mercedes-benz / sechub

SecHub provides a central API to test software with different security tools.
https://mercedes-benz.github.io/sechub/
MIT License

Improve output in code scan reports #68

Closed de-jcup closed 4 years ago

de-jcup commented 4 years ago

Currently we get output with the following description inside the JSON and HTML reports:

<br>Location:com/daimler/sechub/sharedkernel/util/ZipSupport.java - line:17, column:5\n<br>For details look at <a href='https://defvm1676.intranet.example.org/CxWebClient/ViewerMain.aspx?scanid=1000866&projectid=227441&pathid=167'>Full result</a>

This is cumbersome to read. Also, HTML parts should only appear inside an HTML report and nowhere else...

{
   "jobUUID": "41460d02-08bd-4bf3-b3fa-adce7bb49b6b",
   "result": {
      "count": 0,
      "findings": [
         {
            "id": 1,
            "description": "\n<br>Location:com/daimler/sechub/domain/scan/HTMLScanResultReportModelBuilder.java - line:116, column:29\n<br>For details look at <a href='https://defvm1676.intranet.example.org/CxWebClient/ViewerMain.aspx?scanid=1000769&projectid=227441&pathid=163'>Full result</a>",
            "hostnames": [],
            "created": null,
            "createdBy": null,
            "name": "Reflected XSS All Clients",
            "parameters": null,
            "path": null,
            "parameterName": null,
            "query": null,
            "references": [],
            "method": null,
            "request": null,
            "resolution": null,
            "response": null,
            "service": null,
            "severity": "HIGH",
            "target": null,
            "website": null
         }
      ]
   },
   "trafficLight": "RED"
}
de-jcup commented 4 years ago

The following changes will happen:

  1. We will reduce the output (null values and empty arrays no longer appear)
  2. The description field for code scans will be empty
  3. Code scans will have a code field containing location, line and column
  4. The deeplink to the product result becomes its own field productResultLink. The visibility/occurrence of this field shall be configurable. As a first step we switch it globally by the Spring value {sechub.feature.showProductResultLink:false}

In future, the output for code scans shall be:

{
   "jobUUID": "41460d02-08bd-4bf3-b3fa-adce7bb49b6b",
   "result": {
      "count": 0,
      "findings": [
         {
            "id": 1,
            "name": "Reflected XSS All Clients",
            "severity": "HIGH",
            "code": {
               "location": "com/daimler/sechub/domain/scan/HTMLScanResultReportModelBuilder.java",
               "line": 116,
               "column": 29,
               "source": "               while ((line=br.readLine())!=null) {",
               "calls": {
                  "location": "com/daimler/sechub/domain/scan/HTMLScanResultReportModelBuilder.java",
                  "line": 216,
                  "column": 31,
                  "source": "               xyz",
                  "calls": {
                     "location": -1,
                     "line": -1,
                     "source": "..."
                  }
               }
            },
            "productResultLink": "https://defvm1676.intranet.example.org/CxWebClient/ViewerMain.aspx?scanid=1000769&projectid=227441&pathid=163"
         }
      ]
   },
   "trafficLight": "RED"
}
de-jcup commented 4 years ago

The Thymeleaf template must be changed so that we use the code meta information for rendering (when available), with a fallback to description, because webscan and infrascan will still return their description fields.

Formerly: [image]

de-jcup commented 4 years ago

Now: [image]

de-jcup commented 4 years ago

The relevant part of the source should be contained in the HTML and in the JSON data as well.

de-jcup commented 4 years ago

Added the relevant parts now to the HTML and JSON report:

[image] [image]

de-jcup commented 4 years ago

At https://github.com/Daimler/sechub/blob/develop/sechub-other/examples/sechub-reports/codescan-checkmarx-one-yellow-finding-result-beautified.json there is the beautified JSON output for the last picture.

https://github.com/Daimler/sechub/blob/develop/sechub-other/examples/sechub-reports/codescan-checkmarx-one-yellow-finding-result.json is the original example output.

de-jcup commented 4 years ago

Be aware: We have changed the JSON output handling for null values. We no longer show any fields containing null; this reduces file size and increases readability.

If you parse the JSON output, be aware that a field containing null will no longer be present, so please check whether the element exists...
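The two points above that matter to a report consumer, the new `code` object with its nested `calls` chain (described in the "Following changes" comment) and the omission of fields that used to be null (this last comment), are illustrated here with an added, consumer-side parser. This is example code, not SecHub's own code or client; the report it parses is a constructed sample in the shape the issue describes (the file paths, the second web scan finding and the `Handler.java` name are invented), and `productResultLink` is assumed to be absent when the feature switch is off.

```python
"""Consumer-side parser for the reduced SecHub code scan report format.

Added example, not SecHub project code. Assumes the JSON shape described
in the issue: fields that were null are simply absent, code scan findings
carry a `code` object with an optional nested `calls` chain, web/infra
scan findings still carry `description`, and `productResultLink` only
appears when the feature switch is enabled.
"""
import json

# Constructed sample report (not real scanner output): one code scan
# finding with a two-level call chain and no productResultLink, plus one
# web scan finding that still uses the description field.
SAMPLE_REPORT = """
{
  "jobUUID": "41460d02-08bd-4bf3-b3fa-adce7bb49b6b",
  "result": {
    "count": 2,
    "findings": [
      {
        "id": 1,
        "name": "Reflected XSS All Clients",
        "severity": "HIGH",
        "code": {
          "location": "com/example/app/Handler.java",
          "line": 116,
          "column": 29,
          "source": "while ((line=br.readLine())!=null) {",
          "calls": {
            "location": "com/example/app/Handler.java",
            "line": 216,
            "column": 31,
            "source": "xyz"
          }
        }
      },
      {
        "id": 2,
        "name": "Missing security header",
        "severity": "MEDIUM",
        "description": "Web scan finding, still uses description",
        "target": "https://example.invalid/"
      }
    ]
  },
  "trafficLight": "RED"
}
"""


def walk_calls(code):
    """Yield each node of the nested `calls` chain, outermost first.

    The chain ends when `calls` is absent; there is no null sentinel
    any more, so .get() rather than indexing is required.
    """
    node = code
    while node is not None:
        yield node
        node = node.get("calls")


def format_location(node):
    """Render location:line[:column], tolerating a missing column."""
    loc = node.get("location", "<unknown>")
    line = node.get("line", -1)
    col = node.get("column")
    return f"{loc}:{line}" + (f":{col}" if col is not None else "")


def summarize_findings(report_json):
    """Return one dict per finding with a flattened call chain.

    Every field access uses .get(), because any field that was null in
    the old format is now missing from the document entirely.
    """
    report = json.loads(report_json)
    summaries = []
    for finding in report.get("result", {}).get("findings", []):
        entry = {
            "id": finding.get("id"),
            "name": finding.get("name"),
            "severity": finding.get("severity"),
            # Optional: only present when the product result link is enabled.
            "productResultLink": finding.get("productResultLink"),
        }
        code = finding.get("code")
        if code is not None:
            entry["chain"] = [format_location(n) for n in walk_calls(code)]
        else:
            # Webscan / infrascan findings: fall back to description,
            # mirroring the HTML template fallback described in the issue.
            entry["description"] = finding.get("description", "")
        summaries.append(entry)
    return summaries


def findings_by_severity(summaries, severity):
    """Filter summaries by severity string, e.g. "HIGH"."""
    return [s for s in summaries if s["severity"] == severity]


if __name__ == "__main__":
    for summary in summarize_findings(SAMPLE_REPORT):
        print(summary)
```

The fallback branch is the consumer-side mirror of the template change mentioned in the thread: code scan findings are rendered from `code`, everything else from `description`.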