About SecHub

SecHub is an acronym for Security Hub and is first of all one API to scan for different security problems. Users of SecHub do not care about which exact product is doing the real scan on server side, but only configure their wanted aim.

SecHub does NOT provide a security infrastructure but does orchestrate different security products/tools.

So you still need an existing security infrastructure behind SecHub !

It was designed to be very easy to integrate into any existing build pipeline / contionus integration (CI) and helps to provide SecDevOps.

You can get more information about from SecHub web page .

The project is hosted at https://github.com/mercedes-benz/sechub

About documentation

This documentation is part of SecHub.

Key Value Information

LICENSE

MIT License

Please look at https://github.com/mercedes-benz/sechub/blob/master/LICENSE

Documentation version: Server 2.3.1 modified (commit 7de5e5c) - Build date: 2024-11-27 09:48 (UTCZ)

1. Target audience

In case you are a developer, this guide is for you.

2. Guide

This guide describes how to get started with SecHub from a developer perspective.

The following topics are covered:

  • Getting SecHub

  • Building SecHub

  • Starting SecHub server in Integration Test mode

  • Default passwords

  • Working with the REST API

  • Creating a project on SecHub server

  • Code scan with the SecHub client

  • Stopping the server

2.1. Requirements

  • Java JDK 17+

  • Go 1.21.6+

  • Git

  • cURL

  • jq

Only long term support (LTS) versions of Java are supported.

SecHub can be build and runs with OpenJDK Hotspot and Eclipse OpenJ9.

2.1.1. Alpine Linux

apk add openjdk17 go curl git bash jq
Tested with Alpine Linux 3.12, 3.13 and 3.14.

2.1.2. Debian/Ubuntu

sudo apt install openjdk-17-jdk-headless golang git curl jq
Tested with Debian 10 "Buster", Ubuntu 18.04 "Bionic" and 20.04 "Focal" LTS.
If the version of your GoLang is below 1.21.6, please install a more recent version from here.

2.1.3. Fedora and CentOS

sudo dnf install java-17-openjdk-devel golang git curl jq
Tested with Fedora 34 and CentOS 8.

2.1.4. MacOS

To easily install the requirements via cli you can use brew.

brew install openjdk@17 go git curl jq
Tested with MacOS Ventura 13.3.1.

2.2. Instructions

Let’s start with:

  1. Cloning the repository

    cd ~
    git clone https://github.com/mercedes-benz/sechub.git
    cd sechub

    Proxy:
    In case you have to connect via proxy to the internet, please have a look on how to setup a proxy in the Gradle documentation: Accessing the web through a HTTP proxy

    Example:
    Add these lines to your ~/.gradle/gradle.properties file:

    systemProp.http.proxyHost=yourproxy.youcompany.com
    systemProp.http.proxyPort=3128
    systemProp.http.proxyUser=userid
    systemProp.http.proxyPassword=password
    systemProp.http.nonProxyHosts=*.nonproxyrepos.com|localhost
  2. Build SecHub

    ./buildExecutables
  3. Start SecHub server in Integration Test mode

    ./gradlew startIntegrationTestServer
    Do not use the Integration Test Server mode in production.
  4. Credentials

    These are the initial credentials when starting SecHub server in integration-test mode:

    SecHub Superadmin:

    username: int-test_superadmin
    password: int-test_superadmin-pwd

    SecHub User Account:

    username: int-test_onlyuser
    password: int-test_onlyuser-pwd
  5. Environment variables

    Set search path and environment variables for the SecHub client and sechub-api.sh script:

    export SECHUB_SERVER=https://localhost:8443
    export SECHUB_USERID=int-test_superadmin
    export SECHUB_APITOKEN=int-test_superadmin-pwd
    export SECHUB_TRUSTALL=true
    export PATH="$PATH:`pwd`/sechub-cli/build/go/platform/linux-amd64:`pwd`/sechub-developertools/scripts"
  6. Test: List all users as administrator

    sechub-api.sh is a helper Bash script based on curl that eases the use of the SecHub server REST API. We use it here to get a list of the users.
    sechub-api.sh user_list

    Expected result:

