Merge pull request #3381 from mercedes-benz/develop

Merge `develop` into `master` for release

sechub-developertools/src/main/java/com/mercedesbenz/sechub/developertools/admin/DeveloperAdministration.java

@@ -687,7 +687,7 @@ public String fetchProjectFalsePositiveConfiguration(String projectId) {
     }
 
     public String markFalsePositivesForProjectByJobData(String projectId, String json) {
-        return getRestHelper().putJSON(getUrlBuilder().buildUserAddsFalsePositiveJobDataListForProject(projectId), json);
+        return getRestHelper().putJSON(getUrlBuilder().buildUserAddsFalsePositiveDataListForProject(projectId), json);
     }
 
     public void deleteFalsePositivesForProject(String projectId, UUID jobUUID, int findingId) {

sechub-doc/src/docs/asciidoc/diagrams/diagram_falsepositives_definition_overview.puml

@@ -4,37 +4,38 @@ skinparam linetype ortho
 hide empty methods
 hide empty fields
 package com.mercedesbenz.sechub.domain.scan.project{
-'com.mercedesbenz.sechub.domain.scan.project.FalsePositiveJobDataService
-   class FalsePositiveJobDataService ##[bold]black {
+'com.mercedesbenz.sechub.domain.scan.project.FalsePositiveDataService
+   class FalsePositiveDataService ##[bold]black {
     ~ScanReportRepository : scanReportRepository
     ~ScanProjectConfigService : configService
-    ~FalsePositiveJobDataListValidation : falsePositiveJobDataListValidation
-    ~FalsePositiveJobDataConfigMerger : merger
+    ~FalsePositiveDataListValidation : falsePositiveJobDataListValidation
+    ~FalsePositiveDataConfigMerger : merger
   }
-  FalsePositiveJobDataService *-- FalsePositiveJobDataConfigMerger
-  FalsePositiveJobDataService -[#blue]- FalsePositiveJobDataList
-  FalsePositiveJobDataService *-- FalsePositiveJobDataListValidation
-  FalsePositiveJobDataService -[#blue]- FalsePositiveProjectConfiguration
-  FalsePositiveJobDataService *-- ScanProjectConfigService
-  FalsePositiveJobDataService *-- com.mercedesbenz.sechub.domain.scan.report.ScanReportRepository
-'com.mercedesbenz.sechub.domain.scan.project.FalsePositiveJobDataConfigMerger
-   class FalsePositiveJobDataConfigMerger{
+  FalsePositiveDataService *-- FalsePositiveDataConfigMerger
+  FalsePositiveDataService -[#blue]- FalsePositiveDataList
+  FalsePositiveDataService *-- FalsePositiveDataListValidation
+  FalsePositiveDataService -[#blue]- FalsePositiveProjectConfiguration
+  FalsePositiveDataService *-- ScanProjectConfigService
+  FalsePositiveDataService *-- com.mercedesbenz.sechub.domain.scan.report.ScanReportRepository
+'com.mercedesbenz.sechub.domain.scan.project.FalsePositiveDataConfigMerger
+   class FalsePositiveDataConfigMerger{
   }
-  FalsePositiveJobDataConfigMerger .[#green]. com.mercedesbenz.sechub.commons.model.SecHubCodeCallStack
-  FalsePositiveJobDataConfigMerger -[#blue]- com.mercedesbenz.sechub.commons.model.SecHubFinding
-  FalsePositiveJobDataConfigMerger .. FalsePositiveCodePartMetaData
