Comments (5)
This depends on: PR #225
from securecodebox.
As described in PR #225 we want to introduce a hash value to the finding model.
This hash has to be set/updated in the parser of the scanner as well as in each hook modifying findings.
To avoid duplication we should introduce a new npm package containing a function to calculate the hash consistently.
For this purpose I took a look at the parser-sdk and the hook-sdk and found at least one duplication (code for uploadFile()). This raised the question of whether we want to create a scb-sdk combining parser-sdk and hook-sdk as well as their helpers.
Consequences:
- some minor refactoring of hooks and parsers to use the scb-sdk.
- This could cause breaking changes to third-party hooks/scanners that are not included in the official project.
- This package would also have to be published to npm.
from securecodebox.
@fuhrmeistery great idea 👍
We might be able to avoid publishing to npm by referencing the scb-sdk in the package.json via a file path.
This would probably simplify this a bit.
from securecodebox.
In PR #330 @J12934 suggests that the DefectDojo persistence provider is run as a ReadAndWrite Hook before other hooks are executed.
Similar to this we could add a simple hook that runs before every other hook to realize a lightweight false positive handling.
This Hook could be optional and would be replaced by a much more sophisticated alternative like DefectDojo.
This way we could introduce an immutable hash without having to worry about the execution order of ReadWriteHooks.
from securecodebox.
Since we use DefectDojo, which ships with false-positive handling, we do not work further on this topic at the moment.
from securecodebox.