mercedes-benz / sechub

SecHub provides a central API to test software with different security tools.
https://mercedes-benz.github.io/sechub/
MIT License

Introduce possibility to add git commit id as meta data for scans #548

Open de-jcup opened 3 years ago

de-jcup commented 3 years ago

Situation

When people get sechub

Wanted

As a developer using SecHub I want to know for which commit ID the report information was.

Solution

Inside a code scan we introduce a metaData JSON container with a git container inside that has the field commit. This information is available in the SecHub report later as well.

SecHub Config changes

Example for SecHub config file (partial):

"codeScan" : {
    "metaData" : {
        "git" : {
            "commit" : "aa893349"
        }
    }
}

SecHub report changes

We need the information in the report result. Because the input data is already validated and in a format suitable for the report, I would suggest simply adding this to the root node.

Additional: We should also add the report UUID automatically inside the report JSON, if it is not already available there.

Additional thoughts

We could later



---
Albert Tregnaghi <albert.tregnaghi@daimler.com>, Daimler TSS GmbH, [imprint](https://github.com/Daimler/daimler-foss/blob/master/LEGAL_IMPRINT.md)
Jeeppler commented 3 years ago

The metadata block could be made more generic to support other version control systems as well. For example, Apache Subversion, Mercurial etc.

For git:

"codeScan" : {
    "metaData" : {
        "versionControl" : {
            "type" : "git",
            "commit" : "aa893349"
        }
    }
}

For SVN:

"codeScan" : {
    "metaData" : {
        "versionControl" : {
            "type" : "svn",
            "revision" : "4123"
        }
    }
}
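As an added example (not SecHub's own code), here is a small Python validator that accepts both the git-only metaData block from the issue description and the generic versionControl variant proposed above, normalizes it, and copies it together with a report UUID to the report root node as the description suggests. The report field name jobUUID, the accepted identifier patterns and the sample configs are assumptions constructed for this example, not part of the issue.

```python
import json
import re

# Constructed samples: the two config shapes discussed in this issue.
GIT_CONFIG = json.loads('{"codeScan": {"metaData": {"git": {"commit": "aa893349"}}}}')
SVN_CONFIG = json.loads(
    '{"codeScan": {"metaData": {"versionControl": {"type": "svn", "revision": "4123"}}}}'
)

# Assumed identifier formats: git ids are abbreviated or full lowercase hex,
# SVN revisions are positive decimal numbers. Anything else is rejected so
# that no free-form string from a user config is copied verbatim into a report.
_ID_PATTERNS = {
    "git": re.compile(r"[0-9a-f]{7,40}"),
    "svn": re.compile(r"[1-9][0-9]{0,9}"),
}


def extract_version_control(config: dict) -> dict:
    """Return {"type": ..., "id": ...} from codeScan.metaData, or raise ValueError."""
    meta = config.get("codeScan", {}).get("metaData", {})
    if "git" in meta:  # original proposal: dedicated "git" container
        vcs_type, value = "git", meta["git"].get("commit")
    elif "versionControl" in meta:  # generic proposal: "type" plus id field
        vc = meta["versionControl"]
        vcs_type = vc.get("type")
        value = vc.get("commit") if vcs_type == "git" else vc.get("revision")
    else:
        raise ValueError("codeScan.metaData carries no version control information")
    pattern = _ID_PATTERNS.get(vcs_type)
    if pattern is None:
        raise ValueError(f"unsupported version control type: {vcs_type!r}")
    if not isinstance(value, str) or not pattern.fullmatch(value):
        raise ValueError(f"malformed {vcs_type} identifier: {value!r}")
    return {"type": vcs_type, "id": value}


def add_meta_to_report(report: dict, config: dict, job_uuid: str) -> dict:
    """Copy the validated metadata and the UUID (only if absent) to the report root."""
    result = dict(report)
    result.setdefault("jobUUID", job_uuid)  # field name is an assumption
    result["metaData"] = {"versionControl": extract_version_control(config)}
    return result
```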