1. About

About SecHub

SecHub is an acronym for Security Hub and is first of all one API to scan for different security problems. Users of SecHub do not care about which exact product is doing the real scan on server side, but only configure their wanted aim.

SecHub does NOT provide a security infrastructure but does orchestrate different security products/tools.

So you still need an existing security infrastructure behind SecHub !

It was designed to be very easy to integrate into any existing build pipeline / contionus integration (CI) and helps to provide SecDevOps.

You can get more information about from SecHub web page .

The project is hosted at https://github.com/mercedes-benz/sechub

About documentation

This documentation is part of SecHub.

Key Value Information

LICENSE

MIT License

Please look at https://github.com/mercedes-benz/sechub/blob/master/LICENSE

Documentation version: Client 1.4.0 modified (commit cf48181) - Build date: 20240226101315


2. SecHub client

2.1. In a nutshell

The SecHub client program is an executable binary which can be used from command line or in a build tool of your choice.

It’s very easy to use and you do not have to handle all the REST-API calls by yourself.

Currently the client only supports basic authentication, but of course always only over https.

2.2. Download

Download the binary for your operating system where you want to trigger SecHub scanning. You will have no dependencies, just place the single binary file to a location inside your path variable.

Direct download link to the latest client release: https://mercedes-benz.github.io/sechub/latest/client-download.html For documentation, please look at SecHub web page .

2.3. Supported Platforms

The SecHub Client is available for a number of platforms. A platform is a combination of an operating system and a CPU architecture.

Table 1. Supported platforms
Name OS CPU Architecture Description

darwin-amd64

macOS

AMD and Intel 64-bit

The macOS client.

darwin-arm64

macOS

ARM

Support for recent Macs with ARM architecture.

linux-386

Linux

AMD and Intel 32-bit

Universal client for Linux as operating system. Statically linked - no dependencies. Also for older hardware.

linux-amd64

Linux

AMD and Intel 64-bit

The Linux client, unless you are using older hardware or an ARM system. Dynamically linked.

linux-arm

Linux

ARM 32-bit

For ARM 32-bit systems. For example, single board computers such as the Raspberry PIs, older Nvidia Jetson boards and many more.

linux-arm64

Linux

ARM 64-bit

For ARM 64-bit systems, such as ARM based servers and some single board computers. Examples include newer models of the Nvidia Jetson series, newer Raspberry PI models, servers from the Marvell ThunderX series and Amazon AWS EC2 A1, T4g, M6g, C6g, and R6g instances.

windows-386

Windows

AMD and Intel 32-bit

For older hardware running Windows as operating system.

windows-amd64

Windows

AMD and Intel 64-bit

The Windows client, unless you are using older 32-bit hardware.

In case your platform is not included in the table, you might be able to compile the SecHub Client for your platform. The SecHub Client is written in the Go programming language. Go supports more platforms. For a full list of supported platforms have a look at the Go documentation: Optional environment variables.

2.4. Usage

2.4.1. Show help

sechub help

will print out a simple help of all command line options. At the end you will find a link to the latest config and variable examples.

2.4.2. Actions

2.4.3. Parameter overview for client actions

Here is an overview of the mandatory parameters for each action:

action

mandatory parameters

scan

server + user + api token + projectID + configFile

scanAsync

server + user + api token + projectID + configFile

getStatus

server + user + api token + projectID

getReport

server + user + api token + projectID

listJobs

server + user + api token + projectID

defineFalsePositives

server + user + api token + projectID

getFalsePositives

server + user + api token + projectID

interactiveMarkFalsePositives

server + user + api token + projectID + (file only if no report file is in current dir)

interactiveUnmarkFalsePositives

server + user + apiToken + projectID

markFalsePositives

server + user + api token + projectID + file

unmarkFalsePositives

server + user + api token + projectID + file

help

version

2.4.3.1. scan

This is the recommended scan action: You only have to make one single client call to trigger a scan and get the report.

The client performs these steps for you:

  1. create a scan job on the SecHub server

  2. upload necessary data (e.g. zipped sourcefiles for source scans)

  3. approve the job as ready to start

  4. wait until the job is done

  5. download the report file

On "red" (critical or high findings) the SecHub client exits with a non-zero status so your build will break (depends on your build tool).
For security reasons always pass your API-token via the environment variable SECHUB_APITOKEN.

Minimum call syntax

Prerequisite is a configuration file sechub.json in current directory.
See here for details: Configuration file

sechub scan
If you prefer the report in HTML format:
sechub -reportformat html scan
With -output ${file-or-directory} you can define where to place the report.
Can be a directory, a file name or a file path.
Default: sechub_report_${your-project}_${jobUUID}.{json|html|spdx} in current directory
2.4.3.2. scanAsync

Does scan asynchronous:

  • Identical to action scan but does not wait until the job has finished on the SecHub server

  • Returns the SecHub job UUID of the newly created scan job.

This can be interesting if you have long running scans and you want have a fast continous integration build - but then you have to manually check the job state, fetch reports and you get no automated build break!

Minimum call syntax

sechub scanAsync
2.4.3.3. getStatus

Will fetch the job status and return result as json

Minimum call syntax

sechub getStatus
Defaults to latest job.
You can select the job by providing the wanted job UUID by adding -jobUUID ${jobUUID}
2.4.3.4. getReport

Will fetch the report as json. (result will only exist when job is done)

Minimum call syntax

sechub getReport
Defaults to latest finished job.
You can select the job by providing the wanted job UUID by adding -jobUUID ${jobUUID}
With -output ${file-or-directory} you can define where to place the report.
Can be a directory, a file name or a file path.
Default: sechub_report_${your-project}_${jobUUID}.{json|html|spdx} in current directory
2.4.3.5. listJobs

Lists the last jobs and their state.

Minimum call syntax

sechub listJobs
This might be useful for an overview or
when you want to see your project’s scan job queue or
to find out the job UUID of a certain job.
2.4.3.6. defineFalsePositives

This will define the false positives list of your project.
Default definition file to read from is sechub-false-positives.json - format is same as for markFalsePositives.

The client will compare against the already defined false-positives on the server and
- add missing false-positive definitions
- remove the ones which are not in the definition file

Minimum call syntax

sechub defineFalsePositives
With -file ${file} you can define where to read from.
Default: sechub-false-positives.json in current directory
It’s a good idea to add your false-positives definition file in your source code repository. So everybody can easily have an overview about the declared false-positives.
2.4.3.7. getFalsePositives

This will fetch the false positives list of your project as JSON.

