mercedes-benz / sechub-plugin-vscode

VSCode/VSCodium/Eclipse Theia plugin for sechub

Home Page: https://open-vsx.org/extension/mercedes-benz/sechub

License: MIT License

TypeScript 90.05% Java 1.39% C 0.16% Shell 8.41%
sechub security vscode theia plugin vscodium security-automation security-testing

sechub-plugin-vscode's Introduction

SecHub VSCode/VSCodium/Eclipse Theia plugin

This is a VSCode/VSCodium/Eclipse Theia plugin that integrates SecHub conveniently into the IDE.

Features

  • Read and navigate through SecHub reports
  • Supported modules: codeScan and secretScan

Installation

Recommended: Install the plugin from the Open-VSX marketplace from within VSCodium or Eclipse Theia by searching for the term: sechub in the Extensions manager.

For VS Code you need to download the plugin and install it manually. It is also possible to install the plugin manually in VSCodium and Eclipse Theia.

NOTE: Please use the new plugin from Mercedes-Benz: https://open-vsx.org/extension/mercedes-benz/sechub. The old Daimler plugin will be deprecated. The reason for the deprecation is the rebranding of Daimler to Mercedes-Benz.

Development

Develop

  1. Install Node.js

  2. Install Typescript compiler

    npm install -g typescript
    
    # or on Linux
    
    sudo npm install -g typescript
    
    # check version
    tsc --version
    
  3. Install VSCodium, Eclipse Theia or VSCode

    NOTE: VSCodium and Eclipse Theia distribute free/libre open source software binaries. VS Code, on the other hand, distributes non-free binaries and collects telemetry data.

  4. In VSCodium toolbar: Run -> Start Debugging.


Test

Prerequisite: The Node package manager NPM needs to be installed.

  1. Install dependencies

    npm install
    
  2. Compile and run tests

    npm test
    

    NOTE: The test automatically downloads and runs VS Code.

Build

  1. Install the vsce cli tool

    npm install -g @vscode/vsce
    
    # or on Linux
    
    sudo npm install -g @vscode/vsce
    
  2. Build the plugin

    vsce package
    

Contributing

We welcome any contributions. If you want to contribute to this project, please read the contributing guide.

Code of Conduct

Please read our Code of Conduct as it is our base for interaction.

License

This project is licensed under the MIT License (see the LICENSE file).

Provider Information

Please visit https://www.mercedes-benz-techinnovation.com/en/imprint/ for information on the provider.

Notice: Before you use the program in productive use, please take all necessary precautions, e.g. testing and verifying the program with regard to your specific use. The program was tested solely for our own use cases, which might differ from yours.

sechub-plugin-vscode's People

Contributors: de-jcup, jeeppler, lorriborri

Forkers: alxprd

sechub-plugin-vscode's Issues

Handle rebranding issues

We must

https://open-vsx.org/extension/Daimler/sechub

GoSec Report - Unable to jump to code location

Problem

After loading a SecHub report from a GoSec scan, I am unable to jump to the issues in Code. This is an issue in VSCodium and Eclipse Theia.

[2022-03-18 15:21:11.514] [exthost] [error] TypeError: Cannot read property 'length' of undefined
	at openInEditor (/home/user/.vscode-oss/extensions/mercedes-benz.sechub-0.1.2/out/action/callHierarchyViewActions.js:32:98)
	at callBack (/home/user/.vscode-oss/extensions/mercedes-benz.sechub-0.1.2/out/action/callHierarchyViewActions.js:11:13)
	at f._executeContributedCommand (/usr/share/codium/resources/app/out/vs/workbench/api/node/extensionHostProcess.js:85:30255)
	at f._doExecuteCommand (/usr/share/codium/resources/app/out/vs/workbench/api/node/extensionHostProcess.js:85:29143)
	at f.executeCommand (/usr/share/codium/resources/app/out/vs/workbench/api/node/extensionHostProcess.js:85:29049)
	at Object.executeCommand (/usr/share/codium/resources/app/out/vs/workbench/api/node/extensionHostProcess.js:99:31629)
	at /home/user/.vscode-oss/extensions/mercedes-benz.sechub-0.1.2/out/action/reportViewActions.js:22:33
	at processTicksAndRejections (internal/process/task_queues.js:93:5) sechubCallHierarchyView.selectNode {"value":"Mercedes-Benz.sechub","_lower":"mercedes-benz.sechub"}

Affected: SecHub VSCode plugin version 0.1.1 and 0.1.2.
Tested with:

  • VSCodium Version: 1.65.2
  • Eclipse Theia Blueprint Version 1.23.0 (Beta)

Check if Eclipse Theia Cloud version can import SecHub reports

Situation

When using Eclipse Theia as a cloud variant with the SecHub plugin, the import could be problematic because the import is done by fs inside sechubModel.ts#loadFromFile.

Wanted

Check if this is a problem. If it is - create a new issue to solve the problem.

Solution / How to

We can simply check this by using https://theia-ide.org/ (e.g. gitpod), installing the SecHub plugin there and doing an import from the report view.

VSCodium Extension doesn't function properly

After opening a report in VSCodium using the SecHub extension and trying to click on one of the findings, to see where the vulnerability is located, nothing happens!
Looking in the extension logs, there were some uncaught errors from the extension.

Reading the logs shows this output:

[2022-10-10 12:00:00.021] [exthost] [error] TypeError: Cannot read properties of undefined (reading 'length')
	at openInEditor (/home/user/.vscode-oss/extensions/mercedes-benz.sechub-0.1.3/out/action/callHierarchyViewActions.js:32:98)
	at callBack (/home/user/.vscode-oss/extensions/mercedes-benz.sechub-0.1.3/out/action/callHierarchyViewActions.js:11:13)
	at n._executeContributedCommand (/usr/share/codium/resources/app/out/vs/workbench/api/node/extensionHostProcess.js:90:111324)
	at n._doExecuteCommand (/usr/share/codium/resources/app/out/vs/workbench/api/node/extensionHostProcess.js:90:110142)
	at n.executeCommand (/usr/share/codium/resources/app/out/vs/workbench/api/node/extensionHostProcess.js:90:110002)
	at Object.executeCommand (/usr/share/codium/resources/app/out/vs/workbench/api/node/extensionHostProcess.js:111:33656)
	at /home/user/.vscode-oss/extensions/mercedes-benz.sechub-0.1.3/out/action/reportViewActions.js:22:33
	at process.processTicksAndRejections (node:internal/process/task_queues:96:5) sechubCallHierarchyView.selectNode {"value":"Mercedes-Benz.sechub","_lower":"mercedes-benz.sechub"}

And the used report was:

{
   "result": {
      "count": 2,
      "findings": [
         {
            "id": 1,
            "description": "Subprocess launched with variable",
            "name": "Subprocess launched with variable",
            "severity": "HIGH",
            "code": {
               "location": "##################",
               "line": 20,
               "column": 17,
               "source": "out, err := exec.Command(command).Output() // Weakness: OS command injection; CWE-78"
            },
            "type": "codeScan",
            "cweId": 78
         },
         {
            "id": 2,
            "description": "SQL string formatting",
            "name": "SQL string formatting",
            "severity": "HIGH",
            "code": {
               "location": "##################",
               "line": 16,
               "column": 10,
               "source": "q := fmt.Sprintf(\"SELECT * FROM foo where name = '%s'\", os.Args[1]) //Error: SQL Injection; CWE-89"
            },
            "type": "codeScan",
            "cweId": 89
         }
      ]
   },
   "status": "SUCCESS",
   "jobUUID": "########-####-####-####-############",
   "trafficLight": "RED",
   "reportVersion": "1.0",
   "messages": []
}

Note: Some information was intentionally replaced with '#'

VSCodium Version: 1.72.0 (Not certain, might've updated after creating the issue)

Release: 22279

SecHub Plugin Version: 0.1.3
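The two stack traces above end in a `TypeError` on an undefined property while the plugin tries to open a finding, and the report was opened fine before that click. A defensive way to handle such reports is to validate every field of a finding's `code` block before dereferencing it, so that a finding without a usable location is listed with a reason instead of crashing the command. The following is an added example, not code from the sechub-plugin-vscode project; the TypeScript types are an assumption derived from the report JSON in this issue (`result.findings[].code.{location,line,column,source}`), the real SecHub schema may carry more fields, and the sample report embedded at the bottom is constructed, not real scan output (the `secretScan` finding in it is a made-up shape, added only to show a finding with no `code` block).

```typescript
// Added example, not part of sechub-plugin-vscode. Types are assumptions based
// on the report JSON quoted in the issue; the real SecHub schema may differ.

interface SecHubCodeLocation {
  location?: string;
  line?: number;
  column?: number;
  source?: string;
}

interface SecHubFinding {
  id: number;
  name: string;
  severity: string;
  type: string;
  cweId?: number;
  code?: SecHubCodeLocation;
}

interface SecHubReport {
  result: { count: number; findings: SecHubFinding[] };
  status: string;
  trafficLight: string;
}

/** Where the IDE should place the cursor; line and column are 1-based as in the report. */
export interface NavigationTarget {
  findingId: number;
  path: string;
  line: number;
  column: number;
}

/** Parse a report string and check the minimum structure; throws on a non-report document. */
export function parseReport(json: string): SecHubReport {
  const parsed = JSON.parse(json);
  if (!parsed || typeof parsed !== 'object' || !parsed.result || !Array.isArray(parsed.result.findings)) {
    throw new Error('not a SecHub report: result.findings is missing');
  }
  return parsed as SecHubReport;
}

/**
 * Return a navigation target for one finding, or a human-readable reason why it
 * cannot be opened. Every field is checked before it is used, so a finding
 * without a code block yields a message rather than a TypeError.
 */
export function navigationTargetFor(f: SecHubFinding): NavigationTarget | string {
  const code = f.code;
  if (code === undefined || code === null) {
    return `finding ${f.id} (${f.type}): no code location in report`;
  }
  if (typeof code.location !== 'string' || code.location.length === 0) {
    return `finding ${f.id}: code.location is missing or empty`;
  }
  if (!Number.isInteger(code.line) || (code.line as number) < 1) {
    return `finding ${f.id}: code.line is missing or not a positive integer`;
  }
  // Column is treated as optional: fall back to the start of the line.
  const column = Number.isInteger(code.column) && (code.column as number) >= 1 ? (code.column as number) : 1;
  return { findingId: f.id, path: code.location, line: code.line as number, column };
}

/** Split a report into openable targets and findings that must be shown without navigation. */
export function triageFindings(report: SecHubReport): { targets: NavigationTarget[]; skipped: string[] } {
  const targets: NavigationTarget[] = [];
  const skipped: string[] = [];
  for (const f of report.result.findings) {
    const t = navigationTargetFor(f);
    if (typeof t === 'string') skipped.push(t); else targets.push(t);
  }
  return { targets, skipped };
}

// Constructed sample report (not real scan output): one complete codeScan
// finding, one whose code block lacks a line number, and one without a code block.
export const SAMPLE_REPORT = JSON.stringify({
  result: {
    count: 3,
    findings: [
      { id: 1, name: 'SQL string formatting', severity: 'HIGH', type: 'codeScan', cweId: 89,
        code: { location: 'cmd/app/main.go', line: 16, column: 10 } },
      { id: 2, name: 'Subprocess launched with variable', severity: 'HIGH', type: 'codeScan', cweId: 78,
        code: { location: 'cmd/app/main.go' } },
      { id: 3, name: 'Hard-coded credential', severity: 'MEDIUM', type: 'secretScan' },
    ],
  },
  status: 'SUCCESS',
  trafficLight: 'RED',
});

/** Run the triage over the constructed sample; returns one target and two skipped findings. */
export function demo(): { targets: NavigationTarget[]; skipped: string[] } {
  return triageFindings(parseReport(SAMPLE_REPORT));
}
```

The `skipped` reasons are what a report view would show next to a finding instead of silently doing nothing, which also makes a malformed or truncated report visible to the user rather than only in the extension host log.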

Drop Daimler namespace at open-vsx.org after renaming has been done

With

After the renaming of Daimler AG to Mercedes-Benz AG and the deployment to the new namespace (+ info community etc.) the open-vsx namespace can be removed.

To remove the extension from legacy namespace a separate issue is necessary:

If you need an extension removed from a legacy namespace, please file a separate issue.

Upgrade Node to 14 LTS

Node.js follows a similar release model as Java does: https://nodejs.org/en/about/releases/. All even numbered releases are long term support releases. The End-of-Life for Node 12 is 2022-04-30. As a result, we should upgrade our build system to use Node 14 instead of Node 12.

VS Code plugin does not work correctly with reports of the scantype "secretScan"

There is currently a bug in the VS Code plugin of SecHub. You can open reports that contain findings of the scantype "secretScan", but when you click on them the plugin does not jump to the corresponding file and it also does not show any information about the finding. See attached screenshot:

Screenshot (image not reproduced)

Wanted:
It should be possible to correctly use the plugin with reports of the scantype "secretScan"

See also:
mercedes-benz/sechub-plugin-eclipse#27
mercedes-benz/sechub-plugin-intellij#88

Fix dependency issues

Several of the used dependencies have security issues. Fix those issues, without making the plugin incompatible with Eclipse Theia/VSCodium.

Plugin not installable on Theia

The plugin cannot be installed on Theia Blueprint version 1.12.1 (Alpha). Theia Blueprint is a desktop IDE based on Theia. The purpose of Theia Blueprint is to demonstrate the capabilities of Theia.

The problem is, that the SecHub plugin requires at least vscode 1.5.1:

package.json


	"engines": {
		"vscode": "^1.51.0"
	},

Theia 1.12.0+ is based on vscode 1.50: https://eclipse-theia.github.io/theia/docs/next/modules/plugin_ext_vscode.html. As a result, this plugin cannot be installed in Eclipse Theia.
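The incompatibility described in this issue is a plain semver range check: `"vscode": "^1.51.0"` means "at least 1.51.0 and below 2.0.0", so a host that exposes VS Code API 1.50 is rejected before the plugin is even loaded. The following is an added example, not code from the sechub-plugin-vscode project and not Theia's or VS Code's own engine check; it implements only the caret (`^`) range form used in the quoted `package.json` and plain `x.y.z` version strings, so it assumes that the host API version is given as three components (e.g. `1.50.0` for the Theia version mentioned above). The manifest fragment at the bottom is a constructed copy of the `engines` block in the issue.

```typescript
// Added example, not part of sechub-plugin-vscode, Theia or VS Code. Supports
// only caret ranges ("^x.y.z") and exact "x.y.z" host versions.

export interface Version { major: number; minor: number; patch: number }

/** Parse "x.y.z"; anything else (pre-release tags, wildcards) is rejected. */
export function parseVersion(v: string): Version {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

/** Negative if a < b, zero if equal, positive if a > b. */
function compare(a: Version, b: Version): number {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

/**
 * npm caret semantics: ^1.51.0 accepts >=1.51.0 <2.0.0, ^0.5.2 accepts
 * >=0.5.2 <0.6.0 (the upper bound bumps the leftmost non-zero component).
 */
export function satisfiesCaret(range: string, hostVersion: string): boolean {
  const r = range.trim();
  if (!r.startsWith('^')) throw new Error(`only caret ranges are supported: ${range}`);
  const min = parseVersion(r.slice(1));
  const host = parseVersion(hostVersion);
  if (compare(host, min) < 0) return false;
  let upper: Version;
  if (min.major > 0) upper = { major: min.major + 1, minor: 0, patch: 0 };
  else if (min.minor > 0) upper = { major: 0, minor: min.minor + 1, patch: 0 };
  else upper = { major: 0, minor: 0, patch: min.patch + 1 };
  return compare(host, upper) < 0;
}

/** The decision an extension host makes from "engines.vscode" before installing a plugin. */
export function canInstall(
  manifest: { engines?: { vscode?: string } },
  hostVscodeApi: string,
): { ok: boolean; reason: string } {
  const range = manifest.engines?.vscode;
  if (!range) return { ok: false, reason: 'manifest has no engines.vscode entry' };
  const ok = satisfiesCaret(range, hostVscodeApi);
  return {
    ok,
    reason: ok
      ? `host API ${hostVscodeApi} satisfies ${range}`
      : `host API ${hostVscodeApi} does not satisfy ${range}`,
  };
}

// Constructed manifest fragment mirroring the engines block quoted in the issue.
export const PLUGIN_MANIFEST = { engines: { vscode: '^1.51.0' } };
```

Running `canInstall(PLUGIN_MANIFEST, '1.50.0')` reproduces the rejection on a Theia 1.12 host, while `'1.51.0'` and the VSCodium 1.65.2 mentioned in an earlier issue pass; lowering the range in `package.json` is only safe if the plugin does not call API added after the lower version.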