-  FalsePositiveJobDataConfigMerger .. FalsePositiveEntry
-  FalsePositiveJobDataConfigMerger -[#blue]- FalsePositiveJobData
-  FalsePositiveJobDataConfigMerger -[#blue]- FalsePositiveMetaData
-  FalsePositiveJobDataConfigMerger -[#blue]- FalsePositiveProjectConfiguration
-  FalsePositiveJobDataConfigMerger -[#blue]- com.mercedesbenz.sechub.domain.scan.report.ScanSecHubReport
-'com.mercedesbenz.sechub.domain.scan.project.FalsePositiveJobDataList
-   class FalsePositiveJobDataList{
+  FalsePositiveDataConfigMerger .[#green]. com.mercedesbenz.sechub.commons.model.SecHubCodeCallStack
+  FalsePositiveDataConfigMerger -[#blue]- com.mercedesbenz.sechub.commons.model.SecHubFinding
+  FalsePositiveDataConfigMerger .. FalsePositiveCodePartMetaData
+  FalsePositiveDataConfigMerger .. FalsePositiveEntry
+  FalsePositiveDataConfigMerger -[#blue]- FalsePositiveJobData
+  FalsePositiveDataConfigMerger -[#blue]- FalsePositiveMetaData
+  FalsePositiveDataConfigMerger -[#blue]- FalsePositiveProjectConfiguration
+  FalsePositiveDataConfigMerger -[#blue]- com.mercedesbenz.sechub.domain.scan.report.ScanSecHubReport
+'com.mercedesbenz.sechub.domain.scan.project.FalsePositiveDataList
+   class FalsePositiveDataList{
     -String : apiVersion
     -String : type
     -FalsePositiveJobData : jobData
   }
-  FalsePositiveJobDataList -[#blue]- FalsePositiveJobData
+  FalsePositiveDataList -[#blue]- FalsePositiveJobData
+  FalsePositiveDataList -[#blue]- FalsePositiveProjectData
 'com.mercedesbenz.sechub.domain.scan.project.FalsePositiveProjectConfiguration
    class FalsePositiveProjectConfiguration{
     -List<FalsePositiveEntry> : falsePositives
@@ -57,6 +58,22 @@ package com.mercedesbenz.sechub.domain.scan.project{
     -String : relevantPart
     -String : sourceCode
   }
+'com.mercedesbenz.sechub.domain.scan.project.FalsePositiveProjectData
+   class FalsePositiveProjectData{
+    -String : id
+    -String : comment
+    -WebscanFalsePositiveProjectData: webScan
+  }
+'com.mercedesbenz.sechub.domain.scan.project.WebscanFalsePositiveProjectData
+   class WebscanFalsePositiveProjectData{
+    -Integer : cweId
+    -List<String> : hostPatterns
+    -List<String> : urlPathPatterns
+    -List<String> : protocols
+    -List<String> : ports
+    -List<String> : methods
+  }
+  FalsePositiveProjectData *-- WebscanFalsePositiveProjectData
 'com.mercedesbenz.sechub.domain.scan.project.FalsePositiveEntry
    class FalsePositiveEntry{
     -FalsePositiveJobData : jobData
@@ -66,6 +83,7 @@ package com.mercedesbenz.sechub.domain.scan.project{
   }
   FalsePositiveEntry -[#blue]- FalsePositiveJobData
   FalsePositiveEntry -[#blue]- FalsePositiveMetaData
+  FalsePositiveEntry -[#blue]- FalsePositiveProjectData
 'com.mercedesbenz.sechub.domain.scan.project.FalsePositiveMetaData
    class FalsePositiveMetaData{
     -ScanType : scanType
@@ -110,4 +128,6 @@ package com.mercedesbenz.sechub.domain.scan.project{
     -String: evidence
     -int: statuscode
   }
+
+
 @enduml