Minimum call syntax

sechub getFalsePositives
With -output ${file-or-directory} you can define where to place the result.
Can be a directory, a file name or a file path.
Default: sechub-false-positives-${your-project}.json in current directory
2.4.3.8. interactiveMarkFalsePositives

Instead of creating a json file to mark false positives, you can also do this interactively: Go to the project directory containing sechub.json and a report file from a recent scan and run sechub interactiveMarkFalsePositives.

You can select the report file using the -file option of the client. Otherwise the project’s latest report file in the current directory is automatically selected.

For each finding in the reports file, you are prompted: "Add this as false positive?" Your choices are:

  • y Yes - Mark as false positive. You are prompted for an optional comment line which can help to understand later why this has been marked.

  • n No - Do nothing and go to next item.

  • s Skip following findings - Finish the marking and add the marked items to the false positives list on the SecHub server.

  • c Cancel - Quit and upload nothing

You can download and view your current false positives list with getFalsePositives
2.4.3.9. interactiveUnmarkFalsePositives

Instead of creating a json file to unmark false positives, you can also do this interactively: Go to the project directory containing sechub.json and run sechub interactiveUnmarkFalsePositives

SecHub client will download the current false posisitves list and interactively ask each entry: "Do you want to remove this false positive?" Your choices are:

  • y Yes - Unmark this false positive.

  • n No - Do nothing and go to next item.

  • s Skip the rest - End the asking here and remove the marked items from the false positives list on the SecHub server.

  • c Cancel - Quit and change nothing

2.4.3.10. markFalsePositives

Read your report carefully and figure out which of the findings are "false positives" (FP). After this, create a json file containing jobUUID and ID of the findings you decided to be a FP. You should add an optional comment, describing your decision to mark this as FP. Select this file by the -file argument and start action markFalsePositives.

Minimum call syntax

sechub -file ${json-file} markFalsePositives

Example JSON:

{
  "apiVersion": "1.0", (1)
  "type": "falsePositiveJobDataList", (2)
  "jobData": [
    {
      "jobUUID": "6cfa2ccf-da13-4dee-b529-0225ed9661bd", (3)
      "findingId": 1, (4)
      "comment": "Absolute Path Traversal, can be ignored because not in deployment" (5)
    },
    {
      "jobUUID": "6cfa2ccf-da13-4dee-b529-0225ed9661bd",
      "findingId": 15
    }
  ]
}
1 api version
2 type - must be falsePositiveJobDataList
3 job-UUID of the report where the finding was
4 finding ID of finding in the report, which shall be marked as false positive
5 Comment (optional) describing the reason why this is a false positive
markFalsePositives only adds new false positives.
Providing an empty list here does NOT delete the already declared false positives!
If you want this, please use defineFalsePositives.
See also interactiveMarkFalsePositives for an easy way to declare false positives.
2.4.3.11. unmarkFalsePositives

Remove formerly defined false positives.
It works similar to markFalsePositives: Just define a JSON file, select the file by the -file argument and start action unmarkFalsePositives

Minimum call syntax

sechub -file ${json-file} unmarkFalsePositives

Example JSON:

{
  "apiVersion": "1.0",
  "type": "falsePositiveJobDataList",
  "jobData": [
    {
      "jobUUID": "6cfa2ccf-da13-4dee-b529-0225ed9661bd",
      "findingId": 1
    },
    {
      "jobUUID": "6cfa2ccf-da13-4dee-b529-0225ed9661bd",
      "findingId": 15
    }
  ]
}
interactiveMarkFalsePositives might be much easier to use

2.4.4. Configuration overview

Basically parameters can be passed to the SecHub client in three ways:

  • commandline options (overrides below)

  • environment variables (overrides config file)

  • configuration file (default sechub.json)

In below table, there is an overview of what can be defined where.

scope

cmdline option

environment variable

JSON config file

api token

-apitoken (!! not recommended !!)

SECHUB_APITOKEN

code scan config

codeScan

JSON config file

-configfile

file

-file

job uuid

-jobUUID

label definitions

-label

SECHUB_LABELS

metaData.labels

max. poll interval

-wait

SECHUB_WAITTIME_DEFAULT

network timeout

-timeout

output folder or file

-output

project id

-project

SECHUB_PROJECT

project

quiet mode

-quiet

SECHUB_QUIET

report format

-reportformat

scan for secrets

secretScan

server url

-server

SECHUB_SERVER

server

stop on yellow

-stop-on-yellow

temporary dir

-tempdir

SECHUB_TEMP_DIR

user id

-user

SECHUB_USERID

user

web scan config

webScan

2.4.5. Commandline Options

  • -apitoken <string>
    The user’s api token - mandatory. Please try to avoid -apitoken parameter for security reasons!!
    Use environment variable SECHUB_APITOKEN instead! (see: Environment variables)

  • -configfile <filepath>
    Path to SecHub JSON config file. Defaults to sechub.json in current directory.

  • -file <filepath>
    Defines file to read from for actions defineFalsePositives, markFalsePositives, interactiveMarkFalsePositives, unmarkFalsePositives

  • -jobUUID <string>
    SecHub job uuid. Optional for actions getStatus or getReport

  • -label <label definition>
    Define a SecHub label for the scan job. (Example: "key1=value1") Repeat to define multiple labels.

  • -output <path to folder or file>
    Where to place reports, false-positive files etc. Can be a directory, a file name or a file path (defaults to current working directory and default file names)

  • -project <string>
    Unique project id - mandatory, but can also be defined in config file or via environment variable.

  • -quiet
    Quiet mode - Suppress all informative output. Can also be defined via environment variable SECHUB_QUIET=true.
    Only print filenames written to, errors and explicitely requested informations (job-UUID, version, status).

  • -reportformat <format>
    Output format for reports. Currently supported: [json, html, spdx-json]. If an unsupported format string is provided, "json" will always be the fallback.

  • -server <url>
    Server url of SecHub server to use - e.g. https//example.com:8081. Mandatory, but can also be defined in config file or via environment variable.

  • -stop-on-yellow
    A yellow traffic light in the report will result in a non-zero return code.

  • -tempdir <path to folder>
    Temporary files will be placed here. (defaults to current working directory)

  • -timeout <seconds>
    Timeout for network communication in seconds. (default 120)

  • -user <string>
    Username - mandatory, but can also be defined in config file or via environment variable.

  • -wait <seconds>
    Maximum wait time in seconds (default 60). Will be used for periodic status checks when action=scan and for retries of HTTP calls.