    [
      "int-test_onlyuser",
      "int-test_superadmin"
    ]
  7. Create a project on SecHub server

    The output of the API calls are omitted here for better readability:

    # Create "testproject"
    sechub-api.sh project_create testproject int-test_superadmin
    
    # Assign "int-test_superadmin" as scan user to our project
    sechub-api.sh project_assign_user testproject int-test_superadmin
    
    # List project details
    sechub-api.sh project_details testproject
  8. Scan with SecHub client

    Let’s do a scan of our SecHub code:

    sechub -project testproject -reportformat html scan
    
    WARNING: Configured to trust all - means unknown service certificate is accepted. Don't use this in production!
     _____           _   _       _
    /  ___|         | | | |     | |
    \ `--.  ___  ___| |_| |_   _| |__
     `--. \/ _ \/ __|  _  | | | | '_ \
    /\__/ /  __/ (__| | | | |_| | |_) |
    \____/ \___|\___\_| |_/\__,_|_.__/ Client Version 0.0.0-1ba48fa-dirty-20220426102342
    
    2022-04-26 10:33:34 (+02:00) Zipping folder: . (/home/user/sechub)
    2022-04-26 10:33:34 (+02:00) Creating new sechub job
    2022-04-26 10:33:34 (+02:00) Uploading source zip file
    2022-04-26 10:33:35 (+02:00) Approve sechub job
    2022-04-26 10:33:35 (+02:00) Waiting for job 2fbb0553-db8c-4edb-827e-afed282f4140 to be done
                                 .
    2022-04-26 10:33:37 (+02:00) Fetching result (format=html) for job 2fbb0553-db8c-4edb-827e-afed282f4140
    2022-04-26 10:33:38 (+02:00) SecHub report written to sechub_report_testproject_2fbb0553-db8c-4edb-827e-afed282f4140.html
      GREEN - no severe security vulnerabilities identified

    Congratulations! You have done your first SecHub code scan.
    You can open the SecHub report file in your browser.

    In order to scan, you need a sechub.json config file. In our case, it is already in the repository so we can use it right away.

    For real results, you have to define an 'execution profile' with a scanner (via a product adapter) attached. Assign it to your project and you get real results. Have a look at the SecHub operations documentation for details.
  9. Stop SecHub integration test server

    ./gradlew stopIntegrationTestServer

2.2.1. Troubleshooting

2.2.1.1. Log files

Open the log file ./sechub-integrationtest/integrationtest-server.log to get more details about the problem.

3. Start Contributing

  1. Fork SecHub: https://github.com/mercedes-benz/sechub/fork

  2. Select a SecHub issue you want to work on: https://github.com/mercedes-benz/sechub/issues

    Issues have labels a good way to start is to look for issues with good first issue or help wanted. Issues with labels beginner, intermediate, advanced indicate the level of difficulty. However, not all issues are labeled. In addition, if you like an issue just comment on it, so that we can assign you to it.
    • In case, the issue you want to work on does not yet exist, please create an issue.

  3. Create a new branch on your local fork following the naming pattern feature-<issue-number>-<short-description>

    Example: feature-36-go-client-supports-env-variable.
  4. Set Up git configurations as explained here: Configure your git settings

  5. Set up your IDE

  6. Implement your changes
    Please follow our coding conventions: Coding conventions

    In case, you have any questions or need clarification ask inside the issues
  7. Run the tests locally

    • From within the (Eclipse) IDE

    • Using the sdc.sh helper script (located in the sechub repository folder)

      # Run all Unit Tests
      ./sechub-developertools/scripts/sdc.sh -u
      
      # Run all Integration Tests
      ./sechub-developertools/scripts/sdc.sh -i
      sdc.sh is a convenience wrapper around the gradlew tool, which bundles the CLI calls into use cases.
  8. Create a pull-request and merge your changes into SecHub

4. Setup IDE for SecHub

Our supported setup is:

  • Eclipse IDE

  • IntelliJ

  • Git

  • Debian based GNU/Linux

  • x86 64-bit CPU

  • Docker

In case your setup differs, please try to adjust the guides to your setup. Any contributions for other setups are welcome. Feel free to create pull requests for this guide with your setup.