sechub-doc/src/docs/asciidoc/diagrams/diagram_falsepositives_runtime_overview.puml

@@ -6,36 +6,53 @@ hide empty fields
 package com.mercedesbenz.sechub.domain.scan.product.sereco{
 'com.mercedesbenz.sechub.domain.scan.product.sereco.SerecoFalsePositiveMarker
    class SerecoFalsePositiveMarker ##[bold]black {
-    ~SerecoFalsePositiveFinder : falsePositiveCodeFinder
+    ~SerecoJobDataFalsePositiveFinder : jobDatafalsePositiveCodeFinder
     ~ScanProjectConfigService : scanProjectConfigService
+    ~SerecoProjectDataFalsePositiveFinder: projectDataFalsePositiveFinder
+    ~SerecoProjectDataPatternMapFactory: projectDataPatternMapFactory
   }
-  SerecoFalsePositiveMarker *-- SerecoFalsePositiveFinder
+  SerecoFalsePositiveMarker *-- SerecoJobDataFalsePositiveFinder
+  SerecoFalsePositiveMarker *-- SerecoProjectDataFalsePositiveFinder
+  SerecoFalsePositiveMarker *-- SerecoProjectDataPatternMapFactory
   SerecoFalsePositiveMarker -[#blue]- com.mercedesbenz.sechub.domain.scan.project.FalsePositiveEntry
   SerecoFalsePositiveMarker *-- com.mercedesbenz.sechub.domain.scan.project.ScanProjectConfigService
   SerecoFalsePositiveMarker -[#blue]- com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability
-'com.mercedesbenz.sechub.domain.scan.product.sereco.SerecoFalsePositiveFinder
-   class SerecoFalsePositiveFinder{
-    ~SerecoFalsePositiveCodeScanStrategy : codeSCanStrategy
+'com.mercedesbenz.sechub.domain.scan.product.sereco.SerecoJobDataFalsePositiveFinder
+   class SerecoJobDataFalsePositiveFinder{
+    ~CodeScanJobDataFalsePositiveStrategy : jobDataCodeScanStrategy
+    ~SecretScanJobDataFalsePositiveStrategy: jobDataSecretScanStrategy
+    ~WebScanJobDataFalsePositiveStrategy: jobDataSebScanStrategy
   }
-  SerecoFalsePositiveFinder *-- SerecoFalsePositiveCodeScanStrategy
-  SerecoFalsePositiveFinder *-- SerecoFalsePositiveWebScanStrategy
-  SerecoFalsePositiveFinder -[#blue]- com.mercedesbenz.sechub.domain.scan.project.FalsePositiveMetaData
-  SerecoFalsePositiveFinder -[#blue]- com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability
-'com.mercedesbenz.sechub.domain.scan.product.sereco.SerecoFalsePositiveCodeScanStrategy
-   class SerecoFalsePositiveCodeScanStrategy{
+  SerecoJobDataFalsePositiveFinder *-- CodeScanJobDataFalsePositiveStrategy
+  SerecoJobDataFalsePositiveFinder *-- WebScanJobDataFalsePositiveStrategy
+  SerecoJobDataFalsePositiveFinder *-- SecretScanJobDataFalsePositiveStrategy
+  SerecoJobDataFalsePositiveFinder -[#blue]- com.mercedesbenz.sechub.domain.scan.project.FalsePositiveMetaData
+  SerecoJobDataFalsePositiveFinder -[#blue]- com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability
+'com.mercedesbenz.sechub.domain.scan.product.sereco.CodeScanJobDataFalsePositiveStrategy
+   class CodeScanJobDataFalsePositiveStrategy{
     ~SerecoSourceRelevantPartResolver : relevantPartResolver
   }
-  SerecoFalsePositiveCodeScanStrategy *-- SerecoSourceRelevantPartResolver
-  SerecoFalsePositiveCodeScanStrategy -[#blue]- com.mercedesbenz.sechub.domain.scan.project.FalsePositiveCodePartMetaData
-  SerecoFalsePositiveCodeScanStrategy .[#green]. com.mercedesbenz.sechub.domain.scan.project.FalsePositiveMetaData
-  SerecoFalsePositiveCodeScanStrategy -[#blue]- com.mercedesbenz.sechub.sereco.metadata.SerecoCodeCallStackElement
-  SerecoFalsePositiveCodeScanStrategy .[#green]. com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability
+  CodeScanJobDataFalsePositiveStrategy *-- SerecoSourceRelevantPartResolver
+  CodeScanJobDataFalsePositiveStrategy -[#blue]- com.mercedesbenz.sechub.domain.scan.project.FalsePositiveCodePartMetaData
+  CodeScanJobDataFalsePositiveStrategy .[#green]. com.mercedesbenz.sechub.domain.scan.project.FalsePositiveMetaData
+  CodeScanJobDataFalsePositiveStrategy -[#blue]- com.mercedesbenz.sechub.sereco.metadata.SerecoCodeCallStackElement
+  CodeScanJobDataFalsePositiveStrategy .[#green]. com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability
 'com.mercedesbenz.sechub.domain.scan.product.sereco.SerecoSourceRelevantPartResolver
    class SerecoSourceRelevantPartResolver{
   }
-   class SerecoFalsePositiveWebScanStrategy{
+   class WebScanJobDataFalsePositiveStrategy{
     