2.4.6. Environment variables

Additionally to above cmdline options, you can set some values also via environment variables which can be helpful when you have different SecHub environments (like: dev, int, prod)

  • SECHUB_APITOKEN
    The SecHub api token for SECHUB_USERID. (same as -apitoken option)

  • SECHUB_LABELS
    Define one or more labels for the scan job. The labels will appear in your SecHub report. Separate multiple labels with ",". (see also -label option)
    Example: export SECHUB_LABELS="key1=test 1,key2=test 2"

  • SECHUB_PROJECT
    The SecHub project id. (same as -project option)

  • SECHUB_QUIET
    Quiet mode (true or false / unset) - Suppress all informative output. (same as -quiet option)

  • SECHUB_SERVER
    The SecHub server url. (same as -server option)

  • SECHUB_TEMP_DIR
    Temporary files will be placed here. Make sure that the folder exists and is writeable. (same as -tempdir option)

  • SECHUB_TRUSTALL
    When set to true, then HTTPS certificate checking will be disabled. May be useful when using self-signed certificates. Please try to avoid this setting for security reasons.

  • SECHUB_USERID
    The SecHub username. (same as -user option)

  • SECHUB_WAITTIME_DEFAULT
    Maximum wait time in seconds (default 60). Will be used for automatic status checks etc. when action=scan.

  • SECHUB_WHITELIST_ALL
    When set to true then ignore the default whitelist for source files and add every file. You may want to define excludes in your sechub.json file. !! Handle with care !!

Settings for debugging/client development:

  • SECHUB_DEBUG
    When set to true then log as much as possible (but not HTTP request contents)

  • SECHUB_DEBUG_HTTP
    When set to true then log HTTP request contents.

  • SECHUB_IGNORE_DEFAULT_EXCLUDES
    When set to true then default exclude folders {"**/test/**", "**/.git/**", "**/node_modules/**"} will be included for code scan. In this case, you should declare your own exclude list in the config json.

  • SECHUB_INITIAL_WAIT_INTERVAL
    Initial wait time (floating point number) until SecHub client polls the first time if the report is ready (sechub scan). Meant for local integration tests.

  • SECHUB_KEEP_TEMPFILES
    When set to true then sourcecode-<projectID>.zip files for code scan will not be removed, so you can check, what was uploaded to the SecHub server.

2.4.7. Proxy support

The environment variables http_proxy, https_proxy and no_proxy (or the uppercase versions thereof) can be set to use a proxy for accessing the SecHub server. (https_proxy takes precedence over http_proxy for https requests.)

Syntax: [<scheme>://][<username>:<password>@]<proxy host>[:<proxy port>]

The environment values may be either a complete URL or a "host[:port]", in which case the "http" scheme is assumed.

Examples (Linux/Mac):

export http_proxy=http://scott:tiger@proxy.example.org:3128

export http_proxy=http://localhost:3128 (e.g. when using a local CNTLM proxy)

2.4.8. Debugging

For troubleshooting, you can

  • set environment variable SECHUB_DEBUG to true
    Now you will see in detail what the client does and also the html calls sent to and received from SecHub server.

  • set environment variable SECHUB_DEBUG_HTTP to true
    Now you will see the complete HTTP communication including headers.
    (basic-auth headers (security) and contents of uploads (binary data) are filtered out)

  • set environment variable SECHUB_KEEP_TEMPFILES to true
    Now sourcecode-<projectID>.zip files for code scan or binaries-<projectID>.tar will not be removed, so you can check, what was uploaded to the SecHub server.

2.5. SecHub configuration JSON

A SecHub configuration must be valid JSON and is defined at caller side.

It is used by the client and also by rest calls to define SecHub scan jobs and add meta data.

Some minor parts are client specific and must be handled by direct REST calls in a special way or do just not exist. But this is mentioned inside this documentation

The individual components in the JSON are documented below:

2.5.1. API version

apiVersion must be defined (so mandatory). Currently only 1.0 is valid.

2.5.2. Server

server defines the url of your SecHub server. Information can be used by client implementations.

This is an optional parameter only which is only interesting for the client to pass the URL. Every REST call contains the server URL already.

2.5.3. Project

project defines the project id within SecHub. Information can be used by client implementations.

When using project id related REST calls, you do not need the project id inside the configuration.

2.5.4. Code scan

codeScan defines the settings for code scans.

2.5.4.1. Upload source files from file system

This section applies only to the SecHub client.

All source code files inside the defined folders will be automatically zipped and uploaded by the SecHub client to the SecHub server for analysis.

Paths must be defined relative to caller location - for example on a Jenkins Build Server this is usually the root folder of your repository.

Please do NOT use \ inside paths but always /.

We do NOT recommend using absolute paths but always relative paths!
You should call SecHub inside the repository’s root folder - this is the standard on build servers.

There are two ways to define source code uploads for the SecHub client:

2.5.4.1.1. Using data section

Define the files and folders in a data section and reference it inside the codeScan.
This becomes useful e.g. if the same sources are used by different scan types.

Example sechub.json using data section

{
  "apiVersion": "1.0",
  "codeScan": { (1)
    "use": [
      "gamechanger-sources"
    ]
  },
  "data": {
    "sources": [ (2)
      {
        "name": "gamechanger-sources",
        "fileSystem": { (3)
          "folders": [ (4)
            "gamechanger-android/src/main/java",
            "gamechanger-server/src/main/java"
          ]
        },
        "excludes": [ (5)
          "**/mytestcode/**",
          "*.config"
        ],
        "additionalFilenameExtensions": [ (6)
          ".cplusplus",
          ".py9"
        ]
      }
    ]
  }
}
1 Define code scan
2 Upload source code (in contrast to binary uploads)
3 fileSystem - means uploading sources from local filesystem to SecHub server
4 Upload will contain sources from gamechanger-android/src/main/java and gamechanger-server/src/main/java and their sub folders
5 Exclude directories (optional), the ANT fileset pattern notation is supported.
  • In the example above all files in directories named mytestcode and their subdirectories are excluded from upload.

  • Also all files matching *.config are excluded in any directory

  • Default excludes:
    Per default, the directories **/test/** **/.git/** **/node_modules/** are already excluded.

6 The SecHub client only adds "well known" sources into the upload zip file. This reduces the upload size and the scan duration. (E.g. a codescan for a JPEG image would not make sense…​)
In the SecHub client documentation you will find a list of the default file endings.
Here we also add ".cplusplus" and ".py9" as additional accepted source file extensions.
2.5.4.1.2. fileSystem inside the codeScan section (deprecated)

Define a fileSystem child entry inside the codeScan section for code scanning.

