mercedes-benz / sechub

SecHub provides a central API to test software with different security tools.
https://mercedes-benz.github.io/sechub/
MIT License
270 stars 65 forks source link

Introduce scan phases #678

Open Jeeppler opened 3 years ago

Jeeppler commented 3 years ago

Situation

At the moment no preprocessing before the actual scan is done. SecHub will just start the scan.

Wanted

Introduce scan phases. Each phase will determine the steps which should be taken in the next phase. At least the following two phases are needed: pre-processing and scan.

During the pre-processing phase information are gathered about the scan, such as which programming languages need to be scanned, how many lines of code etc. The outcome of the pre-processing phase determines the execution plan of the scan phase. The scan plan contains a list of tools and settings for the adapters which should be executed. During the scan phase all adapter + configurations of the scan plan will be executed and the results collected. The results will be collected and processed by SERECO. SERECO will combine the different reports and output a single report for the user at the end.

1. pre-processing { programming language statistics, annotations etc. } -> results
2. results -> descisions  -> scan plan
3. scan plan -> scan { use tool a, tool e and tool z } -> reports 
4. reports -> sereco { merge reports } -> user report.
de-jcup commented 3 years ago

concept/epic see #684

sven-dmlr commented 1 year ago

@de-jcup Can this issue be closed?