use of com.mercedesbenz.sechub.commons.model.SecHubWebScanConfiguration in project sechub by mercedes-benz.
From class SechubWebConfigProviderTest, method get_sechub_web_config_by_sechub_file_works_when_file_can_be_read:
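@Test
void get_sechub_web_config_by_sechub_file_works_when_file_can_be_read() {
    /* prepare */
    // Test fixture: a SecHub configuration containing a web scan with a basic-auth login section.
    // The credential values below are fixture data from that file, not real secrets.
    File testFile = new File("src/test/resources/sechub-config-examples/basic-auth.json");

    /* execute */
    SecHubWebScanConfiguration sechubWebConfig = providerToTest.getSecHubWebConfiguration(testFile);

    /* test */
    // assertEquals takes (expected, actual); the original had them swapped, which makes a failure
    // message report the two values the wrong way round. Same order as the other tests of this project.
    assertEquals("https://127.0.0.1:8080", sechubWebConfig.getUri().toString());

    assertTrue(sechubWebConfig.getLogin().isPresent());
    WebLoginConfiguration webLoginConfiguration = sechubWebConfig.getLogin().get();
    assertEquals("https://127.0.0.1:8080/login", webLoginConfiguration.getUrl().toExternalForm());

    assertTrue(webLoginConfiguration.getBasic().isPresent());
    BasicLoginConfiguration basicLoginConfiguration = webLoginConfiguration.getBasic().get();
    assertEquals("realm", basicLoginConfiguration.getRealm().get());

    // user and password are exposed as arrays by the model; convert for comparison only.
    String user = new String(basicLoginConfiguration.getUser());
    assertEquals("user", user);

    String password = new String(basicLoginConfiguration.getPassword());
    assertEquals("password", password);
}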
use of com.mercedesbenz.sechub.commons.model.SecHubWebScanConfiguration in project sechub by mercedes-benz.
From class PDSWebScanJobScenario12IntTest, method pds_web_scan_has_expected_info_finding_with_given_target_url_and_product2_level_information_and_sechub_web_config_parts:
@Test
public void pds_web_scan_has_expected_info_finding_with_given_target_url_and_product2_level_information_and_sechub_web_config_parts() {
    /* @formatter:off */
    /* prepare */
    TestProject testProject = PROJECT_1;

    // Load a web scan configuration that uses every available option and bind it to a project.
    String configJson = IntegrationTestFileSupport.getTestfileSupport().loadTestFile("sechub-integrationtest-webscanconfig-all-options.json");
    SecHubScanConfiguration sentConfiguration = SecHubScanConfiguration.createFromJSON(configJson);
    sentConfiguration.setProjectId("myTestProject");

    // The scan target has to be on the project's allow-list before a job for it is created;
    // only an administrator may change that list.
    String targetUrl = sentConfiguration.getWebScan().get().getUri().toString();
    as(SUPER_ADMIN).updateWhiteListForProject(testProject, Arrays.asList(targetUrl));

    UUID jobUuid = as(USER_1).createJobAndReturnJobUUID(testProject, sentConfiguration);

    /* execute */
    as(USER_1).approveJob(testProject, jobUuid);
    waitForJobDone(testProject, jobUuid, 30, true);

    /* test */
    String reportJson = as(USER_1).getJobReport(testProject, jobUuid);

    // IMPORTANT: 'integrationtest-webscan.sh' echoes the configuration it received back into the report.
    // SecHub and a PDS must both run in integration mode: the web scan is created on the SecHub server,
    // SecHub calls the PDS, and the PDS executes 'integrationtest-webscan.sh', which produces the report.
    //
    // Workflow:
    // This test -- sends webscan config to -> SecHub -- calls -> PDS -- calls -> 'integrationtest-webscan.sh' -- returns -> Report
    //
    // See 'integrationtest-webscan.sh' for the details.
    // finding 0: target url and other product-level information
    // finding 1: the sechub configuration (web scan parts only)
    String pdsConfigKey = "PDS_SCAN_CONFIGURATION=";
    String finding1Description = assertReport(reportJson)
            .finding(0)
                .hasSeverity(Severity.INFO)
                // custom mandatory parameter defined in the PDS config
                .hasDescriptionContaining("PRODUCT2_LEVEL=4711")
                // generated default parameter, always sent by SecHub even though the PDS config does not declare it
                .hasDescriptionContaining("PDS_SCAN_TARGET_URL=" + targetUrl)
            .finding(1)
                .hasDescriptionContaining(pdsConfigKey + "{")
                .getDescription();
    String echoedConfigJson = finding1Description.substring(pdsConfigKey.length());
    /* @formatter:on */

    // What came back must still be a valid sechub scan configuration...
    SecHubScanConfiguration echoedConfiguration = SecHubScanConfiguration.createFromJSON(echoedConfigJson);
    assertEquals("ProjectId not as expected", testProject.getProjectId(), echoedConfiguration.getProjectId());

    // ...containing only the web scan part (the target url is used as assertion message for context).
    assertFalse(targetUrl, echoedConfiguration.getCodeScan().isPresent());
    assertFalse(targetUrl, echoedConfiguration.getInfraScan().isPresent());
    assertTrue(targetUrl, echoedConfiguration.getWebScan().isPresent());

    SecHubWebScanConfiguration echoedWebScan = echoedConfiguration.getWebScan().get();
    assertNotNull(echoedWebScan.getUri());

    // ...and must be identical to what was sent, compared via the canonical JSON form.
    assertEquals(JSONConverter.get().toJSON(sentConfiguration, true), JSONConverter.get().toJSON(echoedConfiguration, true));
}
use of com.mercedesbenz.sechub.commons.model.SecHubWebScanConfiguration in project sechub by mercedes-benz.
From class OwaspZapScanConfigurationFactory, method create:
/**
 * Builds the OWASP ZAP scan configuration from the wrapper's command line settings.
 *
 * @param settings parsed command line settings, must not be {@code null}
 * @return the assembled scan configuration
 * @throws MustExitRuntimeException when {@code settings} is {@code null}
 */
public OwaspZapScanConfiguration create(CommandLineSettings settings) {
    if (settings == null) {
        throw new MustExitRuntimeException("Command line settings must not be null!", MustExitCode.COMMANDLINE_CONFIGURATION_INVALID);
    }

    /* Wrapper settings */
    OwaspZapServerConfiguration zapServerConfig = createOwaspZapServerConfig(settings);
    ProxyInformation proxy = createProxyInformation(settings);

    /* SecHub settings */
    // The SecHub web scan configuration is read from the file named on the command line; the
    // maximum scan duration and the authentication type to use are derived from it.
    URI target = targetUriFactory.create(settings.getTargetURL());
    SecHubWebScanConfiguration webScanConfig = webConfigProvider.getSecHubWebConfiguration(settings.getSecHubConfigFile());
    long maxDurationMillis = sechubWebConfigHelper.fetchMaxScanDurationInMillis(webScanConfig);
    AuthenticationType authenticationType = sechubWebConfigHelper.determineAuthenticationType(webScanConfig);

    String contextName = resolveContextName(settings);

    /* @formatter:off */
    return OwaspZapScanConfiguration.builder()
            .setTargetUri(target)
            .setVerboseOutput(settings.isVerboseEnabled())
            .setReportFile(settings.getReportFile())
            .setContextName(contextName)
            .setAjaxSpiderEnabled(settings.isAjaxSpiderEnabled())
            .setActiveScanEnabled(settings.isActiveScanEnabled())
            .setServerConfig(zapServerConfig)
            .setAuthenticationType(authenticationType)
            .setMaxScanDurationInMillis(maxDurationMillis)
            .setSecHubWebScanConfiguration(webScanConfig)
            .setProxyInformation(proxy)
            .build();
    /* @formatter:on */
}

/**
 * The SecHub job UUID is always used as the OWASP ZAP context name. When no job UUID was
 * given, a randomly generated UUID is used instead and a warning is logged.
 */
private String resolveContextName(CommandLineSettings settings) {
    String jobUuid = settings.getJobUUID();
    if (jobUuid != null) {
        return jobUuid;
    }
    String fallback = UUID.randomUUID().toString();
    LOG.warn("The job UUID was not set. Using randomly generated UUID: {} as fallback.", fallback);
    return fallback;
}
use of com.mercedesbenz.sechub.commons.model.SecHubWebScanConfiguration in project sechub by mercedes-benz.
From class ProjectWhiteListSecHubConfigurationValidationService, method assertAllowedForProject:
/**
 * Ensures every scan target named in the configuration is on the project's allow-list (white list).
 * Infrastructure scan URIs and IPs as well as the web scan base URI are checked; the check fails via
 * {@code assertWhitelisted} for any target that is not allowed.
 * <p>
 * NOTE(review): for the web scan only {@code getUri()} is checked here; other fields of the web scan
 * configuration are not part of this validation.
 *
 * @param configuration the scan configuration to validate
 */
public void assertAllowedForProject(SecHubConfigurationModel configuration) {
    List<URI> allowed = fetchAllowedUris(configuration);

    // Infrastructure scan: both the URI list and the IP list (converted to URIs) must be allowed.
    configuration.getInfraScan().ifPresent(infraScan -> {
        assertWhitelisted(allowed, infraScan.getUris());
        assertWhitelisted(allowed, asUris(infraScan.getIps()));
    });

    // Web scan: the target URI must be allowed.
    configuration.getWebScan().ifPresent(webScan -> assertWhitelisted(allowed, webScan.getUri()));
}
use of com.mercedesbenz.sechub.commons.model.SecHubWebScanConfiguration in project sechub by mercedes-benz.
From class SecHubConfigurationTest, method webscan_empty_includes_excludes:
@Test
public void webscan_empty_includes_excludes() {
    /* prepare */
    // Fixture: a web scan configuration whose includes and excludes are present but empty.
    String json = SharedKernelTestFileSupport.getTestfileSupport().loadTestFile("webscan/webscan_empty_includes_excludes.json");

    /* execute */
    SecHubConfiguration result = SECHUB_CONFIG.fromJSON(json);

    /* test */
    Optional<SecHubWebScanConfiguration> webScanOpt = result.getWebScan();
    assertTrue("webscan config must be present", webScanOpt.isPresent());
    SecHubWebScanConfiguration webScan = webScanOpt.get();
    assertEquals(URI.create("https://productfailure.demo.example.org"), webScan.getUri());

    // Empty lists in the JSON must deserialize to present-but-empty optionals, not to absent ones.
    Optional<List<String>> includesOpt = webScan.getIncludes();
    assertTrue("includes must be present", includesOpt.isPresent());
    List<String> includes = includesOpt.get();
    List<String> noIncludes = new LinkedList<>();
    assertTrue("includes are empty", includes.isEmpty());
    assertEquals(noIncludes, includes);

    Optional<List<String>> excludesOpt = webScan.getExcludes();
    assertTrue("excludes must be present", excludesOpt.isPresent());
    List<String> excludes = excludesOpt.get();
    List<String> noExcludes = new LinkedList<>();
    assertTrue("excludes are empty", excludes.isEmpty());
    assertEquals(noExcludes, excludes);
}