Feature/elasticsearch authentication

.travis.yml

@@ -11,9 +11,6 @@ cache:
 install: true
 script:
   - set -e
-  - echo -en "travis_fold:start:Test\r"
-  - mvn install -Pdependency-check -B
-  - echo -en "travis_fold:end:Test\r"
   - export REPO=securecodebox/engine
   - export TAG=$(echo $TRAVIS_BRANCH | sed 's/\//-/g')
   - echo -en "travis_fold:start:Docker_Build\r"

README.md

@@ -36,6 +36,51 @@ This allows you to e.g. enable https using:
 | SERVER_SSL_ENABLED                    | Enables http over ssl                 | true                        |
 | SERVER_SSL_KEY_STORE_PASSWORD         | Password to the java keystore         | AStrongPassword-NotThisOne! |
 
+## Persistence Provider Configuration
+A more detailed description of all persistence specific integration configuration options can be fund here: [secureCodeBox Integration Documentation][scb-integration]
+
+### Enabling Elasticsearch as Persistence Provider
+All properties defined in scb-engine/src/main/resources/application.yaml can be overwritten via environment variables.
+
+| Property                                             | Example Value              |
+| ---------------------------------------------------- | -------------------------- |
+| SECURECODEBOX_PERSISTENCE_ELASTICSEARCH_ENABLED      | true                       |
+| SECURECODEBOX_PERSISTENCE_ELASTICSEARCH_HOST         | elasticsearch.example.com  |
+| SECURECODEBOX_PERSISTENCE_ELASTICSEARCH_PORT         | 9200                       |
+| SECURECODEBOX_PERSISTENCE_ELASTICSEARCH_INDEX_PREFIX | securecodebox              |
+
+### Configure Elasticsearch Basic Authentication
+If your elasticsearch service enforces authentication your can configure basic authentication:
+
+| Property                                                    | Example Value               |
+| ----------------------------------------------------------- | --------------------------- |
+| SECURECODEBOX_PERSISTENCE_ELASTICSEARCH_AUTH                | basic                       |
+| SECURECODEBOX_PERSISTENCE_ELASTICSEARCH_AUTH_BASIC_USERNAME | elastic                     |
+| SECURECODEBOX_PERSISTENCE_ELASTICSEARCH_AUTH_BASIC_PASSWORD | AStrongPassword-NotThisOne! |
+
+### Configure Elasticsearch API Token Authentication
+If your elasticsearch service enforces authentication your can configure api token based authentication:
+
+| Property                                                    | Example Value               |
+| ----------------------------------------------------------- | --------------------------- |
+| SECURECODEBOX_PERSISTENCE_ELASTICSEARCH_AUTH                | token                       |
+| SECURECODEBOX_PERSISTENCE_ELASTICSEARCH_AUTH_APIKEY_ID      | yourToken                   |
+| SECURECODEBOX_PERSISTENCE_ELASTICSEARCH_AUTH_APIKEY_SECRET  | 7fd7eac6fed567b19932492347  |
+
+### Enabling DefectDojo as Persistence Provider
+All properties defined in scb-engine/src/main/resources/application.yaml can be overwritten via environment variables.
+
+#### Properties / Environment Variables
+
+| Property                                       | Example Value                            |
+| ---------------------------------------------- | ---------------------------------------- |
+| SECURECODEBOX_PERSISTENCE_DEFECTDOJO_ENABLED   | true                                     |
+| SECURECODEBOX_PERSISTENCE_DEFECTDOJO_URL       | [http://localhost:8000]()                |
+| SECURECODEBOX_PERSISTENCE_DEFECTDOJO_AUTH_KEY  | 7fd7eac6fed567b19928f7928a7ddb86f0497e4e |
+| SECURECODEBOX_PERSISTENCE_DEFECTDOJO_AUTH_NAME | admin                                    |
+
+Alternatively the corresponding environment variables, e.g. `SECURECODEBOX_PERSISTENCE_DEFECTDOJO_URL` can be used.
+
 # Development
 
 ## Local setup
@@ -78,4 +123,5 @@ Well boring yes - but please read our [guidelines and naming standards][scb-deve
 
 [docker]:                   https://www.docker.com/
 [beta-testers]:             https://www.securecodebox.io/
+[scb-integration]:          https://www.securecodebox.io/integrations
 [owasp]:                    https://www.owasp.org/index.php/Main_Page

pom.xml

@@ -56,11 +56,11 @@
             IMPORTANT: camunda.version and camunda.spring.boot.starter.version must be compatible
             please see org.camunda.bpm.springboot.project:camunda-bpm-spring-boot-starter-root
          -->
-        <camunda.version>7.10.0</camunda.version>
-        <camunda.spring.boot.starter.version>3.2.8</camunda.spring.boot.starter.version>
+        <camunda.version>7.12.0</camunda.version>
+        <camunda.spring.boot.starter.version>3.4.2</camunda.spring.boot.starter.version>
         <!-- END IMPORTANT -->
 