   }
+'com.mercedesbenz.sechub.domain.scan.product.sereco.SerecoProjectDataFalsePositiveFinder
+   class SerecoProjectDataFalsePositiveFinder{
+    ~WebScanProjectDataFalsePositiveStrategy: webScanProjectDataStrategy
+  }
+  SerecoProjectDataFalsePositiveFinder *-- WebScanProjectDataFalsePositiveStrategy
+
+'com.mercedesbenz.sechub.domain.scan.product.sereco.WebScanProjectDataFalsePositiveStrategy
+   class WebScanProjectDataFalsePositiveStrategy{
+  }
+  WebScanProjectDataFalsePositiveStrategy .[#green]. com.mercedesbenz.sechub.domain.scan.project.FalsePositiveProjectData
+  WebScanProjectDataFalsePositiveStrategy .[#green]. com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability
 }
-
 @enduml

sechub-doc/src/docs/asciidoc/documents/code2doc/usecases/user/mark_false_positives.adoc

@@ -0,0 +1,10 @@
+// SPDX-License-Identifier: MIT
+[[sechub-doclink-uc-user-marks-false-positives]]
+A user wants to mark false positives either for a finished job or with project data not necessarily connected to a finished job.
+
+To mark false positives using job data the job must have been executed, finished without failure and job NOT been deleted.
+The user will be able to mark former job results by their given id as false positives.
+
+To mark false positives using no job must have been run, but it will help identify findings as false positives of course.
+The project data are not related to any job information.
+

sechub-doc/src/docs/asciidoc/documents/code2doc/usecases/user/unmark_false_positives.adoc → sechub-doc/src/docs/asciidoc/documents/code2doc/usecases/user/unmark_false_positives_jobdata.adoc

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-[[sechub-doclink-uc-user-unmarks-false-positives]]
+[[sechub-doclink-uc-user-unmarks-false-positives-jobdata]]
 A user wants to unmark existing false positives
 This means the false positives has been marked before. 
 

sechub-doc/src/docs/asciidoc/documents/code2doc/usecases/user/unmark_false_positives_projectdata.adoc

@@ -0,0 +1,8 @@
+// SPDX-License-Identifier: MIT
+[[sechub-doclink-uc-user-unmarks-false-positives-projectdata]]
+A user wants to unmark existing false positives
+This means the false positives has been marked before. 
+
+NOTE: This will NOT change any former job report where the false positive to unmark has been filtered! 
+
+After next scan job the former false positive is no longer filtering the finding.

sechub-doc/src/docs/asciidoc/documents/shared/false-positives/false-positives-REST-API-content-example1.json

@@ -1,6 +1,6 @@
 {
   "apiVersion": "1.0", //<1>
-  "type": "falsePositiveJobDataList", //<2>
+  "type": "falsePositiveDataList", //<2>
   "jobData": [
     {
       "jobUUID": "6cfa2ccf-da13-4dee-b529-0225ed9661bd", //<3>
@@ -11,5 +11,19 @@
       "jobUUID": "6cfa2ccf-da13-4dee-b529-0225ed9661bd",
       "findingId": 15
     }
+  ],
+  "projectData": [ //<6>
+  {
+      "id": "unique-id", //<7>
+      "comment": "It was verified that there is no SQL-injection vulnerability at this location",
+      "webScan": { //<8>
+          "cweId": 89, //<9>
+          "hostPatterns": [ "127.0.*.1", "api.example.com", "dev.*.example.com"], //<10>
+          "urlPathPatterns": [ "/rest/products/search*", "/rest/users/profile" ], //<11>
+          "protocols": [ "HTTPS", "WSS" ], //<12>
+          "methods": [ "GET", "DELETE" ], //<13>
+          "ports": [ "8080", "443" ] //<14>
+      }
+  }
   ]
 }

sechub-doc/src/docs/asciidoc/documents/shared/false-positives/false-positives-howto-define-by-api.adoc

@@ -1,7 +1,8 @@
 // SPDX-License-Identifier: MIT
 [[section-false-positives-define-by-API]]
-Define false positive handling in `JSON` by referencing a former {sechub} job UUID and the
-corresponding finding entry (by id) and post it to REST API. 
+Define false positive be done sending false positive information via `JSON` either
+by referencing a former {sechub} job UUID and the corresponding finding entry (by id) or
+by specifying a project data section where specific patterns that match false positive findings are declared and post it to REST API. 
 
