From 01e704feef162eb51e98ac5a4078e17b7f55ed4d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Dec 2023 14:42:06 +0000 Subject: [PATCH 01/16] Bump actions/upload-artifact from 3 to 4 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/documentation-build.yml | 4 ++-- .github/workflows/gradle.yml | 16 ++++++++-------- .github/workflows/publish-libraries.yml | 4 ++-- .../workflows/release-client-server-pds.yml | 18 +++++++++--------- .github/workflows/release-pds-tools.yml | 4 ++-- .../workflows/release-wrapper-checkmarx.yml | 4 ++-- .github/workflows/release-wrapper-owaspzap.yml | 4 ++-- .github/workflows/release-wrapper-xray.yml | 4 ++-- 8 files changed, 29 insertions(+), 29 deletions(-) diff --git a/.github/workflows/documentation-build.yml b/.github/workflows/documentation-build.yml index 000632bf9a..f9aa171a3c 100644 --- a/.github/workflows/documentation-build.yml +++ b/.github/workflows/documentation-build.yml @@ -74,14 +74,14 @@ jobs: # Upload documentation # ----------------------------------------- - name: Archive documentation HTML - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-docs-html path: sechub-doc/build/docs/final-html/ retention-days: 14 - name: Archive documentation PDF - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-docs-pdf path: sechub-doc/build/docs/asciidoc/*.pdf 
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml index e47cd4e133..4f3b4f4e16 100644 --- a/.github/workflows/gradle.yml +++ b/.github/workflows/gradle.yml @@ -72,7 +72,7 @@ jobs: # ----------------------------------------- - name: Archive combined test report if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: combined-sechub-testreport path: build/reports/combined-report @@ -80,7 +80,7 @@ jobs: - name: Archive sechub server artifacts if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-server path: sechub-server/build/libs @@ -88,21 +88,21 @@ jobs: - name: Archive pds server artifacts if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-pds path: sechub-pds/build/libs - name: Archive pds tools artifacts if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-pds-tools path: sechub-pds-tools/build/libs - name: Archive developer tools artifacts if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-developertools path: sechub-developertools/build/libs @@ -110,7 +110,7 @@ jobs: - name: Archive sechub client artifacts if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-client path: sechub-cli/build/go 
@@ -118,14 +118,14 @@ jobs: - name: Archive sechub integration test report artifacts if: always() - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: sechub-integrationtest-test-reports path: sechub-integrationtest/build/sechub-test-reports retention-days: 14 - name: Archive openAPI3 JSON files - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-api-spec path: sechub-doc/build/api-spec/ diff --git a/.github/workflows/publish-libraries.yml b/.github/workflows/publish-libraries.yml index eb954ebb50..66feda8335 100644 --- a/.github/workflows/publish-libraries.yml +++ b/.github/workflows/publish-libraries.yml @@ -55,14 +55,14 @@ jobs: # ----------------------------------------- - name: Archive combined test report if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: combined-sechub-testreport path: build/reports/combined-report retention-days: 14 - name: Archive GIT status if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: git-status.txt path: build/reports/git-status.txt diff --git a/.github/workflows/release-client-server-pds.yml b/.github/workflows/release-client-server-pds.yml index ca8afe445f..33b8f61791 100644 --- a/.github/workflows/release-client-server-pds.yml +++ b/.github/workflows/release-client-server-pds.yml @@ -200,7 +200,7 @@ jobs: # ----------------------------------------- - name: Archive combined test report if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: combined-sechub-testreport path: build/reports/combined-report 
@@ -208,7 +208,7 @@ jobs: - name: Archive GIT status if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: git-status.txt path: build/reports/git-status.txt @@ -216,7 +216,7 @@ jobs: - name: Archive sechub server artifacts if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-server path: sechub-server/build/libs @@ -224,14 +224,14 @@ jobs: - name: Archive pds server artifacts if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-pds path: sechub-pds/build/libs - name: Archive developer tools artifacts if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-developertools path: sechub-developertools/build/libs @@ -239,7 +239,7 @@ jobs: - name: Archive sechub client artifacts if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-client path: sechub-cli/build/go 
@@ -258,21 +258,21 @@ jobs: # Upload documentation # ----------------------------------------- - name: Archive documentation HTML - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-docs-html path: sechub-doc/build/docs/final-html/ retention-days: 14 - name: Archive documentation PDF - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-docs-pdf path: sechub-doc/build/docs/asciidoc/*.pdf retention-days: 14 - name: Archive openAPI3 JSON files - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-api-spec path: sechub-doc/build/api-spec/ diff --git a/.github/workflows/release-pds-tools.yml b/.github/workflows/release-pds-tools.yml index c2d5049be8..9799229aad 100644 --- a/.github/workflows/release-pds-tools.yml +++ b/.github/workflows/release-pds-tools.yml @@ -111,7 +111,7 @@ jobs: - name: Archive GIT status if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: git-status.txt path: build/reports/git-status.txt @@ -119,7 +119,7 @@ jobs: - name: Archive PDS-Tools cli artifact if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-pds-tools path: sechub-pds-tools/build/libs diff --git a/.github/workflows/release-wrapper-checkmarx.yml b/.github/workflows/release-wrapper-checkmarx.yml index 41a12913d0..01ee037518 100644 --- a/.github/workflows/release-wrapper-checkmarx.yml +++ b/.github/workflows/release-wrapper-checkmarx.yml 
@@ -99,7 +99,7 @@ jobs: - name: Archive GIT status if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: git-status.txt path: build/reports/git-status.txt @@ -107,7 +107,7 @@ jobs: - name: Archive Checkmarx Wrapper libs directory if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-wrapper-checkmarx path: sechub-wrapper-checkmarx/build/libs diff --git a/.github/workflows/release-wrapper-owaspzap.yml b/.github/workflows/release-wrapper-owaspzap.yml index 84488d24d9..5ebd58693c 100644 --- a/.github/workflows/release-wrapper-owaspzap.yml +++ b/.github/workflows/release-wrapper-owaspzap.yml @@ -100,7 +100,7 @@ jobs: - name: Archive GIT status if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: git-status.txt path: build/reports/git-status.txt @@ -108,7 +108,7 @@ jobs: - name: Archive OWASP-ZAP Wrapper libs directory if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-wrapper-owasp-zap path: sechub-wrapper-owasp-zap/build/libs diff --git a/.github/workflows/release-wrapper-xray.yml b/.github/workflows/release-wrapper-xray.yml index 240aa3ffd0..620118f6ec 100644 --- a/.github/workflows/release-wrapper-xray.yml +++ b/.github/workflows/release-wrapper-xray.yml @@ -99,7 +99,7 @@ jobs: - name: Archive GIT status if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: git-status.txt path: build/reports/git-status.txt 
@@ -107,7 +107,7 @@ jobs: - name: Archive Xray Wrapper libs directory if: always() - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-wrapper-xray path: sechub-wrapper-xray/build/libs From a410a6481d5167baf2fe8027e4f7f9a07da6ca4d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Dec 2023 14:42:31 +0000 Subject: [PATCH 02/16] Bump gradle/gradle-build-action from 2.9.0 to 2.11.1 Bumps [gradle/gradle-build-action](https://github.com/gradle/gradle-build-action) from 2.9.0 to 2.11.1. - [Release notes](https://github.com/gradle/gradle-build-action/releases) - [Commits](https://github.com/gradle/gradle-build-action/compare/842c587ad8aa4c68eeba24c396e15af4c2e9f30a...982da8e78c05368c70dac0351bb82647a9e9a5d2) --- updated-dependencies: - dependency-name: gradle/gradle-build-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/documentation-build.yml | 2 +- .github/workflows/gradle.yml | 2 +- .github/workflows/publish-libraries.yml | 2 +- .github/workflows/release-client-server-pds.yml | 2 +- .github/workflows/release-pds-tools.yml | 2 +- .github/workflows/release-wrapper-checkmarx.yml | 2 +- .github/workflows/release-wrapper-owaspzap.yml | 2 +- .github/workflows/release-wrapper-xray.yml | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/documentation-build.yml b/.github/workflows/documentation-build.yml index 000632bf9a..39a44dcc36 100644 --- a/.github/workflows/documentation-build.yml +++ b/.github/workflows/documentation-build.yml @@ -43,7 +43,7 @@ jobs: distribution: temurin - name: Set up Gradle - uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a + uses: gradle/gradle-build-action@982da8e78c05368c70dac0351bb82647a9e9a5d2 with: cache-read-only: false 
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml index e47cd4e133..387619bd4f 100644 --- a/.github/workflows/gradle.yml +++ b/.github/workflows/gradle.yml @@ -28,7 +28,7 @@ jobs: distribution: temurin - name: Set up Gradle - uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a + uses: gradle/gradle-build-action@982da8e78c05368c70dac0351bb82647a9e9a5d2 with: cache-read-only: false diff --git a/.github/workflows/publish-libraries.yml b/.github/workflows/publish-libraries.yml index eb954ebb50..20f2e48e2a 100644 --- a/.github/workflows/publish-libraries.yml +++ b/.github/workflows/publish-libraries.yml @@ -34,7 +34,7 @@ jobs: distribution: temurin - name: Set up Gradle - uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a + uses: gradle/gradle-build-action@982da8e78c05368c70dac0351bb82647a9e9a5d2 with: cache-read-only: false diff --git a/.github/workflows/release-client-server-pds.yml b/.github/workflows/release-client-server-pds.yml index ca8afe445f..4f7867c2c8 100644 --- a/.github/workflows/release-client-server-pds.yml +++ b/.github/workflows/release-client-server-pds.yml @@ -94,7 +94,7 @@ jobs: distribution: temurin - name: Set up Gradle - uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a + uses: gradle/gradle-build-action@982da8e78c05368c70dac0351bb82647a9e9a5d2 with: cache-read-only: false diff --git a/.github/workflows/release-pds-tools.yml b/.github/workflows/release-pds-tools.yml index c2d5049be8..8203a70fa3 100644 --- a/.github/workflows/release-pds-tools.yml +++ b/.github/workflows/release-pds-tools.yml @@ -52,7 +52,7 @@ jobs: distribution: temurin - name: Set up Gradle - uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a + uses: gradle/gradle-build-action@982da8e78c05368c70dac0351bb82647a9e9a5d2 with: cache-read-only: false 
diff --git a/.github/workflows/release-wrapper-checkmarx.yml b/.github/workflows/release-wrapper-checkmarx.yml index 41a12913d0..af1a24f830 100644 --- a/.github/workflows/release-wrapper-checkmarx.yml +++ b/.github/workflows/release-wrapper-checkmarx.yml @@ -42,7 +42,7 @@ jobs: distribution: temurin - name: Set up Gradle - uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a + uses: gradle/gradle-build-action@982da8e78c05368c70dac0351bb82647a9e9a5d2 with: cache-read-only: false diff --git a/.github/workflows/release-wrapper-owaspzap.yml b/.github/workflows/release-wrapper-owaspzap.yml index 84488d24d9..9b446c229a 100644 --- a/.github/workflows/release-wrapper-owaspzap.yml +++ b/.github/workflows/release-wrapper-owaspzap.yml @@ -43,7 +43,7 @@ jobs: distribution: temurin - name: Set up Gradle - uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a + uses: gradle/gradle-build-action@982da8e78c05368c70dac0351bb82647a9e9a5d2 with: cache-read-only: false diff --git a/.github/workflows/release-wrapper-xray.yml b/.github/workflows/release-wrapper-xray.yml index 240aa3ffd0..4376431ac7 100644 --- a/.github/workflows/release-wrapper-xray.yml +++ b/.github/workflows/release-wrapper-xray.yml @@ -42,7 +42,7 @@ jobs: distribution: temurin - name: Set up Gradle - uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a + uses: gradle/gradle-build-action@982da8e78c05368c70dac0351bb82647a9e9a5d2 with: cache-read-only: false From ef9355945e689b57101cefc378a6f93923d82f54 Mon Sep 17 00:00:00 2001 From: Sven Dolderer Date: Wed, 20 Dec 2023 16:03:36 +0100 Subject: [PATCH 03/16] gradle call improved #2762 --- .github/workflows/release-wrapper-xray.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-wrapper-xray.yml b/.github/workflows/release-wrapper-xray.yml index 240aa3ffd0..f8cc25a606 100644 --- a/.github/workflows/release-wrapper-xray.yml 
+++ b/.github/workflows/release-wrapper-xray.yml @@ -86,7 +86,7 @@ jobs: # Build SecHub Xray Wrapper # ----------------------------------------- - name: Build Xray Wrapper - run: ./gradlew :sechub-wrapper-xray + run: ./gradlew :sechub-wrapper-xray:buildWrapperXray # ----------------------------------------- # Upload build artifacts From 06537a8892efbf982ee952a2f441ab4eb1eaa497 Mon Sep 17 00:00:00 2001 From: Sven Dolderer Date: Thu, 21 Dec 2023 10:53:52 +0100 Subject: [PATCH 04/16] correct company name --- sechub-pds-solutions/xray/helm/pds-xray/LICENSE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sechub-pds-solutions/xray/helm/pds-xray/LICENSE b/sechub-pds-solutions/xray/helm/pds-xray/LICENSE index 486d271d72..2926a35b5f 100644 --- a/sechub-pds-solutions/xray/helm/pds-xray/LICENSE +++ b/sechub-pds-solutions/xray/helm/pds-xray/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2023 Mercedes-Benz Tech Innovation TSS GmbH +Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal From b59dbf5d15b3fcca1212b739d0662f4b2d450ed3 Mon Sep 17 00:00:00 2001 From: Sven Dolderer Date: Thu, 21 Dec 2023 11:29:30 +0100 Subject: [PATCH 05/16] yaml template coding convention updated #2774 --- .../techdoc/03_coding_conventions.adoc | 22 ++++++++++--------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/sechub-doc/src/docs/asciidoc/documents/techdoc/03_coding_conventions.adoc b/sechub-doc/src/docs/asciidoc/documents/techdoc/03_coding_conventions.adoc index 13244ab720..152eace5ca 100644 --- a/sechub-doc/src/docs/asciidoc/documents/techdoc/03_coding_conventions.adoc +++ b/sechub-doc/src/docs/asciidoc/documents/techdoc/03_coding_conventions.adoc 
@@ -87,8 +87,11 @@ pds: ---- ==== Templates -When we define YAML templates - e.g. for HELM charts - the template statement shall -start at the first column without indention. +When defining YAML templates - e.g. for HELM charts + +- a template statement (e.g. `- if` or `- end`) shall start at the first column without indention +- nested template statements shall be indented (see example below) +- place inserted values indented like normal YAML. (Use `| trim` if appropriate) .Example [source,yaml] @@ -99,19 +102,18 @@ start at the first column without indention. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: {{ .Chart.Name }}-policy + name: {{ .Chart.Name }}-policy spec: - podSelector: - matchLabels: - name: {{ .Chart.Name }} + podSelector: + matchLabels: + name: {{ .Chart.Name }} -{{- if .Values.networkPolicy.ingress }} - ingress: -{{ .Values.networkPolicy.ingress | toYaml | indent 4 }} + {{- if .Values.networkPolicy.ingress }} + ingress: + {{ .Values.networkPolicy.ingress | toYaml | indent 4 | trim }} {{- end }} {{- end }} - ---- From 167c71d612f24f654663bb1ea58ad50cc902df3c Mon Sep 17 00:00:00 2001 
From: haerter-tss <98736006+haerter-tss@users.noreply.github.com> Date: Fri, 22 Dec 2023 08:17:59 +0100 Subject: [PATCH 06/16] Adds IaC / KICS pds-solution (#2770) * Initial pds kics draft * Removed sechub.json; corrected assets * Updated pds base image version * Fixed kics.sh & kics_mock.sh location * Fixed dockerfile; Added IaC to deployment.yaml * Fixed readme * Added script that extends default CWE * Fix for location in report * Fixed mocked results * Update README.adoc * Update sechub-pds-solutions/iac/helm/pds-iac/Chart.yaml Co-authored-by: Sven <59958584+sven-dmlr@users.noreply.github.com> * Various requested fixes * Apply suggestions from code review Co-authored-by: Sven <59958584+sven-dmlr@users.noreply.github.com> * Added git branch for kics * Removed false url * Fixed indentation --------- Co-authored-by: Sven <59958584+sven-dmlr@users.noreply.github.com> --- .../iac/01-start-single-docker-compose.sh | 20 + ...rt-single-sechub-network-docker-compose.sh | 20 + ...op-single-sechub-network-docker-compose.sh | 6 + sechub-pds-solutions/iac/10-create-image.sh | 60 + sechub-pds-solutions/iac/20-push-image.sh | 5 + .../iac/50-start-multiple-docker-compose.sh | 29 + ...-multiple-object-storage-docker-compose.sh | 30 + sechub-pds-solutions/iac/README.adoc | 421 +++++++ .../iac/docker-compose_pds_iac.yaml | 23 + .../iac/docker-compose_pds_iac_cluster.yaml | 50 + ...ompose_pds_iac_cluster_object_storage.yaml | 69 + ...cker-compose_pds_iac_external-network.yaml | 24 + .../iac/docker/IaC-Debian.dockerfile | 120 ++ .../iac/docker/mocks/kics-mock.sarif.json | 1106 +++++++++++++++++ .../iac/docker/pds-config.json | 18 + .../iac/docker/scripts/kics.sh | 93 ++ .../iac/docker/scripts/kics_mock.sh | 6 + sechub-pds-solutions/iac/env | 4 + sechub-pds-solutions/iac/env-database | 9 + .../iac/helm/pds-iac/.helmignore | 25 + .../iac/helm/pds-iac/Chart.yaml | 16 + sechub-pds-solutions/iac/helm/pds-iac/LICENSE | 21 + .../iac/helm/pds-iac/README.md | 4 + 
.../helm/pds-iac/templates/deployment.yaml | 124 ++ .../helm/pds-iac/templates/networkpolicy.yaml | 18 + .../iac/helm/pds-iac/templates/service.yaml | 13 + .../iac/helm/pds-iac/values.yaml | 78 ++ sechub-solution/helm/sechub-server/Chart.yaml | 3 +- .../sechub-server/templates/deployment.yaml | 15 + sechub-solution/setup-pds/executors/kics.json | 39 + sechub-solution/setup-pds/setup-kics.sh | 19 + 31 files changed, 2487 insertions(+), 1 deletion(-) create mode 100755 sechub-pds-solutions/iac/01-start-single-docker-compose.sh create mode 100755 sechub-pds-solutions/iac/05-start-single-sechub-network-docker-compose.sh create mode 100755 sechub-pds-solutions/iac/05-stop-single-sechub-network-docker-compose.sh create mode 100755 sechub-pds-solutions/iac/10-create-image.sh create mode 100755 sechub-pds-solutions/iac/20-push-image.sh create mode 100755 sechub-pds-solutions/iac/50-start-multiple-docker-compose.sh create mode 100755 sechub-pds-solutions/iac/51-start-multiple-object-storage-docker-compose.sh create mode 100644 sechub-pds-solutions/iac/README.adoc create mode 100644 sechub-pds-solutions/iac/docker-compose_pds_iac.yaml create mode 100644 sechub-pds-solutions/iac/docker-compose_pds_iac_cluster.yaml create mode 100644 sechub-pds-solutions/iac/docker-compose_pds_iac_cluster_object_storage.yaml create mode 100644 sechub-pds-solutions/iac/docker-compose_pds_iac_external-network.yaml create mode 100644 sechub-pds-solutions/iac/docker/IaC-Debian.dockerfile create mode 100644 sechub-pds-solutions/iac/docker/mocks/kics-mock.sarif.json create mode 100644 sechub-pds-solutions/iac/docker/pds-config.json create mode 100755 sechub-pds-solutions/iac/docker/scripts/kics.sh create mode 100755 sechub-pds-solutions/iac/docker/scripts/kics_mock.sh create mode 100644 sechub-pds-solutions/iac/env create mode 100644 sechub-pds-solutions/iac/env-database create mode 100644 sechub-pds-solutions/iac/helm/pds-iac/.helmignore create mode 100644 
sechub-pds-solutions/iac/helm/pds-iac/Chart.yaml
 create mode 100644 sechub-pds-solutions/iac/helm/pds-iac/LICENSE
 create mode 100644 sechub-pds-solutions/iac/helm/pds-iac/README.md
 create mode 100644 sechub-pds-solutions/iac/helm/pds-iac/templates/deployment.yaml
 create mode 100644 sechub-pds-solutions/iac/helm/pds-iac/templates/networkpolicy.yaml
 create mode 100644 sechub-pds-solutions/iac/helm/pds-iac/templates/service.yaml
 create mode 100644 sechub-pds-solutions/iac/helm/pds-iac/values.yaml
 create mode 100644 sechub-solution/setup-pds/executors/kics.json
 create mode 100755 sechub-solution/setup-pds/setup-kics.sh
diff --git a/sechub-pds-solutions/iac/01-start-single-docker-compose.sh b/sechub-pds-solutions/iac/01-start-single-docker-compose.sh
new file mode 100755
index 0000000000..e638f901cb
--- /dev/null
+++ b/sechub-pds-solutions/iac/01-start-single-docker-compose.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: MIT
+
+cd $(dirname "$0")
+source "../../sechub-solutions-shared/scripts/9999-env-file-helper.sh"
+
+ENVIRONMENT_FILES_FOLDER="../shared/environment"
+ENVIRONMENT_FILE=".env-single"
+
+# Only variables from .env can be used in the Docker-Compose file
+# all other variables are only available in the container
+setup_environment_file ".env" "env" "$ENVIRONMENT_FILES_FOLDER/env-base-image"
+setup_environment_file "$ENVIRONMENT_FILE" "$ENVIRONMENT_FILES_FOLDER/env-base"
+
+# Use Docker BuildKit
+export BUILDKIT_PROGRESS=plain
+export DOCKER_BUILDKIT=1
+
+echo "Starting single container."
+docker compose --file docker-compose_pds_iac.yaml up --build --remove-orphans
diff --git a/sechub-pds-solutions/iac/05-start-single-sechub-network-docker-compose.sh b/sechub-pds-solutions/iac/05-start-single-sechub-network-docker-compose.sh
new file mode 100755
index 0000000000..b17b8b2132
--- /dev/null
+++ b/sechub-pds-solutions/iac/05-start-single-sechub-network-docker-compose.sh
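Review bot: `cd $(dirname "$0")` on line 4 of the new 01-start-single-docker-compose.sh leaves the command substitution unquoted and ignores a failure, so a path containing spaces or an unreadable directory lets the following `source` and `docker compose` run from the caller's working directory instead of aborting; `05-stop-single-sechub-network-docker-compose.sh` in the same commit already spells it `cd "$(dirname "$0")" || exit 1`, and that form should be used here. The same unchecked `cd` appears in `05-start-single-sechub-network-docker-compose.sh`, `50-start-multiple-docker-compose.sh` and `51-start-multiple-object-storage-docker-compose.sh`, while `10-create-image.sh` and `20-push-image.sh` use the older backtick form with an unquoted `$0`. The `source` of `9999-env-file-helper.sh` on line 5 is likewise unchecked, and since the script does not set `-e`, a failed source would leave `setup_environment_file` undefined yet still reach the `docker compose ... up --build` call.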
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: MIT
+
+cd $(dirname "$0")
+source "../../sechub-solutions-shared/scripts/9999-env-file-helper.sh"
+
+ENVIRONMENT_FILES_FOLDER="../shared/environment"
+ENVIRONMENT_FILE=".env-single"
+
+# Only variables from .env can be used in the Docker-Compose file
+# all other variables are only available in the container
+setup_environment_file ".env" "env"
+setup_environment_file "$ENVIRONMENT_FILE" "$ENVIRONMENT_FILES_FOLDER/env-base"
+
+# Use Docker BuildKit
+export BUILDKIT_PROGRESS=plain
+export DOCKER_BUILDKIT=1
+
+echo "Starting single container."
+docker compose --file docker-compose_pds_iac_external-network.yaml up --build --remove-orphans
diff --git a/sechub-pds-solutions/iac/05-stop-single-sechub-network-docker-compose.sh b/sechub-pds-solutions/iac/05-stop-single-sechub-network-docker-compose.sh
new file mode 100755
index 0000000000..4ee567a933
--- /dev/null
+++ b/sechub-pds-solutions/iac/05-stop-single-sechub-network-docker-compose.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: MIT
+
+cd "$(dirname "$0")" || exit 1
+
+docker compose --file docker-compose_pds_iac_external-network.yaml down --remove-orphans
\ No newline at end of file
diff --git a/sechub-pds-solutions/iac/10-create-image.sh b/sechub-pds-solutions/iac/10-create-image.sh
new file mode 100755
index 0000000000..9aa0b62a4f
--- /dev/null
+++ b/sechub-pds-solutions/iac/10-create-image.sh
@@ -0,0 +1,60 @@ +#!/usr/bin/env bash +# SPDX-License-Identifier: MIT + +cd `dirname $0` + +REGISTRY="$1" +VERSION="$2" +BASE_IMAGE="$3" + +usage() { + cat - < +Builds a docker image of SecHub PDS with IaC +for with tag . +Required: ; for example ghcr.io/mercedes-benz/sechub/pds-base:v0.32.1 + +Additionally these environment variables can be defined: +- IAC_VERSION - IaC version to use. E.g. 2.9.5 +EOF +} + +FAILED=false +if [[ -z "$REGISTRY" ]] ; then + echo "Please provide a docker registry server as 1st parameter." + FAILED=true +fi + +if [[ -z "$VERSION" ]] ; then + echo "Please provide a version for the container as 2nd parameter." + FAILED=true +fi + +if [[ -z "$BASE_IMAGE" ]]; then + echo "Please provide a base image as 3rd parameter." + FAILED=true +fi + +if $FAILED ; then + usage + exit 1 +fi + +BUILD_ARGS="--build-arg BASE_IMAGE=$BASE_IMAGE" +echo ">> Base image: $BASE_IMAGE" + +if [[ ! -z "$IAC_VERSION" ]] ; then + echo ">> IaC version: $IAC_VERSION" + BUILD_ARGS="$BUILD_ARGS --build-arg IAC_VERSION=$IAC_VERSION" +fi + +# Use Docker BuildKit +export BUILDKIT_PROGRESS=plain +export DOCKER_BUILDKIT=1 + +echo "docker build --pull --no-cache $BUILD_ARGS --tag "$REGISTRY:$VERSION" --file docker/IaC-Debian.dockerfile docker/" +docker build --pull --no-cache $BUILD_ARGS \ + --tag "$REGISTRY:$VERSION" \ + --file docker/IaC-Debian.dockerfile docker/ +docker tag "$REGISTRY:$VERSION" "$REGISTRY:latest" diff --git a/sechub-pds-solutions/iac/20-push-image.sh b/sechub-pds-solutions/iac/20-push-image.sh new file mode 100755 index 0000000000..01695ddd57 --- /dev/null +++ b/sechub-pds-solutions/iac/20-push-image.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +# SPDX-License-Identifier: MIT + +cd `dirname $0` +../../sechub-solutions-shared/scripts/20-push-image.sh "$1" "$2" "$3" diff --git a/sechub-pds-solutions/iac/50-start-multiple-docker-compose.sh b/sechub-pds-solutions/iac/50-start-multiple-docker-compose.sh new file mode 100755 index 0000000000..c51c246d5d --- /dev/null 
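Review bot: `BASE_IMAGE` (third parameter of 10-create-image.sh, passed through `BUILD_ARGS` and resolved by `docker build --pull`) is only checked for being non-empty, and the usage example `ghcr.io/mercedes-benz/sechub/pds-base:v0.32.1` is a mutable tag, so the same three arguments can produce a different PDS image on a later run; the usage text should state that a digest-pinned reference (`<image>@sha256:<digest>`, placeholder) is accepted and preferred for release builds. `IAC_VERSION` is likewise interpolated into a build arg with no format check, and `if [[ ! -z "$IAC_VERSION" ]] ; then` reads better as `if [[ -n "$IAC_VERSION" ]]; then`. The `usage()` heredoc appears here as `cat - <` with the parameter placeholders missing, which looks like a rendering artefact rather than the committed text, but it is worth confirming that the heredoc marker and placeholders are intact since the closing `EOF` line is present. The echoed command on the `echo "docker build ..."` line nests `"$REGISTRY:$VERSION"` inside an outer double-quoted string; it works because the inner quotes close and reopen the outer string, but single quotes around the inner reference would make the intent obvious.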
+++ b/sechub-pds-solutions/iac/50-start-multiple-docker-compose.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: MIT
+
+REPLICAS="$1"
+
+cd $(dirname "$0")
+source "../../sechub-solutions-shared/scripts/9999-env-file-helper.sh"
+
+ENVIRONMENT_FILES_FOLDER="../shared/environment"
+ENVIRONMENT_FILE=".env-cluster"
+
+# Only variables from .env can be used in the Docker-Compose file
+# all other variables are only available in the container
+setup_environment_file ".env" "env"
+setup_environment_file "$ENVIRONMENT_FILE" "$ENVIRONMENT_FILES_FOLDER/env-base" "$ENVIRONMENT_FILES_FOLDER/env-cluster" "env-database"
+
+if [[ -z "$REPLICAS" ]]
+then
+ echo "Starting single container."
+ REPLICAS=1
+else
+ echo "Starting cluster of $REPLICAS containers."
+fi
+
+# Use Docker BuildKit
+export BUILDKIT_PROGRESS=plain
+export DOCKER_BUILDKIT=1
+
+docker compose --file docker-compose_pds_iac_cluster.yaml up --scale pds-iac=$REPLICAS --build --remove-orphans
diff --git a/sechub-pds-solutions/iac/51-start-multiple-object-storage-docker-compose.sh b/sechub-pds-solutions/iac/51-start-multiple-object-storage-docker-compose.sh
new file mode 100755
index 0000000000..4a01c37e8b
--- /dev/null
+++ b/sechub-pds-solutions/iac/51-start-multiple-object-storage-docker-compose.sh
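Review bot: `REPLICAS` is copied from `$1` in 50-start-multiple-docker-compose.sh and only tested with `-z` before being expanded unquoted into `--scale pds-iac=$REPLICAS`, so a non-numeric or multi-word argument is handed straight to `docker compose` and the resulting error comes from compose rather than from the script. After the `if/else` block add `if [[ ! "$REPLICAS" =~ ^[1-9][0-9]*$ ]]; then echo "Replica count must be a positive integer: $REPLICAS"; exit 1; fi` and quote the expansion as `--scale "pds-iac=$REPLICAS"`. `51-start-multiple-object-storage-docker-compose.sh` in the next hunk has the identical pattern and additionally ends without a trailing newline.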
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: MIT
+
+REPLICAS="$1"
+
+cd $(dirname "$0")
+source "../../sechub-solutions-shared/scripts/9999-env-file-helper.sh"
+
+ENVIRONMENT_FILES_FOLDER="../shared/environment"
+ENVIRONMENT_FILE=".env-cluster-object-storage"
+
+# Only variables from .env can be used in the Docker-Compose file
+# all other variables are only available in the container
+setup_environment_file ".env" "env"
+setup_environment_file "$ENVIRONMENT_FILE" "$ENVIRONMENT_FILES_FOLDER/env-base" "$ENVIRONMENT_FILES_FOLDER/env-cluster" "$ENVIRONMENT_FILES_FOLDER/env-object-storage" "env-database"
+
+
+if [[ -z "$REPLICAS" ]]
+then
+ echo "Starting single container."
+ REPLICAS=1
+else
+ echo "Starting cluster of $REPLICAS containers."
+fi
+
+# Use Docker BuildKit
+export BUILDKIT_PROGRESS=plain
+export DOCKER_BUILDKIT=1
+
+docker compose --file docker-compose_pds_iac_cluster_object_storage.yaml up --scale pds-iac=$REPLICAS --build --remove-orphans
\ No newline at end of file
diff --git a/sechub-pds-solutions/iac/README.adoc b/sechub-pds-solutions/iac/README.adoc
new file mode 100644
index 0000000000..b85af7dc4e
--- /dev/null
+++ b/sechub-pds-solutions/iac/README.adoc
@@ -0,0 +1,421 @@ +// SPDX-License-Identifier: MIT + +:toc: +:numbered: + += IaC + PDS + +Infrastructure as Code (IaC) is the practice of defining and managing computing infrastructure using code, which enables developers to automate the creation, configuration, and management of infrastructure resources. By combining IaC with the SecHub https://mercedes-benz.github.io/sechub/latest/sechub-product-delegation-server.html[Product Delegation Server (PDS)] in a container, IaC can be used with SecHub. Another scenario is to use IaC+PDS standalone. + +The combination of IaC and PDS makes it possible to run both inside a Kubernetes cluser or virtual machines. + +This folder contains the necessary scripts to run IaC+PDS inside a container locally. Additionally, it contains scripts to build and push the PDS + IaC container to your container registry and a Helm chart to install and run IaC+PDS in a Kubernetes cluster. + +== Currently used tools +=== KICS +https://github.com/Checkmarx/kics[KICS] is a free and open source IaC commandline scanning tool + +== Run Locally + +This is the easiest way to get started. + +=== Requirements + +Docker and Docker-Compose need to be installed: + +. https://docs.docker.com/engine/install/[Install Docker] + +. Linux: https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user[Use Docker as non Root user] + +. https://docs.docker.com/compose/install/[Install Docker-Compose] + +=== Single Instance + +Start a single instance by using the Bash wrapper script which does setup everything <<_automatic,automatically>> for you. + +==== Scan script + +The folder contains a start script which does the <<_manually, manual>> steps for you: + +---- +./01-start-docker-compose.sh +---- + +==== Together with SecHub + +The container will be started and attached to the `sechub` Network. + +WARNING: Make sure the SecHub container is running. + +. 
Start container: ++ +---- +./05-start-single-sechub-network-docker-compose.sh +---- + +=== Scan + +The steps required to scan with the PDS. Scan manually if you are new to the PDS. Use the script, if you are tired of typing the same commands over and over again. + +==== Scan Script + +It is recommended to start with a manual <<_scan>> the first time using the PDS. However, after some time typing in the commands becomes very tedious. To improve on the experience you can scan using this script. + +. Set the environment variables ++ +---- +export PDS_SERVER=https://: +export PDS_USERID=admin +export PDS_APITOKEN="" +export PDS_PRODUCT_IDENTFIER=PDS_KICS +---- ++ +For example: ++ +---- +export PDS_SERVER=https://localhost:8444 +export PDS_USERID=admin +export PDS_APITOKEN="pds-apitoken" +export PDS_PRODUCT_IDENTFIER=PDS_KICS +---- ++ +[NOTE] +Those values are the default values from `env-initial` and `env-cluster-initial` files. In case you run PDS+IaC in Kubernetes or other environments those values will be different. + +. Scan by providing a `ZIP` folder with Go source code. ++ +---- +cd ../shared/ +./01-test.sh +---- ++ +For example: ++ +---- +cd ../shared/ +./01-test.sh ~/myproject.zip +---- + +=== Cluster + +The cluster is created locally via `docker-compose`. + +==== Shared Volume + +The cluster uses a shared volume defined in `docker-compose`. Docker allows to create volumes which can be used by multiple instances to upload files to. Reading, extracting and analysing the files is done in the IaC+PDS container. + +The cluster consists of a PostgreSQL database, a Nginx loadbalancer and one or more PDS server. 
+ +image::../shared/media/cluster_shared_volume.svg[Components of cluster with shared volume] + +===== Start Script + +Starting several IaC+PDS instances: + +---- +./50-start-multiple-docker-compose.sh +---- + +Example of starting 3 IaC+PDS instances: + +---- +./50-start-multiple-docker-compose.sh 3 +---- + +==== Object Storage + +The cluster uses an object storage to store files. The cluster uses https://github.com/chrislusf/seaweedfs[SeaweedFS] (S3 compatible) to store files. The PDS instance(s) use the object storage to upload files to. Reading, extracting and analysing the files is done in the IaC+PDS container. + +The cluster consists of a PostgreSQL database, a Nginx loadbalancer, a SeaweedFS object storage and one or more PDS server. + +image::../shared/media/cluster_object_storage.svg[Components of cluster with object storage] + +===== Start Script + +Starting several IaC+PDS instances + +---- +./51-start-multiple-object-storage-docker-compose.sh +---- + +Example of starting 3 IaC+PDS instances + +---- +./51-start-multiple-object-storage-docker-compose.sh 3 +---- + +=== Change the Configuration + +There are several configuration options available for the IaC+PDS `docker-compose` files. Have a look at `env-example` for more details. + +=== Troubleshooting + +This section contains information about how to troubleshoot IaC+PDS if something goes wrong. + +==== Access the container + +---- +docker exec -it pds-iac bash +---- + +==== Java Application Remote Debugging of PDS + +. Set `JAVA_ENABLE_DEBUG=true` in the `.env` file + +. Connect via remote debugging to the `pds` ++ +connect via CLI ++ +---- +jdb -attach localhost:15024 +---- ++ +TIP: https://www.baeldung.com/java-application-remote-debugging[Java Application Remote Debugging] and https://www.tutorialspoint.com/jdb/jdb_basic_commands.htm[JDB - Basic Commands] ++ +or connect via IDE (e. g. Eclipse IDE, VSCodium, Eclipse Theia, IntelliJ etc.). 
++ +TIP: https://www.eclipse.org/community/eclipse_newsletter/2017/june/article1.php[Debugging the Eclipse IDE for Java Developers] + +== Build Image and Push to Registry + +Build container images and push them to registry to run IaC+PDS on virtual machines, Kubernetes or any other distributed system. + +=== Build Image + +Build the container image. + +==== Build + +. Using the default image: ++ +---- +./10-create-image.sh my.registry.example.org/sechub/pds_iac v0.1 +---- + +. Using your own base image: ++ +---- +./10-create-image.sh my.registry.example.org/sechub/pds_iac v0.1 "my.registry.example.org/debian:11-slim" +---- + +=== Push Image to Registry + +Push the container image to a registry. + +* Push the version tag only ++ +---- +./20-push-image.sh my.registry.example.org/sechub/pds_iac v0.1 +---- + +* Push the version and `latest` tags ++ +---- +./20-push-image.sh my.registry.example.org/sechub/pds_iac v0.1 yes +---- + +== Kubernetes + +https://kubernetes.io/[Kubernetes] is an open-source container-orchestration system. This sections explains how to deploy and run PDS+IaC in Kubernetes. + +=== Helm + +https://helm.sh/[Helm] is a package manager for Kubernetes. + +==== Requierments + +* https://helm.sh/docs/intro/install/[Helm] installed +* `pds_iac` image pushed to registry + +==== Installation + +. 
Create a `myvalues.yaml` configuration file ++ +A minimal example configuration file with one instance: ++ +[source,yaml] +---- +replicaCount: 1 + +image: + registry: my.registry.example.org/sechub/pds_iac + tag: latest + +pds: + startMode: localserver + +users: + admin: + id: "admin" + apiToken: "{noop}" + technical: + id: "techuser" + apiToken: "{noop}" + +storage: + local: + enabled: true + +networkPolicy: + enabled: true + ingress: + - from: + - podSelector: + matchLabels: + name: sechub-server + - podSelector: + matchLabels: + name: sechub-adminserver +---- ++ +An example configuration file with 3 replicas, postgresql and object storage: ++ +[source,yaml] +---- +replicaCount: 3 + +image: + registry: my.registry.example.org/sechub/pds_iac + tag: latest + +pds: + startMode: localserver + keepContainerAliveAfterPDSCrashed: true + +users: + admin: + id: "admin" + apiToken: "{noop}" + technical: + id: "techuser" + apiToken: "{noop}" + + +database: + postgres: + enabled: true + connection: "jdbc:postgresql://:/" + username: "" + password: "" + +storage: + local: + enabled: false + s3: + enabled: true + endpoint: "https://:443" + bucketname: "" + accesskey: "" + secretkey: "" + +networkPolicy: + enabled: true + ingress: + - from: + - podSelector: + matchLabels: + name: sechub-server + - podSelector: + matchLabels: + name: sechub-adminserver +---- ++ +[TIP] +To generate passwords use `tr -dc A-Za-z0-9 install…` to install the helm chart into another namespace in the Kubernetes cluster. + +. List pods ++ +---- +kubectl get pods +NAME READY STATUS RESTARTS AGE +pds-iac-545f5bc8-7s6rh 1/1 Running 0 1m43s +pds-iac-545f5bc8-px9cs 1/1 Running 0 1m43s +pds-iac-545f5bc8-t52p6 1/1 Running 0 3m + +---- + +. Forward port of one of the pods to own machine ++ +---- +kubectl port-forward pds-iac-545f5bc8-7s6rh 8444:8444 +---- + +. Scan as explained in <<_scan>>. + +==== Upgrade + +In case, `my-values.yaml` was changed. Simply, use `helm upgrade` to update the deployment. 
`helm` will handle scaling up and down as well as changing the configuration. + +---- +helm upgrade --values my-values.yaml pds-iac helm/pds-iac/ +---- + +==== Uninstall + +. Helm list ++ +---- +helm list +NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION +pds-iac my-namespace 1 2021-06-24 21:54:37.668489822 +0200 CEST deployed pds-iac-0.1.0 0.21.0 +---- + +. Helm uninstall ++ +---- +helm uninstall pds-iac +---- + +=== Troubleshooting + +* Access deployment events. ++ +---- +kubectl describe pod pds-iac-545f5bc8-7s6rh +… +Events: + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal Scheduled 1m default-scheduler Successfully assigned sechub-dev/pds-iac-749fcb8d7f-jjqwn to kube-node01 + Normal Pulling 54s kubelet Pulling image "my.registry.example.org/sechub/pds_iac:v0.1" + Normal Pulled 40s kubelet Successfully pulled image "my.registry.example.org/sechub/pds_iac:v0.1" in 13.815348799s + Normal Created 15s kubelet Created container pds-iac + Normal Started 10s kubelet Started container pds-iac +---- + +* Access container logs. ++ +---- +kubectl logs pds-iac-545f5bc8-7s6rh + + . 
____ _ __ _ _ + /\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \ +( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \ + \\/ ___)| |_)| | | | | || (_| | ) ) ) ) + ' |____| .__|_| |_|_| |_\__, | / / / / + =========|_|==============|___/=/_/_/_/ + :: Spring Boot :: (v2.4.0) + +2021-06-09 14:46:07.310 INFO 7 --- [ main] d.s.p.ProductDelegationServerApplication : Starting ProductDelegationServerApplication using Java 11.0.11 on pds-iac-749fcb8d7f-jjqwn with PID 7 (/pds/sechub-pds-0.21.0.jar started by iac in /workspace) +2021-06-09 14:46:07.312 INFO 7 --- [ main] d.s.p.ProductDelegationServerApplication : The following profiles are active: pds_localserver +2021-06-09 14:46:08.945 INFO 7 --- [ main] o.apache.catalina.core.StandardService : Starting service [Tomcat] +2021-06-09 14:46:08.945 INFO 7 --- [ main] org.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/9.0.39] +2021-06-09 14:46:09.000 INFO 7 --- [ main] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext +2021-06-09 14:46:09.228 INFO 7 --- [ main] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Starting... +2021-06-09 14:46:09.485 INFO 7 --- [ main] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Start completed. 
+2021-06-09 14:46:10.243 INFO 7 --- [ main] c.d.s.p.m.PDSHeartBeatTriggerService : Heartbeat service created with 1000 millisecondss initial delay and 60000 millisecondss as fixed delay +2021-06-09 14:46:10.439 INFO 7 --- [ main] c.d.s.pds.batch.PDSBatchTriggerService : Scheduler service created with 100 millisecondss initial delay and 500 millisecondss as fixed delay +2021-06-09 14:46:13.192 INFO 7 --- [ main] d.s.p.ProductDelegationServerApplication : Started ProductDelegationServerApplication in 6.783 seconds (JVM running for 7.27) +2021-06-09 14:46:14.206 INFO 7 --- [ scheduling-1] c.d.s.p.m.PDSHeartBeatTriggerService : Heartbeat will be initialized +2021-06-09 14:46:14.206 INFO 7 --- [ scheduling-1] c.d.s.p.m.PDSHeartBeatTriggerService : Create new server hearbeat +2021-06-09 14:46:14.255 INFO 7 --- [ scheduling-1] c.d.s.p.m.PDSHeartBeatTriggerService : heartbeat update - serverid:IAC_CLUSTER, heartbeatuuid:a46b97b2-4cfb-449d-a171-42b255c4aab8, cluster-member-data:{"hostname":"pds-iac-749fcb8d7f-jjqwn","ip":"192.168.129.206","port":8444,"heartBeatTimestamp":"2021-06-09T14:46:14.207113","executionState":{"queueMax":50,"jobsInQueue":0,"entries":[]}} +---- diff --git a/sechub-pds-solutions/iac/docker-compose_pds_iac.yaml b/sechub-pds-solutions/iac/docker-compose_pds_iac.yaml new file mode 100644 index 0000000000..83c0cda537 --- /dev/null +++ b/sechub-pds-solutions/iac/docker-compose_pds_iac.yaml @@ -0,0 +1,23 @@ +# SPDX-License-Identifier: MIT + +version: "3" +services: + pds-iac: + build: + args: + - BASE_IMAGE=${BASE_IMAGE} + context: docker/ + dockerfile: IaC-Debian.dockerfile + container_name: pds-iac + env_file: + - .env + - .env-single + ports: + - "127.0.0.1:8444:8444" + - "127.0.0.1:15024:15024" + networks: + - "internal" + volumes: + - ./docker/scripts:/scripts +networks: + internal: 
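Review bot: The top-level `version: "3"` key is obsolete under the Compose Specification that `docker compose` (the command the start scripts in this commit use) implements; it is ignored and recent versions print a warning for it, so it can simply be dropped. The same key appears in docker-compose_pds_iac_cluster.yaml, docker-compose_pds_iac_cluster_object_storage.yaml and docker-compose_pds_iac_external-network.yaml in the following hunks. The build arg `- BASE_IMAGE=${BASE_IMAGE}` is also unguarded: if the variable is missing from `.env` and the environment, Compose substitutes an empty string and the build only fails later at the Dockerfile's `FROM` with a less obvious error; `- BASE_IMAGE=${BASE_IMAGE:?BASE_IMAGE must be set}` fails fast with the cause named.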
diff --git a/sechub-pds-solutions/iac/docker-compose_pds_iac_cluster.yaml b/sechub-pds-solutions/iac/docker-compose_pds_iac_cluster.yaml new file mode 100644 index 0000000000..6da224d655 --- /dev/null +++ b/sechub-pds-solutions/iac/docker-compose_pds_iac_cluster.yaml @@ -0,0 +1,50 @@ +# SPDX-License-Identifier: MIT + +version: "3" +services: + pds-iac: + build: + args: + - BASE_IMAGE=${BASE_IMAGE} + context: docker/ + dockerfile: IaC-Debian.dockerfile + env_file: + - .env + - .env-cluster + networks: + - "internal" + volumes: + - "shared_volume:/shared_volumes/uploads" + - ./docker/scripts:/scripts + depends_on: + - database + + loadbalancer: + build: + context: ../shared/docker/loadbalancer + args: + - PDS_SOLUTION=pds-iac + env_file: + - .env-cluster + networks: + - "internal" + depends_on: + - pds-iac + ports: + - "127.0.0.1:8444:8444" + + database: + build: + context: ../shared/docker/database + env_file: + - .env-cluster + networks: + - "internal" + ports: + - "127.0.0.1:5432:5432" + +networks: + internal: + +volumes: + shared_volume: diff --git a/sechub-pds-solutions/iac/docker-compose_pds_iac_cluster_object_storage.yaml b/sechub-pds-solutions/iac/docker-compose_pds_iac_cluster_object_storage.yaml new file mode 100644 index 0000000000..c92a837c77 --- /dev/null +++ b/sechub-pds-solutions/iac/docker-compose_pds_iac_cluster_object_storage.yaml 
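Review bot: `depends_on: - database` under `pds-iac` only orders container start-up; it does not wait for PostgreSQL to accept connections, so the PDS can come up before its database is ready. With `docker compose` the long form `depends_on: database: condition: service_healthy` gives the intended behaviour, provided the database image built from `../shared/docker/database` defines a healthcheck — that is not visible here, so either confirm it or add a `healthcheck:` to the `database` service. Separately, all three services join the single `internal` network, so the `loadbalancer` can reach PostgreSQL on 5432 although it only needs `pds-iac`; a second network joined only by `database` and `pds-iac` keeps the database reachable from the one service that uses it. Both points apply to the object-storage variant in the next hunk as well.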
@@ -0,0 +1,69 @@ +# SPDX-License-Identifier: MIT + +version: "3" +services: + pds-iac: + build: + args: + - BASE_IMAGE=${BASE_IMAGE} + context: docker/ + dockerfile: IaC-Debian.dockerfile + env_file: + - .env + - .env-cluster-object-storage + networks: + - internal + depends_on: + - database + - object-storage + volumes: + - ./docker/scripts:/scripts + + loadbalancer: + build: + context: ../shared/docker/loadbalancer + args: + - PDS_SOLUTION=pds-iac + env_file: + - .env-cluster-object-storage + networks: + - internal + depends_on: + - pds-iac + ports: + - "127.0.0.1:8444:8444" + + database: + build: + context: ../shared/docker/database + env_file: + - .env-cluster-object-storage + networks: + - internal + ports: + - "127.0.0.1:5432:5432" + + object-storage: + build: + context: ../shared/docker/object-storage + env_file: + - .env-cluster-object-storage + networks: + internal: + # A fixed IP address is necessary + # otherwise the AWS S3 client used by + # the PDS cannot resolve the address + ipv4_address: 10.42.43.7 + ports: + - "127.0.0.1:9000:9000" + - "127.0.0.1:9333:9333" + - "127.0.0.1:8080:8080" + +networks: + internal: + driver: bridge + ipam: + driver: default + config: + - subnet: 10.42.43.0/24 + gateway: 10.42.43.1 diff --git a/sechub-pds-solutions/iac/docker-compose_pds_iac_external-network.yaml b/sechub-pds-solutions/iac/docker-compose_pds_iac_external-network.yaml new file mode 100644 index 0000000000..c47215b097 --- /dev/null +++ b/sechub-pds-solutions/iac/docker-compose_pds_iac_external-network.yaml @@ -0,0 +1,24 @@ +# SPDX-License-Identifier: MIT + +version: "3" +services: + pds-iac: + build: + args: + - BASE_IMAGE=${BASE_IMAGE} + context: docker/ + dockerfile: IaC-Debian.dockerfile + container_name: pds-iac + hostname: pds-iac + env_file: + - .env + - .env-single + networks: + - "sechub" + volumes: + - ./docker/scripts:/scripts + +networks: + sechub: + external: true + name: "sechub" 
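Review bot: All four services read the same `env_file: .env-cluster-object-storage`, which the start script in this commit assembles from `env-base`, `env-cluster`, `env-object-storage` and `env-database`; if those fragments carry the database and object-storage credentials (their contents are not visible here), every container — including the `loadbalancer`, which needs none of them — receives the full set. Per-service env files, or `environment:` entries listing only the keys each service consumes, would limit each container to its own credentials. The hard-coded `ipv4_address: 10.42.43.7` together with the `ipam` `subnet` also pins the stack to one address range that can collide with other Docker networks or the host's routes; the comment explains that name resolution by the S3 client failed, so recording there what was tried would let a later maintainer drop the fixed address once the client supports the service name.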
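Review bot: This container joins the shared external `sechub` network with no `ports:` mapping, and on a user-defined Docker network every container port is reachable by the other members regardless of `ports`; the single-instance file in this commit maps the Java debug port 15024 to loopback only, but here a JDWP listener enabled via `JAVA_ENABLE_DEBUG=true` in `.env` (the README's troubleshooting step) would be reachable from every container on `sechub`. A comment next to `networks:` such as `# reachable by every container on the shared "sechub" network; keep JAVA_ENABLE_DEBUG unset/false in this configuration` records that constraint where the next maintainer will see it. As a point of style, network names are quoted (`- "sechub"`, `- "internal"`) in three of the compose files but unquoted (`- internal`) in docker-compose_pds_iac_cluster_object_storage.yaml; pick one form.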
diff --git a/sechub-pds-solutions/iac/docker/IaC-Debian.dockerfile b/sechub-pds-solutions/iac/docker/IaC-Debian.dockerfile new file mode 100644 index 0000000000..221d55ef49 --- /dev/null +++ b/sechub-pds-solutions/iac/docker/IaC-Debian.dockerfile 
@@ -0,0 +1,120 @@
+# SPDX-License-Identifier: MIT
+
+#-------------------
+# Global Variables
+#-------------------
+
+# The image argument needs to be placed on top
+ARG BASE_IMAGE
+
+# Build args
+ARG GO="go1.20.4.linux-amd64.tar.gz"
+
+# Artifact folder
+ARG PDS_ARTIFACT_FOLDER="/artifacts"
+
+#-------------------
+# Builder
+#-------------------
+
+FROM ${BASE_IMAGE} AS builder
+
+# Build args
+ARG GO
+ARG PDS_ARTIFACT_FOLDER
+
+ARG BUILD_FOLDER="/build"
+ARG GIT_URL_KICS="https://github.com/Checkmarx/kics.git"
+ARG GIT_BRANCH_KICS="master"
+
+ENV DOWNLOAD_FOLDER="/downloads"
+ENV PATH="/usr/local/go/bin:$PATH"
+
+USER root
+
+RUN mkdir --parent "$PDS_ARTIFACT_FOLDER" "$DOWNLOAD_FOLDER"
+
+RUN export DEBIAN_FRONTEND=noninteractive && \
+ apt-get update && \
+ apt-get install --quiet --assume-yes wget w3m git && \
+ apt-get clean
+
+# Install Go
+RUN cd "$DOWNLOAD_FOLDER" && \
+ # Get checksum from Go download site
+ GO_CHECKSUM=`w3m https://go.dev/dl/ | grep "$GO" | tail -1 | awk '{print $6}'` && \
+ # create checksum file
+ echo "$GO_CHECKSUM $GO" > "$GO.sha256sum" && \
+ # download Go
+ wget --no-verbose https://go.dev/dl/"${GO}" && \
+ # verify that the checksum and the checksum of the file are same
+ sha256sum --check "$GO.sha256sum" && \
+ # extract Go
+ tar --extract --file "$GO" --directory /usr/local/ && \
+ # remove go tar.gz
+ rm "$GO"
+
+# Build Kics
+RUN mkdir --parent "$BUILD_FOLDER" && \
+ cd "$BUILD_FOLDER" && \
+ # Clone Kics
+ git clone "$GIT_URL_KICS" --depth 1 --branch "$GIT_BRANCH_KICS" && \
+ cd "kics" && \
+ # Downloads Go packages
+ go mod vendor && \
+ # Build kics
+ go build -o ./bin/kics cmd/console/main.go && \
+ # copy kics binary
+ mkdir --parents "$PDS_ARTIFACT_FOLDER/kics/" && \
+ cp bin/kics --target-directory "$PDS_ARTIFACT_FOLDER/kics/" && \
+ # copy assets
+ cp --recursive assets --target-directory "$PDS_ARTIFACT_FOLDER/kics/"
+
+#-------------------
+# PDS Image
+#-------------------
+
+FROM ${BASE_IMAGE}
+
+# The remaining arguments need to be placed after the `FROM`
+# See: https://ryandaniels.ca/blog/docker-dockerfile-arg-from-arg-trouble/
+
+LABEL org.opencontainers.image.source="https://github.com/mercedes-benz/sechub"
+LABEL org.opencontainers.image.title="SecHub IaC+PDS Image"
+LABEL org.opencontainers.image.description="A container which combines Infrastructure as Code tools with the SecHub Product Delegation Server (PDS)"
+LABEL maintainer="SecHub FOSS Team"
+
+ARG PDS_ARTIFACT_FOLDER
+
+ENV PATH "$TOOL_FOLDER/kics:$PATH"
+#ARG GO="go1.20.4.linux-amd64.tar.gz"
+#ARG IAC_VERSION="2.13.1"
+
+# Environment variables in container
+#ENV IAC_VERSION="${IAC_VERSION}"
+
+USER root
+
+COPY --from=builder "$PDS_ARTIFACT_FOLDER" "$TOOL_FOLDER"
+
+# Copy mock folder
+COPY mocks "$MOCK_FOLDER"
+
+# Copy PDS configfile
+COPY pds-config.json "$PDS_FOLDER/pds-config.json"
+
+RUN export DEBIAN_FRONTEND=noninteractive && \
+ apt-get update && \
+ apt-get --assume-yes upgrade && \
+ apt-get --assume-yes install w3m wget jq && \
+ apt-get --assume-yes clean
+
+# Copy scripts
+COPY scripts $SCRIPT_FOLDER
+RUN chmod --recursive +x $SCRIPT_FOLDER
+
+# Set workspace
+WORKDIR "$WORKSPACE"
+
+# Switch from root to non-root user
+USER "$USER"
\ No newline at end of file
diff --git a/sechub-pds-solutions/iac/docker/mocks/kics-mock.sarif.json b/sechub-pds-solutions/iac/docker/mocks/kics-mock.sarif.json
new file mode 100644
index 0000000000..80a50f2f1e
--- /dev/null
+++ b/sechub-pds-solutions/iac/docker/mocks/kics-mock.sarif.json
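Review bot: KICS is built from `ARG GIT_BRANCH_KICS="master"` with `git clone --depth 1`, so every image build compiles whatever commit the branch points at that day — the scanner shipped in the PDS image is neither reproducible nor reviewable; pin it to a release, `ARG GIT_BRANCH_KICS="<kics release tag>"`, and bump it deliberately. The Go archive check has a related weakness: `GO_CHECKSUM` is scraped from the same `https://go.dev/dl/` page the tarball is fetched from (`w3m ... | grep "$GO" | tail -1 | awk '{print $6}'`), so `sha256sum --check` detects a corrupted transfer but not a compromised or intercepted origin, and the column/row scrape fails the build confusingly if the page layout changes; pin the digest as a build arg, `ARG GO_SHA256="<sha256 published for go1.20.4.linux-amd64.tar.gz>"`, and write `echo "$GO_SHA256 $GO" > "$GO.sha256sum"`. In the runtime stage, `ENV PATH "$TOOL_FOLDER/kics:$PATH"` uses the legacy whitespace `ENV key value` form, which BuildKit warns about — prefer `ENV PATH="$TOOL_FOLDER/kics:$PATH"`. That stage also relies on `TOOL_FOLDER`, `MOCK_FOLDER`, `PDS_FOLDER`, `SCRIPT_FOLDER`, `WORKSPACE` and `USER` being defined by `BASE_IMAGE`; a comment above the second `FROM` stating that expectation, e.g. `# Expects the PDS base image to define TOOL_FOLDER, MOCK_FOLDER, PDS_FOLDER, SCRIPT_FOLDER, WORKSPACE and USER`, would help, and the commented-out `#ARG GO`, `#ARG IAC_VERSION` and `#ENV IAC_VERSION` leftovers should be removed. Unless the scripts use it, `w3m` is only needed in the builder for the checksum scrape and can be dropped from the runtime `apt-get install`.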
@@ -0,0 +1,1106 @@ +{ + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "KICS", + "version": "development", + "fullName": "Keeping Infrastructure as Code Secure", + "informationUri": "https://www.kics.io/", + "rules": [ + { + "id": "62232513-b16f-4010-83d7-51d0e1d45426", + "name": "OSS Bucket Public Access Enabled", + "shortDescription": { + "text": "OSS Bucket Public Access Enabled" + }, + "fullDescription": { + "text": "OSS Bucket should have public access disabled" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#acl", + "relationships": [ + { + "target": { + "id": "CAT001", + "index": 5, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + "id": "1b4565c0-4877-49ac-ab03-adebbccd42ae", + "name": "RDS DB Instance Publicly Accessible", + "shortDescription": { + "text": "RDS DB Instance Publicly Accessible" + }, + "fullDescription": { + "text": "'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#security_ips", + "relationships": [ + { + "target": { + "id": "CAT007", + "index": 12, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + 
"id": "7a1ee8a9-71be-4b11-bb70-efb62d16863b", + "name": "RDS Instance SSL Action Disabled", + "shortDescription": { + "text": "RDS Instance SSL Action Disabled" + }, + "fullDescription": { + "text": "ssl_action parameter should be set to Open for RDS instances" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#ssl_action", + "relationships": [ + { + "target": { + "id": "CAT009", + "index": 14, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + "id": "c065b98e-1515-4991-9dca-b602bd6a2fbb", + "name": "Action Trail Logging For All Regions Disabled", + "shortDescription": { + "text": "Action Trail Logging For All Regions Disabled" + }, + "fullDescription": { + "text": "Action Trail Logging for all regions should be enabled" + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/actiontrail_trail#trail_region", + "relationships": [ + { + "target": { + "id": "CAT010", + "index": 1, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + "id": "f20e97f9-4919-43f1-9be9-f203cd339cdd", + "name": "OSS Bucket Encryption Using CMK Disabled", + "shortDescription": { + "text": "OSS Bucket Encryption Using CMK Disabled" + }, + "fullDescription": { + "text": "OSS Bucket should have encryption enabled using Customer Master Key" + }, + "defaultConfiguration": 
{ + "level": "warning" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#server_side_encryption_rule", + "relationships": [ + { + "target": { + "id": "CAT006", + "index": 11, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + "id": "05db341e-de7d-4972-a106-3e2bd5ee53e1", + "name": "OSS Bucket Logging Disabled", + "shortDescription": { + "text": "OSS Bucket Logging Disabled" + }, + "fullDescription": { + "text": "OSS Bucket should have logging enabled, for better visibility of resources and objects." + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#logging", + "relationships": [ + { + "target": { + "id": "CAT010", + "index": 1, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + "id": "70919c0b-2548-4e6b-8d7a-3d84ab6dabba", + "name": "OSS Bucket Versioning Disabled", + "shortDescription": { + "text": "OSS Bucket Versioning Disabled" + }, + "fullDescription": { + "text": "OSS Bucket should have versioning enabled" + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#versioning", + "relationships": [ + { + "target": { + "id": "CAT003", + "index": 6, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, 
+ { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + "id": "dc158941-28ce-481d-a7fa-dc80761edf46", + "name": "RDS Instance Retention Period Not Recommended", + "shortDescription": { + "text": "RDS Instance Retention Period Not Recommended" + }, + "fullDescription": { + "text": "RDS Instance SQL Retention Period should be greater than 180" + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#sql_collector_config_value", + "relationships": [ + { + "target": { + "id": "CAT010", + "index": 1, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + "id": "7db8bd7e-9772-478c-9ec5-4bc202c5686f", + "name": "OSS Bucket Lifecycle Rule Disabled", + "shortDescription": { + "text": "OSS Bucket Lifecycle Rule Disabled" + }, + "fullDescription": { + "text": "OSS Bucket should have lifecycle rule enabled and set to true" + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#lifecycle_rule", + "relationships": [ + { + "target": { + "id": "CAT003", + "index": 6, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + "id": "8f98334a-99aa-4d85-b72a-1399ca010413", + "name": "OSS Bucket Transfer Acceleration 
Disabled", + "shortDescription": { + "text": "OSS Bucket Transfer Acceleration Disabled" + }, + "fullDescription": { + "text": "OSS Bucket should have transfer acceleration enabled" + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#transfer_acceleration", + "relationships": [ + { + "target": { + "id": "CAT002", + "index": 10, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + "id": "140869ea-25f2-40d4-a595-0c0da135114e", + "name": "RDS Instance Log Connections Disabled", + "shortDescription": { + "text": "RDS Instance Log Connections Disabled" + }, + "fullDescription": { + "text": "'log_connections' parameter should be set to ON for RDS instances" + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#parameters", + "relationships": [ + { + "target": { + "id": "CAT010", + "index": 1, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + "id": "d53f4123-f8d8-4224-8cb3-f920b151cc98", + "name": "RDS Instance Log Disconnections Disabled", + "shortDescription": { + "text": "RDS Instance Log Disconnections Disabled" + }, + "fullDescription": { + "text": "log_disconnections parameter should be set to ON for RDS instances" + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": 
"https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#parameters", + "relationships": [ + { + "target": { + "id": "CAT010", + "index": 1, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + }, + { + "id": "a597e05a-c065-44e7-9cc8-742f572a504a", + "name": "RDS Instance Log Duration Disabled", + "shortDescription": { + "text": "RDS Instance Log Duration Disabled" + }, + "fullDescription": { + "text": "log_duration parameter should be set to ON for RDS instances" + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#parameters", + "relationships": [ + { + "target": { + "id": "CAT010", + "index": 1, + "toolComponent": { + "name": "Categories", + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "index": 0 + } + } + }, + { + "target": { + "id": "1349", + "guid": "33333333-0000-1111-8888-111111111111", + "toolComponent": { + "name": "CWE", + "guid": "33333333-0000-1111-8888-000000000000" + } + } + } + ] + } + ] + } + }, + "results": [ + { + "ruleId": "62232513-b16f-4010-83d7-51d0e1d45426", + "ruleIndex": 0, + "kind": "fail", + "message": { + "text": "'acl' is public-read-write" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/bucket.tf" + }, + "region": { + "startLine": 7 + } + } + } + ] + }, + { + "ruleId": "1b4565c0-4877-49ac-ab03-adebbccd42ae", + "ruleIndex": 1, + "kind": "fail", + "message": { + "text": "'0.0.0.0' is in 'security_ips' list" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/rds.tf" + }, + "region": { + "startLine": 9 + } + } + } + ] + }, + { + "ruleId": 
"7a1ee8a9-71be-4b11-bb70-efb62d16863b", + "ruleIndex": 2, + "kind": "fail", + "message": { + "text": "'ssl_action' is not defined" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/rds.tf" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "c065b98e-1515-4991-9dca-b602bd6a2fbb", + "ruleIndex": 3, + "kind": "fail", + "message": { + "text": "'event_rw' is not set to All" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/trail.tf" + }, + "region": { + "startLine": 7 + } + } + } + ] + }, + { + "ruleId": "c065b98e-1515-4991-9dca-b602bd6a2fbb", + "ruleIndex": 3, + "kind": "fail", + "message": { + "text": "'trail_region' is not set to All" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/trail.tf" + }, + "region": { + "startLine": 8 + } + } + } + ] + }, + { + "ruleId": "f20e97f9-4919-43f1-9be9-f203cd339cdd", + "ruleIndex": 4, + "kind": "fail", + "message": { + "text": "[trail].policy does not have server side encryption rule and kms master key id defined" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/trail.tf" + }, + "region": { + "startLine": 11 + } + } + } + ] + }, + { + "ruleId": "f20e97f9-4919-43f1-9be9-f203cd339cdd", + "ruleIndex": 4, + "kind": "fail", + "message": { + "text": "[bad_bucket].policy does not have server side encryption rule and kms master key id defined" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/bucket.tf" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "05db341e-de7d-4972-a106-3e2bd5ee53e1", + "ruleIndex": 5, + "kind": "fail", + "message": { + "text": "bad_bucket does not have logging enabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/bucket.tf" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": 
"05db341e-de7d-4972-a106-3e2bd5ee53e1", + "ruleIndex": 5, + "kind": "fail", + "message": { + "text": "trail does not have logging enabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/trail.tf" + }, + "region": { + "startLine": 11 + } + } + } + ] + }, + { + "ruleId": "70919c0b-2548-4e6b-8d7a-3d84ab6dabba", + "ruleIndex": 6, + "kind": "fail", + "message": { + "text": "'versioning' is missing" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/trail.tf" + }, + "region": { + "startLine": 11 + } + } + } + ] + }, + { + "ruleId": "70919c0b-2548-4e6b-8d7a-3d84ab6dabba", + "ruleIndex": 6, + "kind": "fail", + "message": { + "text": "'versioning' is missing" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/bucket.tf" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "dc158941-28ce-481d-a7fa-dc80761edf46", + "ruleIndex": 7, + "kind": "fail", + "message": { + "text": "'sql_collector_status' is not defined" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/rds.tf" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "dc158941-28ce-481d-a7fa-dc80761edf46", + "ruleIndex": 7, + "kind": "fail", + "message": { + "text": "'sql_collector_config_value' is not defined" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/rds.tf" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "7db8bd7e-9772-478c-9ec5-4bc202c5686f", + "ruleIndex": 8, + "kind": "fail", + "message": { + "text": "'lifecycle_rule' is not set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/bucket.tf" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "7db8bd7e-9772-478c-9ec5-4bc202c5686f", + "ruleIndex": 8, + "kind": "fail", + "message": { + "text": "'lifecycle_rule' is not set" 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/trail.tf" + }, + "region": { + "startLine": 11 + } + } + } + ] + }, + { + "ruleId": "8f98334a-99aa-4d85-b72a-1399ca010413", + "ruleIndex": 9, + "kind": "fail", + "message": { + "text": "'transfer_acceleration' is missing" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/bucket.tf" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "8f98334a-99aa-4d85-b72a-1399ca010413", + "ruleIndex": 9, + "kind": "fail", + "message": { + "text": "'transfer_acceleration' is missing" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/trail.tf" + }, + "region": { + "startLine": 11 + } + } + } + ] + }, + { + "ruleId": "140869ea-25f2-40d4-a595-0c0da135114e", + "ruleIndex": 10, + "kind": "fail", + "message": { + "text": "'log_connections' parameter is not defined" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/rds.tf" + }, + "region": { + "startLine": 16 + } + } + } + ] + }, + { + "ruleId": "d53f4123-f8d8-4224-8cb3-f920b151cc98", + "ruleIndex": 11, + "kind": "fail", + "message": { + "text": "'log_disconnections' parameter is not defined" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/rds.tf" + }, + "region": { + "startLine": 16 + } + } + } + ] + }, + { + "ruleId": "a597e05a-c065-44e7-9cc8-742f572a504a", + "ruleIndex": 12, + "kind": "fail", + "message": { + "text": "'log_duration' parameter is not defined" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "alicloud/rds.tf" + }, + "region": { + "startLine": 16 + } + } + } + ] + } + ], + "taxonomies": [ + { + "guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", + "name": "Categories", + "fullDescription": { + "text": "This taxonomy contains the types an issue can assume" + }, + "shortDescription": { + "text": 
"Vulnerabilities categories" + }, + "taxa": [ + { + "id": "CAT000", + "name": "Undefined Category", + "shortDescription": { + "text": "Category is not defined" + }, + "fullDescription": { + "text": "Category is not defined" + } + }, + { + "id": "CAT010", + "name": "Observability", + "shortDescription": { + "text": "Logging and Monitoring" + }, + "fullDescription": { + "text": "Logging and Monitoring" + } + }, + { + "id": "CAT008", + "name": "Insecure Defaults", + "shortDescription": { + "text": "Configurations that are insecure by default" + }, + "fullDescription": { + "text": "Configurations that are insecure by default" + } + }, + { + "id": "CAT012", + "name": "Secret Management", + "shortDescription": { + "text": "Secret and Key management" + }, + "fullDescription": { + "text": "Secret and Key management" + } + }, + { + "id": "CAT014", + "name": "Structure and Semantics", + "shortDescription": { + "text": "Malformed document structure or inadequate semantics" + }, + "fullDescription": { + "text": "Malformed document structure or inadequate semantics" + } + }, + { + "id": "CAT001", + "name": "Access Control", + "shortDescription": { + "text": "Service permission and identity management" + }, + "fullDescription": { + "text": "Service permission and identity management" + } + }, + { + "id": "CAT003", + "name": "Backup", + "shortDescription": { + "text": "Survivability and Recovery" + }, + "fullDescription": { + "text": "Survivability and Recovery" + } + }, + { + "id": "CAT004", + "name": "Best Practices", + "shortDescription": { + "text": "Metadata management" + }, + "fullDescription": { + "text": "Metadata management" + } + }, + { + "id": "CAT011", + "name": "Resource Management", + "shortDescription": { + "text": "Resource and privilege limit configuration" + }, + "fullDescription": { + "text": "Resource and privilege limit configuration" + } + }, + { + "id": "CAT015", + "name": "Bill Of Materials", + "shortDescription": { + "text": "List of resources 
provisioned" + }, + "fullDescription": { + "text": "List of resources provisioned" + } + }, + { + "id": "CAT002", + "name": "Availability", + "shortDescription": { + "text": "Reliability and Scalability" + }, + "fullDescription": { + "text": "Reliability and Scalability" + } + }, + { + "id": "CAT006", + "name": "Encryption", + "shortDescription": { + "text": "Data Security and Encryption configuration" + }, + "fullDescription": { + "text": "Data Security and Encryption configuration" + } + }, + { + "id": "CAT007", + "name": "Insecure Configurations", + "shortDescription": { + "text": "Configurations which expose the application unnecessarily" + }, + "fullDescription": { + "text": "Configurations which expose the application unnecessarily" + } + }, + { + "id": "CAT005", + "name": "Build Process", + "shortDescription": { + "text": "Insecure configurations when building/deploying" + }, + "fullDescription": { + "text": "Insecure configurations when building/deploying" + } + }, + { + "id": "CAT009", + "name": "Networking and Firewall", + "shortDescription": { + "text": "Network port exposure and firewall configuration" + }, + "fullDescription": { + "text": "Network port exposure and firewall configuration" + } + }, + { + "id": "CAT013", + "name": "Supply-Chain", + "shortDescription": { + "text": "Dependency version management" + }, + "fullDescription": { + "text": "Dependency version management" + } + } + ] + }, + { + "name": "CWE", + "version": "4.13", + "releaseDateUtc": "2023-12-08", + "guid": "33333333-0000-1111-8888-000000000000", + "informationUri": "https://cwe.mitre.org/data/published/cwe_v4.13.pdf/", + "downloadUri": "https://cwe.mitre.org/data/xml/cwec_v4.13.xml.zip", + "organization": "MITRE", + "shortDescription": { + "text": "The MITRE Common Weakness Enumeration" + }, + "contents": [ + "localizedData", + "nonLocalizedData" + ], + "isComprehensive": true, + "minimumRequiredLocalizedDataSemanticVersion": "4.13", + "taxa": [ + { + "id": "1349", + "guid": 
"33333333-0000-1111-8888-111111111111",
+ "name": "OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration",
+ "shortDescription": {
+ "text": "Weaknesses in this category are related to the A05 category Security Misconfiguration in the OWASP Top Ten 2021."
+ },
+ "defaultConfiguration": {
+ "level": "warning"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
diff --git a/sechub-pds-solutions/iac/docker/pds-config.json b/sechub-pds-solutions/iac/docker/pds-config.json
new file mode 100644
index 0000000000..e49217ce8f
--- /dev/null
+++ b/sechub-pds-solutions/iac/docker/pds-config.json
@@ -0,0 +1,18 @@
+{
+ "apiVersion": "1.0",
+ "serverId": "IAC_CLUSTER",
+ "products": [
+ {
+ "id": "PDS_KICS",
+ "path": "/pds/scripts/kics.sh",
+ "scanType": "codeScan",
+ "description": "Runs the Infrastructure-as-Code security checker Kics."
+ },
+ {
+ "id": "PDS_KICS_MOCK",
+ "path": "/pds/scripts/kics_mock.sh",
+ "scanType": "codeScan",
+ "description": "Runs Kics mock. It returns a fixed result file."
+ }
+ ]
+}
diff --git a/sechub-pds-solutions/iac/docker/scripts/kics.sh b/sechub-pds-solutions/iac/docker/scripts/kics.sh
new file mode 100755
index 0000000000..ee56d82e95
--- /dev/null
+++ b/sechub-pds-solutions/iac/docker/scripts/kics.sh
@@ -0,0 +1,93 @@
+#!/usr/bin/env sh
+# SPDX-License-Identifier: MIT
+
+scan_results_folder="$PDS_JOB_WORKSPACE_LOCATION/results"
+
+echo ""
+echo "----------"
+echo "Kics Setup"
+echo "----------"
+echo ""
+
+if [ "$PDS_JOB_HAS_EXTRACTED_SOURCES" = "true" ]
+then
+ echo "Found sources to scan."
+else
+ echo ""
+ echo "ERROR: No sources found."
+ echo ""
+ echo "Workspace location structure:"
+ echo ""
+ tree "$PDS_JOB_WORKSPACE_LOCATION"
+ exit 1
+fi
+
+echo ""
+echo "-------------"
+echo "Starting scan"
+echo "-------------"
+echo ""
+
+echo "Starting Kics"
+cd $PDS_JOB_SOURCECODE_UNZIPPED_FOLDER
+kics scan --ci --exclude-categories "Best practices" --disable-full-descriptions --report-formats "sarif" --output-path "$scan_results_folder" --path "."
+
+#######################################################################################################################
+# Workaround: Since there are no CWEs we add a fixed CWE taxonomy to the SARIF report for false-positive handling #
+# This won't be needed anymore once Checkmarx adds CWEs to their reports #
+#######################################################################################################################
+
+cat $scan_results_folder/results.sarif | jq '.runs[].taxonomies += [{
+ "name": "CWE",
+ "version": "4.13",
+ "releaseDateUtc": "2023-12-08",
+ "guid": "33333333-0000-1111-8888-000000000000",
+ "informationUri": "https://cwe.mitre.org/data/published/cwe_v4.13.pdf/",
+ "downloadUri": "https://cwe.mitre.org/data/xml/cwec_v4.13.xml.zip",
+ "organization": "MITRE",
+ "shortDescription": {
+ "text": "The MITRE Common Weakness Enumeration"
+ },
+ "contents": [
+ "localizedData",
+ "nonLocalizedData"
+ ],
+ "isComprehensive": true,
+ "minimumRequiredLocalizedDataSemanticVersion": "4.13",
+ "taxa": [
+ {
+ "id": "1349",
+ "guid": "33333333-0000-1111-8888-111111111111",
+ "name": "OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration",
+ "shortDescription": {
+ "text": "Weaknesses in 
this category are related to the A05 category Security Misconfiguration in the OWASP Top Ten 2021."
+ },
+ "defaultConfiguration": {
+ "level": "warning"
+ }
+ }
+ ]
+ }]' > $scan_results_folder/intermediate.sarif
+
+cat $scan_results_folder/intermediate.sarif | jq '.runs[].tool.driver.rules[].relationships += [{
+ "target": {
+ "id": "1349",
+ "guid": "33333333-0000-1111-8888-111111111111",
+ "toolComponent": {
+ "name": "CWE",
+ "guid": "33333333-0000-1111-8888-000000000000"
+ }
+ }
+}]' > $scan_results_folder/results-fixedcwe.sarif
+
+mv $scan_results_folder/results-fixedcwe.sarif $scan_results_folder/results.sarif
+
+######################
+# End of workaround #
+######################
+
+echo "Copy result file"
+echo "Results folder: $scan_results_folder"
+tree "$scan_results_folder"
+
+cp "$scan_results_folder/results.sarif" "$PDS_JOB_RESULT_FILE"
\ No newline at end of file
diff --git a/sechub-pds-solutions/iac/docker/scripts/kics_mock.sh b/sechub-pds-solutions/iac/docker/scripts/kics_mock.sh
new file mode 100755
index 0000000000..9b1318e50e
--- /dev/null
+++ b/sechub-pds-solutions/iac/docker/scripts/kics_mock.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env sh
+# SPDX-License-Identifier: MIT
+
+# Mock is scan output of: https://github.com/Contrast-Security-OSS/go-test-bench
+echo "Running PDS Kics Mock"
+cp "$MOCK_FOLDER/kics-mock.sarif.json" "$PDS_JOB_RESULT_FILE"
\ No newline at end of file
diff --git a/sechub-pds-solutions/iac/env b/sechub-pds-solutions/iac/env
new file mode 100644
index 0000000000..867bd18493
--- /dev/null
+++ b/sechub-pds-solutions/iac/env
@@ -0,0 +1,4 @@
+# The base image to use
+# uncomment to use local image
+# BASE_IMAGE="pds-base_pds"
+BASE_IMAGE="ghcr.io/mercedes-benz/sechub/pds-base"
\ No newline at end of file
diff --git a/sechub-pds-solutions/iac/env-database b/sechub-pds-solutions/iac/env-database
new file mode 100644
index 0000000000..d3c9ad6e5f
--- /dev/null
+++ b/sechub-pds-solutions/iac/env-database
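Review bot: The exit status of `kics scan` is never checked and the script has no `set -e`, so a scanner failure (missing binary, unreadable input, crash) still runs both jq passes on a non-existent `results.sarif` and only fails at the final `cp`, with a misleading error far from the cause. Because KICS signals found results through non-zero exit codes, a plain `set -e` would abort on findings; instead capture the status after the scan, or run with `--ignore-on-exit results` if the installed KICS supports it so only real errors are non-zero, and `exit 1` when `$scan_results_folder/results.sarif` does not exist before the workaround block. The unquoted `cd $PDS_JOB_SOURCECODE_UNZIPPED_FOLDER` should be `cd "$PDS_JOB_SOURCECODE_UNZIPPED_FOLDER" || exit 1`; if the cd fails, `--path "."` silently scans whatever directory the PDS process is in. The workaround comment blames "Checkmarx" for the missing CWEs; writing `KICS (Checkmarx)` makes the link to the tool being run explicit for the next reader.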
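Review bot: The comment `# Mock is scan output of: https://github.com/Contrast-Security-OSS/go-test-bench` does not describe this mock: the SARIF fixture added earlier in this patch (presumably the `kics-mock.sarif.json` copied here) reports findings in `alicloud/bucket.tf`, `alicloud/rds.tf` and `alicloud/trail.tf`, i.e. KICS output for a Terraform/Alicloud sample, not the Go test bench. The line looks copied from another PDS solution; replace it with the real origin of the fixture, e.g. `# Mock is KICS scan output of a sample Terraform (alicloud) project: <source of the sample>`.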
@@ -0,0 +1,9 @@
+# The database start mode
+# debug - starts only the container
+# server - initializes and starts the database
+DATABASE_START_MODE=server
+POSTGRES_ENABLED=true
+DATABASE_CONNECTION=jdbc:postgresql://database:5432/pds?currentSchema=iac
+DATABASE_PASSWORD='top$ecret'
+DATABASE_USERNAME=iac
+
diff --git a/sechub-pds-solutions/iac/helm/pds-iac/.helmignore b/sechub-pds-solutions/iac/helm/pds-iac/.helmignore
new file mode 100644
index 0000000000..1785d7ac79
--- /dev/null
+++ b/sechub-pds-solutions/iac/helm/pds-iac/.helmignore
@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: MIT
+
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/sechub-pds-solutions/iac/helm/pds-iac/Chart.yaml b/sechub-pds-solutions/iac/helm/pds-iac/Chart.yaml
new file mode 100644
index 0000000000..1166f4d17f
--- /dev/null
+++ b/sechub-pds-solutions/iac/helm/pds-iac/Chart.yaml
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: MIT
+
+apiVersion: v2
+name: pds-iac
+description: SecHub PDS + IaC tools as Helm chart for Kubernetes
+
+type: application
+
+maintainers:
+ - name: Jeremias Eppler
+ - name: Rouven Haertel
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.0
diff --git a/sechub-pds-solutions/iac/helm/pds-iac/LICENSE b/sechub-pds-solutions/iac/helm/pds-iac/LICENSE
new file mode 100644
index 0000000000..2926a35b5f
--- /dev/null
+++ b/sechub-pds-solutions/iac/helm/pds-iac/LICENSE
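Review bot: `DATABASE_PASSWORD='top$ecret'` is a credential committed to the repository; it is presumably only for the local docker-compose database in this folder, but nothing in the file says so, and the same file also fixes `DATABASE_USERNAME=iac` and the JDBC URL that a real deployment would copy. A header comment such as `# Local docker-compose development settings only - do not reuse these credentials for a real deployment` keeps that boundary visible to whoever copies this solution next.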
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
\ No newline at end of file
diff --git a/sechub-pds-solutions/iac/helm/pds-iac/README.md b/sechub-pds-solutions/iac/helm/pds-iac/README.md
new file mode 100644
index 0000000000..d7c1ee3c20
--- /dev/null
+++ b/sechub-pds-solutions/iac/helm/pds-iac/README.md
@@ -0,0 +1,4 @@
+
+# IaC + PDS
+
+This Helm chart enables one to deploy IaC and the [SecHub Product Delegation Server (PDS)](https://mercedes-benz.github.io/sechub/latest/sechub-product-delegation-server.html) into a Kubernetes environment. It is recommended to use IaC + PDS together with [SecHub](https://mercedes-benz.github.io/sechub/).
\ No newline at end of file
diff --git a/sechub-pds-solutions/iac/helm/pds-iac/templates/deployment.yaml b/sechub-pds-solutions/iac/helm/pds-iac/templates/deployment.yaml
new file mode 100644
index 0000000000..a67df5db0e
--- /dev/null
+++ b/sechub-pds-solutions/iac/helm/pds-iac/templates/deployment.yaml 
@@ -0,0 +1,124 @@
+# SPDX-License-Identifier: MIT
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Chart.Nme }}
+ labels:
+ name: {{ .Chart.Name }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ name: {{ .Chart.Name }}
+ template:
+ metadata:
+ labels:
+ name: {{ .Chart.Name }}
+ spec:
+ securityContext:
+ runAsUser: 2323 # user id of the application user. (overrides settings in the Dockerfile)
+ runAsGroup: 2323 # group id of the application group. (overrides setings in the Dockerfile)
+ fsGroup: 2323 # group id of the application group. Set in the Dockerfile. This group has write access to the volumes.
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.registry }}:{{ .Values.image.tag }}"
+ resources:
+ requests:
+ memory: "{{ .Values.resources.requests.memory }}"
+ limits:
+ memory: "{{ .Values.resources.limits.memory }}"
+ env:
+ - name: PDS_START_MODE
+ value: "{{ .Values.pds.startMode }}"
+ - name: ADMIN_USERID
+ value: "{{ .Values.users.admin.id }}"
+ - name: ADMIN_APITOKEN
+ value: "{{ .Values.users.admin.apiToken }}"
+ - name: TECHUSER_USERID
+ value: "{{ .Values.users.technical.id }}"
+ - name: TECHUSER_APITOKEN
+ value: "{{ .Values.users.technical.apiToken }}"
+ - name: PDS_MAX_FILE_UPLOAD_BYTES
+ value: "{{ .Values.pds.maxFileUploadBytes }}"
+ - name: PDS_CONFIG_EXECUTE_QUEUE_MAX
+ value: "{{ .Values.pds.config.execute.queueMax }}"
+ - name: PDS_CONFIG_EXECUTE_WORKER_THREAD_COUNT
+ value: "{{ .Values.pds.config.execute.workerThreadCount }}"
+ - name: PDS_HEARTBEAT_LOGGING
+ value: "{{ .Values.pds.heartbeatLogging }}"
+{{- if .Values.pds.logging.type.enabled }}
+ - name: LOGGING_TYPE
+ value: {{ .Values.pds.logging.type.appenderName }}
+{{- end }}
+{{- if .Values.pds.debug.keepReportsInWorkspace }}
+ - name: SECHUB_PDS_WORKSPACE_AUTOCLEAN_DISABLED
+ value: "true"
+{{- end }}
+{{- if .Values.pds.javaDebug.enabled }}
+ - name: JAVA_ENABLE_DEBUG
+ value: "true"
+{{- end }}
+{{- if 
.Values.pds.keepContainerAliveAfterPDSCrashed }}
+ - name: KEEP_CONTAINER_ALIVE_AFTER_PDS_CRASHED
+ value: "true"
+{{- end }}
+{{- if .Values.database.postgres.enabled }}
+ - name: POSTGRES_ENABLED
+ value: "true"
+ - name: DATABASE_CONNECTION
+ value: "{{ .Values.database.postgres.connection }}"
+ - name: DATABASE_USERNAME
+ value: "{{ .Values.database.postgres.username }}"
+ - name: DATABASE_PASSWORD
+ value: "{{ .Values.database.postgres.password }}"
+{{- end }}
+ # limit database connection pool
+ - name: SPRING_DATASOURCE_HIKARI_MINIMUMIDLE
+ value: "1"
+ - name: SPRING_DATASOURCE_HIKARI_MAXIMUMPOOLSIZE
+ value: "2"
+
+ # Storage priority in order: local, s3, shared volume
+ # Meaning if local is enabled local will be used,
+ # regardless of other storage configurations.
+{{- if .Values.storage.local.enabled }}
+ - name: SHARED_VOLUME_UPLOAD_DIR
+ value: "/shared_volumes/uploads"
+{{- else if .Values.storage.s3.enabled }}
+ - name: S3_ENABLED
+ value: "true"
+ - name: S3_ENDPOINT
+ value: {{ .Values.storage.s3.endpoint }}
+ - name: S3_BUCKETNAME
+ value: {{ .Values.storage.s3.bucketname }}
+ - name: S3_ACCESSKEY
+ value: {{ .Values.storage.s3.accesskey }}
+ - name: S3_SECRETKEY
+ value: {{ .Values.storage.s3.secretkey }}
+{{- else if .Values.storage.sharedVolume.enabled }}
+ - name: SHARED_VOLUME_UPLOAD_DIR
+ value: "{{ .Values.storage.sharedVolume.upload.dir }}"
+{{- end}}
+ ports:
+ - name: pds-https-port
+ containerPort: 8444
+ startupProbe:
+ httpGet:
+ scheme: HTTPS
+ path: /api/anonymous/check/alive
+ port: pds-https-port
+ periodSeconds: 1
+ failureThreshold: 300
+ # probe every 1s x 300 = 5 mins before restart of container
+ successThreshold: 1
+ timeoutSeconds: 1
+ livenessProbe:
+ httpGet:
+ scheme: HTTPS
+ path: /api/anonymous/check/alive
+ port: pds-https-port
+ periodSeconds: 5
+ failureThreshold: 3
+ successThreshold: 1
+ timeoutSeconds: 3
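Review bot: `ADMIN_APITOKEN`, `TECHUSER_APITOKEN`, `DATABASE_PASSWORD` and `S3_SECRETKEY` are rendered as plain `value:` strings straight from values.yaml, so the credentials land in the rendered Deployment (readable by anyone allowed to get Deployments) and in the Helm release history, whereas the sechub-server chart touched in this same patch reads the matching PDS credential through `secretKeyRef` from `secret-pds-iac`. Reading them from a Secret, as sketched below, keeps the chart consistent with the server side; wrapping the token values in `required` would also stop the chart from silently deploying with the empty `apiToken: ""` defaults. The four S3 entries are additionally the only env values rendered unquoted (`value: {{ .Values.storage.s3.endpoint }}`), so an empty or boolean-looking value changes type there; quote them like every other entry. The pod `securityContext` fixes user and group but sets no `allowPrivilegeEscalation: false`, `seccompProfile` or capability drop on the container; whether the base image tolerates those is not visible here, so treat it as something to verify rather than a defect.
```yaml
        - name: ADMIN_APITOKEN
          valueFrom:
            secretKeyRef:
              name: "<placeholder: Secret holding the PDS credentials>"
              key: "<placeholder: admin token key>"
        - name: TECHUSER_APITOKEN
          valueFrom:
            secretKeyRef:
              name: "<placeholder: Secret holding the PDS credentials>"
              key: "<placeholder: techuser token key>"
        # … unchanged: remaining env entries; apply the same pattern to DATABASE_PASSWORD and S3_SECRETKEY …
```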
diff --git a/sechub-pds-solutions/iac/helm/pds-iac/templates/networkpolicy.yaml b/sechub-pds-solutions/iac/helm/pds-iac/templates/networkpolicy.yaml
new file mode 100644
index 0000000000..b8bd77258a
--- /dev/null
+++ b/sechub-pds-solutions/iac/helm/pds-iac/templates/networkpolicy.yaml
@@ -0,0 +1,18 @@
+# SPDX-License-Identifier: MIT
+
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ .Chart.Name }}-policy
+spec:
+ podSelector:
+ matchLabels:
+ name: {{ .Chart.Name }}
+
+{{- if .Values.networkPolicy.ingress }}
+ ingress:
+ {{ .Values.networkPolicy.ingress | toYaml | indent 4 | trim }}
+{{- end }}
+
+{{- end }}
diff --git a/sechub-pds-solutions/iac/helm/pds-iac/templates/service.yaml b/sechub-pds-solutions/iac/helm/pds-iac/templates/service.yaml
new file mode 100644
index 0000000000..546b6ee2fa
--- /dev/null
+++ b/sechub-pds-solutions/iac/helm/pds-iac/templates/service.yaml
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: MIT
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Chart.Name }}
+spec:
+ selector:
+ name: {{ .Chart.Name }}
+ ports:
+ - protocol: TCP
+ port: 8444
+ targetPort: 8444
\ No newline at end of file
diff --git a/sechub-pds-solutions/iac/helm/pds-iac/values.yaml b/sechub-pds-solutions/iac/helm/pds-iac/values.yaml
new file mode 100644
index 0000000000..8272c3ef67
--- /dev/null
+++ b/sechub-pds-solutions/iac/helm/pds-iac/values.yaml
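Review bot: When `networkPolicy.enabled` is true but `networkPolicy.ingress` is empty, the rendered policy selects the PDS pods with neither `ingress` rules nor `policyTypes`; Kubernetes then isolates the selected pods for ingress, so all inbound traffic, including what the Service forwards to 8444, is denied. That is a safe default but not obvious from the template; a comment above the `{{- if .Values.networkPolicy.ingress }}` line such as `# no ingress list configured => every ingress to the PDS pods is denied` plus an explicit `policyTypes: [Ingress]` would make the intent and the effect visible. The `| toYaml | indent 4 | trim` combination is the hand-rolled form of `{{- .Values.networkPolicy.ingress | toYaml | nindent 4 }}`, the usual Helm idiom for the same result.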
@@ -0,0 +1,78 @@
+# SPDX-License-Identifier: MIT
+
+# This is a sample values file containing the defaults.
+
+replicaCount: 1
+
+image:
+ registry: "ghcr.io/mercedes-benz/sechub/pds-iac"
+ tag: "latest"
+
+resources:
+ requests:
+ # Initial container memory size
+ memory: 256Mi
+ limits:
+ # Maximum container memory size
+ memory: 1Gi
+
+pds:
+ startMode: localserver
+ # Maximum upload size for source code: 50 MiB by default (50 * 1024 * 1024 = 52428800)
+ maxFileUploadBytes: "52428800"
+ config:
+ execute:
+ # Maximal accepted queue size (new job requests will be denied and thus cached on SecHub server)
+ queueMax: 10
+ # Maximum number of jobs that are processed in parallel by PDS
+ workerThreadCount: 10
+ heartbeatLogging: "true"
+ logging:
+ type:
+ enabled: false
+ appenderName: "LOGSTASH_JSON"
+ debug:
+ keepReportsInWorkspace: false
+ javaDebug:
+ enabled: false
+ keepContainerAliveAfterPDSCrashed: false
+
+users:
+ technical:
+ id: "techuser"
+ apiToken: ""
+ admin:
+ id: "admin"
+ apiToken: ""
+
+storage:
+ local:
+ enabled: true
+ s3:
+ enabled: false
+ endpoint: "https://:"
+ bucketname: ""
+ accesskey: ""
+ secretkey: ""
+ sharedVolume:
+ enabled: false
+ upload:
+ dir: "/mount/nfs/shares/"
+
+database:
+ postgres:
+ enabled: false
+ connection: "jdbc:postgresql://database:5432/pds"
+ username: "pds_iac"
+ password: ""
+
+networkPolicy:
+ enabled: false
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ name: sechub-server
+ - podSelector:
+ matchLabels:
+ name: sechub-adminserver
diff --git a/sechub-solution/helm/sechub-server/Chart.yaml b/sechub-solution/helm/sechub-server/Chart.yaml
index 7438f7c508..4601374265 100644
--- a/sechub-solution/helm/sechub-server/Chart.yaml
+++ b/sechub-solution/helm/sechub-server/Chart.yaml
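Review bot: `image.tag: "latest"` pins nothing, so a pod restart or redeploy can pull a different PDS/KICS build than the one that was reviewed; defaulting the tag to a released version (or documenting that operators must override it, with a digest for production) makes the deployed scanner reproducible. `users.technical.apiToken` and `users.admin.apiToken` default to `""` and the deployment template accepts that silently; a comment `# required - the chart does not validate this value` on both keys is the minimum, failing the render via `required` in the template is better. `storage.s3.endpoint: "https://:"` looks like a value but is a placeholder; `""` plus a comment naming the expected form reads more honestly and cannot be mistaken for a working default.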
@@ -14,4 +14,5 @@ maintainers:
 # This is the chart version.
 # This version number should be incremented each time you make changes to the chart and its templates.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.2.0
+
+version: 1.3.0
\ No newline at end of file
diff --git a/sechub-solution/helm/sechub-server/templates/deployment.yaml b/sechub-solution/helm/sechub-server/templates/deployment.yaml
index c23f67a7d0..35933f4548 100644
--- a/sechub-solution/helm/sechub-server/templates/deployment.yaml
+++ b/sechub-solution/helm/sechub-server/templates/deployment.yaml
@@ -414,6 +414,21 @@ spec:
 name: secret-pds-gosec
 key: techuser_password
 {{- end }}
+{{- if .Values.pdsIaC.enabled }}
+# ----------------------------------------------------------------------------------------------#
+# - Scope: PDS-IaC
+# --------------------------------------------------------------------------------------------- #
+ - name: SECHUB_PDS_IAC_USERID
+ valueFrom:
+ secretKeyRef:
+ name: secret-pds-iac
+ key: techuser_username
+ - name: SECHUB_PDS_IAC_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: secret-pds-iac
+ key: techuser_password
+{{- end }}
 {{- if .Values.pdsLoc.enabled }}
 # ----------------------------------------------------------------------------------------------#
 # - Scope: PDS-Loc
diff --git a/sechub-solution/setup-pds/executors/kics.json b/sechub-solution/setup-pds/executors/kics.json
new file mode 100644
index 0000000000..cc3957bdd4
--- /dev/null
+++ b/sechub-solution/setup-pds/executors/kics.json
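Review bot: The new PDS-IaC scope reads `techuser_username` and `techuser_password` from a Secret named `secret-pds-iac` that nothing in this patch creates, and the template does not say where it is expected to come from; the neighbouring scopes (`secret-pds-gosec` in the context lines) presumably follow the same operator-provided convention, but a reader of this block cannot tell. A comment at the top of the scope, `# Secret secret-pds-iac (keys techuser_username, techuser_password) must be created by the operator, see <placeholder: docs section>`, would close that gap. The enclosing container `env` list starts and ends outside the hunk.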
@@ -0,0 +1,39 @@
+{
+ "name": "pds-kics",
+ "productIdentifier": "PDS_CODESCAN",
+ "executorVersion": 1,
+ "enabled": true,
+ "setup": {
+ "baseURL": "https://pds-iac:8444",
+ "credentials": {
+ "user": "techuser",
+ "password": "pds-apitoken"
+ },
+ "jobParameters": [
+ {
+ "key": "pds.config.productidentifier",
+ "value": "PDS_KICS"
+ },
+ {
+ "key": "pds.config.use.sechub.storage",
+ "value": false
+ },
+ {
+ "key": "pds.mocking.disabled",
+ "value": true
+ },
+ {
+ "key": "sechub.productexecutor.pds.timeout.minutes",
+ "value": 60
+ },
+ {
+ "key": "sechub.productexecutor.pds.timetowait.nextcheck.milliseconds",
+ "value": 500
+ },
+ {
+ "key": "sechub.productexecutor.pds.trustall.certificates",
+ "value": true
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/sechub-solution/setup-pds/setup-kics.sh b/sechub-solution/setup-pds/setup-kics.sh
new file mode 100755
index 0000000000..36fd204079
--- /dev/null
+++ b/sechub-solution/setup-pds/setup-kics.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: MIT
+
+declare -r SCRIPT_PARAMETERS=" "
+
+cd $(dirname "$0")
+source 8900-helper.sh
+source 8901-check-setup.sh
+
+check_sechub_server_setup "$0" "$SCRIPT_PARAMETERS"
+
+user="kicsuser"
+project="test-kics"
+executor_file_name="kics"
+profile="pds-kics"
+
+setup_project_user_executor_profile "$project" "$user" "$executor_file_name" "$profile"
+
+setup_complete_message_for_tool "kics" "$user" "$project"
From adae0f558102bc32f967cd87776c727c72903ac4 Mon Sep 17 00:00:00 2001
From: haerter-tss <98736006+haerter-tss@users.noreply.github.com>
Date: Fri, 22 Dec 2023 10:31:42 +0100
Subject: [PATCH 07/16] Fixed typo in deployment.yaml (#2777)
---
 sechub-pds-solutions/iac/helm/pds-iac/templates/deployment.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sechub-pds-solutions/iac/helm/pds-iac/templates/deployment.yaml b/sechub-pds-solutions/iac/helm/pds-iac/templates/deployment.yaml
index a67df5db0e..b3b207fa89 100644
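Review bot: `sechub.productexecutor.pds.trustall.certificates: true` by its name makes the SecHub server accept any certificate presented at `https://pds-iac:8444`, so the TLS channel that carries the `techuser` credential is encrypted but not authenticated; that is presumably intended for the local docker-compose setup this file lives in, but the executor definition itself gives no hint that it must not be copied into a real environment. JSON has no comments, so the right place is the setup-pds README or the completion message printed by the setup script, e.g. `executor uses trustall.certificates=true - local test setup only`. `"password": "pds-apitoken"` is presumably a placeholder replaced by the setup helpers; if it is a literal default, the same warning applies.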
--- a/sechub-pds-solutions/iac/helm/pds-iac/templates/deployment.yaml
+++ b/sechub-pds-solutions/iac/helm/pds-iac/templates/deployment.yaml
@@ -3,7 +3,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: {{ .Chart.Nme }}
+ name: {{ .Chart.Name }}
 labels:
 name: {{ .Chart.Name }}
 spec:
From 244392f433ae1250f6eeddf3b399634eedc5a31e Mon Sep 17 00:00:00 2001
From: Sven Dolderer
Date: Fri, 22 Dec 2023 12:48:10 +0100
Subject: [PATCH 08/16] docker build extended #2762
- builder stages introduced
- options: copy + download
- obsolete jdk install removed (java is already installed)
- BUILDER_BASE_IMAGE made configurable
---
 sechub-pds-solutions/xray/10-create-image.sh | 17 +++-
 .../xray/docker/Xray-Debian.dockerfile | 93 +++++++++++++++----
 .../xray/docker/copy/README.adoc | 2 +
 sechub-pds-solutions/xray/env | 10 ++
 4 files changed, 101 insertions(+), 21 deletions(-)
 create mode 100644 sechub-pds-solutions/xray/docker/copy/README.adoc
diff --git a/sechub-pds-solutions/xray/10-create-image.sh b/sechub-pds-solutions/xray/10-create-image.sh
index d6adc8b653..9a696a7fe3 100755
--- a/sechub-pds-solutions/xray/10-create-image.sh
+++ b/sechub-pds-solutions/xray/10-create-image.sh
@@ -7,6 +7,8 @@ REGISTRY="$1"
 VERSION="$2"
 BASE_IMAGE="$3"
+DEFAULT_BUILD_TYPE=download
+
 usage() { cat - < with tag . Required: ; for example ghcr.io/mercedes-benz/sechub/pds-base Additionally these environment variables can be defined:
-- XRAY_WRAPPER_VERSION - xray version to use. E.g. 2.9.5
+- BUILD_TYPE - The build type of the Checkmarx-Wrapper. Defaults to "$DEFAULT_BUILD_TYPE"
+- BUILDER_BASE_IMAGE - Base image for the build containers (see dockerfile)
+- XRAY_WRAPPER_VERSION - xray wrapper version to use. E.g. 1.0.0
 EOF
 }
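Review bot: The new usage line describes `BUILD_TYPE` as "The build type of the Checkmarx-Wrapper", but this is the Xray image build script; the wording was evidently carried over from the Checkmarx solution. Change it to `- BUILD_TYPE - The build type of the Xray-Wrapper (copy or download). Defaults to "$DEFAULT_BUILD_TYPE"`, which also tells the user the only two values the Dockerfile's builder stages accept. The `usage()` context lines appear garbled by the page rendering, so the exact surrounding text could not be checked.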
@@ -44,6 +48,17 @@ fi
 BUILD_ARGS="--build-arg BASE_IMAGE=$BASE_IMAGE"
 echo ">> Base image: $BASE_IMAGE"
+if [[ -z "$BUILD_TYPE" ]] ; then
+ BUILD_TYPE="$DEFAULT_BUILD_TYPE"
+fi
+BUILD_ARGS+=" --build-arg BUILD_TYPE=$BUILD_TYPE"
+echo ">> - Build type: $BUILD_TYPE"
+
+if [[ ! -z "$BUILDER_BASE_IMAGE" ]] ; then
+ BUILD_ARGS+=" --build-arg BUILDER_BASE_IMAGE=$BUILDER_BASE_IMAGE"
+ echo ">> - Builder base image: $BUILDER_BASE_IMAGE"
+fi
+
 if [[ ! -z "$XRAY_WRAPPER_VERSION" ]] ; then
 echo ">> Xray version: $XRAY_WRAPPER_VERSION"
 BUILD_ARGS="$BUILD_ARGS --build-arg XRAY_WRAPPER_VERSION=$XRAY_WRAPPER_VERSION"
diff --git a/sechub-pds-solutions/xray/docker/Xray-Debian.dockerfile b/sechub-pds-solutions/xray/docker/Xray-Debian.dockerfile
index 97cb5a3b7d..570c8447ff 100644
--- a/sechub-pds-solutions/xray/docker/Xray-Debian.dockerfile
+++ b/sechub-pds-solutions/xray/docker/Xray-Debian.dockerfile
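Review bot: `BUILD_TYPE` is handed to docker unvalidated; the Dockerfile resolves `FROM builder-${BUILD_TYPE}`, so a typo such as `BUILD_TYPE=downlaod` fails inside the build with an unresolved-stage error instead of at the script. After the default is applied, check it: `if [[ "$BUILD_TYPE" != "copy" && "$BUILD_TYPE" != "download" ]] ; then echo "BUILD_TYPE must be copy or download" ; exit 1 ; fi`. The hunk also mixes `BUILD_ARGS+=` with the pre-existing `BUILD_ARGS="$BUILD_ARGS ..."` form three lines below; either is fine, but one style per script reads better.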
@@ -2,20 +2,83 @@ # The image argument needs to be placed on top ARG BASE_IMAGE -FROM ${BASE_IMAGE} -# The remaining arguments need to be placed after the `FROM` -# See: https://ryandaniels.ca/blog/docker-dockerfile-arg-from-arg-trouble/ +# Build Args +# Build type can be "copy" or "download" +ARG BUILD_TYPE +ARG XRAY_WRAPPER_VERSION="1.0.0" + +# The base image of the builder +ARG BUILDER_BASE_IMAGE="debian:12-slim" +ARG ARTIFACT_FOLDER="/artifacts" + + +#------------------- +# Builder Download +#------------------- +# (downloads a released Xray-Wrapper jar) + +FROM ${BUILDER_BASE_IMAGE} AS builder-download + +ARG ARTIFACT_FOLDER +ARG XRAY_WRAPPER_VERSION + +RUN mkdir --parent "$ARTIFACT_FOLDER" + +RUN export DEBIAN_FRONTEND=noninteractive && \ + apt-get update && \ + apt-get install --assume-yes wget && \ + apt-get clean + +# Download the Xray Wrapper +RUN cd "$ARTIFACT_FOLDER" && \ + # download wrapper jar + wget --no-verbose "https://github.com/mercedes-benz/sechub/releases/download/v$XRAY_WRAPPER_VERSION-xray-wrapper/sechub-pds-wrapper-xray-$XRAY_WRAPPER_VERSION.jar" && \ + # download checksum file + wget --no-verbose "https://github.com/mercedes-benz/sechub/releases/download/v$XRAY_WRAPPER_VERSION-xray-wrapper/sechub-pds-wrapper-xray-$XRAY_WRAPPER_VERSION.jar.sha256sum" && \ + # verify the checksum + sha256sum --check "sechub-pds-wrapper-xray-$XRAY_WRAPPER_VERSION.jar.sha256sum" + + +#------------------- +# Builder Copy Jar +#------------------- +# (copies the Xray-Wrapper jar from local subdirectory "copy") + +FROM ${BUILDER_BASE_IMAGE} AS builder-copy + +ARG ARTIFACT_FOLDER +ARG XRAY_WRAPPER_VERSION + +RUN mkdir --parent "$ARTIFACT_FOLDER" + +# Copy +COPY copy/sechub-pds-wrapper-xray-$XRAY_WRAPPER_VERSION.jar "$ARTIFACT_FOLDER" + + +#------------------- +# Builder +#------------------- + +FROM builder-${BUILD_TYPE} as builder +RUN echo "build stage" + + +#------------------- +# PDS + Xray Image +#------------------- + +FROM ${BASE_IMAGE} LABEL 
org.opencontainers.image.source="https://github.com/mercedes-benz/sechub" LABEL org.opencontainers.image.title="SecHub Xray+PDS Image" LABEL org.opencontainers.image.description="A container which combines Xray Wrapper with the SecHub Product Delegation Server (PDS)" LABEL maintainer="SecHub FOSS Team" -USER root +ARG ARTIFACT_FOLDER +ARG XRAY_WRAPPER_VERSION -# Build Args -ARG XRAY_WRAPPER_VERSION="0.0.0" +USER root # Copy mock folder COPY mocks "$MOCK_FOLDER" @@ -30,22 +93,12 @@ COPY pds-config.json "$PDS_FOLDER/pds-config.json" RUN export DEBIAN_FRONTEND=noninteractive && \ apt-get update && \ apt-get --assume-yes upgrade && \ - apt-get --assume-yes install openjdk-17-jre wget skopeo jq && \ + apt-get --assume-yes install wget skopeo jq && \ apt-get --assume-yes clean -# TODO: Install SecHub XRAY wrapper from github - #RUN cd "$TOOL_FOLDER" && \ - # # download checksum file - # wget --no-verbose "https://github.com/mercedes-benz/sechub/releases/download/v$Xlink" && \ - # # download wrapper jar - # wget --no-verbose "https://github.com/mercedes-benz/sechub/releases/download/v$link" && \ - # # verify that the checksum and the checksum of the file are same - # sha256sum --check sechub-pds-wrapperxray-$XRAY_WRAPPER_VERSION.jar.sha256sum && \ - # ln -s sechub-pds-wrapperxray-$XRAY_WRAPPER_VERSION.jar wrapperxray.jar - -# workaround until release -COPY sechub-pds-wrapper-xray-$XRAY_WRAPPER_VERSION.jar "$TOOL_FOLDER/sechub-pds-wrapper-xray-$XRAY_WRAPPER_VERSION.jar" -RUN ln -s "$TOOL_FOLDER/sechub-pds-wrapper-xray-$XRAY_WRAPPER_VERSION.jar" "$TOOL_FOLDER/wrapper-xray.jar" +# Copy Xray-Wrapper jar from builder +COPY --from=builder "$ARTIFACT_FOLDER" "$TOOL_FOLDER" +RUN ln -s "sechub-pds-wrapper-xray-$XRAY_WRAPPER_VERSION.jar" "$TOOL_FOLDER/wrapper-xray.jar" # Set workspace WORKDIR "$WORKSPACE" diff --git a/sechub-pds-solutions/xray/docker/copy/README.adoc b/sechub-pds-solutions/xray/docker/copy/README.adoc new file mode 100644 index 0000000000..baa59a03b3 --- /dev/null 
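Review bot: In the `builder-download` stage the jar and its `.sha256sum` are fetched from the same GitHub release URL, so `sha256sum --check` catches a truncated or corrupted download but not a replaced release asset; a comment stating that limitation, or comparing against a digest kept in this repository, would make the trust boundary explicit. `ARG BUILD_TYPE` is declared without a default, so a plain `docker build` that bypasses 10-create-image.sh will likely fail at `FROM builder-${BUILD_TYPE}` with an unhelpful error; `ARG BUILD_TYPE="download"` would mirror `DEFAULT_BUILD_TYPE` in the script. `BUILDER_BASE_IMAGE="debian:12-slim"` is a floating tag, so two builds of the same wrapper version can get different builder contents; pinning `debian:12-slim@sha256:…` (or documenting why not) is worth considering. The `builder-copy` stage takes whatever jar is in `copy/` with no verification, which is reasonable for local builds but deserves a one-line comment such as `# no checksum check: a locally supplied jar is trusted as-is`.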
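Review bot: The runtime stage still installs `wget` even though downloading the wrapper moved to the builder stage, so unless a PDS script or the wrapper needs it at run time (not visible here) it could be dropped from `apt-get --assume-yes install wget skopeo jq` to shrink the image and its attack surface. The `ln -s` target is relative to `$TOOL_FOLDER`, which works because `COPY --from=builder` places the jar in that same directory, but a missing or differently named jar would leave a dangling link that only surfaces when the wrapper is first started; `RUN test -f "$TOOL_FOLDER/sechub-pds-wrapper-xray-$XRAY_WRAPPER_VERSION.jar" && ln -s …` fails the build instead. The remainder of this stage continues below the hunk.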
+++ b/sechub-pds-solutions/xray/docker/copy/README.adoc @@ -0,0 +1,2 @@ +// SPDX-License-Identifier: MIT +Place a single Xray-Wrapper Jar into this folder. diff --git a/sechub-pds-solutions/xray/env b/sechub-pds-solutions/xray/env index d8b1101c08..ec7da32d29 100644 --- a/sechub-pds-solutions/xray/env +++ b/sechub-pds-solutions/xray/env @@ -5,3 +5,13 @@ XRAY_ARTIFACTORY=change-me XRAY_DOCKER_REGISTRY=change-me XRAY_USERNAME=change-me XRAY_PASSWORD=change-me + +# The build type of the Xray-Wrapper +# Possible values are: +# - copy (copies jar into container) +# - download (downloads the jar from github.com releases) +BUILD_TYPE=download + +# The Xray Wrapper version to use +# See: https://github.com/mercedes-benz/sechub/releases +XRAY_WRAPPER_VERSION="1.0.0" From 647330d2e665bd4df542a9b5645e8f25b823a845 Mon Sep 17 00:00:00 2001 From: Sven Dolderer Date: Fri, 22 Dec 2023 12:56:55 +0100 Subject: [PATCH 09/16] added pds-xray to image build scripts #2762 --- .../workflows/_build+publish-pds-solution.yml | 1 + .../build+publish-all-pds-solutions.yml | 6 ++++++ .../xray/09-compute-image-tag.sh | 19 +++++++++++++++++++ 3 files changed, 26 insertions(+) create mode 100755 sechub-pds-solutions/xray/09-compute-image-tag.sh diff --git a/.github/workflows/_build+publish-pds-solution.yml b/.github/workflows/_build+publish-pds-solution.yml index 444e543f7a..84d62b692a 100644 --- a/.github/workflows/_build+publish-pds-solution.yml +++ b/.github/workflows/_build+publish-pds-solution.yml @@ -70,6 +70,7 @@ jobs: export SCANCODE_VERSION export SPDX_TOOL_VERSION export TERN_VERSION + export XRAY_WRAPPER_VERSION export DOCKER_REGISTRY="${ACTIONS_SECHUB_REGISTRY}/pds-${PDS_SOLUTION}" export VERSION_TAG=`./09-compute-image-tag.sh ${PDS_VERSION}` export BASE_IMAGE="${ACTIONS_SECHUB_REGISTRY}/pds-base:${PDS_VERSION}" diff --git a/.github/workflows/build+publish-all-pds-solutions.yml b/.github/workflows/build+publish-all-pds-solutions.yml index 1a2a754c70..370786f06c 100644 
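Review bot: `XRAY_WRAPPER_VERSION="1.0.0"` is the only quoted value in this env file (the `XRAY_*` lines above it are bare), and whether the quotes survive depends on how the file is consumed: a shell `source` strips them, while some `env_file`/dotenv readers keep them, which would turn the download URL into `.../v"1.0.0"-xray-wrapper/...` and corrupt the tag computed in 09-compute-image-tag.sh. Using the same bare form as the neighbouring lines, `XRAY_WRAPPER_VERSION=1.0.0`, avoids the question entirely. How this file is loaded is not visible in the hunk, so treat the breakage as possible rather than confirmed.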
--- a/.github/workflows/build+publish-all-pds-solutions.yml +++ b/.github/workflows/build+publish-all-pds-solutions.yml @@ -74,3 +74,9 @@ jobs: with: pds-solution: tern pds-version: ${{ inputs.pds-version }} + + call_build_pds-xray: + uses: mercedes-benz/sechub/.github/workflows/_build+publish-pds-solution.yml@develop + with: + pds-solution: xray + pds-version: ${{ inputs.pds-version }} diff --git a/sechub-pds-solutions/xray/09-compute-image-tag.sh b/sechub-pds-solutions/xray/09-compute-image-tag.sh new file mode 100755 index 0000000000..5d5314d72e --- /dev/null +++ b/sechub-pds-solutions/xray/09-compute-image-tag.sh @@ -0,0 +1,19 @@ +#!/bin/bash +# SPDX-License-Identifier: MIT + +# Compute image version tag for container image +# 1st argument is the pds-base version + +VERSION_TAG="" +if [ -n "$1" ]; then + VERSION_TAG="$1" +else + # This should not happen, but in this case we just use the current date + VERSION_TAG="`date +%Y-%m-%d`" +fi + +if [[ -n "$XRAY_WRAPPER_VERSION" ]] ; then + VERSION_TAG+="_$XRAY_WRAPPER_VERSION" +fi + +echo $VERSION_TAG From 7fc18b44f3c92843857b5a46828e002c0f8afebc Mon Sep 17 00:00:00 2001 From: Sven Dolderer Date: Fri, 22 Dec 2023 15:19:27 +0100 Subject: [PATCH 10/16] script for tag computing added #2779 --- .../iac/09-compute-image-tag.sh | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100755 sechub-pds-solutions/iac/09-compute-image-tag.sh diff --git a/sechub-pds-solutions/iac/09-compute-image-tag.sh b/sechub-pds-solutions/iac/09-compute-image-tag.sh new file mode 100755 index 0000000000..1af78f6199 --- /dev/null +++ b/sechub-pds-solutions/iac/09-compute-image-tag.sh 
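Review bot: The new `call_build_pds-xray` job references the reusable workflow at `@develop`, so what actually runs is whatever is on that branch at dispatch time rather than the workflow version committed alongside this change; for a same-repository reusable workflow `uses: ./.github/workflows/_build+publish-pds-solution.yml` runs the checked-out revision instead. This mirrors the existing jobs in the file, so it is a pre-existing pattern rather than a regression, but a new job is a chance not to extend it. The remaining jobs of this workflow are outside the hunk.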
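Review bot: `echo $VERSION_TAG` is unquoted and `XRAY_WRAPPER_VERSION` is appended verbatim, so a value containing whitespace or quotes (for example if the env file's quoted `"1.0.0"` reaches this script unstripped) produces a split or invalid image tag that only fails at push time; `echo "$VERSION_TAG"` plus a check such as `[[ "$XRAY_WRAPPER_VERSION" =~ ^[A-Za-z0-9_.-]+$ ]] || exit 1` keeps the tag well-formed. The backtick substitution would also read better as `$(date +%Y-%m-%d)`, matching modern shell style.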
@@ -0,0 +1,18 @@ +#!/bin/bash +# SPDX-License-Identifier: MIT + +# Compute image version tag for container image +# 1st argument is the pds-base version + +VERSION_TAG="" +if [ -n "$1" ]; then + VERSION_TAG="$1" +else + # This should not happen, but in this case we just use the current date + VERSION_TAG="`date +%Y-%m-%d`" +fi + +# Use date of build, because there are multiple tools contained +VERSION_TAG+="_`date +%Y%m%d`" + +echo $VERSION_TAG From 250d7ba6ff8a0755c743de74e1151fcc4db52bec Mon Sep 17 00:00:00 2001 From: Sven Dolderer Date: Fri, 22 Dec 2023 15:23:00 +0100 Subject: [PATCH 11/16] added pds-iac build #2779 --- .../build+publish-all-pds-solutions.yml | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build+publish-all-pds-solutions.yml b/.github/workflows/build+publish-all-pds-solutions.yml index 370786f06c..edde06f975 100644 --- a/.github/workflows/build+publish-all-pds-solutions.yml +++ b/.github/workflows/build+publish-all-pds-solutions.yml @@ -20,12 +20,6 @@ jobs: pds-solution: checkmarx pds-version: ${{ inputs.pds-version }} - call_build_pds-loc: - uses: mercedes-benz/sechub/.github/workflows/_build+publish-pds-solution.yml@develop - with: - pds-solution: loc - pds-version: ${{ inputs.pds-version }} - # 2023-06-12: findsecuritybugs deactivated due to upstream fix is not yet released # call_build_pds-findsecuritybugs: # uses: mercedes-benz/sechub/.github/workflows/_build+publish-pds-solution.yml@develop 
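Review bot: When `$1` is missing the fallback sets `VERSION_TAG` to today's date and the unconditional date suffix on the next statement then appends the date a second time, producing a tag that consists of the date twice; since the comment already says this case "should not happen", failing loudly is safer than publishing an odd tag: `echo "pds-base version argument missing" >&2; exit 1`. As in the sibling scripts, `echo $VERSION_TAG` should be quoted as `echo "$VERSION_TAG"` and the backticks replaced with `$(date +%Y%m%d)`.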
@@ -45,6 +39,18 @@ jobs: pds-solution: gosec pds-version: ${{ inputs.pds-version }} + call_build_pds-iac: + uses: mercedes-benz/sechub/.github/workflows/_build+publish-pds-solution.yml@develop + with: + pds-solution: iac + pds-version: ${{ inputs.pds-version }} + + call_build_pds-loc: + uses: mercedes-benz/sechub/.github/workflows/_build+publish-pds-solution.yml@develop + with: + pds-solution: loc + pds-version: ${{ inputs.pds-version }} + call_build_pds-multi: uses: mercedes-benz/sechub/.github/workflows/_build+publish-pds-solution.yml@develop with: From d417204ee6309176cdf644e5ec5a30ec86af8575 Mon Sep 17 00:00:00 2001 From: Sven Dolderer Date: Fri, 22 Dec 2023 15:26:04 +0100 Subject: [PATCH 12/16] make date more readable #2779 --- sechub-pds-solutions/iac/09-compute-image-tag.sh | 2 +- sechub-pds-solutions/loc/09-compute-image-tag.sh | 2 +- sechub-pds-solutions/multi/09-compute-image-tag.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/sechub-pds-solutions/iac/09-compute-image-tag.sh b/sechub-pds-solutions/iac/09-compute-image-tag.sh index 1af78f6199..503eff7642 100755 --- a/sechub-pds-solutions/iac/09-compute-image-tag.sh +++ b/sechub-pds-solutions/iac/09-compute-image-tag.sh @@ -13,6 +13,6 @@ else fi # Use date of build, because there are multiple tools contained -VERSION_TAG+="_`date +%Y%m%d`" +VERSION_TAG+="_`date +%Y-%m-%d`" echo $VERSION_TAG diff --git a/sechub-pds-solutions/loc/09-compute-image-tag.sh b/sechub-pds-solutions/loc/09-compute-image-tag.sh index 1af78f6199..503eff7642 100755 --- a/sechub-pds-solutions/loc/09-compute-image-tag.sh +++ b/sechub-pds-solutions/loc/09-compute-image-tag.sh @@ -13,6 +13,6 @@ else fi # Use date of build, because there are multiple tools contained -VERSION_TAG+="_`date +%Y%m%d`" +VERSION_TAG+="_`date +%Y-%m-%d`" echo $VERSION_TAG diff --git a/sechub-pds-solutions/multi/09-compute-image-tag.sh b/sechub-pds-solutions/multi/09-compute-image-tag.sh index 1af78f6199..503eff7642 100755 
--- a/sechub-pds-solutions/multi/09-compute-image-tag.sh +++ b/sechub-pds-solutions/multi/09-compute-image-tag.sh @@ -13,6 +13,6 @@ else fi # Use date of build, because there are multiple tools contained -VERSION_TAG+="_`date +%Y%m%d`" +VERSION_TAG+="_`date +%Y-%m-%d`" echo $VERSION_TAG From f717cd70b62d4a9d4731de18064757b747da7e35 Mon Sep 17 00:00:00 2001 From: Sven Dolderer Date: Wed, 3 Jan 2024 10:35:05 +0100 Subject: [PATCH 13/16] switch from tag checksum for actions/upload-artifact --- .github/workflows/gradle.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml index 4f3b4f4e16..15369e0899 100644 --- a/.github/workflows/gradle.yml +++ b/.github/workflows/gradle.yml @@ -118,12 +118,12 @@ jobs: - name: Archive sechub integration test report artifacts if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: name: sechub-integrationtest-test-reports path: sechub-integrationtest/build/sechub-test-reports retention-days: 14 - + - name: Archive openAPI3 JSON files uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 with: From 7173ea10b0a4cdd22097c65e568e3eac85040388 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 3 Jan 2024 09:44:11 +0000 Subject: [PATCH 14/16] Bump actions/setup-go from 4.1.0 to 5.0.0 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.1.0 to 5.0.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/93397bea11091df50f3d7e59dc26a7711a8bcfbe...0c52d547c9bc32b1aa3301fd7a9cb496313a4491) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-major ... 
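Review bot: Pinning to the commit SHA is the right move, but without a trailing version comment nobody reading the workflow can tell which release `c7d193f32edcb7bfad88892161225aeda64e9392` corresponds to, and Dependabot keeps such a comment in sync when it bumps the SHA; `uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.x.y` (with the exact release the SHA belongs to) documents it. The hunk also touches a whitespace-only line, which is harmless but unrelated to the pin.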
Signed-off-by: dependabot[bot] --- .github/workflows/documentation-build.yml | 2 +- .github/workflows/gradle.yml | 2 +- .github/workflows/release-client-server-pds.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/documentation-build.yml b/.github/workflows/documentation-build.yml index 4f7a5a46cb..cdad13549c 100644 --- a/.github/workflows/documentation-build.yml +++ b/.github/workflows/documentation-build.yml @@ -48,7 +48,7 @@ jobs: cache-read-only: false - name: Set up Go - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 with: go-version: 1.20.4 diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml index e5bce5edd7..1de6f5d33b 100644 --- a/.github/workflows/gradle.yml +++ b/.github/workflows/gradle.yml @@ -33,7 +33,7 @@ jobs: cache-read-only: false - name: Set up Go - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 with: go-version: 1.20.4 diff --git a/.github/workflows/release-client-server-pds.yml b/.github/workflows/release-client-server-pds.yml index cf84905202..074ee80d42 100644 --- a/.github/workflows/release-client-server-pds.yml +++ b/.github/workflows/release-client-server-pds.yml @@ -99,7 +99,7 @@ jobs: cache-read-only: false - name: Set up Go - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 with: go-version: 1.20.4 From 88de82041a8b44dfe2320fc483a03ea39b05501f Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 3 Jan 2024 09:47:00 +0000 Subject: [PATCH 15/16] Bump actions/setup-java from 3.13.0 to 4.0.0 Bumps [actions/setup-java](https://github.com/actions/setup-java) from 3.13.0 to 4.0.0. - [Release notes](https://github.com/actions/setup-java/releases) - [Commits](https://github.com/actions/setup-java/compare/0ab4596768b603586c0de567f2430c30f5b0d2b0...387ac29b308b003ca37ba93a6cab5eb57c8f5f93) --- updated-dependencies: - dependency-name: actions/setup-java dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/documentation-build.yml | 2 +- .github/workflows/gradle.yml | 2 +- .github/workflows/publish-libraries.yml | 2 +- .github/workflows/release-client-server-pds.yml | 2 +- .github/workflows/release-pds-tools.yml | 2 +- .github/workflows/release-wrapper-checkmarx.yml | 2 +- .github/workflows/release-wrapper-owaspzap.yml | 2 +- .github/workflows/release-wrapper-xray.yml | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/documentation-build.yml b/.github/workflows/documentation-build.yml index 4f7a5a46cb..1fb6982454 100644 --- a/.github/workflows/documentation-build.yml +++ b/.github/workflows/documentation-build.yml @@ -37,7 +37,7 @@ jobs: fetch-depth: 0 - name: Set up JDK 17 - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 with: java-version: 17 distribution: temurin diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml index e5bce5edd7..7eb27afb84 100644 --- a/.github/workflows/gradle.yml +++ b/.github/workflows/gradle.yml 
@@ -22,7 +22,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - name: Set up JDK 17 - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 with: java-version: 17 distribution: temurin diff --git a/.github/workflows/publish-libraries.yml b/.github/workflows/publish-libraries.yml index bfe265555a..afc20e038b 100644 --- a/.github/workflows/publish-libraries.yml +++ b/.github/workflows/publish-libraries.yml @@ -28,7 +28,7 @@ jobs: # Build - name: Set up JDK 17 - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 with: java-version: 17 distribution: temurin diff --git a/.github/workflows/release-client-server-pds.yml b/.github/workflows/release-client-server-pds.yml index cf84905202..77ad071ebd 100644 --- a/.github/workflows/release-client-server-pds.yml +++ b/.github/workflows/release-client-server-pds.yml @@ -88,7 +88,7 @@ jobs: # Setup + Caching # ---------------------- - name: Set up JDK 17 - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 with: java-version: 17 distribution: temurin diff --git a/.github/workflows/release-pds-tools.yml b/.github/workflows/release-pds-tools.yml index 4037265a93..c42b4980f9 100644 --- a/.github/workflows/release-pds-tools.yml +++ b/.github/workflows/release-pds-tools.yml @@ -46,7 +46,7 @@ jobs: # Setup + Caching # ---------------------- - name: Set up JDK 17 - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 with: java-version: 17 distribution: temurin diff --git a/.github/workflows/release-wrapper-checkmarx.yml b/.github/workflows/release-wrapper-checkmarx.yml index 20975b9662..d8cc15978d 100644 --- a/.github/workflows/release-wrapper-checkmarx.yml 
+++ b/.github/workflows/release-wrapper-checkmarx.yml @@ -36,7 +36,7 @@ jobs: # Setup + Caching # ---------------------- - name: Set up JDK 17 - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 with: java-version: 17 distribution: temurin diff --git a/.github/workflows/release-wrapper-owaspzap.yml b/.github/workflows/release-wrapper-owaspzap.yml index cbc900b174..1b45a23172 100644 --- a/.github/workflows/release-wrapper-owaspzap.yml +++ b/.github/workflows/release-wrapper-owaspzap.yml @@ -37,7 +37,7 @@ jobs: # Setup + Caching # ---------------------- - name: Set up JDK 17 - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 with: java-version: 17 distribution: temurin diff --git a/.github/workflows/release-wrapper-xray.yml b/.github/workflows/release-wrapper-xray.yml index dab3b9bf47..f257d5e043 100644 --- a/.github/workflows/release-wrapper-xray.yml +++ b/.github/workflows/release-wrapper-xray.yml @@ -36,7 +36,7 @@ jobs: # Setup + Caching # ---------------------- - name: Set up JDK 17 - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 with: java-version: 17 distribution: temurin From ff2f6d14eaaf83b108510eccdeff05e486934437 Mon Sep 17 00:00:00 2001 
From: Jeeppler Date: Thu, 4 Jan 2024 10:23:15 +0100 Subject: [PATCH 16/16] New system tests for Kics and GitLeaks #2771 (#2783) * New system tests for Kics and GitLeaks #2771 - add wrong secrets and sanity check to GitLeaks test suite - add system tests for Kics #2771w * Changes from review #2771 --- .../gitleaks/tests/README.adoc | 14 +- .../gitleaks/tests/clone_repo.sh | 2 +- .../gitleaks/tests/copy_sanitycheck_files.sh | 16 + .../tests/sanity-check-testdata/my-readme.md | 35 ++ .../gitleaks/tests/systemtest_local.json | 300 +++++++++++------- sechub-pds-solutions/iac/tests/README.adoc | 14 + sechub-pds-solutions/iac/tests/clone_repo.sh | 22 ++ .../iac/tests/copy_sanitycheck_files.sh | 16 + .../tests/sanity-check-testdata/Dockerfile | 1 + .../iac/tests/systemtest_local_kics.json | 173 ++++++++++ 10 files changed, 482 insertions(+), 111 deletions(-) create mode 100755 sechub-pds-solutions/gitleaks/tests/copy_sanitycheck_files.sh create mode 100644 sechub-pds-solutions/gitleaks/tests/sanity-check-testdata/my-readme.md create mode 100644 sechub-pds-solutions/iac/tests/README.adoc create mode 100755 sechub-pds-solutions/iac/tests/clone_repo.sh create mode 100755 sechub-pds-solutions/iac/tests/copy_sanitycheck_files.sh create mode 100644 sechub-pds-solutions/iac/tests/sanity-check-testdata/Dockerfile create mode 100644 sechub-pds-solutions/iac/tests/systemtest_local_kics.json diff --git a/sechub-pds-solutions/gitleaks/tests/README.adoc b/sechub-pds-solutions/gitleaks/tests/README.adoc index d9e3caff7c..8e8148a50a 100644 --- a/sechub-pds-solutions/gitleaks/tests/README.adoc +++ b/sechub-pds-solutions/gitleaks/tests/README.adoc 
@@ -5,10 +5,18 @@ . Download `sechub-pds-tools-cli-x.y.z.jar` from the releases: https://github.com/mercedes-benz/sechub/releases/. . Copy `sechub-pds-tools-cli-x.y.z.jar` into this folder. -. Run system test +. Run system tests + -Example: +Run all tests example: + ---- -java -jar sechub-pds-tools-cli-1.1.0.jar systemtest --file systemtest_local.json --pds-solutions-rootfolder ../../ --sechub-solution-rootfolder ../../../sechub-solution +java -jar sechub-pds-tools-cli-1.2.0.jar systemtest --file systemtest_local.json --pds-solutions-rootfolder ../../ --sechub-solution-rootfolder ../../../sechub-solution ---- ++ +Run specific tests: ++ +---- +java -jar sechub-pds-tools-cli-1.2.0.jar systemtest --file systemtest_local.json --pds-solutions-rootfolder ../../ --sechub-solution-rootfolder ../../../sechub-solution --run-tests wrongsecrets +---- + + diff --git a/sechub-pds-solutions/gitleaks/tests/clone_repo.sh b/sechub-pds-solutions/gitleaks/tests/clone_repo.sh index 54a98cc134..36c82494a4 100755 --- a/sechub-pds-solutions/gitleaks/tests/clone_repo.sh +++ b/sechub-pds-solutions/gitleaks/tests/clone_repo.sh @@ -13,7 +13,7 @@ fi if [[ -z "$vulnerable_repo" ]] then echo "No vulnerable application repository provided" - exit 1 + exit 2 fi cd "$current_test_folder" diff --git a/sechub-pds-solutions/gitleaks/tests/copy_sanitycheck_files.sh b/sechub-pds-solutions/gitleaks/tests/copy_sanitycheck_files.sh new file mode 100755 index 0000000000..6545959f07 --- /dev/null +++ b/sechub-pds-solutions/gitleaks/tests/copy_sanitycheck_files.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash +# SPDX-License-Identifier: MIT + +current_test_folder="$1" + +if [[ ! -d "$current_test_folder" ]] +then + echo "Target folder is empty" + exit 1 +fi + +cd `dirname $0` + +echo "copy sanity check testdata folder" +cp -r sanity-check-testdata/ "$current_test_folder/sanity-check" + 
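Review bot: In copy_sanitycheck_files.sh, `cd \`dirname $0\`` is unquoted and its result is not checked, so if the script path contains spaces or the `cd` fails, the following `cp -r sanity-check-testdata/ …` runs from the caller's working directory and either copies the wrong thing or fails with a less useful error; `cd "$(dirname "$0")" || exit 2` is the robust form. The first guard's message `Target folder is empty` is also misleading for a `! -d` test; `Target folder does not exist: $current_test_folder` says what was actually checked. The byte-identical script added for the iac solution has the same two issues.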
diff --git a/sechub-pds-solutions/gitleaks/tests/sanity-check-testdata/my-readme.md b/sechub-pds-solutions/gitleaks/tests/sanity-check-testdata/my-readme.md new file mode 100644 index 0000000000..6e67d3d66f --- /dev/null +++ b/sechub-pds-solutions/gitleaks/tests/sanity-check-testdata/my-readme.md 
@@ -0,0 +1,35 @@ +Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Et malesuada fames ac turpis egestas integer. Sapien et ligula ullamcorper malesuada. Lacus laoreet non curabitur gravida arcu ac tortor. myPassword="Mzc5OGFlZTMyOWFhOWY3NDZjMjY2YjliYTk5MmVlZGFkYTI2ODFiMjA0MGM0ZWQ4M2NmOWJkMjE4 +NjlhMmEwYzRkOTAzMmYxOWNhN2ZmZjkxMjM1ODA0MmNhYjRmZWE2YjAwYzBlNDBiNmM1N2Y3M2Uw" +NTFlYTVjMWYyMjAzMjUgIC0K Diam in arcu cursus euismod. Sem fringilla ut morbi tincidunt. Sed enim ut sem viverra. Cras sed felis eget velit aliquet sagittis id consectetur purus. Laoreet suspendisse interdum consectetur libero id faucibus nisl tincidunt eget. +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCm+uKpK6vB4RZx +KKi8u/JMixIjh7c1pCOdXEqTAIZ0//rNOIHGodeD8PtRejA+KpAM1IcY191G+x3y +vsZzwoXWq9dRBIB3pj0mzwveRUuLIr1cnA8Beb4tonh5+Z/L+HvwuVK45mhYOYyS +VPd3BeiMCRPFmWdGG0meJHn7wHJKeEYNLg8QLcVEUBe/dzmZ3KR5MVVERG2qofYC +5HzXtbmq9AVjHzYgoXc+r6oD/8XDqXnhLqlTfhWRn1TgE47SeCXoZfnqyFQBhQ1f +rGBR1xRhd9TIehFlGyPQv2AHTxfrLNhIIP72BIwZR+XW6jTJ3mucqmUmdFFAIJoF +KlFzW/ZlAgMBAAECggEADyo566NLtg/7Ocu3h2yKVOlMfG2W9ggyM9ht7WveykF1 +Ra4cGy4XpKP+LygpuXukGYYzvs3cCtZDoggxfdHs1dJFe9Ys1LEEXMHxEf65HanK +CN8jfb7QxtQ6nNlO6fdnSjWKjcBfOaQAYEnXL7gZpp4sbYXBG1zfEr29Vl/kAV9F +QevkrTkzHsjtf1DH2KvvKDEyHVQkmld2WRZe0kWVZ0uHs5fjRXtrJskMC65/YqCn +rxwxyjrGPxwZPrGR7DtaMY6htpyJ0Cac5Vqh8uEvtFc2iGEpSA6KtLOw/dPXYB93 +P4OkIQTgWf+gSIUi59a5AmVEfDaGxtT8QF4cCJ1/AQKBgQC7mL4whiOEseSikQyd +7FjSkn18B+UOe9jj7aAEao2J6UQQKIVahyun1PoIBi4ibT9Zn/GVh9FpQ89smRy/ +20jOEatp3+RE+EVajso790yX6g5xvZ3Kv13DMr+5B1kkfZvSOsrSyUKhesT4nVWq +S/2rrXoePNUR4NqDxgFqmy2tcwKBgQDj3a2FX3b3+HBvUkaD35bAhPeIyH2RfAeq +JTyPc9lnof3Dt92xC8DLMGkfuTyEUkimdV9yfK63k+eiTsHK7lscGco//TPeUX0S +pTRolvcbMkwEF5rUA67Olc88RJHxMWa6ZaR3rF7CwOvGVkAXsnP7acHfn4OXkmF7 +LYKE1bTWxwKBgQCeEsPX8X/GVXvZfC3MeJYTwXpZY/Gf9b25ucaHUh234sYGc46C +zLl9b1nMHyEKw1GJPNv9aveLIqeK063FAIrlkUAGM7GOaEFQYFeKlgSFUaUgNG3c 
+pMnmLEIfMFDuDaWaTQ4Q9aPem6uT7kd7+xJicggfqJTFvtmCBfu1j9K6fwKBgFdb +dBuutqhoSYqUC06hWGUkVNXOrz0oRLP5JJeGfXGai/QNuGMYs2fyfkrYNBgyh4Gx +e88jd8QPYv05nlgTO0CxrnULuGfh68ZLKaVzQvbdOIFVH1lqtAilLFbZnu3N16lc +MEpk/ctCNOHLzTSIiKh5Kgd2Wvev+clEcEZGu9afAoGAbYNkz04UgVz2S4iFjcxh +EAk9jSoebzkn3HgWyHPzPXkTLtqRl34WdbFne45blC1IXj6sHp9+alj8BAEUdHys +9SNUD3Sk4H3AzcFbo1gI9R7adFouDC6VdqMaquhaqZwDlSTritC9WJx6F8jdQlPl +AF+FBitzrTxC4BHuRMLzvbc= +-----END PRIVATE KEY----- +Augue interdum velit euismod in pellentesque massa placerat duis. Eu mi bibendum neque egestas congue quisque egestas diam in. Eget nunc lobortis mattis aliquam faucibus purus in massa. + +Password generated with: echo -n "mashed potato" | sha512sum - | base64 +Private key generated with: openssl genrsa 2048 \ No newline at end of file diff --git a/sechub-pds-solutions/gitleaks/tests/systemtest_local.json b/sechub-pds-solutions/gitleaks/tests/systemtest_local.json index e8f757c0b4..dcbfd75ea1 100644 --- a/sechub-pds-solutions/gitleaks/tests/systemtest_local.json +++ b/sechub-pds-solutions/gitleaks/tests/systemtest_local.json 
@@ -1,116 +1,202 @@ { - "setup": { - "local": { - "secHub": { - "admin": { - "userId": "admin", - "apiToken": "myTop$ecret!" - }, - "start": [ - { - "script": { - "path": "./01-start-single-docker-compose.sh" - } - } - ], - "configure": { - "executors": [ - { - "pdsProductId": "PDS_GITLEAKS", - "name": "system-test-gitleakes", - "parameters": { - "sechub.productexecutor.pds.adapter.resilience.retry.wait.milliseconds": 3000, - "sechub.productexecutor.pds.adapter.resilience.retry.max": 20, - "pds.config.use.sechub.storage": false - } - } - ] - }, - "stop": [ - { - "script": { - "path": "./01-stop-single-docker-compose.sh" - } - } - ] - }, - "pdsSolutions": [ - { - "name": "gitleaks", - "url": "https://pds-gitleaks:8444/", - "waitForAvailable": false, - "start": [ - { - "script": { - "path": "./05-start-single-sechub-network-docker-compose.sh" - } - } - ], - "stop": [ - { - "script": { - "path": "./05-stop-single-sechub-network-docker-compose.sh" - } - } - ], - "techUser": { - "userId": "techuser", - "apiToken": "pds-apitoken" - } + "setup": { + "local": { + "secHub": { + "start": [ + { + "script": { + "path": "./01-start-single-docker-compose.sh" + } + } + ], + "configure": { + "executors": [ + { + "pdsProductId": "PDS_GITLEAKS", + "name": "system-test-gitleakes", + "parameters": { + "sechub.productexecutor.pds.adapter.resilience.retry.wait.milliseconds": 3000, + "sechub.productexecutor.pds.adapter.resilience.retry.max": 20, + "pds.config.use.sechub.storage": false + } + } + ] + }, + "stop": [ + { + "script": { + "path": "./01-stop-single-docker-compose.sh" + } + } + ] + }, + "pdsSolutions": [ + { + "name": "gitleaks", + "url": "https://pds-gitleaks:8444/", + "waitForAvailable": false, + "start": [ + { + "script": { + "path": "./05-start-single-sechub-network-docker-compose.sh" + } + } + ], + "stop": [ + { + "script": { + "path": "./05-stop-single-sechub-network-docker-compose.sh" + } + } + ] + } + ] } - ] - } - }, - "tests": [ - { - "name": "unsafe-bank", - 
"prepare": [ + }, + "tests": [ { - "script": { - "arguments": [ - "${runtime.currentTestFolder}", - "https://github.com/lucideus-repo/UnSAFE_Bank" + "name": "sanity-check", + "comment": "This checks if the solution works at all. It is very fast. Can be used to test if system testframework has some problems at all.", + "prepare": [ + { + "script": { + "arguments": [ + "${runtime.currentTestFolder}" + ], + "path": "./copy_sanitycheck_files.sh" + } + } ], - "path": "./clone_repo.sh" - } - } - ], - "execute": { - "runSecHubJob": { - "uploads": [ - { - "sourceFolder": "UnSAFE_Bank", - "referenceId": "code" - } - ], - "secretScan": { - "use": [ - "code" + "execute": { + "runSecHubJob": { + "uploads": [ + { + "sourceFolder": "sanity-check", + "referenceId": "files" + } + ], + "secretScan": { + "use": [ + "files" + ] + } + } + }, + "assert": [ + { + "sechubResult": { + "hasTrafficLight": "YELLOW", + "containsStrings": { + "values": [ + "result", + "SUCCESS", + "jobUUID", + "reportVersion", + "MEDIUM", + "severity", + "my-readme.md" + ] + } + } + } ] - } - } - }, - "assert": [ + }, + { + "name": "wrongsecrets", + "prepare": [ + { + "script": { + "arguments": [ + "${runtime.currentTestFolder}", + "https://github.com/OWASP/wrongsecrets.git" + ], + "path": "./clone_repo.sh" + } + } + ], + "execute": { + "runSecHubJob": { + "uploads": [ + { + "sourceFolder": "wrongsecrets", + "referenceId": "application" + } + ], + "secretScan": { + "use": [ + "application" + ] + } + } + }, + "assert": [ + { + "sechubResult": { + "hasTrafficLight": "YELLOW", + "containsStrings": { + "values": [ + "result", + "SUCCESS", + "jobUUID", + "reportVersion", + "MEDIUM", + "severity", + "wrongsecrets/src/main/resources/application.properties" + ] + } + } + } + ] + }, { - "sechubResult": { - "hasTrafficLight": "YELLOW", - "containsStrings": { - "values": [ - "result", - "SUCCESS", - "jobUUID", - "reportVersion", - "MEDIUM", - "severity", - "UnSAFE_Bank/Backend/src/api/application/config/database.php" - ] 
+ "name": "unsafe-bank", + "prepare": [ + { + "script": { + "arguments": [ + "${runtime.currentTestFolder}", + "https://github.com/lucideus-repo/UnSAFE_Bank" + ], + "path": "./clone_repo.sh" + } + } + ], + "execute": { + "runSecHubJob": { + "uploads": [ + { + "sourceFolder": "UnSAFE_Bank", + "referenceId": "code" + } + ], + "secretScan": { + "use": [ + "code" + ] + } + } }, - "equalsFile": { - "path": "sechub-report-UnSAFE_Bank.json" - } - } + "assert": [ + { + "sechubResult": { + "hasTrafficLight": "YELLOW", + "containsStrings": { + "values": [ + "result", + "SUCCESS", + "jobUUID", + "reportVersion", + "MEDIUM", + "severity", + "UnSAFE_Bank/Backend/src/api/application/config/database.php" + ] + }, + "equalsFile": { + "path": "sechub-report-UnSAFE_Bank.json" + } + } + } + ] } - ] - } - ] + ] } \ No newline at end of file diff --git a/sechub-pds-solutions/iac/tests/README.adoc b/sechub-pds-solutions/iac/tests/README.adoc new file mode 100644 index 0000000000..3914faec29 --- /dev/null +++ b/sechub-pds-solutions/iac/tests/README.adoc @@ -0,0 +1,14 @@ +// SPDX-License-Identifier: MIT += System Tests + +== Steps + +. Download `sechub-pds-tools-cli-x.y.z.jar` from the releases: https://github.com/mercedes-benz/sechub/releases/. +. Copy `sechub-pds-tools-cli-x.y.z.jar` into this folder. +. Run system tests ++ +Run all system tests example: ++ +---- +java -jar sechub-pds-tools-cli-1.2.0.jar systemtest --file systemtest_local_kics.json --pds-solutions-rootfolder ../../ --sechub-solution-rootfolder ../../../sechub-solution +---- diff --git a/sechub-pds-solutions/iac/tests/clone_repo.sh b/sechub-pds-solutions/iac/tests/clone_repo.sh new file mode 100755 index 0000000000..36c82494a4 --- /dev/null +++ b/sechub-pds-solutions/iac/tests/clone_repo.sh 
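Review bot: The new `wrongsecrets` test clones `https://github.com/OWASP/wrongsecrets.git` with no tag or commit, so the assertion that `wrongsecrets/src/main/resources/application.properties` is reported, and the `YELLOW` traffic light, depend on whatever the upstream default branch contains on the day the test runs; the same applies to the `unsafe-bank` test. Passing a fixed ref (clone_repo.sh would need a third argument driving `git clone --branch <tag>` or a post-clone `git checkout <sha>`) makes the system test reproducible and bounds which third-party content reaches the test environment. A `"comment"` on each test naming the pinned revision would also help the next person who has to update the expected findings.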
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: MIT
+
+current_test_folder="$1"
+vulnerable_repo="$2"
+
+if [[ ! -d "$current_test_folder" ]]
+then
+    echo "Target folder is empty"
+    exit 1
+fi
+
+if [[ -z "$vulnerable_repo" ]]
+then
+    echo "No vulnerable application repository provided"
+    exit 2
+fi
+
+cd "$current_test_folder"
+
+echo "cloning: $vulnerable_repo"
+git clone "$vulnerable_repo"
\ No newline at end of file
diff --git a/sechub-pds-solutions/iac/tests/copy_sanitycheck_files.sh b/sechub-pds-solutions/iac/tests/copy_sanitycheck_files.sh
new file mode 100755
index 0000000000..6545959f07
--- /dev/null
+++ b/sechub-pds-solutions/iac/tests/copy_sanitycheck_files.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: MIT
+
+current_test_folder="$1"
+
+if [[ ! -d "$current_test_folder" ]]
+then
+    echo "Target folder is empty"
+    exit 1
+fi
+
+cd `dirname $0`
+
+echo "copy sanity check testdata folder"
+cp -r sanity-check-testdata/ "$current_test_folder/sanity-check"
+
diff --git a/sechub-pds-solutions/iac/tests/sanity-check-testdata/Dockerfile b/sechub-pds-solutions/iac/tests/sanity-check-testdata/Dockerfile
new file mode 100644
index 0000000000..c35f1b5f5e
--- /dev/null
+++ b/sechub-pds-solutions/iac/tests/sanity-check-testdata/Dockerfile
@@ -0,0 +1 @@
+FROM scratch
diff --git a/sechub-pds-solutions/iac/tests/systemtest_local_kics.json b/sechub-pds-solutions/iac/tests/systemtest_local_kics.json
new file mode 100644
index 0000000000..0201b1cde2
--- /dev/null
+++ b/sechub-pds-solutions/iac/tests/systemtest_local_kics.json
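Review bot: `git clone "$vulnerable_repo"` on the last line of clone_repo.sh fetches the default branch of a third-party repository at whatever commit it currently points to, so the fixtures that the asserts in systemtest_local_kics.json rely on (for example `terragoat/terraform/azure/sql.tf`) can move or vanish without any change in this repository, and the same applies to the secret-scan test that calls this script. Pinning the fixture — an optional third argument holding a known tag or commit, checked out right after the clone with `git -C <cloned dir> checkout "$3"` — makes a red run attributable to the scanner rather than to upstream. The unchecked `cd "$current_test_folder"` on the line before should be `cd "$current_test_folder" || exit 3`, otherwise a failed directory change clones into the caller's working directory. The message `Target folder is empty` is printed when the `! -d` test finds no directory at all; `Target folder does not exist` would match the check.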
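Review bot: In copy_sanitycheck_files.sh, `cd \`dirname $0\`` is unquoted and its result is not checked, so a script path containing whitespace or a failed directory change lets the following `cp -r sanity-check-testdata/ "$current_test_folder/sanity-check"` run against whatever the current directory happens to be and copy the wrong tree (or fail with a confusing cp error). Prefer `cd "$(dirname "$0")" || exit 2`. As in clone_repo.sh, the `Target folder is empty` message does not describe the `! -d` check; `Target folder does not exist` would.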
@@ -0,0 +1,173 @@
+{
+  "setup": {
+    "local": {
+      "secHub": {
+        "start": [
+          {
+            "script": {
+              "path": "./01-start-single-docker-compose.sh"
+            }
+          }
+        ],
+        "configure": {
+          "executors": [
+            {
+              "pdsProductId": "PDS_KICS",
+              "name": "system-test-codescan-gosec",
+              "parameters": {
+                "sechub.productexecutor.pds.adapter.resilience.retry.wait.milliseconds": 3000,
+                "sechub.productexecutor.pds.adapter.resilience.retry.max": 20,
+                "pds.config.use.sechub.storage": false
+              }
+            }
+          ]
+        },
+        "stop": [
+          {
+            "script": {
+              "path": "./01-stop-single-docker-compose.sh"
+            }
+          }
+        ]
+      },
+      "pdsSolutions": [
+        {
+          "name": "iac",
+          "url": "https://pds-iac:8444/",
+          "waitForAvailable": false,
+          "start": [
+            {
+              "script": {
+                "path": "./05-start-single-sechub-network-docker-compose.sh"
+              }
+            }
+          ],
+          "stop": [
+            {
+              "script": {
+                "path": "./05-stop-single-sechub-network-docker-compose.sh"
+              }
+            }
+          ]
+        }
+      ]
+    }
+  },
+  "tests": [
+    {
+      "name": "sanity-check",
+      "comment": "This checks if the solution works at all. It is very fast. Can be used to test if system testframework has some problems at all.",
+      "prepare": [
+        {
+          "script": {
+            "arguments": [
+              "${runtime.currentTestFolder}"
+            ],
+            "path": "./copy_sanitycheck_files.sh"
+          }
+        }
+      ],
+      "execute": {
+        "runSecHubJob": {
+          "uploads": [
+            {
+              "sourceFolder": "sanity-check"
+            }
+          ],
+          "codeScan": {}
+        }
+      },
+      "assert": [
+        {
+          "sechubResult": {
+            "hasTrafficLight": "GREEN"
+          }
+        }
+      ]
+    },
+    {
+      "name": "terragoat",
+      "prepare": [
+        {
+          "script": {
+            "arguments": [
+              "${runtime.currentTestFolder}",
+              "https://github.com/bridgecrewio/terragoat"
+            ],
+            "path": "./clone_repo.sh"
+          }
+        }
+      ],
+      "execute": {
+        "runSecHubJob": {
+          "uploads": [
+            {
+              "sourceFolder": "terragoat"
+            }
+          ],
+          "codeScan": {}
+        }
+      },
+      "assert": [
+        {
+          "sechubResult": {
+            "hasTrafficLight": "RED",
+            "containsStrings": {
+              "values": [
+                "result",
+                "SUCCESS",
+                "jobUUID",
+                "reportVersion",
+                "HIGH",
+                "severity",
+                "terragoat/terraform/azure/sql.tf"
+              ]
+            }
+          }
+        }
+      ]
+    },
+    {
+      "name": "wrongsecrets",
+      "prepare": [
+        {
+          "script": {
+            "arguments": [
+              "${runtime.currentTestFolder}",
+              "https://github.com/OWASP/wrongsecrets.git"
+            ],
+            "path": "./clone_repo.sh"
+          }
+        }
+      ],
+      "execute": {
+        "runSecHubJob": {
+          "uploads": [
+            {
+              "sourceFolder": "wrongsecrets"
+            }
+          ],
+          "codeScan": {}
+        }
+      },
+      "assert": [
+        {
+          "sechubResult": {
+            "hasTrafficLight": "RED",
+            "containsStrings": {
+              "values": [
+                "result",
+                "SUCCESS",
+                "jobUUID",
+                "reportVersion",
+                "HIGH",
+                "severity",
+                "wrongsecrets/okteto/k8s/secret-challenge-ctf-deployment.yml"
+              ]
+            }
+          }
+        }
+      ]
+    }
+  ]
+}
\ No newline at end of file
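Review bot: The executor registered with `"pdsProductId": "PDS_KICS"` is named `"system-test-codescan-gosec"`, which reads as a leftover from the gosec solution's system test and makes this executor hard to tell apart from that one in SecHub's executor configuration and job logs; `"name": "system-test-codescan-kics"` matches the product it drives. The sanity-check `"comment"` has a typo: `system testframework` should read `system test framework`. It would also help the next reader to state in that comment what the sanity check scans (a single `FROM scratch` Dockerfile copied by copy_sanitycheck_files.sh) so the expected `GREEN` traffic light is understood as "scanner ran and found nothing" rather than a real finding check.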