-        <spring-boot.version>2.2.2.RELEASE</spring-boot.version>
+        <spring-boot.version>2.2.6.RELEASE</spring-boot.version>
         <swagger-version>2.9.2</swagger-version>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     </properties>
@@ -101,6 +101,7 @@
             <dependency>
                 <groupId>org.springframework.boot</groupId>
                 <artifactId>spring-boot-properties-migrator</artifactId>
+                <version>${spring-boot.version}</version>
                 <scope>runtime</scope>
             </dependency>
 
@@ -144,7 +145,7 @@
                 <groupId>org.camunda.bpm.extension.mockito</groupId>
                 <artifactId>camunda-bpm-mockito</artifactId>
                 <scope>test</scope>
-                <version>3.2.1</version>
+                <version>4.12.0</version>
             </dependency>
             <dependency>
                 <groupId>org.camunda.bpm.extension</groupId>
@@ -155,7 +156,7 @@
             <dependency>
                 <groupId>org.camunda.bpm.extension</groupId>
                 <artifactId>camunda-bpm-assert-scenario</artifactId>
-                <version>0.2</version>
+                <version>1.0.0</version>
                 <scope>test</scope>
             </dependency>
             <dependency>
@@ -203,7 +204,7 @@
                 </plugin>
                 <plugin>
                     <artifactId>maven-compiler-plugin</artifactId>
-                    <version>2.3.1</version>
+                    <version>3.8.1</version>
                     <configuration>
                         <source>1.8</source>
                         <target>1.8</target>
@@ -217,12 +218,12 @@
         <pluginRepository>
             <id>jcenter-snapshots</id>
             <name>jcenter</name>
-            <url>http://oss.jfrog.org/artifactory/oss-snapshot-local/</url>
+            <url>https://oss.jfrog.org/artifactory/oss-snapshot-local/</url>
         </pluginRepository>
         <pluginRepository>
             <id>jcenter-releases</id>
             <name>jcenter</name>
-            <url>http://jcenter.bintray.com</url>
+            <url>https://jcenter.bintray.com</url>
             <snapshots>
                 <enabled>false</enabled>
             </snapshots>
@@ -256,7 +257,7 @@
                     <plugin>
                         <groupId>org.owasp</groupId>
                         <artifactId>dependency-check-maven</artifactId>
-                        <version>5.2.4</version>
+                        <version>5.3.2</version>
                         <configuration>
                             <format>ALL</format>
                             <suppressionFile>dependency-check-suppression.xml</suppressionFile>
@@ -315,7 +316,7 @@
                     <plugin>
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-source-plugin</artifactId>
-                        <version>3.0.1</version>
+                        <version>3.2.1</version>
                         <executions>
                             <execution>
                                 <id>generate-sources</id>
@@ -328,7 +329,7 @@
                     <plugin>
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-javadoc-plugin</artifactId>
-                        <version>2.10.4</version>
+                        <version>3.2.0</version>
                         <executions>
                             <execution>
                                 <id>generate-javadocs</id>

scb-engine/pom.xml

@@ -32,13 +32,12 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-properties-migrator</artifactId>
             <scope>runtime</scope>
-            <version>2.2.2.RELEASE</version>
         </dependency>
 
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-core</artifactId>
-            <version>5.2.2.RELEASE</version>
+            <version>5.3.1.RELEASE</version>
         </dependency>
 
         <dependency>
@@ -90,22 +89,6 @@
             <artifactId>tomcat-jdbc</artifactId>
         </dependency>
 
-        <dependency>
-            <groupId>org.apache.tomcat.embed</groupId>
-            <artifactId>tomcat-embed-core</artifactId>
-            <version>9.0.31</version>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.tomcat.embed</groupId>
-            <artifactId>tomcat-embed-el</artifactId>
-            <version>9.0.31</version>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.tomcat.embed</groupId>
-            <artifactId>tomcat-embed-websocket</artifactId>
-            <version>9.0.31</version>
-        </dependency>
-
         <dependency>
             <groupId>io.securecodebox.persistenceproviders</groupId>
             <artifactId>empty-persistenceprovider</artifactId>

