mercedes-benz / sechub

SecHub provides a central API to test software with different security tools.
https://mercedes-benz.github.io/sechub/
MIT License
259 stars, 61 forks

Implement reasonable default exclude patterns #227

Closed sven-dmlr closed 4 years ago

sven-dmlr commented 4 years ago

Code Scan: Enable lazy usage of client: If no excludes are defined in the sechub.json config file, then use reasonable defaults. (See https://daimler.github.io/sechub/latest/sechub-client.html#example-upload-folders-with-excludes .)

Benefits:

Open discussion: Which exclude patterns should be added (source code scan)?

- Archives: **/*.7z **/*.bz2 **/*.gz **/*.rar **/*.tar **/*.tgz **/*.zip
- Binary image files: **/*.bin **/*.cue **/*.iso **/*.mdf **/*.vcd
- Build artifacts: **/*.o
- Documents: **/*.doc **/*.docx **/*.eps **/*.odc **/*.odp **/*.odt **/*.rtf **/*.pdf **/*.pps **/*.ppt **/*.pptx **/*.ps **/*.svg **/*.xls **/*.xlsx
- Executables: **/*.com **/*.exe
- Fonts: *.fnt *.otf *.ttf
- Images: **/*.bmp **/*.gif **/*.ico **/*.jpeg **/*.jpg **/*.png **/*.svg **/*.tif **/*.tiff **/*.xcf
- Libraries: **/*.a **/*.dll **/*.jar **/*.so
- OS packages: **/*.apk **/*.app **/*.cab **/*.deb **/*.rpm **/*.dmg
- Sound/Videos: **/*.aif **/*.avi **/*.flac **/*.flv **/*.gifv **/*.ogg **/*.ogv **/*.mid **/*.mkv **/*.mov **/*.mp2 **/*.mp3 **/*.mp4 **/*.mpa **/*.mpeg **/*.mpg **/*.vob **/*.wav **/*.wma **/*.wmv **/*.webm
- Text files: **/*.md **/*.adoc **/*.asciidoc **/*.log **/*.plantuml **/*.puml **/*.tex **/*.txt **/*.latex **/*.vcf
sven-dmlr commented 4 years ago

Idea: use a whitelist (allowed file extensions) instead of exclude patterns. (We will provide a default whitelist / include patterns: see https://github.com/Daimler/sechub/issues/256.) But excludes still make sense, e.g. to prevent tests from being scanned.

Jeeppler commented 4 years ago

I think the folder */test/* can be excluded by default.

de-jcup commented 4 years ago

Hmm.. I would appreciate more **/src/test/** because it's the Maven/Gradle standard, and it also prevents accidentally filtering unwanted parts, e.g. com.example.myserver.test.NetworkConnectionStable.java will not be filtered...

sven-dmlr commented 4 years ago

> Hmm.. I would appreciate more **/src/test/** because it's the Maven/Gradle standard, and it also prevents accidentally filtering unwanted parts, e.g. com.example.myserver.test.NetworkConnectionStable.java will not be filtered...

When the filter is **/test/**, your example would not be filtered because of the directory separators /. I see no unwanted effects with this pattern.

Will add "**/test/**", "**/.git/**" initially.
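The thread compares `*/test/*`, `**/test/**` and `**/src/test/**` and argues about which paths they actually catch. The following Go program is an added example, not SecHub client code: it implements a small doublestar-style glob matcher (the `**`, `*` and `?` semantics are my assumption, stated in the comments, and may differ from whatever library the client uses) and runs the candidate exclude patterns from the issue against constructed sample paths, including the dotted file name from the discussion and a `test` directory that sits under `src/main`. The names `globToRegexp`, `Excluded` and `DefaultExcludes` are mine.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// globToRegexp converts a doublestar-style glob into an anchored regexp.
// These semantics are an assumption for this example, not a statement about
// how the SecHub client itself evaluates its exclude patterns:
//   "**/" matches zero or more leading directory components
//   "**"  elsewhere matches anything, including "/"
//   "*"   matches anything except "/"
//   "?"   matches one character except "/"
func globToRegexp(pattern string) (*regexp.Regexp, error) {
	var sb strings.Builder
	sb.WriteString("^")
	runes := []rune(pattern)
	for i := 0; i < len(runes); i++ {
		c := runes[i]
		switch {
		case c == '*' && i+1 < len(runes) && runes[i+1] == '*':
			if i+2 < len(runes) && runes[i+2] == '/' {
				sb.WriteString("(?:.*/)?") // "**/": any number of directories
				i += 2
			} else {
				sb.WriteString(".*") // bare "**": anything, separators included
				i++
			}
		case c == '*':
			sb.WriteString("[^/]*")
		case c == '?':
			sb.WriteString("[^/]")
		default:
			sb.WriteString(regexp.QuoteMeta(string(c)))
		}
	}
	sb.WriteString("$")
	return regexp.Compile(sb.String())
}

// Excluded reports whether path matches any of the exclude patterns and, if
// so, which pattern matched first. The path is normalised to forward slashes
// and stripped of a leading "./" so the patterns behave the same everywhere.
func Excluded(path string, patterns []string) (bool, string, error) {
	rel := strings.TrimPrefix(filepath.ToSlash(path), "./")
	for _, p := range patterns {
		re, err := globToRegexp(p)
		if err != nil {
			return false, "", fmt.Errorf("pattern %q: %w", p, err)
		}
		if re.MatchString(rel) {
			return true, p, nil
		}
	}
	return false, "", nil
}

// DefaultExcludes is a subset of the candidates discussed in the issue.
var DefaultExcludes = []string{
	"**/test/**", "**/.git/**",
	"**/*.zip", "**/*.jar", "**/*.png", "**/*.exe",
}

func main() {
	// Constructed sample paths, including the dotted file name from the thread
	// and a package directory literally named "test" under src/main.
	samples := []string{
		"src/test/java/FooTest.java",
		"src/main/java/com/example/Bar.java",
		"com.example.myserver.test.NetworkConnectionStable.java",
		"src/main/java/com/example/myserver/test/Helper.java",
		".git/config",
		"./build/libs/app.jar",
	}
	for _, s := range samples {
		hit, by, err := Excluded(s, DefaultExcludes)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-58s excluded=%-5v pattern=%s\n", s, hit, by)
	}
	// The three test-directory patterns from the discussion, side by side.
	for _, p := range []string{"*/test/*", "**/test/**", "**/src/test/**"} {
		hit, _, _ := Excluded("module/src/test/java/FooTest.java", []string{p})
		fmt.Printf("%-16s matches module/src/test/java/FooTest.java: %v\n", p, hit)
	}
}
```

Running it shows the trade-off the thread is about: `*/test/*` only matches one path component on either side of `test`, so a Maven layout such as `module/src/test/java/FooTest.java` slips through; `**/test/**` catches every directory called `test`, including one under `src/main`; `**/src/test/**` is narrower and leaves such a main-code package alone. The dotted file name is matched by none of them, since no pattern component is separated by `/` in it.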