjAzMjUgIC0K Diam in arcu cursus euismod. Sem fringilla ut morbi tincidunt. Sed enim ut sem viverra. Cras sed felis eget velit aliquet sagittis id consectetur purus. Laoreet suspendisse interdum consectetur libero id faucibus nisl tincidunt eget. +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCm+uKpK6vB4RZx +KKi8u/JMixIjh7c1pCOdXEqTAIZ0//rNOIHGodeD8PtRejA+KpAM1IcY191G+x3y +vsZzwoXWq9dRBIB3pj0mzwveRUuLIr1cnA8Beb4tonh5+Z/L+HvwuVK45mhYOYyS +VPd3BeiMCRPFmWdGG0meJHn7wHJKeEYNLg8QLcVEUBe/dzmZ3KR5MVVERG2qofYC +5HzXtbmq9AVjHzYgoXc+r6oD/8XDqXnhLqlTfhWRn1TgE47SeCXoZfnqyFQBhQ1f +rGBR1xRhd9TIehFlGyPQv2AHTxfrLNhIIP72BIwZR+XW6jTJ3mucqmUmdFFAIJoF +KlFzW/ZlAgMBAAECggEADyo566NLtg/7Ocu3h2yKVOlMfG2W9ggyM9ht7WveykF1 +Ra4cGy4XpKP+LygpuXukGYYzvs3cCtZDoggxfdHs1dJFe9Ys1LEEXMHxEf65HanK +CN8jfb7QxtQ6nNlO6fdnSjWKjcBfOaQAYEnXL7gZpp4sbYXBG1zfEr29Vl/kAV9F +QevkrTkzHsjtf1DH2KvvKDEyHVQkmld2WRZe0kWVZ0uHs5fjRXtrJskMC65/YqCn +rxwxyjrGPxwZPrGR7DtaMY6htpyJ0Cac5Vqh8uEvtFc2iGEpSA6KtLOw/dPXYB93 +P4OkIQTgWf+gSIUi59a5AmVEfDaGxtT8QF4cCJ1/AQKBgQC7mL4whiOEseSikQyd +7FjSkn18B+UOe9jj7aAEao2J6UQQKIVahyun1PoIBi4ibT9Zn/GVh9FpQ89smRy/ +20jOEatp3+RE+EVajso790yX6g5xvZ3Kv13DMr+5B1kkfZvSOsrSyUKhesT4nVWq +S/2rrXoePNUR4NqDxgFqmy2tcwKBgQDj3a2FX3b3+HBvUkaD35bAhPeIyH2RfAeq +JTyPc9lnof3Dt92xC8DLMGkfuTyEUkimdV9yfK63k+eiTsHK7lscGco//TPeUX0S +pTRolvcbMkwEF5rUA67Olc88RJHxMWa6ZaR3rF7CwOvGVkAXsnP7acHfn4OXkmF7 +LYKE1bTWxwKBgQCeEsPX8X/GVXvZfC3MeJYTwXpZY/Gf9b25ucaHUh234sYGc46C +zLl9b1nMHyEKw1GJPNv9aveLIqeK063FAIrlkUAGM7GOaEFQYFeKlgSFUaUgNG3c 
+pMnmLEIfMFDuDaWaTQ4Q9aPem6uT7kd7+xJicggfqJTFvtmCBfu1j9K6fwKBgFdb +dBuutqhoSYqUC06hWGUkVNXOrz0oRLP5JJeGfXGai/QNuGMYs2fyfkrYNBgyh4Gx +e88jd8QPYv05nlgTO0CxrnULuGfh68ZLKaVzQvbdOIFVH1lqtAilLFbZnu3N16lc +MEpk/ctCNOHLzTSIiKh5Kgd2Wvev+clEcEZGu9afAoGAbYNkz04UgVz2S4iFjcxh +EAk9jSoebzkn3HgWyHPzPXkTLtqRl34WdbFne45blC1IXj6sHp9+alj8BAEUdHys +9SNUD3Sk4H3AzcFbo1gI9R7adFouDC6VdqMaquhaqZwDlSTritC9WJx6F8jdQlPl +AF+FBitzrTxC4BHuRMLzvbc= +-----END PRIVATE KEY----- +Augue interdum velit euismod in pellentesque massa placerat duis. Eu mi bibendum neque egestas congue quisque egestas diam in. Eget nunc lobortis mattis aliquam faucibus purus in massa. + +Password generated with: echo -n "mashed potato" | sha512sum - | base64 +Private key generated with: openssl genrsa 2048 \ No newline at end of file diff --git a/sechub-pds-solutions/gitleaks/tests/systemtest_local.json b/sechub-pds-solutions/gitleaks/tests/systemtest_local.json index e8f757c0b4..dcbfd75ea1 100644 --- a/sechub-pds-solutions/gitleaks/tests/systemtest_local.json +++ b/sechub-pds-solutions/gitleaks/tests/systemtest_local.json 
@@ -1,116 +1,202 @@ { - "setup": { - "local": { - "secHub": { - "admin": { - "userId": "admin", - "apiToken": "myTop$ecret!" - }, - "start": [ - { - "script": { - "path": "./01-start-single-docker-compose.sh" - } - } - ], - "configure": { - "executors": [ - { - "pdsProductId": "PDS_GITLEAKS", - "name": "system-test-gitleakes", - "parameters": { - "sechub.productexecutor.pds.adapter.resilience.retry.wait.milliseconds": 3000, - "sechub.productexecutor.pds.adapter.resilience.retry.max": 20, - "pds.config.use.sechub.storage": false - } - } - ] - }, - "stop": [ - { - "script": { - "path": "./01-stop-single-docker-compose.sh" - } - } - ] - }, - "pdsSolutions": [ - { - "name": "gitleaks", - "url": "https://pds-gitleaks:8444/", - "waitForAvailable": false, - "start": [ - { - "script": { - "path": "./05-start-single-sechub-network-docker-compose.sh" - } - } - ], - "stop": [ - { - "script": { - "path": "./05-stop-single-sechub-network-docker-compose.sh" - } - } - ], - "techUser": { - "userId": "techuser", - "apiToken": "pds-apitoken" - } + "setup": { + "local": { + "secHub": { + "start": [ + { + "script": { + "path": "./01-start-single-docker-compose.sh" + } + } + ], + "configure": { + "executors": [ + { + "pdsProductId": "PDS_GITLEAKS", + "name": "system-test-gitleakes", + "parameters": { + "sechub.productexecutor.pds.adapter.resilience.retry.wait.milliseconds": 3000, + "sechub.productexecutor.pds.adapter.resilience.retry.max": 20, + "pds.config.use.sechub.storage": false + } + } + ] + }, + "stop": [ + { + "script": { + "path": "./01-stop-single-docker-compose.sh" + } + } + ] + }, + "pdsSolutions": [ + { + "name": "gitleaks", + "url": "https://pds-gitleaks:8444/", + "waitForAvailable": false, + "start": [ + { + "script": { + "path": "./05-start-single-sechub-network-docker-compose.sh" + } + } + ], + "stop": [ + { + "script": { + "path": "./05-stop-single-sechub-network-docker-compose.sh" + } + } + ] + } + ] } - ] - } - }, - "tests": [ - { - "name": "unsafe-bank", - 
"prepare": [ + }, + "tests": [ { - "script": { - "arguments": [ - "${runtime.currentTestFolder}", - "https://github.com/lucideus-repo/UnSAFE_Bank" + "name": "sanity-check", + "comment": "This checks if the solution works at all. It is very fast. Can be used to test if system testframework has some problems at all.", + "prepare": [ + { + "script": { + "arguments": [ + "${runtime.currentTestFolder}" + ], + "path": "./copy_sanitycheck_files.sh" + } + } ], - "path": "./clone_repo.sh" - } - } - ], - "execute": { - "runSecHubJob": { - "uploads": [ - { - "sourceFolder": "UnSAFE_Bank", - "referenceId": "code" - } - ], - "secretScan": { - "use": [ - "code" + "execute": { + "runSecHubJob": { + "uploads": [ + { + "sourceFolder": "sanity-check", + "referenceId": "files" + } + ], + "secretScan": { + "use": [ + "files" + ] + } + } + }, + "assert": [ + { + "sechubResult": { + "hasTrafficLight": "YELLOW", + "containsStrings": { + "values": [ + "result", + "SUCCESS", + "jobUUID", + "reportVersion", + "MEDIUM", + "severity", + "my-readme.md" + ] + } + } + } ] - } - } - }, - "assert": [ + }, + { + "name": "wrongsecrets", + "prepare": [ + { + "script": { + "arguments": [ + "${runtime.currentTestFolder}", + "https://github.com/OWASP/wrongsecrets.git" + ], + "path": "./clone_repo.sh" + } + } + ], + "execute": { + "runSecHubJob": { + "uploads": [ + { + "sourceFolder": "wrongsecrets", + "referenceId": "application" + } + ], + "secretScan": { + "use": [ + "application" + ] + } + } + }, + "assert": [ + { + "sechubResult": { + "hasTrafficLight": "YELLOW", + "containsStrings": { + "values": [ + "result", + "SUCCESS", + "jobUUID", + "reportVersion", + "MEDIUM", + "severity", + "wrongsecrets/src/main/resources/application.properties" + ] + } + } + } + ] + }, { - "sechubResult": { - "hasTrafficLight": "YELLOW", - "containsStrings": { - "values": [ - "result", - "SUCCESS", - "jobUUID", - "reportVersion", - "MEDIUM", - "severity", - "UnSAFE_Bank/Backend/src/api/application/config/database.php" - ] 
+ "name": "unsafe-bank", + "prepare": [ + { + "script": { + "arguments": [ + "${runtime.currentTestFolder}", + "https://github.com/lucideus-repo/UnSAFE_Bank" + ], + "path": "./clone_repo.sh" + } + } + ], + "execute": { + "runSecHubJob": { + "uploads": [ + { + "sourceFolder": "UnSAFE_Bank", + "referenceId": "code" + } + ], + "secretScan": { + "use": [ + "code" + ] + } + } }, - "equalsFile": { - "path": "sechub-report-UnSAFE_Bank.json" - } - } + "assert": [ + { + "sechubResult": { + "hasTrafficLight": "YELLOW", + "containsStrings": { + "values": [ + "result", + "SUCCESS", + "jobUUID", + "reportVersion", + "MEDIUM", + "severity", + "UnSAFE_Bank/Backend/src/api/application/config/database.php" + ] + }, + "equalsFile": { + "path": "sechub-report-UnSAFE_Bank.json" + } + } + } + ] } - ] - } - ] + ] } \ No newline at end of file diff --git a/sechub-pds-solutions/iac/01-start-single-docker-compose.sh b/sechub-pds-solutions/iac/01-start-single-docker-compose.sh new file mode 100755 index 0000000000..e638f901cb --- /dev/null +++ b/sechub-pds-solutions/iac/01-start-single-docker-compose.sh @@ -0,0 +1,20 @@ +#!/usr/bin/env bash +# SPDX-License-Identifier: MIT + +cd $(dirname "$0") +source "../../sechub-solutions-shared/scripts/9999-env-file-helper.sh" + +ENVIRONMENT_FILES_FOLDER="../shared/environment" +ENVIRONMENT_FILE=".env-single" + +# Only variables from .env can be used in the Docker-Compose file +# all other variables are only available in the container +setup_environment_file ".env" "env" "$ENVIRONMENT_FILES_FOLDER/env-base-image" +setup_environment_file "$ENVIRONMENT_FILE" "$ENVIRONMENT_FILES_FOLDER/env-base" + +# Use Docker BuildKit +export BUILDKIT_PROGRESS=plain +export DOCKER_BUILDKIT=1 + +echo "Starting single container." +docker compose --file docker-compose_pds_iac.yaml up --build --remove-orphans 
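Review bot: The new `wrongsecrets` test clones `https://github.com/OWASP/wrongsecrets.git` with no pinned revision and then asserts a `YELLOW` traffic light and the fixed path `wrongsecrets/src/main/resources/application.properties`, so its outcome depends on whatever the upstream default branch contains on the day it runs. The `unsafe-bank` test has the same exposure and additionally compares the whole report against `sechub-report-UnSAFE_Bank.json` via `equalsFile`, which is even more sensitive to upstream edits. If `clone_repo.sh` can accept a revision (its clone line is outside this diff), passing a tag or commit as a further argument here would make both tests reproducible; otherwise a `comment` field stating the assumed upstream state, as the `sanity-check` test already carries, would at least document the dependency.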
diff --git a/sechub-pds-solutions/iac/05-start-single-sechub-network-docker-compose.sh b/sechub-pds-solutions/iac/05-start-single-sechub-network-docker-compose.sh
new file mode 100755
index 0000000000..b17b8b2132
--- /dev/null
+++ b/sechub-pds-solutions/iac/05-start-single-sechub-network-docker-compose.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: MIT
+
+cd $(dirname "$0")
+source "../../sechub-solutions-shared/scripts/9999-env-file-helper.sh"
+
+ENVIRONMENT_FILES_FOLDER="../shared/environment"
+ENVIRONMENT_FILE=".env-single"
+
+# Only variables from .env can be used in the Docker-Compose file
+# all other variables are only available in the container
+setup_environment_file ".env" "env"
+setup_environment_file "$ENVIRONMENT_FILE" "$ENVIRONMENT_FILES_FOLDER/env-base"
+
+# Use Docker BuildKit
+export BUILDKIT_PROGRESS=plain
+export DOCKER_BUILDKIT=1
+
+echo "Starting single container."
+docker compose --file docker-compose_pds_iac_external-network.yaml up --build --remove-orphans
diff --git a/sechub-pds-solutions/iac/05-stop-single-sechub-network-docker-compose.sh b/sechub-pds-solutions/iac/05-stop-single-sechub-network-docker-compose.sh
new file mode 100755
index 0000000000..4ee567a933
--- /dev/null
+++ b/sechub-pds-solutions/iac/05-stop-single-sechub-network-docker-compose.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: MIT
+
+cd "$(dirname "$0")" || exit 1
+
+docker compose --file docker-compose_pds_iac_external-network.yaml down --remove-orphans
\ No newline at end of file
diff --git a/sechub-pds-solutions/iac/09-compute-image-tag.sh b/sechub-pds-solutions/iac/09-compute-image-tag.sh
new file mode 100755
index 0000000000..503eff7642
--- /dev/null
+++ b/sechub-pds-solutions/iac/09-compute-image-tag.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# SPDX-License-Identifier: MIT
+
+# Compute image version tag for container image
+# 1st argument is the pds-base version
+
+VERSION_TAG=""
+if [ -n "$1" ]; then
+ VERSION_TAG="$1"
+else
+ # This should not happen, but in this case we just use the current date
+ VERSION_TAG="`date +%Y-%m-%d`"
+fi
+
+# Use date of build, because there are multiple tools contained
+VERSION_TAG+="_`date +%Y-%m-%d`"
+
+echo $VERSION_TAG
diff --git a/sechub-pds-solutions/iac/10-create-image.sh b/sechub-pds-solutions/iac/10-create-image.sh
new file mode 100755
index 0000000000..9aa0b62a4f
--- /dev/null
+++ b/sechub-pds-solutions/iac/10-create-image.sh
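Review bot: In the `else` branch `VERSION_TAG` is set to the current date, and the unconditional `VERSION_TAG+=` line then appends the same date again, so a missing argument produces a tag of the shape `2024-01-01_2024-01-01` (constructed example) rather than anything that signals the absent pds-base version. The caller in `_build+publish-pds-solution.yml` captures the output with backticks in an `export`, so a non-zero exit would not be noticed there either; the least surprising fix is to build the tag once and warn on stderr: `[ -n "$1" ] || echo "WARNING: no pds-base version given, tagging with build date only" >&2` followed by `VERSION_TAG="${1:+${1}_}$(date +%Y-%m-%d)"`, which also lets the `VERSION_TAG=""` initialisation and the `if`/`else` go. The shebang `#!/bin/bash` also differs from the `#!/usr/bin/env bash` used by the sibling scripts added in this change.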
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: MIT
+
+cd `dirname $0`
+
+REGISTRY="$1"
+VERSION="$2"
+BASE_IMAGE="$3"
+
+usage() {
+ cat - <
+Builds a docker image of SecHub PDS with IaC
+for with tag .
+Required: ; for example ghcr.io/mercedes-benz/sechub/pds-base:v0.32.1
+
+Additionally these environment variables can be defined:
+- IAC_VERSION - IaC version to use. E.g. 2.9.5
+EOF
+}
+
+FAILED=false
+if [[ -z "$REGISTRY" ]] ; then
+ echo "Please provide a docker registry server as 1st parameter."
+ FAILED=true
+fi
+
+if [[ -z "$VERSION" ]] ; then
+ echo "Please provide a version for the container as 2nd parameter."
+ FAILED=true
+fi
+
+if [[ -z "$BASE_IMAGE" ]]; then
+ echo "Please provide a base image as 3rd parameter."
+ FAILED=true
+fi
+
+if $FAILED ; then
+ usage
+ exit 1
+fi
+
+BUILD_ARGS="--build-arg BASE_IMAGE=$BASE_IMAGE"
+echo ">> Base image: $BASE_IMAGE"
+
+if [[ ! -z "$IAC_VERSION" ]] ; then
+ echo ">> IaC version: $IAC_VERSION"
+ BUILD_ARGS="$BUILD_ARGS --build-arg IAC_VERSION=$IAC_VERSION"
+fi
+
+# Use Docker BuildKit
+export BUILDKIT_PROGRESS=plain
+export DOCKER_BUILDKIT=1
+
+echo "docker build --pull --no-cache $BUILD_ARGS --tag "$REGISTRY:$VERSION" --file docker/IaC-Debian.dockerfile docker/"
+docker build --pull --no-cache $BUILD_ARGS \
+ --tag "$REGISTRY:$VERSION" \
+ --file docker/IaC-Debian.dockerfile docker/
+docker tag "$REGISTRY:$VERSION" "$REGISTRY:latest"
diff --git a/sechub-pds-solutions/iac/20-push-image.sh b/sechub-pds-solutions/iac/20-push-image.sh
new file mode 100755
index 0000000000..01695ddd57
--- /dev/null
+++ b/sechub-pds-solutions/iac/20-push-image.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: MIT
+
+cd `dirname $0`
+../../sechub-solutions-shared/scripts/20-push-image.sh "$1" "$2" "$3"
diff --git a/sechub-pds-solutions/iac/50-start-multiple-docker-compose.sh b/sechub-pds-solutions/iac/50-start-multiple-docker-compose.sh
new file mode 100755
index 0000000000..c51c246d5d
--- /dev/null
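Review bot: The `IAC_VERSION` handling in 10-create-image.sh advertises a knob that does nothing: the script appends `--build-arg IAC_VERSION=$IAC_VERSION`, but `IaC-Debian.dockerfile` in the same commit keeps `#ARG IAC_VERSION="2.13.1"` commented out and builds KICS from `GIT_BRANCH_KICS="master"`, so the build arg is never consumed (docker reports it as unused) and the tool version is not pinned by this script. Either drop the `IAC_VERSION` block and its usage line, or declare the ARG in the Dockerfile's builder stage and feed it into the `git clone --branch` call so the version a user passes is the version that gets built. Minor: `[[ ! -z "$IAC_VERSION" ]]` reads more naturally as `[[ -n "$IAC_VERSION" ]]`, and the `cat - <` line of `usage()` appears truncated in this rendering (the here-doc marker and the angle-bracket placeholders were probably lost in extraction), so the usage text should be checked against the file itself.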
+++ b/sechub-pds-solutions/iac/50-start-multiple-docker-compose.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: MIT
+
+REPLICAS="$1"
+
+cd $(dirname "$0")
+source "../../sechub-solutions-shared/scripts/9999-env-file-helper.sh"
+
+ENVIRONMENT_FILES_FOLDER="../shared/environment"
+ENVIRONMENT_FILE=".env-cluster"
+
+# Only variables from .env can be used in the Docker-Compose file
+# all other variables are only available in the container
+setup_environment_file ".env" "env"
+setup_environment_file "$ENVIRONMENT_FILE" "$ENVIRONMENT_FILES_FOLDER/env-base" "$ENVIRONMENT_FILES_FOLDER/env-cluster" "env-database"
+
+if [[ -z "$REPLICAS" ]]
+then
+ echo "Starting single container."
+ REPLICAS=1
+else
+ echo "Starting cluster of $REPLICAS containers."
+fi
+
+# Use Docker BuildKit
+export BUILDKIT_PROGRESS=plain
+export DOCKER_BUILDKIT=1
+
+docker compose --file docker-compose_pds_iac_cluster.yaml up --scale pds-iac=$REPLICAS --build --remove-orphans
diff --git a/sechub-pds-solutions/iac/51-start-multiple-object-storage-docker-compose.sh b/sechub-pds-solutions/iac/51-start-multiple-object-storage-docker-compose.sh
new file mode 100755
index 0000000000..4a01c37e8b
--- /dev/null
+++ b/sechub-pds-solutions/iac/51-start-multiple-object-storage-docker-compose.sh
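Review bot: `REPLICAS` is passed straight into `--scale pds-iac=$REPLICAS` without checking that it is a positive integer, so a typo such as `./50-start-multiple-docker-compose.sh three` or a `0` is only rejected (or silently honoured, starting no PDS container) by docker compose after the script has already printed "Starting cluster of ... containers." and set up the env files. After the `if`/`else` block that defaults it to 1, add `[[ "$REPLICAS" =~ ^[1-9][0-9]*$ ]] || { echo "Replica count must be a positive integer, got '$REPLICAS'." >&2; exit 1; }`. The same applies to 51-start-multiple-object-storage-docker-compose.sh, which duplicates this block.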
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: MIT
+
+REPLICAS="$1"
+
+cd $(dirname "$0")
+source "../../sechub-solutions-shared/scripts/9999-env-file-helper.sh"
+
+ENVIRONMENT_FILES_FOLDER="../shared/environment"
+ENVIRONMENT_FILE=".env-cluster-object-storage"
+
+# Only variables from .env can be used in the Docker-Compose file
+# all other variables are only available in the container
+setup_environment_file ".env" "env"
+setup_environment_file "$ENVIRONMENT_FILE" "$ENVIRONMENT_FILES_FOLDER/env-base" "$ENVIRONMENT_FILES_FOLDER/env-cluster" "$ENVIRONMENT_FILES_FOLDER/env-object-storage" "env-database"
+
+
+if [[ -z "$REPLICAS" ]]
+then
+ echo "Starting single container."
+ REPLICAS=1
+else
+ echo "Starting cluster of $REPLICAS containers."
+fi
+
+# Use Docker BuildKit
+export BUILDKIT_PROGRESS=plain
+export DOCKER_BUILDKIT=1
+
+docker compose --file docker-compose_pds_iac_cluster_object_storage.yaml up --scale pds-iac=$REPLICAS --build --remove-orphans
\ No newline at end of file
diff --git a/sechub-pds-solutions/iac/README.adoc b/sechub-pds-solutions/iac/README.adoc
new file mode 100644
index 0000000000..b85af7dc4e
--- /dev/null
+++ b/sechub-pds-solutions/iac/README.adoc
@@ -0,0 +1,421 @@ +// SPDX-License-Identifier: MIT + +:toc: +:numbered: + += IaC + PDS + +Infrastructure as Code (IaC) is the practice of defining and managing computing infrastructure using code, which enables developers to automate the creation, configuration, and management of infrastructure resources. By combining IaC with the SecHub https://mercedes-benz.github.io/sechub/latest/sechub-product-delegation-server.html[Product Delegation Server (PDS)] in a container, IaC can be used with SecHub. Another scenario is to use IaC+PDS standalone. + +The combination of IaC and PDS makes it possible to run both inside a Kubernetes cluser or virtual machines. + +This folder contains the necessary scripts to run IaC+PDS inside a container locally. Additionally, it contains scripts to build and push the PDS + IaC container to your container registry and a Helm chart to install and run IaC+PDS in a Kubernetes cluster. + +== Currently used tools +=== KICS +https://github.com/Checkmarx/kics[KICS] is a free and open source IaC commandline scanning tool + +== Run Locally + +This is the easiest way to get started. + +=== Requirements + +Docker and Docker-Compose need to be installed: + +. https://docs.docker.com/engine/install/[Install Docker] + +. Linux: https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user[Use Docker as non Root user] + +. https://docs.docker.com/compose/install/[Install Docker-Compose] + +=== Single Instance + +Start a single instance by using the Bash wrapper script which does setup everything <<_automatic,automatically>> for you. + +==== Scan script + +The folder contains a start script which does the <<_manually, manual>> steps for you: + +---- +./01-start-docker-compose.sh +---- + +==== Together with SecHub + +The container will be started and attached to the `sechub` Network. + +WARNING: Make sure the SecHub container is running. + +. 
Start container: ++ +---- +./05-start-single-sechub-network-docker-compose.sh +---- + +=== Scan + +The steps required to scan with the PDS. Scan manually if you are new to the PDS. Use the script, if you are tired of typing the same commands over and over again. + +==== Scan Script + +It is recommended to start with a manual <<_scan>> the first time using the PDS. However, after some time typing in the commands becomes very tedious. To improve on the experience you can scan using this script. + +. Set the environment variables ++ +---- +export PDS_SERVER=https://: +export PDS_USERID=admin +export PDS_APITOKEN="" +export PDS_PRODUCT_IDENTFIER=PDS_KICS +---- ++ +For example: ++ +---- +export PDS_SERVER=https://localhost:8444 +export PDS_USERID=admin +export PDS_APITOKEN="pds-apitoken" +export PDS_PRODUCT_IDENTFIER=PDS_KICS +---- ++ +[NOTE] +Those values are the default values from `env-initial` and `env-cluster-initial` files. In case you run PDS+IaC in Kubernetes or other environments those values will be different. + +. Scan by providing a `ZIP` folder with Go source code. ++ +---- +cd ../shared/ +./01-test.sh +---- ++ +For example: ++ +---- +cd ../shared/ +./01-test.sh ~/myproject.zip +---- + +=== Cluster + +The cluster is created locally via `docker-compose`. + +==== Shared Volume + +The cluster uses a shared volume defined in `docker-compose`. Docker allows to create volumes which can be used by multiple instances to upload files to. Reading, extracting and analysing the files is done in the IaC+PDS container. + +The cluster consists of a PostgreSQL database, a Nginx loadbalancer and one or more PDS server. 
+ +image::../shared/media/cluster_shared_volume.svg[Components of cluster with shared volume] + +===== Start Script + +Starting several IaC+PDS instances: + +---- +./50-start-multiple-docker-compose.sh +---- + +Example of starting 3 IaC+PDS instances: + +---- +./50-start-multiple-docker-compose.sh 3 +---- + +==== Object Storage + +The cluster uses an object storage to store files. The cluster uses https://github.com/chrislusf/seaweedfs[SeaweedFS] (S3 compatible) to store files. The PDS instance(s) use the object storage to upload files to. Reading, extracting and analysing the files is done in the IaC+PDS container. + +The cluster consists of a PostgreSQL database, a Nginx loadbalancer, a SeaweedFS object storage and one or more PDS server. + +image::../shared/media/cluster_object_storage.svg[Components of cluster with object storage] + +===== Start Script + +Starting several IaC+PDS instances + +---- +./51-start-multiple-object-storage-docker-compose.sh +---- + +Example of starting 3 IaC+PDS instances + +---- +./51-start-multiple-object-storage-docker-compose.sh 3 +---- + +=== Change the Configuration + +There are several configuration options available for the IaC+PDS `docker-compose` files. Have a look at `env-example` for more details. + +=== Troubleshooting + +This section contains information about how to troubleshoot IaC+PDS if something goes wrong. + +==== Access the container + +---- +docker exec -it pds-iac bash +---- + +==== Java Application Remote Debugging of PDS + +. Set `JAVA_ENABLE_DEBUG=true` in the `.env` file + +. Connect via remote debugging to the `pds` ++ +connect via CLI ++ +---- +jdb -attach localhost:15024 +---- ++ +TIP: https://www.baeldung.com/java-application-remote-debugging[Java Application Remote Debugging] and https://www.tutorialspoint.com/jdb/jdb_basic_commands.htm[JDB - Basic Commands] ++ +or connect via IDE (e. g. Eclipse IDE, VSCodium, Eclipse Theia, IntelliJ etc.). 
++ +TIP: https://www.eclipse.org/community/eclipse_newsletter/2017/june/article1.php[Debugging the Eclipse IDE for Java Developers] + +== Build Image and Push to Registry + +Build container images and push them to registry to run IaC+PDS on virtual machines, Kubernetes or any other distributed system. + +=== Build Image + +Build the container image. + +==== Build + +. Using the default image: ++ +---- +./10-create-image.sh my.registry.example.org/sechub/pds_iac v0.1 +---- + +. Using your own base image: ++ +---- +./10-create-image.sh my.registry.example.org/sechub/pds_iac v0.1 "my.registry.example.org/debian:11-slim" +---- + +=== Push Image to Registry + +Push the container image to a registry. + +* Push the version tag only ++ +---- +./20-push-image.sh my.registry.example.org/sechub/pds_iac v0.1 +---- + +* Push the version and `latest` tags ++ +---- +./20-push-image.sh my.registry.example.org/sechub/pds_iac v0.1 yes +---- + +== Kubernetes + +https://kubernetes.io/[Kubernetes] is an open-source container-orchestration system. This sections explains how to deploy and run PDS+IaC in Kubernetes. + +=== Helm + +https://helm.sh/[Helm] is a package manager for Kubernetes. + +==== Requierments + +* https://helm.sh/docs/intro/install/[Helm] installed +* `pds_iac` image pushed to registry + +==== Installation + +. 
Create a `myvalues.yaml` configuration file ++ +A minimal example configuration file with one instance: ++ +[source,yaml] +---- +replicaCount: 1 + +image: + registry: my.registry.example.org/sechub/pds_iac + tag: latest + +pds: + startMode: localserver + +users: + admin: + id: "admin" + apiToken: "{noop}" + technical: + id: "techuser" + apiToken: "{noop}" + +storage: + local: + enabled: true + +networkPolicy: + enabled: true + ingress: + - from: + - podSelector: + matchLabels: + name: sechub-server + - podSelector: + matchLabels: + name: sechub-adminserver +---- ++ +An example configuration file with 3 replicas, postgresql and object storage: ++ +[source,yaml] +---- +replicaCount: 3 + +image: + registry: my.registry.example.org/sechub/pds_iac + tag: latest + +pds: + startMode: localserver + keepContainerAliveAfterPDSCrashed: true + +users: + admin: + id: "admin" + apiToken: "{noop}" + technical: + id: "techuser" + apiToken: "{noop}" + + +database: + postgres: + enabled: true + connection: "jdbc:postgresql://:/" + username: "" + password: "" + +storage: + local: + enabled: false + s3: + enabled: true + endpoint: "https://:443" + bucketname: "" + accesskey: "" + secretkey: "" + +networkPolicy: + enabled: true + ingress: + - from: + - podSelector: + matchLabels: + name: sechub-server + - podSelector: + matchLabels: + name: sechub-adminserver +---- ++ +[TIP] +To generate passwords use `tr -dc A-Za-z0-9 install…` to install the helm chart into another namespace in the Kubernetes cluster. + +. List pods ++ +---- +kubectl get pods +NAME READY STATUS RESTARTS AGE +pds-iac-545f5bc8-7s6rh 1/1 Running 0 1m43s +pds-iac-545f5bc8-px9cs 1/1 Running 0 1m43s +pds-iac-545f5bc8-t52p6 1/1 Running 0 3m + +---- + +. Forward port of one of the pods to own machine ++ +---- +kubectl port-forward pds-iac-545f5bc8-7s6rh 8444:8444 +---- + +. Scan as explained in <<_scan>>. + +==== Upgrade + +In case, `my-values.yaml` was changed. Simply, use `helm upgrade` to update the deployment. 
`helm` will handle scaling up and down as well as changing the configuration. + +---- +helm upgrade --values my-values.yaml pds-iac helm/pds-iac/ +---- + +==== Uninstall + +. Helm list ++ +---- +helm list +NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION +pds-iac my-namespace 1 2021-06-24 21:54:37.668489822 +0200 CEST deployed pds-iac-0.1.0 0.21.0 +---- + +. Helm uninstall ++ +---- +helm uninstall pds-iac +---- + +=== Troubleshooting + +* Access deployment events. ++ +---- +kubectl describe pod pds-iac-545f5bc8-7s6rh +… +Events: + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal Scheduled 1m default-scheduler Successfully assigned sechub-dev/pds-iac-749fcb8d7f-jjqwn to kube-node01 + Normal Pulling 54s kubelet Pulling image "my.registry.example.org/sechub/pds_iac:v0.1" + Normal Pulled 40s kubelet Successfully pulled image "my.registry.example.org/sechub/pds_iac:v0.1" in 13.815348799s + Normal Created 15s kubelet Created container pds-iac + Normal Started 10s kubelet Started container pds-iac +---- + +* Access container logs. ++ +---- +kubectl logs pds-iac-545f5bc8-7s6rh + + . 
____ _ __ _ _ + /\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \ +( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \ + \\/ ___)| |_)| | | | | || (_| | ) ) ) ) + ' |____| .__|_| |_|_| |_\__, | / / / / + =========|_|==============|___/=/_/_/_/ + :: Spring Boot :: (v2.4.0) + +2021-06-09 14:46:07.310 INFO 7 --- [ main] d.s.p.ProductDelegationServerApplication : Starting ProductDelegationServerApplication using Java 11.0.11 on pds-iac-749fcb8d7f-jjqwn with PID 7 (/pds/sechub-pds-0.21.0.jar started by iac in /workspace) +2021-06-09 14:46:07.312 INFO 7 --- [ main] d.s.p.ProductDelegationServerApplication : The following profiles are active: pds_localserver +2021-06-09 14:46:08.945 INFO 7 --- [ main] o.apache.catalina.core.StandardService : Starting service [Tomcat] +2021-06-09 14:46:08.945 INFO 7 --- [ main] org.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/9.0.39] +2021-06-09 14:46:09.000 INFO 7 --- [ main] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext +2021-06-09 14:46:09.228 INFO 7 --- [ main] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Starting... +2021-06-09 14:46:09.485 INFO 7 --- [ main] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Start completed. 
+2021-06-09 14:46:10.243 INFO 7 --- [ main] c.d.s.p.m.PDSHeartBeatTriggerService : Heartbeat service created with 1000 millisecondss initial delay and 60000 millisecondss as fixed delay
+2021-06-09 14:46:10.439 INFO 7 --- [ main] c.d.s.pds.batch.PDSBatchTriggerService : Scheduler service created with 100 millisecondss initial delay and 500 millisecondss as fixed delay
+2021-06-09 14:46:13.192 INFO 7 --- [ main] d.s.p.ProductDelegationServerApplication : Started ProductDelegationServerApplication in 6.783 seconds (JVM running for 7.27)
+2021-06-09 14:46:14.206 INFO 7 --- [ scheduling-1] c.d.s.p.m.PDSHeartBeatTriggerService : Heartbeat will be initialized
+2021-06-09 14:46:14.206 INFO 7 --- [ scheduling-1] c.d.s.p.m.PDSHeartBeatTriggerService : Create new server hearbeat
+2021-06-09 14:46:14.255 INFO 7 --- [ scheduling-1] c.d.s.p.m.PDSHeartBeatTriggerService : heartbeat update - serverid:IAC_CLUSTER, heartbeatuuid:a46b97b2-4cfb-449d-a171-42b255c4aab8, cluster-member-data:{"hostname":"pds-iac-749fcb8d7f-jjqwn","ip":"192.168.129.206","port":8444,"heartBeatTimestamp":"2021-06-09T14:46:14.207113","executionState":{"queueMax":50,"jobsInQueue":0,"entries":[]}}
+----
diff --git a/sechub-pds-solutions/iac/docker-compose_pds_iac.yaml b/sechub-pds-solutions/iac/docker-compose_pds_iac.yaml
new file mode 100644
index 0000000000..83c0cda537
--- /dev/null
+++ b/sechub-pds-solutions/iac/docker-compose_pds_iac.yaml
@@ -0,0 +1,23 @@
+# SPDX-License-Identifier: MIT
+
+version: "3"
+services:
+ pds-iac:
+ build:
+ args:
+ - BASE_IMAGE=${BASE_IMAGE}
+ context: docker/
+ dockerfile: IaC-Debian.dockerfile
+ container_name: pds-iac
+ env_file:
+ - .env
+ - .env-single
+ ports:
+ - "127.0.0.1:8444:8444"
+ - "127.0.0.1:15024:15024"
+ networks:
+ - "internal"
+ volumes:
+ - ./docker/scripts:/scripts
+networks:
+ internal:
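Review bot: `- BASE_IMAGE=${BASE_IMAGE}` in docker-compose_pds_iac.yaml substitutes an empty string when the variable is not set in the environment or `.env`, and the build then dies inside the Dockerfile at `FROM ${BASE_IMAGE} AS builder` with a message that does not name the missing variable. Compose's required-variable form fails fast with a readable reason: `- BASE_IMAGE=${BASE_IMAGE:?BASE_IMAGE must be set (e.g. ghcr.io/mercedes-benz/sechub/pds-base:<version>)}`. The same `${BASE_IMAGE}` reference is in docker-compose_pds_iac_cluster.yaml, docker-compose_pds_iac_cluster_object_storage.yaml and docker-compose_pds_iac_external-network.yaml. The published ports here are correctly bound to `127.0.0.1`, including the remote-debug port 15024, so the debug listener is not reachable from other hosts by default.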
diff --git a/sechub-pds-solutions/iac/docker-compose_pds_iac_cluster.yaml b/sechub-pds-solutions/iac/docker-compose_pds_iac_cluster.yaml
new file mode 100644
index 0000000000..6da224d655
--- /dev/null
+++ b/sechub-pds-solutions/iac/docker-compose_pds_iac_cluster.yaml
@@ -0,0 +1,50 @@
+# SPDX-License-Identifier: MIT
+
+version: "3"
+services:
+ pds-iac:
+ build:
+ args:
+ - BASE_IMAGE=${BASE_IMAGE}
+ context: docker/
+ dockerfile: IaC-Debian.dockerfile
+ env_file:
+ - .env
+ - .env-cluster
+ networks:
+ - "internal"
+ volumes:
+ - "shared_volume:/shared_volumes/uploads"
+ - ./docker/scripts:/scripts
+ depends_on:
+ - database
+
+ loadbalancer:
+ build:
+ context: ../shared/docker/loadbalancer
+ args:
+ - PDS_SOLUTION=pds-iac
+ env_file:
+ - .env-cluster
+ networks:
+ - "internal"
+ depends_on:
+ - pds-iac
+ ports:
+ - "127.0.0.1:8444:8444"
+
+ database:
+ build:
+ context: ../shared/docker/database
+ env_file:
+ - .env-cluster
+ networks:
+ - "internal"
+ ports:
+ - "127.0.0.1:5432:5432"
+
+networks:
+ internal:
+
+volumes:
+ shared_volume:
diff --git a/sechub-pds-solutions/iac/docker-compose_pds_iac_cluster_object_storage.yaml b/sechub-pds-solutions/iac/docker-compose_pds_iac_cluster_object_storage.yaml
new file mode 100644
index 0000000000..c92a837c77
--- /dev/null
+++ b/sechub-pds-solutions/iac/docker-compose_pds_iac_cluster_object_storage.yaml
@@ -0,0 +1,69 @@
+# SPDX-License-Identifier: MIT
+
+version: "3"
+services:
+ pds-iac:
+ build:
+ args:
+ - BASE_IMAGE=${BASE_IMAGE}
+ context: docker/
+ dockerfile: IaC-Debian.dockerfile
+ env_file:
+ - .env
+ - .env-cluster-object-storage
+ networks:
+ - internal
+ depends_on:
+ - database
+ - object-storage
+ volumes:
+ - ./docker/scripts:/scripts
+
+ loadbalancer:
+ build:
+ context: ../shared/docker/loadbalancer
+ args:
+ - PDS_SOLUTION=pds-iac
+ env_file:
+ - .env-cluster-object-storage
+ networks:
+ - internal
+ depends_on:
+ - pds-iac
+ ports:
+ - "127.0.0.1:8444:8444"
+
+ database:
+ build:
+ context: ../shared/docker/database
+ env_file:
+ - .env-cluster-object-storage
+ networks:
+ - internal
+ ports:
+ - "127.0.0.1:5432:5432"
+
+ object-storage:
+ build:
+ context: ../shared/docker/object-storage
+ env_file:
+ - .env-cluster-object-storage
+ networks:
+ internal:
+ # A fixed IP address is necessary
+ # otherwise the AWS S3 client used by
+ # the PDS cannot resolve the address
+ ipv4_address: 10.42.43.7
+ ports:
+ - "127.0.0.1:9000:9000"
+ - "127.0.0.1:9333:9333"
+ - "127.0.0.1:8080:8080"
+
+networks:
+ internal:
+ driver: bridge
+ ipam:
+ driver: default
+ config:
+ - subnet: 10.42.43.0/24
+ gateway: 10.42.43.1
diff --git a/sechub-pds-solutions/iac/docker-compose_pds_iac_external-network.yaml b/sechub-pds-solutions/iac/docker-compose_pds_iac_external-network.yaml
new file mode 100644
index 0000000000..c47215b097
--- /dev/null
+++ b/sechub-pds-solutions/iac/docker-compose_pds_iac_external-network.yaml
@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: MIT
+
+version: "3"
+services:
+ pds-iac:
+ build:
+ args:
+ - BASE_IMAGE=${BASE_IMAGE}
+ context: docker/
+ dockerfile: IaC-Debian.dockerfile
+ container_name: pds-iac
+ hostname: pds-iac
+ env_file:
+ - .env
+ - .env-single
+ networks:
+ - "sechub"
+ volumes:
+ - ./docker/scripts:/scripts
+
+networks:
+ sechub:
+ external: true
+ name: "sechub"
diff --git a/sechub-pds-solutions/iac/docker/IaC-Debian.dockerfile b/sechub-pds-solutions/iac/docker/IaC-Debian.dockerfile
new file mode 100644
index 0000000000..221d55ef49
--- /dev/null
+++ b/sechub-pds-solutions/iac/docker/IaC-Debian.dockerfile
@@ -0,0 +1,120 @@
+# SPDX-License-Identifier: MIT
+
+#-------------------
+# Global Variables
+#-------------------
+
+# The image argument needs to be placed on top
+ARG BASE_IMAGE
+
+# Build args
+ARG GO="go1.20.4.linux-amd64.tar.gz"
+
+# Artifact folder
+ARG PDS_ARTIFACT_FOLDER="/artifacts"
+
+#-------------------
+# Builder
+#-------------------
+
+FROM ${BASE_IMAGE} AS builder
+
+# Build args
+ARG GO
+ARG PDS_ARTIFACT_FOLDER
+
+ARG BUILD_FOLDER="/build"
+ARG GIT_URL_KICS="https://github.com/Checkmarx/kics.git"
+ARG GIT_BRANCH_KICS="master"
+
+ENV DOWNLOAD_FOLDER="/downloads"
+ENV PATH="/usr/local/go/bin:$PATH"
+
+USER root
+
+RUN mkdir --parent "$PDS_ARTIFACT_FOLDER" "$DOWNLOAD_FOLDER"
+
+RUN export DEBIAN_FRONTEND=noninteractive && \
+ apt-get update && \
+ apt-get install --quiet --assume-yes wget w3m git && \
+ apt-get clean
+
+# Install Go
+RUN cd "$DOWNLOAD_FOLDER" && \
+ # Get checksum from Go download site
+ GO_CHECKSUM=`w3m https://go.dev/dl/ | grep "$GO" | tail -1 | awk '{print $6}'` && \
+ # create checksum file
+ echo "$GO_CHECKSUM $GO" > "$GO.sha256sum" && \
+ # download Go
+ wget --no-verbose https://go.dev/dl/"${GO}" && \
+ # verify that the checksum and the checksum of the file are same
+ sha256sum --check "$GO.sha256sum" && \
+ # extract Go
+ tar --extract --file "$GO" --directory /usr/local/ && \
+ # remove go tar.gz
+ rm "$GO"
+
+# Build Kics
+RUN mkdir --parent "$BUILD_FOLDER" && \
+ cd "$BUILD_FOLDER" && \
+ # Clone Kics
+ git clone "$GIT_URL_KICS" --depth 1 --branch "$GIT_BRANCH_KICS" && \
+ cd "kics" && \
+ # Downloads Go packages
+ go mod vendor && \
+ # Build kics
+ go build -o ./bin/kics cmd/console/main.go && \
+ # copy kics binary
+ mkdir --parents "$PDS_ARTIFACT_FOLDER/kics/" && \
+ cp bin/kics --target-directory "$PDS_ARTIFACT_FOLDER/kics/" && \
+ # copy assets
+ cp --recursive assets --target-directory "$PDS_ARTIFACT_FOLDER/kics/"
+
+#-------------------
+# PDS Image
+#-------------------
+
+FROM ${BASE_IMAGE}
+
+# The remaining arguments need to be placed after the `FROM`
+# See: https://ryandaniels.ca/blog/docker-dockerfile-arg-from-arg-trouble/
+
+LABEL org.opencontainers.image.source="https://github.com/mercedes-benz/sechub"
+LABEL org.opencontainers.image.title="SecHub IaC+PDS Image"
+LABEL org.opencontainers.image.description="A container which combines Infrastructure as Code tools with the SecHub Product Delegation Server (PDS)"
+LABEL maintainer="SecHub FOSS Team"
+
+ARG PDS_ARTIFACT_FOLDER
+
+ENV PATH "$TOOL_FOLDER/kics:$PATH"
+#ARG GO="go1.20.4.linux-amd64.tar.gz"
+#ARG IAC_VERSION="2.13.1"
+
+# Environment variables in container
+#ENV IAC_VERSION="${IAC_VERSION}"
+
+USER root
+
+COPY --from=builder "$PDS_ARTIFACT_FOLDER" "$TOOL_FOLDER"
+
+# Copy mock folder
+COPY mocks "$MOCK_FOLDER"
+
+# Copy PDS configfile
+COPY pds-config.json "$PDS_FOLDER/pds-config.json"
+
+RUN export DEBIAN_FRONTEND=noninteractive && \
+ apt-get update && \
+ apt-get --assume-yes upgrade && \
+ apt-get --assume-yes install w3m wget jq && \
+ apt-get --assume-yes clean
+
+# Copy scripts
+COPY scripts $SCRIPT_FOLDER
+RUN chmod --recursive +x $SCRIPT_FOLDER
+
+# Set workspace
+WORKDIR "$WORKSPACE"
+
+# Switch from root to non-root user
+USER "$USER"
\ No newline at end of file
diff --git a/sechub-pds-solutions/iac/docker/mocks/kics-mock.sarif.json b/sechub-pds-solutions/iac/docker/mocks/kics-mock.sarif.json
new file mode 100644
index 0000000000..80a50f2f1e
--- /dev/null
+++ b/sechub-pds-solutions/iac/docker/mocks/kics-mock.sarif.json
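Review bot: The KICS build in IaC-Debian.dockerfile is not pinned: `ARG GIT_BRANCH_KICS="master"` with `git clone "$GIT_URL_KICS" --depth 1 --branch "$GIT_BRANCH_KICS"` compiles whatever upstream's master holds at build time, so two builds of the same commit can ship different scanner code and the image tag cannot be traced to a KICS release; `#ARG IAC_VERSION="2.13.1"` shows the intent but is commented out. Pin it to a release tag in the builder stage, e.g. `ARG GIT_BRANCH_KICS="<pinned-kics-release-tag>"` (git clone --branch accepts tags), ideally driven by the IAC_VERSION build arg that 10-create-image.sh already passes. The Go checksum has a related weakness: `GO_CHECKSUM` is scraped from the same site the tarball is fetched from (`w3m https://go.dev/dl/ | grep "$GO" | tail -1 | awk '{print $6}'`), so `sha256sum --check` only confirms the download matches what that page served at that moment and also breaks whenever the page layout changes; carrying the expected digest in the Dockerfile, `ARG GO_SHA256="<expected sha256 of $GO>"` and `echo "$GO_SHA256 $GO" > "$GO.sha256sum"`, makes the verification independent of the download site and the build reproducible. The final stage relies on `$TOOL_FOLDER`, `$MOCK_FOLDER`, `$PDS_FOLDER`, `$SCRIPT_FOLDER`, `$WORKSPACE` and `$USER` being exported by the pds-base image; a one-line comment naming that dependency above `COPY --from=builder` would save the next reader a lookup.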
@@ -0,0 +1,1106 @@ +{ + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "KICS", + "version": "development", + "fullName": "Keeping Infrastructure as Code Secure", + "informationUri": "https://www.kics.io/", + "rules": [ + { + "id": "62232513-b16f-4010-83d7-51d0e1d45426", + "name": "OSS Bucket Public Access Enabled", + "shortDescription": { + "text": "OSS Bucket Public Access Enabled" + }, + "fullDescription": { + "text": "OSS Bucket should have public access disabled" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#acl", + "relationships": [ + { + "target": { + "id": "CAT001", + "index": 5, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + "id": "1b4565c0-4877-49ac-ab03-adebbccd42ae", + "name": "RDS DB Instance Publicly Accessible", + "shortDescription": { + "text": "RDS DB Instance Publicly Accessible" + }, + "fullDescription": { + "text": "'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#security_ips", + "relationships": [ + { + "target": { + "id": "CAT007", + "index": 12, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + 
"id": "7a1ee8a9-71be-4b11-bb70-efb62d16863b", + "name": "RDS Instance SSL Action Disabled", + "shortDescription": { + "text": "RDS Instance SSL Action Disabled" + }, + "fullDescription": { + "text": "ssl_action parameter should be set to Open for RDS instances" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#ssl_action", + "relationships": [ + { + "target": { + "id": "CAT009", + "index": 14, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + "id": "c065b98e-1515-4991-9dca-b602bd6a2fbb", + "name": "Action Trail Logging For All Regions Disabled", + "shortDescription": { + "text": "Action Trail Logging For All Regions Disabled" + }, + "fullDescription": { + "text": "Action Trail Logging for all regions should be enabled" + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/actiontrail_trail#trail_region", + "relationships": [ + { + "target": { + "id": "CAT010", + "index": 1, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + "id": "f20e97f9-4919-43f1-9be9-f203cd339cdd", + "name": "OSS Bucket Encryption Using CMK Disabled", + "shortDescription": { + "text": "OSS Bucket Encryption Using CMK Disabled" + }, + "fullDescription": { + "text": "OSS Bucket should have encryption enabled using Customer Master Key" + }, + "defaultConfiguration": 
{ + "level": "warning" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#server_side_encryption_rule", + "relationships": [ + { + "target": { + "id": "CAT006", + "index": 11, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + "id": "05db341e-de7d-4972-a106-3e2bd5ee53e1", + "name": "OSS Bucket Logging Disabled", + "shortDescription": { + "text": "OSS Bucket Logging Disabled" + }, + "fullDescription": { + "text": "OSS Bucket should have logging enabled, for better visibility of resources and objects." + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#logging", + "relationships": [ + { + "target": { + "id": "CAT010", + "index": 1, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + "id": "70919c0b-2548-4e6b-8d7a-3d84ab6dabba", + "name": "OSS Bucket Versioning Disabled", + "shortDescription": { + "text": "OSS Bucket Versioning Disabled" + }, + "fullDescription": { + "text": "OSS Bucket should have versioning enabled" + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#versioning", + "relationships": [ + { + "target": { + "id": "CAT003", + "index": 6, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, 
+ { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + "id": "dc158941-28ce-481d-a7fa-dc80761edf46", + "name": "RDS Instance Retention Period Not Recommended", + "shortDescription": { + "text": "RDS Instance Retention Period Not Recommended" + }, + "fullDescription": { + "text": "RDS Instance SQL Retention Period should be greater than 180" + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#sql_collector_config_value", + "relationships": [ + { + "target": { + "id": "CAT010", + "index": 1, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + "id": "7db8bd7e-9772-478c-9ec5-4bc202c5686f", + "name": "OSS Bucket Lifecycle Rule Disabled", + "shortDescription": { + "text": "OSS Bucket Lifecycle Rule Disabled" + }, + "fullDescription": { + "text": "OSS Bucket should have lifecycle rule enabled and set to true" + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#lifecycle_rule", + "relationships": [ + { + "target": { + "id": "CAT003", + "index": 6, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + "id": "8f98334a-99aa-4d85-b72a-1399ca010413", + "name": "OSS Bucket Transfer Acceleration 
Disabled", + "shortDescription": { + "text": "OSS Bucket Transfer Acceleration Disabled" + }, + "fullDescription": { + "text": "OSS Bucket should have transfer acceleration enabled" + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#transfer_acceleration", + "relationships": [ + { + "target": { + "id": "CAT002", + "index": 10, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + "id": "140869ea-25f2-40d4-a595-0c0da135114e", + "name": "RDS Instance Log Connections Disabled", + "shortDescription": { + "text": "RDS Instance Log Connections Disabled" + }, + "fullDescription": { + "text": "'log_connections' parameter should be set to ON for RDS instances" + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#parameters", + "relationships": [ + { + "target": { + "id": "CAT010", + "index": 1, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + "id": "d53f4123-f8d8-4224-8cb3-f920b151cc98", + "name": "RDS Instance Log Disconnections Disabled", + "shortDescription": { + "text": "RDS Instance Log Disconnections Disabled" + }, + "fullDescription": { + "text": "log_disconnections parameter should be set to ON for RDS instances" + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": 
"https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#parameters", + "relationships": [ + { + "target": { + "id": "CAT010", + "index": 1, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + "id": "a597e05a-c065-44e7-9cc8-742f572a504a", + "name": "RDS Instance Log Duration Disabled", + "shortDescription": { + "text": "RDS Instance Log Duration Disabled" + }, + "fullDescription": { + "text": "log_duration parameter should be set to ON for RDS instances" + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#parameters", + "relationships": [ + { + "target": { + "id": "CAT010", + "index": 1, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + } + ] + } + }, + "results": [ + { + "ruleId": "62232513-b16f-4010-83d7-51d0e1d45426", + "ruleIndex": 0, + "kind": "fail", + "message": { + "text": "'acl' is public-read-write" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/bucket.tf" + }, + "region": { + "startLine": 7 + } + } + } + ] + }, + { + "ruleId": "1b4565c0-4877-49ac-ab03-adebbccd42ae", + "ruleIndex": 1, + "kind": "fail", + "message": { + "text": "'0.0.0.0' is in 'security_ips' list" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/rds.tf" + }, + "region": { + "startLine": 9 + } + } + } + ] + }, + { + "ruleId": 
"7a1ee8a9-71be-4b11-bb70-efb62d16863b", + "ruleIndex": 2, + "kind": "fail", + "message": { + "text": "'ssl_action' is not defined" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/rds.tf" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "c065b98e-1515-4991-9dca-b602bd6a2fbb", + "ruleIndex": 3, + "kind": "fail", + "message": { + "text": "'event_rw' is not set to All" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/trail.tf" + }, + "region": { + "startLine": 7 + } + } + } + ] + }, + { + "ruleId": "c065b98e-1515-4991-9dca-b602bd6a2fbb", + "ruleIndex": 3, + "kind": "fail", + "message": { + "text": "'trail_region' is not set to All" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/trail.tf" + }, + "region": { + "startLine": 8 + } + } + } + ] + }, + { + "ruleId": "f20e97f9-4919-43f1-9be9-f203cd339cdd", + "ruleIndex": 4, + "kind": "fail", + "message": { + "text": "[trail].policy does not have server side encryption rule and kms master key id defined" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/trail.tf" + }, + "region": { + "startLine": 11 + } + } + } + ] + }, + { + "ruleId": "f20e97f9-4919-43f1-9be9-f203cd339cdd", + "ruleIndex": 4, + "kind": "fail", + "message": { + "text": "[bad_bucket].policy does not have server side encryption rule and kms master key id defined" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/bucket.tf" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "05db341e-de7d-4972-a106-3e2bd5ee53e1", + "ruleIndex": 5, + "kind": "fail", + "message": { + "text": "bad_bucket does not have logging enabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/bucket.tf" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": 
"05db341e-de7d-4972-a106-3e2bd5ee53e1", + "ruleIndex": 5, + "kind": "fail", + "message": { + "text": "trail does not have logging enabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/trail.tf" + }, + "region": { + "startLine": 11 + } + } + } + ] + }, + { + "ruleId": "70919c0b-2548-4e6b-8d7a-3d84ab6dabba", + "ruleIndex": 6, + "kind": "fail", + "message": { + "text": "'versioning' is missing" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/trail.tf" + }, + "region": { + "startLine": 11 + } + } + } + ] + }, + { + "ruleId": "70919c0b-2548-4e6b-8d7a-3d84ab6dabba", + "ruleIndex": 6, + "kind": "fail", + "message": { + "text": "'versioning' is missing" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/bucket.tf" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "dc158941-28ce-481d-a7fa-dc80761edf46", + "ruleIndex": 7, + "kind": "fail", + "message": { + "text": "'sql_collector_status' is not defined" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/rds.tf" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "dc158941-28ce-481d-a7fa-dc80761edf46", + "ruleIndex": 7, + "kind": "fail", + "message": { + "text": "'sql_collector_config_value' is not defined" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/rds.tf" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "7db8bd7e-9772-478c-9ec5-4bc202c5686f", + "ruleIndex": 8, + "kind": "fail", + "message": { + "text": "'lifecycle_rule' is not set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/bucket.tf" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "7db8bd7e-9772-478c-9ec5-4bc202c5686f", + "ruleIndex": 8, + "kind": "fail", + "message": { + "text": "'lifecycle_rule' is not set" 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/trail.tf" + }, + "region": { + "startLine": 11 + } + } + } + ] + }, + { + "ruleId": "8f98334a-99aa-4d85-b72a-1399ca010413", + "ruleIndex": 9, + "kind": "fail", + "message": { + "text": "'transfer_acceleration' is missing" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/bucket.tf" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "8f98334a-99aa-4d85-b72a-1399ca010413", + "ruleIndex": 9, + "kind": "fail", + "message": { + "text": "'transfer_acceleration' is missing" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/trail.tf" + }, + "region": { + "startLine": 11 + } + } + } + ] + }, + { + "ruleId": "140869ea-25f2-40d4-a595-0c0da135114e", + "ruleIndex": 10, + "kind": "fail", + "message": { + "text": "'log_connections' parameter is not defined" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/rds.tf" + }, + "region": { + "startLine": 16 + } + } + } + ] + }, + { + "ruleId": "d53f4123-f8d8-4224-8cb3-f920b151cc98", + "ruleIndex": 11, + "kind": "fail", + "message": { + "text": "'log_disconnections' parameter is not defined" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/rds.tf" + }, + "region": { + "startLine": 16 + } + } + } + ] + }, + { + "ruleId": "a597e05a-c065-44e7-9cc8-742f572a504a", + "ruleIndex": 12, + "kind": "fail", + "message": { + "text": "'log_duration' parameter is not defined" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/rds.tf" + }, + "region": { + "startLine": 16 + } + } + } + ] + } + ], + "taxonomies": [ + { + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "name": "Categories", + "fullDescription": { + "text": "This taxonomy contains the types an issue can assume" + }, + "shortDescription": { + "text": 
"Vulnerabilities categories" + }, + "taxa": [ + { + "id": "CAT000", + "name": "Undefined Category", + "shortDescription": { + "text": "Category is not defined" + }, + "fullDescription": { + "text": "Category is not defined" + } + }, + { + "id": "CAT010", + "name": "Observability", + "shortDescription": { + "text": "Logging and Monitoring" + }, + "fullDescription": { + "text": "Logging and Monitoring" + } + }, + { + "id": "CAT008", + "name": "Insecure Defaults", + "shortDescription": { + "text": "Configurations that are insecure by default" + }, + "fullDescription": { + "text": "Configurations that are insecure by default" + } + }, + { + "id": "CAT012", + "name": "Secret Management", + "shortDescription": { + "text": "Secret and Key management" + }, + "fullDescription": { + "text": "Secret and Key management" + } + }, + { + "id": "CAT014", + "name": "Structure and Semantics", + "shortDescription": { + "text": "Malformed document structure or inadequate semantics" + }, + "fullDescription": { + "text": "Malformed document structure or inadequate semantics" + } + }, + { + "id": "CAT001", + "name": "Access Control", + "shortDescription": { + "text": "Service permission and identity management" + }, + "fullDescription": { + "text": "Service permission and identity management" + } + }, + { + "id": "CAT003", + "name": "Backup", + "shortDescription": { + "text": "Survivability and Recovery" + }, + "fullDescription": { + "text": "Survivability and Recovery" + } + }, + { + "id": "CAT004", + "name": "Best Practices", + "shortDescription": { + "text": "Metadata management" + }, + "fullDescription": { + "text": "Metadata management" + } + }, + { + "id": "CAT011", + "name": "Resource Management", + "shortDescription": { + "text": "Resource and privilege limit configuration" + }, + "fullDescription": { + "text": "Resource and privilege limit configuration" + } + }, + { + "id": "CAT015", + "name": "Bill Of Materials", + "shortDescription": { + "text": "List of resources 
provisioned" + }, + "fullDescription": { + "text": "List of resources provisioned" + } + }, + { + "id": "CAT002", + "name": "Availability", + "shortDescription": { + "text": "Reliability and Scalability" + }, + "fullDescription": { + "text": "Reliability and Scalability" + } + }, + { + "id": "CAT006", + "name": "Encryption", + "shortDescription": { + "text": "Data Security and Encryption configuration" + }, + "fullDescription": { + "text": "Data Security and Encryption configuration" + } + }, + { + "id": "CAT007", + "name": "Insecure Configurations", + "shortDescription": { + "text": "Configurations which expose the application unnecessarily" + }, + "fullDescription": { + "text": "Configurations which expose the application unnecessarily" + } + }, + { + "id": "CAT005", + "name": "Build Process", + "shortDescription": { + "text": "Insecure configurations when building/deploying" + }, + "fullDescription": { + "text": "Insecure configurations when building/deploying" + } + }, + { + "id": "CAT009", + "name": "Networking and Firewall", + "shortDescription": { + "text": "Network port exposure and firewall configuration" + }, + "fullDescription": { + "text": "Network port exposure and firewall configuration" + } + }, + { + "id": "CAT013", + "name": "Supply-Chain", + "shortDescription": { + "text": "Dependency version management" + }, + "fullDescription": { + "text": "Dependency version management" + } + } + ] + }, + { + "name": "CWE", + "version": "4.13", + "releaseDateUtc": "2023-12-08", + "guid": "33333333-0000-1111-8888-000000000000", + "informationUri": "https://cwe.mitre.org/data/published/cwe_v4.13.pdf/", + "downloadUri": "https://cwe.mitre.org/data/xml/cwec_v4.13.xml.zip", + "organization": "MITRE", + "shortDescription": { + "text": "The MITRE Common Weakness Enumeration" + }, + "contents": [ + "localizedData", + "nonLocalizedData" + ], + "isComprehensive": true, + "minimumRequiredLocalizedDataSemanticVersion": "4.13", + "taxa": [ + { + "id": "1349", + "guid": 
"33333333-0000-1111-8888-111111111111", + "name": "OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration", + "shortDescription": { + "text": "Weaknesses in this category are related to the A05 category Security Misconfiguration in the OWASP Top Ten 2021." + }, + "defaultConfiguration": { + "level": "warning" + } + } + ] + } + ] + } + ] + } diff --git a/sechub-pds-solutions/iac/docker/pds-config.json b/sechub-pds-solutions/iac/docker/pds-config.json new file mode 100644 index 0000000000..e49217ce8f --- /dev/null +++ b/sechub-pds-solutions/iac/docker/pds-config.json @@ -0,0 +1,18 @@ +{ + "apiVersion": "1.0", + "serverId": "IAC_CLUSTER", + "products": [ + { + "id": "PDS_KICS", + "path": "/pds/scripts/kics.sh", + "scanType": "codeScan", + "description": "Runs the Infrastructure-as-Code security checker Kics." + }, + { + "id": "PDS_KICS_MOCK", + "path": "/pds/scripts/kics_mock.sh", + "scanType": "codeScan", + "description": "Runs Kics mock. It returns a fixed result file." + } + ] +} diff --git a/sechub-pds-solutions/iac/docker/scripts/kics.sh b/sechub-pds-solutions/iac/docker/scripts/kics.sh new file mode 100755 index 0000000000..ee56d82e95 --- /dev/null +++ b/sechub-pds-solutions/iac/docker/scripts/kics.sh 
@@ -0,0 +1,93 @@
+#!/usr/bin/env sh
+# SPDX-License-Identifier: MIT
+
+scan_results_folder="$PDS_JOB_WORKSPACE_LOCATION/results"
+
+echo ""
+echo "----------"
+echo "Kics Setup"
+echo "----------"
+echo ""
+
+if [ "$PDS_JOB_HAS_EXTRACTED_SOURCES" = "true" ]
+then
+ echo "Found sources to scan."
+else
+ echo ""
+ echo "ERROR: No sources found."
+ echo ""
+ echo "Workspace location structure:"
+ echo ""
+ tree "$PDS_JOB_WORKSPACE_LOCATION"
+ exit 1
+fi
+
+echo ""
+echo "-------------"
+echo "Starting scan"
+echo "-------------"
+echo ""
+
+echo "Starting Kics"
+cd $PDS_JOB_SOURCECODE_UNZIPPED_FOLDER
+kics scan --ci --exclude-categories "Best practices" --disable-full-descriptions --report-formats "sarif" --output-path "$scan_results_folder" --path "."
+
+#######################################################################################################################
+# Workaround: Since there are no CWEs we add a fixed CWE taxonomy to the SARIF report for false-positive handling #
+# This won't be needed anymore once Checkmarx adds CWEs to their reports #
+#######################################################################################################################
+
+cat $scan_results_folder/results.sarif | jq '.runs[].taxonomies += [{
+ "name": "CWE",
+ "version": "4.13",
+ "releaseDateUtc": "2023-12-08",
+ "guid": "33333333-0000-1111-8888-000000000000",
+ "informationUri": "https://cwe.mitre.org/data/published/cwe_v4.13.pdf/",
+ "downloadUri": "https://cwe.mitre.org/data/xml/cwec_v4.13.xml.zip",
+ "organization": "MITRE",
+ "shortDescription": {
+ "text": "The MITRE Common Weakness Enumeration"
+ },
+ "contents": [
+ "localizedData",
+ "nonLocalizedData"
+ ],
+ "isComprehensive": true,
+ "minimumRequiredLocalizedDataSemanticVersion": "4.13",
+ "taxa": [
+ {
+ "id": "1349",
+ "guid": "33333333-0000-1111-8888-111111111111",
+ "name": "OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration",
+ "shortDescription": {
+ "text": "Weaknesses in this category are related to the A05 category Security Misconfiguration in the OWASP Top Ten 2021."
+ },
+ "defaultConfiguration": {
+ "level": "warning"
+ }
+ }
+ ]
+ }]' > $scan_results_folder/intermediate.sarif
+
+cat $scan_results_folder/intermediate.sarif | jq '.runs[].tool.driver.rules[].relationships += [{
+ "target": {
+ "id": "1349",
+ "guid": "33333333-0000-1111-8888-111111111111",
+ "toolComponent": {
+ "name": "CWE",
+ "guid": "33333333-0000-1111-8888-000000000000"
+ }
+ }
+}]' > $scan_results_folder/results-fixedcwe.sarif
+
+mv $scan_results_folder/results-fixedcwe.sarif $scan_results_folder/results.sarif
+
+######################
+# End of workaround #
+######################
+
+echo "Copy result file"
+echo "Results folder: $scan_results_folder"
+tree "$scan_results_folder"
+
+cp "$scan_results_folder/results.sarif" "$PDS_JOB_RESULT_FILE"
\ No newline at end of file
diff --git a/sechub-pds-solutions/iac/docker/scripts/kics_mock.sh b/sechub-pds-solutions/iac/docker/scripts/kics_mock.sh
new file mode 100755
index 0000000000..9b1318e50e
--- /dev/null
+++ b/sechub-pds-solutions/iac/docker/scripts/kics_mock.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env sh
+# SPDX-License-Identifier: MIT
+
+# Mock is scan output of: https://github.com/Contrast-Security-OSS/go-test-bench
+echo "Running PDS Kics Mock"
+cp "$MOCK_FOLDER/kics-mock.sarif.json" "$PDS_JOB_RESULT_FILE"
\ No newline at end of file
diff --git a/sechub-pds-solutions/iac/env b/sechub-pds-solutions/iac/env
new file mode 100644
index 0000000000..867bd18493
--- /dev/null
+++ b/sechub-pds-solutions/iac/env
@@ -0,0 +1,4 @@
+# The base image to use
+# uncomment to use local image
+# BASE_IMAGE="pds-base_pds"
+BASE_IMAGE="ghcr.io/mercedes-benz/sechub/pds-base"
\ No newline at end of file
diff --git a/sechub-pds-solutions/iac/env-database b/sechub-pds-solutions/iac/env-database
new file mode 100644
index 0000000000..d3c9ad6e5f
--- /dev/null
+++ b/sechub-pds-solutions/iac/env-database
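Review bot: The `cd $PDS_JOB_SOURCECODE_UNZIPPED_FOLDER` before the scan is unquoted and its exit status is ignored, so an empty or unusable variable leaves the script in its previous working directory and `kics scan --path "."` silently scans whatever is there; change it to `cd "$PDS_JOB_SOURCECODE_UNZIPPED_FOLDER" || exit 1`. The post-processing has the same gap: nothing verifies that `$scan_results_folder/results.sarif` exists before the `cat | jq` pipeline runs, so a failed kics run yields an empty `results-fixedcwe.sarif` that is still moved over `results.sarif` and copied to `$PDS_JOB_RESULT_FILE`, and the job ends with an unusable report rather than a visible error. A guard such as `[ -f "$scan_results_folder/results.sarif" ] || { echo "ERROR: Kics produced no SARIF report"; exit 1; }` directly after the `kics scan` line would surface the failure. If kics in `--ci` mode also encodes findings in its exit code, an explicit check of that code is preferable to a bare `set -e`, which would abort on every scan that finds something.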
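Review bot: The comment `# Mock is scan output of: https://github.com/Contrast-Security-OSS/go-test-bench` looks like a copy-paste leftover from another PDS mock script: the `kics-mock.sarif.json` added in this same diff reports findings in `alicloud/bucket.tf`, `alicloud/rds.tf` and `alicloud/trail.tf`, which are Terraform files, not the Go benchmark application named here. Replace it with a comment that names the actual origin of the fixture, e.g. `# Mock is a Kics SARIF report produced from a small set of Alicloud Terraform sample files`, so reviewers comparing mock output against a real scan are not sent to the wrong project.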
@@ -0,0 +1,9 @@
+# The database start mode
+# debug - starts only the container
+# server - initializes and starts the database
+DATABASE_START_MODE=server
+POSTGRES_ENABLED=true
+DATABASE_CONNECTION=jdbc:postgresql://database:5432/pds?currentSchema=iac
+DATABASE_PASSWORD='top$ecret'
+DATABASE_USERNAME=iac
+
diff --git a/sechub-pds-solutions/iac/helm/pds-iac/.helmignore b/sechub-pds-solutions/iac/helm/pds-iac/.helmignore
new file mode 100644
index 0000000000..1785d7ac79
--- /dev/null
+++ b/sechub-pds-solutions/iac/helm/pds-iac/.helmignore
@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: MIT
+
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/sechub-pds-solutions/iac/helm/pds-iac/Chart.yaml b/sechub-pds-solutions/iac/helm/pds-iac/Chart.yaml
new file mode 100644
index 0000000000..1166f4d17f
--- /dev/null
+++ b/sechub-pds-solutions/iac/helm/pds-iac/Chart.yaml
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: MIT
+
+apiVersion: v2
+name: pds-iac
+description: SecHub PDS + IaC tools as Helm chart for Kubernetes
+
+type: application
+
+maintainers:
+ - name: Jeremias Eppler
+ - name: Rouven Haertel
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.0
diff --git a/sechub-pds-solutions/iac/helm/pds-iac/LICENSE b/sechub-pds-solutions/iac/helm/pds-iac/LICENSE
new file mode 100644
index 0000000000..2926a35b5f
--- /dev/null
+++ b/sechub-pds-solutions/iac/helm/pds-iac/LICENSE
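Review bot: `DATABASE_PASSWORD='top$ecret'` commits a working credential with nothing in the file saying that it is a local-development default, so a reader cannot tell whether it is also expected to be used by the Helm chart or a shared environment. Add a comment directly above it such as `# Local docker-compose default only - override it anywhere other than a developer machine`. The Helm `values.yaml` in this same diff defaults `database.postgres.password` to an empty string, so the two defaults are not shared today, but that should be stated here rather than left for the reader to verify.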
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. \ No newline at end of file diff --git a/sechub-pds-solutions/iac/helm/pds-iac/README.md b/sechub-pds-solutions/iac/helm/pds-iac/README.md new file mode 100644 index 0000000000..d7c1ee3c20 --- /dev/null +++ b/sechub-pds-solutions/iac/helm/pds-iac/README.md @@ -0,0 +1,4 @@ + +# IaC + PDS + +This Helm chart enables one to deploy IaC and the [SecHub Product Delegation Server (PDS)](https://mercedes-benz.github.io/sechub/latest/sechub-product-delegation-server.html) into a Kubernetes environment. It is recommended to use IaC + PDS together with [SecHub](https://mercedes-benz.github.io/sechub/). \ No newline at end of file diff --git a/sechub-pds-solutions/iac/helm/pds-iac/templates/deployment.yaml b/sechub-pds-solutions/iac/helm/pds-iac/templates/deployment.yaml new file mode 100644 index 0000000000..b3b207fa89 --- /dev/null 
+++ b/sechub-pds-solutions/iac/helm/pds-iac/templates/deployment.yaml 
@@ -0,0 +1,124 @@ +# SPDX-License-Identifier: MIT + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Chart.Name }} + labels: + name: {{ .Chart.Name }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + name: {{ .Chart.Name }} + template: + metadata: + labels: + name: {{ .Chart.Name }} + spec: + securityContext: + runAsUser: 2323 # user id of the application user. (overrides settings in the Dockerfile) + runAsGroup: 2323 # group id of the application group. (overrides setings in the Dockerfile) + fsGroup: 2323 # group id of the application group. Set in the Dockerfile. This group has write access to the volumes. + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.registry }}:{{ .Values.image.tag }}" + resources: + requests: + memory: "{{ .Values.resources.requests.memory }}" + limits: + memory: "{{ .Values.resources.limits.memory }}" + env: + - name: PDS_START_MODE + value: "{{ .Values.pds.startMode }}" + - name: ADMIN_USERID + value: "{{ .Values.users.admin.id }}" + - name: ADMIN_APITOKEN + value: "{{ .Values.users.admin.apiToken }}" + - name: TECHUSER_USERID + value: "{{ .Values.users.technical.id }}" + - name: TECHUSER_APITOKEN + value: "{{ .Values.users.technical.apiToken }}" + - name: PDS_MAX_FILE_UPLOAD_BYTES + value: "{{ .Values.pds.maxFileUploadBytes }}" + - name: PDS_CONFIG_EXECUTE_QUEUE_MAX + value: "{{ .Values.pds.config.execute.queueMax }}" + - name: PDS_CONFIG_EXECUTE_WORKER_THREAD_COUNT + value: "{{ .Values.pds.config.execute.workerThreadCount }}" + - name: PDS_HEARTBEAT_LOGGING + value: "{{ .Values.pds.heartbeatLogging }}" +{{- if .Values.pds.logging.type.enabled }} + - name: LOGGING_TYPE + value: {{ .Values.pds.logging.type.appenderName }} +{{- end }} +{{- if .Values.pds.debug.keepReportsInWorkspace }} + - name: SECHUB_PDS_WORKSPACE_AUTOCLEAN_DISABLED + value: "true" +{{- end }} +{{- if .Values.pds.javaDebug.enabled }} + - name: JAVA_ENABLE_DEBUG + value: "true" +{{- end }} +{{- if 
.Values.pds.keepContainerAliveAfterPDSCrashed }} + - name: KEEP_CONTAINER_ALIVE_AFTER_PDS_CRASHED + value: "true" +{{- end }} +{{- if .Values.database.postgres.enabled }} + - name: POSTGRES_ENABLED + value: "true" + - name: DATABASE_CONNECTION + value: "{{ .Values.database.postgres.connection }}" + - name: DATABASE_USERNAME + value: "{{ .Values.database.postgres.username }}" + - name: DATABASE_PASSWORD + value: "{{ .Values.database.postgres.password }}" +{{- end }} + # limit database connection pool + - name: SPRING_DATASOURCE_HIKARI_MINIMUMIDLE + value: "1" + - name: SPRING_DATASOURCE_HIKARI_MAXIMUMPOOLSIZE + value: "2" + + # Storage priority in order: local, s3, shared volume + # Meaning if local is enabled local will be used, + # regardless of other storage configurations. +{{- if .Values.storage.local.enabled }} + - name: SHARED_VOLUME_UPLOAD_DIR + value: "/shared_volumes/uploads" +{{- else if .Values.storage.s3.enabled }} + - name: S3_ENABLED + value: "true" + - name: S3_ENDPOINT + value: {{ .Values.storage.s3.endpoint }} + - name: S3_BUCKETNAME + value: {{ .Values.storage.s3.bucketname }} + - name: S3_ACCESSKEY + value: {{ .Values.storage.s3.accesskey }} + - name: S3_SECRETKEY + value: {{ .Values.storage.s3.secretkey }} +{{- else if .Values.storage.sharedVolume.enabled }} + - name: SHARED_VOLUME_UPLOAD_DIR + value: "{{ .Values.storage.sharedVolume.upload.dir }}" +{{- end}} + ports: + - name: pds-https-port + containerPort: 8444 + startupProbe: + httpGet: + scheme: HTTPS + path: /api/anonymous/check/alive + port: pds-https-port + periodSeconds: 1 + failureThreshold: 300 + # probe every 1s x 300 = 5 mins before restart of container + successThreshold: 1 + timeoutSeconds: 1 + livenessProbe: + httpGet: + scheme: HTTPS + path: /api/anonymous/check/alive + port: pds-https-port + periodSeconds: 5 + failureThreshold: 3 + successThreshold: 1 + timeoutSeconds: 3 
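Review bot: `ADMIN_APITOKEN`, `TECHUSER_APITOKEN`, `DATABASE_PASSWORD` and `S3_SECRETKEY` are rendered as plain `value:` strings straight from `values.yaml`, so every credential ends up in the Deployment manifest and in the Helm release history stored in the cluster, readable by anyone with list access to Deployments. Inject them from a Kubernetes Secret via `valueFrom.secretKeyRef` and keep only the secret name in values. The pod-level `securityContext` fixes the uid/gid but the container sets no `runAsNonRoot`, `allowPrivilegeEscalation: false` or dropped capabilities, which is worth adding for a workload that runs a scanner over user-uploaded IaC. If the other PDS solution charts in this repository share this layout, the change should be applied consistently rather than only here.

```yaml
      securityContext:
        # … unchanged: runAsUser / runAsGroup / fsGroup …
        runAsNonRoot: true
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.registry }}:{{ .Values.image.tag }}"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # … unchanged: resources …
          env:
            # … unchanged: PDS_START_MODE, ADMIN_USERID …
            - name: ADMIN_APITOKEN
              valueFrom:
                secretKeyRef:
                  name: {{ .Chart.Name }}-credentials
                  key: admin-apitoken
            # … same secretKeyRef pattern for TECHUSER_APITOKEN, DATABASE_PASSWORD and S3_SECRETKEY …
```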
diff --git a/sechub-pds-solutions/iac/helm/pds-iac/templates/networkpolicy.yaml b/sechub-pds-solutions/iac/helm/pds-iac/templates/networkpolicy.yaml new file mode 100644 index 0000000000..b8bd77258a --- /dev/null +++ b/sechub-pds-solutions/iac/helm/pds-iac/templates/networkpolicy.yaml @@ -0,0 +1,18 @@ +# SPDX-License-Identifier: MIT + +{{- if .Values.networkPolicy.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ .Chart.Name }}-policy +spec: + podSelector: + matchLabels: + name: {{ .Chart.Name }} + +{{- if .Values.networkPolicy.ingress }} + ingress: + {{ .Values.networkPolicy.ingress | toYaml | indent 4 | trim }} +{{- end }} + +{{- end }} diff --git a/sechub-pds-solutions/iac/helm/pds-iac/templates/service.yaml b/sechub-pds-solutions/iac/helm/pds-iac/templates/service.yaml new file mode 100644 index 0000000000..546b6ee2fa --- /dev/null +++ b/sechub-pds-solutions/iac/helm/pds-iac/templates/service.yaml @@ -0,0 +1,13 @@ +# SPDX-License-Identifier: MIT + +apiVersion: v1 +kind: Service +metadata: + name: {{ .Chart.Name }} +spec: + selector: + name: {{ .Chart.Name }} + ports: + - protocol: TCP + port: 8444 + targetPort: 8444 \ No newline at end of file diff --git a/sechub-pds-solutions/iac/helm/pds-iac/values.yaml b/sechub-pds-solutions/iac/helm/pds-iac/values.yaml new file mode 100644 index 0000000000..8272c3ef67 --- /dev/null +++ b/sechub-pds-solutions/iac/helm/pds-iac/values.yaml 
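Review bot: The NetworkPolicy declares no `policyTypes`, so it only ever restricts ingress and egress from the scanner pod stays unrestricted; combined with `networkPolicy.enabled` defaulting to `false` in `values.yaml`, there is no isolation at all unless an operator opts in. Add `policyTypes:` with `- Ingress` under `spec:` to make that intent explicit, and if the PDS only needs the database, the S3 endpoint and the SecHub server, consider an `egress:` value rendered the same way as `ingress`. Also note that when `networkPolicy.enabled` is true but `networkPolicy.ingress` is empty, the rendered policy has a `podSelector` and no `ingress` rules, which Kubernetes treats as deny-all ingress to the PDS; that may be the intended fail-closed behaviour but deserves a comment in `values.yaml`.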
@@ -0,0 +1,78 @@ +# SPDX-License-Identifier: MIT + +# This is a sample values file containing the defaults. + +replicaCount: 1 + +image: + registry: "ghcr.io/mercedes-benz/sechub/pds-iac" + tag: "latest" + +resources: + requests: + # Initial container memory size + memory: 256Mi + limits: + # Maximum container memory size + memory: 1Gi + +pds: + startMode: localserver + # Maximum upload size for source code: 50 MiB by default (50 * 1024 * 1024 = 52428800) + maxFileUploadBytes: "52428800" + config: + execute: + # Maximal accepted queue size (new job requests will be denied and thus cached on SecHub server) + queueMax: 10 + # Maximum number of jobs that are processed in parallel by PDS + workerThreadCount: 10 + heartbeatLogging: "true" + logging: + type: + enabled: false + appenderName: "LOGSTASH_JSON" + debug: + keepReportsInWorkspace: false + javaDebug: + enabled: false + keepContainerAliveAfterPDSCrashed: false + +users: + technical: + id: "techuser" + apiToken: "" + admin: + id: "admin" + apiToken: "" + +storage: + local: + enabled: true + s3: + enabled: false + endpoint: "https://:" + bucketname: "" + accesskey: "" + secretkey: "" + sharedVolume: + enabled: false + upload: + dir: "/mount/nfs/shares/" + +database: + postgres: + enabled: false + connection: "jdbc:postgresql://database:5432/pds" + username: "pds_iac" + password: "" + +networkPolicy: + enabled: false + ingress: + - from: + - podSelector: + matchLabels: + name: sechub-server + - podSelector: + matchLabels: + name: sechub-adminserver diff --git a/sechub-pds-solutions/iac/tests/README.adoc b/sechub-pds-solutions/iac/tests/README.adoc new file mode 100644 index 0000000000..3914faec29 --- /dev/null +++ b/sechub-pds-solutions/iac/tests/README.adoc 
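Review bot: `image.tag: "latest"` pins nothing, so each pod restart may pull a different scanner image, which makes scan results non-reproducible and leaves no record of which Kics build produced a given report. Default it to a concrete version or at least annotate it, e.g. `tag: "latest"  # override with a pinned version or image digest outside of local testing`. The same file leaves `users.admin.apiToken` and `users.technical.apiToken` as empty strings with no comment; since the Deployment in this diff passes them straight into the container environment, a one-line note that both are required and how they are expected to be supplied would save operators from discovering it at runtime.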
@@ -0,0 +1,14 @@
+// SPDX-License-Identifier: MIT
+= System Tests
+
+== Steps
+
+. Download `sechub-pds-tools-cli-x.y.z.jar` from the releases: https://github.com/mercedes-benz/sechub/releases/.
+. Copy `sechub-pds-tools-cli-x.y.z.jar` into this folder.
+. Run system tests
++
+Run all system tests example:
++
+----
+java -jar sechub-pds-tools-cli-1.2.0.jar systemtest --file systemtest_local_kics.json --pds-solutions-rootfolder ../../ --sechub-solution-rootfolder ../../../sechub-solution
+----
diff --git a/sechub-pds-solutions/iac/tests/clone_repo.sh b/sechub-pds-solutions/iac/tests/clone_repo.sh
new file mode 100755
index 0000000000..36c82494a4
--- /dev/null
+++ b/sechub-pds-solutions/iac/tests/clone_repo.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: MIT
+
+current_test_folder="$1"
+vulnerable_repo="$2"
+
+if [[ ! -d "$current_test_folder" ]]
+then
+  echo "Target folder is empty"
+  exit 1
+fi
+
+if [[ -z "$vulnerable_repo" ]]
+then
+  echo "No vulnerable application repository provided"
+  exit 2
+fi
+
+cd "$current_test_folder"
+
+echo "cloning: $vulnerable_repo"
+git clone "$vulnerable_repo"
\ No newline at end of file
diff --git a/sechub-pds-solutions/iac/tests/copy_sanitycheck_files.sh b/sechub-pds-solutions/iac/tests/copy_sanitycheck_files.sh
new file mode 100755
index 0000000000..6545959f07
--- /dev/null
+++ b/sechub-pds-solutions/iac/tests/copy_sanitycheck_files.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: MIT
+
+current_test_folder="$1"
+
+if [[ ! -d "$current_test_folder" ]]
+then
+  echo "Target folder is empty"
+  exit 1
+fi
+
+cd `dirname $0`
+
+echo "copy sanity check testdata folder"
+cp -r sanity-check-testdata/ "$current_test_folder/sanity-check"
+
diff --git a/sechub-pds-solutions/iac/tests/sanity-check-testdata/Dockerfile b/sechub-pds-solutions/iac/tests/sanity-check-testdata/Dockerfile
new file mode 100644
index 0000000000..c35f1b5f5e
--- /dev/null
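Review bot: The `cd "$current_test_folder"` near the end of clone_repo.sh is unchecked and the script has no `set -e`, so if the cd fails `git clone` runs in whatever directory the caller is in rather than in the test folder; write it as `cd "$current_test_folder" || exit 3`. The guard message `Target folder is empty` is also misleading, since the test is `! -d` (folder missing, not empty) - `Target folder does not exist: $current_test_folder` says what was actually checked, and copy_sanitycheck_files.sh in the next hunk repeats the same message.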
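Review bot: copy_sanitycheck_files.sh checks `-d "$current_test_folder"` from the caller's working directory but then runs `cd \`dirname $0\`` before using the path in `cp`, so a relative `$1` no longer points to the folder that passed the check (it is resolved relative to the script directory instead). Resolve it to an absolute path up front, `current_test_folder="$(cd "$1" && pwd)" || exit 1`, and quote the second cd, `cd "$(dirname "$0")" || exit 1`, so a path containing spaces does not split. The systemtest file in this commit presumably passes `${runtime.currentTestFolder}` as an absolute path, which is why this has not surfaced - worth confirming rather than relying on.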
+++ b/sechub-pds-solutions/iac/tests/sanity-check-testdata/Dockerfile
@@ -0,0 +1 @@
+FROM scratch
diff --git a/sechub-pds-solutions/iac/tests/systemtest_local_kics.json b/sechub-pds-solutions/iac/tests/systemtest_local_kics.json
new file mode 100644
index 0000000000..0201b1cde2
--- /dev/null
+++ b/sechub-pds-solutions/iac/tests/systemtest_local_kics.json
@@ -0,0 +1,173 @@
+{
+  "setup": {
+    "local": {
+      "secHub": {
+        "start": [
+          {
+            "script": {
+              "path": "./01-start-single-docker-compose.sh"
+            }
+          }
+        ],
+        "configure": {
+          "executors": [
+            {
+              "pdsProductId": "PDS_KICS",
+              "name": "system-test-codescan-gosec",
+              "parameters": {
+                "sechub.productexecutor.pds.adapter.resilience.retry.wait.milliseconds": 3000,
+                "sechub.productexecutor.pds.adapter.resilience.retry.max": 20,
+                "pds.config.use.sechub.storage": false
+              }
+            }
+          ]
+        },
+        "stop": [
+          {
+            "script": {
+              "path": "./01-stop-single-docker-compose.sh"
+            }
+          }
+        ]
+      },
+      "pdsSolutions": [
+        {
+          "name": "iac",
+          "url": "https://pds-iac:8444/",
+          "waitForAvailable": false,
+          "start": [
+            {
+              "script": {
+                "path": "./05-start-single-sechub-network-docker-compose.sh"
+              }
+            }
+          ],
+          "stop": [
+            {
+              "script": {
+                "path": "./05-stop-single-sechub-network-docker-compose.sh"
+              }
+            }
+          ]
+        }
+      ]
+    }
+  },
+  "tests": [
+    {
+      "name": "sanity-check",
+      "comment": "This checks if the solution works at all. It is very fast. 
Can be used to test if system testframework has some problems at all.",
+      "prepare": [
+        {
+          "script": {
+            "arguments": [
+              "${runtime.currentTestFolder}"
+            ],
+            "path": "./copy_sanitycheck_files.sh"
+          }
+        }
+      ],
+      "execute": {
+        "runSecHubJob": {
+          "uploads": [
+            {
+              "sourceFolder": "sanity-check"
+            }
+          ],
+          "codeScan": {}
+        }
+      },
+      "assert": [
+        {
+          "sechubResult": {
+            "hasTrafficLight": "GREEN"
+          }
+        }
+      ]
+    },
+    {
+      "name": "terragoat",
+      "prepare": [
+        {
+          "script": {
+            "arguments": [
+              "${runtime.currentTestFolder}",
+              "https://github.com/bridgecrewio/terragoat"
+            ],
+            "path": "./clone_repo.sh"
+          }
+        }
+      ],
+      "execute": {
+        "runSecHubJob": {
+          "uploads": [
+            {
+              "sourceFolder": "terragoat"
+            }
+          ],
+          "codeScan": {}
+        }
+      },
+      "assert": [
+        {
+          "sechubResult": {
+            "hasTrafficLight": "RED",
+            "containsStrings": {
+              "values": [
+                "result",
+                "SUCCESS",
+                "jobUUID",
+                "reportVersion",
+                "HIGH",
+                "severity",
+                "terragoat/terraform/azure/sql.tf"
+              ]
+            }
+          }
+        }
+      ]
+    },
+    {
+      "name": "wrongsecrets",
+      "prepare": [
+        {
+          "script": {
+            "arguments": [
+              "${runtime.currentTestFolder}",
+              "https://github.com/OWASP/wrongsecrets.git"
+            ],
+            "path": "./clone_repo.sh"
+          }
+        }
+      ],
+      "execute": {
+        "runSecHubJob": {
+          "uploads": [
+            {
+              "sourceFolder": "wrongsecrets"
+            }
+          ],
+          "codeScan": {}
+        }
+      },
+      "assert": [
+        {
+          "sechubResult": {
+            "hasTrafficLight": "RED",
+            "containsStrings": {
+              "values": [
+                "result",
+                "SUCCESS",
+                "jobUUID",
+                "reportVersion",
+                "HIGH",
+                "severity",
+                "wrongsecrets/okteto/k8s/secret-challenge-ctf-deployment.yml"
+              ]
+            }
+          }
+        }
+      ]
+    }
+  ]
+}
\ No newline at end of file
diff --git a/sechub-pds-solutions/loc/09-compute-image-tag.sh b/sechub-pds-solutions/loc/09-compute-image-tag.sh
index 1af78f6199..503eff7642 100755
--- a/sechub-pds-solutions/loc/09-compute-image-tag.sh
+++ b/sechub-pds-solutions/loc/09-compute-image-tag.sh
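Review bot: The executor configured for `PDS_KICS` is named `system-test-codescan-gosec`, which reads as a leftover from the gosec system test and will be confusing in server logs and the executor list; rename it, e.g. `"name": "system-test-codescan-kics"`. The `terragoat` and `wrongsecrets` tests clone third-party repositories at their default branch, so the asserted paths `terragoat/terraform/azure/sql.tf` and `wrongsecrets/okteto/k8s/secret-challenge-ctf-deployment.yml` depend on upstream content that can move or disappear; pinning a commit in clone_repo.sh, or at least recording in the tests README that these cases need network access and track upstream HEAD, would make a future red run easier to interpret.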
@@ -13,6 +13,6 @@ else
 fi
 
 # Use date of build, because there are multiple tools contained
-VERSION_TAG+="_`date +%Y%m%d`"
+VERSION_TAG+="_`date +%Y-%m-%d`"
 
 echo $VERSION_TAG
diff --git a/sechub-pds-solutions/multi/09-compute-image-tag.sh b/sechub-pds-solutions/multi/09-compute-image-tag.sh
index 1af78f6199..503eff7642 100755
--- a/sechub-pds-solutions/multi/09-compute-image-tag.sh
+++ b/sechub-pds-solutions/multi/09-compute-image-tag.sh
@@ -13,6 +13,6 @@ else
 fi
 
 # Use date of build, because there are multiple tools contained
-VERSION_TAG+="_`date +%Y%m%d`"
+VERSION_TAG+="_`date +%Y-%m-%d`"
 
 echo $VERSION_TAG
diff --git a/sechub-pds-solutions/xray/09-compute-image-tag.sh b/sechub-pds-solutions/xray/09-compute-image-tag.sh
new file mode 100755
index 0000000000..5d5314d72e
--- /dev/null
+++ b/sechub-pds-solutions/xray/09-compute-image-tag.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# SPDX-License-Identifier: MIT
+
+# Compute image version tag for container image
+# 1st argument is the pds-base version
+
+VERSION_TAG=""
+if [ -n "$1" ]; then
+  VERSION_TAG="$1"
+else
+  # This should not happen, but in this case we just use the current date
+  VERSION_TAG="`date +%Y-%m-%d`"
+fi
+
+if [[ -n "$XRAY_WRAPPER_VERSION" ]] ; then
+  VERSION_TAG+="_$XRAY_WRAPPER_VERSION"
+fi
+
+echo $VERSION_TAG
diff --git a/sechub-pds-solutions/xray/10-create-image.sh b/sechub-pds-solutions/xray/10-create-image.sh
index d6adc8b653..9a696a7fe3 100755
--- a/sechub-pds-solutions/xray/10-create-image.sh
+++ b/sechub-pds-solutions/xray/10-create-image.sh
@@ -7,6 +7,8 @@ REGISTRY="$1"
 VERSION="$2"
 BASE_IMAGE="$3"
 
+DEFAULT_BUILD_TYPE=download
+
 usage() { cat - < with tag . Required: ; for example ghcr.io/mercedes-benz/sechub/pds-base Additionally these environment variables can be defined:
-- XRAY_WRAPPER_VERSION - xray version to use. E.g. 2.9.5
+- BUILD_TYPE - The build type of the Checkmarx-Wrapper. Defaults to "$DEFAULT_BUILD_TYPE"
+- BUILDER_BASE_IMAGE - Base image for the build containers (see dockerfile)
+- XRAY_WRAPPER_VERSION - xray wrapper version to use. E.g. 1.0.0
 EOF
 }
@@ -44,6 +48,17 @@ fi
 BUILD_ARGS="--build-arg BASE_IMAGE=$BASE_IMAGE"
 echo ">> Base image: $BASE_IMAGE"
 
+if [[ -z "$BUILD_TYPE" ]] ; then
+  BUILD_TYPE="$DEFAULT_BUILD_TYPE"
+fi
+BUILD_ARGS+=" --build-arg BUILD_TYPE=$BUILD_TYPE"
+echo ">> - Build type: $BUILD_TYPE"
+
+if [[ ! -z "$BUILDER_BASE_IMAGE" ]] ; then
+  BUILD_ARGS+=" --build-arg BUILDER_BASE_IMAGE=$BUILDER_BASE_IMAGE"
+  echo ">> - Builder base image: $BUILDER_BASE_IMAGE"
+fi
+
 if [[ ! -z "$XRAY_WRAPPER_VERSION" ]] ; then
   echo ">> Xray version: $XRAY_WRAPPER_VERSION"
   BUILD_ARGS="$BUILD_ARGS --build-arg XRAY_WRAPPER_VERSION=$XRAY_WRAPPER_VERSION"
diff --git a/sechub-pds-solutions/xray/docker/Xray-Debian.dockerfile b/sechub-pds-solutions/xray/docker/Xray-Debian.dockerfile
index 97cb5a3b7d..570c8447ff 100644
--- a/sechub-pds-solutions/xray/docker/Xray-Debian.dockerfile
+++ b/sechub-pds-solutions/xray/docker/Xray-Debian.dockerfile
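Review bot: The new usage line describes `BUILD_TYPE` as `The build type of the Checkmarx-Wrapper`, a copy-paste leftover in the Xray build script; it should read `- BUILD_TYPE - The build type of the Xray-Wrapper (copy or download). Defaults to "$DEFAULT_BUILD_TYPE"`. Naming the two accepted values here keeps the usage text in step with the comment the commit adds to the `env` file. The heredoc text of this hunk is partly garbled on this page, so the surrounding usage lines could not be checked.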
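Review bot: `BUILD_TYPE` is appended to `BUILD_ARGS` without validation, and the Dockerfile in this commit selects a stage with `FROM builder-${BUILD_TYPE}`, so a typo such as `BUILD_TYPE=downlaod` only fails deep inside `docker build` with a missing-stage error instead of at this script with a readable message. Validate the value right after the default is applied; the snippet below shows the added `case` between the existing default block and the `BUILD_ARGS+=` line.
```shell
if [[ -z "$BUILD_TYPE" ]] ; then
  BUILD_TYPE="$DEFAULT_BUILD_TYPE"
fi
case "$BUILD_TYPE" in
  copy|download) ;;
  *) echo "Unknown BUILD_TYPE '$BUILD_TYPE' - expected 'copy' or 'download'" ; exit 1 ;;
esac
BUILD_ARGS+=" --build-arg BUILD_TYPE=$BUILD_TYPE"
# … unchanged: BUILDER_BASE_IMAGE and XRAY_WRAPPER_VERSION handling …
```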
@@ -2,20 +2,83 @@
 # The image argument needs to be placed on top
 ARG BASE_IMAGE
-FROM ${BASE_IMAGE}
-# The remaining arguments need to be placed after the `FROM`
-# See: https://ryandaniels.ca/blog/docker-dockerfile-arg-from-arg-trouble/
+# Build Args
+# Build type can be "copy" or "download"
+ARG BUILD_TYPE
+ARG XRAY_WRAPPER_VERSION="1.0.0"
+
+# The base image of the builder
+ARG BUILDER_BASE_IMAGE="debian:12-slim"
+ARG ARTIFACT_FOLDER="/artifacts"
+
+
+#-------------------
+# Builder Download
+#-------------------
+# (downloads a released Xray-Wrapper jar)
+
+FROM ${BUILDER_BASE_IMAGE} AS builder-download
+
+ARG ARTIFACT_FOLDER
+ARG XRAY_WRAPPER_VERSION
+
+RUN mkdir --parent "$ARTIFACT_FOLDER"
+
+RUN export DEBIAN_FRONTEND=noninteractive && \
+    apt-get update && \
+    apt-get install --assume-yes wget && \
+    apt-get clean
+
+# Download the Xray Wrapper
+RUN cd "$ARTIFACT_FOLDER" && \
+    # download wrapper jar
+    wget --no-verbose "https://github.com/mercedes-benz/sechub/releases/download/v$XRAY_WRAPPER_VERSION-xray-wrapper/sechub-pds-wrapper-xray-$XRAY_WRAPPER_VERSION.jar" && \
+    # download checksum file
+    wget --no-verbose "https://github.com/mercedes-benz/sechub/releases/download/v$XRAY_WRAPPER_VERSION-xray-wrapper/sechub-pds-wrapper-xray-$XRAY_WRAPPER_VERSION.jar.sha256sum" && \
+    # verify the checksum
+    sha256sum --check "sechub-pds-wrapper-xray-$XRAY_WRAPPER_VERSION.jar.sha256sum"
+
+
+#-------------------
+# Builder Copy Jar
+#-------------------
+# (copies the Xray-Wrapper jar from local subdirectory "copy")
+
+FROM ${BUILDER_BASE_IMAGE} AS builder-copy
+
+ARG ARTIFACT_FOLDER
+ARG XRAY_WRAPPER_VERSION
+
+RUN mkdir --parent "$ARTIFACT_FOLDER"
+
+# Copy
+COPY copy/sechub-pds-wrapper-xray-$XRAY_WRAPPER_VERSION.jar "$ARTIFACT_FOLDER"
+
+
+#-------------------
+# Builder
+#-------------------
+
+FROM builder-${BUILD_TYPE} as builder
+RUN echo "build stage"
+
+
+#-------------------
+# PDS + Xray Image
+#-------------------
+
+FROM ${BASE_IMAGE}
 LABEL 
org.opencontainers.image.source="https://github.com/mercedes-benz/sechub"
 LABEL org.opencontainers.image.title="SecHub Xray+PDS Image"
 LABEL org.opencontainers.image.description="A container which combines Xray Wrapper with the SecHub Product Delegation Server (PDS)"
 LABEL maintainer="SecHub FOSS Team"
 
-USER root
+ARG ARTIFACT_FOLDER
+ARG XRAY_WRAPPER_VERSION
 
-# Build Args
-ARG XRAY_WRAPPER_VERSION="0.0.0"
+USER root
 
 # Copy mock folder
 COPY mocks "$MOCK_FOLDER"
@@ -30,22 +93,12 @@ COPY pds-config.json "$PDS_FOLDER/pds-config.json"
 RUN export DEBIAN_FRONTEND=noninteractive && \
     apt-get update && \
     apt-get --assume-yes upgrade && \
-    apt-get --assume-yes install openjdk-17-jre wget skopeo jq && \
+    apt-get --assume-yes install wget skopeo jq && \
     apt-get --assume-yes clean
 
-# TODO: Install SecHub XRAY wrapper from github
-    #RUN cd "$TOOL_FOLDER" && \
-    # # download checksum file
-    # wget --no-verbose "https://github.com/mercedes-benz/sechub/releases/download/v$Xlink" && \
-    # # download wrapper jar
-    # wget --no-verbose "https://github.com/mercedes-benz/sechub/releases/download/v$link" && \
-    # # verify that the checksum and the checksum of the file are same
-    # sha256sum --check sechub-pds-wrapperxray-$XRAY_WRAPPER_VERSION.jar.sha256sum && \
-    # ln -s sechub-pds-wrapperxray-$XRAY_WRAPPER_VERSION.jar wrapperxray.jar
-
-# workaround until release
-COPY sechub-pds-wrapper-xray-$XRAY_WRAPPER_VERSION.jar "$TOOL_FOLDER/sechub-pds-wrapper-xray-$XRAY_WRAPPER_VERSION.jar"
-RUN ln -s "$TOOL_FOLDER/sechub-pds-wrapper-xray-$XRAY_WRAPPER_VERSION.jar" "$TOOL_FOLDER/wrapper-xray.jar"
+# Copy Xray-Wrapper jar from builder
+COPY --from=builder "$ARTIFACT_FOLDER" "$TOOL_FOLDER"
+RUN ln -s "sechub-pds-wrapper-xray-$XRAY_WRAPPER_VERSION.jar" "$TOOL_FOLDER/wrapper-xray.jar"
 
 # Set workspace
 WORKDIR "$WORKSPACE"
diff --git a/sechub-pds-solutions/xray/docker/copy/README.adoc b/sechub-pds-solutions/xray/docker/copy/README.adoc
new file mode 100644
index 0000000000..baa59a03b3
--- /dev/null
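Review bot: `ARG BUILD_TYPE` is declared without a default, so a plain `docker build` that does not pass `--build-arg BUILD_TYPE=...` resolves `FROM builder-${BUILD_TYPE} as builder` to a stage named `builder-` and fails with an unhelpful error; give it the same default the create-image script uses, `ARG BUILD_TYPE="download"`, so the Dockerfile works on its own. The `as builder` on that line is lowercase while the other stages use `AS` - pick one. In the download stage the `.sha256sum` file is fetched from the same release URL as the jar, so `sha256sum --check` protects against a truncated or corrupted download but not against a substituted release; a comment stating that, e.g. `# checksum comes from the same release - guards download integrity, not release authenticity`, keeps the next maintainer from reading more into the check than it provides.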
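Review bot: `openjdk-17-jre` is dropped from the apt install list, yet the final image still runs the wrapper jar through `$TOOL_FOLDER/wrapper-xray.jar`, so the image now depends on the PDS base image shipping a JRE; presumably `pds-base` does, but that is not visible here and deserves a comment such as `# Java runtime is provided by the pds-base image` above the install line. The symlink target in `RUN ln -s "sechub-pds-wrapper-xray-$XRAY_WRAPPER_VERSION.jar" "$TOOL_FOLDER/wrapper-xray.jar"` is relative, which is correct only because the link itself is created inside `$TOOL_FOLDER`; a short comment noting that would prevent someone "fixing" it back to an absolute path. `COPY --from=builder "$ARTIFACT_FOLDER" "$TOOL_FOLDER"` copies the directory contents, so only the versioned jar lands in `$TOOL_FOLDER` - fine, as long as both builder stages keep `$ARTIFACT_FOLDER` free of anything else.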
+++ b/sechub-pds-solutions/xray/docker/copy/README.adoc
@@ -0,0 +1,2 @@
+// SPDX-License-Identifier: MIT
+Place a single Xray-Wrapper Jar into this folder.
diff --git a/sechub-pds-solutions/xray/env b/sechub-pds-solutions/xray/env
index d8b1101c08..ec7da32d29 100644
--- a/sechub-pds-solutions/xray/env
+++ b/sechub-pds-solutions/xray/env
@@ -5,3 +5,13 @@ XRAY_ARTIFACTORY=change-me
 XRAY_DOCKER_REGISTRY=change-me
 XRAY_USERNAME=change-me
 XRAY_PASSWORD=change-me
+
+# The build type of the Xray-Wrapper
+# Possible values are:
+# - copy (copies jar into container)
+# - download (downloads the jar from github.com releases)
+BUILD_TYPE=download
+
+# The Xray Wrapper version to use
+# See: https://github.com/mercedes-benz/sechub/releases
+XRAY_WRAPPER_VERSION="1.0.0"
diff --git a/sechub-pds-solutions/xray/helm/pds-xray/LICENSE b/sechub-pds-solutions/xray/helm/pds-xray/LICENSE
index 486d271d72..2926a35b5f 100644
--- a/sechub-pds-solutions/xray/helm/pds-xray/LICENSE
+++ b/sechub-pds-solutions/xray/helm/pds-xray/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2023 Mercedes-Benz Tech Innovation TSS GmbH
+Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/sechub-solution/helm/sechub-server/Chart.yaml b/sechub-solution/helm/sechub-server/Chart.yaml
index 7438f7c508..4601374265 100644
--- a/sechub-solution/helm/sechub-server/Chart.yaml
+++ b/sechub-solution/helm/sechub-server/Chart.yaml
@@ -14,4 +14,5 @@ maintainers:
 # This is the chart version.
 # This version number should be incremented each time you make changes to the chart and its templates.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.2.0
+
+version: 1.3.0
\ No newline at end of file
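Review bot: `XRAY_WRAPPER_VERSION="1.0.0"` is the only quoted value in the env file - the new `BUILD_TYPE=download` and the existing `XRAY_*=change-me` entries are bare. If this file is ever read by a tool that keeps quotes literally (older docker compose `env_file` parsers do), the version becomes `"1.0.0"` and the release URL built in the Dockerfile no longer resolves; write `XRAY_WRAPPER_VERSION=1.0.0` unless the file is only ever `source`d by bash, which is not visible from this hunk.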
diff --git a/sechub-solution/helm/sechub-server/templates/deployment.yaml b/sechub-solution/helm/sechub-server/templates/deployment.yaml
index c23f67a7d0..35933f4548 100644
--- a/sechub-solution/helm/sechub-server/templates/deployment.yaml
+++ b/sechub-solution/helm/sechub-server/templates/deployment.yaml
@@ -414,6 +414,21 @@ spec:
               name: secret-pds-gosec
               key: techuser_password
 {{- end }}
+{{- if .Values.pdsIaC.enabled }}
+# ----------------------------------------------------------------------------------------------#
+# - Scope: PDS-IaC
+# --------------------------------------------------------------------------------------------- #
+        - name: SECHUB_PDS_IAC_USERID
+          valueFrom:
+            secretKeyRef:
+              name: secret-pds-iac
+              key: techuser_username
+        - name: SECHUB_PDS_IAC_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: secret-pds-iac
+              key: techuser_password
+{{- end }}
 {{- if .Values.pdsLoc.enabled }}
 # ----------------------------------------------------------------------------------------------#
 # - Scope: PDS-Loc
diff --git a/sechub-solution/setup-pds/executors/kics.json b/sechub-solution/setup-pds/executors/kics.json
new file mode 100644
index 0000000000..cc3957bdd4
--- /dev/null
+++ b/sechub-solution/setup-pds/executors/kics.json
@@ -0,0 +1,39 @@
+{
+  "name": "pds-kics",
+  "productIdentifier": "PDS_CODESCAN",
+  "executorVersion": 1,
+  "enabled": true,
+  "setup": {
+    "baseURL": "https://pds-iac:8444",
+    "credentials": {
+      "user": "techuser",
+      "password": "pds-apitoken"
+    },
+    "jobParameters": [
+      {
+        "key": "pds.config.productidentifier",
+        "value": "PDS_KICS"
+      },
+      {
+        "key": "pds.config.use.sechub.storage",
+        "value": false
+      },
+      {
+        "key": "pds.mocking.disabled",
+        "value": true
+      },
+      {
+        "key": "sechub.productexecutor.pds.timeout.minutes",
+        "value": 60
+      },
+      {
+        "key": "sechub.productexecutor.pds.timetowait.nextcheck.milliseconds",
+        "value": 500
+      },
+      {
+        "key": "sechub.productexecutor.pds.trustall.certificates",
+        "value": true
+      }
+    ]
+  }
+}
\ No newline at end of file
diff --git a/sechub-solution/setup-pds/setup-kics.sh b/sechub-solution/setup-pds/setup-kics.sh
new file mode 100755
index 0000000000..36fd204079
--- /dev/null
+++ b/sechub-solution/setup-pds/setup-kics.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: MIT
+
+declare -r SCRIPT_PARAMETERS=" "
+
+cd $(dirname "$0")
+source 8900-helper.sh
+source 8901-check-setup.sh
+
+check_sechub_server_setup "$0" "$SCRIPT_PARAMETERS"
+
+user="kicsuser"
+project="test-kics"
+executor_file_name="kics"
+profile="pds-kics"
+
+setup_project_user_executor_profile "$project" "$user" "$executor_file_name" "$profile"
+
+setup_complete_message_for_tool "kics" "$user" "$project"
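Review bot: `sechub.productexecutor.pds.trustall.certificates` is set to `true`, which turns off TLS certificate validation for the server-to-PDS connection, and `credentials.password` is the fixed token `pds-apitoken`; both are defensible for the local docker-compose setup this directory serves, but nothing in the file marks it as local-only and JSON gives no room for a comment. Since the executor is registered as-is by setup-kics.sh, record the local-only scope where it can be seen - in the setup-pds documentation or by carrying a `local` marker in the executor `name` - so the definition is not copied into a production server configuration with validation disabled. Whether the sibling executor files in this directory do the same is not visible in this chunk.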
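Review bot: `cd $(dirname "$0")` in setup-kics.sh is unquoted and unchecked, so a checkout path containing a space splits the argument and a failed cd silently sources `8900-helper.sh` from the wrong directory; write it as `cd "$(dirname "$0")" || exit 1`. The sibling setup scripts in this directory are not visible here, so if they share the same line the fix belongs in all of them.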