Epic: SecHub PDCW (Product Delegation Client Wrapper) for scans on client side

[de-jcup]

Situation

There exists some security products were standard sechub "scan by server" approach is difficult:

• container security (when we want to scan build images BEFORE uploading to public container registry...)
• special code scans (when scan must be integrated to build logic)

Normally all these products come up with a binary client. But product teams etc. need to know the client version, use the correct version etc. etc. also changes of a security product (or using multiple ones) would affect the build logic, must be adopted etc.

Here comes SecHub: We want:

• user shall not know if this happens on server or client side!
• user just configures ala "I wish to scan ..." and starts sechub client and all is done!

Wanted solution

We provide a "sechub bin wrapper" which can be executed by sechub-client has a simple interface which does not change. From this point we call this PDCW (Product Delegation Client Wrapper) which does the client scan logic. The binary wrapper contains the origin product binaries and is called by sechub client via command execution. (Remark: we use PDCW so its similar to existing PDS which is the product delegation server and we use same naming concept)

Wapper concept

Remark: Gradle and Maven have got a wrapper concept was some kind of a blueprint for this concept

Client way

• scan starts
• client creates job
• NEW/Change to SchedulerResult.java : not only job id (uuid) is returned, but also information for client if there is a need for
  • PDCW in dedicated version:
• when client recognizes wrapper is needed, it checks if wrapper is already available in wanted version at $SECHUB_HOME/pdcw/$productId/$version/platform/$platformname/sechub-pdcw (when SECHUB_HOME is not set it will be default: ${user.home}/.sechub)
• when not available, sechub client will download sechub-pdcw-package.zip from $sechubServerHostname/api/download/pdcw/$productId/$version/$platformname
• after download the zip file is extracted to current dir. It will contain:
  • sechub-pdcx (gneral wrapper to start )
  • sechub-pdcx.json (config file describes wrapper tasks)
  • subfolder bin were all product specific content is stored
• after extraction is done, zip file is deleted
• when sechub-pdcw is available sechub client will give sechub.json to client, which executes necessary stuf
• sechub-pdcw result will be stored in a temporary file
• sechub-client uploads the temporary file data to sechub scheduler into job workspace and marks with product id
• sechub-client checks if other stuff is necessary to do (configured in sechub.json ) - normally not
• sechub-client marks job as ready to start
• sechub-server-scan domain will not start a product but validate + store product result (from pdcw scan)
• sechub-sereco: just transform product result to sechub format
• done

People using directly SecHub REST API but not sechub client

• they must either do things like client (download pdcw, unpack, call etc.) or directly use the product binaries to create origin product output
• upload product output to server job
• mark job as ready to go
• wait for job done
• get job result

Example for a container security scan

This shows up an example for a PDCW appraoch when doing a container security scan by this approach:

---

^{Albert Tregnaghi albert.tregnaghi@daimler.com, Daimler TSS GmbH, imprint}

[Jeeppler]

Another scenario for the PDCW could be jobs which can be executed faster on the client as it would be to upload the code to SecHub and do the analysis on SecHub. One such example would be a secret scanner.

[Jeeppler]

It is a convenient feature of the PDCW to automatically download the necessary scan modules (pdcw-package) from the server. However, that behaviour might be problem in certain environments or for some organizations. It would be nice to still have an easy way to download the modules through a separate channel and install them manually on the system.

In addition, it would be nice to have the possibility (e. g. configuration file options) to use a specific version of a scan module. That way it is possible to test new versions or use an old version.