This option is deprecated but still supported.
Please consider using the data section as described above as it provides more flexibility.

Example sechub.json using fileSystem inside the codeScan section (results in same upload as in above example):

{
  "apiVersion": "1.0",
  "codeScan": {
    "fileSystem": {
      "folders": [
        "gamechanger-android/src/main/java",
        "gamechanger-server/src/main/java"
      ]
    },
    "excludes": [
      "**/mytestcode/**",
      "*.config"
    ],
    "additionalFilenameExtensions": [
      ".cplusplus",
      ".py9"
    ]
  }
}

2.5.5. License scan

licenseScan defines the settings for license scans.

2.5.5.1. Example binary license scan
License scan configuration for binaries
{
  "apiVersion" : "1.0",
  "data" : {
    "binaries" : [ { 
      "name" : "firmware-images",(1)
      "fileSystem" : {
        "folders" : [ "gamechanger-firmware/images" ]
      }
    } ]
  },
  "licenseScan" : { 
    "use" : [ "firmware-images"] (2)
  }
}
1 name of the source data configuration: "firmware-images"
2 license scan uses the referenced data configuration "firmware-images"
2.5.5.2. Example source license scan
License scan configuration for sources
{
  "apiVersion" : "1.0",
  "data" : {
    "sources" : [ {
      "name" : "firmware-sources", (1)
      "fileSystem" : {
        "folders" : [ "gamechanger-firmware/src" ]
      }
    } ]
  },
  "licenseScan" : { 
    "use" : [ "firmware-sources"] (2)
  }
}
1 name of the source data configuration: "firmware-sources"
2 license scan uses the referenced data configuration "firmware-sources"
2.5.5.3. Example source licence scan with sources code scan combined
License scan and code scan configuration for sources
{
  "apiVersion" : "1.0",
  "data" : {
    "sources" : [ {
      "name" : "firmware-sources", (1)
      "fileSystem" : {
        "folders" : [ "gamechanger-firmware/src" ] 
      }
    } ]
  },
  "licenseScan" : {
    "use" : [ "firmware-sources"] (2)
  },
  
  "codeScan" : {
    "use" : [ "firmware-sources"] (3)
  }
}
1 name of the source data configuration: "firmware-sources"
2 license scan uses the referenced data configuration "firmware-sources"
3 code scan uses the referenced data configuration "firmware-sources"

2.5.6. Secret scan

secretScan defines the settings for scanning for secrets in your source code.

2.5.6.1. Example source secret scan
Secret scan configuration for sources
{
  "apiVersion" : "1.0",
  "data" : {
    "sources" : [ {
      "name" : "gamechanger-source", (1)
      "fileSystem" : {
        "folders" : [ "gamechanger-configuration/src", "gamechanger-app/src"  ] (2)
      }
    } ]
  },
  "secretScan" : { 
    "use" : [ "gamechanger-source"] (3)
  }
}
1 name of the source data configuration: "gamechanger-source"
2 source code folders to scan.
3 secret scan uses the referenced data configuration "gamechanger-source"
2.5.6.2. Example binary secret scan
Secret scan scan configuration for binaries
{
  "apiVersion" : "1.0",
  "data" : {
    "binaries" : [ { 
      "name" : "firmware-images",(1)
      "fileSystem" : {
        "folders" : [ "gamechanger-firmware/images" ]
      }
    } ]
  },
  "secretScan" : { 
    "use" : [ "firmware-images"] (2)
  }
}
1 name of the source data configuration: "firmware-images"
2 secret scan uses the referenced data configuration "firmware-images"
2.5.6.3. Example source secret scan combined with code scan
Secret scan and code scan configuration for sources
{
  "apiVersion" : "1.0",
  "data" : {
    "sources" : [ {
      "name" : "gamechanger-source", (1)
      "fileSystem" : {
        "folders" : [ "gamechanger-configuration/src", "gamechanger-app/src"  ] (2)
      }
    } ]
  },
  "secretScan" : { 
    "use" : [ "gamechanger-source"] (3)
  },
  "codeScan" : { 
    "use" : [ "gamechanger-source"] (4)
  }
}
1 name of the source data configuration: "gamechanger-source"
2 source code folders to scan.
3 secret scan uses the referenced data configuration "gamechanger-source"
4 code scan uses the referenced data configuration "gamechanger-source"

2.5.7. Web scan

webScan defines the settings for web scans (DAST).

2.5.7.1. URL

Use the url element to define a URL you want to scan.

The URL must be whitelisted in your project. Otherwise it will be rejected. So you are not able to start scanning foreign domains and do accidently attack them…​
2.5.7.1.1. Example anonymous
{
  "apiVersion": "1.0",
  "webScan": { (1)
    "url": "https://www.gamechanger.example.org", (2)
    "includes": [ (3)
      "/special/include",
      "/special/include/<*>",
      "<*>/special/<*>/include/<*>",
      "<*>/special/include/<*>",
      "special/include/<*>",
      "special/include",
      "special/include/"
    ],
    "excludes": [ (4)
      "/en/contact",
      "/en/contacts/<*>",
      "<*>/en/<*>/contacts/<*>",
      "<*>/en/contacts/<*>",
      "en/contacts/<*>",
      "en/contacts",
      "en/contacts/"
    ]
  },
  "maxScanDuration": { (5)
    "duration": 1,
    "unit": "hour" (6)
  }
}
1 Define web scan
2 The URL to scan. This URL must be whitelisted in SecHub project. Normally without a slash / at the end.
3 Optional: Define includes, if you have a special path that is linked nowhere, so the scanner can not detect it automatically while crawling the application. You can use wildcards by using the symbol <*> like in the example above. To make the scan work the target URL will always be implicitly included with "https://www.gamechanger.example.org<*>" if no includes are specified. If includes are specified the scan is limited to these includes. In case you need to include certain parts of your application the scanner cannot detect, but you want everything else to be scanned as well, please specify a wildcard as include explicitly: "includes": [ "/hidden/from/crawler/", "/<*>" ].
  • Includes starting with a slash (/) like "includes": [ "/special/include","/special/include/<*>"] they are interpreted relative to the scan target URL provided before.

  • Includes not starting with a slash (/) like "includes": [ "<*>/en/contacts/<*>","en/contacts/<*>","en/contacts","en/contacts/"] are interpreted as enclosed by wildcards like the first include in the list example: "<*>/en/contacts/<*>".

