diff --git a/docs/adr/adr_0001.adoc b/docs/adr/adr_0001.adoc index c6c898bf..87d68733 100644 --- a/docs/adr/adr_0001.adoc +++ b/docs/adr/adr_0001.adoc @@ -1,11 +1,8 @@ [[ADR-0000]] -= ADR-0000: How can we introduce a more general extension concept for data proccessing modules? += ADR-0000: How can we introduce a more general extension concept for data processing modules? [cols="h,d",grid=rows,frame=none,stripes=none,caption="Status",%autowidth] |==== -// Use one of the ADR status parameter based on status -// Please add a cross reference link to the new ADR on 'superseded' ADR. -// e.g.: {adr_suposed_by} <> | Status | ACCEPTED @@ -16,59 +13,63 @@ | Author(s) | Jannik Hollenbach , Jorge Estigarribia , - Robert Seedorff + Robert Seedorff , + Sven Strittmatter |==== == Context === Status Quo -One major challenge implementing the _secureCodeBox_ is to provide a flexible and modular architecture, which enables the open source community to easily understand the concepts and especially to extend the _secureCodeBox_ with individual features. Therefore we decided to seperate the process stages of a single security scan (instance of scanType CRD) in 3 major phases: -``` - ┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐ - │ Scanning ├─────────▶│ Parsing ├─────────▶│ Persisting │ - │ (Phase 1) │ │ (Phase 2) │ │ (Phase 3) │ - └──────────────────┘ └──────────────────┘ └──────────────────┘ -``` -By now the "Persisting Phase 3" was implemented by so called _persistenceProviders_ e.g the *persistence-elastic* provider which is responsible for persisting all findings in a given elasticsearch database. The _secureCodeBox_ Operator is aware of this 3 phases and is responsible for the state model and execution of each security scan (instance of scanType CRD). +One major challenge implementing the _secureCodeBox_ is to provide a flexible and modular architecture, which enables the open source community to easily understand the concepts and especially to extend the _secureCodeBox_ with individual features. Therefore we decided to separate the process stages of a single security scan (instance of _scanType_ custom resource definition; further abbreviated with _CRD_) in three major phases: + +.... +┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐ +│ scanning ├─────────▶│ parsing ├─────────▶│ persisting │ +│ (phase 1) │ │ (phase 2) │ │ (phase 3) │ +└──────────────────┘ └──────────────────┘ └──────────────────┘ +.... + +By now the phase 3 "`persisting`" was implemented by so called _PersistenceProviders_ (e.g., the _persistence-elastic_ provider which is responsible for persisting all findings in a given elasticsearch database). The _secureCodeBox_ Operator is aware of this 3 phases and is responsible for the state model and execution of each security scan. === Problem and Question -We identified different additional UseCases with a more _data proccessing oriented_ pattern than the implemented _persisting phase3_ indicates. For example, we implemented a so called "MetaDataProvider" feature, which is responsible for enhancing each security finding with additional metadata. But the MetaDataProvider must be executed after the _parsing phase 2_ and before the _persisting phase 3_ because it depends on the parsed finding results (which will be enhanced) and the update findings should be also persisted. +We identified different additional use cases with a more "`data processing oriented`" pattern than the implemented phase 3 "`persisting`" indicates. For example, we implemented a so called _MetaDataProvider_ feature, which is responsible for enhancing each security finding with additional metadata. But the _MetaDataProvider_ must be executed after the phase 2 "`parsing`" and before the phase 3 "`persisting`" because it depends on the parsed finding results (which will be enhanced) and the updated findings should be also persisted. +To find a proper solution, we split the topic into the following two questions: -To find a proper solution, we splitted the topic into the follwong two questions: +. Should we unify the concepts _MetaDataProvider_ and _PersistenceProvider_? +. How should the execution model look like for each concept? -* Question 1: Should we unify the concepts MetaDataProvider and PersistenceProvider? -* Question 2: How should the execution model look like for each concept? +==== Question 1: Should We Unify the Concepts MetaDataProvider and PersistenceProvider? -==== Question 1: Should we unify the concepts MetaDataProvider and PersistenceProvider? -==== Solution approach 1: Unify +===== Solution Approach 1: Unify -Both "modules" are "processing" the security findings, which are generated in the parsing phase. -But there is one larger difference between them: +Both "`modules`" are "`processing`" the security findings, which were generated in the phase 2 "`parsing`", +but there is one major difference between them: -* `PersistenceProvider` is proccesing the findings with a *ReadOnly* pattern -* `MetaDataProvider` is proccesing the findings with a *ReadAndWrite* pattern +* a _PersistenceProvider_ is processing the findings *read only*, and +* a _MetaDataProvider_ is processing the findings *read and write*. -There is a similar thing in kubernetes called [AdmissionController](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/), with the exception that the are executed before a resource gets created. +There is a similar concept in Kubernetes called https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/[AdmissionController], but with the exception that the will be executed before a resource is created. -The are two variants: +There are two variants of _AdmissionControllers_: -* `ValidatingWebhookConfiguration` (ReadOnly) *Executed Last* -* `MutatingWebhookConfiguration` (ReadAndWrite) *Executed First* +. _ValidatingWebhookConfiguration_: *read only*, *executed last*; and +. _MutatingWebhookConfiguration_: *read and write*, *executed first*. -We could do a similar thing and introduce CRD which allows to execute "custom code" (generally speaking, depends on the second question) after a scan has completed (meaning both scan and parser phases are done). Some name ideas: +We could do a similar thing and introduce CRD which allows to execute "`custom code`" (depends on the second question) after a scan has completed (meaning both phases "`scan`" and "`parsing`" were done). Some name ideas: -- `ScanHooks` -- `ScanCompletionHooks` -- `FindingProcessors` +* _ScanHooks_ +* _ScanCompletionHooks_ +* _FindingProcessors_ -These could be implemented with a `type` attribute, which declares if they are `ReadOnly` or `ReadAndWrite`. +These could be implemented with a `type` attribute, which declares if they are *read only* or *read and write*. -The operator would process all these resources in the namespace and execute the `ReadAndWrite` ones first (in serial: one at a time to avoid write conflicts) and then the `ReadOnly` ones (in parallel). +The _secureCodeBox operator_ would process all these CRDs in the namespace of the scan and execute the *read and write* ones first in serial only one at a time to avoid write conflicts and then the *read only* ones in parallel. -```yaml +[source,yaml] +---- apiVersion: execution.experimental.securecodebox.io/v1 kind: ScanCompletionHook metadata: @@ -77,11 +78,11 @@ spec: type: ReadAndWrite # If implemented like the current persistence provider image: my-metadata:v2.0.0 -``` +---- The Execution Flow would then look something like this: -``` +.... ┌ ReadOnly─Hooks─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┌ ReadAndWriteHooks ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┌────────────────────────────────┐ │ ┌───────────────────────┐ │ ┌──┼▶│ Elastic PersistenceProvider │ @@ -90,24 +91,24 @@ The Execution Flow would then look something like this: └──────────────────┘ └──────────────────┘ │ └───────────────────────┘ └───────────────────────┘ └───▶│ DefectDojo PersistenceProvider │ │ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┘ │ └────────────────────────────────┘ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┘ -``` +.... -**Pros:** +====== Pros -- Only one Implementation -- Pretty Generic to expand and test out new ideas without having to modify the secureCodeBox Operator +* Only one implementation. +* Pretty generic to expand and test out new ideas without having to modify the _secureCodeBox operator_. -**Cons:** +====== Cons -- Possible "over-abstraction"? -- Need to refactor the ElasticSearch PersistenceProvider -- The "General Implementation" will be harder than the individual ones +* Possibly an "`over-abstraction`". +* Need to refactor the _persistence-elastic_ provider. +* The "`general implementation`" will be harder than the individual ones. -==== Solution approach 1: Keep Split between Persistence Provider and MetaData Provider +===== Solution Approach 2: Keep Split between Persistence Provider and MetaData Provider -Keep PersistenceProvider as they are and introduce new "MetaDataProvider" CRD which gets executed before the PersistenceProviders by the operator. +Keep _PersistenceProvider_ as they are and introduce new _MetaDataProvider_ CRD which gets executed before the _PersistenceProviders_ by the __secureCodeBox operator_. -``` +.... ┌ Persistence Provider─ ─ ─ ─ ─ ─ ─ ─ ┌ MetaData Provider ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┌────────────────────────────────┐ │ ┌───────────────────────┐ │ ┌──┼▶│ Elastic PersistenceProvider │ @@ -116,98 +117,98 @@ Keep PersistenceProvider