Define and document the TAR and zip structure for data sections

mercedes-benz / sechub

SecHub provides a central API to test software with different security tools.

MIT License

272 stars 66 forks source link

Situation

This is (not only) a sub issue of #1166

When https://github.com/mercedes-benz/sechub/issues/1154 and https://github.com/mercedes-benz/sechub/issues/1098 are implemented a user is able to upload multiple binaries, sources etc. give them names and reference the files/folders inside the sechub configuration file

But doing this, we must

define how those files are stored inside TAR and ZIP files
think about default names (e.g. inside existing codescan configuration - there is a file system setup)
think for specialized analyze phase (currently not implemented) behaviour and also https://github.com/mercedes-benz/sechub/issues/1164 were we want to filter files

Wanted

documentation
clear definition how the structure inside tars and zips looks like

Solution

General Definition

We map the JSON model into the file system by using always following path pattern:

/__data__/$storageDataType/$dataObjectName/$originPath

$storageDataType can be sources or binaries (like in JSON)
$dataObjectName is just the name defined inside JSON for the data section
$originPath represents the origin path from file system

Examples

look at the next comments for examples

Next steps

Implement

{ "apiVersion" : "1.0", "data" : { "sources" : [ { "name" : "open-api-file-reference", "fileystem" : { "files" : [ "gamechanger-webapp/src/main/resources/openapi3.json" ] } } ] }, "codeScan" : { "fileSystem" : { "folders" : [ "gamechanger-android/src/main/java", "gamechanger-server/src/main/java" ] }, "excludes" : [ "**/mytestcode/**", "**/documentation/**" ], "additionalFilenameExtensions" : [ ".cplusplus", ".py9" ], "uses" : [ "open-api-file-reference"] }, "webScan" : { "openApi" : { "uses" : [ "open-api-file-reference" ] }, "uri" : "https://productfailure.demo.example.org" } }

mercedes-benz / sechub