4 Optional: Define excludes, if you have a special path you want to exclude, from the scan. You can use excludes the same way you can use the includes. Excludes do always overwrite includes if the provided patterns for includes and excludes do have intersections.
5 Optional: Define the maximum duration the scan can take. Scanning a "large" web page/application can take several hours or even days. This option ensures the scan will only run for a limited time.
6 Define the unit of time. The unit can be: millisecond, second, minute, hour, day.

Includes are a different from excludes looking at wildcards, because in includes they might not be resolved properly, if the pages behind the wildcards cannot be detected by a web crawler.

If you only want to scan a specific part of your application e.g only the customers section https://my-application.com/customer/, you can specify the target URL : "url": "https://my-application.com" and the wanted include starting with a slash like this : "includes": [ "/customer/<*>"].

2.5.7.2. Login

A web scan does work much better if it has got access to all content - so a login is necessary most time. If you do not define a login configuration your web scan will be done only as anonymous user.

Providing login will enable web scanner to execute ALL possible actions!

An example: Your test application has a Web UI for sending SMS which can be triggered by an user. Then a web scan can trigger those operations as well!

If you do this inside an environment where a real SMS provider is connected, this could result into mass SMS and also in a bigger invoice from your SMS provider - so be careful!

2.5.7.2.1. Options

SecHub provides you with 2 options for login:

  • basic authentication

  • form based login

    • script based

When a web scan product (or its adapter) does not support your wanted options you will have a failure at execution time!

2.5.7.2.2. Example basic authentication
{
    "apiVersion": "1.0",
    "webScan": {
        "url": "https://productfailure.demo.example.org",
        "login": {
            "url": "https://productfailure.demo.example.org/login",(1)
            "basic": {(2)
                "user": "{{ .LOGIN_USER }}",
                "password": "{{ .LOGIN_PWD }}",
                "realm": "{{ .LOGIN_REALM }}" (3)
            }
        }
    }
}
1 URL for web login
2 Basic authentication, needs user id/name and password.
3 Optional: You can set the realm used for basic authentication. But normally this is not necessary.
2.5.7.2.3. Example client certificate authentication
client certificate authentication
{
  "apiVersion" : "1.0",
  "project" : "example_project",
  "data" : {
    "sources" : [ {
      "name" : "client-certificate-file-reference", (1)
      "fileSystem" : {
        "files" : [ "path/to/backend-cert.p12" ]
      }
    } ]
  },
  "webScan" : {
    "url" : "https://my-app.com",
    "clientCertificate" : {
      "password" : "{{ .CERT_PASSWORD }}", (2)
      "use" : [ "client-certificate-file-reference" ] (3)
    }
  }
}
1 name of the source data configuration: "client-certificate-file-reference". Please use single files only instead of folders to specify the client certificate. If you want to combine this with an openAPI definition that must be uploaded for the scan as well, please refer to this example.
2 Optional: If the client certificate is password protected, the password can be specified here. Using our SecHub GO client you can make use of the GO templating engine. Like in the example above the you can provide an environment variable containing the password instead of writing the plaintext password in the JSON configuration file. In the example above the SecHub GO client will substitute the value of "{{ .CERT_PASSWORD }}" with the value of the environment variable CERT_PASSWORD.
3 web scan uses the referenced data configuration "client-certificate-file-reference", to obtain the client certificate file.
2.5.7.2.4. Example form based login by script
{
  "apiVersion" : "1.0",
  "webScan" : {
    "url" : "https://productfailure.demo.example.org",
    "login" : {
      "url" : "https://productfailure.demo.example.org/login", (1)
      "form" : { (2)
        "script" : { (3)
          "pages" : [ (4)
                  {
                    "actions" : [ (5)
                            {
                              "type" : "username", (6)
                              "selector" : "#example_login_userid", (7)
                              "value" : "{{ .LOGIN_USER }}" (8)
                            }, 
                            {
                              "type" : "password",
                              "selector" : "#example_login_pwd",
                              "value" : "{{ .LOGIN_PWD }}"
                            },
                            {
                              "type" : "click",
                              "selector" : "#next",
                              "description" : "Click to go to next page" (9)
                            }
                         ]
                  },
                  {
                    "actions" : [
                            {
                              "type" : "input",
                              "selector" : "#example_other_inputfield",
                              "value" : "{{ .OTHER_VALUE }}"
                            }, 
                            {
                              "type" : "wait", (10)
                              "value" : "1",
                              "unit" : "second" (11)
                            }, 
                            {
                              "type" : "click",
                              "selector" : "#doLogin"
                            } 
                    ]
                 } 
          ]
        }
      }
    }
  }
}
1 URL for web login.
2 Start of form based login.
3 Script definition.
4 Pages section. A page is a visible page. Some logins need more than one page.
5 The actions which should be executed on each page.
6 Type of action. Valid types are :
  • username
    name of user used for login