as they are and introduce new "MetaDataProvider" CRD wh └──────────────────┘ └──────────────────┘ │ └───────────────────────┘ └───────────────────────┘ └───▶│ DefectDojo PersistenceProvider │ │ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┘ │ └────────────────────────────────┘ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┘ -``` +.... -**Pros:** +====== Pros -- Quicker to implement -- Might be worth it to have a seperate concept for it +* Quicker to implement. +* Might be worth it to have a separate concept for it. -**Cons:** +====== Cons -- Really worth introducing a new CRD for everything, especially when the are conceptually pretty close? +* Not sure if it worth to introduce a new CRD for everything, especially when it's conceptually pretty close to to something already existing. -=== Question 2: How should the execution model look like for each? +==== Question 2: How Should the Execution Model Look like for Each Concept? -==== Solution approach 1: Like the persistence provider +===== Solution Approach 1: Like the Persistence Provider -Basically a docker container which process takes two command line args: +Basically a docker container which process findings takes two arguments: -* A pre-signed URL to download the findings from -* A pre-signed URL to upload the modified findings to +. A pre-defined URL to download the findings from. +. A pre-defined URL to upload the modified findings to. Examples: -* Node.js `node my-metadata.js "https://storage.googleapi.com/..." "https://storage.googleapi.com/..."` -* java `java my-metadata.jar "https://storage.googleapi.com/..." "https://storage.googleapi.com/..."` -* golang `./my-metadata "https://storage.googleapi.com/..." "https://storage.googleapi.com/..."` +* NodeJS: `node my-metadata.js "https://storage.googleapi.com/..." "https://storage.googleapi.com/..."` +* Java: `java my-metadata.jar "https://storage.googleapi.com/..." "https://storage.googleapi.com/..."` +* Golang: `./my-metadata "https://storage.googleapi.com/..." "https://storage.googleapi.com/..."` -**Pros:** +====== Pros -* on liner with the current implementations -* code overhead / wrapper code is pretty minimal -* zero scale - no resource costs when nothing is running +* One liner with the current implementations. +* Code overhead / wrapper code is pretty minimal. +* Zero scale: no resource costs when nothing is running. -**Cons:** +===== Cons -* results in too many k8s jobs? -** resource blocking on finished resources -** ttlAfterFinished enabled -* container runtime overhead (especially time) +* May results in too many Kubernetes jobs. +** Resource blocking on finished resources. +** `ttlAfterFinished` enabled. +* Container runtime overhead (especially time). -### Option 2: A WebHooks like concept +===== Solution Approach 2: A WebHooks Like Concept -Analog to kubernetes webhooks. -Https server receiving findings and returning results. +Analog to kubernetes webhooks: HTTP server receiving findings and returning results. -**Pros:** +===== Pros -* MilliSeconds instead of seconds for processing -* No ContainerCreation Overhead -* No additional k8s jobs needed +* Milliseconds instead of seconds for processing. +* No overhead for container Creation. +* No additional kubernetes jobs needed. -**Cons:** +===== Cons -* Introduces new running Services that need to be maintained and have uptime -* Code Overhead / Boilerplate (Can be mitigated by sdk) -* Debugging of individual MetaDataProvider is harder as everything is handled by a single service -* Introduces "New" Concept -* Certificate Management for webhook services (`cert-manager` required by default?) -* Scaling for systems with lots of load could be a problem -* One service per namespace (multiple tenants) needed => results in many running active services which is ressource consuming +* Introduces new running services which needs to be maintained and have uptime. +* Code overhead / boilerplate (Can be mitigated by an SDK). +* Debugging of individual _MetaDataProvider_ is harder than a single service which handles everything. +* Introduces "`new`"cConcept. +* Certificate management for webhook services (`cert-manager` required by default?). +* Scaling for systems with lots of load could be a problem. +* One service per namespace (multiple tenants) needed -> results in many running active services which is resource consuming. == Decision -Regarding the Question 1 it seems that both solution approaches are resulting in the same execution model. We descided to implement solution approach 1 and unify both concepts into a more general concept with the name _"hook concept"_. Therefore we exchange the existing name `persistenceProvider` for phase 3 in the excecution model with a more general term `DataProcessing`: +Regarding question 1 it seems that both solution approaches are resulting in the same execution model. We decided to implement solution approach 1 and unify both concepts into a more general concept with the name _hook concept_. Therefore we exchange the existing name _PersistenceProvider_ for phase 3 in the execution model with a more general term _processing_: -``` - ┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐ - │ Scanning ├─────────▶│ Parsing ├─────────▶│ DataProcessing │ - │ (Phase 1) │ │ (Phase 2) │ │ (Phase 3) │ - └──────────────────┘ └──────────────────┘ └──────────────────┘ -``` +.... +┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐ +│ scanning ├─────────▶│ parsing ├─────────▶│ processing │ +│ (Phase 1) │ │ (Phase 2) │ │ (Phase 3) │ +└──────────────────┘ └──────────────────┘ └──────────────────┘ +.... -Regarding the Question 2 we decided to implement the solution approach 1 with a job-based approach (no active service componend needed). -The Phase 3 `DataProcessing` will be therefore splitt into to seperate phases named `ReadAndWriteHooks (3.1)` and `ReadOnlyHooks (3.2)` +Regarding question 2 we decided to implement the solution approach 1 with a job-based approach (no active service component needed). Therefore the phase 3 _processing_ will be split into two separate phases named _ReadAndWriteHooks_ (3.1) and _ReadOnlyHooks_ (3.2) +// #30 to what refers 3.1 and 3.2? -``` - ┌ DataProcessing: ReadOnlyHooks ─ ─ ─ - ┌ DataProcessing: ReadAndWriteHooks ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┌────────────────────────────────┐ │ +.... + ┌ 3.2 processing: ReadOnlyHooks ─ ─ ─ + ┌ 3.1 processing: ReadAndWriteHooks ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┌────────────────────────────────┐ │ ┌───────────────────────┐ │ ┌──┼▶│ Elastic PersistenceProvider │ ┌──────────────────┐ ┌──────────────────┐ │ │ ReadAndWrite Hook #1 │ ┌───────────────────────┐ │ └────────────────────────────────┘ │ -│ Scan ├──▶│ Parsing │────▶│ "MyMetaDataProvider" ├─▶│ ReadAndWrite Hook #2 │─┼──┤ │ ┌────────────────────────────────┐ +│ scanning ├──▶│ parsing │────▶│ "MyMetaDataProvider" ├─▶│ ReadAndWrite Hook #2 │─┼──┤ │ ┌────────────────────────────────┐ └──────────────────┘ └──────────────────┘ │ └───────────────────────┘ └───────────────────────┘ └───▶│ DefectDojo PersistenceProvider │ │ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┘ │ └────────────────────────────────┘ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┘ -``` +.... == Consequences -With the new `Hook Concept` we open the `DataProcessing` Phase 3 to a more intuitive and flexible architecture. It is easier to understand because _WebHooks_ are already a well known concept. It is possible to keep the existing implementation of the `persistenceProviders` and to integrate them with a lot of other possible data processing components in a more general fashion. In the end, this step will result in a lot of additional feature possibilities, which go fare beyond the existing ones. Therefore we only need to implement this concept once in the secureCodeBox Operator and new ideas for extending the DataProcessing will not enforce conceptual or architectural changes. +With the new _hook concept_ we open the _phase 3 processing_ to a more intuitive and flexible architecture. It is easier to understand because _WebHooks_ are already a well known concept. It is possible to keep the existing implementation of the _PersistenceProvider_ and integrate them with a lot of other possible processing components in a more general fashion. In the end, this step will result in a lot of additional feature possibilities, which go far beyond the existing ones proposed here. Therefore we only need to implement this concept once in the _secureCodeBox operator_ and new ideas for extending the _DataProcessing_ will not enforce conceptual or architectural changes. + +Ideas for additional processing hooks: -Ideas for additional data processing hooks: -* Notifier-Hooks (ReadOnlyHook) e.g. for chat systems (slack, teams...) or metric / alerting systems -* MetaData Enrichment Hooks (ReadAndWriteHook) -* FilterData Hooks (e.g. false/positive Handling) (ReadAndWriteHook) -* SystemIntegration Hooks (ReadOnlyHook) e.g. for ticketing systems like JIRA -* CascadingScans Hooks (ReadOnlyHook) e.g. for starting new security scans based on findings +* Notifier hooks (_ReadOnlyHook_) e.g., for chat (slack, teams etc.), metric, alerting systems +* MetaData enrichment hooks (_ReadAndWriteHook_) +* FilterData hooks (_ReadAndWriteHook_) (e.g., false/positive handling) +* SystemIntegration hooks (_ReadOnlyHook_) e.g., for ticketing systems like Jira +* CascadingScans hooks (_ReadOnlyHook_) e.g., for starting new security scans based on findings