mercedes-benz / sechub

SecHub provides a central API to test software with different security tools.
https://mercedes-benz.github.io/sechub/
MIT License
259 stars 58 forks

Describe S3 usage in documentation #423

Open de-jcup opened 3 years ago

de-jcup commented 3 years ago

At least in the architecture documentation, only a file system folder is described for source uploads. But S3 storage can be used also.

This description is missing and must be documented (should be available in operations doc as well)

Vivek-Prajapatii commented 2 years ago

Would like to work on it, but I'll need help

Jeeppler commented 2 years ago

@Vivek-Prajapatii yes, you can work on this. We are willing to help you. With what aspect of this issue do you need help?

Vivek-Prajapatii commented 2 years ago

As I'm new to this project, I don't know the system. I don't know how S3 is used in this system and where I need to update the documentation.

thank you.

Jeeppler commented 2 years ago

@Vivek-Prajapatii those are quite a lot of questions. I think we mislabeled the issue as a good first issue, as this issue requires knowledge of how SecHub works as a distributed system and of distributed systems in general.

The short explanation is:

A user uploads files (for example, source code) to one SecHub instance, which are then analyzed by different security tools. Those files need to be stored in such a way that any other SecHub instance can read the files and upload them to one of the security tools. To be able to share files, one needs to have a storage system which allows the instances to read the files. One can either use a shared file system like NFS or an object storage like S3.

The Product Delegation Server (PDS) works the same way.

There are two main reasons for not storing the user uploads in the database:

  1. Uploads are zipped (single binary file) and storing large binary files (blobs) in a database is usually not recommended
  2. The uploads are deleted after a scan (data life-cycle)

My recommendation would be to first work on other issues to get a better understanding of the inner workings of SecHub and the documentation and later come back to this issue.

The two issues are:

The issue #764 is not trivial, but will give you some understanding of how the distributed architecture and sharing in PDS work. The architecture of PDS and SecHub is the same. However, the PDS is smaller and hopefully easier to understand. In addition, PMD is a free and open source (FOSS) static application security testing (SAST) product written in Java.

Vivek-Prajapatii commented 2 years ago

Ok first I will be working on #764