Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Encrypt complete job configuration in PDS #3264

Closed
Tracked by #3250
de-jcup opened this issue Jul 2, 2024 · 1 comment · Fixed by #3254
Closed
Tracked by #3250

Encrypt complete job configuration in PDS #3264

de-jcup opened this issue Jul 2, 2024 · 1 comment · Fixed by #3254
Assignees
@de-jcup
Labels
encryption security
Milestone
PDS 2.0.0

Comments

@de-jcup
Copy link
Member

de-jcup commented Jul 2, 2024
edited
Loading

Situation

We store the parts of the SecHub configuration inside PDS database

ℹ️ This is a sub issue of #3250

Wanted

This must be encrypted - similar to #3263
@de-jcup de-jcup self-assigned this Jul 2, 2024
@de-jcup de-jcup mentioned this issue Jul 2, 2024
Open
8 tasks
@de-jcup de-jcup changed the title Encrypt SecHub configuraiton in PDS Encrypt SecHub configuration in PDS Jul 2, 2024
@de-jcup de-jcup mentioned this issue Jul 2, 2024
Merged
13 tasks
@de-jcup
Copy link
Member Author

de-jcup commented Jul 12, 2024
edited
Loading

At the first glimpse: We store only the PDSJobConfiguration...
But the job configuration contains the sechub configuration (partly) as job parameter which is necessary for the underlying product /pds -solution.

Means this contains sensitive data as well and must be encrypted as well!

de-jcup added a commit that referenced this issue Aug 2, 2024
@de-jcup
Initial PDS data encryption #3264
8f01370 
- implemented encryption parts for PDS
- documented encryption for PDS
- flyway migration scripts
- added unit tests
- some changes in common encryption
de-jcup added a commit that referenced this issue Aug 3, 2024
@de-jcup
Initial PDS data encryption #3264
81ae5a9 
- implemented encryption parts for PDS
- documented encryption for PDS
- flyway migration scripts
- added unit tests
- some changes in common encryption
- NONE is default cipher encryption, means startup possible without
  encryption
- summary log service shows encryption algorithm
- handled encryption out of synch problems on PDS side and
  at SecHub side
- extracted PDS apply of future into own service + wrote tests
- implemented developer admin ui test action for encryption
de-jcup added a commit that referenced this issue Aug 3, 2024
@de-jcup
Initial PDS data encryption #3264
2aaf217 
- implemented encryption parts for PDS
- documented encryption for PDS
- flyway migration scripts
- added unit tests
- some changes in common encryption
- NONE is default cipher encryption, means startup possible without
  encryption
- summary log service shows encryption algorithm
- handled encryption out of synch problems on PDS side and
  at SecHub side
- extracted PDS apply of future into own service + wrote tests
- implemented developer admin ui test action for encryption
de-jcup added a commit that referenced this issue Aug 3, 2024
@de-jcup
Minor change + one bugfix for startup #3264
1e8e40b 
- improved daui secret key gen action
- startup outside integration test failed because
  "-" was not correctly handled by
   SecureEnvironmentVariableKeyValueRegistry
de-jcup added a commit that referenced this issue Aug 5, 2024
@de-jcup
SecHub data encryption #3250 (#3254)
173dc36 
* SecHub
  - described concept of data encryption #3250
  - Introduced sechub-encryption #3273 + update bouncy castle version #3275
  - encryption implementation are now inside own gradle sub module "sechub-encryption"
  - refacotred sechub encryption library #3274

  - implemented data encryption inside SecHub #3250
  - restricted access and storage, avoid using configuration when not
    absolut necessary
  - created dedicated job message which contains unencrypted configuration
    at runtime. Only one message uses this one -> clear not accidently
    used on another code location
  - created migration scripts, seperated pool id generation for h2 and
    postgres because of binary type. Also postgres will migrate old
    data automatically to NoneCipher variant (means no real encryption,
    but admin will be able to rotate keys...)
  - wrote tests
  - introduced new usecases
  - new  REST APIs introduced
  - added integration test for encryption rotation
  - added developer admin ui actions

  - auto cleanup does also auto clean old unused encryption pool data
 - Scheduler now only executes for accepted encryption pool ids #3250
  -  Updated open api file for encryption parts #3250

*  PDS 
  - implemented data encryption + documentation #3264
  - NONE is default cipher encryption, means startup possible without
  encryption 
  - summary log service shows encryption algorithm
  - handled encryption out of sync problems on PDS side and
  at SecHub side
@de-jcup de-jcup added this to the PDS 2.0.0 milestone Aug 5, 2024
@de-jcup de-jcup changed the title Encrypt SecHub configuration in PDS Encrypt complete job configuration in PDS Aug 5, 2024
@de-jcup de-jcup mentioned this issue Aug 8, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@de-jcup de-jcup

Labels
encryption security
Projects
None yet
Milestone
PDS 2.0.0
Development

Successfully merging a pull request may close this issue.

SecHub data encryption #3250 mercedes-benz/sechub
1 participant
@de-jcup