4.1. Setup SecHub in Eclipse IDE

  1. Please, first create a fork of SecHub on GitHub: https://github.com/mercedes-benz/sechub/fork

    github fork sechub
  2. On your local Linux computer create a new folder Development in your home folder

    $ mkdir "$HOME/Development"
  3. Change into the Development folder

    cd "$HOME/Development"
  4. Download Eclipse IDE for Java Developers or Eclipse IDE for Enterprise Java and Web Developers

    # Download Eclipse IDE for Enterprise Java and Web Developers
    wget http://www.mirrorservice.org/sites/download.eclipse.org/eclipseMirror/technology/epp/downloads/release/2023-09/R/eclipse-jee-2023-09-R-linux-gtk-x86_64.tar.gz
    
    # Download checksum
    wget http://www.mirrorservice.org/sites/download.eclipse.org/eclipseMirror/technology/epp/downloads/release/2023-09/R/eclipse-jee-2023-09-R-linux-gtk-x86_64.tar.gz.sha512
    
    # Verify checksum
    sha512sum -c eclipse*.sha512
    
    # Extract archive
    tar -xf eclipse-jee-2023-09-R-linux-gtk-x86_64.tar.gz
    
    # Remove downloaded files
    rm eclipse-jee-*

    As end result an eclipse folder containing the eclipse executable should be available.

    www.mirrorservice.org is provided by the University of Kent School of Computing.
  5. Create a projects folder

    mkdir projects
  6. Switch into the project folder

    mkdir projects
    cd projects/
    We create a projects folder, because there are several SecHub projects. For example, the "sechub-<ide>` plugins are separated into different repositories.
  7. Clone the SecHub repository (your fork)

    git clone https://github.com/<your-github-username>/sechub.git

    After, successfully cloning the repository. There should be a folder named sechub containing the source code.

  8. Go one level up into to the Development folder

    $ cd ..
    $ pwd
    /home/<user>/Development
    $ ls
    eclipse  projects
  9. Create a workspaces/sechub folder for the Eclipse IDE to store settings in

    mkdir -p workspaces/sechub
  10. Check the folder structure

    The folder structure should look like this:

    $ pwd
    /home/user/Development
    $ tree -L 2
    .
    ├── eclipse
    │   ├── artifacts.xml
    │   ├── configuration
    │   ├── dropins
    │   ├── eclipse
    │   ├── eclipse.ini
    │   ├── features
    │   ├── icon.xpm
    │   ├── p2
    │   ├── plugins
    │   └── readme
    ├── projects
    │   └── sechub
    └── workspaces
        └── sechub
  11. Go into the eclipse folder and start eclipse

    cd eclipse
    ./eclipse
  12. Select the workspaces/sechub folder as workspace folder and press the Launch button

    eclipse choose workspaces folder
  13. Install the EGradle IDE Plugin

    1. In the Eclipse IDE menu click the help menu and select marketplace

      eclipse help menu marketplace
    2. To search for the EGradle IDE Plugin, type egradle ide into the Find intput box and press enter

      eclipse marketplace egradle ide
    3. Select the EGradle IDE Plugin and press install. Next follow the installation wizard.

      The creator and developer of the EGradle IDE Plugin is a SecHub developer. However, the EGradle IDE Plugin is a private project and not affiliated with SecHub.
  14. Import the SecHub project into the workspace

    1. Select Import from the File menu

      eclipse import menu
    2. Select the EGradle → Import gradle root project with all subprojects option and select next

      eclipse import egradle
    3. The EGradle Import Wizard opens up. Next, click Browse… after the Gradle root project path input box

      eclipse import gradle projects wizard
    4. A file dialog opens, select the Development/projects/sechub folder (previously cloned)

      eclipse egradle import file dialog
    5. The sechub folder is selected. Next, click the Finish button to import the SecHub project

      eclipse import gradle projects sechub selected
    6. The import will take some time. Once, successfully imported all SecHub sub-projects, a Virtual Root and the success message in the console should be visible

      eclipse egradle sechub imported

4.1.1. Add Sechub Java Code Formatter

  1. Download the formatter xml file here and unzip it.

  2. Open Java Formatter page in preferences (Window→Preferences). Then press the import button and select the former unpacked xml file.

    eclipse java formatter import
  3. Ensure SecHub is your active profile. Select SecHub as active profile, then press apply and close.

    eclipse java formatter activate
  4. Before pushing your code please check your java format by executing spotless check.