  • password
    password entered at login

  • input
    setup value for a field on UI

  • click
    will simulate a mouse click on UI

  • wait
    time to wait before executing the next action

7 Selector (CSS) to identify web element.
8 Value, used by most actions (username|password|input|wait).
In this examples you see variables in go template format. This is SecHub client specific. If you use the REST API directly, you must use real values!
9 A description can be added to explain an action.
10 The time the next action will be delayed.
11 Define the unit of time. The unit can be: millisecond, second, minute, hour, day.
username and password are like input but SecHub tries to hide these information in logs or at UI where possible. So do NOT use input for credentials!
2.5.7.2.5. Example OpenAPI scan
Open API scan
{
  "apiVersion" : "1.0",
  "data" : { 
    "sources" : [ {
      "name" : "open-api-file-reference", (1)
      "fileSystem" : {
        "files" : [ "gamechanger-webapp/src/main/resources/openapi3.json" ]
      }
    } ]
  },
  "webScan" : { 
    "url" : "https://productfailure.demo.example.org",
    "api" : {
      "type" : "openApi", (2)
      "use" : [ "open-api-file-reference" ] (3)
    }
  }
}
1 name of the source data configuration: "open-api-file-reference"
2 web scan uses "openApi" as API type
3 web scan uses the referenced data configuration "open-api-file-reference" to obtain the open api configuration file
2.5.7.2.6. Example combination of openAPI definition and client certificate authentication
Open API scan with client certificate authentication
{
  "apiVersion" : "1.0",
  "data" : {
    "sources" : [ {
      "name" : "open-api-file-reference", (1)
      "fileSystem" : {
        "files" : [ "gamechanger-webapp/src/main/resources/openapi3.json" ]
      }
    }, {
      "name" : "client-certificate-file-reference", (2)
      "fileSystem" : {
        "files" : [ "path/to/backend-cert.p12" ]
      }
    } ]
  },
  "webScan" : {
    "url" : "https://productfailure.demo.example.org",
    "api" : {
      "type" : "openApi",
      "use" : [ "open-api-file-reference" ] (3)
    },
    "clientCertificate" : {
      "password" : "{{ .CERT_PASSWORD }}",
      "use" : [ "client-certificate-file-reference" ] (4)
    }
  }
}
1 Data section with files referenced by the openAPI definition. Multiple files (NOT folders) are possible.
2 Data section with the file referenced by the clientCertificate definition. Only one single file shall be provided here.
3 Reference to the data section containing files with your openAPI definitions (e.g. swagger.yml or openAPI.json)
4 Reference to the data section containing file with your client certificate for authentication.
2.5.7.2.7. Example Header scan
header scan
{
  "apiVersion" : "1.0",
  "webScan" : {
    "url" : "https://productfailure.demo.example.org",
    "headers" : [ {
      "name" : "Authorization", (1)
      "value" : "{{ .HEADER_VALUE }}" (2)
    }, {
      "name" : "x-file-size", (3)
      "value" : "123456", (4)
      "onlyForUrls" : [ "https://productfailure.demo.example.org/admin", "https://productfailure.demo.example.org/upload/<*>", "https://productfailure.demo.example.org/<*>/special/" ], (5)
      "sensitive" : false (6)
    } ]
  }
}
1 Name of the specified header. Must not be null or empty.
2 Value of the specified header. Must not be null or empty. You can use the go template format like above by creating a environment variable like: HEADER_VALUE="Bearer mytoken1234". This might be useful to load the information via the SecHub client dynamically, if the header value you specify contains credentials.
3 Name of the second header. You can specify a list of headers the DAST Scanner needs interact with your application.
4 Value of the second header. Here no go template format is used, since in this example there are no credentials but only file size of an upload.
5 Optional Parameter: For each header you can specify a list of URLs. The header this list belongs to, will only be send when accessing one of the URLs on the list. If you do not specify a list of URLs or the list is empty, the header will be send on each request to every URL. You can also use wildcards by specifying <*> like in the example above. Adding a wildcard to the end of an URL, the header will be sent to all sub URLs as well, otherwise it won’t be sent to sub URLs. Make sure that the header URL combinations are unique. This means do not specify the same header multiple times for the same scope of URLs.
6 Optional Parameter to handle sensitive header data: If true, the value of this header will be masked inside the SecHub report to avoid leaking the information. But if the parameter is set to false the value will be shown as is. The default is true if nothing is specified.

2.5.8. Infrastructure scan

infraScan (optional) defines the infrastructure scan settings.

2.5.8.1. URIs

Use uris element to define a string array containing URIs you want to scan.

2.5.8.1.1. Example infrascan one URI
{
  "apiVersion": "1.0",
  "infraScan": { (1)
    "uris": [ (2)
      "https://www.gamechanger.example.org/"
    ]
  }
}
1 Define infrastructure scan
2 The URI s to scan. Every URI listed here must be white listed in SecHub project.
2.5.8.2. IPs

Use ips element to define a string array containing IPs you want to scan.

2.5.8.2.1. Example infrascan one IP
{
  "apiVersion": "1.0",
  "infraScan": { (1)
    "ips": [ (2)
      "127.0.0.1"
    ]
  }
}
1 Define infrastructure scan
2 The IP s to scan. Every IP listed here must be white listed in SecHub project. The given example with 127.0.0.1 represents only an example and will always not work because scanners do not scan them self.

2.5.9. Data section

With the data section users are able to

  • define binary and source uploads

  • reference the same by muliple scan types in one job

The scan configurations can reference the name data configuration elements by defining the array attribute "use" with a list of references.

{
  // ..scan definition
  "use" : [ "reference-name-1","reference-name-2", ... ] (1)
}
1 the list of referenced data configurations . The referenced names must exist.

Here are some links to examples which are using data inside their configurations:

The next figure shows an example which presents all possibilities (for simplicity the source and binary configuration arrays do contain only just one entry):

General JSON syntax
{
  "data": { (1)
    "sources": [
      { (2)
        "name": "reference-name-sources-1", (3)
        "fileSystem": { (4)
          "files": [ (5)
            "somewhere/file1.txt",
            "somewhere/file2.txt"
          ],
          "folders": [ (6)
            "somewhere/subfolder1",
            "somewhere/subfolder2"
          ]
        },
        "excludes": [ (7)
          "**/mytestcode/**",
          "**/documentation/**"
        ],
        "additionalFilenameExtensions": [ (8)
          ".cplusplus",
          ".py9"
        ]
      }
    ],
    "binaries": [
      { (9)
        "name": "reference-name-binaries-1", (3)
        "fileSystem": {
          "files": [ (5)
            "somewhere/file1.dll",
            "somewhere/file2.a"
          ],
          "folders": [ (6)
            "somewhere/bin/subfolder1",
            "somewhere/bin/subfolder2"
          ]
        }
      }
    ]
  }
}
1 data: The main element for data configuration.
2 sources: Inside this array multiple source data definitions can be listed
3 name: Is a unique name for the data configuration element. The name must be unique inside the whole SecHub configuration file! Allowed characters are a-z,0-9 and the special characters _ and -.
4 fileSystem: Describes fileystem parts which are available inside this data configuration element
5 files: An array containing file paths to use for uploading dedicated files
6 folders: An array containing folder paths to use for uploading dedicated folders
7 excludes: Exclude directories (optional) - see code scan for details. The excludes work for sources and binaries the same way.
8 additionalFilenameExtensions Introduce additional file name extensions. See code scan for details about default behaviour for sources.
9 sources: Inside this array multiple binary data definitions can be listed.

2.5.10. MetaData

The SecHub configuration file can have optional meta data.

2.5.10.1. Labels

With labels a user is able to add additional information to the scan configuration which end up in the report as key value pairs.

Using the SecHub client, you can also pass labels via command line or environment variables.

The next figure shows an example which presents all possibilities (for simplicity other configuration elements are removed).

General JSON syntax
{
  "metaData": { (1)
    "labels": { (2)
      "Example1": (3)
      "The labels are alphabetically sorted!", (4)
      "Example1.1": "Values can be any text."
    }
  }
}
1 metaData: The main element for meta data configuration. It is optional.
2 labels: Inside this element the user can define labels as key value pairs.
  • maximum allowed entries per configuration file: 20

3 represents the label key.
  • allowed are characters A-Z,a-z,0-9 and the special characters _ , - and .

