➹ Implement a lightweight false-/positive-handling about securecodebox HOT 5 CLOSED

This depends on: PR #225

from securecodebox.

As described in PR #225 we want to introduce a hash value to the finding model.
This hash has to be set/updated in the parser of the scanner as well as in each hook modifying findings.
To avoid duplication we should introduce a new npm package containing a function to calculate the hash consistently.

For this purpose I took a look at the parser-sdk and the hook-sdk and found at least one duplication (code for uploadFile()). This rose the question if we want to create a scb-sdk combining parser-sdk and hook-sdk as well as their helpers.

Consequences:

• some minor refactoring of hooks and parsers to use the scb-sdk.
• This could cause breaking changes to third-party hooks/scanners that are not included in the official project
• This package would also have to be published to npm.

from securecodebox.

@fuhrmeistery great idea 👍
We might be able to avoid publishing to npm referencing the scb-sdk in the package.json via a file-path.
This would probably simplify this a bit.

from securecodebox.

In PR #330 @J12934 suggests that the DefectDojo persistence provider is run as a ReadAndWrite Hook before other hooks are executed.
Similar to this we could add a simple hook that runs before every other hook to realize a lightweight false positive handling.

This Hook could be optional and would be replaced by a much more sophisticated alternative like DefectDojo.
This way we could introduce an immutable hash without having to worry about the execution order of ReadWriteHooks.

See ADR 0007
See PR #330

from securecodebox.

Since we use Defectdojo, which ships with false-positive handling, we do not work further on this topic at the moment.

from securecodebox.