    ./gradlew clean spotlessCheck

4.1.2. Switch to Dark theme (Optional)

Needs to be done for every new workspace.

  1. Select Preferences from the Window menu

    eclipse preferences
  2. Search for Dark in the input box. The menu point General → Appearance should appear as an option

    eclipse dark theme
  3. Select Dark from the theme drop-down menu

  4. Press the Apply and Close button

4.2. Set up IntelliJ for SecHub

Requirements: IntelliJ IDE (Community or Ultimate) is installed.

  1. Fork and clone the SecHub repository from GitHub

  2. Open the sechub project in IntelliJ (it will automatically detect the Gradle project)

  3. Click on FilesettingsJava Compiler and switch the compiler to Javac

    intelliJ javac compiler
  4. Click on FilesettingsBuild, Execution, DeploymentBuild ToolsGradle and set the Build and run using to IntelliJ IDEA and Run tests using to IntelliJ IDEA

    intelliJ switch to intelliJ compiler

4.2.1. Add Sechub Java Code Formatter

  1. Download the formatter xml file here and unzip it.

  2. Open Java Formatter page in preferences (File→Settings). Then press the import button and select the former unpacked xml file.

    intelliJ java formatter import
  3. Ensure SecHub is your active profile. Select SecHub as active profile, then press apply and close.

    intelliJ java formatter activate
  4. Before pushing your code please check your java format by executing spotless check.

    ./gradlew clean spotlessCheck

5. Run Integration Tests from IDE

5.1. Run Integration Tests From Eclipse IDE

We explain the setup based on the Free and Open Source Software (FOSS) Eclipse IDE.

5.1.1. SecHub Server

Run a SecHub server integration test.

5.1.1.1. Configure SecHub Server

Download the launch configuration for the Eclipse IDE: SecHubServerApplication (INTEGRATION TEST - H2)

  1. Open the Run Configurations… in the toolbar of the Eclipse IDE

    eclipse run configurations
  2. Right-click on Java Application and select New Configuration from the context menu.

    eclipse new configuration
  3. Name the new configuration SecHubServerApplication_(INTEGRATION_TEST-H2)

  4. In the tab Main:

    • Project: Select the sechub-server project.

    • Main class: com.mercedesbenz.sechub.SecHubServerApplication

      eclipse run configuration server main tab
  5. Next open the Arguments tab and add the following arguments into the VM arguments section:

    -Dspring.profiles.active=mocked_products,h2,integrationtest
    -Dsechub.server.debug=true
    -Dsechub.storage.sharedvolume.upload.dir=/home/<user>/.sechub/sharedvolume
    -Dsechub.targettype.detection.intranet.hostname.endswith=intranet.example.org
    -Dsechub.config.trigger.nextjob.initialdelay=0
    Ensure you replace the <user> with your own user. The sechub.storage.sharedvolume.upload.dir parameter must be set to a folder with read and write access on the system.
    (On IOS, the path should be /Users/<user>/.sechub/sharedvolume)
    eclipse run configuration server arguments tab
5.1.1.2. Run a SecHub server integration test

This section demonstrate how to run an integration test for the SecHub server using UserRegistrationScenario1IntTest.java as example. Other SecHub server integration tests can be run in the same way.

  1. Start SecHub server in integration test mode using the SecHub integration test launch configuration as explained in Configure SecHub Server

  2. Select sechub-integrationtest/src/test/java/com/mercedesbenz/sechub/integrationtest/scenario1/UserRegistrationScenario1IntTest.java in the Project Explorer

  3. Right-click on UserRegistrationScenario1IntTest.java to open the context menu and select Run As and select JUnit Test in the submenu.

    eclipse run server integrationtest
  4. Your first run will fail, as the run needs to be configured with the variables -Dsechub.integrationtest.running=true or -Dsechub.integrationtest.longrunning=true. Therefor open the run configurations and select the UserRegistrationScenario1IntTest. Click on the Arguments tab and paste the flag -Dsechub.integrationtest.running=true in the VM arguments field, click apply and run the test again.

eclipse add VM argument to UnitTest
  1. Check the JUnit tab, the result should be green indicating a successful run.