  • minimum length: 1 character

  • maximum length: 30 characters

4 represents the label value.
  • can contain any text (content will be escaped accordingly in reports)

  • minimum length: 0 characters

  • maximum length: 150 characters

2.5.11. Code scan: accepted source code files

The client will per default only include "wellknown" source files. This is done by inspecting the filename ending. The accepted defaults are shown in next table.

All files having file endings not listed here, will be ignored and not uploaded to SecHub server.
But of course you can also define additional source file endings - see config file example .
Language(s) File extensions

Apex

.apex
.apexp
.apxc
.component
.-meta.xml
.object
.page
.report
.tgr
.trigger
.workflow

ASP (Active Server Pages)

.asp

ASP

.ascx
.aspx

Azure

.bicep

C/C++

.ac
.am
.c
.c++
.cc
.cmake
.cpp
.cxx
.ec
.h
.h++
.hh
.hpp
.hxx
.pro

C#, VB.NET, Visual Basic, VB Script

.asax
.bas
.cls
.cs
.cshtml
.csproj
.ctl
.dsr
.frm
.master
.sln
.vb
.vbp
.vbs
.xaml

Certificates for secrets scans

.crt,
.cer,
.csr,
.der,
.pem,
.pfx,
.p12,
.p7b,
.p7c,
.CRT,
.CER,
.CSR,
.DER,
.PEM,
.PFX,
.P12,
.P7B,
.P7C

Cobol

.cbl
.cob
.cpy
.eco
.pco
.sqb

Docker

Dockerfile
.dockerfile

Go, Protobuf

.go

Groovy

.groovy
.gsh
.gsp
.gvy
.gy

HTML

.htm
.html

Java ecosystem

.app
.cmp
.evt
.gradle
.hbs
.java
.javasln
.jsf
.jsp
.jspf
.mf
.project
.properties
.tag
.tld
.vm
.xhtml

JavaScript

.handlebars
.jade
.js
.json
.jsx
.pug
.vue
.xsaccess
.xsapp
.xsjs
.xsjslib

Kotlin

.ftl
.kt
.kts
,mustache

Kubernetes, Helm, Docker-Compose

.yaml
.yml
.tpl

Lua

.lua

Objective C, Swift

.m
.plist
.swift
.xib

Perl

.pl
.plx
.pm
.psgi

php

.ctp
.php
.php3
.php4
.php5
.php5.6
.phtm
.phtml
.tpl
.twig

PL/SQL

.pck
.pkb
.pkh
.pks
.pls
.sql

Python, Django

.csv
.gtl
.latex
.py
.py2
.py3
.pyi
.python
.tex
.txt

Ruby

.erb
.lock
.rb
.rhtml
.rjs
.rxml

Rust

.rs
.rlib

Scala

.conf
.sc
.scala

Terraform

.tf
.tfvars

Typescript/Angular

.ts
.tsx

Others

.build
.cgi
.config
.inc
.xml

2.5.12. Inject variables into configuration files (For advanced users)

All environment variables are available inside your configuration file in Go template syntax:

{{ .ENV_VARIABLE_NAME }}

For example: When you have defined USED_API_VERSION with value 1.0, you can inject it into a json config file like this:

{
  "apiVersion": "{{ .USED_API_VERSION }}"
}

2.6. Examples

The next subsections contain some SecHub configuration examples. You can use them as templates for your own files.

First: Define your SecHub environment variables:

export SECHUB_SERVER=https://sechub.example.org
export SECHUB_USERID=alice
export SECHUB_APITOKEN=EXAMPLE4aa82407da7e06bdbEXAMPLE
export SECHUB_PROJECT=myproject
Please replace the example values with your real ones to get them working.

2.6.1. Start a source code scan

sechub scan

with corresponding 'sechub.json' config file: see source scan example .

2.6.2. Start a web scan

sechub scan

with corresponding 'sechub.json' config file: see web scan example (anonymous)

2.6.3. Start a scan for secrets

sechub scan

with corresponding 'sechub.json' config file: see examples for secret scans

2.6.4. Start an infra scan

sechub scan

with corresponding sechub.json config file: infrastructure scan example .

2.6.5. Mark false positives

2.6.5.1. markFalsePositives
sechub -file mark-fp.json markFalsePositives

with a corresponding mark-fp.json - see Mark false positives JSON format

2.6.5.2. interactiveMarkFalsePositives
sechub interactiveMarkFalsePositives

/  ___|         | | | |     | |
\ `--.  ___  ___| |_| |_   _| |__
 `--. \/ _ \/ __|  _  | | | | '_ \
/\__/ /  __/ (__| | | | |_| | |_) |
\____/ \___|\___\_| |_/\__,_|_.__/ Client Version 0.29.0-20220401111823

Using latest report file "sechub_report_mytestproject_0a84899f-1305-41e0-a2d5-e7c31d6185fd.json".
------------------------------------------------------------------
1: Side Channel Data Leakage, severity: HIGH
src/main/java/com/example/testapp/invoice/application/InvoiceApplicationService.java, line 651 column 17
        Invoice creditNote = getInvoice(invoiceId).orElseThrow(InvoiceNotFoundException::new);
------------------------------------------------------------------
Add this as false positive? ('y' Yes, 'n' No, 's' Skip following findings, 'c' Cancel) y
Please add a single line comment:
Can be ignored in our case
------------------------------------------------------------------
2: Unsafe Object Binding, severity: MEDIUM
src/main/java/com/example/testapp/api/ServiceOrderController.java, line 33 column 59
    public void saveAttachment(@RequestBody AttachmentDto attachmentDto){
------------------------------------------------------------------
Add this as false positive? ('y' Yes, 'n' No, 's' Skip following findings, 'c' Cancel) n
------------------------------------------------------------------
3: Unsafe Object Binding, severity: MEDIUM
src/main/java/com/example/testapp/api/CouponController.java, line 30 column 78
    public CouponVerifyResponseDto couponVerify(@RequestBody CouponVerifyDto couponVerifyDto) {
------------------------------------------------------------------
Add this as false positive? ('y' Yes, 'n' No, 's' Skip following findings, 'c' Cancel) s
- Successfully uploaded SecHub false-positives list for project "mytestproject" to server.