 *JSON*
 
@@ -14,16 +15,50 @@ include::false-positives-REST-API-content-example1.json[]
 <3> job UUID for which the given identifiers are representative
 <4> the finding id (number) in the report
 <5> comment _(optional)_ are only to define why this is a false positive.
+<6> projectData _(optional)_ that can be used to mark more than a single finding as false positive.
+Currently only available for web scans. This is not necessarily bound to a SecHub report,
+but it might be easier to create this type of false positive configuration with a SecHub report after a scan.
+<7> `id` that identifies this entry. If the same `id` is used again,
+the existing false positive entry will be overwritten. The `id` is also mandatory to unmark this entry. 
+<8> `webScan` _(optional)_ section can be used to define false positive patterns for web scans to provide more possibilities to the user.
+<9> `cweId` is used to mark a certain type of finding as false positive.
+When handling web scan project data this will be treated as a mandatory field,
+but it can be omitted inside this configuration an will then match findings that do not have any `cweId`.
+<10> `hostPatterns` are used to specify your hosts this entry shall be used for. This is a mandatory field which needs at least one entry.
+Asterisks can be used as wildcards e.g. if you have different environments like '*.example.com', would match anything ending with '.example.com'. 
+<11> `urlPathPatterns` are also mandatory and there must be at least one entry.
+Asterisks can be used here as wildcards as well. This can be useful to ignore random input of the scanner,
+e.g. inside query parameters or REST API path variables.
+<12> `protocols` _(optional)_ can be used to further restrict the false positive matching, to specific communication protocols, like HTTPS, WSS, etc.
+Like any other _optional_ field, if this is missing it is simply ignored.
+<13> `methods` _(optional)_ can be used to further restrict the false positive matching, to specific request methods protocols, like GET, POST, etc.
+Like any other _optional_ field, if this is missing it is simply ignored.
+<14> `ports`  _(optional)_ can be used to further restrict the false positive matching, to specific ports protocols.
+Like any other _optional_ field, if this is missing it is simply ignored.
+
+There are some important information on the asterisk wildcard approach, regarding web scans:
+
+. To be a false positive only one entry of each of the lists above must match the finding.
+. Specifying wildcards only inside `hostPatterns` or `urlPathPatterns` is not allowed.
+. Wildcards are only allowed inside mandatory parts, like `hostPatterns` or `urlPathPatterns`.
+. Wildcards tell the false positive handling to match anything until the next NOT wildcard character (asterisk).
+. Multiple wildcards can be used in one string.
+. No wildcards at the beginning or the end means the beginning or the end of the given part must match exactly otherwise it will not be matched as a false positive.
 
 [NOTE]
 ====
-This is a very easy, generic approach - and also future-proof: The only dependency is to the job, 
+The `jobData` approach is very easy, generic - and also future-proof: The only dependency is to the job, 
 `UUID`, for which the report must still exist while the definition is done. Every false-positive in 
-any kind of scan can be handled like that.  
+any kind of scan can be handled like that.
 
 The `REST` controller logic does read the job result data and creates internally false positive 
-meta data. If we delete later the {sechub} job it cannot destroy our false positive setup in {sechub}. 
+meta data. If we delete the {sechub} job later it cannot destroy our false positive setup in {sechub}. 
+
+The `projectData` approach is more powerful for the user.
+Since it is more powerful with the wildcard approach it requires more intial setup from the user.
 
+There are no dependencies because all information necessary to identify certain findings are specified via `REST`.
+Each entry can be overridden or removed by the given `id`.
 ====
 
 *ID handling* +