5.1.2. Product Delegation Server (PDS)

Run a Product Delegation Server (PDS) integration test.

5.1.2.1. Configure Product Delegation Server (PDS)

Download the launch configure for the Eclipse IDE: ProductDelegationServerApplication (INTEGRATION TEST - H2)

  1. Open the Run Configurations… in the toolbar of the Eclipse IDE

    eclipse run configurations
  2. Right-click on Java Application and select New Configuration from the context menu.

    eclipse new configuration
  3. Name the new configuration ProductDelegationServerApplication_(INTEGRATION_TEST-H2)

  4. In the tab Main:

    • Project: Select the sechub-pds project.

    • Main class: com.mercedesbenz.sechub.pds.ProductDelegationServerApplication

  5. Next open the Arguments tab and add the following arguments into the VM arguments section:

    -Dspring.profiles.active=pds_integrationtest,pds_h2
    -Dpds.workspace.rootfolder=/home/<user>/.pds/workspace
    Ensure you replace the <user> with your own user. It is necessary to set the folder sechub.pds.storage.sharedvolume.upload.dir to the same folder as configured for the SecHub server.
  6. Open the Environment tab and add the following environment variable:

    PDS_STORAGE_SHAREDVOLUME_UPLOAD_DIR=/home/<user>/.sechub/sharedvolume
    Ensure you replace the <user> with your own user. It is necessary to set the folder sechub.pds.storage.sharedvolume.upload.dir to the same folder as configured for the SecHub server.
5.1.2.2. Run a PDS integration test

This section demonstrate how to run an integration test for the PDS server using DirectPDSAPICheckAliveScenario6IntTest.java as example. Other PDS integration tests can be run in the same way.

  1. Start PDS in integration test mode using the SecHub integration test launch configuration as explained in Configure Product Delegation Server (PDS)

  2. Select sechub-integrationtest/src/test/java/com/mercedesbenz/sechub/integrationtest/scenario6/DirectPDSAPICheckAliveScenario6IntTest.java in the Project Explorer

  3. Right-click on DirectPDSAPICheckAliveScenario6IntTest.java to open the context menu and select Run As and select JUnit Test in the submenu.

  4. Check the JUnit tab, the result should be green indicating a successful run.

5.1.2.3. Run a SecHub + PDS integration test

This section demonstrate how to run an integration test for the SecHub + PDS server using PDSCodeScanJobScenario5IntTest.java as example. Other PDS integration tests can be run in the same way.

  1. Start PDS and SecHub server in integration test mode using the launch configurations created in Configure SecHub Server and Configure Product Delegation Server (PDS)

  2. Select sechub-integrationtest/src/test/java/com/mercedesbenz/sechub/integrationtest/scenario5/PDSCodeScanJobScenario5IntTest.java in the Project Explorer

  3. Right-click on PDSCodeScanJobScenario5IntTest.java to open the context menu and select Run As and select JUnit Test in the submenu.

  4. Check the JUnit tab, the result should be green indicating a successful run.

5.2. Run Integration Tests From IntelliJ IDE

We explain the integration test setup based on the IntelliJ IDEA IDE.

First run the following commands to create the necessary certificates for the integration test servers:

./gradlew ensureLocalhostCertificate build generateOpenapi buildDeveloperAdminUI -x :sechub-cli:build
./gradlew clean

5.2.1. SecHub Server

Run a SecHub server integration test.