scb-engine/src/main/resources/application.yaml

@@ -48,6 +48,15 @@ securecodebox.persistence.elasticsearch.host: persistence-elasticsearch
 securecodebox.persistence.elasticsearch.port: 9200
 securecodebox.persistence.elasticsearch.index.prefix: securecodebox
 securecodebox.persistence.elasticsearch.index.delete_on_init: false
+# Must be 'basic' for basic authentication or 'token' for a api token based authentication
+securecodebox.persistence.elasticsearch.auth: ""
+securecodebox.persistence.elasticsearch.auth.basic.username: ""
+securecodebox.persistence.elasticsearch.auth.basic.password: ""
+securecodebox.persistence.elasticsearch.auth.apikey.id: ""
+securecodebox.persistence.elasticsearch.auth.apikey.secret: ""
+
+# Initialize Kibana with some basic Security Dashboards and Visualisations if no .kibana index will be found on startup
+securecodebox.persistence.elasticsearch.kibana.initialize: true
 
 
 securecodebox.default.target.name: BodgeIT Public Host

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java

@@ -26,7 +26,12 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.core.ParameterizedTypeReference;
 import org.springframework.core.io.ByteArrayResource;
-import org.springframework.http.*;
+
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
 import org.springframework.http.converter.FormHttpMessageConverter;
 import org.springframework.http.converter.ResourceHttpMessageConverter;
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
@@ -206,7 +211,7 @@ public EngagementResponse createEngagement(EngagementPayload engagementPayload)
     public ImportScanResponse createFindings(String rawResult, long engagementId, long lead, String currentDate, String defectDojoScanName) {
         return createFindings(rawResult, engagementId, lead, currentDate,defectDojoScanName, "", new LinkedMultiValueMap<>());
     }
-    /**
+    /*
      * Before version 1.5.4. testName (in DefectDojo _test_type_) must be defectDojoScanName, afterwards, you can have somethings else
      */
     public ImportScanResponse createFindings(String rawResult, long engagementId, long lead, String currentDate,String defectDojoScanName, String testName, MultiValueMap<String, Object> options) {
@@ -254,7 +259,7 @@ public String getFilename() {
             throw new DefectDojoPersistenceException("Failed to attach findings to engagement.");
         }
     }
-    /**
+    /*
      * When DefectDojo >= 1.5.4 is used, testType can be given. Add testName in case DefectDojo >= 1.5.4 is used
      * Using testName for each branch leads to multiple issues in DefectDojo, so it is not recommended
      */
@@ -363,7 +368,7 @@ private long getTestIdOrCreate(long engagementId, TestPayload testPayload, Strin
         return testId.longValue();
     }
 
-    /**
+    /*
      * @deprecated
      */
     public ImportScanResponse createFindingsReImport(String rawResult, String productName, String engagementName, long lead, String currentDate, String defectDojoScanName, EngagementPayload engagementPayload, TestPayload testPayload, MultiValueMap<String, Object> options) {
@@ -480,7 +485,7 @@ private Optional<Long> getEngagementIdByEngagementName(String engagementName, lo
         LOG.warn("Engagement with name '{}' not found.", engagementName);
         return Optional.empty();
     }
-    /**
+    /*
      * @deprecated
      */
     public ProductResponse createProduct(String productName) {
@@ -508,7 +513,9 @@ public void deleteUnusedBranches(List<String> existingBranches, String producNam
 
     /**
      * Deletes engagements based on branch tag
-     * Be aware that the branch tag MUST be set, otherwise all engagments will be deleted
+     * Be aware that the branch tag MUST be set, otherwise all engagements will be deleted
+     * @param existingBranches The list of existing branches
+     * @param productId The productId to find engagements for
      */
     public void deleteUnusedBranches(List<String> existingBranches, long productId) {
         if(existingBranches == null) {

scb-persistenceproviders/elasticsearch-persistenceprovider/pom.xml

@@ -31,7 +31,7 @@
     <version>0.0.1-SNAPSHOT</version>
 
     <properties>
-        <elasticsearch.version>6.8.7</elasticsearch.version>
+        <elasticsearch.version>7.6.2</elasticsearch.version>
     </properties>
 
 
@@ -53,6 +53,18 @@
             <version>${elasticsearch.version}</version>
             <scope>compile</scope>
         </dependency>
+        <dependency>
+            <groupId>org.elasticsearch.client</groupId>
+            <artifactId>elasticsearch-rest-client</artifactId>
+            <version>${elasticsearch.version}</version>
+            <scope>compile</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.elasticsearch.client</groupId>
+            <artifactId>transport</artifactId>
+            <version>${elasticsearch.version}</version>
+            <scope>compile</scope>
+        </dependency>
         <dependency>
             <groupId>org.elasticsearch.test</groupId>
             <artifactId>framework</artifactId>