search

mercedes-benz / sechub

SecHub provides a central API to test software with different security tools.
https://mercedes-benz.github.io/sechub/
MIT License
259 stars 58 forks source link

Replace `PDS_SCRIPT_ENV_WHITELIST` env entry by PDS config entry #3220

Closed de-jcup closed 2 weeks ago

de-jcup commented 2 weeks ago

Situation

With

we kept the script environment as small as possible but have the possibility to add additional env values via PDS_SCRIPT_ENV_WHITELIST.

We have here 3 problems:

Problem 1: Setup for every environment necessary

It works, but there is a need to handle/setup this in any kind of environment again and again (e.g. local, local testing, builds (github,jenkins), k83s helm, system tests etc. etc.)

After all: too much complicated to configure and so error prone...

Problem 2: Multiple products on same PDS will have both access

Multiple products on same PDS will have both access to the whitelisted parts - even when not necessary.

Problem 3: Not clear at first sight

It is not clear on first glimpse which product has additional script variable access or not.

Wanted

Solution

We change the existing implementation in a way, that no longer a env variable PDS_SCRIPT_ENV_WHITELIST is used for the comma separated list, but we move the information to the pds configuration file instead by providing a new (optional) field envWhitelist.

Example:

{
  "apiVersion": "1.0",
  "serverId": "XYZ_Cluster",
  "products": [
    {
      "id": "product_1",
      "path": "/pds/scripts/xyz.sh",
      "envWhitelist" : [
            "ALLOWED_EVERY_*",
            "ALLOWED_SPECIAL_ONE"
      ],
      "scanType": "xyz",
      "description": "Runx xyz",
    }
  ]
}

Also the PDS startup summary shall show the envWhitelist entries.