5.2.1.1. Configure SecHub Server
  1. Run the SecHubServerApplication in the sechub-server project (it will fail)

  2. Open the Run Configurations in the toolbar of the IntelliJ IDEA IDE by clicking on the dropdown menu next to the run button and selecting Edit Configurations…

    intelliJ run configurations edit
  3. Select the SecHubServerApplication configuration and open the Configuration tab

    intelliJ server application run configuration
  4. Click on the Modify options dropdown and select Add VM options, add the following VM options:

    -Dspring.profiles.active=mocked_products,h2,integrationtest
    -Dsechub.server.debug=true
    -Dsechub.storage.sharedvolume.upload.dir=/home/<user>/.sechub/sharedvolume
    -Dsechub.targettype.detection.intranet.hostname.endswith=intranet.example.org
    -Dsechub.config.trigger.nextjob.initialdelay=0
    Ensure you replace the <user> with your own user. The sechub.storage.sharedvolume.upload.dir parameter must be set to a folder with read and write access on the system.
    (On IOS, the path should be /Users/<user>/.sechub/sharedvolume)
  5. Click on the Modify options dropdown and select Workspace directory, add the project module path sechub-server

5.2.1.2. Run a SecHub server integration test

This section demonstrate how to run an integration test for the SecHub server using UserRegistrationScenario1IntTest.java as example. Other SecHub server integration tests can be run in the same way.

  1. Start SecHub server in integration test mode using the SecHub integration test launch configuration as explained in Configure SecHub Server

  2. Select sechub-integrationtest/src/test/java/com/mercedesbenz/sechub/integrationtest/scenario1/UserRegistrationScenario1IntTest.java in the Project Explorer

  3. Right-click on UserRegistrationScenario1IntTest.java to open the context menu and select test.

  4. Your first run will fail, as the run needs to be configured with the variables -Dsechub.integrationtest.running=true or -Dsechub.integrationtest.longrunning=true. Therefor open the run configurations and select the UserRegistrationScenario1IntTest. Click on the Add VM options tab and paste the flag -Dsechub.integrationtest.running=true in the VM arguments field, click apply and run the test again.

  5. Check the JUnit tab, the result should be green indicating a successful run.

5.2.2. Product Delegation Server (PDS)

Run a Product Delegation Server (PDS) integration test.

5.2.2.1. Configure Product Delegation Server (PDS)
  1. Run the ProductDelegationServerApplication in the sechub-pds module (it will fail)

  2. Open the Run Configurations in the toolbar of the IntelliJ IDEA IDE by clicking on the dropdown menu next to the run button and selecting Edit Configurations…

  3. Select the ProductDelegationServerApplication configuration and open the Configuration tab

  4. Click on the Modify options dropdown and select Add VM options, add the following VM options:

    -Dspring.profiles.active=pds_integrationtest,pds_h2
    -Dpds.workspace.rootfolder=/home/<user>/.pds/workspace
    Ensure you replace the <user> with your own user.
  5. Click on the Modify options dropdown and select Workspace directory, add the project module path sechub-pds

  6. Click on the Modify options dropdown and select Environment variables, add the following environment variables:

    PDS_STORAGE_SHAREDVOLUME_UPLOAD_DIR=/home/<user>/.sechub/sharedvolume
    Ensure you replace the <user> with your own user.
5.2.2.2. Run a PDS integration test

This section demonstrate how to run an integration test for the PDS server using DirectPDSAPICheckAliveScenario6IntTest.java as example. Other PDS integration tests can be run in the same way.

  1. Start PDS in integration test mode using the SecHub integration test launch configuration as explained in Configure Product Delegation Server (PDS)

  2. Select sechub-integrationtest/src/test/java/com/mercedesbenz/sechub/integrationtest/scenario6/DirectPDSAPICheckAliveScenario6IntTest.java in the Project Explorer

  3. Run DirectPDSAPICheckAliveScenario6IntTest.java

  4. Check the JUnit tab, the result should be green indicating a successful run.

5.2.2.3. Run a SecHub + PDS integration test

This section demonstrate how to run an integration test for the SecHub + PDS server using PDSCodeScanJobScenario5IntTest.java as example. Other PDS integration tests can be run in the same way.

  1. Start PDS and SecHub server in integration test mode using the launch configurations created in Configure SecHub Server and Configure Product Delegation Server (PDS)

  2. Select sechub-integrationtest/src/test/java/com/mercedesbenz/sechub/integrationtest/scenario5/PDSCodeScanJobScenario5IntTest.java in the Project Explorer

  3. Run the PDSCodeScanJobScenario5IntTest.java

  4. Check the JUnit tab, the result should be green indicating a successful run.