2.6.6. Unmark false positives

2.6.6.1. unmarkFalsePositives
sechub -file mark-fp.json unmarkFalsePositives

with a corresponding mark-fp.json - see Unmark false positives JSON format

2.6.6.2. interactiveUnmarkFalsePositives
sechub interactiveUnmarkFalsePositives
 _____           _   _       _
/  ___|         | | | |     | |
\ `--.  ___  ___| |_| |_   _| |__
 `--. \/ _ \/ __|  _  | | | | '_ \
/\__/ /  __/ (__| | | | |_| | |_) |
\____/ \___|\___\_| |_/\__,_|_.__/ Client Version 0.29.0-20220401111823

- Fetching false-positives list for project "mytestproject".
------------------------------------------------------------------
Side Channel Data Leakage, codeScan severity: HIGH
  Origin: Finding ID 1 in job 0a84899f-1305-41e0-a2d5-e7c31d6185fd
  File: src/main/java/com/example/testapp/invoice/application/InvoiceApplicationService.java
  Code:         Invoice creditNote = getInvoice(invoiceId).orElseThrow(InvoiceNotFoundException::new);
(Added by testuser at 2020-08-20 12:43:03; comment: "Can be ignored in our case")
------------------------------------------------------------------
Do you want to remove this false positive? ('y' Yes, 'n' No, 's' Skip the rest, 'c' Cancel) y
------------------------------------------------------------------
Side Channel Data Leakage, codeScan severity: HIGH
  Origin: Finding ID 2 in job 0c86134c-2305-41e0-a2d5-e7c31df45d15
  File: src/main/java/com/mercedesbenz/otr/invoice/application/ApplicationService.java
  Code:         Invoice invoice = getInvoice(invoiceId).orElseThrow(InvoiceNotFoundException::new);
(Added by testuser at 2020-08-20 12:43:03; comment: "Another explanation example")
------------------------------------------------------------------
Do you want to remove this false positive? ('y' Yes, 'n' No, 's' Skip the rest, 'c' Cancel) s
Applying false-positives to be removed for project "vpc_cn":
- JobUUID 0a84899f-1305-41e0-a2d5-e7c31d6185fd: finding #1
Transfer completed

3. Reporting

This chapter describes the different SecHub report types and how to read them.

Job reports do only contain information of exact one scan job done by SecHub.

3.1. Job reports

Users can download the results of their finished scan jobs. SecHub provides these report formats:

  • HTML
    human friendly report variant with less details

  • JSON
    as an also machine readable format. It can be directly used by the SecHub IDE plugins (Eclipse, IntelliJ, VSCode/Codium)

  • SPDX JSON

3.1.1. HTML

The main purpose for the HTML report is to have a human friendly report which gives you a fast overview.

At the top left corner you see a traffic light showing either

  • GREEN

  • YELLOW or

  • RED.

You can open the details by clicking on "Open details". This allows you to see the full hierarchy from entry point down to data sink and can help you in analyzing this finding. It also shows a description and a possible solution (if there is one).

The next picture shows a report which resulted in a red traffic light.

sechub report html example1

At the top of the report you find the most critical parts - in this example it is a "red" finding with finding ID 19 which is a "Stored XSS".
The second finding with ID 20 is of the same type. Here the details view is opened so more details can be seen.

If available, you can find the corresponding CWE-Id (Common Weakness Enumeration) as a link to the knowledge base of MITRE in the Type column.

The SecHub client will exit with a non-zero return code per default only at a RED traffic light, but you can also configure the client to do this on color YELLOW.

3.1.2. JSON

This is the machine readable report format.

3.1.2.1. Example code scan report with yellow traffic light
{
  "jobUUID": "6cf02ccf-da13-4dee-b529-0225ed9661bd", (1)
  "trafficLight": "YELLOW", (2)
  "messages": [],
  "status": "SUCCESS",
  "reportVersion": "1.0",
  "result": {
    "count": 2,
    "findings": [
      {
        "id": 1, (3)
        "description": "",
        "name": "Absolute Path Traversal", (4)
        "severity": "MEDIUM", (5)
        "code": {
          "location": "java/com/mercedesbenz/sechub/docgen/AsciidocGenerator.java", (6)
          "line": 28, (7)
          "column": 35,
          "source": "\tpublic static void main(String[] args) throws Exception {",
          "relevantPart": "args",
          "calls": { (8)
            "location": "java/com/mercedesbenz/sechub/docgen/AsciidocGenerator.java",
            "line": 33,
            "column": 17,
            "source": "\t\tString path = args[0];",
            "relevantPart": "args",
            "calls": {
              "location": "java/com/mercedesbenz/sechub/docgen/AsciidocGenerator.java",
              "line": 33,
              "column": 10,
              "source": "\t\tString path = args[0];",
              "relevantPart": "path",
              "calls": {
                "location": "java/com/mercedesbenz/sechub/docgen/AsciidocGenerator.java",
                "line": 34,
                "column": 38,
                "source": "\t\tFile documentsGenFolder = new File(path);",
                "relevantPart": "path",
                "calls": {
                  "location": "java/com/mercedesbenz/sechub/docgen/AsciidocGenerator.java", (9)
                  "line": 34, (10)
                  "column": 29,
                  "source": "\t\tFile documentsGenFolder = new File(path);", (11)
                  "relevantPart": "File" (12)
                }
              }
            }
          }
        },
        "type": "codeScan",
        "cweId": 778
      },
      {
        "id": 2,
        "description": "",
        "hostnames": [],
        "name": "Insufficient Logging of Exceptions",
        "references": [],
        "severity": "INFO",
        "code": {
          "location": "java/com/mercedesbenz/sechub/docgen/usecase/UseCaseRestDocModelDataCollector.java",
          "line": 137,
          "column": 5,
          "source": "\t\t} catch (IOException e) {",
          "relevantPart": "catch"
        },
        "type": "codeScan",
        "cweId": 778
      }
    ]
  }
}
1 SecHub job UUID
2 Traffic light color of report - here YELLOW
3 Finding ID inside report
4 The name of the vulnerability
in our case an Absolute path traversal where attackers could try to manipulate path input, so output could contain unwanted content/wrong file (e.g. a passwd file etc.)
5 The severity of this finding
(will be used to calculate the traffic light color)
6 Entry point location
in this case the Java class where the potential malicious input starts
7 Line number of entry point
8 Next call hierarchy element
this is the next element of the call hierarchy, means what is called by entry point with potential malicious content as parameter. This is ongoing until last entry inside call hierarchy which is the so called "data sink"
9 Data sink location
10 Line number inside data sink
11 Source snippet
12 Relevant code part where the found vulnerability lies/could be exploited