@janoszen janoszen released this Jun 11, 2019 · 21 commits to master since this release

This is a bugfix release. It is recommended that you update as soon as possible. It also

Issue #32: NullPointerException on list-ips with empty Exoscale organization

This issue occurred when listing IP addresses on an empty Exoscale organization, because the expected response objects were missing from the CloudStack response.

Issue #11: Azure integration

This release contains the first iteration of the Azure connector that is able to list IP addresses on Azure and scan firewall rules.

Issue #33: Security vulnerability in dependency Jackson

This security vulnerability was part of the initial Azure development and was fixed before release.

@janoszen janoszen released this Apr 15, 2019 · 29 commits to master since this release

This is a feature release and contains breaking changes. Upgrade at your own leisure after reading the release notes.

Issue #27: Generic Object Storages

The S3 rule system is now replaced with the generic object storage rule system in preparation for Azure and GCP
integration. This is a breaking change to the output: the rule output now contains objectstorage instead of s3.
To revert to the old behavior, pass the --legacy-s3-output flag. (This flag will be removed in 1.0.0.)
Old configuration files are still accepted.

Issue #2: Host discovery

Instead of evaluating rules, cscanner can now also output all IP addresses and their associated hosts on request.
This is useful in conjunction with other scanning tools and will be used in the future to include host-level checks,
such as MongoDB, etc. To trigger this behavior, pass the --list-ips flag.

@janoszen janoszen released this Apr 9, 2019 · 38 commits to master since this release

This is a bugfix release. It is recommended that you update as soon as possible if you use the AWS integration.

Issue #25: DigitalOcean support

The biggest change in this release is the inclusion of DigitalOcean in the list of providers supported. The full documentation, of course, is available here.

Note that DigitalOcean has some very peculiar quirks, so please report any crashes via the issue tracker on GitHub.

Issue #13: End to End tests

Since the number of providers is growing, there was a need for full end-to-end tests. The implementation is a unified test suite that runs against our own accounts at all supported cloud providers and makes sure that the rulesets and data conversion are still working. This was a huge effort, but it will ensure that in the future we will catch bugs more easily than with manual testing.

As part of these tests we fixed a critical bug in the AWS implementation.

@janoszen janoszen released this Apr 6, 2019 · 55 commits to master since this release

This is a feature release. Feel free to upgrade at your own leisure.

Issue #18: Allow include in YAML config

This issue lets users break away from a single configuration file and lets them load partial config files in order to build a reusable configuration. See the documentation for more details.

Issue #20: Provide default rule sets rule

This issue provides a default set of rules in the repository that users can either directly reference via includes or download for customization as needed.
The include reference looks like this:

---
configuration:
  # ...
rules:
  - include: https://raw.githubusercontent.com/janoszen/cscanner/master/rulesets/all.yaml

The source code for these rulesets can be found on GitHub.

Issue #22: Strictly structured config reading config

This is an internal overhaul of the configuration reading. With this upgrade, rule and cloud provider implementations no longer need to deal with processing the configuration data. Instead, internal automation takes over this task and automatically maps the incoming configuration options to the config class.

In the long term, this will lead to better error messages and better documentation for configuration options.

@janoszen janoszen released this Apr 2, 2019 · 66 commits to master since this release

This is a feature release. Upgrade at your own leisure to find a better CLI interface and more info in the output.

Fixes #17: Output non-compliant firewall rules

As a fix for this request the CLI interface has been overhauled. Run java -jar cscanner.jar -h to get a detailed list of options.

@janoszen janoszen released this Apr 2, 2019 · 67 commits to master since this release

This is a bugfix release. It is recommended that you upgrade as soon as possible to avoid missed compliance failures due to inadequate checks. In addition, please read the following documentation to adjust your configuration files.

Thanks to @philipgh1 for reporting these issues.

Fixes #16: Crash on Exoscale with firewall rule protocol "all"

This issue is caused when a firewall rule is added on Exoscale with the protocol designation "all". This was not handled so far because the interface didn't allow for it. The fix now translates the protocol designation "all" to null and introduces proper handling for it.

Additionally, when the protocol is null, the port range 0-0 is also translated to null so that these rules are included in the scan.

@janoszen janoszen released this Apr 1, 2019 · 80 commits to master since this release

This is a bugfix release. It is recommended that you upgrade as soon as possible to avoid missed compliance failures due to inadequate checks. In addition, please read the following documentation to adjust your configuration files.

Thanks to @philipgh1 for reporting these issues.

Fixed #14: Exoscale ipv6 rule causes exception

Exoscale uses the non-standard specifier icmpv6 instead of the official protocol name IPv6-ICMP. Protocol converter support has now been adjusted to also recognize "icmpv6" as this protocol.
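
The protocol handling described in the fixes for #14 and #16 can be sketched as follows. This is an added illustration, not cscanner's own code: the class, record and method names are hypothetical, the sample rules are constructed, and Java 16 or later is assumed for records.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class FirewallRuleNormalization {
    // IANA protocol numbers; "icmpv6" is the non-standard alias for IPv6-ICMP.
    static final Map<String, Integer> PROTOCOLS = Map.of(
        "icmp", 1, "tcp", 6, "udp", 17, "ipv6-icmp", 58, "icmpv6", 58);

    // Normalized rule (hypothetical type): a null protocol or null port bound means "any".
    record Rule(Integer protocol, Integer portFrom, Integer portTo) {}

    static Rule normalize(String protocol, int portFrom, int portTo) {
        String name = protocol.toLowerCase(Locale.ROOT);
        if (name.equals("all")) {
            // "all" becomes null; with it, the placeholder range 0-0 becomes null too.
            boolean placeholder = portFrom == 0 && portTo == 0;
            return new Rule(null, placeholder ? null : portFrom, placeholder ? null : portTo);
        }
        Integer number = PROTOCOLS.get(name);
        if (number == null) {
            // Fail loudly: a silently skipped rule is a missed compliance failure.
            throw new IllegalArgumentException("Unknown protocol: " + protocol);
        }
        return new Rule(number, portFrom, portTo);
    }

    // True when the rule allows traffic for the given protocol number and port.
    static boolean exposes(Rule rule, int protocol, int port) {
        boolean protocolMatches = rule.protocol() == null || rule.protocol() == protocol;
        boolean portMatches = rule.portFrom() == null
            || (rule.portFrom() <= port && port <= rule.portTo());
        return protocolMatches && portMatches;
    }

    public static void main(String[] args) {
        // Constructed sample rules, in the shape a provider API might report them.
        List<Rule> rules = List.of(
            normalize("all", 0, 0), normalize("icmpv6", 0, 0), normalize("tcp", 443, 443));
        for (Rule rule : rules) {
            System.out.println(rule + " exposes tcp/22: " + exposes(rule, 6, 22));
        }
        // Without the translation, "all" with ports 0-0 would be compared literally
        // against port 22 and the rule would pass the check unnoticed.
    }
}
```

Only the first sample rule reports exposure of tcp/22, which is the case a literal comparison of the 0-0 port range would miss.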

Fixed #15: S3 Exoscale compliance check not working

Exoscale Object Storage (SOS) does not support bucket ACLs, therefore the S3_PUBLIC_READ_PROHIBITED check was not effective. Similarly, an AWS bucket with a non-public ACL but public contents would not have been found. The scanContents flag has now been added to indicate that the contents of the buckets should be scanned. (See the documentation for details.) Support for blocking public ACLs, as on AWS, will be added later to avoid a costly scan of all buckets.

@janoszen janoszen released this Mar 30, 2019 · 99 commits to master since this release

First release. Note that the interface may change as this project is very early in development.
