
Provide explanation by knowledge database #477

de-jcup opened this issue Dec 7, 2020 · 1 comment

Comments

@de-jcup
Member

de-jcup commented Dec 7, 2020

If we provided an internal knowledge database, we could provide an alternative for #476, which would be a product-neutral way to provide #474.

The knowledge database would, as a first step, provide the explanation of a CWE, and we would use this internally to obtain details.

Disadvantages:

  • we must provide, adopt, handle the information and maintain the kb

Advantages:

  • would be part of SecHub Open Source
  • not product specific
  • maintainable
  • open
  • future ready

How could we use it then inside sechub/sereco?

  • we would store this information NOT inside other product results, but ONLY in the sereco report output!!!!!
  • so at least sereco must have access to the kb (by simply sending a message and obtaining a result - so we would not use an https REST service here.)

Request format

We could provide a request format in JSON style - e.g.:

{
   "outputFormat" : "html",

   "request" : {
       "cwe" : [
           {
               "id": "CWE-ID-XYZ1"
           },
           {
               "id": "CWE-ID-XYZ2"
           }
       ]
   }
}

So this would be very open and clear to read. If we provide something other than CWE ids, we could simply add this as another field - easy to extend.

Output format

HTML

Hmm.. HTML output ... maybe a little bit odd? HTML sechub report generation could do this itself in a more suitable way? So JSON output should be the preferred way and HTML maybe only a second choice in future?

JSON

We should provide a good, readable JSON document structure and provide the content in asciidoc format. Reason for asciidoc: plain text, but we can integrate code examples etc. as well - and it becomes an industry standard.

{
   "results" : [
       {
           "type" : "cwe",
           "id": "CWE-ID-XYZ1",
           "explanation" : "explanation description in asciidoc format - can contain code snippets as well",
           "mitigation" : "mitigation description in asciidoc - can contain code snippets etc. as well"
       }
   ]
}

Additional ways for interaction

Also, we could use this format for an ADMIN REST API call - and maybe, if this becomes an option, at a public KB REST service. We would provide the same request data structure as used for internal messaging.


Albert Tregnaghi albert.tregnaghi@daimler.com, Daimler TSS GmbH
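An added example (Python, not SecHub/sereco code) of a lookup service that consumes the request format proposed above and produces the results document: the knowledge base contents, the `found`/`error` fields for unknown or malformed ids, and the restriction to JSON output are assumptions for this example, not part of the proposal.

```python
import json
import re

# Constructed sample knowledge base (not SecHub's real data): CWE id -> asciidoc texts.
KNOWLEDGE_BASE = {
    "CWE-79": {
        "explanation": "= Cross-site Scripting\n\nUntrusted input is written into a page without encoding.",
        "mitigation": "Encode output for the HTML context.\n\n[source,java]\n----\nEncode.forHtml(value)\n----",
    },
    "CWE-89": {
        "explanation": "= SQL Injection\n\nUntrusted input is concatenated into a query.",
        "mitigation": "Use prepared statements with bound parameters.",
    },
}

CWE_ID_PATTERN = re.compile(r"^CWE-\d+$")
SUPPORTED_OUTPUT_FORMATS = {"json"}  # assumption: html output is not offered yet


def explain(request_json: str) -> dict:
    """Parse a request in the proposed format and return the results document.

    Unknown output formats are rejected, malformed ids are reported instead of
    looked up, and ids missing from the knowledge base yield an entry with
    "found": false (an assumed field) so the caller can tell "no text" apart
    from "lookup failed".
    """
    request = json.loads(request_json)
    output_format = request.get("outputFormat", "json")
    if output_format not in SUPPORTED_OUTPUT_FORMATS:
        raise ValueError(f"unsupported outputFormat: {output_format!r}")

    results = []
    # Only the "cwe" request field is handled; other fields could be added later.
    for entry in request.get("request", {}).get("cwe", []):
        cwe_id = str(entry.get("id", ""))
        result = {"type": "cwe", "id": cwe_id}
        if not CWE_ID_PATTERN.match(cwe_id):
            result["found"] = False
            result["error"] = "malformed CWE id"
        elif cwe_id in KNOWLEDGE_BASE:
            result["found"] = True
            result.update(KNOWLEDGE_BASE[cwe_id])
        else:
            result["found"] = False
        results.append(result)
    return {"results": results}
```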

@Jeeppler
Member

See #365 regarding the knowledge base concept.
