From 3d19fad7aaa75c9aacd4b07f71b2e927791b12a5 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Tue, 14 Aug 2018 17:52:52 +0200 Subject: [PATCH 001/257] Updated Camunda & Spring boot versions --- pom.xml | 14 ++++++++++---- scb-scanprocesses/arachni-process/pom.xml | 4 ++++ .../src/main/resources/archetype-resources/pom.xml | 4 ++++ scb-scanprocesses/nmap-process/pom.xml | 4 ++++ .../subdomain-scanner-process/pom.xml | 4 ++++ scb-scanprocesses/test-process/pom.xml | 4 ++++ scb-scanprocesses/zap-process/pom.xml | 5 +++++ 7 files changed, 35 insertions(+), 4 deletions(-) diff --git a/pom.xml b/pom.xml index c00d6f17..1b3edd98 100644 --- a/pom.xml +++ b/pom.xml @@ -56,11 +56,11 @@ IMPORTANT: camunda.version and camunda.spring.boot.starter.version must be compatible please see org.camunda.bpm.springboot.project:camunda-bpm-spring-boot-starter-root --> - 7.8.0 - 2.3.0 + 7.9.0 + 3.0.0 - 1.5.13.RELEASE + 2.0.2.RELEASE 2.9.0 @@ -128,7 +128,13 @@ org.camunda.bpm.extension.mockito camunda-bpm-mockito test - 3.1.0 + 3.2.1 + + + org.camunda.bpm.extension + camunda-bpm-assert + 1.2 + test org.camunda.bpm.extension diff --git a/scb-scanprocesses/arachni-process/pom.xml b/scb-scanprocesses/arachni-process/pom.xml index d8de4703..6306efd8 100644 --- a/scb-scanprocesses/arachni-process/pom.xml +++ b/scb-scanprocesses/arachni-process/pom.xml @@ -64,6 +64,10 @@ camunda-bpm-process-test-coverage test + + org.camunda.bpm.extension + camunda-bpm-assert + diff --git a/scb-scanprocesses/archetype-process/src/main/resources/archetype-resources/pom.xml b/scb-scanprocesses/archetype-process/src/main/resources/archetype-resources/pom.xml index 8ca83c23..c82daa55 100644 --- a/scb-scanprocesses/archetype-process/src/main/resources/archetype-resources/pom.xml +++ b/scb-scanprocesses/archetype-process/src/main/resources/archetype-resources/pom.xml @@ -65,6 +65,10 @@ camunda-bpm-process-test-coverage test + + org.camunda.bpm.extension + camunda-bpm-assert + 
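Review bot: `camunda-bpm-assert` is added to the arachni-process pom as four lines (open tag, groupId, artifactId, close tag) with no `<scope>test</scope>`, whereas the zap-process hunk of this same patch adds it with `test`; unless the root pom's entry sits under `<dependencyManagement>` (the surrounding tags are lost in this rendering, so that cannot be confirmed here), the assertion library ends up on the compile and runtime classpath of the scan process. Adding `<scope>test</scope>` in each module pom keeps the declarations consistent regardless of how the root pom manages it. The same four-line form appears in the archetype-resources, nmap-process, subdomain-scanner-process and test-process hunks.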
diff --git a/scb-scanprocesses/nmap-process/pom.xml b/scb-scanprocesses/nmap-process/pom.xml index e9c0f674..3075631f 100644 --- a/scb-scanprocesses/nmap-process/pom.xml +++ b/scb-scanprocesses/nmap-process/pom.xml @@ -45,6 +45,10 @@ 0.3.2 test + + org.camunda.bpm.extension + camunda-bpm-assert + diff --git a/scb-scanprocesses/subdomain-scanner-process/pom.xml b/scb-scanprocesses/subdomain-scanner-process/pom.xml index 8f2155d6..6d2102a7 100644 --- a/scb-scanprocesses/subdomain-scanner-process/pom.xml +++ b/scb-scanprocesses/subdomain-scanner-process/pom.xml @@ -64,6 +64,10 @@ camunda-bpm-process-test-coverage test + + org.camunda.bpm.extension + camunda-bpm-assert + diff --git a/scb-scanprocesses/test-process/pom.xml b/scb-scanprocesses/test-process/pom.xml index 11f87f2a..4a98a37b 100644 --- a/scb-scanprocesses/test-process/pom.xml +++ b/scb-scanprocesses/test-process/pom.xml @@ -36,6 +36,10 @@ org.camunda.bpm.springboot camunda-bpm-spring-boot-starter + + org.camunda.bpm.extension + camunda-bpm-assert + diff --git a/scb-scanprocesses/zap-process/pom.xml b/scb-scanprocesses/zap-process/pom.xml index 0f93883a..b62492b6 100644 --- a/scb-scanprocesses/zap-process/pom.xml +++ b/scb-scanprocesses/zap-process/pom.xml @@ -37,6 +37,11 @@ camunda-bpm-assert-scenario test + + org.camunda.bpm.extension + camunda-bpm-assert + test + org.camunda.bpm.extension camunda-bpm-process-test-coverage From 71a5ee5901a0df803ea453bd912e13e1e2ac5663 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Tue, 14 Aug 2018 17:53:29 +0200 Subject: [PATCH 002/257] Fixed getArgument calls --- .../engine/execution/DefaultScanProcessExecutionTest.java | 4 ++-- .../test/nmap/TransformNmapResultsDelegateTest.java | 2 +- .../execution/TransformFindingsToTargetsListenerTest.java | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/scb-engine/src/test/java/io/securecodebox/engine/execution/DefaultScanProcessExecutionTest.java b/scb-engine/src/test/java/io/securecodebox/engine/execution/DefaultScanProcessExecutionTest.java index e5b10570..19cd1ab0 100644 --- a/scb-engine/src/test/java/io/securecodebox/engine/execution/DefaultScanProcessExecutionTest.java +++ b/scb-engine/src/test/java/io/securecodebox/engine/execution/DefaultScanProcessExecutionTest.java @@ -79,14 +79,14 @@ public void setUp() { when(executionMock.hasVariable(eq(DefaultFields.PROCESS_FINDINGS.name()))).thenReturn(true); when(executionMock.getVariable(eq(DefaultFields.PROCESS_FINDINGS.name()))).thenAnswer((answer) -> findingCache); doAnswer((Answer) invocation -> { - findingCache = (String) invocation.getArgumentAt(1, ObjectValueImpl.class).getValue(); + findingCache = (String) ((ObjectValueImpl)invocation.getArgument(1)).getValue(); return Void.TYPE; }).when(executionMock).setVariable(eq(DefaultFields.PROCESS_FINDINGS.name()), any()); when(executionMock.hasVariable(eq(DefaultFields.PROCESS_TARGETS.name()))).thenReturn(true); when(executionMock.getVariable(eq(DefaultFields.PROCESS_TARGETS.name()))).thenAnswer((answer) -> targetCache); doAnswer((Answer) invocation -> { - targetCache = (String) invocation.getArgumentAt(1, ObjectValueImpl.class).getValue(); + targetCache = (String) ((ObjectValueImpl)invocation.getArgument(1)).getValue(); return Void.TYPE; }).when(executionMock).setVariable(eq(DefaultFields.PROCESS_TARGETS.name()), any()); } diff --git a/scb-scanprocesses/nmap-process/src/test/java/io/securecodebox/scanprocess/test/nmap/TransformNmapResultsDelegateTest.java b/scb-scanprocesses/nmap-process/src/test/java/io/securecodebox/scanprocess/test/nmap/TransformNmapResultsDelegateTest.java index 9259d357..2984ab4d 100644 --- a/scb-scanprocesses/nmap-process/src/test/java/io/securecodebox/scanprocess/test/nmap/TransformNmapResultsDelegateTest.java 
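Review bot: The replaced `findingCache = …` and `targetCache = …` lines keep a double cast, `(String) ((ObjectValueImpl)invocation.getArgument(1)).getValue()`, although Mockito 2's `InvocationOnMock.getArgument` is generic and can hand back the typed value directly. `findingCache = (String) invocation.<ObjectValueImpl>getArgument(1).getValue();` (and likewise for `targetCache`) drops the parenthesised cast and reads like the `getArgumentAt(1, ObjectValueImpl.class)` it replaces. The TransformFindingsToTargetsListenerTest hunk of this patch has the same shape with `ObjectValue`. `setUp` starts before this hunk.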
+++ b/scb-scanprocesses/nmap-process/src/test/java/io/securecodebox/scanprocess/test/nmap/TransformNmapResultsDelegateTest.java @@ -86,7 +86,7 @@ public void setUp() { MockitoAnnotations.initMocks(this); when(execution.getFindings()).thenReturn(findingCache); doAnswer((Answer) invocation -> { - findingCache.add(invocation.getArgumentAt(0, Finding.class)); + findingCache.add(invocation.getArgument(0)); return Void.TYPE; }).when(execution).appendFinding(any()); diff --git a/scb-sdk/src/test/java/io/securecodebox/model/execution/TransformFindingsToTargetsListenerTest.java b/scb-sdk/src/test/java/io/securecodebox/model/execution/TransformFindingsToTargetsListenerTest.java index 64817a22..695a1557 100644 --- a/scb-sdk/src/test/java/io/securecodebox/model/execution/TransformFindingsToTargetsListenerTest.java +++ b/scb-sdk/src/test/java/io/securecodebox/model/execution/TransformFindingsToTargetsListenerTest.java @@ -88,7 +88,7 @@ public void testTransformationOfTargetToFindings(String input, List expe doAnswer(invocationOnMock -> { ObjectMapper objectMapper = new ObjectMapper(); List targets = objectMapper.readValue( - (String)invocationOnMock.getArgumentAt(1, ObjectValue.class).getValue(), + (String)((ObjectValue)invocationOnMock.getArgument(1)).getValue(), objectMapper.getTypeFactory().constructCollectionType(List.class, Target.class)); checkTargets(targets, expectedResult); return null; From 4c5fb4686703762db012c41c34740f60519e1287 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Tue, 14 Aug 2018 17:53:40 +0200 Subject: [PATCH 003/257] Changed import --- .../securecodebox/scanprocess/test/DefaultProcessTest.java | 4 +--- .../securecodebox/scanprocess/test/DefaultProcessTest.java | 4 +--- .../securecodebox/scanprocess/test/nmap/NmapProcessTest.java | 5 +---- .../scanprocess/test/SubdomainScannerProcessTest.java | 4 +--- .../securecodebox/scanprocess/test/zap/ZapProcessTest.java | 4 +--- 5 files changed, 5 insertions(+), 16 deletions(-) 
diff --git a/scb-scanprocesses/arachni-process/src/test/java/io/securecodebox/scanprocess/test/DefaultProcessTest.java b/scb-scanprocesses/arachni-process/src/test/java/io/securecodebox/scanprocess/test/DefaultProcessTest.java index 73be0213..8b8617ac 100644 --- a/scb-scanprocesses/arachni-process/src/test/java/io/securecodebox/scanprocess/test/DefaultProcessTest.java +++ b/scb-scanprocesses/arachni-process/src/test/java/io/securecodebox/scanprocess/test/DefaultProcessTest.java @@ -50,9 +50,7 @@ import java.util.List; import java.util.Map; -import static org.camunda.bpm.engine.test.assertions.bpmn.AbstractAssertions.processEngine; -import static org.camunda.bpm.engine.test.assertions.bpmn.BpmnAwareAssertions.assertThat; -import static org.camunda.bpm.engine.test.assertions.bpmn.BpmnAwareTests.runtimeService; +import static org.camunda.bpm.engine.test.assertions.ProcessEngineTests.*; import static org.camunda.bpm.extension.mockito.CamundaMockito.autoMock; import static org.mockito.Mockito.when; diff --git a/scb-scanprocesses/archetype-process/src/main/resources/archetype-resources/src/test/java/io/securecodebox/scanprocess/test/DefaultProcessTest.java b/scb-scanprocesses/archetype-process/src/main/resources/archetype-resources/src/test/java/io/securecodebox/scanprocess/test/DefaultProcessTest.java index eba7013a..48375ed5 100644 --- a/scb-scanprocesses/archetype-process/src/main/resources/archetype-resources/src/test/java/io/securecodebox/scanprocess/test/DefaultProcessTest.java +++ b/scb-scanprocesses/archetype-process/src/main/resources/archetype-resources/src/test/java/io/securecodebox/scanprocess/test/DefaultProcessTest.java 
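Review bot: The new `import static org.camunda.bpm.engine.test.assertions.ProcessEngineTests.*;` swaps three explicit static imports for a wildcard, which no longer shows which of `processEngine`, `assertThat` and `runtimeService` the class uses and pulls every member of `ProcessEngineTests` into the test's namespace, unlike the explicit `CamundaMockito.autoMock` and `Mockito.when` imports beside it. Importing the three members explicitly from `ProcessEngineTests` keeps the move to camunda-bpm-assert while preserving the file's explicit-import style. The same replacement is made in the archetype DefaultProcessTest, NmapProcessTest, SubdomainScannerProcessTest and ZapProcessTest hunks of this patch.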
@@ -50,9 +50,7 @@ import java.util.List; import java.util.Map; -import static org.camunda.bpm.engine.test.assertions.bpmn.AbstractAssertions.processEngine; -import static org.camunda.bpm.engine.test.assertions.bpmn.BpmnAwareAssertions.assertThat; -import static org.camunda.bpm.engine.test.assertions.bpmn.BpmnAwareTests.runtimeService; +import static org.camunda.bpm.engine.test.assertions.ProcessEngineTests.*; import static org.camunda.bpm.extension.mockito.CamundaMockito.autoMock; import static org.mockito.Mockito.when; diff --git a/scb-scanprocesses/nmap-process/src/test/java/io/securecodebox/scanprocess/test/nmap/NmapProcessTest.java b/scb-scanprocesses/nmap-process/src/test/java/io/securecodebox/scanprocess/test/nmap/NmapProcessTest.java index 24f3dd6a..d4595723 100644 --- a/scb-scanprocesses/nmap-process/src/test/java/io/securecodebox/scanprocess/test/nmap/NmapProcessTest.java +++ b/scb-scanprocesses/nmap-process/src/test/java/io/securecodebox/scanprocess/test/nmap/NmapProcessTest.java @@ -50,11 +50,8 @@ import java.util.List; import java.util.Map; -import static org.camunda.bpm.engine.test.assertions.bpmn.AbstractAssertions.processEngine; -import static org.camunda.bpm.engine.test.assertions.bpmn.BpmnAwareAssertions.assertThat; -import static org.camunda.bpm.engine.test.assertions.bpmn.BpmnAwareTests.runtimeService; +import static org.camunda.bpm.engine.test.assertions.ProcessEngineTests.*; import static org.camunda.bpm.extension.mockito.CamundaMockito.autoMock; -import static org.camunda.bpm.extension.mockito.CamundaMockito.verifyJavaDelegateMock; import static org.mockito.Mockito.when; /** diff --git a/scb-scanprocesses/subdomain-scanner-process/src/test/java/io/securecodebox/scanprocess/test/SubdomainScannerProcessTest.java b/scb-scanprocesses/subdomain-scanner-process/src/test/java/io/securecodebox/scanprocess/test/SubdomainScannerProcessTest.java index d387b654..c3b28e7a 100644 
--- a/scb-scanprocesses/subdomain-scanner-process/src/test/java/io/securecodebox/scanprocess/test/SubdomainScannerProcessTest.java +++ b/scb-scanprocesses/subdomain-scanner-process/src/test/java/io/securecodebox/scanprocess/test/SubdomainScannerProcessTest.java @@ -50,9 +50,7 @@ import java.util.List; import java.util.Map; -import static org.camunda.bpm.engine.test.assertions.bpmn.AbstractAssertions.processEngine; -import static org.camunda.bpm.engine.test.assertions.bpmn.BpmnAwareAssertions.assertThat; -import static org.camunda.bpm.engine.test.assertions.bpmn.BpmnAwareTests.runtimeService; +import static org.camunda.bpm.engine.test.assertions.ProcessEngineTests.*; import static org.camunda.bpm.extension.mockito.CamundaMockito.autoMock; import static org.mockito.Mockito.when; diff --git a/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/test/zap/ZapProcessTest.java b/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/test/zap/ZapProcessTest.java index d116ab58..80153385 100644 --- a/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/test/zap/ZapProcessTest.java +++ b/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/test/zap/ZapProcessTest.java @@ -32,9 +32,7 @@ import java.util.concurrent.atomic.AtomicBoolean; import static org.assertj.core.api.Assertions.fail; -import static org.camunda.bpm.engine.test.assertions.bpmn.AbstractAssertions.processEngine; -import static org.camunda.bpm.engine.test.assertions.bpmn.BpmnAwareAssertions.assertThat; -import static org.camunda.bpm.engine.test.assertions.bpmn.BpmnAwareTests.runtimeService; +import static org.camunda.bpm.engine.test.assertions.ProcessEngineTests.*; import static org.camunda.bpm.extension.mockito.CamundaMockito.autoMock; import static org.camunda.bpm.extension.mockito.CamundaMockito.verifyExecutionListenerMock; import static org.camunda.bpm.extension.mockito.CamundaMockito.verifyJavaDelegateMock; 
From 2419ae7caa208660408dfb6b357bbf93f78365be Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 15 Aug 2018 17:04:20 +0200 Subject: [PATCH 004/257] Changed version reference to avoid warnings --- scb-scanprocesses/arachni-process/pom.xml | 2 +- scb-scanprocesses/subdomain-scanner-process/pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scb-scanprocesses/arachni-process/pom.xml b/scb-scanprocesses/arachni-process/pom.xml index 6306efd8..c25c55c4 100644 --- a/scb-scanprocesses/arachni-process/pom.xml +++ b/scb-scanprocesses/arachni-process/pom.xml @@ -36,7 +36,7 @@ io.securecodebox.core sdk - ${parent.version} + ${project.parent.version} diff --git a/scb-scanprocesses/subdomain-scanner-process/pom.xml b/scb-scanprocesses/subdomain-scanner-process/pom.xml index 6d2102a7..f9467daa 100644 --- a/scb-scanprocesses/subdomain-scanner-process/pom.xml +++ b/scb-scanprocesses/subdomain-scanner-process/pom.xml @@ -36,7 +36,7 @@ io.securecodebox.core sdk - ${parent.version} + ${project.parent.version} From b50909b918270ba7454320181a2987e985340fbe Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 15 Aug 2018 17:05:16 +0200 Subject: [PATCH 005/257] Changed back to tomcat jdbc connection pool --- scb-engine/pom.xml | 5 +++++ scb-engine/src/main/resources/application.yaml | 2 ++ 2 files changed, 7 insertions(+) diff --git a/scb-engine/pom.xml b/scb-engine/pom.xml index 9be73e43..8bbccf9c 100644 --- a/scb-engine/pom.xml +++ b/scb-engine/pom.xml @@ -69,6 +69,11 @@ runtime + + org.apache.tomcat + tomcat-jdbc + + io.securecodebox.persistenceproviders empty-persistenceprovider diff --git a/scb-engine/src/main/resources/application.yaml b/scb-engine/src/main/resources/application.yaml index c0a28834..d4a901e6 100644 --- a/scb-engine/src/main/resources/application.yaml +++ b/scb-engine/src/main/resources/application.yaml 
@@ -7,6 +7,8 @@ camunda.bpm: webapp: index-redirect-enabled: true +spring.datasource.type: org.apache.tomcat.jdbc.pool.DataSource + logging.level: INFO logging.level.io.securecodebox: INFO From c75e81066969978409d099cf99811978ab1bafbf Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 15 Aug 2018 17:06:08 +0200 Subject: [PATCH 006/257] Added spring boot properties migrator --- pom.xml | 6 ++++++ scb-engine/pom.xml | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/pom.xml b/pom.xml index 1b3edd98..c7d4ebc8 100644 --- a/pom.xml +++ b/pom.xml @@ -97,6 +97,12 @@ pom + + org.springframework.boot + spring-boot-properties-migrator + runtime + + org.camunda.bpm.springboot diff --git a/scb-engine/pom.xml b/scb-engine/pom.xml index 8bbccf9c..cb58d085 100644 --- a/scb-engine/pom.xml +++ b/scb-engine/pom.xml @@ -28,6 +28,12 @@ org.camunda.bpm.springboot camunda-bpm-spring-boot-starter-webapp + + org.springframework.boot + spring-boot-properties-migrator + runtime + 2.0.2.RELEASE + From f9a62975a12c8728d1dd38c2653785abef250a7d Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Tue, 11 Sep 2018 17:22:03 +0200 Subject: [PATCH 007/257] Added gateway to skip zap spider task if sitemap is provided --- .../zap/constants/ZAPAttributes.java | 6 + .../listener/IsSitemapProvidedListener.java | 67 +++++++ .../src/main/resources/bpmn/zap_process.bpmn | 184 +++++++++++------- 3 files changed, 185 insertions(+), 72 deletions(-) create mode 100644 scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/constants/ZAPAttributes.java create mode 100644 scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListener.java diff --git a/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/constants/ZAPAttributes.java b/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/constants/ZAPAttributes.java new file mode 100644 index 00000000..8d72ff02 --- /dev/null 
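Review bot: `spring.datasource.type: org.apache.tomcat.jdbc.pool.DataSource` is added without any comment recording why the pool is pinned, and the commit subject ("Changed back to tomcat jdbc connection pool") is the only place the intent survives. Spring Boot 2, which this series moves to in patch 001, prefers HikariCP when it is on the classpath, so a later reader cannot tell whether this line is deliberate or a leftover; a comment such as `# Spring Boot 2 prefers HikariCP; keep the Tomcat pool used before the upgrade (dependency tomcat-jdbc in scb-engine/pom.xml)` would record it. If the switch back was prompted by a concrete incompatibility, name it in that comment instead.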
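Review bot: The `spring-boot-properties-migrator` entry added to scb-engine/pom.xml carries a literal `2.0.2.RELEASE`, while the same artifact is added to the root pom in the first hunk of this patch and the root pom already appears to hold `2.0.2.RELEASE` as a Spring Boot version property since patch 001; the version is now stated twice and will drift on the next Boot bump. Drop the version from the module entry so it inherits the root declaration, or reference the root's version property. The migrator is also a temporary aid — it logs every deprecated property at startup and is meant to be removed once `application.yaml` is converted — so an adjacent `<!-- TODO: remove once application.yaml uses Spring Boot 2 property names -->` keeps it from becoming permanent.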
+++ b/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/constants/ZAPAttributes.java
@@ -0,0 +1,6 @@
+package io.securecodebox.scanprocess.zap.constants;
+
+public enum ZAPAttributes {
+ ZAP_SITEMAP,
+ ZAP_SKIP_SPIDER;
+}
diff --git a/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListener.java b/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListener.java
new file mode 100644
index 00000000..559b9fb0
--- /dev/null
+++ b/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListener.java
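Review bot: `ZAPAttributes` has no Javadoc and its two constants name different things — `ZAP_SITEMAP` is looked up as a key in `Target.getAttributes()` while `ZAP_SKIP_SPIDER` is the name of a process variable set on the `DelegateExecution` (both uses are in the IsSitemapProvidedListener hunk of this patch). A one-line Javadoc per constant, e.g. `/** Target attribute key: a sitemap was supplied for this target. */` and `/** Process variable name: true when every target carries a sitemap, so the spider task is bypassed. */`, would make that distinction explicit. The file also lacks the Apache license header the sibling listener file carries.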
@@ -0,0 +1,67 @@
+/*
+ *
+ * SecureCodeBox (SCB)
+ * Copyright 2015-2018 iteratec GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * /
+ */
+package io.securecodebox.scanprocess.zap.listener;
+
+import io.securecodebox.model.execution.ScanProcessExecution;
+import io.securecodebox.model.execution.ScanProcessExecutionFactory;
+import io.securecodebox.model.execution.Target;
+import io.securecodebox.scanprocess.zap.constants.ZAPAttributes;
+import java.util.List;
+import org.camunda.bpm.engine.delegate.DelegateExecution;
+import org.camunda.bpm.engine.delegate.ExecutionListener;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+@Component
+public class IsSitemapProvidedListener implements ExecutionListener {
+
+ protected static final org.slf4j.Logger LOG = LoggerFactory.getLogger(IsSitemapProvidedListener.class);
+
+ @Autowired
+ ScanProcessExecutionFactory processExecutionFactory;
+
+ @Override
+ public void notify(DelegateExecution execution) throws Exception {
+ LOG.info("Check if all Targets provide a sitemap");
+ ScanProcessExecution scanProcess = processExecutionFactory.get(execution);
+ List targets = scanProcess.getTargets();
+
+ boolean allTargetsHaveSitemap = targets.stream()
+ .filter(target -> !hasSitemap(target))
+ .count() == 0;
+
+ if(allTargetsHaveSitemap){
+ LOG.info("-> All Targets have sitemap. 
Set ZAP_SKIP_SPIDER variable");
+ execution.setVariable(ZAPAttributes.ZAP_SKIP_SPIDER.name(),true);
+ } else {
+ LOG.info("-> NOT All Targets have sitemap");
+ execution.setVariable(ZAPAttributes.ZAP_SKIP_SPIDER.name(),false);
+ }
+ }
+
+ private boolean hasSitemap(Target target){
+ if (target.getAttributes().containsKey(ZAPAttributes.ZAP_SITEMAP.name())) {
+ return true;
+ } else {
+ return false;
+ }
+ }
+
+}
diff --git a/scb-scanprocesses/zap-process/src/main/resources/bpmn/zap_process.bpmn b/scb-scanprocesses/zap-process/src/main/resources/bpmn/zap_process.bpmn
index 74ae1122..ed4a9d27 100644
--- a/scb-scanprocesses/zap-process/src/main/resources/bpmn/zap_process.bpmn
+++ b/scb-scanprocesses/zap-process/src/main/resources/bpmn/zap_process.bpmn
@@ -1,10 +1,9 @@ - + SequenceFlow_SummaryCreated - SequenceFlow_0r2gvr8 SequenceFlow_02qc6c8
@@ -23,7 +22,7 @@ SequenceFlow_0drubkw - + ${PROCESS_RESULT_APPROVED == 'approved'} SequenceFlow_0drubkw
@@ -31,7 +30,7 @@ SequenceFlow_AutomatedStart SequenceFlow_ManualStart - + ${PROCESS_AUTOMATED == true}
@@ -52,8 +51,7 @@ - SequenceFlow_AutomatedStart - SequenceFlow_0tb0m80 + SequenceFlow_1cve6n9 SequenceFlow_WebserverScanFinisched
@@ -71,14 +69,14 @@ SequenceFlow_1s3gu9y SequenceFlow_0dnuw18 - + - + ${ZAP_SPIDER_CONFIGURATION_TYPE == 'advanced'} - + ${ZAP_SCANNER_CONFIGURATION_TYPE == 'advanced'} ${ZAP_AUTHENTICATION}
@@ -86,15 +84,16 @@ - + ${!ZAP_AUTHENTICATION && ZAP_SPIDER_CONFIGURATION_TYPE == 'default' && ZAP_SCANNER_CONFIGURATION_TYPE == 'default'} SequenceFlow_WebserverScanFinisched + SequenceFlow_18v3nda SequenceFlow_1g7p2w3 - + ${PROCESS_RESULT_APPROVED == 'disapproved'} SequenceFlow_ManualStart
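Review bot: `hasSitemap` tests only `containsKey`, so a target whose `ZAP_SITEMAP` attribute is present with a null value still counts as providing a sitemap, `ZAP_SKIP_SPIDER` becomes true and the spider task is bypassed with nothing to replace it; `return target.getAttributes().get(ZAPAttributes.ZAP_SITEMAP.name()) != null;` closes that gap and replaces the if/else. In `notify`, an empty target list also yields `allTargetsHaveSitemap == true` (the filtered count of no elements is 0), so the spider is skipped when no target was configured at all — if that is not intended, `boolean allTargetsHaveSitemap = !targets.isEmpty() && targets.stream().allMatch(this::hasSitemap);` states the rule in one line. The class also uses field injection on a package-private `@Autowired` field and writes the logger type as `org.slf4j.Logger` inline; constructor injection and `import org.slf4j.Logger;` would match the surrounding imports. Patch 008 later in this series touches the same `hasSitemap` body without changing either point.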
@@ -124,8 +123,25 @@ SequenceFlow_TargetConfigured - Configure a new security-scan process. The inital configuration must contain a target URL. The advanced configuration could be used to configure each component in detail. - + + + + + SequenceFlow_AutomatedStart + SequenceFlow_0tb0m80 + SequenceFlow_1cve6n9 + SequenceFlow_18v3nda + + + ${ZAP_SKIP_SPIDER != true} + + + + ${ZAP_SKIP_SPIDER == true} + + + Configure a new security-scan process. The inital configuration must contain a target URL. The advanced configuration could be used to configure each component in detail. + @@ -136,19 +152,12 @@ - - - - - - - - - + + @@ -163,8 +172,8 @@ - - + + @@ -176,17 +185,17 @@ - - - + + + - + - - - + + + @@ -198,15 +207,15 @@ - - + + - - + + @@ -215,8 +224,8 @@ - - + + @@ -231,79 +240,81 @@ - - + + + + - - + + - - - + + + - - + + - - - + + + - - - + + + - - + + - - - + + + - - - - + + + + - - + + - + @@ -313,10 +324,10 @@ - - - - + + + + @@ -340,15 +351,44 @@ - - + + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From 663968ad1d6e8c4fd3a511b51e18e5e0250f93c4 Mon Sep 17 00:00:00 2001 
From: Martin Lang Date: Wed, 12 Sep 2018 18:05:56 +0200 Subject: [PATCH 008/257] Added Tests for ZapProcess and IsSitemapProvidedListener --- scb-scanprocesses/zap-process/pom.xml | 6 ++ ...tributes.java => ZapProcessVariables.java} | 3 +- .../zap/constants/ZapTargetAttributes.java | 5 + .../listener/IsSitemapProvidedListener.java | 19 ++-- .../scanprocess/test/zap/ZapProcessTest.java | 25 +++++ .../IsSitemapProvidedListenerTest.java | 93 +++++++++++++++++++ 6 files changed, 141 insertions(+), 10 deletions(-) rename scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/constants/{ZAPAttributes.java => ZapProcessVariables.java} (62%) create mode 100644 scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/constants/ZapTargetAttributes.java create mode 100644 scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListenerTest.java diff --git a/scb-scanprocesses/zap-process/pom.xml b/scb-scanprocesses/zap-process/pom.xml index 0f93883a..fc90a4ff 100644 --- a/scb-scanprocesses/zap-process/pom.xml +++ b/scb-scanprocesses/zap-process/pom.xml @@ -42,6 +42,12 @@ camunda-bpm-process-test-coverage test + + com.google.guava + guava + 23.0 + compile + diff --git a/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/constants/ZAPAttributes.java b/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/constants/ZapProcessVariables.java similarity index 62% rename from scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/constants/ZAPAttributes.java rename to scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/constants/ZapProcessVariables.java index 8d72ff02..f3e3f776 100644 --- a/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/constants/ZAPAttributes.java 
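Review bot: Guava 23.0 is added to zap-process at `compile` scope, as far as the visible hunks show only so that `IsSitemapProvidedListener.hasSitemap` can carry `@VisibleForTesting` (the listener hunk later in this patch), which puts a large general-purpose library on the runtime classpath of the scan process with a version pinned in the module rather than managed centrally like the Camunda and Spring versions. `@VisibleForTesting` is a marker annotation with class retention that nothing reads at runtime, so `<scope>provided</scope>` or `<optional>true</optional>` would keep it off the packaged classpath; a package-private method with a one-line comment needs no dependency at all. If Guava does stay, declare its version in the root pom so it is bumped and patched together with the other dependencies.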
+++ b/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/constants/ZapProcessVariables.java
@@ -1,6 +1,5 @@
 package io.securecodebox.scanprocess.zap.constants;
-public enum ZAPAttributes {
- ZAP_SITEMAP,
+public enum ZapProcessVariables {
 ZAP_SKIP_SPIDER;
 }
diff --git a/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/constants/ZapTargetAttributes.java b/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/constants/ZapTargetAttributes.java
new file mode 100644
index 00000000..398dcc37
--- /dev/null
+++ b/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/constants/ZapTargetAttributes.java
@@ -0,0 +1,5 @@
+package io.securecodebox.scanprocess.zap.constants;
+
+public enum ZapTargetAttributes {
+ ZAP_SITEMAP;
+}
diff --git a/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListener.java b/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListener.java
index 559b9fb0..7b81c381 100644
--- a/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListener.java
+++ b/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListener.java
@@ -18,10 +18,12 @@
 */
 package io.securecodebox.scanprocess.zap.listener;
+import com.google.common.annotations.VisibleForTesting;
 import io.securecodebox.model.execution.ScanProcessExecution;
 import io.securecodebox.model.execution.ScanProcessExecutionFactory;
 import io.securecodebox.model.execution.Target;
-import io.securecodebox.scanprocess.zap.constants.ZAPAttributes;
+import io.securecodebox.scanprocess.zap.constants.ZapProcessVariables;
+import io.securecodebox.scanprocess.zap.constants.ZapTargetAttributes;
 import java.util.List;
 import org.camunda.bpm.engine.delegate.DelegateExecution;
 import org.camunda.bpm.engine.delegate.ExecutionListener;
@@ -39,7 +41,7 @@ public class IsSitemapProvidedListener implements ExecutionListener {
 @Override
 public void notify(DelegateExecution execution) throws Exception {
- LOG.info("Check if all Targets provide a sitemap");
+ LOG.debug("Check if all Targets provide a sitemap");
 ScanProcessExecution scanProcess = processExecutionFactory.get(execution);
 List targets = scanProcess.getTargets();
@@ -48,16 +50,17 @@ public void notify(DelegateExecution execution) throws Exception {
 .count() == 0;
 if(allTargetsHaveSitemap){
- LOG.info("-> All Targets have sitemap. Set ZAP_SKIP_SPIDER variable");
- execution.setVariable(ZAPAttributes.ZAP_SKIP_SPIDER.name(),true);
+ LOG.debug("-> All Targets have sitemap. Set ZAP_SKIP_SPIDER to true");
+ execution.setVariable(ZapProcessVariables.ZAP_SKIP_SPIDER.name(),true);
 } else {
- LOG.info("-> NOT All Targets have sitemap");
- execution.setVariable(ZAPAttributes.ZAP_SKIP_SPIDER.name(),false);
+ LOG.debug("-> NOT all Targets have sitemap. Set ZAP_SKIP_SPIDER to false");
+ execution.setVariable(ZapProcessVariables.ZAP_SKIP_SPIDER.name(),false);
 }
 }
- private boolean hasSitemap(Target target){
- if (target.getAttributes().containsKey(ZAPAttributes.ZAP_SITEMAP.name())) {
+ @VisibleForTesting
+ boolean hasSitemap(Target target){
+ if (target.getAttributes().containsKey(ZapTargetAttributes.ZAP_SITEMAP.name())) {
 return true;
 } else {
 return false;
diff --git a/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/test/zap/ZapProcessTest.java b/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/test/zap/ZapProcessTest.java
index ab9f7b49..f7ba9306 100644
--- a/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/test/zap/ZapProcessTest.java
+++ b/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/test/zap/ZapProcessTest.java
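Review bot: The two branches in `notify` set `ZAP_SKIP_SPIDER` to exactly the value of `allTargetsHaveSitemap`, so they collapse to `LOG.debug("All targets have a sitemap: {}; setting ZAP_SKIP_SPIDER accordingly", allTargetsHaveSitemap);` followed by `execution.setVariable(ZapProcessVariables.ZAP_SKIP_SPIDER.name(), allTargetsHaveSitemap);`. `hasSitemap` is widened from private to package-private and annotated `@VisibleForTesting` so the new IsSitemapProvidedListenerTest can stub it on a `@Spy`, yet that test stubs it with `when(underTest.hasSitemap(t1)).thenReturn(true)`, which invokes the real method on the spy before the stub is in place — for spies Mockito's documented form is `doReturn(true).when(underTest).hasSitemap(t1)`. If `Target` lets the test set attributes, building one target with and one without `ZAP_SITEMAP` would exercise both branches through `notify` and let the method stay private. `notify` starts before this hunk and the class continues after it.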
@@ -4,12 +4,16 @@ import com.fasterxml.jackson.databind.ObjectMapper; import io.securecodebox.constants.DefaultFields; import io.securecodebox.model.execution.Target; +import io.securecodebox.scanprocess.zap.constants.ZapProcessVariables; +import io.securecodebox.scanprocess.zap.listener.IsSitemapProvidedListener; import org.camunda.bpm.engine.ExternalTaskService; import org.camunda.bpm.engine.ProcessEngineException; +import org.camunda.bpm.engine.delegate.ExecutionListener; import org.camunda.bpm.engine.externaltask.LockedExternalTask; import org.camunda.bpm.engine.runtime.ProcessInstance; import org.camunda.bpm.engine.test.Deployment; import org.camunda.bpm.engine.test.ProcessEngineRule; +import org.camunda.bpm.engine.test.mock.Mocks; import org.camunda.bpm.extension.process_test_coverage.junit.rules.TestCoverageProcessEngineRuleBuilder; import org.camunda.bpm.scenario.ProcessScenario; import org.camunda.bpm.scenario.Scenario; @@ -66,6 +70,9 @@ public class ZapProcessTest { @Mock private ProcessScenario zapProcess; + @Mock + private IsSitemapProvidedListener isSitemapProvidedListener; + /** * Executed before every test-case * In this method default variables for the process and a default behaviour for the mocks @@ -108,6 +115,10 @@ public void init() { task -> startExternalMockProcess("zap_spider")); when(zapProcess.waitsAtServiceTask(RUN_SCANNER_TASK)).thenReturn( task -> startExternalMockProcess("zap_scan")); + + Mocks.register("isSitemapProvidedListener", (ExecutionListener) delegateExecution -> + delegateExecution.setVariable(ZapProcessVariables.ZAP_SKIP_SPIDER.name(), false) + ); } @Test 
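Review bot: `Mocks.register("isSitemapProvidedListener", …)` in `init()` writes into Camunda's static mock registry and no visible line calls `Mocks.reset()`, so the registration outlives each test and is visible to any other test class run in the same JVM; add `@After public void tearDown() { Mocks.reset(); }` — the shouldSkipSpiderTaskIfSitemapProvided hunk of this patch re-registers the listener with `true` and relies on `init()` putting `false` back before the next test. The new `@Mock private IsSitemapProvidedListener isSitemapProvidedListener;` field is not referenced by any visible line — the lambda handed to `Mocks.register` is what the engine resolves — so it looks like a leftover unless a test outside this excerpt uses it. `init()` starts before this hunk.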
@@ -237,6 +248,20 @@ public void testCorrectAdvancedConfiguration(){
 assertThat(scenario.instance(zapProcess)).isWaitingAt(RUN_SPIDER_TASK);
 }
+ @Test
+ public void shouldSkipSpiderTaskIfSitemapProvided(){
+ // given
+ Mocks.register("isSitemapProvidedListener", (ExecutionListener) delegateExecution ->
+ delegateExecution.setVariable(ZapProcessVariables.ZAP_SKIP_SPIDER.name(), true)
+ );
+
+ // when
+ ProcessInstance processInstance = startProcessInstance(defaultVariables);
+
+ // then
+ assertThat(processInstance).isWaitingAt(RUN_SCANNER_TASK);
+ }
+
 @Test
 public void testFindingToTargetsTransformationCalled(){
diff --git a/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListenerTest.java b/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListenerTest.java
new file mode 100644
index 00000000..417366ee
--- /dev/null
+++ b/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListenerTest.java
@@ -0,0 +1,93 @@ +package io.securecodebox.scanprocess.zap.listener; + +import io.securecodebox.model.execution.ScanProcessExecution; +import io.securecodebox.model.execution.ScanProcessExecutionFactory; +import io.securecodebox.model.execution.Target; +import io.securecodebox.scanprocess.zap.constants.ZapProcessVariables; +import io.securecodebox.scanprocess.zap.constants.ZapTargetAttributes; +import java.util.Arrays; +import java.util.Collections; +import java.util.List; +import org.camunda.bpm.engine.delegate.DelegateExecution; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mockito.InjectMocks; +import org.mockito.Mock; +import org.mockito.Spy; +import org.mockito.runners.MockitoJUnitRunner; + + +import static junit.framework.TestCase.assertTrue; +import static org.junit.Assert.assertFalse; +import static org.mockito.Mockito.times; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; + +@RunWith(MockitoJUnitRunner.class) +public class IsSitemapProvidedListenerTest { + + @InjectMocks + @Spy + IsSitemapProvidedListener underTest; + + @Mock + ScanProcessExecutionFactory processExecutionFactory; + + @Mock + DelegateExecution execution; + + @Mock + ScanProcessExecution scanProcessExecution; + + @Test + public void shouldSetSkipSpiderFlagWhenSitemapIsProvided() throws Exception { + // given + Target t1 = new Target(); + Target t2 = new Target(); + List targets = Arrays.asList(t1, t2); + when(processExecutionFactory.get(execution)).thenReturn(scanProcessExecution); + when(scanProcessExecution.getTargets()).thenReturn(targets); + when(underTest.hasSitemap(t1)).thenReturn(true); + when(underTest.hasSitemap(t2)).thenReturn(true); + + // when + underTest.notify(execution); + + //then + verify(execution, times(1)).setVariable(ZapProcessVariables.ZAP_SKIP_SPIDER.name(),true); + } + + @Test + public void shouldNotSkipSpiderFlagWhenSitemapIsNotProvidedInAllTargets() throws Exception { + // given + Target t1 = new Target(); 
+ Target t2 = new Target(); + List targets = Arrays.asList(t1, t2); + when(processExecutionFactory.get(execution)).thenReturn(scanProcessExecution); + when(scanProcessExecution.getTargets()).thenReturn(targets); + when(underTest.hasSitemap(t1)).thenReturn(true); + when(underTest.hasSitemap(t2)).thenReturn(false); + + // when + underTest.notify(execution); + + //then + verify(execution, times(0)).setVariable(ZapProcessVariables.ZAP_SKIP_SPIDER.name(),true); + verify(execution, times(1)).setVariable(ZapProcessVariables.ZAP_SKIP_SPIDER.name(),false); + } + + @Test + public void shouldFindSitemapWhenTargetContainSitemap() { + Target target = new Target(); + target.getAttributes().put(ZapTargetAttributes.ZAP_SITEMAP.name(), Collections.emptyList()); + + assertTrue(underTest.hasSitemap(target)); + } + + @Test + public void shouldSayNoSitemapWhenTargetContainNoSitemap() { + Target target = new Target(); + + assertFalse(underTest.hasSitemap(target)); + } +} From 3eeb370f96efb124461cd0fda6302cc8a239dad2 Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Thu, 13 Sep 2018 15:02:51 +0200 Subject: [PATCH 009/257] Removed dependency to google.guava --- scb-scanprocesses/zap-process/pom.xml | 6 ------ .../scanprocess/zap/listener/IsSitemapProvidedListener.java | 2 -- 2 files changed, 8 deletions(-) diff --git a/scb-scanprocesses/zap-process/pom.xml b/scb-scanprocesses/zap-process/pom.xml index fc90a4ff..0f93883a 100644 --- a/scb-scanprocesses/zap-process/pom.xml +++ b/scb-scanprocesses/zap-process/pom.xml @@ -42,12 +42,6 @@ camunda-bpm-process-test-coverage test - - com.google.guava - guava - 23.0 - compile - diff --git a/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListener.java b/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListener.java index 7b81c381..c6bee426 100644 
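Review bot: `when(underTest.hasSitemap(t1)).thenReturn(true)` in both `notify` tests invokes the real `hasSitemap` on the `@Spy` while stubbing it; that is harmless here only because `hasSitemap` on an empty `Target` has no side effects, but it is the spy pitfall Mockito documents and it breaks as soon as the method does more. Use the spy form, `doReturn(true).when(underTest).hasSitemap(t1);`, for all four stubs. `List targets = Arrays.asList(t1, t2);` is a raw type; `List<Target> targets = Arrays.asList(t1, t2);` keeps the `getTargets()` stub type-checked.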
--- a/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListener.java +++ b/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListener.java @@ -18,7 +18,6 @@ */ package io.securecodebox.scanprocess.zap.listener; -import com.google.common.annotations.VisibleForTesting; import io.securecodebox.model.execution.ScanProcessExecution; import io.securecodebox.model.execution.ScanProcessExecutionFactory; import io.securecodebox.model.execution.Target; @@ -58,7 +57,6 @@ public void notify(DelegateExecution execution) throws Exception { } } - @VisibleForTesting boolean hasSitemap(Target target){ if (target.getAttributes().containsKey(ZapTargetAttributes.ZAP_SITEMAP.name())) { return true; From e67da03118c03b8c80752c82727d21ac862b0d7e Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Mon, 17 Sep 2018 16:16:05 +0200 Subject: [PATCH 010/257] Added basic auth filter with camunda authentication check --- pom.xml | 6 +++ scb-engine/pom.xml | 4 ++ ...asicAuthAuthProviderWebSecurityConfig.java | 30 +++++++++++++++ .../auth/CamundaAuthenticationProvider.java | 38 +++++++++++++++++++ 4 files changed, 78 insertions(+) create mode 100644 scb-engine/src/main/java/io/securecodebox/engine/auth/BasicAuthAuthProviderWebSecurityConfig.java create mode 100644 scb-engine/src/main/java/io/securecodebox/engine/auth/CamundaAuthenticationProvider.java diff --git a/pom.xml b/pom.xml index 28226385..0782e90c 100644 --- a/pom.xml +++ b/pom.xml @@ -154,6 +154,12 @@ ${swagger-version} + + org.springframework.boot + spring-boot-starter-security + ${spring-boot.version} + + io.securecodebox.core sdk diff --git a/scb-engine/pom.xml b/scb-engine/pom.xml index 9be73e43..2d5b592e 100644 --- a/scb-engine/pom.xml +++ b/scb-engine/pom.xml @@ -42,6 +42,10 @@ io.springfox springfox-swagger-ui + + org.springframework.boot + spring-boot-starter-security + 
diff --git a/scb-engine/src/main/java/io/securecodebox/engine/auth/BasicAuthAuthProviderWebSecurityConfig.java b/scb-engine/src/main/java/io/securecodebox/engine/auth/BasicAuthAuthProviderWebSecurityConfig.java
new file mode 100644
index 00000000..d7ff29d3
--- /dev/null
+++ b/scb-engine/src/main/java/io/securecodebox/engine/auth/BasicAuthAuthProviderWebSecurityConfig.java
@@ -0,0 +1,30 @@
+package io.securecodebox.engine.auth;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+
+@Configuration
+@EnableWebSecurity
+public class BasicAuthAuthProviderWebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+
+ @Autowired
+ CamundaAuthenticationProvider camundaAuthenticationProvider;
+
+ @Override
+ protected void configure(final HttpSecurity http) throws Exception {
+ http.antMatcher("/box/**").authorizeRequests()
+ .anyRequest().authenticated()
+ .and().httpBasic();
+ }
+
+ @Autowired
+ public void configureGlobal(final AuthenticationManagerBuilder auth) throws Exception {
+ auth.authenticationProvider(camundaAuthenticationProvider);
+ }
+}
diff --git a/scb-engine/src/main/java/io/securecodebox/engine/auth/CamundaAuthenticationProvider.java b/scb-engine/src/main/java/io/securecodebox/engine/auth/CamundaAuthenticationProvider.java
new file mode 100644
index 00000000..ca37d00b
--- /dev/null
+++ b/scb-engine/src/main/java/io/securecodebox/engine/auth/CamundaAuthenticationProvider.java
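Review bot: `http.antMatcher("/box/**")` scopes this filter chain to the SCB REST API, and because this is the only `WebSecurityConfigurerAdapter` visible, Spring Boot's default security auto-configuration backs off; as far as this file shows, requests outside `/box/**` are then not processed by any Spring Security chain at all. If that is intended (Camunda's webapp and REST API bring their own authentication), state it in a class Javadoc: `Secures the SecureCodeBox REST API under /box/** with HTTP Basic against Camunda's identity service; all other paths are left to their own authentication.` Prefer constructor injection over the `@Autowired` field so the provider dependency can be `final`.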
@@ -0,0 +1,38 @@
+package io.securecodebox.engine.auth;
+
+import java.util.Collections;
+import org.camunda.bpm.engine.ProcessEngine;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.stereotype.Component;
+
+@Component
+public class CamundaAuthenticationProvider implements AuthenticationProvider {
+
+ @Autowired
+ ProcessEngine engine;
+
+ @Override
+ public Authentication authenticate(Authentication auth) throws AuthenticationException {
+ String username = auth.getName();
+ String password = auth.getCredentials().toString();
+
+
+ boolean authenticated = engine.getIdentityService().checkPassword(username,password);
+
+ if (authenticated) {
+ return new UsernamePasswordAuthenticationToken(username, password, Collections.emptyList());
+ } else {
+ throw new BadCredentialsException("Authentication failed");
+ }
+ }
+
+ @Override
+ public boolean supports(Class auth) {
+ return auth.equals(UsernamePasswordAuthenticationToken.class);
+ }
+}
From 37ab07c2ab77af8d649cebba11a5f3b5d431fc70 Mon Sep 17 00:00:00 2001
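Review bot: `auth.getCredentials().toString()` dereferences the credentials without a null check, so a token that carries no credentials ends in a `NullPointerException` (an HTTP 500) instead of the `BadCredentialsException` the rest of the method uses. The returned token is built with `Collections.emptyList()` authorities and the plaintext password as credentials; as far as this file shows, the user's Camunda group memberships are never mapped to `GrantedAuthority`s and the user id is never set on the engine's `IdentityService`, so neither Spring's nor Camunda's authorization can act on who authenticated — worth a comment if that is deliberate. `supports(Class auth)` uses a raw type; the interface declares `supports(Class<?> authentication)`. Suggested rewrite of `authenticate`:

```java
 @Override
 public Authentication authenticate(Authentication auth) throws AuthenticationException {
     String username = auth.getName();
     Object credentials = auth.getCredentials();
     // Reject missing credentials explicitly instead of NPE-ing on toString().
     if (username == null || credentials == null) {
         throw new BadCredentialsException("Authentication failed");
     }
     boolean authenticated = engine.getIdentityService().checkPassword(username, credentials.toString());
     if (!authenticated) {
         throw new BadCredentialsException("Authentication failed");
     }
     // No reason to carry the plaintext password around in the security context.
     return new UsernamePasswordAuthenticationToken(username, null, Collections.emptyList());
 }
```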
From: Martin Lang Date: Wed, 19 Sep 2018 11:31:47 +0200 Subject: [PATCH 011/257] Added property to disable basic auth for scb rest api --- pom.xml | 10 ++++----- scb-engine/pom.xml | 9 ++++++++ ...g.java => BasicAuthWebSecurityConfig.java} | 8 +++++-- .../engine/auth/NoAuthWebSecurityConfig.java | 22 +++++++++++++++++++ .../src/main/resources/application.yaml | 5 +++++ scb-engine/src/test/resources/application.yml | 5 +++++ 6 files changed, 52 insertions(+), 7 deletions(-) rename scb-engine/src/main/java/io/securecodebox/engine/auth/{BasicAuthAuthProviderWebSecurityConfig.java => BasicAuthWebSecurityConfig.java} (71%) create mode 100644 scb-engine/src/main/java/io/securecodebox/engine/auth/NoAuthWebSecurityConfig.java create mode 100644 scb-engine/src/test/resources/application.yml diff --git a/pom.xml b/pom.xml index 0782e90c..62731cc6 100644 --- a/pom.xml +++ b/pom.xml @@ -117,6 +117,11 @@ camunda-bpm-spring-boot-starter-rest ${camunda.spring.boot.starter.version} + + org.springframework.boot + spring-boot-starter-security + ${spring-boot.version} + org.camunda.bpm.springboot @@ -154,11 +159,6 @@ ${swagger-version} - - org.springframework.boot - spring-boot-starter-security - ${spring-boot.version} - io.securecodebox.core diff --git a/scb-engine/pom.xml b/scb-engine/pom.xml index 2d5b592e..5f8b9ea5 100644 --- a/scb-engine/pom.xml +++ b/scb-engine/pom.xml @@ -181,6 +181,15 @@ + + test + + false + + + test + + docs diff --git a/scb-engine/src/main/java/io/securecodebox/engine/auth/BasicAuthAuthProviderWebSecurityConfig.java b/scb-engine/src/main/java/io/securecodebox/engine/auth/BasicAuthWebSecurityConfig.java similarity index 71% rename from scb-engine/src/main/java/io/securecodebox/engine/auth/BasicAuthAuthProviderWebSecurityConfig.java rename to scb-engine/src/main/java/io/securecodebox/engine/auth/BasicAuthWebSecurityConfig.java index d7ff29d3..aa5d2641 100644 
--- a/scb-engine/src/main/java/io/securecodebox/engine/auth/BasicAuthAuthProviderWebSecurityConfig.java
+++ b/scb-engine/src/main/java/io/securecodebox/engine/auth/BasicAuthWebSecurityConfig.java
@@ -1,6 +1,7 @@
 package io.securecodebox.engine.auth;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -10,17 +11,20 @@
 @Configuration
 @EnableWebSecurity
-public class BasicAuthAuthProviderWebSecurityConfig extends WebSecurityConfigurerAdapter {
+@ConditionalOnProperty(name = "securecodebox.rest.auth", havingValue = "basic auth")
+public class BasicAuthWebSecurityConfig extends WebSecurityConfigurerAdapter {
+ private static final String SCB_REST_API_URL = "/box";
 @Autowired
 CamundaAuthenticationProvider camundaAuthenticationProvider;
 @Override
 protected void configure(final HttpSecurity http) throws Exception {
- http.antMatcher("/box/**").authorizeRequests()
+ http.antMatcher(SCB_REST_API_URL + "/**").authorizeRequests()
 .anyRequest().authenticated()
 .and().httpBasic();
+ http.csrf().disable();
 }
 @Autowired
diff --git a/scb-engine/src/main/java/io/securecodebox/engine/auth/NoAuthWebSecurityConfig.java b/scb-engine/src/main/java/io/securecodebox/engine/auth/NoAuthWebSecurityConfig.java
new file mode 100644
index 00000000..84630430
--- /dev/null
+++ b/scb-engine/src/main/java/io/securecodebox/engine/auth/NoAuthWebSecurityConfig.java
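Review bot: `http.csrf().disable();` is added without making the chain stateless: the default session policy still creates an HTTP session after a successful Basic login, so a browser that has authenticated once (or that re-sends cached Basic credentials on challenge) can be driven into state-changing `/box/**` calls from another origin. For a Basic-auth-only API the usual pairing is `.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)` (import `org.springframework.security.config.http.SessionCreationPolicy`), which is what makes the CSRF opt-out defensible. `@ConditionalOnProperty(name = "securecodebox.rest.auth", havingValue = "basic auth")` matches nothing when the property is unset, so neither this nor the `none` configuration is active and which Spring Boot default then applies is not visible here; `matchIfMissing = true` on this class makes the authenticated chain the fail-closed default. `configureGlobal` continues outside the hunk.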
@@ -0,0 +1,22 @@
+package io.securecodebox.engine.auth;
+
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+
+@Configuration
+@EnableWebSecurity
+@ConditionalOnProperty(name = "securecodebox.rest.auth", havingValue = "none")
+public class NoAuthWebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+ @Override
+ protected void configure(final HttpSecurity http) throws Exception {
+ http.authorizeRequests()
+ .anyRequest().permitAll()
+ .and().httpBasic().disable();
+ http.csrf().disable();
+ }
+}
diff --git a/scb-engine/src/main/resources/application.yaml b/scb-engine/src/main/resources/application.yaml
index c0a28834..104b8954 100644
--- a/scb-engine/src/main/resources/application.yaml
+++ b/scb-engine/src/main/resources/application.yaml
@@ -25,3 +25,8 @@ securecodebox.default.target.name: BodgeIT Public Host
 securecodebox.default.target.location: bodgeit
 securecodebox.default.target.uri: http://bodgeit:8080/bodgeit
 securecodebox.default.context: BodgeIT
+
+# Configure Secure CodeBox rest api protection
+# - basic auth
+# - none
+securecodebox.rest.auth: basic auth
diff --git a/scb-engine/src/test/resources/application.yml b/scb-engine/src/test/resources/application.yml
new file mode 100644
index 00000000..833c4e12
--- /dev/null
+++ b/scb-engine/src/test/resources/application.yml
@@ -0,0 +1,5 @@
+spring.profiles.active: test
+
+securecodebox:
+ persistence.provider: none
+ rest.auth: none
From 75fb03e5d6a8134402a292ef6dfca0fa6cfbeda2 Mon Sep 17 00:00:00 2001
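Review bot: `NoAuthWebSecurityConfig` permits every request and disables CSRF, and neither the class nor the new `securecodebox.rest.auth` comment in `application.yaml` marks `none` as a development/test-only switch. Add a class Javadoc along the lines of `Disables authentication and CSRF protection for the whole engine; intended for local development and tests only, never when the engine is reachable over a network.`, and a matching warning next to `# - none` in the yaml. A `WARN` log line emitted from this configuration at startup would make an accidental deployment with `none` visible in the logs.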
From: Martin Lang Date: Fri, 21 Sep 2018 13:05:06 +0200 Subject: [PATCH 012/257] Added Configuration to create default user for scanner services --- .../helper/DefaultGroupConfiguration.java | 10 ++- .../helper/DefaultUserConfiguration.java | 84 +++++++++++++++++++ .../engine/helper/PropertyValueProvider.java | 15 ++++ .../src/main/resources/application-dev.yaml | 4 + .../src/main/resources/application.yaml | 6 ++ 5 files changed, 116 insertions(+), 3 deletions(-) create mode 100644 scb-engine/src/main/java/io/securecodebox/engine/helper/DefaultUserConfiguration.java diff --git a/scb-engine/src/main/java/io/securecodebox/engine/helper/DefaultGroupConfiguration.java b/scb-engine/src/main/java/io/securecodebox/engine/helper/DefaultGroupConfiguration.java index 43a773e8..e3f82ad2 100644 --- a/scb-engine/src/main/java/io/securecodebox/engine/helper/DefaultGroupConfiguration.java +++ b/scb-engine/src/main/java/io/securecodebox/engine/helper/DefaultGroupConfiguration.java @@ -28,6 +28,7 @@ import org.slf4j.LoggerFactory; import org.springframework.context.annotation.Configuration; + /** * This configuration file generates the default group approver and * @@ -37,15 +38,17 @@ @Configuration public class DefaultGroupConfiguration extends AbstractCamundaConfiguration { + public static final String GROUP_SCANNER = "scanner"; + public static final String GROUP_APPROVER = "approver"; + private static final Logger LOG = LoggerFactory.getLogger(DefaultGroupConfiguration.class); @Override public void postProcessEngineBuild(final ProcessEngine processEngine) { final IdentityService identityService = processEngine.getIdentityService(); - createGroup(identityService, "approver"); - createGroup(identityService, "scanner"); - + createGroup(identityService, GROUP_APPROVER); + createGroup(identityService, GROUP_SCANNER); } private void createGroup(IdentityService identityService, String group) { 
@@ -58,4 +61,5 @@ private void createGroup(IdentityService identityService, String group) { LOG.info("Created default secureCodeBox group: {}", approverGroup.getName()); } } + } diff --git a/scb-engine/src/main/java/io/securecodebox/engine/helper/DefaultUserConfiguration.java b/scb-engine/src/main/java/io/securecodebox/engine/helper/DefaultUserConfiguration.java new file mode 100644 index 00000000..6732139f --- /dev/null +++ b/scb-engine/src/main/java/io/securecodebox/engine/helper/DefaultUserConfiguration.java 
@@ -0,0 +1,84 @@ +/* + * + * SecureCodeBox (SCB) + * Copyright 2015-2018 iteratec GmbH + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * / + */ + +package io.securecodebox.engine.helper; + +import org.camunda.bpm.engine.AuthorizationService; +import org.camunda.bpm.engine.IdentityService; +import org.camunda.bpm.engine.ProcessEngine; +import org.camunda.bpm.engine.identity.User; +import org.camunda.bpm.spring.boot.starter.configuration.impl.AbstractCamundaConfiguration; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Configuration; + +/** + * This configuration file adds a default user for scanner services + */ +@Configuration +public class DefaultUserConfiguration extends AbstractCamundaConfiguration { + + @Autowired + private PropertyValueProvider properties; + + private static final Logger LOG = LoggerFactory.getLogger(DefaultUserConfiguration.class); + + @Override + public void postProcessEngineBuild(final ProcessEngine processEngine) { + final IdentityService identityService = processEngine.getIdentityService(); + + if(identityService.isReadOnly()) { + LOG.warn("Identity service provider is Read Only, not creating any users."); + return; + } + + setupTechnicalUserForScanner(identityService); + } + + private void setupTechnicalUserForScanner(final IdentityService identityService) { + final String scannerUserId = 
properties.getDefaultUserScannerId(); + final String scannerUserPw = properties.getDefaultUserScannerPassword(); + + if(scannerUserId == null || scannerUserId.isEmpty() || scannerUserPw == null || scannerUserPw.isEmpty()) { + LOG.info("No environment variables provided to create technical user for scanners"); + return; + } + + boolean userForScannersAlreadyExists = identityService.createUserQuery().userId(scannerUserId).count() > 0; + if(userForScannersAlreadyExists){ + LOG.info("Technical user for scanners already exists"); + } else { + LOG.info("Creating technical user for scanners"); + createTechnicalUserForScanner(identityService, scannerUserId, scannerUserPw); + identityService.createMembership(scannerUserId, DefaultGroupConfiguration.GROUP_SCANNER); + } + } + + private void createTechnicalUserForScanner(final IdentityService identityService, final String scannerUserId, final String scannerUserPw) { + User technicalUserForScanner = identityService.newUser(scannerUserId); + technicalUserForScanner.setPassword(scannerUserPw); + technicalUserForScanner.setFirstName("Technical-User"); + technicalUserForScanner.setLastName("Default-Scanner"); + + identityService.saveUser(technicalUserForScanner); + } + + +} diff --git a/scb-engine/src/main/java/io/securecodebox/engine/helper/PropertyValueProvider.java b/scb-engine/src/main/java/io/securecodebox/engine/helper/PropertyValueProvider.java index d6cd4220..349d36e2 100644 --- a/scb-engine/src/main/java/io/securecodebox/engine/helper/PropertyValueProvider.java +++ b/scb-engine/src/main/java/io/securecodebox/engine/helper/PropertyValueProvider.java 
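Review bot: In `setupTechnicalUserForScanner`, when `userForScannersAlreadyExists` is true the configured password is not applied and `identityService.createMembership(scannerUserId, DefaultGroupConfiguration.GROUP_SCANNER)` is skipped, so rotating `securecodebox.rest.user.scanner-default.password` has no effect after the first start, and any pre-existing user with that id is silently treated as the technical user and assumed to be in the scanner group. At minimum log that branch at `WARN` (`LOG.warn("Technical user for scanners '{}' already exists; configured password and group membership are not applied", scannerUserId);`), or make the existing-user branch ensure the group membership as well. The `LOG.info("No environment variables provided ...")` message is misleading since the values come from Spring properties, not only environment variables. The license header also contains a stray `* /` line before the closing `*/`.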
@@ -29,6 +29,13 @@ public class PropertyValueProvider { @Value("${securecodebox.default.target.location}") private String defaultTargetLocation; + @Value("${securecodebox.rest.user.scanner-default.user-id}") + private String defaultUserScannerId; + + @Value("${securecodebox.rest.user.scanner-default.password}") + private String defaultUserScannerPassword; + + /** * Default target access URI */ @@ -50,4 +57,12 @@ public String getDefaultTargetLocation() { public String getDefaultTargetUri() { return defaultTargetUri; } + + String getDefaultUserScannerId() { + return defaultUserScannerId; + } + + String getDefaultUserScannerPassword() { + return defaultUserScannerPassword; + } } diff --git a/scb-engine/src/main/resources/application-dev.yaml b/scb-engine/src/main/resources/application-dev.yaml index be6f6238..653b607d 100644 --- a/scb-engine/src/main/resources/application-dev.yaml +++ b/scb-engine/src/main/resources/application-dev.yaml @@ -10,3 +10,7 @@ logging.level.io.securecodebox: TRACE # - none # - elasticsearch securecodebox.persistence.provider: none + +securecodebox.rest.user.scanner-default: + user-id: default-scanner + password: scan diff --git a/scb-engine/src/main/resources/application.yaml b/scb-engine/src/main/resources/application.yaml index 104b8954..5628d5b1 100644 --- a/scb-engine/src/main/resources/application.yaml +++ b/scb-engine/src/main/resources/application.yaml @@ -30,3 +30,9 @@ securecodebox.default.context: BodgeIT # - basic auth # - none securecodebox.rest.auth: basic auth + +# Configure a technical user for the scanner services. This user allows the scanner services to authenticate on the engines rest api. +# (if not configured, a user has to be added manually in the camunda ui) +securecodebox.rest.user.scanner-default: + user-id: + password: From 46d7682f11393d8efdf2c51826619fd240b03a7d Mon Sep 17 00:00:00 2001 
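Review bot: The new `@Value("${securecodebox.rest.user.scanner-default.user-id}")` and `...password}")` fields have no default, so any profile that does not define the keys fails context startup with an unresolved placeholder; the new `src/test/resources/application.yml` does not define them and relies on the main `application.yaml` also being on the test classpath. `@Value("${securecodebox.rest.user.scanner-default.user-id:}")` and `@Value("${securecodebox.rest.user.scanner-default.password:}")` keep the existing "empty means not configured" behaviour while removing that startup dependency. A one-line Javadoc on the two package-private getters stating that an empty string means "no technical user configured" documents the contract `DefaultUserConfiguration` relies on.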
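Review bot: `application-dev.yaml` now ships a fixed credential, `user-id: default-scanner` / `password: scan`, which `DefaultUserConfiguration` turns into a real Camunda user with Basic-auth access to the REST API whenever the `dev` profile is active. That is acceptable only if `dev` can never be the active profile outside a developer machine; a comment saying so, e.g. `# development-only credential - never activate the dev profile on a network-reachable engine`, keeps it from being copied into a deployment config. Pointing the dev value at an environment variable (`password: ${SCB_SCANNER_PASSWORD:scan}`) would make it easy to override without editing the file.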
From: Martin Lang Date: Fri, 21 Sep 2018 13:08:00 +0200 Subject: [PATCH 013/257] Enable camunda authorization (camunda default is false) --- scb-engine/src/main/resources/application.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scb-engine/src/main/resources/application.yaml b/scb-engine/src/main/resources/application.yaml index 5628d5b1..9aa8d58e 100644 --- a/scb-engine/src/main/resources/application.yaml +++ b/scb-engine/src/main/resources/application.yaml @@ -4,8 +4,8 @@ spring.profiles.active: ${activatedProfiles} camunda.bpm: - webapp: - index-redirect-enabled: true + webapp.index-redirect-enabled: true + authorization.enabled: true logging.level: INFO logging.level.io.securecodebox: INFO From 6aa2b3beb29196d5f89217068d89082ee0af729c Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Mon, 24 Sep 2018 16:24:50 +0200 Subject: [PATCH 014/257] Added Test for Camunda Authentication Provider --- .../CamundaAuthenticationProviderTest.java | 61 +++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 scb-engine/src/test/java/io/securecodebox/engine/auth/CamundaAuthenticationProviderTest.java diff --git a/scb-engine/src/test/java/io/securecodebox/engine/auth/CamundaAuthenticationProviderTest.java b/scb-engine/src/test/java/io/securecodebox/engine/auth/CamundaAuthenticationProviderTest.java new file mode 100644 index 00000000..f1c46b03 --- /dev/null +++ b/scb-engine/src/test/java/io/securecodebox/engine/auth/CamundaAuthenticationProviderTest.java 
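Review bot: `camunda.bpm.authorization.enabled: true` switches on the engine's authorization checks, but nothing in this series creates `Authorization` entries for the `approver` and `scanner` groups that `DefaultGroupConfiguration` and `DefaultUserConfiguration` set up, so as far as the visible code shows those users have no permissions in the engine once this lands. A comment next to the flag naming where the grants come from, e.g. `# authorizations for the scanner/approver groups must be granted separately (Camunda Admin)`, would avoid a surprise at the first login.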
@@ -0,0 +1,61 @@ +package io.securecodebox.engine.auth; + +import org.camunda.bpm.engine.IdentityService; +import org.camunda.bpm.engine.ProcessEngine; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mockito.InjectMocks; +import org.mockito.Mock; +import org.mockito.runners.MockitoJUnitRunner; +import org.springframework.security.authentication.BadCredentialsException; +import org.springframework.security.core.Authentication; + + +import static org.assertj.core.api.Assertions.catchThrowable; +import static org.assertj.core.api.Assertions.assertThat; +import static org.junit.Assert.assertTrue; +import static org.mockito.BDDMockito.given; +import static org.mockito.Mockito.times; +import static org.mockito.Mockito.verify; + +@RunWith(MockitoJUnitRunner.class) +public class CamundaAuthenticationProviderTest { + + @InjectMocks + CamundaAuthenticationProvider classUnderTest; + + @Mock + ProcessEngine processEngine; + + @Mock + IdentityService identityService; + + @Mock + Authentication authDummy; + + @Test + public void shouldAuthenticateIfCredentialsAreValid() { + given(authDummy.getName()).willReturn("username"); + given(authDummy.getCredentials()).willReturn("correct-password"); + given(processEngine.getIdentityService()).willReturn(identityService); + given(identityService.checkPassword("username","correct-password")).willReturn(true); + + Authentication result = classUnderTest.authenticate(authDummy); + + verify(identityService,times(1)).checkPassword("username","correct-password"); + assertTrue(result.isAuthenticated()); + } + + @Test + public void shouldAuthenticateIfCredentialsAreInvalid() { + given(authDummy.getName()).willReturn("username"); + given(authDummy.getCredentials()).willReturn("wrong-password"); + given(processEngine.getIdentityService()).willReturn(identityService); + given(identityService.checkPassword("username","wrong-password")).willReturn(false); + + final Throwable exception = catchThrowable(() -> 
classUnderTest.authenticate(authDummy)); + + verify(identityService,times(1)).checkPassword("username","wrong-password"); + assertThat(exception).isInstanceOf(BadCredentialsException.class); + } +} From 7331b9b6b531974fc9ac6ed44afda30af9ff1264 Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Tue, 25 Sep 2018 10:42:08 +0200 Subject: [PATCH 015/257] Applied feedback from code review --- .../scanprocess/zap/listener/IsSitemapProvidedListener.java | 6 +----- .../zap/listener/IsSitemapProvidedListenerTest.java | 3 ++- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListener.java b/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListener.java index c6bee426..4eedcac0 100644 --- a/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListener.java +++ b/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListener.java @@ -58,11 +58,7 @@ public void notify(DelegateExecution execution) throws Exception { } boolean hasSitemap(Target target){ - if (target.getAttributes().containsKey(ZapTargetAttributes.ZAP_SITEMAP.name())) { - return true; - } else { - return false; - } + return target.getAttributes().containsKey(ZapTargetAttributes.ZAP_SITEMAP.name()); } } diff --git a/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListenerTest.java b/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListenerTest.java index 417366ee..0abdd09b 100644 --- a/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListenerTest.java +++ b/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListenerTest.java 
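Review bot: The second test is named `shouldAuthenticateIfCredentialsAreInvalid` but asserts that a `BadCredentialsException` is thrown; rename it `shouldRejectIfCredentialsAreInvalid` so a failure report reads correctly. The happy path only checks `result.isAuthenticated()`; adding `assertThat(result.getName()).isEqualTo("username");` and `assertThat(result.getAuthorities()).isEmpty();` pins what the provider actually returns. There is no case for `authDummy.getCredentials()` returning `null`, which is the input the provider currently handles worst.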
@@ -19,6 +19,7 @@ import static junit.framework.TestCase.assertTrue; import static org.junit.Assert.assertFalse; +import static org.mockito.Mockito.never; import static org.mockito.Mockito.times; import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when; @@ -72,7 +73,7 @@ public void shouldNotSkipSpiderFlagWhenSitemapIsNotProvidedInAllTargets() throws underTest.notify(execution); //then - verify(execution, times(0)).setVariable(ZapProcessVariables.ZAP_SKIP_SPIDER.name(),true); + verify(execution, never()).setVariable(ZapProcessVariables.ZAP_SKIP_SPIDER.name(),true); verify(execution, times(1)).setVariable(ZapProcessVariables.ZAP_SKIP_SPIDER.name(),false); } From aa20aba0c9f21ec23c9c5f913faf6289bb284131 Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Tue, 25 Sep 2018 10:54:02 +0200 Subject: [PATCH 016/257] Renamed zap process variable --- .../scanprocess/zap/constants/ZapProcessVariables.java | 2 +- .../zap/listener/IsSitemapProvidedListener.java | 8 ++++---- .../scanprocess/test/zap/ZapProcessTest.java | 4 ++-- .../zap/listener/IsSitemapProvidedListenerTest.java | 6 +++--- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/constants/ZapProcessVariables.java b/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/constants/ZapProcessVariables.java index f3e3f776..f0aed57f 100644 --- a/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/constants/ZapProcessVariables.java +++ b/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/constants/ZapProcessVariables.java @@ -1,5 +1,5 @@ package io.securecodebox.scanprocess.zap.constants; public enum ZapProcessVariables { - ZAP_SKIP_SPIDER; + SKIP_SPIDER; } 
diff --git a/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListener.java b/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListener.java index 4eedcac0..8128c47e 100644 --- a/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListener.java +++ b/scb-scanprocesses/zap-process/src/main/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListener.java @@ -49,11 +49,11 @@ public void notify(DelegateExecution execution) throws Exception { .count() == 0; if(allTargetsHaveSitemap){ - LOG.debug("-> All Targets have sitemap. Set ZAP_SKIP_SPIDER to true"); - execution.setVariable(ZapProcessVariables.ZAP_SKIP_SPIDER.name(),true); + LOG.debug("-> All Targets have sitemap. Set SKIP_SPIDER to true"); + execution.setVariable(ZapProcessVariables.SKIP_SPIDER.name(),true); } else { - LOG.debug("-> NOT all Targets have sitemap. Set ZAP_SKIP_SPIDER to false"); - execution.setVariable(ZapProcessVariables.ZAP_SKIP_SPIDER.name(),false); + LOG.debug("-> NOT all Targets have sitemap. Set SKIP_SPIDER to false"); + execution.setVariable(ZapProcessVariables.SKIP_SPIDER.name(),false); } } diff --git a/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/test/zap/ZapProcessTest.java b/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/test/zap/ZapProcessTest.java index f7ba9306..1d42e414 100644 --- a/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/test/zap/ZapProcessTest.java +++ b/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/test/zap/ZapProcessTest.java 
@@ -117,7 +117,7 @@ public void init() { task -> startExternalMockProcess("zap_scan")); Mocks.register("isSitemapProvidedListener", (ExecutionListener) delegateExecution -> - delegateExecution.setVariable(ZapProcessVariables.ZAP_SKIP_SPIDER.name(), false) + delegateExecution.setVariable(ZapProcessVariables.SKIP_SPIDER.name(), false) ); } @@ -252,7 +252,7 @@ public void testCorrectAdvancedConfiguration(){ public void shouldSkipSpiderTaskIfSitemapProvided(){ // given Mocks.register("isSitemapProvidedListener", (ExecutionListener) delegateExecution -> - delegateExecution.setVariable(ZapProcessVariables.ZAP_SKIP_SPIDER.name(), true) + delegateExecution.setVariable(ZapProcessVariables.SKIP_SPIDER.name(), true) ); // when diff --git a/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListenerTest.java b/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListenerTest.java index 0abdd09b..670a5f40 100644 --- a/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListenerTest.java +++ b/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/zap/listener/IsSitemapProvidedListenerTest.java @@ -55,7 +55,7 @@ public void shouldSetSkipSpiderFlagWhenSitemapIsProvided() throws Exception { underTest.notify(execution); //then - verify(execution, times(1)).setVariable(ZapProcessVariables.ZAP_SKIP_SPIDER.name(),true); + verify(execution, times(1)).setVariable(ZapProcessVariables.SKIP_SPIDER.name(),true); } @Test 
@@ -73,8 +73,8 @@ public void shouldNotSkipSpiderFlagWhenSitemapIsNotProvidedInAllTargets() throws
 underTest.notify(execution);
 //then
- verify(execution, never()).setVariable(ZapProcessVariables.ZAP_SKIP_SPIDER.name(),true);
- verify(execution, times(1)).setVariable(ZapProcessVariables.ZAP_SKIP_SPIDER.name(),false);
+ verify(execution, never()).setVariable(ZapProcessVariables.SKIP_SPIDER.name(),true);
+ verify(execution, times(1)).setVariable(ZapProcessVariables.SKIP_SPIDER.name(),false);
 }
 @Test
From 4d808ef9143f117a81042827956e1430a8ee5fbf Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Wed, 26 Sep 2018 12:03:32 +0200
Subject: [PATCH 017/257] Use context to create new insulated indexes. The context process variable will be used to create context specific indexes. This can be used to separate scans from each other in a multi Tennant setup.
---
 .../DefaultScanProcessExecution.java | 6 -----
 .../ElasticSearchPersistenceProvider.java | 25 ++++++++++++++++---
 .../constants/DefaultFields.java | 2 +-
 .../java/io/securecodebox/model/Report.java | 4 +--
 .../model/execution/ScanProcessExecution.java | 3 ---
 5 files changed, 24 insertions(+), 16 deletions(-)
diff --git a/scb-engine/src/main/java/io/securecodebox/engine/execution/DefaultScanProcessExecution.java b/scb-engine/src/main/java/io/securecodebox/engine/execution/DefaultScanProcessExecution.java
index f30fd955..2a530800 100644
--- a/scb-engine/src/main/java/io/securecodebox/engine/execution/DefaultScanProcessExecution.java
+++ b/scb-engine/src/main/java/io/securecodebox/engine/execution/DefaultScanProcessExecution.java
@@ -154,12 +154,6 @@ public boolean isAutomated() {
 return isAutomated != null ? isAutomated.getValue() : false;
 }
- @Override
- public String getTenantId() {
- StringValue tenantId = execution.getVariableTyped(DefaultFields.PROCESS_TENANT_ID.name());
- return tenantId != null ? tenantId.getValue() : null;
- }
-
 @Override
 public String getScannerType(){
 return (String) execution.getVariable(DefaultFields.PROCESS_SCANNER_TYPE.name());
diff --git a/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java b/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java
index 3ddb2fd8..c6f827bb 100644
--- a/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java
+++ b/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java
@@ -37,8 +37,10 @@
 import org.elasticsearch.client.ResponseException;
 import org.elasticsearch.client.RestClient;
 import org.elasticsearch.client.RestHighLevelClient;
+import org.elasticsearch.cluster.metadata.MetaDataCreateIndexService;
 import org.elasticsearch.common.xcontent.XContentType;
 import org.elasticsearch.index.query.QueryBuilders;
+import org.elasticsearch.indices.InvalidIndexNameException;
 import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.search.builder.SearchSourceBuilder;
 import org.slf4j.Logger;
@@ -93,7 +95,7 @@ public class ElasticSearchPersistenceProvider implements PersistenceProvider {
 private RestHighLevelClient highLevelClient;
 private boolean connected = false;
- private String tenantId = null;
+ private String context = null;
 /**
 * Initializes elasticsearch with an secureCodeBox specific index based on the configuration settings.
@@ -145,7 +147,7 @@ public void persist(Report report) {
 return;
 }
- this.tenantId = report.getTenantId();
+ this.context = report.getContext();
 if (!initialized || !indexExists(getElasticIndexName())) {
 init();
@@ -261,6 +263,21 @@ public void onFailure(Exception e) {
 }
 }
+ private String transformContextForElasticsearchIndexCompatability(){
+ if(context != null){
+ String contextIndex = context.toLowerCase().replace(" ", "_") + "_";
+
+ try{
+ MetaDataCreateIndexService.validateIndexOrAliasName(contextIndex, InvalidIndexNameException::new);
+ return contextIndex;
+ } catch(InvalidIndexNameException e){
+ LOG.error("Context name contains chars which are invalid to be a elasticsearch index name. Please change the context name so that a context specific index can be created.");
+ }
+ }
+
+ return "";
+ }
+
 /**
 * Returns the elasticsearch indexName, based on the current dateTime and configuration.
 *
@@ -268,10 +285,10 @@ public void onFailure(Exception e) {
 */
 private String getElasticIndexName() {
 Date date = Date.from(Instant.now());
-
 SimpleDateFormat sdf = new SimpleDateFormat(indexDatePattern);
 String dateAsString = sdf.format(date);
- String indexName = indexPrefix + "_" + ((tenantId != null) ? tenantId + "_" : "") + dateAsString;
+ String indexName = indexPrefix + "_" + transformContextForElasticsearchIndexCompatability() + dateAsString;
 return indexName.toLowerCase();
 }
diff --git a/scb-sdk/src/main/java/io/securecodebox/constants/DefaultFields.java b/scb-sdk/src/main/java/io/securecodebox/constants/DefaultFields.java
index c7d57604..b9b29baf 100644
--- a/scb-sdk/src/main/java/io/securecodebox/constants/DefaultFields.java
+++ b/scb-sdk/src/main/java/io/securecodebox/constants/DefaultFields.java
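Review bot: `this.context = report.getContext();` keeps per-call state in an instance field that `getElasticIndexName()` reads later in the same call, so two reports persisted concurrently through the same provider object can be routed to each other's context index — a cross-context leak in exactly the isolation this commit adds (the field itself is introduced in the `@@ -93` hunk of this file). The provider looks like a Spring-managed bean shared by every scan process, so the race is realistic; passing the context down explicitly, `getElasticIndexName(report.getContext())`, with the transform helper taking the value as a parameter, removes the shared state. `persist`'s body continues beyond the hunk.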
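Review bot: When `validateIndexOrAliasName` rejects the context name, `transformContextForElasticsearchIndexCompatability` logs and returns `""`, so `getElasticIndexName()` quietly falls back to the shared `indexPrefix + "_" + dateAsString` index and the report becomes readable from every other context — the opposite of the separation this commit introduces. Failing the persist instead (throwing, so the caller can surface it) keeps a mistyped or deliberately malformed context from crossing the boundary; the later patch in this series titled "Throwing errors on non valid context names" appears to do exactly that, so the method's Javadoc should state that an invalid context is an error rather than a fallback. `context.toLowerCase()` uses the default locale; `toLowerCase(Locale.ROOT)` here and in the final `toLowerCase()` of `getElasticIndexName()` keeps index names independent of the JVM's locale.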
@@ -26,6 +26,6 @@ public enum DefaultFields {
 PROCESS_CONTEXT, PROCESS_SCANNER_ID, PROCESS_SCANNER_TYPE, PROCESS_AUTOMATED, PROCESS_FINDINGS,
- PROCESS_RAW_FINDINGS, PROCESS_TENANT_ID, PROCESS_SCANNERS, PROCESS_TARGETS,
+ PROCESS_RAW_FINDINGS, PROCESS_SCANNERS, PROCESS_TARGETS,
 PROCESS_RESULT_APPROVED, PROCESS_ATTRIBUTE_MAPPING
 }
diff --git a/scb-sdk/src/main/java/io/securecodebox/model/Report.java b/scb-sdk/src/main/java/io/securecodebox/model/Report.java
index 93531426..78c5b6e7 100644
--- a/scb-sdk/src/main/java/io/securecodebox/model/Report.java
+++ b/scb-sdk/src/main/java/io/securecodebox/model/Report.java
@@ -90,8 +90,8 @@ public Map getSeverityOverview() {
 }
 @JsonIgnore
- public String getTenantId(){
- return execution.getTenantId();
+ public String getContext(){
+ return execution.getContext();
 }
 @Override
diff --git a/scb-sdk/src/main/java/io/securecodebox/model/execution/ScanProcessExecution.java b/scb-sdk/src/main/java/io/securecodebox/model/execution/ScanProcessExecution.java
index 14fc2160..329bbc2b 100644
--- a/scb-sdk/src/main/java/io/securecodebox/model/execution/ScanProcessExecution.java
+++ b/scb-sdk/src/main/java/io/securecodebox/model/execution/ScanProcessExecution.java
@@ -94,9 +94,6 @@ public interface ScanProcessExecution {
 @JsonProperty("automated")
 public abstract boolean isAutomated();
- @JsonProperty("tenant_id")
- public abstract String getTenantId();
-
 @JsonProperty("scanner_type")
 public abstract String getScannerType();
From 1b52cb0d4089e73858bd796c7a8ecd31fc7cd109 Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Wed, 26 Sep 2018 12:05:51 +0200
Subject: [PATCH 018/257] Removed formatting mistakes
---
 .../ElasticSearchPersistenceProvider.java | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java b/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java
index c6f827bb..4d31dc1e 100644
--- a/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java
+++ b/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java
@@ -263,14 +263,14 @@ public void onFailure(Exception e) {
 }
 }
- private String transformContextForElasticsearchIndexCompatability(){
- if(context != null){
+ private String transformContextForElasticsearchIndexCompatability() {
+ if (context != null) {
 String contextIndex = context.toLowerCase().replace(" ", "_") + "_";
- try{
+ try {
 MetaDataCreateIndexService.validateIndexOrAliasName(contextIndex, InvalidIndexNameException::new);
 return contextIndex;
- } catch(InvalidIndexNameException e){
+ } catch (InvalidIndexNameException e) {
 LOG.error("Context name contains chars which are invalid to be a elasticsearch index name. Please change the context name so that a context specific index can be created.");
 }
 }
@@ -285,7 +285,6 @@ private String transformContextForElasticsearchIndexCompatability(){
 */
 private String getElasticIndexName() {
 Date date = Date.from(Instant.now());
-
 SimpleDateFormat sdf = new SimpleDateFormat(indexDatePattern);
 String dateAsString = sdf.format(date);
 String indexName = indexPrefix + "_" + transformContextForElasticsearchIndexCompatability() + dateAsString;
@@ -372,7 +371,7 @@ private List> serializeAndRemoveList(List objects, String
 */
 private void initializeKibana() throws IOException {
- if(!indexExists(".kibana")) {
+ if (!indexExists(".kibana")) {
 LOG.info(".kibana index doesn't exist. Creating it...");
@@ -413,7 +412,7 @@ private void initializeKibana() throws IOException {
 List dataElements = objectMapper.readValue(kibanaFile, objectMapper.getTypeFactory().constructCollectionType(List.class, KibanaData.class));
 BulkRequest bulkRequest = new BulkRequest();
- for(KibanaData data: dataElements) {
+ for (KibanaData data : dataElements) {
 IndexRequest indexRequest = new IndexRequest(data.getIndex(), data.getType(), data.getId());
 indexRequest.source(objectMapper.writeValueAsString(data.getSource()), XContentType.JSON);
 bulkRequest.add(indexRequest);
@@ -426,8 +425,7 @@ public void onResponse(BulkResponse bulkItemResponses) {
 DeleteIndexRequest deleteIndexRequest = new DeleteIndexRequest(".kibana");
 try {
 highLevelClient.indices().delete(deleteIndexRequest);
- }
- catch (IOException e){
+ } catch (IOException e) {
 LOG.error("Kibana index could not be successfully deleted and might be corrupted. Delete it manually!");
 }
 } else {
@@ -440,8 +438,7 @@ public void onFailure(Exception e) {
 LOG.error("Could not import kibana data");
 }
 });
- }
- else {
+ } else {
 LOG.info("Index Pattern securecodebox* exists. Assuming that searches, visualizations and dashboards are imported already.");
 }
 }
From 1f102d93da4ed236572e97e4210b7505842997ad Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Wed, 26 Sep 2018 16:49:37 +0200
Subject: [PATCH 019/257] Added new resource to start multiple different security tests
---
 .../engine/rest/SecurityTestRessource.java | 111 ++++++++++++++++++
 .../model/rest/SecurityTest.java | 69 +++++++++++
 2 files changed, 180 insertions(+)
 create mode 100644 scb-engine/src/main/java/io/securecodebox/engine/rest/SecurityTestRessource.java
 create mode 100644 scb-sdk/src/main/java/io/securecodebox/model/rest/SecurityTest.java
diff --git a/scb-engine/src/main/java/io/securecodebox/engine/rest/SecurityTestRessource.java b/scb-engine/src/main/java/io/securecodebox/engine/rest/SecurityTestRessource.java
new file mode 100644
index 00000000..7c4c9a12
--- /dev/null
+++ b/scb-engine/src/main/java/io/securecodebox/engine/rest/SecurityTestRessource.java
@@ -0,0 +1,111 @@
+/*
+ *
+ * SecureCodeBox (SCB)
+ * Copyright 2015-2018 iteratec GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * /
+ */
+package io.securecodebox.engine.rest;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import io.securecodebox.constants.DefaultFields;
+import io.securecodebox.model.rest.SecurityTest;
+import io.securecodebox.scanprocess.ProcessVariableHelper;
+import io.swagger.annotations.*;
+import org.camunda.bpm.engine.ProcessEngine;
+import org.camunda.bpm.engine.runtime.ProcessInstance;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.*;
+
+import javax.validation.Valid;
+import java.util.*;
+
+@Api(description = "Scan Tests Resource", produces = "application/json", consumes = "application/json")
+@RestController
+@RequestMapping(value = "/box/security-tests")
+public class SecurityTestRessource {
+
+ private static final Logger LOG = LoggerFactory.getLogger(SecurityTestRessource.class);
+
+ @Autowired
+ ProcessEngine engine;
+
+ @Autowired
+ ObjectMapper objectMapper;
+
+ @ApiOperation(value = "Creates a new scan tests.")
+ @ApiResponses(value = {
+ @ApiResponse(
+ code = 201,
+ message = "Successful created a new process returns the process id.",
+ response = UUID.class,
+ responseContainer = "List"
+ ),
+ @ApiResponse(
+ code = 300,
+ message = "For some reason multiple processes could be addressed by the given processKey.",
+ response = void.class
+ ),
+ @ApiResponse(
+ code = 400,
+ message = "Incomplete or inconsistent Request"
+ ),
+ @ApiResponse(
+ code = 404,
+ message = "Could not find definition for specified security test.",
+ response = void.class
+ ),
+ @ApiResponse(
+ code = 500,
+ message = "Unknown technical error occurred."
+ )
+ })
+ @RequestMapping(method = RequestMethod.PUT)
+ public ResponseEntity> startSecurityTests(@Valid @RequestBody List securityTests) {
+
+ for(SecurityTest securityTest : securityTests){
+ long processCount = engine.getRepositoryService()
+ .createProcessDefinitionQuery()
+ .active()
+ .processDefinitionKey(securityTest.getProcessDefinitionKey())
+ .latestVersion()
+ .count();
+
+ if(processCount == 0) {
+ return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
+ } else if(processCount > 1){
+ return ResponseEntity.status(HttpStatus.MULTIPLE_CHOICES).build();
+ }
+ }
+
+ List processInstances = new LinkedList<>();
+
+ for (SecurityTest securityTest: securityTests) {
+ Map values = new HashMap<>();
+
+ values.put(DefaultFields.PROCESS_AUTOMATED.name(), true);
+ values.put(DefaultFields.PROCESS_CONTEXT.name(), securityTest.getContext());
+ values.put(DefaultFields.PROCESS_TARGETS.name(), ProcessVariableHelper.generateObjectValue(securityTest.getTarget()));
+
+ ProcessInstance instance = engine.getRuntimeService().startProcessInstanceByKey(securityTest.getProcessDefinitionKey(), values);
+ processInstances.add(UUID.fromString(instance.getProcessInstanceId()));
+ }
+
+ return ResponseEntity.ok(processInstances);
+ }
+}
diff --git a/scb-sdk/src/main/java/io/securecodebox/model/rest/SecurityTest.java b/scb-sdk/src/main/java/io/securecodebox/model/rest/SecurityTest.java
new file mode 100644
index 00000000..480302af
--- /dev/null
+++ b/scb-sdk/src/main/java/io/securecodebox/model/rest/SecurityTest.java
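Review bot: `securityTest.getContext()` is copied verbatim into `PROCESS_CONTEXT` with no constraint on the value, although the Elasticsearch provider earlier in this series derives an index name from it and, when that name is invalid, silently writes to the shared index; a format constraint on `SecurityTest.context` (for example `@Pattern` from `javax.validation.constraints`, enforced by the `@Valid` already on the request body) rejects such values at the API boundary with a 400. The definition-lookup loop and the start loop are separate, so if `startProcessInstanceByKey` fails for the second element the first instance is already running and its id is never reported; either return the ids started so far or document that the batch is not atomic. The `@ApiResponse` advertises 201 but the method ends with `ResponseEntity.ok(processInstances)`, which is 200; `return ResponseEntity.status(HttpStatus.CREATED).body(processInstances);` matches the documented contract, and `objectMapper` is injected but never used in this class. No authorization check is visible on an endpoint that starts scans against caller-supplied targets; if that is handled by a global Spring Security configuration, a one-line class comment saying so would spare the next reviewer the search.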
@@ -0,0 +1,69 @@
+/*
+ *
+ * SecureCodeBox (SCB)
+ * Copyright 2015-2018 iteratec GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * /
+ */
+package io.securecodebox.model.rest;
+
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import io.securecodebox.model.execution.Target;
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
+
+@ApiModel(description = "A security scan contains the description of a target and the description of the method used to test the target for security defects.")
+public class SecurityTest{
+ @JsonProperty
+ @ApiModelProperty("Context references the larger scope the security test. In most cases this is equal to the name of the project.")
+ String context;
+
+ @JsonProperty("securitytest")
+ @ApiModelProperty("Security test to perform on the target.")
+ String securityTest;
+
+ @JsonProperty
+ @ApiModelProperty("The target of the security test.")
+ Target target;
+
+ public String getContext() {
+ return context;
+ }
+
+ public void setContext(String context) {
+ this.context = context;
+ }
+
+ public String getSecurityTest() {
+ return securityTest;
+ }
+
+ public void setSecurityTest(String securityTest) {
+ this.securityTest = securityTest;
+ }
+
+ public Target getTarget() {
+ return target;
+ }
+
+ public void setTarget(Target target) {
+ this.target = target;
+ }
+
+ @JsonIgnore
+ public String getProcessDefinitionKey(){
+ return this.getSecurityTest() + "-process";
+ }
+}
From 6269777066a181302664856cb5bd135dd6344bb8 Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Wed, 26 Sep 2018 16:53:22 +0200
Subject: [PATCH 020/257] Changed process definition keys so that the all formed after the same rules
---
 .../src/main/resources/bpmn/arachni_process.bpmn | 6 +++---
 .../src/main/resources/bpmn/nmap_process_raw.bpmn | 4 ++--
 .../src/main/resources/bpmn/subdomain_scanner_process.bpmn | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/scb-scanprocesses/arachni-process/src/main/resources/bpmn/arachni_process.bpmn b/scb-scanprocesses/arachni-process/src/main/resources/bpmn/arachni_process.bpmn
index 62cedca1..43f810e3 100644
--- a/scb-scanprocesses/arachni-process/src/main/resources/bpmn/arachni_process.bpmn
+++ b/scb-scanprocesses/arachni-process/src/main/resources/bpmn/arachni_process.bpmn
@@ -1,6 +1,6 @@ - - + + @@ -70,7 +70,7 @@ - +
diff --git a/scb-scanprocesses/nmap-process/src/main/resources/bpmn/nmap_process_raw.bpmn b/scb-scanprocesses/nmap-process/src/main/resources/bpmn/nmap_process_raw.bpmn
index 710d3d9d..f55471c6 100644
--- a/scb-scanprocesses/nmap-process/src/main/resources/bpmn/nmap_process_raw.bpmn
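Review bot: `target` carries no `@Valid`, so the `@Valid @RequestBody` on the resource does not cascade into the constraints declared on `Target`, and none of the three fields is annotated `@NotNull`, so a request that omits `securitytest` passes validation and `getProcessDefinitionKey()` yields the key `"null-process"` (string concatenation with a null reference), which surfaces as a 404 rather than a 400. Adding `@NotNull` to `context` and `securityTest` and `@NotNull @Valid` to `target` (all from `javax.validation`) makes the contract explicit at the boundary. A short Javadoc on `getProcessDefinitionKey()` stating the `<securitytest>-process` naming rule would also document the coupling to the BPMN process ids that the next patch in this series renames.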
+++ b/scb-scanprocesses/nmap-process/src/main/resources/bpmn/nmap_process_raw.bpmn @@ -1,6 +1,6 @@ - + @@ -107,7 +107,7 @@ - + diff --git a/scb-scanprocesses/subdomain-scanner-process/src/main/resources/bpmn/subdomain_scanner_process.bpmn b/scb-scanprocesses/subdomain-scanner-process/src/main/resources/bpmn/subdomain_scanner_process.bpmn index a057dfe3..92ebdbb3 100644 --- a/scb-scanprocesses/subdomain-scanner-process/src/main/resources/bpmn/subdomain_scanner_process.bpmn +++ b/scb-scanprocesses/subdomain-scanner-process/src/main/resources/bpmn/subdomain_scanner_process.bpmn @@ -1,6 +1,6 @@ - + @@ -73,7 +73,7 @@ - + From f571490b7473941ae8d25069e6af9e3a0c93e605 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 26 Sep 2018 16:58:47 +0200 Subject: [PATCH 021/257] Added example values for securityTest properties --- .../java/io/securecodebox/model/rest/SecurityTest.java | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/scb-sdk/src/main/java/io/securecodebox/model/rest/SecurityTest.java b/scb-sdk/src/main/java/io/securecodebox/model/rest/SecurityTest.java index 480302af..680de556 100644 --- a/scb-sdk/src/main/java/io/securecodebox/model/rest/SecurityTest.java +++ b/scb-sdk/src/main/java/io/securecodebox/model/rest/SecurityTest.java 
@@ -27,11 +27,17 @@
 @ApiModel(description = "A security scan contains the description of a target and the description of the method used to test the target for security defects.")
 public class SecurityTest{
 @JsonProperty
- @ApiModelProperty("Context references the larger scope the security test. In most cases this is equal to the name of the project.")
+ @ApiModelProperty(
+ value = "Context references the larger scope the security test. In most cases this is equal to the name of the project.",
+ example = "JuiceShop"
+ )
 String context;
 @JsonProperty("securitytest")
- @ApiModelProperty("Security test to perform on the target.")
+ @ApiModelProperty(
+ value = "Security test to perform on the target.",
+ example = "nmap"
+ )
 String securityTest;
 @JsonProperty
From 79542a36bdf898b2cd58c982059ca4924d44f609 Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Wed, 26 Sep 2018 19:00:17 +0200
Subject: [PATCH 022/257] Corrected process names in tests
---
 .../io/securecodebox/scanprocess/test/DefaultProcessTest.java | 2 +-
 .../scanprocess/test/SubdomainScannerProcessTest.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/scb-scanprocesses/arachni-process/src/test/java/io/securecodebox/scanprocess/test/DefaultProcessTest.java b/scb-scanprocesses/arachni-process/src/test/java/io/securecodebox/scanprocess/test/DefaultProcessTest.java
index 73be0213..b80760c0 100644
--- a/scb-scanprocesses/arachni-process/src/test/java/io/securecodebox/scanprocess/test/DefaultProcessTest.java
+++ b/scb-scanprocesses/arachni-process/src/test/java/io/securecodebox/scanprocess/test/DefaultProcessTest.java
@@ -78,7 +78,7 @@ public class DefaultProcessTest {
 //Define the Process Activity IDs
- private static final String PROCESS_ID = "arachni_webapplicationscan";
+ private static final String PROCESS_ID = "arachni-process";
 private static final String DO_SCAN_TASK_ID = "ServiceTask_DoScan";
 private static final String CREATE_REPORT_TASK_ID = "ServiceTask_CreateSummary";
 private static final String APPROVE_RESULTS_TASK_ID = "UserTask_ApproveResults";
diff --git a/scb-scanprocesses/subdomain-scanner-process/src/test/java/io/securecodebox/scanprocess/test/SubdomainScannerProcessTest.java b/scb-scanprocesses/subdomain-scanner-process/src/test/java/io/securecodebox/scanprocess/test/SubdomainScannerProcessTest.java
index d387b654..7c2e0821 100644
--- a/scb-scanprocesses/subdomain-scanner-process/src/test/java/io/securecodebox/scanprocess/test/SubdomainScannerProcessTest.java
+++ b/scb-scanprocesses/subdomain-scanner-process/src/test/java/io/securecodebox/scanprocess/test/SubdomainScannerProcessTest.java
@@ -78,7 +78,7 @@ public class SubdomainScannerProcessTest {
 //Define the Process Activity IDs
- private static final String PROCESS_ID = "subdomain_scan";
+ private static final String PROCESS_ID = "amass-process";
 private static final String DO_SCAN_TASK_ID = "ServiceTask_DoScan";
 private static final String CREATE_REPORT_TASK_ID = "ServiceTask_CreateSummary";
 private static final String APPROVE_RESULTS_TASK_ID = "UserTask_ApproveResults";
From b043bf759c0e3b82f09f2545c857529c68be9e0e Mon Sep 17 00:00:00 2001
From: Martin Lang
Date: Mon, 1 Oct 2018 13:56:08 +0200
Subject: [PATCH 023/257] Forgot to rename process attribute in bpmn model
---
 .../zap-process/src/main/resources/bpmn/zap_process.bpmn | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scb-scanprocesses/zap-process/src/main/resources/bpmn/zap_process.bpmn b/scb-scanprocesses/zap-process/src/main/resources/bpmn/zap_process.bpmn
index ed4a9d27..ba461e17 100644
--- a/scb-scanprocesses/zap-process/src/main/resources/bpmn/zap_process.bpmn +++ b/scb-scanprocesses/zap-process/src/main/resources/bpmn/zap_process.bpmn @@ -133,11 +133,11 @@ SequenceFlow_18v3nda - ${ZAP_SKIP_SPIDER != true} + ${SKIP_SPIDER != true} - ${ZAP_SKIP_SPIDER == true} + ${SKIP_SPIDER == true} Configure a new security-scan process. The inital configuration must contain a target URL. The advanced configuration could be used to configure each component in detail. From 5792893df1bd4278c61be27a3b9d44ba774bd937 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Tue, 2 Oct 2018 14:39:08 +0200 Subject: [PATCH 024/257] Replaced custom SummeryGenerator with generic one --- .../SummaryGeneratorDelegate.java | 74 ------------------- .../scanprocess/test/DefaultProcessTest.java | 2 +- .../SummaryGeneratorDelegate.java | 74 ------------------- .../test/SubdomainScannerProcessTest.java | 2 +- 4 files changed, 2 insertions(+), 150 deletions(-) delete mode 100644 scb-scanprocesses/arachni-process/src/main/java/io/securecodebox/scanprocesses/SummaryGeneratorDelegate.java delete mode 100644 scb-scanprocesses/subdomain-scanner-process/src/main/java/io/securecodebox/scanprocesses/SummaryGeneratorDelegate.java diff --git a/scb-scanprocesses/arachni-process/src/main/java/io/securecodebox/scanprocesses/SummaryGeneratorDelegate.java b/scb-scanprocesses/arachni-process/src/main/java/io/securecodebox/scanprocesses/SummaryGeneratorDelegate.java deleted file mode 100644 index a7db617e..00000000 --- a/scb-scanprocesses/arachni-process/src/main/java/io/securecodebox/scanprocesses/SummaryGeneratorDelegate.java +++ /dev/null 
@@ -1,74 +0,0 @@ - -/* - * - * SecureCodeBox (SCB) - * Copyright 2015-2018 iteratec GmbH - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * / - */ - -package io.securecodebox.scanprocesses; - -import io.securecodebox.model.Report; -import io.securecodebox.model.execution.ScanProcessExecution; -import io.securecodebox.model.execution.ScanProcessExecutionFactory; -import io.securecodebox.persistence.PersistenceProvider; -import org.camunda.bpm.engine.delegate.DelegateExecution; -import org.camunda.bpm.engine.delegate.JavaDelegate; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Component; - -/** - * Example process saving results to the persistence. 
- * - * @author Rüdiger Heins - iteratec GmbH - * @since 04.04.18 - */ -@Component("io_securecodebox_scanprocesses_SummaryGeneratorDelegate") -public class SummaryGeneratorDelegate implements JavaDelegate { - - private static final Logger LOG = LoggerFactory.getLogger(SummaryGeneratorDelegate.class); - - @Autowired - PersistenceProvider persistenceProvider; - - @Autowired - ScanProcessExecutionFactory executionFactory; - - @Override - public void execute(DelegateExecution delegateExecution) { - ScanProcessExecution scanProcessExecution = executionFactory.get(delegateExecution); - - Report report = new Report(scanProcessExecution); - persist(report); - } - - /** - * Eventually consistent: try to persist if the persistence provider is currently available. - * - * @param report The generic report of findings to persist. - */ - private void persist(Report report) { - LOG.trace("starting scan report persistence. {}", report); - - try { - persistenceProvider.persist(report); - } catch (Exception e) { - LOG.error("Unexpected Error while trying to init a persistence provider!", e); - } - } - -} diff --git a/scb-scanprocesses/arachni-process/src/test/java/io/securecodebox/scanprocess/test/DefaultProcessTest.java b/scb-scanprocesses/arachni-process/src/test/java/io/securecodebox/scanprocess/test/DefaultProcessTest.java index 73be0213..b4aed98b 100644 --- a/scb-scanprocesses/arachni-process/src/test/java/io/securecodebox/scanprocess/test/DefaultProcessTest.java +++ b/scb-scanprocesses/arachni-process/src/test/java/io/securecodebox/scanprocess/test/DefaultProcessTest.java @@ -20,7 +20,7 @@ package io.securecodebox.scanprocess.test; import io.securecodebox.constants.DefaultFields; -import io.securecodebox.scanprocesses.SummaryGeneratorDelegate; +import io.securecodebox.scanprocess.delegate.SummaryGeneratorDelegate; import org.camunda.bpm.engine.ExternalTaskService; import org.camunda.bpm.engine.delegate.DelegateTask; import org.camunda.bpm.engine.delegate.Expression; 
diff --git a/scb-scanprocesses/subdomain-scanner-process/src/main/java/io/securecodebox/scanprocesses/SummaryGeneratorDelegate.java b/scb-scanprocesses/subdomain-scanner-process/src/main/java/io/securecodebox/scanprocesses/SummaryGeneratorDelegate.java deleted file mode 100644 index a7db617e..00000000 --- a/scb-scanprocesses/subdomain-scanner-process/src/main/java/io/securecodebox/scanprocesses/SummaryGeneratorDelegate.java +++ /dev/null 
@@ -1,74 +0,0 @@ - -/* - * - * SecureCodeBox (SCB) - * Copyright 2015-2018 iteratec GmbH - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * / - */ - -package io.securecodebox.scanprocesses; - -import io.securecodebox.model.Report; -import io.securecodebox.model.execution.ScanProcessExecution; -import io.securecodebox.model.execution.ScanProcessExecutionFactory; -import io.securecodebox.persistence.PersistenceProvider; -import org.camunda.bpm.engine.delegate.DelegateExecution; -import org.camunda.bpm.engine.delegate.JavaDelegate; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Component; - -/** - * Example process saving results to the persistence. 
- * - * @author Rüdiger Heins - iteratec GmbH - * @since 04.04.18 - */ -@Component("io_securecodebox_scanprocesses_SummaryGeneratorDelegate") -public class SummaryGeneratorDelegate implements JavaDelegate { - - private static final Logger LOG = LoggerFactory.getLogger(SummaryGeneratorDelegate.class); - - @Autowired - PersistenceProvider persistenceProvider; - - @Autowired - ScanProcessExecutionFactory executionFactory; - - @Override - public void execute(DelegateExecution delegateExecution) { - ScanProcessExecution scanProcessExecution = executionFactory.get(delegateExecution); - - Report report = new Report(scanProcessExecution); - persist(report); - } - - /** - * Eventually consistent: try to persist if the persistence provider is currently available. - * - * @param report The generic report of findings to persist. - */ - private void persist(Report report) { - LOG.trace("starting scan report persistence. {}", report); - - try { - persistenceProvider.persist(report); - } catch (Exception e) { - LOG.error("Unexpected Error while trying to init a persistence provider!", e); - } - } - -} diff --git a/scb-scanprocesses/subdomain-scanner-process/src/test/java/io/securecodebox/scanprocess/test/SubdomainScannerProcessTest.java b/scb-scanprocesses/subdomain-scanner-process/src/test/java/io/securecodebox/scanprocess/test/SubdomainScannerProcessTest.java index d387b654..cd18c2ae 100644 --- a/scb-scanprocesses/subdomain-scanner-process/src/test/java/io/securecodebox/scanprocess/test/SubdomainScannerProcessTest.java +++ b/scb-scanprocesses/subdomain-scanner-process/src/test/java/io/securecodebox/scanprocess/test/SubdomainScannerProcessTest.java 
@@ -20,7 +20,7 @@ package io.securecodebox.scanprocess.test; import io.securecodebox.constants.DefaultFields; -import io.securecodebox.scanprocesses.SummaryGeneratorDelegate; +import io.securecodebox.scanprocess.delegate.SummaryGeneratorDelegate; import org.camunda.bpm.engine.ExternalTaskService; import org.camunda.bpm.engine.delegate.DelegateTask; import org.camunda.bpm.engine.delegate.Expression; From 6e2045d8eca3219756304b454376d0587a0ffec1 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Tue, 2 Oct 2018 15:04:28 +0200 Subject: [PATCH 025/257] Added custom exception for persistence provider specific errors. These errors will then be raised as incidents. --- .../persistence/PersistenceException.java | 27 +++++++++++++++++++ .../persistence/PersistenceProvider.java | 2 +- .../delegate/SummaryGeneratorDelegate.java | 5 +++- 3 files changed, 32 insertions(+), 2 deletions(-) create mode 100644 scb-sdk/src/main/java/io/securecodebox/persistence/PersistenceException.java diff --git a/scb-sdk/src/main/java/io/securecodebox/persistence/PersistenceException.java b/scb-sdk/src/main/java/io/securecodebox/persistence/PersistenceException.java new file mode 100644 index 00000000..4f1753c6 --- /dev/null +++ b/scb-sdk/src/main/java/io/securecodebox/persistence/PersistenceException.java 
@@ -0,0 +1,27 @@ +/* + * + * SecureCodeBox (SCB) + * Copyright 2015-2018 iteratec GmbH + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * / + */ +package io.securecodebox.persistence; + +public abstract class PersistenceException extends RuntimeException{ + protected String message; + + public String getMessage(){ + return message; + } +} diff --git a/scb-sdk/src/main/java/io/securecodebox/persistence/PersistenceProvider.java b/scb-sdk/src/main/java/io/securecodebox/persistence/PersistenceProvider.java index 595843a5..c57c0519 100644 --- a/scb-sdk/src/main/java/io/securecodebox/persistence/PersistenceProvider.java +++ b/scb-sdk/src/main/java/io/securecodebox/persistence/PersistenceProvider.java @@ -30,5 +30,5 @@ */ public interface PersistenceProvider { - void persist(Report report); + void persist(Report report) throws PersistenceException; } diff --git a/scb-sdk/src/main/java/io/securecodebox/scanprocess/delegate/SummaryGeneratorDelegate.java b/scb-sdk/src/main/java/io/securecodebox/scanprocess/delegate/SummaryGeneratorDelegate.java index 42dd1266..ac337bc0 100644 --- a/scb-sdk/src/main/java/io/securecodebox/scanprocess/delegate/SummaryGeneratorDelegate.java +++ b/scb-sdk/src/main/java/io/securecodebox/scanprocess/delegate/SummaryGeneratorDelegate.java 
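Review bot: `PersistenceException` in the new file keeps its own `protected String message` and overrides `getMessage()` instead of handing the message to `RuntimeException`, so subclasses must assign the field by hand, a subclass that forgets yields a `null` incident message, and `getCause()` can never be populated because there is no constructor at all. Replace the field with constructors that delegate to `super`: `protected PersistenceException(String message) { super(message); }` and `protected PersistenceException(String message, Throwable cause) { super(message, cause); }`. The second one lets a provider keep the underlying exception when it wraps one.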
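Review bot: Adding `throws PersistenceException` to `persist(Report)` is purely informational, since `PersistenceException` extends `RuntimeException`, so nothing obliges an implementor to follow the contract and the interface Javadoc (above this hunk) does not mention it. Document the intent on the method with `@throws PersistenceException if the report cannot be stored; implementations should throw rather than log so the engine can raise an incident`, which is what the commit message says the exception is for.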
@@ -24,6 +24,7 @@ import io.securecodebox.model.execution.ScanProcessExecution; import io.securecodebox.model.execution.ScanProcessExecutionFactory; import io.securecodebox.model.findings.Finding; +import io.securecodebox.persistence.PersistenceException; import io.securecodebox.persistence.PersistenceProvider; import io.securecodebox.scanprocess.ProcessVariableHelper; import org.camunda.bpm.engine.delegate.DelegateExecution; @@ -74,10 +75,12 @@ private void persist(Report report) { LOG.trace("starting scan report persistence. {}", report); try { - if (persistenceProvider != null) { persistenceProvider.persist(report); } + } catch (PersistenceException e) { + LOG.error("Persistence provider errored while trying to save report. Going to create incident.", e); + throw e; } catch (Exception e) { LOG.error("Unexpected Error while trying to init a persistence provider!", e); } From a8df6ff024fd34fa5c641c8184b01dd3189bd059 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Tue, 2 Oct 2018 15:05:57 +0200 Subject: [PATCH 026/257] Throwing errors on non valid context names --- .../ElasticSearchPersistenceProvider.java | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java b/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java index 4d31dc1e..6154c813 100644 --- a/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java +++ b/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java 
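Review bot: The hunk drops the `persistenceProvider != null` guard around `persistenceProvider.persist(report)`; if that `@Autowired` field can be absent (`required = false`) when no provider is configured, the call now throws an NPE that lands in the generic `catch (Exception e)` branch, which logs `Unexpected Error while trying to init a persistence provider!` — text describing initialisation, not the save that failed — and the report is dropped with the task ending successfully. Keep the guard or make the absence explicit, e.g. `LOG.warn("No persistence provider configured; report not persisted.")`, and reword the generic branch to `LOG.error("Unexpected error while persisting scan report; report dropped.", e)`. Only `PersistenceException` reaches the engine as an incident; any other failure from the provider is still swallowed here. The enclosing `persist` method begins above the hunk.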
@@ -24,6 +24,7 @@ import com.fasterxml.jackson.databind.ObjectMapper; import io.securecodebox.model.Report; import io.securecodebox.model.findings.Finding; +import io.securecodebox.persistence.PersistenceException; import io.securecodebox.persistence.PersistenceProvider; import org.apache.http.HttpHost; import org.elasticsearch.action.ActionListener; @@ -140,7 +141,7 @@ private void init() { } @Override - public void persist(Report report) { + public void persist(Report report) throws PersistenceException{ if (report == null) { LOG.warn("The given Report is null, nothing to persist."); @@ -263,6 +264,12 @@ public void onFailure(Exception e) { } } + private static class InvalidContextNameForElkIndex extends PersistenceException{ + public InvalidContextNameForElkIndex(String contextName) { + this.message = "Cannot create custom elasticsearch index for context name '" + contextName + "' as it contains reserved characters. Please choose a different context name."; + } + } + private String transformContextForElasticsearchIndexCompatability() { if (context != null) { String contextIndex = context.toLowerCase().replace(" ", "_") + "_"; @@ -272,6 +279,7 @@ private String transformContextForElasticsearchIndexCompatability() { return contextIndex; } catch (InvalidIndexNameException e) { LOG.error("Context name contains chars which are invalid to be a elasticsearch index name. Please change the context name so that a context specific index can be created."); + throw new InvalidContextNameForElkIndex(context); } } From e103f85c136afd00334bc8f57d9e0ca10864be2e Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Tue, 2 Oct 2018 18:54:29 +0200 Subject: [PATCH 027/257] Use environment variables to define default scanner user instead of properties --- README.md | 14 ++++++++------ scb-engine/src/main/resources/application.yaml | 6 +++--- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 91b0843d..6ea612ef 100644 --- a/README.md +++ b/README.md 
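Review bot: In `transformContextForElasticsearchIndexCompatability` the catch block now logs at ERROR and then throws `InvalidContextNameForElkIndex`, so the same condition is reported twice (the delegate logs it again with a stack trace before the incident is created) while the original `InvalidIndexNameException e` is discarded, as the new exception cannot carry a cause. Drop or downgrade the `LOG.error` here and attach the cause, e.g. `throw (InvalidContextNameForElkIndex) new InvalidContextNameForElkIndex(context).initCause(e);`, or give the exception a cause-taking constructor. Separately, `context.toLowerCase()` on the line above uses the default locale; `toLowerCase(Locale.ROOT)` keeps the derived index name identical across JVM locales. The method's opening lines are outside the hunk.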
@@ -17,12 +17,14 @@ This is the main component of the _secureCodeBox_ it's a [Camunda][camunda] [BPM # Configuration Options To configure the SCB engine specify the following environment variables: -| Environment Variable | Description | Example Value | -| ------------------------------------- | ---------------------------------- | --------------------------- | -| SECURECODEBOX_DEFAULT_TARGET_NAME | Default target identifier | BodgeIT Public Host | -| SECURECODEBOX_DEFAULT_TARGET_LOCATION | Default target hostname/ip address | bodgeit | -| SECURECODEBOX_DEFAULT_TARGET_URI | Default target URI/URL | http://bodgeit:8080/bodgeit | -| SECURECODEBOX_DEFAULT_CONTEXT | Default business context | BodgeIT | +| Environment Variable | Description | Example Value | +| ------------------------------------- | ------------------------------------- | --------------------------- | +| SECURECODEBOX_DEFAULT_TARGET_NAME | Default target identifier | BodgeIT Public Host | +| SECURECODEBOX_DEFAULT_TARGET_LOCATION | Default target hostname/ip address | bodgeit | +| SECURECODEBOX_DEFAULT_TARGET_URI | Default target URI/URL | http://bodgeit:8080/bodgeit | +| SECURECODEBOX_DEFAULT_CONTEXT | Default business context | BodgeIT | +| SECURECODEBOX_USER_SCANNER | Default user for scanner services | default-scanner | +| SECURECODEBOX_USER_SCANNER_PW | Default password for scanner services | AStrongPassword-NotThisOne! | # Development diff --git a/scb-engine/src/main/resources/application.yaml b/scb-engine/src/main/resources/application.yaml index 9aa8d58e..99027a5d 100644 --- a/scb-engine/src/main/resources/application.yaml +++ b/scb-engine/src/main/resources/application.yaml 
@@ -32,7 +32,7 @@ securecodebox.default.context: BodgeIT securecodebox.rest.auth: basic auth # Configure a technical user for the scanner services. This user allows the scanner services to authenticate on the engines rest api. -# (if not configured, a user has to be added manually in the camunda ui) +# (If not set as environment variable, a user has to be added manually in the camunda ui.) securecodebox.rest.user.scanner-default: - user-id: - password: + user-id: ${SECURECODEBOX_USER_SCANNER:} + password: ${SECURECODEBOX_USER_SCANNER_PW:} From 76ae3216e35162c388a9671e115821d1652a8e93 Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Thu, 4 Oct 2018 17:52:00 +0200 Subject: [PATCH 028/257] Disabled camunda rest api (use scb api instead) --- scb-engine/pom.xml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/scb-engine/pom.xml b/scb-engine/pom.xml index 5f8b9ea5..efc32149 100644 --- a/scb-engine/pom.xml +++ b/scb-engine/pom.xml @@ -29,11 +29,6 @@ camunda-bpm-spring-boot-starter-webapp - - - org.camunda.bpm.springboot - camunda-bpm-spring-boot-starter-rest - io.springfox springfox-swagger2 From 6a514fdbb899f93194541afe1bfa55dd93da5119 Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Mon, 8 Oct 2018 17:38:02 +0200 Subject: [PATCH 029/257] Refactored persistance exception --- .../ElasticSearchPersistenceProvider.java | 8 +----- .../InvalidContextNameForElkIndex.java | 28 +++++++++++++++++++ .../persistence/PersistenceException.java | 5 ++-- 3 files changed, 31 insertions(+), 10 deletions(-) create mode 100644 scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/InvalidContextNameForElkIndex.java 
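Review bot: Both `user-id` and `password` now default to the empty string (`${SECURECODEBOX_USER_SCANNER:}` / `${SECURECODEBOX_USER_SCANNER_PW:}`), so if the engine creates the technical user whenever `user-id` is non-blank, setting only the user variable would produce a basic-auth account with an empty password on the REST API. Either require both to be present together and fail startup otherwise, or state the rule in the comment: `# Both variables must be set; if either is missing no scanner user is created.` Passing the password via the environment also exposes it to `docker inspect` and process listings, which deserves a sentence next to the new README rows. The engine-side handling of these properties is outside this hunk.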
diff --git a/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java b/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java index 6154c813..3dde3e10 100644 --- a/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java +++ b/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java @@ -264,12 +264,6 @@ public void onFailure(Exception e) { } } - private static class InvalidContextNameForElkIndex extends PersistenceException{ - public InvalidContextNameForElkIndex(String contextName) { - this.message = "Cannot create custom elasticsearch index for context name '" + contextName + "' as it contains reserved characters. Please choose a different context name."; - } - } - private String transformContextForElasticsearchIndexCompatability() { if (context != null) { String contextIndex = context.toLowerCase().replace(" ", "_") + "_"; @@ -279,7 +273,7 @@ private String transformContextForElasticsearchIndexCompatability() { return contextIndex; } catch (InvalidIndexNameException e) { LOG.error("Context name contains chars which are invalid to be a elasticsearch index name. Please change the context name so that a context specific index can be created."); - throw new InvalidContextNameForElkIndex(context); + throw new InvalidContextNameForElkIndex("Cannot create custom elasticsearch index for context name '" + context + "' as it contains reserved characters. Please choose a different context name."); } } 
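Review bot: The rewritten `throw new InvalidContextNameForElkIndex(...)` still discards the caught `InvalidIndexNameException e`, so the incident shows the friendly message but not Elasticsearch's own reason for rejecting the name. Pass it along by adding a `(String, Throwable)` constructor to the exception and appending `, e` to the throw, or use `initCause(e)` if the signature must stay. The `LOG.error` on the preceding line then duplicates the delegate's logging and can go. The enclosing method starts before the hunk.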
diff --git a/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/InvalidContextNameForElkIndex.java b/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/InvalidContextNameForElkIndex.java new file mode 100644 index 00000000..0076eec3 --- /dev/null +++ b/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/InvalidContextNameForElkIndex.java @@ -0,0 +1,28 @@ +/* + * + * SecureCodeBox (SCB) + * Copyright 2015-2018 iteratec GmbH + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * / + */ + +package io.securecodebox.persistence.elasticsearch; + +import io.securecodebox.persistence.PersistenceException; + +class InvalidContextNameForElkIndex extends PersistenceException { + public InvalidContextNameForElkIndex(String message) { + super(message); + } +} diff --git a/scb-sdk/src/main/java/io/securecodebox/persistence/PersistenceException.java b/scb-sdk/src/main/java/io/securecodebox/persistence/PersistenceException.java index 4f1753c6..790aab49 100644 --- a/scb-sdk/src/main/java/io/securecodebox/persistence/PersistenceException.java +++ b/scb-sdk/src/main/java/io/securecodebox/persistence/PersistenceException.java 
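Review bot: The new `InvalidContextNameForElkIndex` class has no Javadoc and only a message constructor, so the type itself does not say when it is raised or that it surfaces as a process incident. A short doc comment would do: `/** Raised when the configured context cannot be mapped onto a valid Elasticsearch index name; propagates as a PersistenceException so the engine creates an incident. */`. Adding `InvalidContextNameForElkIndex(String message, Throwable cause)` (delegating to a matching super constructor) would let the throw site keep Elasticsearch's original `InvalidIndexNameException`.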
@@ -19,9 +19,8 @@ package io.securecodebox.persistence; public abstract class PersistenceException extends RuntimeException{ - protected String message; - public String getMessage(){ - return message; + public PersistenceException(String message) { + super(message); } } From 8ff82bda44689b4c6ed1fbd2e8d62596371f7f61 Mon Sep 17 00:00:00 2001 From: melvinkoitzsch0007 Date: Wed, 10 Oct 2018 14:15:03 +0200 Subject: [PATCH 030/257] add forms for rate limited zap scanner --- .../forms/zap/configure-scanner-details.html | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/scb-scanprocesses/zap-process/src/main/resources/forms/zap/configure-scanner-details.html b/scb-scanprocesses/zap-process/src/main/resources/forms/zap/configure-scanner-details.html index e30e6246..cfe651dc 100644 --- a/scb-scanprocesses/zap-process/src/main/resources/forms/zap/configure-scanner-details.html +++ b/scb-scanprocesses/zap-process/src/main/resources/forms/zap/configure-scanner-details.html @@ -17,6 +17,7 @@ }); camForm.on('submit', function () { $scope.targetList = $scope.targetList.map(function (target) { + target.attributes.ZAP_SCANNER_INCLUDE_REGEX = splitOnNewline(target.attributes.ZAP_SCANNER_INCLUDE_REGEX); target.attributes.ZAP_SCANNER_EXCLUDE_REGEX = splitOnNewline(target.attributes.ZAP_SCANNER_EXCLUDE_REGEX); return target; @@ -46,6 +47,48 @@
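Review bot: The refactor replaces the shadowing `message` field with `PersistenceException(String message)`, but there is still no constructor taking a `Throwable`, so every provider that wraps an underlying failure (the Elasticsearch index-name case in this same commit) has to drop the cause or resort to `initCause`. Add `public PersistenceException(String message, Throwable cause) { super(message, cause); }` beside the existing one. As the class is abstract, both constructors could be `protected`.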

ZAP Scanner advanced configuration

+ +
+ +
+ +
+
+ + +
+ +
+ +
+
+ + +
+ +
+ +
+
+
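Review bot: The submit handler now runs `splitOnNewline` over `target.attributes.ZAP_SCANNER_INCLUDE_REGEX` exactly as for the exclude list, but nothing visible guards the case where the textarea was never touched and the attribute is `undefined`; whether that is safe depends on `splitOnNewline`, which is defined outside this hunk. A cheap guard at the call site is `splitOnNewline(target.attributes.ZAP_SCANNER_INCLUDE_REGEX || '')`. The include patterns are free-text regular expressions handed to ZAP, so the field's help text should at least state the expected syntax; the field markup itself is stripped in this rendering and could not be reviewed.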
From 713e79a74b0c70e32789b73a8d6047477c288756 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 10 Oct 2018 16:25:44 +0200 Subject: [PATCH 031/257] Corrected delegate expression to use the sdk summary generator delegate --- .../src/main/resources/bpmn/arachni_process.bpmn | 2 +- .../src/main/resources/bpmn/subdomain_scanner_process.bpmn | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scb-scanprocesses/arachni-process/src/main/resources/bpmn/arachni_process.bpmn b/scb-scanprocesses/arachni-process/src/main/resources/bpmn/arachni_process.bpmn index 62cedca1..2235cb69 100644 --- a/scb-scanprocesses/arachni-process/src/main/resources/bpmn/arachni_process.bpmn +++ b/scb-scanprocesses/arachni-process/src/main/resources/bpmn/arachni_process.bpmn @@ -50,7 +50,7 @@ SequenceFlow_PortscanFinished - + SequenceFlow_PortscanFinished SequenceFlow_SummaryCreated diff --git a/scb-scanprocesses/subdomain-scanner-process/src/main/resources/bpmn/subdomain_scanner_process.bpmn b/scb-scanprocesses/subdomain-scanner-process/src/main/resources/bpmn/subdomain_scanner_process.bpmn index a057dfe3..d2b183fd 100644 --- a/scb-scanprocesses/subdomain-scanner-process/src/main/resources/bpmn/subdomain_scanner_process.bpmn +++ b/scb-scanprocesses/subdomain-scanner-process/src/main/resources/bpmn/subdomain_scanner_process.bpmn @@ -51,7 +51,7 @@ SequenceFlow_PortscanFinished - + SequenceFlow_ResultApproved SequenceFlow_1i44eck From b204edf941e32d35d3c0018ebd0d96f768f2f85c Mon Sep 17 00:00:00 2001 From: melvinkoitzsch0007 Date: Wed, 10 Oct 2018 16:30:18 +0200 Subject: [PATCH 032/257] remove input for host per scan and required condition for delay input --- .../forms/zap/configure-scanner-details.html | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-) 
diff --git a/scb-scanprocesses/zap-process/src/main/resources/forms/zap/configure-scanner-details.html b/scb-scanprocesses/zap-process/src/main/resources/forms/zap/configure-scanner-details.html index cfe651dc..27a2c4fd 100644 --- a/scb-scanprocesses/zap-process/src/main/resources/forms/zap/configure-scanner-details.html +++ b/scb-scanprocesses/zap-process/src/main/resources/forms/zap/configure-scanner-details.html @@ -51,7 +51,7 @@

ZAP Scanner advanced configuration

- ZAP Scanner advanced configuration
- -
- -
- -
-
-
From 9e6ca923021723f3a1285c1fd86c8cd3873dc0c5 Mon Sep 17 00:00:00 2001 
From: Martin Lang Date: Thu, 11 Oct 2018 13:58:53 +0200 Subject: [PATCH 033/257] created generated scan process for amass nmap combination --- .../combined-amass-nmap-process/pom.xml | 69 ++++++ .../scanprocess/ProcessInitConfiguration.java | 33 +++ .../amassnmap/SummaryGeneratorDelegate.java | 71 ++++++ .../src/main/resources/META-INF/processes.xml | 0 .../bpmn/combined_amass_nmap_process.bpmn | 197 +++++++++++++++ .../forms/default/approve-results.html | 122 ++++++++++ .../forms/default/configure-target.html | 128 ++++++++++ .../CombinedAmassNmapProcessTest.java | 230 ++++++++++++++++++ .../src/test/resources/camunda.cfg.xml | 14 ++ .../src/test/resources/logback-test.xml | 27 ++ scb-scanprocesses/pom.xml | 3 +- 11 files changed, 893 insertions(+), 1 deletion(-) create mode 100644 scb-scanprocesses/combined-amass-nmap-process/pom.xml create mode 100644 scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocess/ProcessInitConfiguration.java create mode 100644 scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/SummaryGeneratorDelegate.java create mode 100644 scb-scanprocesses/combined-amass-nmap-process/src/main/resources/META-INF/processes.xml create mode 100644 scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn create mode 100644 scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/default/approve-results.html create mode 100644 scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/default/configure-target.html create mode 100644 scb-scanprocesses/combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocess/amassnmap/CombinedAmassNmapProcessTest.java create mode 100644 scb-scanprocesses/combined-amass-nmap-process/src/test/resources/camunda.cfg.xml create mode 100644 scb-scanprocesses/combined-amass-nmap-process/src/test/resources/logback-test.xml 
diff --git a/scb-scanprocesses/combined-amass-nmap-process/pom.xml b/scb-scanprocesses/combined-amass-nmap-process/pom.xml new file mode 100644 index 00000000..96dcec7f --- /dev/null +++ b/scb-scanprocesses/combined-amass-nmap-process/pom.xml @@ -0,0 +1,69 @@ + + + + + 4.0.0 + + + io.securecodebox.scanprocesses + default-process-collection + 0.0.1-SNAPSHOT + + + io.securecodebox.scanprocesses + combined-amass-nmap-process + 0.0.1-SNAPSHOT + + + + io.securecodebox.core + sdk + ${parent.version} + + + + + com.h2database + h2 + + + org.camunda.bpm.springboot + camunda-bpm-spring-boot-starter-test + test + + + org.camunda.bpm.extension.mockito + camunda-bpm-mockito + test + + + org.camunda.bpm.extension + camunda-bpm-assert-scenario + test + + + org.camunda.bpm.extension + camunda-bpm-process-test-coverage + test + + + + diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocess/ProcessInitConfiguration.java b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocess/ProcessInitConfiguration.java new file mode 100644 index 00000000..3f6620fd --- /dev/null +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocess/ProcessInitConfiguration.java 
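Review bot: The module's test dependencies list h2, the Camunda Spring Boot starter-test, camunda-bpm-mockito, camunda-bpm-assert-scenario and process-test-coverage, but not `org.camunda.bpm.extension:camunda-bpm-assert`, while the new test class imports `org.camunda.bpm.engine.test.assertions.bpmn.BpmnAwareAssertions` from that artifact; unless it arrives transitively, the test compilation fails. Add `<dependency><groupId>org.camunda.bpm.extension</groupId><artifactId>camunda-bpm-assert</artifactId><scope>test</scope></dependency>` as the other process modules do. `${parent.version}` on the sdk dependency is the form Maven 3 warns about; `${project.parent.version}` is the supported spelling.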
@@ -0,0 +1,33 @@ +/* + * + * SecureCodeBox (SCB) + * Copyright 2015-2018 iteratec GmbH + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * / + */ + +package io.securecodebox.scanprocess; + +import org.springframework.context.annotation.ComponentScan; +import org.springframework.context.annotation.Configuration; + +/** + * The secureCodeBox by default only scans for components in the package io.securecodebox.scanprocess. + *

+ * This configuration ensures that your defined package io.securecodebox.scanprocesses.amassnmap also gets scanned, please don't move or remove this configuration. + */ +@ComponentScan("io.securecodebox.scanprocesses.amassnmap") +@Configuration +public class ProcessInitConfiguration { +} diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/SummaryGeneratorDelegate.java b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/SummaryGeneratorDelegate.java new file mode 100644 index 00000000..405edad2 --- /dev/null +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/SummaryGeneratorDelegate.java 
@@ -0,0 +1,71 @@ + +/* + * + * SecureCodeBox (SCB) + * Copyright 2015-2018 iteratec GmbH + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * / + */ + +package io.securecodebox.scanprocesses.amassnmap; + +import io.securecodebox.model.Report; +import io.securecodebox.model.execution.ScanProcessExecution; +import io.securecodebox.model.execution.ScanProcessExecutionFactory; +import io.securecodebox.persistence.PersistenceProvider; +import org.camunda.bpm.engine.delegate.DelegateExecution; +import org.camunda.bpm.engine.delegate.JavaDelegate; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +/** + * Example process saving results to the persistence. 
+ */ +@Component("io_securecodebox_scanprocesses_amassnmap_SummaryGeneratorDelegate") +public class SummaryGeneratorDelegate implements JavaDelegate { + + private static final Logger LOG = LoggerFactory.getLogger(SummaryGeneratorDelegate.class); + + @Autowired + PersistenceProvider persistenceProvider; + + @Autowired + ScanProcessExecutionFactory executionFactory; + + @Override + public void execute(DelegateExecution delegateExecution) { + ScanProcessExecution scanProcessExecution = executionFactory.get(delegateExecution); + + Report report = new Report(scanProcessExecution); + persist(report); + } + + /** + * Eventually consistent: try to persist if the persistence provider is currently available. + * + * @param report The generic report of findings to persist. + */ + private void persist(Report report) { + LOG.trace("starting scan report persistence. {}", report); + + try { + persistenceProvider.persist(report); + } catch (Exception e) { + LOG.error("Unexpected Error while trying to init a persistence provider!", e); + } + } + +} diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/META-INF/processes.xml b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/META-INF/processes.xml new file mode 100644 index 00000000..e69de29b diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn new file mode 100644 index 00000000..66aa0eff --- /dev/null +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn 
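Review bot: This delegate is a copy of the pre-refactor SDK summary generator and its `persist` catches every `Exception`, so a `PersistenceException` from the provider is logged and swallowed instead of propagating to the engine as an incident — the opposite of what the SDK delegate in `io.securecodebox.scanprocess.delegate` does and what the arachni and subdomain processes were switched to earlier in this series. Prefer deleting this class and pointing the BPMN at the SDK delegate; if a process-local copy is really needed, rethrow `PersistenceException` (import `io.securecodebox.persistence.PersistenceException`) and fix the log text, which talks about initialising a provider when the failing call is `persist`. The rewritten method is below; the rest of the class is unchanged.
```java
    private void persist(Report report) {
        LOG.trace("starting scan report persistence. {}", report);
        try {
            persistenceProvider.persist(report);
        } catch (PersistenceException e) {
            // Let the engine turn provider failures into an incident instead of dropping the report silently.
            LOG.error("Persistence provider failed to save report; raising incident.", e);
            throw e;
        } catch (Exception e) {
            LOG.error("Unexpected error while persisting scan report; report dropped.", e);
        }
    }
```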
@@ -0,0 +1,197 @@ + + + + + + + + + + + + + + SequenceFlow_TargetConfigured + + + + SequenceFlow_SummaryCreated + + + + + + + + SequenceFlow_ManualFinish + SequenceFlow_ResultReviewed + + + SequenceFlow_ResultReviewed + SequenceFlow_ResultApproved + SequenceFlow_ResultRejected + + + + + + SequenceFlow_PortscanFinished + SequenceFlow_ManualFinish + SequenceFlow_AutomatedFinish + + + ${PROCESS_AUTOMATED == false} + + + ${PROCESS_AUTOMATED == true} + + + + SequenceFlow_TargetConfigured + SequenceFlow_PortscanFinished + + + + + SequenceFlow_ResultApproved + SequenceFlow_1i44eck + SequenceFlow_AutomatedFinish + SequenceFlow_SummaryCreated + + + + + + + + SequenceFlow_ResultRejected + SequenceFlow_1i44eck + + + + results in a generic format + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/default/approve-results.html b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/default/approve-results.html new file mode 100644 index 00000000..44bae303 --- /dev/null +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/default/approve-results.html @@ -0,0 +1,122 @@ + + +

+ + +
+

Combined Amass-Nmap results for "{{ target.name }}"

+ +
+
+
{{ scannerId }}
+
+
+
+
{{ target.location }}
+
+
+
+
{{ context }}
+
+
+
+ +
+ + + + + + + + + + + + + + + +
Host:Name:Category:Severity:Reference:
{{ result.location }}{{ result.name }}{{ result.category }} +
+ + + {{ result.severity }} + + + + + {{ result.severity }} + + + + + {{ result.severity }} + + + + + {{ result.severity }} + +
+
{{ result.reference.id }}
+
+
+ +
+
+

Approve Result

+ +
+ +
+ + +
+
+
diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/default/configure-target.html b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/default/configure-target.html new file mode 100644 index 00000000..99a61dcb --- /dev/null +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/default/configure-target.html @@ -0,0 +1,128 @@ + + +

Please configure the Port Scan

+ +
+ + + +
+ +
+

Combined Amass-Nmap Target

+ + +
+
+
+ + +
+
+ + +
+
+ +
+
+ + +
+ + +
+ +
+ +
+
+ +
+
+
diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocess/amassnmap/CombinedAmassNmapProcessTest.java b/scb-scanprocesses/combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocess/amassnmap/CombinedAmassNmapProcessTest.java new file mode 100644 index 00000000..c9c7917e --- /dev/null +++ b/scb-scanprocesses/combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocess/amassnmap/CombinedAmassNmapProcessTest.java 
@@ -0,0 +1,230 @@ +/* + * + * SecureCodeBox (SCB) + * Copyright 2015-2018 iteratec GmbH + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * / + */ + +package io.securecodebox.scanprocess.amassnmap; + +import io.securecodebox.constants.DefaultFields; +import io.securecodebox.scanprocesses.amassnmap.SummaryGeneratorDelegate; +import org.camunda.bpm.engine.ExternalTaskService; +import org.camunda.bpm.engine.delegate.DelegateTask; +import org.camunda.bpm.engine.delegate.Expression; +import org.camunda.bpm.engine.delegate.TaskListener; +import org.camunda.bpm.engine.externaltask.LockedExternalTask; +import org.camunda.bpm.engine.runtime.ProcessInstance; +import org.camunda.bpm.engine.test.Deployment; +import org.camunda.bpm.engine.test.ProcessEngineRule; +import org.camunda.bpm.engine.test.mock.Mocks; +import org.camunda.bpm.extension.process_test_coverage.junit.rules.TestCoverageProcessEngineRuleBuilder; +import org.camunda.bpm.scenario.ProcessScenario; +import org.camunda.bpm.scenario.Scenario; +import org.camunda.bpm.scenario.delegate.ExternalTaskDelegate; +import org.camunda.bpm.scenario.delegate.TaskDelegate; +import org.junit.Before; +import org.junit.ClassRule; +import org.junit.Rule; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mockito.Mock; +import org.mockito.Mockito; +import org.mockito.MockitoAnnotations; +import org.springframework.beans.factory.annotation.Autowired; +import 
org.springframework.test.context.junit4.SpringJUnit4ClassRunner; + +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import static org.camunda.bpm.engine.test.assertions.bpmn.AbstractAssertions.processEngine; +import static org.camunda.bpm.engine.test.assertions.bpmn.BpmnAwareAssertions.assertThat; +import static org.camunda.bpm.engine.test.assertions.bpmn.BpmnAwareTests.runtimeService; +import static org.camunda.bpm.extension.mockito.CamundaMockito.autoMock; +import static org.mockito.Mockito.when; + +/** + * This class tests the process execution of the Default-Process BPMN Model + * It verifies that each process task is called when it's supposed to be and + * delegation code is executed at the right time + *

+ * The tests run in an own Camunda engine which is defined by the camunda.cfg.xml in the resources directory + *

+ * The test cases use Camunda BPM's standard framework as well as the + * Camunda BPM Assert extension (), + * camunda-bpm-mockito () + * and the Camunda BPM Assert Scenario extension () + *

+ * Furthermore this class also uses the Camunda BPM Process Test Coverage extension + * (). + * After the test is run we can examine the test coverage in the directory target/process-test-coverage + */ + +@RunWith(SpringJUnit4ClassRunner.class) +@Deployment(resources = "bpmn/combined_amass_nmap_process.bpmn") +public class CombinedAmassNmapProcessTest { + + //Define the Process Activity IDs + private static final String PROCESS_ID = "amass-nmap-process"; + private static final String DO_SCAN_TASK_ID = "ServiceTask_DoScan"; + private static final String CREATE_REPORT_TASK_ID = "ServiceTask_CreateSummary"; + private static final String APPROVE_RESULTS_TASK_ID = "UserTask_ApproveResults"; + + private final Map defaultVariables = new HashMap<>(); + + @Rule + @ClassRule + public static ProcessEngineRule processEngineRule = TestCoverageProcessEngineRuleBuilder.create().build(); + + @Mock + private ProcessScenario process; + + @Mock + SummaryGeneratorDelegate delegate; + + /** + * Executed before every test-case + * In this method default variables for the process and a default behaviour for the mocks + * in the process are defined+ + */ + @Before + public void init() { + + MockitoAnnotations.initMocks(this); + + //Creating a map of default variables for the process + defaultVariables.put(DefaultFields.PROCESS_AUTOMATED.name(), true); + defaultVariables.put(DefaultFields.PROCESS_CONTEXT.name(), "BodgeIT"); + + /* + Mocking everything in the BPMN Model + This includes ExecutionListeners, TaskListeners, JavaDelegates, etc. + Simply stated: Everything, that's executable code + + If you need to define custom behaviour for the Mocks you can do so by + registering Mocks with Camunda's method "Mocks.register(String key, Object value)". 
+ Here the key describes a delegateExpression (as defined in BPMN model) and the value + describes the implementation of the code which should be executed + (Hint: You can put the real implementation as well as a fake one in there) + + Note: Most of the mocking methods seem to work only in combination with delegateExpressions + but not with class definitions as delegate implementation. + + If you have the path to your executable code (the class for delegate) as delegate implementation + then this guide is helpful: + https://blog.akquinet.de/2016/11/04/camunda-bpm-test-your-processes-based-on-plain-old-java-delegates/ + */ + autoMock("bpmn/combined_amass_nmap_process.bpmn"); + + /* + Here we define a default behaviour for all the tasks in the BPMN model. + This behaviour can easily be overridden in test cases. + + The code inside the "thenReturn(...)" method specifies what should happen when process execution + waits at the given task + As a default behaviour we just complete the task and move on to the next one without changing anything + + Note that we have our own mock implementation in the last two when(...) statements. + This is because these tasks are external tasks which cannot be as easily completed as + ServiceTasks. They need an external worker to do so. 
+ */ + when(process.waitsAtUserTask(Mockito.anyString())).thenReturn(TaskDelegate::complete); + when(process.waitsAtServiceTask(Mockito.anyString())).thenReturn(ExternalTaskDelegate::complete); + when(process.waitsAtServiceTask(DO_SCAN_TASK_ID)).thenReturn(task -> startExternalMockProcess("amass-nmap-process")); + } + + @Test + public void testAutomatedStart_shouldPass() { + + ProcessInstance processInstance = runtimeService().startProcessInstanceByKey(PROCESS_ID, defaultVariables); + + assertThat(processInstance).isStarted(); + } + + @Test + public void testManualStartWithDefaultConfiguration_shouldPass() { + ProcessInstance processInstance = runtimeService().startProcessInstanceByKey(PROCESS_ID, defaultVariables); + + assertThat(processInstance).isStarted(); + assertThat(processInstance).isWaitingAt(DO_SCAN_TASK_ID); + } + + @Test + public void testManualRunWithApprovedTestResults() { + + Map variables = new HashMap<>(defaultVariables); + changeVariable(variables, DefaultFields.PROCESS_AUTOMATED.name(), false); + + when(process.waitsAtUserTask(APPROVE_RESULTS_TASK_ID)).thenReturn(task -> { + variables.put(DefaultFields.PROCESS_RESULT_APPROVED.name(), "approved"); + task.complete(variables); + }); + + /* + Here we register a custom mock. + The BPMN model TaskListener takes an injected field variable which cannot be mocked. + Therefore we create our own TaskListener with a dummy implementation and which also + holds the variable, that should be injected. + Then we register our TaskListener with "Mocks.register(...)" and it gets executed when the delegateExpression + is called. 
+ */ + Mocks.register("setFormUrlListener", new TaskListener() { + + @Autowired + private Expression scanner_type; + + @Override + public void notify(DelegateTask delegateTask) { + } + }); + + Scenario scenario = Scenario.run(process).startByKey(PROCESS_ID, variables).execute(); + + assertThat(scenario.instance(process)).isEnded(); + assertThat(scenario.instance(process)).hasPassed(APPROVE_RESULTS_TASK_ID); + assertThat(scenario.instance(process)).variables() + .containsEntry(DefaultFields.PROCESS_RESULT_APPROVED.name(), "approved"); + } + + /** + * Executes an external process without doing anything in the task. + * In the first step the job is executed on the Camunda engine. Therefore the token for the + * provided topic gets pushed. Then an external service is called to pull the token and execute the task + * + * @param topic the topic for the external task + */ + private void startExternalMockProcess(String topic) { + + ExternalTaskService externalTaskService = processEngine().getExternalTaskService(); + List lockedExternalTasks = externalTaskService.fetchAndLock(1, "worker") + .topic(topic, 5000L) + .execute(); + + assertThat(lockedExternalTasks.size()).isEqualTo(1); + + LockedExternalTask task = lockedExternalTasks.get(0); + externalTaskService.complete(task.getId(), "worker"); + } + + private void changeVariable(Map variables, String key, Object value) { + + if (variables.containsKey(key)) { + variables.remove(key); + } + variables.put(key, value); + } + +} diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/test/resources/camunda.cfg.xml b/scb-scanprocesses/combined-amass-nmap-process/src/test/resources/camunda.cfg.xml new file mode 100644 index 00000000..d5e7d6f9 --- /dev/null +++ b/scb-scanprocesses/combined-amass-nmap-process/src/test/resources/camunda.cfg.xml @@ -0,0 +1,14 @@ + + + + + + + + + + + \ No newline at end of file 
diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/test/resources/logback-test.xml b/scb-scanprocesses/combined-amass-nmap-process/src/test/resources/logback-test.xml new file mode 100644 index 00000000..81dcdbcd --- /dev/null +++ b/scb-scanprocesses/combined-amass-nmap-process/src/test/resources/logback-test.xml @@ -0,0 +1,27 @@ + + + + + + + + + + diff --git a/scb-scanprocesses/pom.xml b/scb-scanprocesses/pom.xml index a96279a3..8e8d5661 100644 --- a/scb-scanprocesses/pom.xml +++ b/scb-scanprocesses/pom.xml @@ -21,8 +21,9 @@ zap-process sslyze-process combined-nmap-nikto-scanprocess + combined-amass-nmap-process arachni-process subdomain-scanner-process - \ No newline at end of file + From 888204787c84211f0897fa169cf87a48826b2e4a Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Thu, 11 Oct 2018 15:57:24 +0200 Subject: [PATCH 034/257] Fixed amass-nmap process forms --- .../resources/bpmn/combined_amass_nmap_process.bpmn | 12 ++++++------ .../{default => amass-nmap}/approve-results.html | 0 .../{default => amass-nmap}/configure-target.html | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) rename scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/{default => amass-nmap}/approve-results.html (100%) rename scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/{default => amass-nmap}/configure-target.html (98%) diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn index 66aa0eff..62d6e275 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn @@ -1,7 +1,7 @@ - - - + + + @@ -19,7 +19,7 @@ - + 
@@ -32,7 +32,7 @@ SequenceFlow_ResultRejected - + ${PROCESS_RESULT_APPROVED == 'approved'} SequenceFlow_PortscanFinished @@ -61,7 +61,7 @@ - + ${PROCESS_RESULT_APPROVED == 'disapproved'} SequenceFlow_ResultRejected diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/default/approve-results.html b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/approve-results.html similarity index 100% rename from scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/default/approve-results.html rename to scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/approve-results.html diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/default/configure-target.html b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/configure-target.html similarity index 98% rename from scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/default/configure-target.html rename to scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/configure-target.html index 99a61dcb..8ab3788b 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/default/configure-target.html +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/configure-target.html @@ -17,7 +17,7 @@ ~ */ --> -

Please configure the Port Scan

+

Please configure the Combined Amass-Nmap Scan

From 0bc0a6c486c0b7f1b6d304de04f6bd82207a70a0 Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Fri, 12 Oct 2018 17:44:12 +0200 Subject: [PATCH 035/257] Started implemening process model for amass-nmap scan --- .../TransformAmassResultsToNmapInput.java | 73 ++++++++ .../bpmn/combined_amass_nmap_process.bpmn | 165 ++++++++++-------- .../forms/amass-nmap/configure-target.html | 20 ++- 3 files changed, 179 insertions(+), 79 deletions(-) create mode 100644 scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java new file mode 100644 index 00000000..097a6a79 --- /dev/null +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java 
@@ -0,0 +1,73 @@
+package io.securecodebox.scanprocesses.amassnmap;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import io.securecodebox.constants.DefaultFields;
+import io.securecodebox.model.execution.Target;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.List;
+import org.camunda.bpm.engine.delegate.DelegateExecution;
+import org.camunda.bpm.engine.delegate.JavaDelegate;
+import org.camunda.bpm.engine.variable.Variables;
+import org.camunda.bpm.engine.variable.value.ObjectValue;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Component;
+import sun.rmi.runtime.Log;
+
+@Component
+public class TransformAmassResultsToNmapInput implements JavaDelegate {
+
+ private static final Logger LOG = LoggerFactory.getLogger(TransformAmassResultsToNmapInput.class);
+
+ @Override
+ public void execute(DelegateExecution execution) throws Exception {
+
+ LOG.info("----------------------------------------");
+ LOG.info("Trying to convert amass output to nmap input");
+ LOG.info("----------------------------------------");
+
+
+ try {
+ ObjectMapper objectMapper = new ObjectMapper();
+ String findingsAsString = objectMapper.writeValueAsString(execution.getVariable(DefaultFields.PROCESS_FINDINGS.name()));
+
+ List newTargets = objectMapper.readValue(objectMapper.readValue(findingsAsString, String.class),
+ objectMapper.getTypeFactory().constructCollectionType(List.class, Target.class));
+
+ for (Target target : newTargets) {
+ target.getAttributes().put("hostname", target.getLocation());
+ target.setName("My Name Dummy");
+ // remove target configs
+ }
+
+ LOG.info("Created Targets out of Findings: " + newTargets);
+
+ ObjectValue objectValue = Variables.objectValue(objectMapper.writeValueAsString(newTargets))
+ .serializationDataFormat(Variables.SerializationDataFormats.JSON)
+ .create();
+ execution.setVariable(DefaultFields.PROCESS_TARGETS.name(), objectValue);
+
+ // SET NMAP PROCESS VARIABLES
+ execution.setVariable("NMAP_CONFIGURATION_TYPE","default");
+
+ LOG.info("FINISHED TransformAmassResultsToNmapInput Service Task. -> Start nmap");
+
+ } catch (JsonProcessingException e) {
+ throw new IllegalStateException("Can't write field to process!", e);
+ }
+
+
+
+ }
+
+// private String removeProtocollFromUrl(String url) throws URISyntaxException {
+// LOG.info("URL:" + url);
+// URI uri = new URI(url);
+// //TODO: not correct yet
+// String path = uri.getHost() + uri.getPath(); // split whatever you need
+// LOG.info("PATH:" + path);
+// return path;
+// }
+}
diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn
index 62d6e275..ff2292aa 100644
--- a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn
+++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn
@@ -1,6 +1,6 @@ - +
@@ -13,11 +13,10 @@ SequenceFlow_TargetConfigured - + SequenceFlow_SummaryCreated -
@@ -35,7 +34,7 @@ ${PROCESS_RESULT_APPROVED == 'approved'} - SequenceFlow_PortscanFinished + SequenceFlow_16dtbnz SequenceFlow_ManualFinish SequenceFlow_AutomatedFinish 
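Review bot: The loop in `execute` overwrites every target's name with the literal `"My Name Dummy"` and leaves `// remove target configs` as an open TODO, so the targets handed to nmap carry a placeholder name plus whatever attributes the amass finding had; the intent should be stated, e.g. `// amass reports the discovered host in location; nmap expects it as the hostname attribute — TODO(review): decide which finding attributes may pass through`. These findings are scanner output derived from external DNS answers and they become scan targets without any check that `target.getLocation()` is a hostname or address, so a format check before `put("hostname", ...)` would keep malformed entries from reaching the nmap task. `LOG.info("Created Targets out of Findings: " + newTargets)` dumps the whole target list at INFO via string concatenation; `LOG.debug("Created {} targets out of findings", newTargets.size())` keeps per-host data out of the log and uses SLF4J placeholders. The nested `objectMapper.readValue(objectMapper.readValue(findingsAsString, String.class), ...)` also deserves a one-line comment saying that `PROCESS_FINDINGS` holds a JSON string inside the serialised variable, otherwise the double parse looks like a mistake.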
@@ -45,29 +44,42 @@ ${PROCESS_AUTOMATED == true} - - - SequenceFlow_TargetConfigured - SequenceFlow_PortscanFinished - SequenceFlow_ResultApproved - SequenceFlow_1i44eck SequenceFlow_AutomatedFinish + SequenceFlow_ResultRejected SequenceFlow_SummaryCreated - + + + + + + SequenceFlow_0p5mwz6 + SequenceFlow_16dtbnz + + + + + + + + SequenceFlow_TargetConfigured + SequenceFlow_160sc2u + + + + ${PROCESS_RESULT_APPROVED == 'disapproved'} - - SequenceFlow_ResultRejected - SequenceFlow_1i44eck - - + + SequenceFlow_160sc2u + SequenceFlow_0p5mwz6 + results in a generic format @@ -76,122 +88,125 @@ - + - + - - + + - + - + - - - - - - - - - + + + + - + - + - + - + - - + + - + - + - + - - - + + + - + - - - - + + + + - + - - - - - + + - + - + - + - + - + - - + + - - - - - - - + + + + + + - - + + - - - - + + + + + + + + + + + + + - + + + + diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/configure-target.html b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/configure-target.html index 8ab3788b..444e90c0 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/configure-target.html +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/configure-target.html @@ -38,7 +38,13 @@

Please configure the Combined Amass-Nmap Scan

}]; $scope.addTarget = function () { - $scope.targetList.push({'name':'', 'location': ''}); + $scope.targetList.push({ + name: '', + location: '', + attributes: { + NO_DNS: false + } + }); }; $scope.checkForEnter = function ($event) { @@ -51,7 +57,6 @@

Please configure the Combined Amass-Nmap Scan

}); camForm.on('submit', function () { - camForm.variableManager.destroyVariable('PROCESS_TARGETS'); camForm.variableManager.createVariable({ name: 'PROCESS_TARGETS', type: 'Object', @@ -83,10 +88,10 @@

Combined Amass-Nmap Target

ng-model="target.name"/>
- + Combined Amass-Nmap Target
+
+ +
From 63e4922119f8241e39b5274dabf9b2184f75bb95 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Mon, 15 Oct 2018 11:12:55 +0200 Subject: [PATCH 036/257] Wrapped target in a list This ensures that scanner which rely on having a list of targets still work correctly --- .../engine/rest/SecurityTestRessource.java | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/scb-engine/src/main/java/io/securecodebox/engine/rest/SecurityTestRessource.java b/scb-engine/src/main/java/io/securecodebox/engine/rest/SecurityTestRessource.java index 7c4c9a12..10c8f7de 100644 --- a/scb-engine/src/main/java/io/securecodebox/engine/rest/SecurityTestRessource.java +++ b/scb-engine/src/main/java/io/securecodebox/engine/rest/SecurityTestRessource.java @@ -20,6 +20,7 @@ import com.fasterxml.jackson.databind.ObjectMapper; import io.securecodebox.constants.DefaultFields; +import io.securecodebox.model.execution.Target; import io.securecodebox.model.rest.SecurityTest; import io.securecodebox.scanprocess.ProcessVariableHelper; import io.swagger.annotations.*; @@ -78,7 +79,7 @@ public class SecurityTestRessource { @RequestMapping(method = RequestMethod.PUT) public ResponseEntity> startSecurityTests(@Valid @RequestBody List securityTests) { - for(SecurityTest securityTest : securityTests){ + for (SecurityTest securityTest : securityTests) { long processCount = engine.getRepositoryService() .createProcessDefinitionQuery() .active() 
@@ -86,21 +87,24 @@ public ResponseEntity> startSecurityTests(@Valid @RequestBody List 1){ + } else if (processCount > 1) { return ResponseEntity.status(HttpStatus.MULTIPLE_CHOICES).build(); } } List processInstances = new LinkedList<>(); - for (SecurityTest securityTest: securityTests) { + for (SecurityTest securityTest : securityTests) { Map values = new HashMap<>(); + List targets = new LinkedList<>(); + targets.add(securityTest.getTarget()); + values.put(DefaultFields.PROCESS_AUTOMATED.name(), true); values.put(DefaultFields.PROCESS_CONTEXT.name(), securityTest.getContext()); - values.put(DefaultFields.PROCESS_TARGETS.name(), ProcessVariableHelper.generateObjectValue(securityTest.getTarget())); + values.put(DefaultFields.PROCESS_TARGETS.name(), ProcessVariableHelper.generateObjectValue(targets)); ProcessInstance instance = engine.getRuntimeService().startProcessInstanceByKey(securityTest.getProcessDefinitionKey(), values); processInstances.add(UUID.fromString(instance.getProcessInstanceId())); From 9072c7cc9a8f05e222b5ef26fec897ef1fad3b8e Mon Sep 17 00:00:00 2001 From: pbarwiko Date: Mon, 15 Oct 2018 13:56:01 +0200 Subject: [PATCH 037/257] add s3 persistence provider, tests need to get better though --- .../src/main/resources/application.yaml | 4 + scb-persistenceproviders/pom.xml | 1 + .../s3-persistenceprovider/pom.xml | 84 +++++++++++++++++ .../persistence/s3/S3PersistenceProvider.java | 89 +++++++++++++++++++ .../s3/S3PersistenceProviderTest.java | 56 ++++++++++++ .../java/io/securecodebox/model/Report.java | 3 + 6 files changed, 237 insertions(+) create mode 100644 scb-persistenceproviders/s3-persistenceprovider/pom.xml create mode 100644 scb-persistenceproviders/s3-persistenceprovider/src/main/java/io/securecodebox/persistence/s3/S3PersistenceProvider.java create mode 100644 scb-persistenceproviders/s3-persistenceprovider/src/test/java/io/securecodebox/persistence/s3/S3PersistenceProviderTest.java 
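Review bot: `targets.add(securityTest.getTarget())` wraps whatever the request body carried, so a `SecurityTest` without a target becomes a `[null]` list that the started process only trips over later; unless `getTarget()` is covered by the `@Valid` constraints (not visible here), an `Objects.requireNonNull(securityTest.getTarget(), "target")` in the existence-check loop above, or a 400 response, would reject it at the REST boundary. If the list is only serialised by `ProcessVariableHelper.generateObjectValue`, `List targets = Collections.singletonList(securityTest.getTarget());` also states the single-element wrap more directly than a `LinkedList` plus `add`. The enclosing `startSecurityTests` method starts outside this hunk.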
diff --git a/scb-engine/src/main/resources/application.yaml b/scb-engine/src/main/resources/application.yaml index c0a28834..9c8157fc 100644 --- a/scb-engine/src/main/resources/application.yaml +++ b/scb-engine/src/main/resources/application.yaml @@ -15,6 +15,10 @@ logging.level.io.securecodebox: INFO # - elasticsearch securecodebox.persistence.provider: none +# Configuration for the s3 persistence provider: +securecodebox.persistence.s3.bucket: abc-def +securecodebox.persistence.s3.region: eu-central-1 + # Configuration for the elasticsearch persistence provider: securecodebox.persistence.elasticsearch.host: persistence-elasticsearch securecodebox.persistence.elasticsearch.port: 9200 diff --git a/scb-persistenceproviders/pom.xml b/scb-persistenceproviders/pom.xml index f7ec9185..c661744c 100644 --- a/scb-persistenceproviders/pom.xml +++ b/scb-persistenceproviders/pom.xml @@ -35,6 +35,7 @@ elasticsearch-persistenceprovider empty-persistenceprovider + s3-persistenceprovider diff --git a/scb-persistenceproviders/s3-persistenceprovider/pom.xml b/scb-persistenceproviders/s3-persistenceprovider/pom.xml new file mode 100644 index 00000000..14b797e0 --- /dev/null +++ b/scb-persistenceproviders/s3-persistenceprovider/pom.xml @@ -0,0 +1,84 @@ + + + + 4.0.0 + + + io.securecodebox.persistenceproviders + default-persistence-collection + 0.0.1-SNAPSHOT + + + s3-persistenceprovider + 0.0.1-SNAPSHOT + + + + io.securecodebox.core + sdk + provided + + + com.amazonaws + aws-java-sdk-s3 + 1.11.424 + + + org.mockito + mockito-core + test + + + junit + junit + test + + + commons-io + commons-io + RELEASE + + + + + + + maven-assembly-plugin + 3.1.0 + + + jar-with-dependencies + + + + + make-assembly + package + + single + + + + + + + + 
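Review bot: `securecodebox.persistence.s3.bucket: abc-def` ships a placeholder as the live default, and since S3 bucket names are global it names a bucket this project does not control; leaving the value empty and describing it in the comment above makes a missing configuration fail at startup instead of attempting uploads to a foreign bucket. The region default is presumably fine as an example, but the same reasoning applies if the deployment is expected to override it.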
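Review bot: `<version>RELEASE</version>` for commons-io in the new s3-persistenceprovider pom.xml resolves to whatever the newest release in the repository is at build time, so builds are not reproducible and a future (or tampered) release is picked up silently; pin a concrete version like the other dependencies in this file, e.g. `<version>2.6</version>`. As far as this commit shows, nothing in the main sources uses commons-io (only the commented-out test referenced `FileUtils`), so it could be dropped or at least given test scope rather than being bundled into the jar-with-dependencies assembly.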
diff --git a/scb-persistenceproviders/s3-persistenceprovider/src/main/java/io/securecodebox/persistence/s3/S3PersistenceProvider.java b/scb-persistenceproviders/s3-persistenceprovider/src/main/java/io/securecodebox/persistence/s3/S3PersistenceProvider.java
new file mode 100644
index 00000000..9022d58d
--- /dev/null
+++ b/scb-persistenceproviders/s3-persistenceprovider/src/main/java/io/securecodebox/persistence/s3/S3PersistenceProvider.java
@@ -0,0 +1,89 @@
+/*
+ *
+ * SecureCodeBox (SCB)
+ * Copyright 2015-2018 iteratec GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * /
+ */
+package io.securecodebox.persistence.s3;
+
+import com.amazonaws.auth.profile.ProfileCredentialsProvider;
+import com.amazonaws.services.s3.AmazonS3;
+import com.amazonaws.services.s3.AmazonS3ClientBuilder;
+import com.amazonaws.services.s3.model.ObjectMetadata;
+import com.amazonaws.services.s3.model.PutObjectRequest;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import io.securecodebox.model.Report;
+import io.securecodebox.persistence.PersistenceProvider;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.stereotype.Component;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.UUID;
+
+@ConditionalOnProperty(name = "securecodebox.persistence.provider", havingValue = "none")
+@Component
+public class S3PersistenceProvider implements PersistenceProvider {
+
+ private static final Logger LOG = LoggerFactory.getLogger(S3PersistenceProvider.class);
+
+// @Autowired
+ private ObjectMapper mapper = new ObjectMapper();
+
+ @Value("${securecodebox.persistence.s3.bucket}")
+ private String bucketName;
+
+ @Value("${securecodebox.persistence.s3.region}")
+ private String awsRegion;
+
+ @Override
+ public void persist(Report report) {
+
+ if (report == null) {
+ LOG.warn("Report is null, nothing to persist.");
+ } else {
+ // Upload a file as a new object with ContentType and title specified.
+
+ AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
+ .withRegion(awsRegion)
+ .withCredentials(new ProfileCredentialsProvider())
+ .build();
+ File file = writeReportToFile(report);
+
+ String fileName = report.getExecution().getContext().replace('/', '-') + '/';
+ fileName += UUID.randomUUID();
+ PutObjectRequest request = new PutObjectRequest(bucketName, fileName, file);
+ ObjectMetadata metadata = new ObjectMetadata();
+ metadata.setContentType("application/json");
+ request.setMetadata(metadata);
+ s3Client.putObject(request);
+ }
+ }
+
+ File writeReportToFile(Report report) {
+ File tempFile = null;
+ try {
+ tempFile = File.createTempFile(UUID.randomUUID().toString(), ".json");
+ mapper.writeValue(tempFile, report);
+ } catch (IOException exception) {
+ LOG.error("Could not write tempfile: ", exception);
+ }
+ return tempFile;
+ }
+}
diff --git a/scb-persistenceproviders/s3-persistenceprovider/src/test/java/io/securecodebox/persistence/s3/S3PersistenceProviderTest.java b/scb-persistenceproviders/s3-persistenceprovider/src/test/java/io/securecodebox/persistence/s3/S3PersistenceProviderTest.java
new file mode 100644
index 00000000..cb1a0aab
--- /dev/null
+++ b/scb-persistenceproviders/s3-persistenceprovider/src/test/java/io/securecodebox/persistence/s3/S3PersistenceProviderTest.java
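Review bot: `@ConditionalOnProperty(name = "securecodebox.persistence.provider", havingValue = "none")` on the new class binds the S3 provider to the value that application.yaml uses for "no persistence", so the default configuration would instantiate this bean and start uploading reports; it should read `havingValue = "s3"`. In `persist`, `writeReportToFile` returns null after a failed write and that null then reaches `new PutObjectRequest(bucketName, fileName, file)`, while on the success path the temp file holding the complete report is never deleted, so findings accumulate in the shared temp directory; `Files.createTempFile` would additionally create it with owner-only permissions on POSIX, which `File.createTempFile` does not. `new ProfileCredentialsProvider()` hard-wires the profile file under the user's home directory and ignores environment or instance-role credentials; omitting `withCredentials` (the builder then uses the default provider chain) is the usual choice for a service and is presumably what a container deployment needs. A rewritten `persist` that fails fast and cleans up follows.
```java
@ConditionalOnProperty(name = "securecodebox.persistence.provider", havingValue = "s3")
@Component
public class S3PersistenceProvider implements PersistenceProvider {
    // … unchanged: logger, mapper, @Value fields …

    @Override
    public void persist(Report report) {
        if (report == null) {
            LOG.warn("Report is null, nothing to persist.");
            return;
        }
        File file = writeReportToFile(report);
        if (file == null) {
            // writeReportToFile already logged the IOException; never hand a null File to the SDK
            throw new IllegalStateException("Report could not be serialised, skipping S3 upload");
        }
        try {
            AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
                    .withRegion(awsRegion)
                    .build();
            // … unchanged: key construction, PutObjectRequest, metadata, putObject …
        } finally {
            // the temp file holds the complete report; do not leave it behind in the shared temp dir
            if (!file.delete()) {
                LOG.warn("Could not delete temporary report file {}", file.getAbsolutePath());
            }
        }
    }

    // … unchanged: writeReportToFile …
```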
@@ -0,0 +1,56 @@
+package io.securecodebox.persistence.s3;
+
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
+import org.mockito.runners.MockitoJUnitRunner;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.charset.Charset;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
+import static junit.framework.TestCase.assertTrue;
+
+@RunWith(MockitoJUnitRunner.class)
+public class S3PersistenceProviderTest {
+
+ @InjectMocks
+ S3PersistenceProvider s3PersistenceProvider;
+
+// @Mock
+// private ObjectMapper objMapper;
+
+ public static final String DEFAULT_RESULT_STRING = "{}";
+// private static final String DEFAULT_EXECUTION = "{\"id\":\"5a4e9d37-09b0-4109-badd-d79dfa8fce2a\",\"context\":\"TEST_CONTEXT\",\"automated\":false,\"scanners\":[{\"id\":\"62fa8ffb-e3bc-433e-b322-9c02108c5171\",\"type\":\"Test_SCANNER\",\"findings\":[{\"id\":\"49bf7fd3-8512-4d73-a28f-608e493cd726\",\"name\":\"BAD_TEST_FINDIG\",\"description\":\"Some coder has tested this!\",\"category\":\"COOL_TEST_STUFF\",\"osi_layer\":\"NOT_APPLICABLE\",\"severity\":\"HIGH\",\"reference\":{\"id\":\"UNI_CODE_STUFF\",\"source\":\"RISCOOL\"},\"hint\":\"You might wan't to blame Rüdiger!\",\"attributes\":{\"TEST\":\"Kekse\",\"HORRIBLE\":\"Coke\"},\"location\":\"mett.brot.securecodebox.io\",\"false_positive\":false}],\"rawFindings\":\"[{\\\"pudding\\\":\\\"Bier\\\"}]\"}]}";
+// public static final String DEFAULT_RESULT_STRING = "{\"execution\": " + DEFAULT_EXECUTION + ", \"findings\":[{}]}";
+// public static final String DEFAULT_RESULT_STRING = "{\"execution\": null, \"findings\":[{\"id\":\"49bf7fd3-8512-4d73-a28f-608e493cd726\",\"name\":\"BAD_TEST_FINDIG\",\"description\":\"Some coder has tested this!\",\"category\":\"COOL_TEST_STUFF\",\"osi_layer\":\"NOT_APPLICABLE\",\"severity\":\"HIGH\",\"reference\":{\"id\":\"UNI_CODE_STUFF\",\"source\":\"RISCOOL\"},\"hint\":\"You might wan't to blame Rüdiger!\",\"attributes\":{\"TEST\":\"Kekse\",\"HORRIBLE\":\"Coke\"},\"location\":\"mett.brot.securecodebox.io\",\"false_positive\":false}]}";
+
+ private ObjectMapper objectMapper = new ObjectMapper();
+
+
+ // Todo: find out how to initialize a example report correctly
+// @Test
+// public void testWriteReportToFile() throws IOException {
+// Mockito.when(objMapper.writeValueAsString(any())).thenReturn(DEFAULT_RESULT_STRING);
+// File file = s3PersistenceProvider.writeReportToFile(objectMapper.readValue(DEFAULT_RESULT_STRING, Report.class));
+// String content = FileUtils.readFileToString(file, "UTF-8");
+// assertTrue(content.contains("TEST_CONTEXT"));
+// }
+
+ @Test
+ public void testNullReport() throws IOException {
+ File file = s3PersistenceProvider.writeReportToFile(null);
+ assertTrue("null".equals(readFile(file.getPath(), Charset.forName("UTF-8"))));
+ }
+
+
+ private static String readFile(String path, Charset encoding)
+ throws IOException {
+ byte[] encoded = Files.readAllBytes(Paths.get(path));
+ return new String(encoded, encoding);
+ }
+}
\ No newline at end of file
diff --git a/scb-sdk/src/main/java/io/securecodebox/model/Report.java b/scb-sdk/src/main/java/io/securecodebox/model/Report.java
index 93531426..cda29536 100644
--- a/scb-sdk/src/main/java/io/securecodebox/model/Report.java
+++ b/scb-sdk/src/main/java/io/securecodebox/model/Report.java
@@ -114,4 +114,7 @@ public int hashCode() { public String toString() { return "Report{" + "execution=" + execution + '}'; } + + public Report() { + } }
From 72f56a2b4cfa93db449841f90e07e15f8ccd3f00 Mon Sep 17 00:00:00 2001 
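Review bot: `testNullReport` pins the behaviour that `writeReportToFile(null)` quietly produces a temp file containing the text `null`, which is the opposite of what a persistence provider should do with a missing report; the test should expect a rejection (or at least a null return) rather than cement the silent write. The temp file the test creates is never deleted, so every run leaves one behind; a `finally { file.delete(); }` around the assertion, or `file.deleteOnExit()`, fixes that. `Charset.forName("UTF-8")` can be `StandardCharsets.UTF_8`, `org.mockito.runners.MockitoJUnitRunner` is the deprecated package (`org.mockito.junit.MockitoJUnitRunner` is the current one), and the unused `objectMapper` field together with the commented-out fixture and test should either become a real test or be removed.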
From: Martin Lang Date: Tue, 16 Oct 2018 09:36:18 +0200 Subject: [PATCH 038/257] Removed compiler warnings 'parent.version is deprecated' and 'file encoding not set' --- pom.xml | 1 + scb-scanprocesses/arachni-process/pom.xml | 2 +- .../src/main/resources/archetype-resources/pom.xml | 2 +- scb-scanprocesses/combined-amass-nmap-process/pom.xml | 2 +- scb-scanprocesses/subdomain-scanner-process/pom.xml | 2 +- 5 files changed, 5 insertions(+), 4 deletions(-) diff --git a/pom.xml b/pom.xml index 28226385..9b5f0edd 100644 --- a/pom.xml +++ b/pom.xml @@ -62,6 +62,7 @@ 1.5.13.RELEASE 2.9.0 + UTF-8 diff --git a/scb-scanprocesses/arachni-process/pom.xml b/scb-scanprocesses/arachni-process/pom.xml index d8de4703..3f248de8 100644 --- a/scb-scanprocesses/arachni-process/pom.xml +++ b/scb-scanprocesses/arachni-process/pom.xml @@ -36,7 +36,7 @@ io.securecodebox.core sdk - ${parent.version} + ${project.parent.version} diff --git a/scb-scanprocesses/archetype-process/src/main/resources/archetype-resources/pom.xml b/scb-scanprocesses/archetype-process/src/main/resources/archetype-resources/pom.xml index 8ca83c23..e6ccf62f 100644 --- a/scb-scanprocesses/archetype-process/src/main/resources/archetype-resources/pom.xml +++ b/scb-scanprocesses/archetype-process/src/main/resources/archetype-resources/pom.xml @@ -37,7 +37,7 @@ io.securecodebox.core sdk - ${dollar}{parent.version} + ${dollar}{project.parent.version} diff --git a/scb-scanprocesses/combined-amass-nmap-process/pom.xml b/scb-scanprocesses/combined-amass-nmap-process/pom.xml index 96dcec7f..2870588e 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/pom.xml +++ b/scb-scanprocesses/combined-amass-nmap-process/pom.xml @@ -36,7 +36,7 @@ io.securecodebox.core sdk - ${parent.version} + ${project.parent.version} diff --git a/scb-scanprocesses/subdomain-scanner-process/pom.xml b/scb-scanprocesses/subdomain-scanner-process/pom.xml index 8f2155d6..9afd5525 100644 --- a/scb-scanprocesses/subdomain-scanner-process/pom.xml 
+++ b/scb-scanprocesses/subdomain-scanner-process/pom.xml @@ -36,7 +36,7 @@ io.securecodebox.core sdk - ${parent.version} + ${project.parent.version} From 231b43c7c22fddd6cdc0f78206dd85de20a833e3 Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Tue, 16 Oct 2018 10:09:02 +0200 Subject: [PATCH 039/257] Only use amass scanner task instead of subprocess --- .../TransformAmassResultsToNmapInput.java | 15 +- .../bpmn/combined_amass_nmap_process.bpmn | 185 +++--------------- 2 files changed, 29 insertions(+), 171 deletions(-) diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java index 097a6a79..247add4f 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java @@ -4,8 +4,6 @@ import com.fasterxml.jackson.databind.ObjectMapper; import io.securecodebox.constants.DefaultFields; import io.securecodebox.model.execution.Target; -import java.net.URI; -import java.net.URISyntaxException; import java.util.List; import org.camunda.bpm.engine.delegate.DelegateExecution; import org.camunda.bpm.engine.delegate.JavaDelegate; @@ -14,7 +12,6 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.stereotype.Component; -import sun.rmi.runtime.Log; @Component public class TransformAmassResultsToNmapInput implements JavaDelegate { 
@@ -37,7 +34,8 @@ public void execute(DelegateExecution execution) throws Exception { objectMapper.getTypeFactory().constructCollectionType(List.class, Target.class)); for (Target target : newTargets) { - target.getAttributes().put("hostname", target.getLocation()); + target.getAttributes().put("hostname", target.getName()); + target.setLocation(target.getName()); target.setName("My Name Dummy"); // remove target configs } @@ -61,13 +59,4 @@ public void execute(DelegateExecution execution) throws Exception { } - -// private String removeProtocollFromUrl(String url) throws URISyntaxException { -// LOG.info("URL:" + url); -// URI uri = new URI(url); -// //TODO: not correct yet -// String path = uri.getHost() + uri.getPath(); // split whatever you need -// LOG.info("PATH:" + path); -// return path; -// } } diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn index ff2292aa..f2861b71 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn 
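Review bot: The three statements in the loop depend on their order — `target.getName()` is read twice and then overwritten with `"My Name Dummy"` — and nothing says why amass reports the discovered host in the name field; a comment such as `// amass puts the discovered hostname in name; copy it to location and the hostname attribute before the name is replaced` would keep the next edit from reordering them. The hard-coded placeholder name still reaches the nmap targets and the `// remove target configs` TODO remains open. The enclosing `execute` method starts and ends outside this hunk.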
@@ -13,77 +13,29 @@ SequenceFlow_TargetConfigured - - - SequenceFlow_SummaryCreated - - - - - - - SequenceFlow_ManualFinish - SequenceFlow_ResultReviewed - - - SequenceFlow_ResultReviewed - SequenceFlow_ResultApproved - SequenceFlow_ResultRejected - - - ${PROCESS_RESULT_APPROVED == 'approved'} - - - SequenceFlow_16dtbnz - SequenceFlow_ManualFinish - SequenceFlow_AutomatedFinish - - - ${PROCESS_AUTOMATED == false} - - - ${PROCESS_AUTOMATED == true} - - - - - SequenceFlow_ResultApproved - SequenceFlow_AutomatedFinish - SequenceFlow_ResultRejected - SequenceFlow_SummaryCreated - - - + SequenceFlow_0p5mwz6 - SequenceFlow_16dtbnz + SequenceFlow_108i7wd - - - - - - - SequenceFlow_TargetConfigured - SequenceFlow_160sc2u - - - - ${PROCESS_RESULT_APPROVED == 'disapproved'} - - SequenceFlow_160sc2u + SequenceFlow_01m9zqu SequenceFlow_0p5mwz6 - - results in a generic format - - + + SequenceFlow_TargetConfigured + SequenceFlow_01m9zqu + + + + SequenceFlow_108i7wd + +
@@ -95,118 +47,35 @@
- + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + +
From ad646fb0e963c4f02162282ada9fe370d633697c Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Tue, 16 Oct 2018 15:36:10 +0200 Subject: [PATCH 040/257] Changed amass-nmap process to only use nmap scan instead of nmap process --- .../amassnmap/SummaryGeneratorDelegate.java | 71 -------- .../TransformAmassResultsToNmapInput.java | 17 +- .../bpmn/combined_amass_nmap_process.bpmn | 164 +++++++++++++++--- .../forms/amass-nmap/approve-results.html | 140 +++++++-------- .../forms/amass-nmap/configure-target.html | 34 +--- .../CombinedAmassNmapProcessTest.java | 2 +- 6 files changed, 205 insertions(+), 223 deletions(-) delete mode 100644 scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/SummaryGeneratorDelegate.java diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/SummaryGeneratorDelegate.java b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/SummaryGeneratorDelegate.java deleted file mode 100644 index 405edad2..00000000 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/SummaryGeneratorDelegate.java +++ /dev/null 
@@ -1,71 +0,0 @@ - -/* - * - * SecureCodeBox (SCB) - * Copyright 2015-2018 iteratec GmbH - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * / - */ - -package io.securecodebox.scanprocesses.amassnmap; - -import io.securecodebox.model.Report; -import io.securecodebox.model.execution.ScanProcessExecution; -import io.securecodebox.model.execution.ScanProcessExecutionFactory; -import io.securecodebox.persistence.PersistenceProvider; -import org.camunda.bpm.engine.delegate.DelegateExecution; -import org.camunda.bpm.engine.delegate.JavaDelegate; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Component; - -/** - * Example process saving results to the persistence. 
- */ -@Component("io_securecodebox_scanprocesses_amassnmap_SummaryGeneratorDelegate") -public class SummaryGeneratorDelegate implements JavaDelegate { - - private static final Logger LOG = LoggerFactory.getLogger(SummaryGeneratorDelegate.class); - - @Autowired - PersistenceProvider persistenceProvider; - - @Autowired - ScanProcessExecutionFactory executionFactory; - - @Override - public void execute(DelegateExecution delegateExecution) { - ScanProcessExecution scanProcessExecution = executionFactory.get(delegateExecution); - - Report report = new Report(scanProcessExecution); - persist(report); - } - - /** - * Eventually consistent: try to persist if the persistence provider is currently available. - * - * @param report The generic report of findings to persist. - */ - private void persist(Report report) { - LOG.trace("starting scan report persistence. {}", report); - - try { - persistenceProvider.persist(report); - } catch (Exception e) { - LOG.error("Unexpected Error while trying to init a persistence provider!", e); - } - } - -} diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java index 247add4f..23782b07 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java 
@@ -21,26 +21,21 @@ public class TransformAmassResultsToNmapInput implements JavaDelegate { @Override public void execute(DelegateExecution execution) throws Exception { - LOG.info("----------------------------------------"); - LOG.info("Trying to convert amass output to nmap input"); - LOG.info("----------------------------------------"); - + LOG.debug("Converting amass output to nmap input"); try { ObjectMapper objectMapper = new ObjectMapper(); String findingsAsString = objectMapper.writeValueAsString(execution.getVariable(DefaultFields.PROCESS_FINDINGS.name())); - List newTargets = objectMapper.readValue(objectMapper.readValue(findingsAsString, String.class), objectMapper.getTypeFactory().constructCollectionType(List.class, Target.class)); for (Target target : newTargets) { + //TODO: this is not correct; Fix location in amass scan and use location instead target.getAttributes().put("hostname", target.getName()); target.setLocation(target.getName()); - target.setName("My Name Dummy"); - // remove target configs } - LOG.info("Created Targets out of Findings: " + newTargets); + LOG.debug("Transformed findings to new targets: " + newTargets); ObjectValue objectValue = Variables.objectValue(objectMapper.writeValueAsString(newTargets)) .serializationDataFormat(Variables.SerializationDataFormats.JSON) @@ -50,13 +45,11 @@ public void execute(DelegateExecution execution) throws Exception { // SET NMAP PROCESS VARIABLES execution.setVariable("NMAP_CONFIGURATION_TYPE","default"); - LOG.info("FINISHED TransformAmassResultsToNmapInput Service Task. -> Start nmap"); + LOG.debug("Finished TransformAmassResultsToNmapInput Service Task. Continue with nmap scan"); } catch (JsonProcessingException e) { throw new IllegalStateException("Can't write field to process!", e); } - - - } + } 
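Review bot: The `catch (JsonProcessingException e)` in the second hunk wraps the two `readValue` calls that parse `PROCESS_FINDINGS` as well as the `writeValueAsString` calls, but its message `"Can't write field to process!"` only describes the write path, so a malformed findings payload is reported as a write failure; a message covering both, e.g. `throw new IllegalStateException("Can't convert amass findings into nmap targets!", e);`, is more accurate. The new `LOG.debug("Transformed findings to new targets: " + newTargets)` builds the string (and calls `newTargets.toString()`) even when debug is disabled; `LOG.debug("Transformed findings to new targets: {}", newTargets);` defers that. The `location` written in the loop is copied straight from an amass finding into the input of the next scan, and the TODO says the source is provisional; whatever it ends up being, it deserves the same constraint that `Target.location` presumably gets at the REST boundary (the `@Pattern` on that field), because data produced by one scanner is not validated again here. `execute` starts outside the first hunk.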
diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn index f2861b71..516d4ae5 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn @@ -14,28 +14,65 @@ SequenceFlow_TargetConfigured - - - - - - SequenceFlow_0p5mwz6 - SequenceFlow_108i7wd - - + SequenceFlow_01m9zqu SequenceFlow_0p5mwz6 - + SequenceFlow_TargetConfigured SequenceFlow_01m9zqu - - SequenceFlow_108i7wd + + SequenceFlow_0p5mwz6 + SequenceFlow_0x38sun + + + SequenceFlow_0mvz7h9 + SequenceFlow_16u7pin - + + SequenceFlow_0x38sun + SequenceFlow_1r4mrzm + SequenceFlow_1k9fyw2 + + + + + + SequenceFlow_1r4mrzm + SequenceFlow_0y61th0 + + + + ${PROCESS_AUTOMATED == false} + + + + + + + + SequenceFlow_1k9fyw2 + SequenceFlow_0u5weoe + SequenceFlow_16u7pin + + + ${PROCESS_AUTOMATED == true} + + + SequenceFlow_0y61th0 + SequenceFlow_0u5weoe + SequenceFlow_0mvz7h9 + + + ${PROCESS_RESULT_APPROVED == 'approved'} + + + ${PROCESS_RESULT_APPROVED != 'approved'} + +
@@ -47,34 +84,105 @@ - + - - - - - + + - + - + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + + + + - - - + + + + + + + + + + + + + + + + + + diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/approve-results.html b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/approve-results.html index 44bae303..4fc10fce 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/approve-results.html +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/approve-results.html @@ -21,7 +21,6 @@ -
-

Combined Amass-Nmap results for "{{ target.name }}"

- -
-
-
{{ scannerId }}
-
-
-
-
{{ target.location }}
-
-
-
-
{{ context }}
-
-
-
-
- - - - - - - - - - - - - - - -
Host:Name:Category:Severity:Reference:
{{ result.location }}{{ result.name }}{{ result.category }} -
- - - {{ result.severity }} - +

+ Port scan results for subdomains of "{{ firstTarget.name }}" +

- - - {{ result.severity }} - +
+
+
+
+ + {{ context }} +
+
- - - {{ result.severity }} - +
+ Results for Host: {{ address }} + + + + + + + + + + + + + + + +
Host:Port:Name:Protocol:State:
{{ address }}{{ port.category === 'Open Port' ? port.attributes.port : '' }}{{ port.category === 'Open Port' ? port.attributes.service : port.name}}{{ port.category === 'Open Port' ? port.attributes.protocol : '' }} + + + Open + +
+
- - - {{ result.severity }} - -
-
{{ result.reference.id }}
+

Approve Result

+ +
+ +
+ +
- -
-
-

Approve Result

- -
- -
- -
diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/configure-target.html b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/configure-target.html index 444e90c0..fb9bafe5 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/configure-target.html +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/configure-target.html @@ -36,24 +36,6 @@

Please configure the Combined Amass-Nmap Scan

name: camForm.variableManager.variableValue('DEFAULT_TARGET_NAME'), location: camForm.variableManager.variableValue('DEFAULT_TARGET_LOCATION') }]; - - $scope.addTarget = function () { - $scope.targetList.push({ - name: '', - location: '', - attributes: { - NO_DNS: false - } - }); - }; - - $scope.checkForEnter = function ($event) { - if ($event.key === 'Enter') { - $scope.addTarget(); - $event.stopPropagation(); - $event.preventDefault(); - } - }; }); camForm.on('submit', function () { @@ -67,14 +49,11 @@

Please configure the Combined Amass-Nmap Scan

} }); }); -
-

Combined Amass-Nmap Target

-
@@ -82,13 +61,13 @@

Combined Amass-Nmap Target

- + Combined Amass-Nmap Target ng-keydown="checkForEnter($event)" />
-
- -
-
diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocess/amassnmap/CombinedAmassNmapProcessTest.java b/scb-scanprocesses/combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocess/amassnmap/CombinedAmassNmapProcessTest.java index c9c7917e..61b2f769 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocess/amassnmap/CombinedAmassNmapProcessTest.java +++ b/scb-scanprocesses/combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocess/amassnmap/CombinedAmassNmapProcessTest.java @@ -20,7 +20,7 @@ package io.securecodebox.scanprocess.amassnmap; import io.securecodebox.constants.DefaultFields; -import io.securecodebox.scanprocesses.amassnmap.SummaryGeneratorDelegate; +import io.securecodebox.scanprocess.delegate.SummaryGeneratorDelegate; import org.camunda.bpm.engine.ExternalTaskService; import org.camunda.bpm.engine.delegate.DelegateTask; import org.camunda.bpm.engine.delegate.Expression; From 71c15189e4ab22a1cb91267306cca313fd4d44ca Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Wed, 17 Oct 2018 08:18:39 +0200 Subject: [PATCH 041/257] Added listener for amass-nmap process to remove host unresolvable findings --- .../RemoveUnresolvableHostFindings.java | 57 ++++++++++++++++ .../bpmn/combined_amass_nmap_process.bpmn | 3 + .../RemoveUnresolvableHostFindingsTest.java | 65 +++++++++++++++++++ 3 files changed, 125 insertions(+) create mode 100644 scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/RemoveUnresolvableHostFindings.java create mode 100644 scb-scanprocesses/combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocesses/amassnmap/RemoveUnresolvableHostFindingsTest.java 
diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/RemoveUnresolvableHostFindings.java b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/RemoveUnresolvableHostFindings.java
new file mode 100644
index 00000000..d06f81ad
--- /dev/null
+++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/RemoveUnresolvableHostFindings.java
@@ -0,0 +1,57 @@ +/* + * + * SecureCodeBox (SCB) + * Copyright 2015-2018 iteratec GmbH + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * / + */ +package io.securecodebox.scanprocesses.amassnmap; + +import io.securecodebox.model.execution.ScanProcessExecution; +import io.securecodebox.model.execution.ScanProcessExecutionFactory; +import io.securecodebox.model.findings.Finding; +import java.util.List; +import java.util.stream.Collectors; +import org.camunda.bpm.engine.delegate.DelegateExecution; +import org.camunda.bpm.engine.delegate.ExecutionListener; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +@Component +public class RemoveUnresolvableHostFindings implements ExecutionListener { + + protected static final org.slf4j.Logger LOG = LoggerFactory.getLogger(RemoveUnresolvableHostFindings.class); + + @Autowired + ScanProcessExecutionFactory processExecutionFactory; + + @Override + public void notify(DelegateExecution execution) throws Exception { + LOG.debug("Filter unresolvable host results"); + + ScanProcessExecution scanProcess = processExecutionFactory.get(execution); + List findings = scanProcess.getFindings(); + LOG.debug("Number of Findings: " + findings.size()); + + List filteredFindings = findings.stream() + .filter(finding -> !"Host Unresolvable".equals(finding.getCategory())) + .collect(Collectors.toList()); + + scanProcess.clearFindings(); + 
filteredFindings.stream().forEach(finding -> scanProcess.appendFinding(finding)); + + LOG.debug("Removed finding for unresolvable host. Number of remaining findings: " + scanProcess.getFindings().size()); + } +} diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn index 516d4ae5..70550bd3 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn @@ -25,6 +25,9 @@ + + + SequenceFlow_0p5mwz6 SequenceFlow_0x38sun diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocesses/amassnmap/RemoveUnresolvableHostFindingsTest.java b/scb-scanprocesses/combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocesses/amassnmap/RemoveUnresolvableHostFindingsTest.java new file mode 100644 index 00000000..a525acf6 --- /dev/null +++ b/scb-scanprocesses/combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocesses/amassnmap/RemoveUnresolvableHostFindingsTest.java 
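Review bot: `filteredFindings.stream().forEach(finding -> scanProcess.appendFinding(finding))` can be `filteredFindings.forEach(scanProcess::appendFinding)`; the stream adds nothing. The category literal `"Host Unresolvable"` is repeated verbatim in the new test, so a `static final String HOST_UNRESOLVABLE_CATEGORY = "Host Unresolvable";` on this class would keep the two in step and give the filter a name. The logger is declared `protected static final org.slf4j.Logger LOG` with a fully qualified type although `LoggerFactory` is imported; `private static final Logger LOG` plus `import org.slf4j.Logger;` matches `TransformAmassResultsToNmapInput`, and both `LOG.debug` calls should use `{}` placeholders instead of concatenation. A one-line class Javadoc stating that this listener drops all findings of category "Host Unresolvable" from the current execution, and `@Autowired` on a `private` field rather than a package-private one, would complete it.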
@@ -0,0 +1,65 @@ +package io.securecodebox.scanprocesses.amassnmap; + +import io.securecodebox.model.execution.ScanProcessExecution; +import io.securecodebox.model.execution.ScanProcessExecutionFactory; +import io.securecodebox.model.findings.Finding; +import java.util.ArrayList; +import java.util.List; +import org.camunda.bpm.engine.delegate.DelegateExecution; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mockito.InjectMocks; +import org.mockito.Mock; +import org.mockito.runners.MockitoJUnitRunner; + + +import static org.mockito.Matchers.any; +import static org.mockito.Mockito.times; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; + +@RunWith(MockitoJUnitRunner.class) +public class RemoveUnresolvableHostFindingsTest { + + @InjectMocks + RemoveUnresolvableHostFindings classUnderTest; + + @Mock + ScanProcessExecutionFactory processExecutionFactory; + + @Mock + DelegateExecution execution; + + @Mock + ScanProcessExecution scanProcess; + + + @Test + public void shouldRemoveUnresolvableHostFinding() throws Exception { + when(processExecutionFactory.get(any())).thenReturn(scanProcess); + List findings = creageDummyFindings(); + when(scanProcess.getFindings()).thenReturn(findings); + + classUnderTest.notify(execution); + + verify(scanProcess, times(1)).clearFindings(); + verify(scanProcess, times(2)).appendFinding(any()); + } + + private List creageDummyFindings() { + Finding f1 = new Finding(); + f1.setCategory("Open Port"); + Finding f2 = new Finding(); + f2.setCategory("Host Unresolvable"); + Finding f3 = new Finding(); + f3.setCategory("Open Port"); + + List findings = new ArrayList<>(); + findings.add(f1); + findings.add(f2); + findings.add(f3); + + return findings; + } + +} From e3e07da03696a48878bc888fe853f49e802c3c84 Mon Sep 17 00:00:00 2001 
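Review bot: `creageDummyFindings` is misspelled; rename both the declaration and its call to `createDummyFindings`. `org.mockito.runners.MockitoJUnitRunner` and `org.mockito.Matchers` are the Mockito 1 locations that Mockito 2 marks deprecated; if the build is on the 2.x line, `org.mockito.junit.MockitoJUnitRunner` and `org.mockito.ArgumentMatchers` are the current ones. The assertion only counts two `appendFinding` calls; capturing the arguments with an `ArgumentCaptor<Finding>` and asserting that no captured finding has category `"Host Unresolvable"` would pin the filtering rule itself rather than the call count.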
From: Martin Lang Date: Wed, 17 Oct 2018 12:25:16 +0200 Subject: [PATCH 042/257] disable signing for pull requests --- .travis.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index 9425f005..05b5d3a9 100644 --- a/.travis.yml +++ b/.travis.yml @@ -24,7 +24,10 @@ deploy: script: bash .travis/deployDockerHub.sh on: all_branches: true + condition: "$TRAVIS_PULL_REQUEST" = "false" before_install: - - openssl aes-256-cbc -K $encrypted_e1e85fb8c151_key -iv $encrypted_e1e85fb8c151_iv - -in .travis/security_at_iteratec-signing.key.enc -out .travis/security_at_iteratec-signing.key -d + - 'if [ "$TRAVIS_PULL_REQUEST" = "false" ]; + then bash -c "openssl aes-256-cbc -K $encrypted_e1e85fb8c151_key -iv $encrypted_e1e85fb8c151_iv + -in .travis/security_at_iteratec-signing.key.enc -out .travis/security_at_iteratec-signing.key -d"; + fi' From 8c3e08de03e05b53722069e17448cf0e52217d4b Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Wed, 17 Oct 2018 12:51:11 +0200 Subject: [PATCH 043/257] Trying to fix build config --- .travis.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.travis.yml b/.travis.yml index 05b5d3a9..b4c668ae 100644 --- a/.travis.yml +++ b/.travis.yml @@ -24,10 +24,10 @@ deploy: script: bash .travis/deployDockerHub.sh on: all_branches: true - condition: "$TRAVIS_PULL_REQUEST" = "false" + condition: $TRAVIS_PULL_REQUEST = false before_install: - - 'if [ "$TRAVIS_PULL_REQUEST" = "false" ]; + - if [ "$TRAVIS_PULL_REQUEST" = "false" ]; then bash -c "openssl aes-256-cbc -K $encrypted_e1e85fb8c151_key -iv $encrypted_e1e85fb8c151_iv -in .travis/security_at_iteratec-signing.key.enc -out .travis/security_at_iteratec-signing.key -d"; - fi' + fi From a41d39249cd2b48f38c0d43e5a4f912c07cd0a97 Mon Sep 17 00:00:00 2001 
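Review bot: The second hunk removes the quotes in `condition: $TRAVIS_PULL_REQUEST = false`, so an empty or unset variable turns the expression into `= false`, which a `[`-style test rejects as a syntax error, while the `before_install` guard keeps both sides quoted and so behaves differently in that case; `condition: '"$TRAVIS_PULL_REQUEST" = "false"'` keeps the YAML valid and the shell comparison quoted. Whether Travis evaluates `condition` with `[[` (which tolerates the empty expansion) is not visible here, so this is a robustness concern rather than a confirmed failure. Since `all_branches: true` is set, from what is visible this condition is what keeps the Docker Hub deploy out of pull-request builds and the `before_install` guard does the same for the signing-key decryption, so the two should stay identical and a one-line comment saying why would help.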
From: Robert Seedorff Date: Sun, 21 Oct 2018 17:11:09 +0200 Subject: [PATCH 044/257] Refactored some API descriptions and naming. --- pom.xml | 4 ++-- .../engine/rest/SecurityTestRessource.java | 11 ++++++++--- .../engine/rest/SwaggerConfiguration.java | 5 ++++- .../securecodebox/model/execution/Target.java | 15 +++++++++++---- .../securecodebox/model/rest/SecurityTest.java | 17 ++++++++++------- 5 files changed, 35 insertions(+), 17 deletions(-) diff --git a/pom.xml b/pom.xml index 28226385..a6e2051f 100644 --- a/pom.xml +++ b/pom.xml @@ -25,8 +25,8 @@ - rseedorf - Robert Seedorf + rseedorff + Robert Seedorff iteratec GmbH https://www.iteratec.com diff --git a/scb-engine/src/main/java/io/securecodebox/engine/rest/SecurityTestRessource.java b/scb-engine/src/main/java/io/securecodebox/engine/rest/SecurityTestRessource.java index 10c8f7de..f3fd422e 100644 --- a/scb-engine/src/main/java/io/securecodebox/engine/rest/SecurityTestRessource.java +++ b/scb-engine/src/main/java/io/securecodebox/engine/rest/SecurityTestRessource.java @@ -36,7 +36,10 @@ import javax.validation.Valid; import java.util.*; -@Api(description = "Scan Tests Resource", produces = "application/json", consumes = "application/json") +@Api(value = "security-tests", + description = "Starting new security test instances.", + produces = "application/json", + consumes = "application/json") @RestController @RequestMapping(value = "/box/security-tests") public class SecurityTestRessource { @@ -49,7 +52,9 @@ public class SecurityTestRessource { @Autowired ObjectMapper objectMapper; - @ApiOperation(value = "Creates a new scan tests.") + @ApiOperation(value = "Starts new security tests.", + notes = "Starts new security tests, based on a given list of security test configurations." + ) @ApiResponses(value = { @ApiResponse( code = 201, 
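Review bot: The `description` attribute of `@Api` is marked `@Deprecated` in swagger-annotations 1.5 ("not used in 1.5.X"), so the new text in `@Api(value = "security-tests", description = "Starting new security test instances.", ...)` may never reach the generated document; confirm that springfox still maps it onto the tag description, otherwise put the sentence on a tag registered on the Docket. Since this commit is about naming, the class itself is a candidate: `SecurityTestRessource` misspells "Resource", and renaming it (and the file) to `SecurityTestResource` would be in scope. `notes` on `@ApiOperation` largely restates `value`; one sentence on what the list of configurations looks like or what the 201 response carries would be more useful.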
@@ -64,7 +69,7 @@ public class SecurityTestRessource { ), @ApiResponse( code = 400, - message = "Incomplete or inconsistent Request" + message = "Incomplete or inconsistent Request." ), @ApiResponse( code = 404, diff --git a/scb-engine/src/main/java/io/securecodebox/engine/rest/SwaggerConfiguration.java b/scb-engine/src/main/java/io/securecodebox/engine/rest/SwaggerConfiguration.java index a869021a..b9cfa960 100644 --- a/scb-engine/src/main/java/io/securecodebox/engine/rest/SwaggerConfiguration.java +++ b/scb-engine/src/main/java/io/securecodebox/engine/rest/SwaggerConfiguration.java @@ -48,7 +48,10 @@ public ApiInfo apiInfo() { title("SecureCodeBox API Documentation") .description("This Document describes the public API of the SecureCodeBox. It's mostly used for scanners to retrieve scan jobs from the engine and send results to the engine.") .contact(new Contact("SecureCodeBox-Team","https://github.com/secureCodeBox", "")) - .license("Apache 2.0").licenseUrl("https://github.com/secureCodeBox/engine/blob/master/LICENSE.txt").build(); + .license("Apache 2.0") + .licenseUrl("https://github.com/secureCodeBox/engine/blob/master/LICENSE.txt") + .version("1.0") + .build(); } @Bean diff --git a/scb-sdk/src/main/java/io/securecodebox/model/execution/Target.java b/scb-sdk/src/main/java/io/securecodebox/model/execution/Target.java index b5526e8a..7d70814a 100644 --- a/scb-sdk/src/main/java/io/securecodebox/model/execution/Target.java +++ b/scb-sdk/src/main/java/io/securecodebox/model/execution/Target.java 
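Review bot: `.version("1.0")` hard-codes the API version in the Swagger info while the artifact version is maintained in the pom, so the two will drift; if the document is meant to track the build, inject the value (for instance from a property filled by Maven resource filtering) instead of a literal, and if it is meant to be an independent API contract version, say so in a comment next to it, e.g. `// API contract version, deliberately independent of the artifact version`. `apiInfo()` starts outside the hunk.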
@@ -41,19 +41,26 @@ @ApiModel(description = "This type represents targets to scan by a scanner.") public class Target { - @ApiModelProperty(value = "The name of this target.", example = "SecureCodeBox Demo Instance", required = true) + @ApiModelProperty(value = "The name of this target.", + example = "SecureCodeBox Demo Website ", + required = true) @Size(min = 1, max = 4000) @Pattern(regexp = "^[\\w-]*$") @JsonProperty private String name; - @ApiModelProperty(value = "The location of this target.", example = "162.222.1.3", required = true) + + @ApiModelProperty(value = "The location of this target, this could be a URL, Hostname or IP-Address.", + example = "127.0.0.1", + required = true) @Size(min = 1, max = 4000) @JsonProperty @Pattern(regexp = "^[^<>\\\\\\[\\]()%$]*$") private String location; + @JsonProperty - @ApiModelProperty(value = "Key value pairs of target / scanner specific values.", - example = "{\"NMAP_START_PORT\":34, \"NMAP_IP\":\"162.222.1.3\", \"NMAP_END_PORT\": 125}", required = false) + @ApiModelProperty(value = "Key (in upper case) / value pairs of target / scanner specific configuration options.", + example = "{\"NMAP_PARAMETER\":\"-Pn\"}", + required = false) private Map attributes = new HashMap<>(); public String getName() { diff --git a/scb-sdk/src/main/java/io/securecodebox/model/rest/SecurityTest.java b/scb-sdk/src/main/java/io/securecodebox/model/rest/SecurityTest.java index 680de556..27844d2a 100644 --- a/scb-sdk/src/main/java/io/securecodebox/model/rest/SecurityTest.java +++ b/scb-sdk/src/main/java/io/securecodebox/model/rest/SecurityTest.java 
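Review bot: The new `example = "SecureCodeBox Demo Website "` for `name` contains spaces and a trailing blank, but `@Pattern(regexp = "^[\\w-]*$")` on the same field admits only word characters and hyphens, so the example shown in the API documentation would be rejected by validation; `example = "SecureCodeBox-Demo-Website"` satisfies the constraint. The `location` description now promises a URL, hostname or IP address, while the pattern on that field is a deny-list of a few characters; given that these values become scanner input, an allow-list of the characters those three forms actually need would be both tighter and easier to document, but check what the scanners currently accept before narrowing it. The `Target` class continues outside the hunk.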
@@ -24,24 +24,27 @@ import io.swagger.annotations.ApiModel; import io.swagger.annotations.ApiModelProperty; -@ApiModel(description = "A security scan contains the description of a target and the description of the method used to test the target for security defects.") -public class SecurityTest{ +@ApiModel(description = "A security test contains the concrete configuration of a target to test and the description of the test scan used to test the target for security defects.") +public class SecurityTest { + + public static final String PROCESS_NAME_SUFFIX = "-process"; + @JsonProperty @ApiModelProperty( - value = "Context references the larger scope the security test. In most cases this is equal to the name of the project.", - example = "JuiceShop" + value = "Context references the larger scope the security test. In most cases this is equal to the name of the project, team name or a domain.", + example = "Feature Team 1" ) String context; @JsonProperty("securitytest") @ApiModelProperty( - value = "Security test to perform on the target.", + value = "The Name of the security test to perform on the target.", example = "nmap" ) String securityTest; @JsonProperty - @ApiModelProperty("The target of the security test.") + @ApiModelProperty("The target configuration of the security test.") Target target; public String getContext() { @@ -70,6 +73,6 @@ public void setTarget(Target target) { @JsonIgnore public String getProcessDefinitionKey(){ - return this.getSecurityTest() + "-process"; + return this.getSecurityTest() + PROCESS_NAME_SUFFIX; } } From 018c2c554477777979e96c6c4d785ba8896abc25 Mon Sep 17 00:00:00 2001 From: Robert Seedorff Date: Sun, 21 Oct 2018 17:44:44 +0200 Subject: [PATCH 045/257] Added a basicAuth security context to the swagger documentation --- .../securecodebox/engine/rest/SecurityTestRessource.java | 5 ++++- .../securecodebox/engine/rest/SwaggerConfiguration.java | 9 ++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) 
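Review bot: `getProcessDefinitionKey()` builds the Camunda definition key directly from the client-supplied `securityTest` string, and unlike `Target.name` and `Target.location` the `securityTest` field carries no `@Size`/`@Pattern` constraint in this hunk; unless it is validated elsewhere, something like `@Size(min = 1, max = 255) @Pattern(regexp = "^[\\w-]*$")` (constructed; adjust to the real key alphabet) would reject unexpected input at the REST boundary instead of letting it reach the engine as a lookup key. The fields `context`, `securityTest` and `target` are package-private; `private` would match `Target`. `PROCESS_NAME_SUFFIX` deserves a one-line Javadoc such as `/** Suffix appended to a security test name to form its process definition key. */`.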
diff --git a/scb-engine/src/main/java/io/securecodebox/engine/rest/SecurityTestRessource.java b/scb-engine/src/main/java/io/securecodebox/engine/rest/SecurityTestRessource.java index f3fd422e..4e47dd1b 100644 --- a/scb-engine/src/main/java/io/securecodebox/engine/rest/SecurityTestRessource.java +++ b/scb-engine/src/main/java/io/securecodebox/engine/rest/SecurityTestRessource.java @@ -53,7 +53,10 @@ public class SecurityTestRessource { ObjectMapper objectMapper; @ApiOperation(value = "Starts new security tests.", - notes = "Starts new security tests, based on a given list of security test configurations." + notes = "Starts new security tests, based on a given list of security test configurations.", + authorizations = { + @Authorization(value="basicAuth") + } ) @ApiResponses(value = { @ApiResponse( diff --git a/scb-engine/src/main/java/io/securecodebox/engine/rest/SwaggerConfiguration.java b/scb-engine/src/main/java/io/securecodebox/engine/rest/SwaggerConfiguration.java index b9cfa960..1b41fd0b 100644 --- a/scb-engine/src/main/java/io/securecodebox/engine/rest/SwaggerConfiguration.java +++ b/scb-engine/src/main/java/io/securecodebox/engine/rest/SwaggerConfiguration.java @@ -27,13 +27,16 @@ import springfox.documentation.builders.ApiInfoBuilder; import springfox.documentation.builders.PathSelectors; import springfox.documentation.service.ApiInfo; +import springfox.documentation.service.BasicAuth; import springfox.documentation.service.Contact; +import springfox.documentation.service.SecurityScheme; import springfox.documentation.spi.DocumentationType; import springfox.documentation.spring.web.plugins.Docket; import java.security.Principal; import java.time.LocalDate; import java.util.ArrayList; +import java.util.Collections; /** * @author Rüdiger Heins - iteratec GmbH 
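Review bot: The hunk introduces `@Authorization` but, going by the diffstat (four insertions and one deletion, all visible here), no import is added; unless the file already has a wildcard `io.swagger.annotations.*` import, it needs `import io.swagger.annotations.Authorization;` next to the other swagger imports. The scheme name `"basicAuth"` is repeated as a literal here and in `SwaggerConfiguration.securityScheme()` in the hunk that follows; a shared constant (e.g. `SwaggerConfiguration.BASIC_AUTH_SCHEME`) would keep them in step, because a mismatch surfaces only as a silently missing security requirement in the generated document. The annotated method starts and ends outside the hunk.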
@@ -73,8 +76,12 @@ protected Docket apiDocketBuilder() {
.ignoredParameterTypes(Principal.class)
.useDefaultResponseMessages(false)
.consumes(Sets.newHashSet("application/json"))
- .produces(Sets.newHashSet("application/json"));
+ .produces(Sets.newHashSet("application/json"))
+ .securitySchemes(Collections.singletonList(securityScheme()));
}
// @formatter:on
+ private SecurityScheme securityScheme() {
+ return new BasicAuth("basicAuth");
+ }
}
From 6637457c3b63d27e8d27de8b03ae254cae9716c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6ran=20Tesse?= Date: Tue, 23 Oct 2018 14:27:42 +0200 Subject: [PATCH 046/257] added form for zap replacer rules --- .../forms/zap/configure-scanner-details.html | 125 +++++++++++++++++- .../forms/zap/configure-spider-details.html | 125 ++++++++++++++++++ 2 files changed, 249 insertions(+), 1 deletion(-)
diff --git a/scb-scanprocesses/zap-process/src/main/resources/forms/zap/configure-scanner-details.html b/scb-scanprocesses/zap-process/src/main/resources/forms/zap/configure-scanner-details.html
index e30e6246..f108da1c 100644
--- a/scb-scanprocesses/zap-process/src/main/resources/forms/zap/configure-scanner-details.html
+++ b/scb-scanprocesses/zap-process/src/main/resources/forms/zap/configure-scanner-details.html
@@ -12,13 +12,19 @@ }); camForm.on('variables-restored', function() { $scope.targetList = JSON.parse(camForm.variableManager.variableValue('PROCESS_TARGETS')); + $scope.targetList.forEach (target => { + if (!target.attributes.ZAP_REPLACER_RULES) { + target.attributes.ZAP_REPLACER_RULES = []; + } + }); console.log("setting variables to scope"); - console.log("targets: " + $scope.targetList); + console.log("targets: ", $scope.targetList); }); camForm.on('submit', function () { $scope.targetList = $scope.targetList.map(function (target) { target.attributes.ZAP_SCANNER_INCLUDE_REGEX = splitOnNewline(target.attributes.ZAP_SCANNER_INCLUDE_REGEX); target.attributes.ZAP_SCANNER_EXCLUDE_REGEX = splitOnNewline(target.attributes.ZAP_SCANNER_EXCLUDE_REGEX); + target.attributes.ZAP_REPLACER_RULES.forEach (rule => delete rule.b_enabled); return target; }); 
@@ -33,6 +39,60 @@ } }); }); + const EXAMPLE_REPLACER_RULES = { + CSP: { "matchType":"RESP_HEADER", + "description":"Remove CSP", + "matchString":"Content-Security Policy", + "initiators":"", + "matchRegex":"false", + "replacement":"", + "enabled":"true"}, + HSTS: { "matchType":"RESP_HEADER", + "description":"Remove HSTS", + "matchString":"Strict-Transport-Security", + "initiators":"", + "matchRegex":"false", + "replacement":"", + "enabled":"true"}, + AUTH: { "matchType":"REQ_HEADER", + "description":"Add a special Authentication Headerl", + "matchString":"Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l", + "initiators":"", + "matchRegex":"false", + "replacement":"Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l", + "enabled":"true"} + }; + $scope.addReplacerRule = function (target, name) { + var rule = null; + if (name && EXAMPLE_REPLACER_RULES[name]) { + rule = EXAMPLE_REPLACER_RULES[name]; + } else { + var k = Object.keys (EXAMPLE_REPLACER_RULES); + rule = EXAMPLE_REPLACER_RULES[k[k.length * Math.random () | 0]]; + } + target.attributes.ZAP_REPLACER_RULES.push (Object.assign ({ b_enabled: rule.enabled === 'true' }, rule)); + }; + const ruleIDs = []; + $scope.ruleId = function (rule) { + var id = ruleIDs.find (test => test.description === rule.description); + if (id) return id.id; + ruleIDs.push ({ + description: rule.description, + id: ruleIDs.length.toString () + }); + }; + $scope.enableDisable = function (rule) { + rule.enabled = rule.b_enabled ? 'true' : 'false'; + }; + $scope.removeRule = function (target, rule) { + var rules = target.attributes.ZAP_REPLACER_RULES; + for (var i = 0; i < rules.length; i++) { + if (rules[i] === rule) { + rules.splice (i, 1); + break; + } + } + };
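Review bot: `$scope.ruleId` returns nothing on the first call for a given rule: after `ruleIDs.push({...})` the function falls off the end, so an id is only available from the second lookup on; add `return ruleIDs[ruleIDs.length - 1].id;` after the push, or compute the id before pushing. The CSP sample's `matchString` is `"Content-Security Policy"`, missing the second hyphen of the real `Content-Security-Policy` header, so the "Remove CSP" rule never matches anything; "Headerl" in the AUTH description is a typo too. Ids are keyed by description, so two rules added from the same sample share one id, which is worth a comment if intentional. The whole `EXAMPLE_REPLACER_RULES` / `addReplacerRule` / `ruleId` / `enableDisable` / `removeRule` block is duplicated verbatim in the `configure-spider-details.html` hunk later in this patch, so both copies need the same fixes and would be better served by one shared script.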
@@ -70,6 +130,69 @@

ZAP Scanner advanced configuration

+ +
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +
Description: + +
Match type: + +
Match text: + + +   + + +
+ +
Replacement: + +
initiators: + +
+
+
+
+ Add sample ZAP replacer rules:
+ + + +
+
diff --git a/scb-scanprocesses/zap-process/src/main/resources/forms/zap/configure-spider-details.html b/scb-scanprocesses/zap-process/src/main/resources/forms/zap/configure-spider-details.html index c7663939..301a25e9 100644 --- a/scb-scanprocesses/zap-process/src/main/resources/forms/zap/configure-spider-details.html +++ b/scb-scanprocesses/zap-process/src/main/resources/forms/zap/configure-spider-details.html @@ -50,6 +50,11 @@ camForm.on('variables-fetched', function () { $scope.targetList = JSON.parse(camForm.variableManager.variableValue('PROCESS_TARGETS')); + $scope.targetList.forEach (target => { + if (!target.attributes.ZAP_REPLACER_RULES) { + target.attributes.ZAP_REPLACER_RULES = []; + } + }); }); camForm.on('submit', function () { @@ -62,6 +67,7 @@ target["attributes"]["ZAP_SPIDER_INCLUDE_REGEX"] = splitOnNewline(target["attributes"]["ZAP_SPIDER_INCLUDE_REGEX"]); target["attributes"]["ZAP_SPIDER_EXCLUDE_REGEX"] = splitOnNewline(target["attributes"]["ZAP_SPIDER_EXCLUDE_REGEX"]); + target.attributes.ZAP_REPLACER_RULES.forEach (rule => delete rule.b_enabled); console.log(target); var variablePath = target["attributes"]["ZAP_SPIDER_API_SPEC_URL"]; 
@@ -90,6 +96,61 @@ } }); }); + + const EXAMPLE_REPLACER_RULES = { + CSP: { "matchType":"RESP_HEADER", + "description":"Remove CSP", + "matchString":"Content-Security Policy", + "initiators":"", + "matchRegex":"false", + "replacement":"", + "enabled":"true"}, + HSTS: { "matchType":"RESP_HEADER", + "description":"Remove HSTS", + "matchString":"Strict-Transport-Security", + "initiators":"", + "matchRegex":"false", + "replacement":"", + "enabled":"true"}, + AUTH: { "matchType":"REQ_HEADER", + "description":"Add a special Authentication Headerl", + "matchString":"Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l", + "initiators":"", + "matchRegex":"false", + "replacement":"Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l", + "enabled":"true"} + }; + $scope.addReplacerRule = function (target, name) { + var rule = null; + if (name && EXAMPLE_REPLACER_RULES[name]) { + rule = EXAMPLE_REPLACER_RULES[name]; + } else { + var k = Object.keys (EXAMPLE_REPLACER_RULES); + rule = EXAMPLE_REPLACER_RULES[k[k.length * Math.random () | 0]]; + } + target.attributes.ZAP_REPLACER_RULES.push (Object.assign ({ b_enabled: rule.enabled === 'true' }, rule)); + }; + const ruleIDs = []; + $scope.ruleId = function (rule) { + var id = ruleIDs.find (test => test.description === rule.description); + if (id) return id.id; + ruleIDs.push ({ + description: rule.description, + id: ruleIDs.length.toString () + }); + }; + $scope.enableDisable = function (rule) { + rule.enabled = rule.b_enabled ? 'true' : 'false'; + }; + $scope.removeRule = function (target, rule) { + var rules = target.attributes.ZAP_REPLACER_RULES; + for (var i = 0; i < rules.length; i++) { + if (rules[i] === rule) { + rules.splice (i, 1); + break; + } + } + }; }]); @@ -172,6 +233,70 @@

ZAP Spider advanced configuration

+ + +
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +
Description: + +
Match type: + +
Match text: + + +   + + +
+ +
Replacement: + +
initiators: + +
+
+
+
+ Add sample ZAP replacer rules:
+ + + +
+ From 7fa4dcaee4e800f1ed24970d8befda677666e576 Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Tue, 23 Oct 2018 18:34:54 +0200 Subject: [PATCH 047/257] Removed commented out code --- .../main/resources/forms/zap/configure-scanner-details.html | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/scb-scanprocesses/zap-process/src/main/resources/forms/zap/configure-scanner-details.html b/scb-scanprocesses/zap-process/src/main/resources/forms/zap/configure-scanner-details.html index 27a2c4fd..580bdd54 100644 --- a/scb-scanprocesses/zap-process/src/main/resources/forms/zap/configure-scanner-details.html +++ b/scb-scanprocesses/zap-process/src/main/resources/forms/zap/configure-scanner-details.html @@ -17,7 +17,6 @@ }); camForm.on('submit', function () { $scope.targetList = $scope.targetList.map(function (target) { - target.attributes.ZAP_SCANNER_INCLUDE_REGEX = splitOnNewline(target.attributes.ZAP_SCANNER_INCLUDE_REGEX); target.attributes.ZAP_SCANNER_EXCLUDE_REGEX = splitOnNewline(target.attributes.ZAP_SCANNER_EXCLUDE_REGEX); return target; @@ -103,4 +102,4 @@

ZAP Scanner advanced configuration

- \ No newline at end of file + From 7bb7bff926dcb4a3464d4005b132b78cd18b3deb Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Wed, 24 Oct 2018 14:32:15 +0200 Subject: [PATCH 048/257] Added nmap configurtion profiles for combined amass nmap scan --- .../amassnmap/NmapConfigProfile.java | 14 ++++++++ .../amassnmap/ProcessVariables.java | 5 +++ .../TransformAmassResultsToNmapInput.java | 17 +++++++++ .../forms/amass-nmap/configure-target.html | 36 +++++++++++-------- 4 files changed, 58 insertions(+), 14 deletions(-) create mode 100644 scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/NmapConfigProfile.java create mode 100644 scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/ProcessVariables.java diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/NmapConfigProfile.java b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/NmapConfigProfile.java new file mode 100644 index 00000000..8149b6ef --- /dev/null +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/NmapConfigProfile.java @@ -0,0 +1,14 @@ +package io.securecodebox.scanprocesses.amassnmap; + +public enum NmapConfigProfile { + HTTP_PORTS("-p 80,8080,443,8443"), + TOP_100_PORTS("--top-ports 100"); + + private final String parameter; + + NmapConfigProfile(final String parameter) { + this.parameter = parameter; + } + + public String getParameter() { return parameter; } +} diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/ProcessVariables.java b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/ProcessVariables.java new file mode 100644 index 00000000..80b96a17 --- /dev/null 
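Review bot: `NmapConfigProfile` carries raw nmap argument fragments that `setNmapProfile` writes into the `NMAP_PARAMETER` target attribute, but nothing documents that the closed set of enum constants is what keeps a process variable from becoming free-form scanner arguments. Add a class Javadoc stating that intent, e.g. `/** Fixed nmap argument sets for the combined amass/nmap scan. Keep this a closed list: the parameter string is presumably handed to nmap as-is, so profiles must never be built from free-form input. */`, and format `getParameter()` on its own lines like the rest of the file.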
+++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/ProcessVariables.java @@ -0,0 +1,5 @@ +package io.securecodebox.scanprocesses.amassnmap; + +public enum ProcessVariables { + NMAP_CONFIGURATION_PROFILE +} diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java index 23782b07..0517dca7 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java @@ -29,10 +29,14 @@ public void execute(DelegateExecution execution) throws Exception { List newTargets = objectMapper.readValue(objectMapper.readValue(findingsAsString, String.class), objectMapper.getTypeFactory().constructCollectionType(List.class, Target.class)); + + String nmapProfile = (String) execution.getVariable(ProcessVariables.NMAP_CONFIGURATION_PROFILE.name()); + for (Target target : newTargets) { //TODO: this is not correct; Fix location in amass scan and use location instead target.getAttributes().put("hostname", target.getName()); target.setLocation(target.getName()); + setNmapProfile(nmapProfile, target); } LOG.debug("Transformed findings to new targets: " + newTargets); 
@@ -52,4 +56,17 @@ public void execute(DelegateExecution execution) throws Exception { } } + private void setNmapProfile(String nmapProfile, Target target) { + switch (NmapConfigProfile.valueOf(nmapProfile)) { + case HTTP_PORTS: + target.appendOrUpdateAttribute("NMAP_PARAMETER", NmapConfigProfile.HTTP_PORTS.getParameter()); + break; + case TOP_100_PORTS: + target.appendOrUpdateAttribute("NMAP_PARAMETER", NmapConfigProfile.TOP_100_PORTS.getParameter()); + break; + default: + throw new IllegalArgumentException("Unknown nmap profile for combined scan"); + } + } + } diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/configure-target.html b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/configure-target.html index fb9bafe5..5a18e8da 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/configure-target.html +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/configure-target.html @@ -24,18 +24,22 @@
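Review bot: `NmapConfigProfile.valueOf(nmapProfile)` throws `NullPointerException` when the `NMAP_CONFIGURATION_PROFILE` process variable is unset (it is read with a plain cast in the `@@ -29,10 +29,14 @@` hunk) and `IllegalArgumentException` for any unknown name, so the `default` branch with its "Unknown nmap profile for combined scan" message is unreachable and a missing variable surfaces as an NPE from the delegate. Validate first and let the enum carry the mapping: `if (nmapProfile == null) throw new IllegalArgumentException("NMAP_CONFIGURATION_PROFILE is not set");` followed by `target.appendOrUpdateAttribute("NMAP_PARAMETER", NmapConfigProfile.valueOf(nmapProfile).getParameter());`. The switch otherwise duplicates the enum and has to be extended by hand for every new profile.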

Please configure the Combined Amass-Nmap Scan

- Port scan results for subdomains of "{{ firstTarget.name }}" + Port scan results for subdomains of "{{ firstTarget.location }}"

From 39da076551255c3035e59be9e6af9db360538528 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6ran=20Tesse?= Date: Tue, 22 Jan 2019 12:23:43 +0100 Subject: [PATCH 224/257] wip: visualization of new findings changed --- .../main/resources/forms/amass-nmap/configure-target.html | 7 +++++++ .../nmap/delegate/FilterHttpSecurityHeaders.java | 2 +- .../scanprocess/nmap/util/HttpHeaderStrategy.java | 1 + .../forms/nmap/approve-port-scanner-results.html | 8 ++++---- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/configure-target.html b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/configure-target.html index 65f20baf..8e87ebb4 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/configure-target.html +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/configure-target.html @@ -83,6 +83,13 @@

Please configure the Combined Amass-Nmap Scan

+ +
+ + +
diff --git a/scb-scanprocesses/nmap-process/src/main/java/io/securecodebox/scanprocess/nmap/delegate/FilterHttpSecurityHeaders.java b/scb-scanprocesses/nmap-process/src/main/java/io/securecodebox/scanprocess/nmap/delegate/FilterHttpSecurityHeaders.java
index b23637c4..de521a35 100644
--- a/scb-scanprocesses/nmap-process/src/main/java/io/securecodebox/scanprocess/nmap/delegate/FilterHttpSecurityHeaders.java
+++ b/scb-scanprocesses/nmap-process/src/main/java/io/securecodebox/scanprocess/nmap/delegate/FilterHttpSecurityHeaders.java
@@ -55,7 +55,7 @@ public void execute(DelegateExecution delegateExecution) throws Exception {
 final int numberOfAdditionalFindings = findings.size() - process.getFindings().size();
 clearFindings(process);
 findings.forEach(changedFinding -> process.appendFinding(changedFinding));
- LOG.info("http-headers strategies yielded {} additional findings; finding them took {}ms, storing them {}ms", numberOfAdditionalFindings, T_STRATEGIES_APPLIED - T_START, System.currentTimeMillis() - T_STRATEGIES_APPLIED);
+ LOG.debug("http-headers strategies yielded {} additional findings; finding them took {}ms, storing them {}ms", numberOfAdditionalFindings, T_STRATEGIES_APPLIED - T_START, System.currentTimeMillis() - T_STRATEGIES_APPLIED);
 }
 private ArrayList applyStrategies(HttpHeaders headers, Finding finding) {
diff --git a/scb-scanprocesses/nmap-process/src/main/java/io/securecodebox/scanprocess/nmap/util/HttpHeaderStrategy.java b/scb-scanprocesses/nmap-process/src/main/java/io/securecodebox/scanprocess/nmap/util/HttpHeaderStrategy.java
index 3d447cae..871a73b2 100644
--- a/scb-scanprocesses/nmap-process/src/main/java/io/securecodebox/scanprocess/nmap/util/HttpHeaderStrategy.java
+++ b/scb-scanprocesses/nmap-process/src/main/java/io/securecodebox/scanprocess/nmap/util/HttpHeaderStrategy.java
@@ -202,6 +202,7 @@ private Finding createApplicationLevelFinding (final Finding copyDetails, final
 fnd.setName(name);
 fnd.setCategory("Http Header");
 fnd.setOsiLayer(OsiLayer.APPLICATION);
+ fnd.addAttribute("protocol", "http");
 fnd.setDescription(description);
 fnd.setSeverity(severity);
 return fnd;
diff --git a/scb-scanprocesses/nmap-process/src/main/resources/forms/nmap/approve-port-scanner-results.html b/scb-scanprocesses/nmap-process/src/main/resources/forms/nmap/approve-port-scanner-results.html
index 88b7c9b1..f02437e0 100644
--- a/scb-scanprocesses/nmap-process/src/main/resources/forms/nmap/approve-port-scanner-results.html
+++ b/scb-scanprocesses/nmap-process/src/main/resources/forms/nmap/approve-port-scanner-results.html
@@ -92,14 +92,14 @@
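Review bot: `fnd.addAttribute("protocol", "http")` hard-codes the protocol for every application-level finding, although the HTTP_PORTS profile used in this series includes 443 and 8443, so header findings on TLS ports would be shown as `http` by the approval form that now reads `port.attributes.protocol`. If `copyDetails` carries the port's protocol or service attribute, copy that value instead of the literal; the `Finding` accessors are not visible from here, so confirm which one to use. The enclosing `createApplicationLevelFinding` starts outside the hunk.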

{{ address }} ({{ port.attributes.ip_address }}) {{ (port.category === 'Open Port' || port.category === 'Http Header') ? port.attributes.port : '' }} - {{ port.category === 'Open Port' ? port.attributes.service : port.name}} - {{ port.category === 'Open Port' ? port.attributes.protocol : '' }} + {{ (port.category === 'Open Port' && !port.name) ? port.attributes.service : port.name}} + {{ (port.category === 'Open Port' || port.category === 'Http Header') ? port.attributes.protocol : '' }} - + Open - + {{ port.description.includes('missing') ? 'Missing' : 'Misconfigured' }} From 6424d615c4d1a1a550c752faf641697260c782cf Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Tue, 22 Jan 2019 12:36:20 +0100 Subject: [PATCH 225/257] Use dependency injection instead of assigning variable --- .../scanprocesses/amassnmap/OriginalTargetRestorer.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/OriginalTargetRestorer.java b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/OriginalTargetRestorer.java index 94208abb..63b41215 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/OriginalTargetRestorer.java +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/OriginalTargetRestorer.java 
@@ -31,12 +31,14 @@ import org.camunda.bpm.engine.variable.value.ObjectValue; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; @Component public class OriginalTargetRestorer implements JavaDelegate { - private ObjectMapper objectMapper = new ObjectMapper(); + @Autowired + private ObjectMapper objectMapper; private static final Logger LOG = LoggerFactory.getLogger(OriginalTargetRestorer.class); @Override From fe924e35f4ae081e4ea2ec9e440a534eaa6aa0ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6ran=20Tesse?= Date: Tue, 22 Jan 2019 12:47:00 +0100 Subject: [PATCH 226/257] wip: add configuration for combined process --- .../amassnmap/AdditionalTargetAttributes.java | 3 ++- .../amassnmap/NmapConfigProfile.java | 3 ++- .../TransformAmassResultsToNmapInput.java | 17 +++++++++++------ 3 files changed, 15 insertions(+), 8 deletions(-) diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/AdditionalTargetAttributes.java b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/AdditionalTargetAttributes.java index f85924d2..3eb0c858 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/AdditionalTargetAttributes.java +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/AdditionalTargetAttributes.java @@ -20,5 +20,6 @@ package io.securecodebox.scanprocesses.amassnmap; public enum AdditionalTargetAttributes { - NMAP_CONFIGURATION_PROFILE + NMAP_CONFIGURATION_PROFILE, + NMAP_HTTP_HEADERS } 
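Review bot: Field injection via `@Autowired private ObjectMapper objectMapper;` leaves the dependency mutable and forces tests to set it reflectively; constructor injection keeps it `private final` and is the form Spring recommends: `private final ObjectMapper objectMapper;` plus `public OriginalTargetRestorer(ObjectMapper objectMapper) { this.objectMapper = objectMapper; }`. With a single constructor the `@Autowired` annotation and its new import are unnecessary on Spring 4.3 and later. The class body continues outside the hunk.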
diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/NmapConfigProfile.java b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/NmapConfigProfile.java index e059c561..c6329fe2 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/NmapConfigProfile.java +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/NmapConfigProfile.java @@ -21,7 +21,8 @@ public enum NmapConfigProfile { HTTP_PORTS("-Pn -p 80,8080,443,8443"), - TOP_100_PORTS("-Pn --top-ports 100"); + TOP_100_PORTS("-Pn --top-ports 100"), + WITH_HTTP_HEADERS("--script=http-headers"); private final String parameter; diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java index 3c0a4053..f7254ef5 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java 
@@ -55,7 +55,10 @@ public void execute(DelegateExecution execution) throws Exception { objectMapper.getTypeFactory().constructCollectionType(List.class, Target.class)); String nmapProfile = (String) targets.get(0).getAttributes().get(AdditionalTargetAttributes.NMAP_CONFIGURATION_PROFILE.name()); - String nmapParameters = getNmapParameters(nmapProfile); + Boolean nmapHttpHeaders = (Boolean) targets.get(0).getAttributes().get(AdditionalTargetAttributes.NMAP_HTTP_HEADERS.name()); + if (nmapHttpHeaders == null) nmapHttpHeaders = false; + String nmapParameters = getNmapParameters(nmapProfile, nmapHttpHeaders); + List newTargets = new ArrayList<>(); for (Finding finding : findings) { @@ -80,21 +83,23 @@ public void execute(DelegateExecution execution) throws Exception { } } - private String getNmapParameters(String nmapProfile) { + private String getNmapParameters(String nmapProfile, boolean withHttpHeaders) { + final String scriptModules = withHttpHeaders ? " " + NmapConfigProfile.WITH_HTTP_HEADERS : ""; String defaultNmapParameters = NmapConfigProfile.HTTP_PORTS.getParameter(); + if(nmapProfile == null) { LOG.info("No nmap profile set for combined amass-nmap test. Use http ports as default"); - return defaultNmapParameters; + return defaultNmapParameters + scriptModules; } switch (NmapConfigProfile.valueOf(nmapProfile)) { case HTTP_PORTS: - return NmapConfigProfile.HTTP_PORTS.getParameter(); + return NmapConfigProfile.HTTP_PORTS.getParameter() + scriptModules; case TOP_100_PORTS: - return NmapConfigProfile.TOP_100_PORTS.getParameter(); + return NmapConfigProfile.TOP_100_PORTS.getParameter() + scriptModules; default: LOG.info("Invalid nmap profile set for combined amass-nmap test. Use http ports as default"); - return defaultNmapParameters; + return defaultNmapParameters + scriptModules; } } From bc9b241f5fce4034c0c8eedf84275ff6ef96da31 Mon Sep 17 00:00:00 2001 
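Review bot: `" " + NmapConfigProfile.WITH_HTTP_HEADERS` concatenates the enum constant's name rather than its parameter, so with `NMAP_HTTP_HEADERS` set the scanner arguments become `-Pn -p 80,8080,443,8443 WITH_HTTP_HEADERS` instead of ending in `--script=http-headers`; the line should read `final String scriptModules = withHttpHeaders ? " " + NmapConfigProfile.WITH_HTTP_HEADERS.getParameter() : "";`. Separately, `NmapConfigProfile.valueOf(nmapProfile)` throws `IllegalArgumentException` for any string that is not a constant before the `switch` runs, so the `default` branch with its "Invalid nmap profile" fallback is only reached for `WITH_HTTP_HEADERS` itself and an unexpected profile string aborts the delegate; catching that exception around the `valueOf` and returning the default parameters would give the fallback the code intends. In the first hunk the `(Boolean)` cast on the `NMAP_HTTP_HEADERS` attribute will fail with `ClassCastException` if the form serialises the checkbox as a string — confirm against the form. The enclosing `execute` method starts outside the hunk.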
From: =?UTF-8?q?J=C3=B6ran=20Tesse?= Date: Tue, 22 Jan 2019 13:48:32 +0100 Subject: [PATCH 227/257] moved classes to combined nmap/amass scan --- .../amassnmap}/FilterHttpSecurityHeaders.java | 7 +- .../TransformAmassResultsToNmapInput.java | 3 +- .../amassnmap}/util/HttpHeaderStrategy.java | 4 +- .../amassnmap}/util/HttpHeaders.java | 2 +- .../bpmn/combined_amass_nmap_process.bpmn | 155 ++++++++++++------ .../forms/amass-nmap/approve-results.html | 12 +- .../util/HttpHeaderStrategyTest.java | 17 +- 7 files changed, 130 insertions(+), 70 deletions(-) rename scb-scanprocesses/{nmap-process/src/main/java/io/securecodebox/scanprocess/nmap/delegate => combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap}/FilterHttpSecurityHeaders.java (96%) rename scb-scanprocesses/{nmap-process/src/main/java/io/securecodebox/scanprocess/nmap => combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap}/util/HttpHeaderStrategy.java (98%) rename scb-scanprocesses/{nmap-process/src/main/java/io/securecodebox/scanprocess/nmap => combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap}/util/HttpHeaders.java (96%) rename scb-scanprocesses/{nmap-process/src/test/java/io/securecodebox/scanprocess/nmap => combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocesses/amassnmap}/util/HttpHeaderStrategyTest.java (85%) diff --git a/scb-scanprocesses/nmap-process/src/main/java/io/securecodebox/scanprocess/nmap/delegate/FilterHttpSecurityHeaders.java b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/FilterHttpSecurityHeaders.java similarity index 96% rename from scb-scanprocesses/nmap-process/src/main/java/io/securecodebox/scanprocess/nmap/delegate/FilterHttpSecurityHeaders.java rename to scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/FilterHttpSecurityHeaders.java index de521a35..f61f701f 100644 
--- a/scb-scanprocesses/nmap-process/src/main/java/io/securecodebox/scanprocess/nmap/delegate/FilterHttpSecurityHeaders.java +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/FilterHttpSecurityHeaders.java @@ -1,11 +1,11 @@ -package io.securecodebox.scanprocess.nmap.delegate; +package io.securecodebox.scanprocesses.amassnmap; import io.securecodebox.model.execution.ScanProcessExecution; import io.securecodebox.model.execution.ScanProcessExecutionFactory; import io.securecodebox.model.findings.Finding; import io.securecodebox.model.findings.Severity; -import io.securecodebox.scanprocess.nmap.util.HttpHeaderStrategy; -import io.securecodebox.scanprocess.nmap.util.HttpHeaders; +import io.securecodebox.scanprocesses.amassnmap.util.HttpHeaderStrategy; +import io.securecodebox.scanprocesses.amassnmap.util.HttpHeaders; import org.camunda.bpm.engine.delegate.DelegateExecution; import org.camunda.bpm.engine.delegate.JavaDelegate; import org.slf4j.Logger; @@ -14,7 +14,6 @@ import org.springframework.stereotype.Component; import java.util.ArrayList; -import java.util.Map; @Component diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java index f7d52c10..1d1441d0 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java 
@@ -84,6 +84,7 @@ public void execute(DelegateExecution execution) throws Exception { execution.setVariable(DefaultFields.PROCESS_TARGETS.name(), objectValue); execution.setVariable("NMAP_CONFIGURATION_TYPE","default"); + execution.setVariable("PARSE_HTTP_HEADERS", nmapHttpHeaders); LOG.debug("Finished TransformAmassResultsToNmapInput Service Task. Continue with nmap scan"); @@ -93,7 +94,7 @@ public void execute(DelegateExecution execution) throws Exception { } private String getNmapParameters(String nmapProfile, boolean withHttpHeaders) { - final String scriptModules = withHttpHeaders ? " " + NmapConfigProfile.WITH_HTTP_HEADERS : ""; + final String scriptModules = withHttpHeaders ? " " + NmapConfigProfile.WITH_HTTP_HEADERS.getParameter() : ""; String defaultNmapParameters = NmapConfigProfile.HTTP_PORTS.getParameter(); if(nmapProfile == null) { diff --git a/scb-scanprocesses/nmap-process/src/main/java/io/securecodebox/scanprocess/nmap/util/HttpHeaderStrategy.java b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/util/HttpHeaderStrategy.java similarity index 98% rename from scb-scanprocesses/nmap-process/src/main/java/io/securecodebox/scanprocess/nmap/util/HttpHeaderStrategy.java rename to scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/util/HttpHeaderStrategy.java index 871a73b2..c7834ef9 100644 --- a/scb-scanprocesses/nmap-process/src/main/java/io/securecodebox/scanprocess/nmap/util/HttpHeaderStrategy.java +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/util/HttpHeaderStrategy.java 
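Review bot: `execution.setVariable("PARSE_HTTP_HEADERS", nmapHttpHeaders)` introduces a bare string for a variable name that the gateway conditions `${PARSE_HTTP_HEADERS == true}` / `${PARSE_HTTP_HEADERS == false}` in the process definition changed by this same commit depend on, while the file otherwise names variables through enums (`DefaultFields.PROCESS_TARGETS.name()`, `AdditionalTargetAttributes`). Add a `PARSE_HTTP_HEADERS` constant to the module's process-variable enum and write `execution.setVariable(ProcessVariables.PARSE_HTTP_HEADERS.name(), nmapHttpHeaders);` (constant name constructed here), so the Java side and the BPMN expression cannot drift silently; the same goes for the neighbouring `"NMAP_CONFIGURATION_TYPE"` literal. The enclosing `execute` method starts outside the hunk.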
@@ -1,9 +1,8 @@ -package io.securecodebox.scanprocess.nmap.util; +package io.securecodebox.scanprocesses.amassnmap.util; import io.securecodebox.model.findings.Finding; import io.securecodebox.model.findings.OsiLayer; import io.securecodebox.model.findings.Severity; -import io.securecodebox.scanprocess.nmap.delegate.FilterHttpSecurityHeaders; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -11,7 +10,6 @@ import java.util.ArrayList; import java.util.UUID; import java.util.function.BiConsumer; -import java.util.function.BiPredicate; import java.util.function.Consumer; import java.util.function.Function; diff --git a/scb-scanprocesses/nmap-process/src/main/java/io/securecodebox/scanprocess/nmap/util/HttpHeaders.java b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/util/HttpHeaders.java similarity index 96% rename from scb-scanprocesses/nmap-process/src/main/java/io/securecodebox/scanprocess/nmap/util/HttpHeaders.java rename to scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/util/HttpHeaders.java index 656b6f69..96263a1b 100644 --- a/scb-scanprocesses/nmap-process/src/main/java/io/securecodebox/scanprocess/nmap/util/HttpHeaders.java +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/util/HttpHeaders.java @@ -1,4 +1,4 @@ -package io.securecodebox.scanprocess.nmap.util; +package io.securecodebox.scanprocesses.amassnmap.util; import io.securecodebox.model.findings.Finding; diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn index 8592a4b4..471d5169 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn 
+++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn @@ -1,5 +1,5 @@ - + @@ -29,7 +29,7 @@ SequenceFlow_0p5mwz6 - SequenceFlow_0x38sun + SequenceFlow_133ju0r SequenceFlow_0mvz7h9 @@ -47,7 +47,6 @@ SequenceFlow_1r4mrzm SequenceFlow_0y61th0 - ${PROCESS_AUTOMATED == false} @@ -70,17 +69,35 @@ SequenceFlow_0mvz7h9 - ${PROCESS_RESULT_APPROVED == 'approved'} + - ${PROCESS_RESULT_APPROVED != 'approved'} + - SequenceFlow_0x38sun + SequenceFlow_0v9j7z6 + SequenceFlow_020pm77 SequenceFlow_0k50e6l + + SequenceFlow_0gqomie + SequenceFlow_0v9j7z6 + + + + SequenceFlow_133ju0r + SequenceFlow_0gqomie + SequenceFlow_020pm77 + + + + ${PARSE_HTTP_HEADERS == true} + + + ${PARSE_HTTP_HEADERS == false} + @@ -91,15 +108,15 @@ - - + + - - + + @@ -108,42 +125,41 @@ - - + + - + - + - + - + - + - - - - - - - + + + - + - - + + + + + @@ -152,52 +168,97 @@ - + - + - + - - + + - + - + - + - - + + - + - - - + + + - + - - + + + + + - + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/approve-results.html b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/approve-results.html index 1e027a0a..fa94e1e7 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/approve-results.html +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/forms/amass-nmap/approve-results.html @@ -74,14 +74,18 @@

{{ address }} ({{ port.attributes.ip_address }}) - {{ port.category === 'Open Port' ? port.attributes.port : '' }} - {{ port.category === 'Open Port' ? port.attributes.service : port.name}} - {{ port.category === 'Open Port' ? port.attributes.protocol : '' }} + {{ (port.category === 'Open Port' || port.category === 'Http Header') ? port.attributes.port : '' }} + {{ (port.category === 'Open Port' && !port.name) ? port.attributes.service : port.name}} + {{ (port.category === 'Open Port' || port.category === 'Http Header') ? port.attributes.protocol : '' }} - + Open + + + {{ port.description.includes('missing') ? 'Missing' : 'Misconfigured' }} + diff --git a/scb-scanprocesses/nmap-process/src/test/java/io/securecodebox/scanprocess/nmap/util/HttpHeaderStrategyTest.java b/scb-scanprocesses/combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocesses/amassnmap/util/HttpHeaderStrategyTest.java similarity index 85% rename from scb-scanprocesses/nmap-process/src/test/java/io/securecodebox/scanprocess/nmap/util/HttpHeaderStrategyTest.java rename to scb-scanprocesses/combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocesses/amassnmap/util/HttpHeaderStrategyTest.java index 0bb1e9ec..98307d92 100644 --- a/scb-scanprocesses/nmap-process/src/test/java/io/securecodebox/scanprocess/nmap/util/HttpHeaderStrategyTest.java +++ b/scb-scanprocesses/combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocesses/amassnmap/util/HttpHeaderStrategyTest.java @@ -1,4 +1,4 @@ -package io.securecodebox.scanprocess.nmap.util; +package io.securecodebox.scanprocesses.amassnmap.util; import io.securecodebox.model.findings.Finding; import io.securecodebox.model.findings.OsiLayer; 
@@ -8,12 +8,10 @@ import java.util.ArrayList; import java.util.UUID; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertNull; -public class HttpHeaderStrategyTest { +import static org.junit.Assert.*; +public class HttpHeaderStrategyTest { private HttpHeaders headers; private Finding finding; @@ -35,13 +33,13 @@ public void init () { @Test public void testHttpHeaders () { - assertEquals(true, headers.has("Content-Type")); + assertTrue(headers.has("Content-Type")); assertEquals("text/imaginary", headers.get("Content-Type")); - assertEquals(true, headers.has("Location")); + assertTrue(headers.has("Location")); assertEquals("https://localhost:443/", headers.get("Location")); - assertEquals(true, headers.has("Done")); + assertTrue(headers.has("Done")); assertEquals("yeah;", headers.get("Done")); - assertEquals(false, headers.has("Nothing")); + assertFalse(headers.has("Nothing")); assertNull(headers.get("Nothing")); } @@ -75,5 +73,4 @@ private HttpHeaderStrategy createStrategy(String headerName) { .ifTrue(value -> !value.startsWith ("0")) .createFinding (Severity.MEDIUM, "Does not start with 0", value -> "Actual value: " + value); } - } \ No newline at end of file From af7205d961df8856dfd4c8c07dce078081000a30 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 23 Jan 2019 10:20:44 +0100 Subject: [PATCH 228/257] Changed naming of config variables to match documentation --- .../io/securecodebox/persistence/DefectDojoService.java | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java index d60668e3..195a0604 100644 
--- a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java +++ b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java @@ -40,12 +40,15 @@ @Component public class DefectDojoService { - @Value("${securecodebox.persistence.defectdojo.baseurl}") + @Value("${securecodebox.persistence.defectdojo.url}") protected String defectDojoUrl; - @Value("${securecodebox.persistence.defectdojo.apikey}") + @Value("${securecodebox.persistence.defectdojo.auth.key}") protected String defectDojoApiKey; + @Value("${securecodebox.persistence.defectdojo.auth.name}") + protected String defectDojoDefaultUserName; + private static final Logger LOG = LoggerFactory.getLogger(DefectDojoService.class); @@ -80,7 +83,7 @@ public String getUserUrl(String username){ RestTemplate restTemplate = new RestTemplate(); if(username == null){ - username = "admin"; + username = defectDojoDefaultUserName; } String uri = defectDojoUrl + "/api/v2/users/?username=" + username; From 2b331a20047e456b913e50e4b3aeeaaa0f19dd21 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 23 Jan 2019 10:21:52 +0100 Subject: [PATCH 229/257] Removed default config in dev profile for defect-dojo --- scb-engine/src/main/resources/application-dev.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/scb-engine/src/main/resources/application-dev.yaml b/scb-engine/src/main/resources/application-dev.yaml index b2ed783b..0d7b13ee 100644 --- a/scb-engine/src/main/resources/application-dev.yaml +++ b/scb-engine/src/main/resources/application-dev.yaml 
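Review bot: `getUserUrl` still builds the request as `defectDojoUrl + "/api/v2/users/?username=" + username` with no URL encoding, and after this change the value can come from configuration (`securecodebox.persistence.defectdojo.auth.name`) as well as from callers, so a name containing `&`, `#`, `%` or a space changes the query; build it with `UriComponentsBuilder.fromHttpUrl(defectDojoUrl).path("/api/v2/users/").queryParam("username", username).build().encode().toUri()` (spring-web is already a dependency of this module). The lookup can return zero or several users for a filter query, which the rest of the method — outside this hunk — should handle explicitly rather than assume one match. Separately, the dev profile carried a literal `apikey` value before this series (it is deleted in the next commit); any key that was ever committed should be treated as exposed and rotated on the DefectDojo side, since removing it from the file does not remove it from history.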
@@ -9,11 +9,6 @@ logging.level.io.securecodebox: DEBUG # Configure which persistence provider you would like to choose # - none # - elasticsearch -securecodebox.persistence.defectdojo.enabled: "true" securecodebox.rest.user.scanner-default: user-id: default-scanner password: scan - -securecodebox.persistence.defectdojo.baseurl: http://localhost:8000 -securecodebox.persistence.defectdojo.apikey: 6fd1b5e90d7afa33d1da939d7d51a9b745b11660 - From 170434a335edd9fa5e278df8cfa05e1e66e73dc1 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 23 Jan 2019 10:54:26 +0100 Subject: [PATCH 230/257] Fixed merge issues --- .../persistence/DefectDojoPersistenceProvider.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java index 84767a35..c790419f 100644 --- a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java +++ b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java @@ -86,9 +86,9 @@ public void persist(SecurityTest securityTest) throws PersistenceException { } } - static final String GIT_SERVER_NAME = "GitServer"; - static final String BUILD_SERVER_NAME = "BuildServer"; - static final String SECURITY_TEST_SERVER_NAME = "SecurityTestOrchestrationEngine"; + static final String GIT_SERVER_NAME = "Git Server"; + static final String BUILD_SERVER_NAME = "Build Server"; + static final String SECURITY_TEST_SERVER_NAME = "Security TestOrchestration Engine"; private void checkToolTypes() { DefectDojoResponse toolTypeGitResponse = defectDojoService.getToolTypeByName(GIT_SERVER_NAME); 
From 36aa3830ddc429fa33e4dd2b82f2d5bd1ca3227c Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 23 Jan 2019 11:02:39 +0100 Subject: [PATCH 231/257] Removed elk dependenc from defect dojo provider --- .../defectdojo-persistenceprovider/pom.xml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/pom.xml b/scb-persistenceproviders/defectdojo-persistenceprovider/pom.xml index 9d166654..2d36561c 100644 --- a/scb-persistenceproviders/defectdojo-persistenceprovider/pom.xml +++ b/scb-persistenceproviders/defectdojo-persistenceprovider/pom.xml @@ -41,12 +41,6 @@ spring-web compile - - org.elasticsearch.client - elasticsearch-rest-high-level-client - 6.2.4 - compile - org.mockito mockito-core From be215f99f48bc04a70f4b9e93184b864c322b83d Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Wed, 23 Jan 2019 11:28:41 +0100 Subject: [PATCH 232/257] Break Tests to see if build stops --- .../engine/auth/CamundaAuthenticationProviderTest.java | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/scb-engine/src/test/java/io/securecodebox/engine/auth/CamundaAuthenticationProviderTest.java b/scb-engine/src/test/java/io/securecodebox/engine/auth/CamundaAuthenticationProviderTest.java index f1c46b03..939f69b4 100644 --- a/scb-engine/src/test/java/io/securecodebox/engine/auth/CamundaAuthenticationProviderTest.java +++ b/scb-engine/src/test/java/io/securecodebox/engine/auth/CamundaAuthenticationProviderTest.java @@ -33,6 +33,14 @@ public class CamundaAuthenticationProviderTest { @Mock Authentication authDummy; + + //-------------------------- + @Test + public void testShouldFail() { + throw new RuntimeException("THIS BREAKS ON PURPOSE"); + } + //-------------------------- + @Test public void shouldAuthenticateIfCredentialsAreValid() { given(authDummy.getName()).willReturn("username"); From 5fee11efc15277bba2e053f1eab64b2c01df7dfd Mon Sep 17 00:00:00 2001 
From: Jannik Hollenbach Date: Wed, 23 Jan 2019 11:39:07 +0100 Subject: [PATCH 233/257] Batch all generic findings into one single csv to import it into one test in defect-dojo --- .../DefectDojoPersistenceProvider.java | 35 +++++++++++-------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java index c790419f..bbfe7af4 100644 --- a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java +++ b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java @@ -39,6 +39,8 @@ import java.time.LocalDate; import java.time.format.DateTimeFormatter; import java.util.*; +import java.util.stream.Collectors; +import java.util.stream.Stream; @Component @ConditionalOnProperty(name = "securecodebox.persistence.defectdojo.enabled", havingValue = "true") 
@@ -132,20 +134,25 @@ private List getRawResults(SecurityTest securityTest) throws DefectDojoP } private List getGenericResults(SecurityTest securityTest) { - List genericResults = new LinkedList<>(); - for(Finding finding: securityTest.getReport().getFindings()){ - genericResults.add(MessageFormat.format("date,title,cweid,url,severity,description,mitigation,impact,references,active,verified,falsepositive,duplicate\n" + - "{0},{1},,{2},{3},{4},,,,,,{5},{6}", - currentDate(), - finding.getName().replace(",", " "), - finding.getLocation().replace(",", " "), - finding.getSeverity(), - finding.getDescription().replace(",", " "), - finding.isFalsePositive(), - "false" - )); - } - return genericResults; + final String CSV_HEADER = "date,title,cweid,url,severity,description,mitigation,impact,references,active,verified,falsepositive,duplicate"; + + List findings = securityTest.getReport().getFindings(); + + String genericFindingsCsv = Stream.concat( + Stream.of(CSV_HEADER), + findings.stream().map(finding -> MessageFormat.format( + "{0},{1},,{2},{3},{4},,,,,,{5},{6}", + currentDate(), + finding.getName().replace(",", " "), + finding.getLocation().replace(",", " "), + finding.getSeverity(), + finding.getDescription().replace(",", " "), + finding.isFalsePositive(), + "false" + )) + ).collect(Collectors.joining("\n")); + + return Collections.singletonList(genericFindingsCsv); } private EngagementResponse createEngagement(SecurityTest securityTest) { From ef2139edd9bd78251827e24b2654403cf58f64b1 Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Wed, 23 Jan 2019 11:41:29 +0100 Subject: [PATCH 234/257] Make travis build fail fast on error --- .travis.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.travis.yml b/.travis.yml index b4c668ae..14d9ba68 100644 --- a/.travis.yml +++ b/.travis.yml @@ -8,6 +8,7 @@ cache: - "$HOME/.m2" install: true script: + - set -e - echo -en "travis_fold:start:Test\r" - mvn install -Pdependency-check - echo -en "travis_fold:end:Test\r" 
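Review bot: The generic CSV assembled in `getGenericResults` only strips commas, so a line break or double quote inside `finding.getName()` or `finding.getDescription()` — text that originates from scan output, i.e. from the targets — splits or corrupts a row, and with everything now batched into one document a single bad finding breaks the whole import instead of one record. `getName()`, `getLocation()` and `getDescription()` are also dereferenced without a null check, so one finding without a location aborts the batch with an NPE. Quote every field per RFC 4180 with a small helper instead of `replace(",", " ")`, which also preserves the original text; I am assuming DefectDojo's generic importer accepts quoted fields — please confirm. If the export is ever opened in a spreadsheet, values starting with `=`, `+`, `-` or `@` are additionally a formula-injection risk, which the helper could neutralise with a leading apostrophe at the cost of altering the stored text.
```java
private List<String> getGenericResults(SecurityTest securityTest) {
    final String CSV_HEADER = "date,title,cweid,url,severity,description,mitigation,impact,references,active,verified,falsepositive,duplicate";

    List<Finding> findings = securityTest.getReport().getFindings();

    String genericFindingsCsv = Stream.concat(
        Stream.of(CSV_HEADER),
        findings.stream().map(finding -> String.join(",",
            csvField(currentDate()),
            csvField(finding.getName()),
            "",
            csvField(finding.getLocation()),
            csvField(finding.getSeverity()),
            csvField(finding.getDescription()),
            "", "", "", "", "",
            csvField(finding.isFalsePositive()),
            csvField(false)))
    ).collect(Collectors.joining("\n"));

    return Collections.singletonList(genericFindingsCsv);
}

/**
 * Quotes one CSV field per RFC 4180 (wrapped in double quotes, embedded quotes doubled)
 * so commas, quotes and line breaks in scanner-supplied text cannot break a row;
 * a null value becomes an empty field.
 */
private static String csvField(Object value) {
    String text = value == null ? "" : String.valueOf(value);
    return "\"" + text.replace("\"", "\"\"") + "\"";
}
```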
@@ -17,6 +18,7 @@ script: - docker build -t $REPO:$TAG --build-arg="BUILD_DATE=$(date --rfc-3339=seconds)" --build-arg=VERSION=$TRAVIS_TAG --build-arg=COMMIT_ID=$TRAVIS_COMMIT --build-arg=BRANCH=$TRAVIS_BRANCH --build-arg=REPOSITORY_URL="https://github.com/secureCodeBox/engine" . - echo -en "travis_fold:end:Docker_Build\r" - docker images + - set +e deploy: - provider: script From 7097f66d125b0e778047fe5b96073adf93ab82e0 Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Wed, 23 Jan 2019 12:59:17 +0100 Subject: [PATCH 235/257] Revert "Break Tests to see if build stops" This reverts commit be215f99f48bc04a70f4b9e93184b864c322b83d. --- .../engine/auth/CamundaAuthenticationProviderTest.java | 8 -------- 1 file changed, 8 deletions(-) diff --git a/scb-engine/src/test/java/io/securecodebox/engine/auth/CamundaAuthenticationProviderTest.java b/scb-engine/src/test/java/io/securecodebox/engine/auth/CamundaAuthenticationProviderTest.java index 939f69b4..f1c46b03 100644 --- a/scb-engine/src/test/java/io/securecodebox/engine/auth/CamundaAuthenticationProviderTest.java +++ b/scb-engine/src/test/java/io/securecodebox/engine/auth/CamundaAuthenticationProviderTest.java @@ -33,14 +33,6 @@ public class CamundaAuthenticationProviderTest { @Mock Authentication authDummy; - - //-------------------------- - @Test - public void testShouldFail() { - throw new RuntimeException("THIS BREAKS ON PURPOSE"); - } - //-------------------------- - @Test public void shouldAuthenticateIfCredentialsAreValid() { given(authDummy.getName()).willReturn("username"); From 6f6cd13fb22b1e8364110ecca0db6f348136f50a Mon Sep 17 00:00:00 2001 
From: Jannik Hollenbach Date: Wed, 23 Jan 2019 14:55:05 +0100 Subject: [PATCH 236/257] Fixed custom styling --- .../camunda}/app/admin/assets/images/favicon.ico | Bin .../assets/images/logo_secureCodeBox_black.svg | 0 .../assets/images/logo_secureCodeBox_color.svg | 0 .../assets/images/logo_secureCodeBox_white.svg | 0 .../camunda}/app/admin/styles/user-styles.css | 0 .../camunda}/app/cockpit/assets/images/favicon.ico | Bin .../assets/images/logo_secureCodeBox_black.svg | 0 .../assets/images/logo_secureCodeBox_color.svg | 0 .../assets/images/logo_secureCodeBox_white.svg | 0 .../camunda}/app/cockpit/styles/user-styles.css | 0 .../camunda}/app/tasklist/assets/images/favicon.ico | Bin .../assets/images/logo_secureCodeBox_black.svg | 0 .../assets/images/logo_secureCodeBox_color.svg | 0 .../assets/images/logo_secureCodeBox_white.svg | 0 .../scripts/components/manualFalsePositive.js | 0 .../webjars/camunda}/app/tasklist/scripts/config.js | 0 .../scripts/trust-resource-module/script.js | 0 .../camunda}/app/tasklist/styles/user-styles.css | 0 .../resources/webjars/camunda}/app/test.html | 0 .../camunda}/app/welcome/assets/images/favicon.ico | Bin .../assets/images/logo_secureCodeBox_black.svg | 0 .../assets/images/logo_secureCodeBox_color.svg | 0 .../assets/images/logo_secureCodeBox_white.svg | 0 .../webjars/camunda}/app/welcome/scripts/config.js | 0 .../camunda}/app/welcome/styles/user-styles.css | 0 25 files changed, 0 insertions(+), 0 deletions(-) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/admin/assets/images/favicon.ico (100%) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/admin/assets/images/logo_secureCodeBox_black.svg (100%) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/admin/assets/images/logo_secureCodeBox_color.svg (100%) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/admin/assets/images/logo_secureCodeBox_white.svg 
(100%) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/admin/styles/user-styles.css (100%) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/cockpit/assets/images/favicon.ico (100%) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/cockpit/assets/images/logo_secureCodeBox_black.svg (100%) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/cockpit/assets/images/logo_secureCodeBox_color.svg (100%) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/cockpit/assets/images/logo_secureCodeBox_white.svg (100%) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/cockpit/styles/user-styles.css (100%) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/tasklist/assets/images/favicon.ico (100%) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/tasklist/assets/images/logo_secureCodeBox_black.svg (100%) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/tasklist/assets/images/logo_secureCodeBox_color.svg (100%) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/tasklist/assets/images/logo_secureCodeBox_white.svg (100%) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/tasklist/scripts/components/manualFalsePositive.js (100%) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/tasklist/scripts/config.js (100%) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/tasklist/scripts/trust-resource-module/script.js (100%) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/tasklist/styles/user-styles.css (100%) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/test.html (100%) rename scb-engine/src/main/resources/{ => 
META-INF/resources/webjars/camunda}/app/welcome/assets/images/favicon.ico (100%) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/welcome/assets/images/logo_secureCodeBox_black.svg (100%) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/welcome/assets/images/logo_secureCodeBox_color.svg (100%) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/welcome/assets/images/logo_secureCodeBox_white.svg (100%) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/welcome/scripts/config.js (100%) rename scb-engine/src/main/resources/{ => META-INF/resources/webjars/camunda}/app/welcome/styles/user-styles.css (100%) diff --git a/scb-engine/src/main/resources/app/admin/assets/images/favicon.ico b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/admin/assets/images/favicon.ico similarity index 100% rename from scb-engine/src/main/resources/app/admin/assets/images/favicon.ico rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/admin/assets/images/favicon.ico diff --git a/scb-engine/src/main/resources/app/admin/assets/images/logo_secureCodeBox_black.svg b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/admin/assets/images/logo_secureCodeBox_black.svg similarity index 100% rename from scb-engine/src/main/resources/app/admin/assets/images/logo_secureCodeBox_black.svg rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/admin/assets/images/logo_secureCodeBox_black.svg 
diff --git a/scb-engine/src/main/resources/app/admin/assets/images/logo_secureCodeBox_color.svg b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/admin/assets/images/logo_secureCodeBox_color.svg similarity index 100% rename from scb-engine/src/main/resources/app/admin/assets/images/logo_secureCodeBox_color.svg rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/admin/assets/images/logo_secureCodeBox_color.svg diff --git a/scb-engine/src/main/resources/app/admin/assets/images/logo_secureCodeBox_white.svg b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/admin/assets/images/logo_secureCodeBox_white.svg similarity index 100% rename from scb-engine/src/main/resources/app/admin/assets/images/logo_secureCodeBox_white.svg rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/admin/assets/images/logo_secureCodeBox_white.svg diff --git a/scb-engine/src/main/resources/app/admin/styles/user-styles.css b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/admin/styles/user-styles.css similarity index 100% rename from scb-engine/src/main/resources/app/admin/styles/user-styles.css rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/admin/styles/user-styles.css diff --git a/scb-engine/src/main/resources/app/cockpit/assets/images/favicon.ico b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/cockpit/assets/images/favicon.ico similarity index 100% rename from scb-engine/src/main/resources/app/cockpit/assets/images/favicon.ico rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/cockpit/assets/images/favicon.ico 
diff --git a/scb-engine/src/main/resources/app/cockpit/assets/images/logo_secureCodeBox_black.svg b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/cockpit/assets/images/logo_secureCodeBox_black.svg similarity index 100% rename from scb-engine/src/main/resources/app/cockpit/assets/images/logo_secureCodeBox_black.svg rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/cockpit/assets/images/logo_secureCodeBox_black.svg diff --git a/scb-engine/src/main/resources/app/cockpit/assets/images/logo_secureCodeBox_color.svg b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/cockpit/assets/images/logo_secureCodeBox_color.svg similarity index 100% rename from scb-engine/src/main/resources/app/cockpit/assets/images/logo_secureCodeBox_color.svg rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/cockpit/assets/images/logo_secureCodeBox_color.svg diff --git a/scb-engine/src/main/resources/app/cockpit/assets/images/logo_secureCodeBox_white.svg b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/cockpit/assets/images/logo_secureCodeBox_white.svg similarity index 100% rename from scb-engine/src/main/resources/app/cockpit/assets/images/logo_secureCodeBox_white.svg rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/cockpit/assets/images/logo_secureCodeBox_white.svg diff --git a/scb-engine/src/main/resources/app/cockpit/styles/user-styles.css b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/cockpit/styles/user-styles.css similarity index 100% rename from scb-engine/src/main/resources/app/cockpit/styles/user-styles.css rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/cockpit/styles/user-styles.css 
diff --git a/scb-engine/src/main/resources/app/tasklist/assets/images/favicon.ico b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/tasklist/assets/images/favicon.ico similarity index 100% rename from scb-engine/src/main/resources/app/tasklist/assets/images/favicon.ico rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/tasklist/assets/images/favicon.ico diff --git a/scb-engine/src/main/resources/app/tasklist/assets/images/logo_secureCodeBox_black.svg b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/tasklist/assets/images/logo_secureCodeBox_black.svg similarity index 100% rename from scb-engine/src/main/resources/app/tasklist/assets/images/logo_secureCodeBox_black.svg rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/tasklist/assets/images/logo_secureCodeBox_black.svg diff --git a/scb-engine/src/main/resources/app/tasklist/assets/images/logo_secureCodeBox_color.svg b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/tasklist/assets/images/logo_secureCodeBox_color.svg similarity index 100% rename from scb-engine/src/main/resources/app/tasklist/assets/images/logo_secureCodeBox_color.svg rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/tasklist/assets/images/logo_secureCodeBox_color.svg diff --git a/scb-engine/src/main/resources/app/tasklist/assets/images/logo_secureCodeBox_white.svg b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/tasklist/assets/images/logo_secureCodeBox_white.svg similarity index 100% rename from scb-engine/src/main/resources/app/tasklist/assets/images/logo_secureCodeBox_white.svg rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/tasklist/assets/images/logo_secureCodeBox_white.svg 
diff --git a/scb-engine/src/main/resources/app/tasklist/scripts/components/manualFalsePositive.js b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/tasklist/scripts/components/manualFalsePositive.js similarity index 100% rename from scb-engine/src/main/resources/app/tasklist/scripts/components/manualFalsePositive.js rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/tasklist/scripts/components/manualFalsePositive.js diff --git a/scb-engine/src/main/resources/app/tasklist/scripts/config.js b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/tasklist/scripts/config.js similarity index 100% rename from scb-engine/src/main/resources/app/tasklist/scripts/config.js rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/tasklist/scripts/config.js diff --git a/scb-engine/src/main/resources/app/tasklist/scripts/trust-resource-module/script.js b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/tasklist/scripts/trust-resource-module/script.js similarity index 100% rename from scb-engine/src/main/resources/app/tasklist/scripts/trust-resource-module/script.js rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/tasklist/scripts/trust-resource-module/script.js diff --git a/scb-engine/src/main/resources/app/tasklist/styles/user-styles.css b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/tasklist/styles/user-styles.css similarity index 100% rename from scb-engine/src/main/resources/app/tasklist/styles/user-styles.css rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/tasklist/styles/user-styles.css 
diff --git a/scb-engine/src/main/resources/app/test.html b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/test.html similarity index 100% rename from scb-engine/src/main/resources/app/test.html rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/test.html diff --git a/scb-engine/src/main/resources/app/welcome/assets/images/favicon.ico b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/welcome/assets/images/favicon.ico similarity index 100% rename from scb-engine/src/main/resources/app/welcome/assets/images/favicon.ico rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/welcome/assets/images/favicon.ico diff --git a/scb-engine/src/main/resources/app/welcome/assets/images/logo_secureCodeBox_black.svg b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/welcome/assets/images/logo_secureCodeBox_black.svg similarity index 100% rename from scb-engine/src/main/resources/app/welcome/assets/images/logo_secureCodeBox_black.svg rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/welcome/assets/images/logo_secureCodeBox_black.svg diff --git a/scb-engine/src/main/resources/app/welcome/assets/images/logo_secureCodeBox_color.svg b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/welcome/assets/images/logo_secureCodeBox_color.svg similarity index 100% rename from scb-engine/src/main/resources/app/welcome/assets/images/logo_secureCodeBox_color.svg rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/welcome/assets/images/logo_secureCodeBox_color.svg 
diff --git a/scb-engine/src/main/resources/app/welcome/assets/images/logo_secureCodeBox_white.svg b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/welcome/assets/images/logo_secureCodeBox_white.svg similarity index 100% rename from scb-engine/src/main/resources/app/welcome/assets/images/logo_secureCodeBox_white.svg rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/welcome/assets/images/logo_secureCodeBox_white.svg diff --git a/scb-engine/src/main/resources/app/welcome/scripts/config.js b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/welcome/scripts/config.js similarity index 100% rename from scb-engine/src/main/resources/app/welcome/scripts/config.js rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/welcome/scripts/config.js diff --git a/scb-engine/src/main/resources/app/welcome/styles/user-styles.css b/scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/welcome/styles/user-styles.css similarity index 100% rename from scb-engine/src/main/resources/app/welcome/styles/user-styles.css rename to scb-engine/src/main/resources/META-INF/resources/webjars/camunda/app/welcome/styles/user-styles.css From 85ccddd4535971f0405ef1dac6a6023b0201dcbf Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 23 Jan 2019 14:55:18 +0100 Subject: [PATCH 237/257] Pinned elastic version --- scb-engine/pom.xml | 2 +- .../elasticsearch-persistenceprovider/pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scb-engine/pom.xml b/scb-engine/pom.xml index b725a6eb..1cf54da5 100644 --- a/scb-engine/pom.xml +++ b/scb-engine/pom.xml @@ -208,7 +208,7 @@ org.elasticsearch elasticsearch - 6.2.4 + 6.4.3 diff --git a/scb-persistenceproviders/elasticsearch-persistenceprovider/pom.xml b/scb-persistenceproviders/elasticsearch-persistenceprovider/pom.xml index 67c4d073..5bc1d6e6 100644 --- a/scb-persistenceproviders/elasticsearch-persistenceprovider/pom.xml 
+++ b/scb-persistenceproviders/elasticsearch-persistenceprovider/pom.xml @@ -31,7 +31,7 @@ 0.0.1-SNAPSHOT - 6.2.4 + 6.4.3 From 446b143091a64ab594a6d1e59b1d1d9734cea103 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 23 Jan 2019 15:06:34 +0100 Subject: [PATCH 238/257] Disabled Process Tests Process tests are currently failing due to problems with the test framework in the newer Camunda versions. These tests will later be either rewritten or replaced by working tests. --- .../io/securecodebox/scanprocess/test/DefaultProcessTest.java | 2 ++ .../scanprocess/amassnmap/CombinedAmassNmapProcessTest.java | 2 ++ .../io/securecodebox/scanprocess/test/nmap/NmapProcessTest.java | 2 ++ .../scanprocess/test/SubdomainScannerProcessTest.java | 2 ++ .../io/securecodebox/scanprocess/test/zap/ZapProcessTest.java | 2 ++ 5 files changed, 10 insertions(+) diff --git a/scb-scanprocesses/arachni-process/src/test/java/io/securecodebox/scanprocess/test/DefaultProcessTest.java b/scb-scanprocesses/arachni-process/src/test/java/io/securecodebox/scanprocess/test/DefaultProcessTest.java index be703a88..2e72ee60 100644 --- a/scb-scanprocesses/arachni-process/src/test/java/io/securecodebox/scanprocess/test/DefaultProcessTest.java +++ b/scb-scanprocesses/arachni-process/src/test/java/io/securecodebox/scanprocess/test/DefaultProcessTest.java @@ -37,6 +37,7 @@ import org.camunda.bpm.scenario.delegate.TaskDelegate; import org.junit.Before; import org.junit.ClassRule; +import org.junit.Ignore; import org.junit.Rule; import org.junit.Test; import org.junit.runner.RunWith; @@ -73,6 +74,7 @@ @RunWith(SpringJUnit4ClassRunner.class) @Deployment(resources = "bpmn/arachni_process.bpmn") +@Ignore("Ignored until problems with camunda testing frameworks are handled. Introduces via update to camunda 7.10") public class DefaultProcessTest { //Define the Process Activity IDs 
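Review bot: The `@Ignore` on `DefaultProcessTest` (and the identical one on the other four process tests in this commit) switches off the process-level tests that exercise the scan workflows, including their manual-approval paths, without an issue reference to make sure they are re-enabled; put the tracking issue into the annotation text and fix the typo while at it: `@Ignore("Disabled until the Camunda test-framework problems introduced by the Camunda upgrade are resolved; see the tracking issue")`. Until they are back, nothing in CI catches a broken condition or sequence flow in these BPMN files, so the delegate-level unit tests are the only safety net. The class body continues outside the hunk.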
diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocess/amassnmap/CombinedAmassNmapProcessTest.java b/scb-scanprocesses/combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocess/amassnmap/CombinedAmassNmapProcessTest.java index 845ccf4e..703a5311 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocess/amassnmap/CombinedAmassNmapProcessTest.java +++ b/scb-scanprocesses/combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocess/amassnmap/CombinedAmassNmapProcessTest.java @@ -37,6 +37,7 @@ import org.camunda.bpm.scenario.delegate.TaskDelegate; import org.junit.Before; import org.junit.ClassRule; +import org.junit.Ignore; import org.junit.Rule; import org.junit.Test; import org.junit.runner.RunWith; @@ -75,6 +76,7 @@ @RunWith(SpringJUnit4ClassRunner.class) @Deployment(resources = "bpmn/combined_amass_nmap_process.bpmn") +@Ignore("Ignored until problems with camunda testing frameworks are handled. Introduces via update to camunda 7.10") public class CombinedAmassNmapProcessTest { //Define the Process Activity IDs diff --git a/scb-scanprocesses/nmap-process/src/test/java/io/securecodebox/scanprocess/test/nmap/NmapProcessTest.java b/scb-scanprocesses/nmap-process/src/test/java/io/securecodebox/scanprocess/test/nmap/NmapProcessTest.java index d4595723..fdc78e13 100644 --- a/scb-scanprocesses/nmap-process/src/test/java/io/securecodebox/scanprocess/test/nmap/NmapProcessTest.java +++ b/scb-scanprocesses/nmap-process/src/test/java/io/securecodebox/scanprocess/test/nmap/NmapProcessTest.java @@ -38,6 +38,7 @@ import org.camunda.bpm.scenario.delegate.TaskDelegate; import org.junit.Before; import org.junit.ClassRule; +import org.junit.Ignore; import org.junit.Rule; import org.junit.Test; import org.junit.runner.RunWith; 
@@ -73,6 +74,7 @@ @RunWith(SpringJUnit4ClassRunner.class) @Deployment(resources = "bpmn/nmap_process.bpmn") +@Ignore("Ignored until problems with camunda testing frameworks are handled. Introduces via update to camunda 7.10") public class NmapProcessTest { //Define the Process Activity IDs diff --git a/scb-scanprocesses/subdomain-scanner-process/src/test/java/io/securecodebox/scanprocess/test/SubdomainScannerProcessTest.java b/scb-scanprocesses/subdomain-scanner-process/src/test/java/io/securecodebox/scanprocess/test/SubdomainScannerProcessTest.java index b360158c..7e47badd 100644 --- a/scb-scanprocesses/subdomain-scanner-process/src/test/java/io/securecodebox/scanprocess/test/SubdomainScannerProcessTest.java +++ b/scb-scanprocesses/subdomain-scanner-process/src/test/java/io/securecodebox/scanprocess/test/SubdomainScannerProcessTest.java @@ -37,6 +37,7 @@ import org.camunda.bpm.scenario.delegate.TaskDelegate; import org.junit.Before; import org.junit.ClassRule; +import org.junit.Ignore; import org.junit.Rule; import org.junit.Test; import org.junit.runner.RunWith; @@ -73,6 +74,7 @@ @RunWith(SpringJUnit4ClassRunner.class) @Deployment(resources = "bpmn/subdomain_scanner_process.bpmn") +@Ignore("Ignored until problems with camunda testing frameworks are handled. Introduces via update to camunda 7.10") public class SubdomainScannerProcessTest { //Define the Process Activity IDs diff --git a/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/test/zap/ZapProcessTest.java b/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/test/zap/ZapProcessTest.java index b5abe1f1..185692fd 100644 --- a/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/test/zap/ZapProcessTest.java +++ b/scb-scanprocesses/zap-process/src/test/java/io/securecodebox/scanprocess/test/zap/ZapProcessTest.java 
@@ -21,6 +21,7 @@ import org.camunda.bpm.scenario.delegate.TaskDelegate; import org.junit.Before; import org.junit.ClassRule; +import org.junit.Ignore; import org.junit.Rule; import org.junit.Test; import org.junit.runner.RunWith; @@ -45,6 +46,7 @@ @RunWith(SpringJUnit4ClassRunner.class) @Deployment(resources = "bpmn/zap_process.bpmn") +@Ignore("Ignored until problems with camunda testing frameworks are handled. Introduces via update to camunda 7.10") public class ZapProcessTest { //Define the Process Activity IDs From cb0b17772e3c66381f3e27bf7b49ac162e60043c Mon Sep 17 00:00:00 2001 
From: Martin Lang Date: Wed, 23 Jan 2019 15:11:26 +0100 Subject: [PATCH 239/257] Removed test-process --- Dockerfile | 1 - scb-engine/pom.xml | 6 -- scb-scanprocesses/pom.xml | 1 - scb-scanprocesses/test-process/pom.xml | 42 ------------ .../test/delegate/SayHelloDelegate.java | 19 ------ .../src/main/resources/META-INF/processes.xml | 0 .../src/main/resources/bpmn/sample.bpmn | 50 --------------- .../src/main/resources/forms/createTweet.html | 25 -------- .../src/main/resources/forms/reviewTweet.html | 40 ------------ .../scanprocess/test/TestProcessTest.java | 64 ------------------- .../src/test/resources/camunda.cfg.xml | 14 ---- .../src/test/resources/logback-test.xml | 27 -------- 12 files changed, 289 deletions(-) delete mode 100644 scb-scanprocesses/test-process/pom.xml delete mode 100644 scb-scanprocesses/test-process/src/main/java/io/securecodebox/scanprocess/test/delegate/SayHelloDelegate.java delete mode 100644 scb-scanprocesses/test-process/src/main/resources/META-INF/processes.xml delete mode 100644 scb-scanprocesses/test-process/src/main/resources/bpmn/sample.bpmn delete mode 100644 scb-scanprocesses/test-process/src/main/resources/forms/createTweet.html delete mode 100644 scb-scanprocesses/test-process/src/main/resources/forms/reviewTweet.html delete mode 100644 scb-scanprocesses/test-process/src/test/java/io/securecodebox/scanprocess/test/TestProcessTest.java delete mode 100644 scb-scanprocesses/test-process/src/test/resources/camunda.cfg.xml delete mode 100644 scb-scanprocesses/test-process/src/test/resources/logback-test.xml diff --git a/Dockerfile b/Dockerfile index bb6479d3..4eeb0550 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -14,7 +14,6 @@ ARG VERSION COPY --from=builder ./scb-engine/target/engine-0.0.1-SNAPSHOT.jar /scb-engine/app.jar COPY --from=builder ./scb-scanprocesses/nikto-process/target/nikto-process-0.0.1-SNAPSHOT.jar /scb-engine/lib/ COPY --from=builder ./scb-scanprocesses/nmap-process/target/nmap-process-0.0.1-SNAPSHOT.jar /scb-engine/lib/ -COPY --from=builder ./scb-scanprocesses/test-process/target/test-process-0.0.1-SNAPSHOT.jar /scb-engine/lib/ COPY --from=builder ./scb-scanprocesses/zap-process/target/zap-process-0.0.1-SNAPSHOT.jar /scb-engine/lib/ COPY --from=builder ./scb-scanprocesses/combined-amass-nmap-process/target/combined-amass-nmap-process-0.0.1-SNAPSHOT.jar /scb-engine/lib/ COPY --from=builder ./scb-scanprocesses/combined-nmap-nikto-scanprocess/target/combined-nmap-nikto-scanprocess-0.0.1-SNAPSHOT.jar /scb-engine/lib/ diff --git a/scb-engine/pom.xml b/scb-engine/pom.xml index 4004ee76..1c42b84c 100644 --- a/scb-engine/pom.xml +++ b/scb-engine/pom.xml @@ -178,12 +178,6 @@ 0.0.1-SNAPSHOT runtime - - io.securecodebox.scanprocesses - test-process - 0.0.1-SNAPSHOT - runtime - io.securecodebox.persistenceproviders elasticsearch-persistenceprovider diff --git a/scb-scanprocesses/pom.xml b/scb-scanprocesses/pom.xml index 8e8d5661..7c4d11c7 100644 --- a/scb-scanprocesses/pom.xml +++ b/scb-scanprocesses/pom.xml @@ -15,7 +15,6 @@ archetype-process - test-process nmap-process nikto-process zap-process diff --git a/scb-scanprocesses/test-process/pom.xml b/scb-scanprocesses/test-process/pom.xml deleted file mode 100644 index 11f87f2a..00000000 --- a/scb-scanprocesses/test-process/pom.xml +++ /dev/null 
@@ -1,42 +0,0 @@ - - 4.0.0 - - - io.securecodebox.scanprocesses - default-process-collection - 0.0.1-SNAPSHOT - - - test-process - 0.0.1-SNAPSHOT - - - - io.securecodebox.core - sdk - - - com.h2database - h2 - provided - 1.3.168 - - - org.camunda.bpm.springboot - camunda-bpm-spring-boot-starter-test - test - - - org.camunda.bpm.extension.mockito - camunda-bpm-mockito - test - - - org.camunda.bpm.springboot - camunda-bpm-spring-boot-starter - - - - - diff --git a/scb-scanprocesses/test-process/src/main/java/io/securecodebox/scanprocess/test/delegate/SayHelloDelegate.java b/scb-scanprocesses/test-process/src/main/java/io/securecodebox/scanprocess/test/delegate/SayHelloDelegate.java deleted file mode 100644 index b715e841..00000000 --- a/scb-scanprocesses/test-process/src/main/java/io/securecodebox/scanprocess/test/delegate/SayHelloDelegate.java +++ /dev/null @@ -1,19 +0,0 @@ -package io.securecodebox.scanprocess.test.delegate; - -import org.camunda.bpm.engine.delegate.DelegateExecution; -import org.camunda.bpm.engine.delegate.JavaDelegate; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.stereotype.Component; - -@Component -public class SayHelloDelegate implements JavaDelegate { - - private static final Logger LOGGER = LoggerFactory.getLogger(SayHelloDelegate.class); - - @Override - public void execute(DelegateExecution execution) throws Exception { - LOGGER.info("hello {}", execution); - } - -} \ No newline at end of file diff --git a/scb-scanprocesses/test-process/src/main/resources/META-INF/processes.xml b/scb-scanprocesses/test-process/src/main/resources/META-INF/processes.xml deleted file mode 100644 index e69de29b..00000000 diff --git a/scb-scanprocesses/test-process/src/main/resources/bpmn/sample.bpmn b/scb-scanprocesses/test-process/src/main/resources/bpmn/sample.bpmn deleted file mode 100644 index 955a926f..00000000 --- a/scb-scanprocesses/test-process/src/main/resources/bpmn/sample.bpmn +++ /dev/null 
@@ -1,50 +0,0 @@ - - - - - SequenceFlow_1 - - - SequenceFlow_1 - SequenceFlow_2 - - - - SequenceFlow_2 - SequenceFlow_3 - - - - SequenceFlow_3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/scb-scanprocesses/test-process/src/main/resources/forms/createTweet.html b/scb-scanprocesses/test-process/src/main/resources/forms/createTweet.html deleted file mode 100644 index 22610a22..00000000 --- a/scb-scanprocesses/test-process/src/main/resources/forms/createTweet.html +++ /dev/null @@ -1,25 +0,0 @@ -Create Tweet - -
-
- -
- -
-
-
- -
- -
-
-
\ No newline at end of file diff --git a/scb-scanprocesses/test-process/src/main/resources/forms/reviewTweet.html b/scb-scanprocesses/test-process/src/main/resources/forms/reviewTweet.html deleted file mode 100644 index a3eeba35..00000000 --- a/scb-scanprocesses/test-process/src/main/resources/forms/reviewTweet.html +++ /dev/null @@ -1,40 +0,0 @@ -Do you approve this tweet? - -
-
- -
- -
-
-
- -
- -
-
-
- -
- -
-
-
- -
- -
-
-
\ No newline at end of file diff --git a/scb-scanprocesses/test-process/src/test/java/io/securecodebox/scanprocess/test/TestProcessTest.java b/scb-scanprocesses/test-process/src/test/java/io/securecodebox/scanprocess/test/TestProcessTest.java deleted file mode 100644 index 30007368..00000000 --- a/scb-scanprocesses/test-process/src/test/java/io/securecodebox/scanprocess/test/TestProcessTest.java +++ /dev/null 
@@ -1,64 +0,0 @@ -package io.securecodebox.scanprocess.test; - -import org.camunda.bpm.engine.runtime.ProcessInstance; -import org.camunda.bpm.engine.test.Deployment; -import org.camunda.bpm.engine.test.ProcessEngineRule; -import org.camunda.bpm.engine.variable.Variables; -import org.junit.Ignore; -import org.junit.Rule; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; - -import java.util.Collections; - -import static org.camunda.bpm.engine.test.assertions.ProcessEngineTests.*; -import static org.camunda.bpm.extension.mockito.CamundaMockito.*; -import static org.junit.Assert.assertEquals; -import static org.mockito.Mockito.times; - -@RunWith(SpringJUnit4ClassRunner.class) -@Deployment(resources = "bpmn/sample.bpmn") -@Ignore -public class TestProcessTest { - - private static final String SAMPLE_SERVICE_ID = "Sample"; - private static final String TASK_DO_SOMETHING_ID = "UserTask_1"; - private static final String TASK_SAY_HELLO_ID = "ServiceTask_1"; - - @Rule - public ProcessEngineRule processEngineRule = new ProcessEngineRule(); - - //Best practice to test if the deployment of the BPMN model is successful - @Test - public void testDeployment(){} - - @Test - public void testSuccessfulExecutionOfProcess(){ - - //Mock everything: ExecutionListeners, TaskListeners, Eventlisteners, JavaDelegates, etc. 
- autoMock("bpmn/sample.bpmn"); - - //Start the Service - ProcessInstance processInstance = processEngine().getRuntimeService().startProcessInstanceByKey(SAMPLE_SERVICE_ID); - - //check that the Service has started and waits at the UserTask - assertThat(processInstance).isStarted() - .isWaitingAt(TASK_DO_SOMETHING_ID); - - //Execute the next task, which should be the UserTask - complete(task(), Variables.createVariables()); - - //Make sure the next task is the "Say Hello" ServiceTask - assertEquals(Collections.singletonList(TASK_SAY_HELLO_ID), runtimeService().getActiveActivityIds(processInstance.getId())); - - //execute the Service Task - execute(job()); - - //Check if the SayHelloDelegate was called - verifyJavaDelegateMock("sayHelloDelegate").executed(times(1)); - - //Check if every task has been executed and the process finished - assertThat(processInstance).isEnded().hasPassed(TASK_DO_SOMETHING_ID, TASK_SAY_HELLO_ID); - } -} diff --git a/scb-scanprocesses/test-process/src/test/resources/camunda.cfg.xml b/scb-scanprocesses/test-process/src/test/resources/camunda.cfg.xml deleted file mode 100644 index 7a813100..00000000 --- a/scb-scanprocesses/test-process/src/test/resources/camunda.cfg.xml +++ /dev/null @@ -1,14 +0,0 @@ - - - - - - - - - - - \ No newline at end of file diff --git a/scb-scanprocesses/test-process/src/test/resources/logback-test.xml b/scb-scanprocesses/test-process/src/test/resources/logback-test.xml deleted file mode 100644 index 81dcdbcd..00000000 --- a/scb-scanprocesses/test-process/src/test/resources/logback-test.xml +++ /dev/null @@ -1,27 +0,0 @@ - - - - - - - - - - From 59e0f584c572d849431b9c37ecad8c7fde60ea84 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 23 Jan 2019 15:43:34 +0100 Subject: [PATCH 240/257] Updated powermock --- scb-persistenceproviders/s3-persistenceprovider/pom.xml | 6 +++--- .../persistence/s3/S3PersistenceProviderTest.java | 4 ---- 2 files changed, 3 insertions(+), 7 deletions(-) 
diff --git a/scb-persistenceproviders/s3-persistenceprovider/pom.xml b/scb-persistenceproviders/s3-persistenceprovider/pom.xml index 9f61090f..18756af1 100644 --- a/scb-persistenceproviders/s3-persistenceprovider/pom.xml +++ b/scb-persistenceproviders/s3-persistenceprovider/pom.xml @@ -44,13 +44,13 @@ org.powermock powermock-module-junit4 - 1.7.4 + 2.0.0 test org.powermock - powermock-api-mockito - 1.7.4 + powermock-api-mockito2 + 2.0.0 test diff --git a/scb-persistenceproviders/s3-persistenceprovider/src/test/java/io/securecodebox/persistence/s3/S3PersistenceProviderTest.java b/scb-persistenceproviders/s3-persistenceprovider/src/test/java/io/securecodebox/persistence/s3/S3PersistenceProviderTest.java index aa6a72e7..bda3f771 100644 --- a/scb-persistenceproviders/s3-persistenceprovider/src/test/java/io/securecodebox/persistence/s3/S3PersistenceProviderTest.java +++ b/scb-persistenceproviders/s3-persistenceprovider/src/test/java/io/securecodebox/persistence/s3/S3PersistenceProviderTest.java @@ -25,21 +25,17 @@ import io.securecodebox.model.rest.Report; import io.securecodebox.model.securitytest.SecurityTest; import java.io.IOException; -import java.lang.reflect.Array; -import java.sql.DriverManager; import java.util.Arrays; import org.junit.Test; import org.junit.runner.RunWith; import org.mockito.InjectMocks; import org.mockito.Mock; -import org.mockito.runners.MockitoJUnitRunner; import org.powermock.api.mockito.PowerMockito; import org.powermock.core.classloader.annotations.PowerMockIgnore; import org.powermock.core.classloader.annotations.PrepareForTest; import org.powermock.modules.junit4.PowerMockRunner; -import static org.junit.Assert.*; import static org.mockito.BDDMockito.given; import static org.mockito.Matchers.any; import static org.mockito.Mockito.times; From a7e18a3cf05d2d52e2faa39301fac4700b1596be Mon Sep 17 00:00:00 2001 
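Review bot: The import hunk keeps `import static org.mockito.Matchers.any;` while the pom in the same commit moves to `powermock-api-mockito2` 2.0.0, which brings Mockito 2 where `org.mockito.Matchers` is deprecated in favour of `org.mockito.ArgumentMatchers`; it still compiles but emits deprecation warnings and is slated for removal. Change it to `import static org.mockito.ArgumentMatchers.any;`. The rest of the test class is outside the hunk, so whether other Mockito 1 APIs are still used cannot be checked here.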
From: Jannik Hollenbach Date: Wed, 23 Jan 2019 17:31:38 +0100 Subject: [PATCH 241/257] =?UTF-8?q?Ensured=20that=20the=20DefectDojoServic?= =?UTF-8?q?e=20doesn=E2=80=99t=20get=20initialised=20when=20it=20is=20not?= =?UTF-8?q?=20configured?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../java/io/securecodebox/persistence/DefectDojoService.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java index 39c07352..3a25dd6f 100644 --- a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java +++ b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java @@ -23,6 +23,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Value; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.core.ParameterizedTypeReference; import org.springframework.core.io.ByteArrayResource; import org.springframework.http.*; @@ -40,6 +41,7 @@ import java.util.Arrays; @Component +@ConditionalOnProperty(name = "securecodebox.persistence.defectdojo.enabled", havingValue = "true") public class DefectDojoService { @Value("${securecodebox.persistence.defectdojo.url}") protected String defectDojoUrl; From 7704a883276319b116581dfbedfb704af0617f26 Mon Sep 17 00:00:00 2001 
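Review bot: Guarding `DefectDojoService` with `@ConditionalOnProperty(... havingValue = "true")` and no `matchIfMissing` means the bean does not exist when the property is absent, so any bean that injects it non-optionally fails context startup rather than silently skipping DefectDojo; `DefectDojoPersistenceProvider` later in this series calls `defectDojoService.getToolConfiguration(...)`, so it presumably injects it and needs the same condition, but its annotations are not visible here. Add the same `@ConditionalOnProperty` to `DefectDojoPersistenceProvider` (or inject `Optional<DefectDojoService>`). A short class comment would also help, e.g. `// Only instantiated when securecodebox.persistence.defectdojo.enabled=true; the @Value url below has no default and would otherwise fail property resolution.` Disabled-by-default is the right choice for an integration that pushes scan data to an external system.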
From: Jannik Hollenbach Date: Wed, 23 Jan 2019 17:36:39 +0100 Subject: [PATCH 242/257] =?UTF-8?q?Replaced=20uuids=20with=20strings,=20as?= =?UTF-8?q?=20elasticsearch=20doesn=E2=80=99t=20support=20uuids=20directly?= =?UTF-8?q?=20as=20inputs=20anymore?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../elasticsearch/ElasticSearchPersistenceProvider.java | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java b/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java index a6a75285..5648db77 100644 --- a/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java +++ b/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java @@ -175,6 +175,7 @@ public void persist(SecurityTest securityTest) throws PersistenceException{ BulkRequest bulkRequest = new BulkRequest(); Map securityTestAsMap = serializeAndRemove(securityTest, "report"); + securityTestAsMap.put("id", securityTest.getId().toString()); securityTestAsMap.put("type", indexTypeNameForSecurityTests); String timestamp = new SimpleDateFormat(dateTimeFormatToPersist).format(new Date()); 
@@ -191,8 +192,10 @@ public void persist(SecurityTest securityTest) throws PersistenceException{ for (Finding f : securityTest.getReport().getFindings()) { Map findingAsMap = serializeAndRemove(f); + + findingAsMap.put("id", f.getId().toString()); findingAsMap.put("type", indexTypeNameForFindings); - findingAsMap.put("security_test_id", securityTest.getId()); + findingAsMap.put("security_test_id", securityTest.getId().toString()); findingAsMap.put("security_test_name", securityTest.getName()); findingAsMap.put("@timestamp", new SimpleDateFormat(dateTimeFormatToPersist).format(new Date())); From b1898be2a2fe9f275d584d60e219613c6051150d Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 23 Jan 2019 17:53:45 +0100 Subject: [PATCH 243/257] Replaced another uuid with its string representation --- .../elasticsearch/ElasticSearchPersistenceProvider.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java b/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java index 5648db77..7638accc 100644 --- a/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java +++ b/scb-persistenceproviders/elasticsearch-persistenceprovider/src/main/java/io/securecodebox/persistence/elasticsearch/ElasticSearchPersistenceProvider.java 
@@ -238,7 +238,7 @@ public void onFailure(Exception e) {
private void checkForSecurityTestIdExistence(SecurityTest securityTest) throws ElasticsearchPersistenceException, DuplicateUuidException, IOException {
SearchRequest searchRequest = new SearchRequest();
SearchSourceBuilder searchSourceBuilder = new SearchSourceBuilder();
- searchSourceBuilder.query(QueryBuilders.matchQuery("id.keyword", securityTest.getId()));
+ searchSourceBuilder.query(QueryBuilders.matchQuery("id.keyword", securityTest.getId().toString()));
searchRequest.source(searchSourceBuilder);
SearchResponse searchResponse = highLevelClient.search(searchRequest);
LOG.debug("Search Response Status: {}", searchResponse.status());
From 88f84983ccb2eb46264b930ad9eba9a402902cf5 Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Wed, 23 Jan 2019 17:31:38 +0100
Subject: [PATCH 244/257] =?UTF-8?q?Ensured=20that=20the=20DefectDojoServic?= =?UTF-8?q?e=20doesn=E2=80=99t=20get=20initialised=20when=20it=20is=20not?= =?UTF-8?q?=20configured?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../java/io/securecodebox/persistence/DefectDojoService.java | 2 ++
1 file changed, 2 insertions(+)
diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java
index 39c07352..3a25dd6f 100644
--- a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java
+++ b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java
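Review bot: `QueryBuilders.matchQuery("id.keyword", ...)` is a full-text match used for an exact UUID existence check; on a keyword sub-field it degrades to a term lookup, but `QueryBuilders.termQuery("id.keyword", securityTest.getId().toString())` states that intent and does not depend on the field mapping staying a keyword. Separately, with the client bumped to 6.4.3 earlier in this series, `highLevelClient.search(searchRequest)` without `RequestOptions` is, to my knowledge, the deprecated overload; `highLevelClient.search(searchRequest, RequestOptions.DEFAULT)` is the replacement. Note also that this duplicate-id guard is a read-then-write with no atomicity, so two concurrent persists of the same id can both pass it; the remainder of `checkForSecurityTestIdExistence` and the bulk write are outside the hunk.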
@@ -23,6 +23,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Value; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.core.ParameterizedTypeReference; import org.springframework.core.io.ByteArrayResource; import org.springframework.http.*; @@ -40,6 +41,7 @@ import java.util.Arrays; @Component +@ConditionalOnProperty(name = "securecodebox.persistence.defectdojo.enabled", havingValue = "true") public class DefectDojoService { @Value("${securecodebox.persistence.defectdojo.url}") protected String defectDojoUrl; From 2772ff3874ed63db43de4edf77b81d4307dd0fa0 Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Thu, 24 Jan 2019 12:49:50 +0100 Subject: [PATCH 245/257] Deleted test-process pom.xml --- scb-scanprocesses/test-process/pom.xml | 46 -------------------------- 1 file changed, 46 deletions(-) delete mode 100644 scb-scanprocesses/test-process/pom.xml diff --git a/scb-scanprocesses/test-process/pom.xml b/scb-scanprocesses/test-process/pom.xml deleted file mode 100644 index 4a98a37b..00000000 --- a/scb-scanprocesses/test-process/pom.xml +++ /dev/null @@ -1,46 +0,0 @@ - - 4.0.0 - - - io.securecodebox.scanprocesses - default-process-collection - 0.0.1-SNAPSHOT - - - test-process - 0.0.1-SNAPSHOT - - - - io.securecodebox.core - sdk - - - com.h2database - h2 - provided - 1.3.168 - - - org.camunda.bpm.springboot - camunda-bpm-spring-boot-starter-test - test - - - org.camunda.bpm.extension.mockito - camunda-bpm-mockito - test - - - org.camunda.bpm.springboot - camunda-bpm-spring-boot-starter - - - org.camunda.bpm.extension - camunda-bpm-assert - - - - - From 60144f9fb49a20a0ea1cd7ba48e4d086dedbfbd7 Mon Sep 17 00:00:00 2001 
From: Jannik Hollenbach Date: Thu, 24 Jan 2019 16:38:36 +0100 Subject: [PATCH 246/257] Fixed Typo in defectdojo persistence provider --- .../persistence/DefectDojoPersistenceProvider.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java index bbfe7af4..471559f5 100644 --- a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java +++ b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java @@ -90,7 +90,7 @@ public void persist(SecurityTest securityTest) throws PersistenceException { static final String GIT_SERVER_NAME = "Git Server"; static final String BUILD_SERVER_NAME = "Build Server"; - static final String SECURITY_TEST_SERVER_NAME = "Security TestOrchestration Engine"; + static final String SECURITY_TEST_SERVER_NAME = "Security Test Orchestration Engine"; private void checkToolTypes() { DefectDojoResponse toolTypeGitResponse = defectDojoService.getToolTypeByName(GIT_SERVER_NAME); 
@@ -173,9 +173,9 @@ private EngagementResponse createEngagement(SecurityTest securityTest) { engagementPayload.setRepo(securityTest.getMetaData().get(CommonMetaFields.SCB_REPO.name())); engagementPayload.setTracker(securityTest.getMetaData().get(CommonMetaFields.SCB_TRACKER.name())); - engagementPayload.setBuildServer(defectDojoService.getToolConfiguration(securityTest.getMetaData().get(CommonMetaFields.SCB_BUILD_SERVER.name()), "Build Server")); - engagementPayload.setScmServer(defectDojoService.getToolConfiguration(securityTest.getMetaData().get(CommonMetaFields.SCB_SCM_SERVER.name()), "Git Server")); - engagementPayload.setOrchestrationEngine(defectDojoService.getToolConfiguration("https://github.com/secureCodeBox","Security Test Orchestration Engine")); + engagementPayload.setBuildServer(defectDojoService.getToolConfiguration(securityTest.getMetaData().get(CommonMetaFields.SCB_BUILD_SERVER.name()), BUILD_SERVER_NAME)); + engagementPayload.setScmServer(defectDojoService.getToolConfiguration(securityTest.getMetaData().get(CommonMetaFields.SCB_SCM_SERVER.name()), GIT_SERVER_NAME)); + engagementPayload.setOrchestrationEngine(defectDojoService.getToolConfiguration("https://github.com/secureCodeBox", SECURITY_TEST_SERVER_NAME)); engagementPayload.setTargetStart(currentDate()); engagementPayload.setTargetEnd(currentDate()); From 7c65c00501f1d4cd29d794154cdc2476a9585234 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6ran=20Tesse?= Date: Fri, 25 Jan 2019 13:53:52 +0100 Subject: [PATCH 247/257] fixed bug where findings without script output would be removed --- .../amassnmap/FilterHttpSecurityHeaders.java | 9 +- .../src/main/resources/bpmn/nmap_process.bpmn | 93 ++++++++----------- 2 files changed, 45 insertions(+), 57 deletions(-) 
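Review bot: The orchestration-engine URL stays an inline literal while its display name was just hoisted into `SECURITY_TEST_SERVER_NAME`; for consistency lift it too, e.g. `static final String SECURITY_TEST_SERVER_URL = "https://github.com/secureCodeBox";` and pass `SECURITY_TEST_SERVER_URL` to `getToolConfiguration`. The build-server and SCM-server arguments come straight from `securityTest.getMetaData().get(...)` and may be null when a caller did not set those fields; how `getToolConfiguration` treats a null URL is not visible here, so a null guard or a documented contract on that method would help. `createEngagement` continues past the hunk.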
diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/FilterHttpSecurityHeaders.java b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/FilterHttpSecurityHeaders.java index f61f701f..8bef4c73 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/FilterHttpSecurityHeaders.java +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/FilterHttpSecurityHeaders.java @@ -45,10 +45,13 @@ public void execute(DelegateExecution delegateExecution) throws Exception { final ArrayList findings = new ArrayList<>(); final long T_START = System.currentTimeMillis(); process.getFindings().stream() - .filter(finding -> HttpHeaders.headersPresentInFinding(finding)) .forEach(finding -> { - final HttpHeaders headers = HttpHeaders.fromFinding(finding); - findings.addAll(applyStrategies (headers, finding)); + if (HttpHeaders.headersPresentInFinding(finding)) { + final HttpHeaders headers = HttpHeaders.fromFinding(finding); + findings.addAll(applyStrategies (headers, finding)); + } else { + findings.add(finding); + } }); final long T_STRATEGIES_APPLIED = System.currentTimeMillis(); final int numberOfAdditionalFindings = findings.size() - process.getFindings().size(); diff --git a/scb-scanprocesses/nmap-process/src/main/resources/bpmn/nmap_process.bpmn b/scb-scanprocesses/nmap-process/src/main/resources/bpmn/nmap_process.bpmn index ac0352b9..53d5239f 100644 --- a/scb-scanprocesses/nmap-process/src/main/resources/bpmn/nmap_process.bpmn +++ b/scb-scanprocesses/nmap-process/src/main/resources/bpmn/nmap_process.bpmn @@ -1,5 +1,5 @@ - + @@ -17,11 +17,10 @@ SequenceFlow_ManualStart SequenceFlow_DefaultConfig SequenceFlow_AdvancedConfig - SequenceFlow_HttpSecConfig - ${NMAP_CONFIGURATION_TYPE == 'default'} + SequenceFlow_ResultApproved 
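Review bot: `process.getFindings().stream().forEach(finding -> { ... })` now exists only to mutate the external `findings` list, which is the side-effecting `forEach` a plain loop expresses more directly; replace the stream head with `for (Finding finding : process.getFindings()) {` and close with `}` instead of `});`, keeping the `if`/`else` body as is. The fix itself — passing findings without http-headers script output through unchanged rather than dropping them — looks right, assuming `applyStrategies` returns the original finding alongside the derived ones (its body is outside the hunk). A one-line comment above the loop, `// findings without http-headers output are kept as-is; only header-bearing ones get strategy findings appended`, would record that contract.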
@@ -34,7 +33,7 @@ SequenceFlow_PortscanConfigured - ${NMAP_CONFIGURATION_TYPE == 'advanced'} + @@ -51,10 +50,10 @@ SequenceFlow_ResultRejected - ${PROCESS_RESULT_APPROVED == 'approved'} + - ${PROCESS_RESULT_APPROVED == 'disapproved'} + SequenceFlow_TargetConfigured @@ -85,7 +84,6 @@ SequenceFlow_PortscanConfigured SequenceFlow_DefaultConfig SequenceFlow_AutomatedStart - SequenceFlow_HttpSecConfig SequenceFlow_PortscanFinished @@ -96,9 +94,6 @@ - - ${NMAP_CONFIGURATION_TYPE == 'http-security'} - results in a generic format @@ -119,16 +114,16 @@ - - + + - - - + + + @@ -140,8 +135,8 @@ - - + + @@ -150,24 +145,24 @@ - - + + - - - - + + + + - - + + @@ -182,16 +177,16 @@ - - + + - - - + + + @@ -203,16 +198,16 @@ - - + + - - - + + + @@ -224,16 +219,16 @@ - - - + + + - - + + @@ -242,8 +237,8 @@ - - + + @@ -261,18 +256,8 @@ - - - - - - - - - - - - + + From ed9a988a11d53fe31b0300a2afe47de97527d8f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6ran=20Tesse?= Date: Fri, 25 Jan 2019 16:12:08 +0100 Subject: [PATCH 248/257] refactoring and bugfix --- .../amassnmap/FilterHttpSecurityHeaders.java | 14 ++++----- .../amassnmap/NmapConfigProfile.java | 4 +-- .../TransformAmassResultsToNmapInput.java | 19 ++++++++---- .../bpmn/combined_amass_nmap_process.bpmn | 31 ++++++++++--------- .../CombinedAmassNmapProcessTest.java | 1 + 5 files changed, 40 insertions(+), 29 deletions(-) diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/FilterHttpSecurityHeaders.java b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/FilterHttpSecurityHeaders.java index 8bef4c73..a2735031 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/FilterHttpSecurityHeaders.java +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/FilterHttpSecurityHeaders.java 
@@ -43,7 +43,7 @@ public class FilterHttpSecurityHeaders implements JavaDelegate { public void execute(DelegateExecution delegateExecution) throws Exception { final ScanProcessExecution process = processExecutionFactory.get(delegateExecution); final ArrayList findings = new ArrayList<>(); - final long T_START = System.currentTimeMillis(); + final long tStart = System.currentTimeMillis(); process.getFindings().stream() .forEach(finding -> { if (HttpHeaders.headersPresentInFinding(finding)) { @@ -53,11 +53,11 @@ public void execute(DelegateExecution delegateExecution) throws Exception { findings.add(finding); } }); - final long T_STRATEGIES_APPLIED = System.currentTimeMillis(); + final long tStrategiesApplied = System.currentTimeMillis(); final int numberOfAdditionalFindings = findings.size() - process.getFindings().size(); clearFindings(process); findings.forEach(changedFinding -> process.appendFinding(changedFinding)); - LOG.debug("http-headers strategies yielded {} additional findings; finding them took {}ms, storing them {}ms", numberOfAdditionalFindings, T_STRATEGIES_APPLIED - T_START, System.currentTimeMillis() - T_STRATEGIES_APPLIED); + LOG.debug("http-headers strategies yielded {} additional findings; finding them took {}ms, storing them {}ms", numberOfAdditionalFindings, tStrategiesApplied - tStart, System.currentTimeMillis() - tStrategiesApplied); } private ArrayList applyStrategies(HttpHeaders headers, Finding finding) { 
@@ -118,17 +118,17 @@ private static HttpHeaderStrategy requireFrameOptionsToBeDenied() { private static HttpHeaderStrategy requireXssProtectionToBeEnabled() { return new HttpHeaderStrategy("X-XSS-Protection") .ifMissing() - .createFinding(Severity.MEDIUM, "X-XSS-Protection header missing") + .createFinding(Severity.LOW, "X-XSS-Protection header missing") .ifTrue(value -> value.startsWith("0")) - .createFinding(Severity.MEDIUM, "X-XSS-Protection manually disabled"); + .createFinding(Severity.LOW, "X-XSS-Protection manually disabled"); } private static HttpHeaderStrategy requireContentTypeOptionsToEqualNosniff() { return new HttpHeaderStrategy("X-Content-Type-Options") .ifMissing() - .createFinding(Severity.MEDIUM, "X-Content-Type-Options header missing") + .createFinding(Severity.LOW, "X-Content-Type-Options header missing") .ifTrue(value -> !value.equalsIgnoreCase("nosniff")) - .createFinding(Severity.MEDIUM, "X-Content-Type-Options misconfigured", value -> "X-Conntent-Type-Options should be set to 'nosniff' instead of '" + value + "'"); + .createFinding(Severity.LOW, "X-Content-Type-Options misconfigured", value -> "X-Conntent-Type-Options should be set to 'nosniff' instead of '" + value + "'"); } diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/NmapConfigProfile.java b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/NmapConfigProfile.java index c6329fe2..b3d5a9cf 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/NmapConfigProfile.java +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/NmapConfigProfile.java 
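Review bot: The `X-Content-Type-Options` misconfiguration description still spells the header `X-Conntent-Type-Options`, a user-visible typo in the finding text; change it to `"X-Content-Type-Options should be set to 'nosniff' instead of '" + value + "'"`. Lowering both checks to `Severity.LOW` is defensible, but `X-XSS-Protection` is deprecated and ignored by current Chromium and Firefox (and `1` without `mode=block` historically enabled filter-based leaks), so a "missing" finding for it is arguably informational, whereas `X-Content-Type-Options: nosniff` still matters for MIME-sniffing XSS and need not share the same severity. Record the rationale next to each strategy, e.g. `// LOW: header is obsolete in modern browsers; kept only for legacy user-agent coverage`.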
@@ -21,9 +21,9 @@ public enum NmapConfigProfile { HTTP_PORTS("-Pn -p 80,8080,443,8443"), + HTTP_PORTS_WITH_HTTP_HEADERS("-Pn -p 80,8080,443,8443 --script=http-headers"), TOP_100_PORTS("-Pn --top-ports 100"), - WITH_HTTP_HEADERS("--script=http-headers"); - + TOP_100_PORTS_WITH_HTTP_HEADERS("-Pn --top-ports 100 --script=http-headers"); private final String parameter; NmapConfigProfile(final String parameter) { diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java index 1d1441d0..c6f94520 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/java/io/securecodebox/scanprocesses/amassnmap/TransformAmassResultsToNmapInput.java 
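Review bot: The new constants `HTTP_PORTS_WITH_HTTP_HEADERS` and `TOP_100_PORTS_WITH_HTTP_HEADERS` repeat the port list `-Pn -p 80,8080,443,8443`, the `-Pn --top-ports 100` selector and the `--script=http-headers` suffix verbatim, so the two variants of each profile can drift apart on the next edit. A single constant for the port arguments and one for the script suffix (referenced by qualified name, which enum constant arguments allow) would keep them in sync. A one-line Javadoc on the enum stating that these strings are passed to nmap unchanged and are the only accepted values would also help, since the enum acts as the allow-list for scanner arguments.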
@@ -94,22 +94,29 @@ public void execute(DelegateExecution execution) throws Exception { } private String getNmapParameters(String nmapProfile, boolean withHttpHeaders) { - final String scriptModules = withHttpHeaders ? " " + NmapConfigProfile.WITH_HTTP_HEADERS.getParameter() : ""; - String defaultNmapParameters = NmapConfigProfile.HTTP_PORTS.getParameter(); + String defaultNmapParameters = (withHttpHeaders ? NmapConfigProfile.HTTP_PORTS_WITH_HTTP_HEADERS : NmapConfigProfile.HTTP_PORTS).getParameter(); if(nmapProfile == null) { LOG.info("No nmap profile set for combined amass-nmap test. Use http ports as default"); - return defaultNmapParameters + scriptModules; + return defaultNmapParameters; } switch (NmapConfigProfile.valueOf(nmapProfile)) { case HTTP_PORTS: - return NmapConfigProfile.HTTP_PORTS.getParameter() + scriptModules; + if (withHttpHeaders) { + return NmapConfigProfile.HTTP_PORTS_WITH_HTTP_HEADERS.getParameter(); + } else { + return NmapConfigProfile.HTTP_PORTS.getParameter(); + } case TOP_100_PORTS: - return NmapConfigProfile.TOP_100_PORTS.getParameter() + scriptModules; + if (withHttpHeaders) { + return NmapConfigProfile.TOP_100_PORTS_WITH_HTTP_HEADERS.getParameter(); + } else { + return NmapConfigProfile.TOP_100_PORTS.getParameter(); + } default: LOG.info("Invalid nmap profile set for combined amass-nmap test. Use http ports as default"); - return defaultNmapParameters + scriptModules; + return defaultNmapParameters; } } diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn index 471d5169..cdc8693f 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn +++ b/scb-scanprocesses/combined-amass-nmap-process/src/main/resources/bpmn/combined_amass_nmap_process.bpmn 
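Review bot: `NmapConfigProfile.valueOf(nmapProfile)` throws IllegalArgumentException for any name that is not an enum constant, so the `default:` branch that logs "Invalid nmap profile" is only reached for the two new constants `HTTP_PORTS_WITH_HTTP_HEADERS` and `TOP_100_PORTS_WITH_HTTP_HEADERS`, which are valid profiles but are treated as invalid here; a truly unknown profile name escapes the method as an exception instead of falling back to the default. Catching the IllegalArgumentException around `valueOf` and adding the two new constants as cases returning `profile.getParameter()` fixes both; the withHttpHeaders branching in the existing cases can then stay as written. Where `nmapProfile` originates (a process variable, presumably) is outside the hunk, so whether callers validate it first cannot be confirmed here.
```java
private String getNmapParameters(String nmapProfile, boolean withHttpHeaders) {
    // … unchanged: defaultNmapParameters and the null-profile fallback …
    NmapConfigProfile profile;
    try {
        profile = NmapConfigProfile.valueOf(nmapProfile);
    } catch (IllegalArgumentException e) {
        // valueOf rejects unknown names, so the switch below never sees them
        LOG.info("Invalid nmap profile set for combined amass-nmap test. Use http ports as default");
        return defaultNmapParameters;
    }
    switch (profile) {
        // … unchanged: HTTP_PORTS and TOP_100_PORTS cases …
        case HTTP_PORTS_WITH_HTTP_HEADERS:
        case TOP_100_PORTS_WITH_HTTP_HEADERS:
            return profile.getParameter();
        // … unchanged: default branch …
    }
}
```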
@@ -88,16 +88,16 @@ SequenceFlow_133ju0r - SequenceFlow_0gqomie SequenceFlow_020pm77 + SequenceFlow_0gqomie - - - ${PARSE_HTTP_HEADERS == true} - ${PARSE_HTTP_HEADERS == false} + + ${PARSE_HTTP_HEADERS == true} + + @@ -117,6 +117,9 @@ + + + @@ -229,7 +232,7 @@ - + @@ -238,11 +241,11 @@ - - - + + + - + @@ -253,11 +256,11 @@ - - - + + + - + diff --git a/scb-scanprocesses/combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocess/amassnmap/CombinedAmassNmapProcessTest.java b/scb-scanprocesses/combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocess/amassnmap/CombinedAmassNmapProcessTest.java index 75de7d34..540e7d45 100644 --- a/scb-scanprocesses/combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocess/amassnmap/CombinedAmassNmapProcessTest.java +++ b/scb-scanprocesses/combined-amass-nmap-process/src/test/java/io/securecodebox/scanprocess/amassnmap/CombinedAmassNmapProcessTest.java @@ -109,6 +109,7 @@ public void init() { //Creating a map of default variables for the process defaultVariables.put(DefaultFields.PROCESS_AUTOMATED.name(), true); defaultVariables.put(DefaultFields.PROCESS_CONTEXT.name(), "BodgeIT"); + defaultVariables.put("PARSE_HTTP_HEADERS", false); /* Mocking everything in the BPMN Model From 9ff7ad4121ed42d06cd1042f5135ce48cd9cd92d Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Mon, 28 Jan 2019 13:59:20 +0100 Subject: [PATCH 249/257] changed defect dojo tool configuration from url to id --- .../securecodebox/persistence/DefectDojoService.java | 4 ++-- .../io/securecodebox/persistence/models/ToolType.java | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java index 3a25dd6f..08e466da 100644 
--- a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java +++ b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java @@ -131,11 +131,11 @@ public String getToolConfiguration(String toolUrl, String toolType){ HttpEntity toolTypeRequest = new HttpEntity(getHeaders()); String toolTypeRequestUri = defectDojoUrl + "/api/v2/tool_types/?name=" + toolType; ResponseEntity> toolTypeResponse = restTemplate.exchange(toolTypeRequestUri, HttpMethod.GET, toolTypeRequest, new ParameterizedTypeReference>(){}); - String toolTypeUri = toolTypeResponse.getBody().getResults().get(0).getUrl(); + String toolTypeId = toolTypeResponse.getBody().getResults().get(0).getId(); ToolConfig toolConfig = new ToolConfig(); toolConfig.setName(toolUrl); - toolConfig.setToolType(toolTypeUri); + toolConfig.setToolType(toolTypeId); toolConfig.setConfigUrl(toolUrl); toolConfig.setDescription(toolType); diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/ToolType.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/ToolType.java index b865638e..d6a5b7b4 100644 --- a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/ToolType.java +++ b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/ToolType.java @@ -4,7 +4,7 @@ public class ToolType { @JsonProperty - String url; + String id; @JsonProperty String name; @@ -12,12 +12,12 @@ public class ToolType { @JsonProperty String description; - public String getUrl() { - return url; + public String getId() { + return id; } - public void setUrl(String url) { - this.url = url; + public void setId(String id) { + this.id = id; } public String getName() { 
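Review bot: The new line `String toolTypeId = toolTypeResponse.getBody().getResults().get(0).getId();` reads the first result without checking the response count, so an unknown `toolType` name produces an IndexOutOfBoundsException rather than a meaningful error; the sibling lookups in this class guard the same pattern with `getCount()`. Add `if (toolTypeResponse.getBody().getCount() != 1) { throw new IllegalStateException("Tool type '" + toolType + "' not found in DefectDojo"); }` before the read. The same unchecked `get(0)` is carried into `createToolConfiguration` in the later DefectDojoService hunk of PATCH 251. `checkToolTypes()` in the persistence provider may create the types up front, which would make this unreachable in practice, but that is not visible here. Note also that `ToolType.id` is mapped as `String` in this commit while the later model changes map DefectDojo ids as `long`/`Long`.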
From 600532203eee71ab08de7f02915330bef352ad70 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6ran=20Tesse?=
Date: Mon, 28 Jan 2019 15:13:14 +0100
Subject: [PATCH 250/257] added gui option to start nmap with http-headers script
---
.../delegate/ConfigureHttpHeaderCheck.java | 56 +++++++++++++++++++
.../src/main/resources/bpmn/nmap_process.bpmn | 15 +++++
.../nmap/configure-port-scanner-target.html | 1 +
3 files changed, 72 insertions(+)
create mode 100644 scb-scanprocesses/nmap-process/src/main/java/io/securecodebox/scanprocess/nmap/delegate/ConfigureHttpHeaderCheck.java
diff --git a/scb-scanprocesses/nmap-process/src/main/java/io/securecodebox/scanprocess/nmap/delegate/ConfigureHttpHeaderCheck.java b/scb-scanprocesses/nmap-process/src/main/java/io/securecodebox/scanprocess/nmap/delegate/ConfigureHttpHeaderCheck.java
new file mode 100644
index 00000000..5f913ac9
--- /dev/null
+++ b/scb-scanprocesses/nmap-process/src/main/java/io/securecodebox/scanprocess/nmap/delegate/ConfigureHttpHeaderCheck.java
@@ -0,0 +1,56 @@
+package io.securecodebox.scanprocess.nmap.delegate;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import io.securecodebox.constants.DefaultFields;
+import io.securecodebox.model.execution.ScanProcessExecutionFactory;
+import io.securecodebox.model.execution.Target;
+import org.camunda.bpm.engine.delegate.DelegateExecution;
+import org.camunda.bpm.engine.delegate.JavaDelegate;
+import org.camunda.bpm.engine.variable.Variables;
+import org.camunda.bpm.engine.variable.value.ObjectValue;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+import java.util.List;
+
+@Component
+public class ConfigureHttpHeaderCheck implements JavaDelegate {
+ private static final Logger LOG = LoggerFactory.getLogger(ConfigureHttpHeaderCheck.class);
+
+ @Autowired
+ ScanProcessExecutionFactory processExecutionFactory;
+
+ @Autowired
+ ObjectMapper objectMapper;
+
+ @Override
+ public void execute(DelegateExecution execution) throws Exception {
+
+ LOG.info("Configuring execution profile for http header check...");
+
+ try {
+
+ String targetsAsString = objectMapper.writeValueAsString(execution.getVariable(DefaultFields.PROCESS_TARGETS.name()));
+ List targets = objectMapper.readValue(objectMapper.readValue(targetsAsString, String.class),
+ objectMapper.getTypeFactory().constructCollectionType(List.class, Target.class));
+
+ for (Target target : targets) {
+ target.appendOrUpdateAttribute("NMAP_PARAMETER", "-Pn -p 80,8080,443,8443 --script=http-headers");
+ }
+
+ ObjectValue objectValue = Variables.objectValue(objectMapper.writeValueAsString(targets))
+ .serializationDataFormat(Variables.SerializationDataFormats.JSON)
+ .create();
+ execution.setVariable(DefaultFields.PROCESS_TARGETS.name(), objectValue);
+
+ LOG.info("Finished configuring execution profile");
+
+ } catch 
(JsonProcessingException e) { + throw new IllegalStateException("Can't write field to process!", e); + } + + } + +} diff --git a/scb-scanprocesses/nmap-process/src/main/resources/bpmn/nmap_process.bpmn b/scb-scanprocesses/nmap-process/src/main/resources/bpmn/nmap_process.bpmn index 53d5239f..d840ebdf 100644 --- a/scb-scanprocesses/nmap-process/src/main/resources/bpmn/nmap_process.bpmn +++ b/scb-scanprocesses/nmap-process/src/main/resources/bpmn/nmap_process.bpmn @@ -17,6 +17,7 @@ SequenceFlow_ManualStart SequenceFlow_DefaultConfig SequenceFlow_AdvancedConfig + SequenceFlow_0whyqlc @@ -84,6 +85,7 @@ SequenceFlow_PortscanConfigured SequenceFlow_DefaultConfig SequenceFlow_AutomatedStart + SequenceFlow_0whyqlc SequenceFlow_PortscanFinished @@ -94,6 +96,12 @@ + + + + + + results in a generic format @@ -259,6 +267,13 @@ + + + + + + + diff --git a/scb-scanprocesses/nmap-process/src/main/resources/forms/nmap/configure-port-scanner-target.html b/scb-scanprocesses/nmap-process/src/main/resources/forms/nmap/configure-port-scanner-target.html index db0a870d..c5e1ddd2 100644 --- a/scb-scanprocesses/nmap-process/src/main/resources/forms/nmap/configure-port-scanner-target.html +++ b/scb-scanprocesses/nmap-process/src/main/resources/forms/nmap/configure-port-scanner-target.html @@ -142,6 +142,7 @@
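Review bot: `ScanProcessExecutionFactory processExecutionFactory` is autowired in the new `ConfigureHttpHeaderCheck` but never used in `execute`, so it should be dropped or the delegate should obtain its targets through it like the other delegates appear to. The nested `objectMapper.readValue(objectMapper.readValue(targetsAsString, String.class), …)` relies on the PROCESS_TARGETS variable being a JSON string that itself contains the serialized target list, which is not obvious to a reader; a comment such as `// PROCESS_TARGETS is stored as a JSON string wrapping the serialized target list, hence the two-step parse` would document the contract, and a Javadoc on the class stating that it forces the NMAP_PARAMETER attribute of every target to the http-headers profile would describe its side effect. The literal `"-Pn -p 80,8080,443,8443 --script=http-headers"` also duplicates the profile string kept in `NmapConfigProfile` of the combined process; since that enum lives in a different module, at least a named constant in this class is warranted.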

Portscan Target

cam-variable-name="NMAP_CONFIGURATION_TYPE" cam-variable-type="String"> + From e792d1294ce0f5acbe2ca5a0363af1c816219754 Mon Sep 17 00:00:00 2001 From: Martin Lang Date: Mon, 28 Jan 2019 16:22:45 +0100 Subject: [PATCH 251/257] Changed urls to ids in defectdojo service calls --- .../DefectDojoPersistenceProvider.java | 18 +++--- .../persistence/DefectDojoService.java | 61 +++++++++++-------- .../persistence/models/DefectDojoProduct.java | 2 +- .../persistence/models/DefectDojoUser.java | 10 +-- .../persistence/models/EngagementPayload.java | 10 +-- .../models/EngagementResponse.java | 10 +-- .../persistence/models/ToolConfig.java | 11 ++++ .../DefectDojoPersistenceProviderTest.java | 36 +++++------ 8 files changed, 89 insertions(+), 69 deletions(-) diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java index 471559f5..f2f9db0d 100644 --- a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java +++ b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java 
@@ -70,17 +70,17 @@ public void persist(SecurityTest securityTest) throws PersistenceException { checkToolTypes(); EngagementResponse res = createEngagement(securityTest); - String engagementUrl = res.getUrl(); - LOG.debug("Created engagement: '{}'", engagementUrl); + long engagementId = res.getId(); + LOG.debug("Created engagement: '{}'", engagementId); String username = securityTest.getMetaData().get(DefectDojoMetaFields.DEFECT_DOJO_USER.name()); - String userUrl = defectDojoService.getUserUrl(username); + long userUrl = defectDojoService.retrieveUserId(username); List results = getDefectDojoScanName(securityTest.getName()).equals("Generic Findings Import") ? getGenericResults(securityTest) : getRawResults(securityTest); for (String result : results) { defectDojoService.createFindings( result, - engagementUrl, + engagementId, userUrl, currentDate(), getDefectDojoScanName(securityTest.getName()) @@ -157,7 +157,7 @@ private List getGenericResults(SecurityTest securityTest) { private EngagementResponse createEngagement(SecurityTest securityTest) { EngagementPayload engagementPayload = new EngagementPayload(); - engagementPayload.setProduct(defectDojoService.getProductUrl(securityTest.getContext())); + engagementPayload.setProduct(defectDojoService.retrieveProductId(securityTest.getContext())); if(securityTest.getMetaData() == null){ securityTest.setMetaData(new HashMap<>()); 
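Review bot: `long userUrl = defectDojoService.retrieveUserId(username);` keeps a name that no longer matches its content and unboxes the `Long` that `retrieveUserId` is declared to return in this commit's DefectDojoService hunk; if the null-username branch of that method (outside the visible hunk) returns null, the assignment throws NullPointerException before `createFindings` is reached. Rename it to `long userId = defectDojoService.retrieveUserId(username);` and pass `userId` in the `createFindings` call, and either declare `retrieveUserId` as primitive `long` to match `retrieveProductId` or check for null here. The enclosing `persist` method starts and ends outside the hunk.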
@@ -165,7 +165,7 @@ private EngagementResponse createEngagement(SecurityTest securityTest) { engagementPayload.setName(securityTest.getMetaData().get(CommonMetaFields.SCB_ENGAGEMENT_TITLE.name()) != null ? securityTest.getMetaData().get(CommonMetaFields.SCB_ENGAGEMENT_TITLE.name()) : getDefectDojoScanName(securityTest.getName())); - engagementPayload.setLead(defectDojoService.getUserUrl(securityTest.getMetaData().get(DefectDojoMetaFields.DEFECT_DOJO_USER.name()))); + engagementPayload.setLead(defectDojoService.retrieveUserId(securityTest.getMetaData().get(DefectDojoMetaFields.DEFECT_DOJO_USER.name()))); engagementPayload.setDescription(descriptionGenerator.generate(securityTest)); engagementPayload.setBranch(securityTest.getMetaData().get(CommonMetaFields.SCB_BRANCH.name())); engagementPayload.setBuildID(securityTest.getMetaData().get(CommonMetaFields.SCB_BUILD_ID.name())); 
@@ -173,9 +173,9 @@ private EngagementResponse createEngagement(SecurityTest securityTest) { engagementPayload.setRepo(securityTest.getMetaData().get(CommonMetaFields.SCB_REPO.name())); engagementPayload.setTracker(securityTest.getMetaData().get(CommonMetaFields.SCB_TRACKER.name())); - engagementPayload.setBuildServer(defectDojoService.getToolConfiguration(securityTest.getMetaData().get(CommonMetaFields.SCB_BUILD_SERVER.name()), BUILD_SERVER_NAME)); - engagementPayload.setScmServer(defectDojoService.getToolConfiguration(securityTest.getMetaData().get(CommonMetaFields.SCB_SCM_SERVER.name()), GIT_SERVER_NAME)); - engagementPayload.setOrchestrationEngine(defectDojoService.getToolConfiguration("https://github.com/secureCodeBox", SECURITY_TEST_SERVER_NAME)); + engagementPayload.setBuildServer(defectDojoService.retrieveOrCreateToolConfiguration(securityTest.getMetaData().get(CommonMetaFields.SCB_BUILD_SERVER.name()), BUILD_SERVER_NAME)); + engagementPayload.setScmServer(defectDojoService.retrieveOrCreateToolConfiguration(securityTest.getMetaData().get(CommonMetaFields.SCB_SCM_SERVER.name()), GIT_SERVER_NAME)); + engagementPayload.setOrchestrationEngine(defectDojoService.retrieveOrCreateToolConfiguration("https://github.com/secureCodeBox", SECURITY_TEST_SERVER_NAME)); engagementPayload.setTargetStart(currentDate()); engagementPayload.setTargetEnd(currentDate()); diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java index 08e466da..6690ee84 100644 --- a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java +++ b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java 
@@ -82,7 +82,7 @@ public void createToolType(String name, String description){
 restTemplate.exchange(defectDojoUrl + "/api/v2/tool_types/", HttpMethod.POST, toolPayload, ToolType.class);
 }
- public String getUserUrl(String username){
+ public Long retrieveUserId(String username){
 RestTemplate restTemplate = new RestTemplate();
 if(username == null){ 
@@ -93,57 +93,66 @@ public String getUserUrl(String username){ HttpEntity userRequest = new HttpEntity(getHeaders()); ResponseEntity> userResponse = restTemplate.exchange(uri, HttpMethod.GET, userRequest, new ParameterizedTypeReference>(){}); if(userResponse.getBody().getCount() == 1){ - return userResponse.getBody().getResults().get(0).getUrl(); + return userResponse.getBody().getResults().get(0).getId(); } else { throw new DefectDojoUserNotFound(MessageFormat.format("Could not find user: \"{0}\" in DefectDojo", username)); } } - public String getProductUrl(String product){ + public long retrieveProductId(String product){ RestTemplate restTemplate = new RestTemplate(); String uri = defectDojoUrl + "/api/v2/products/?name=" + product; HttpEntity productRequest = new HttpEntity(getHeaders()); ResponseEntity> productResponse = restTemplate.exchange(uri, HttpMethod.GET, productRequest, new ParameterizedTypeReference>(){}); if(productResponse.getBody().getCount() == 1){ - return productResponse.getBody().getResults().get(0).getUrl(); + return productResponse.getBody().getResults().get(0).getId(); } else { throw new DefectDojoProductNotFound(MessageFormat.format("Could not find product: \"{0}\" in DefectDojo", product)); } } - public String getToolConfiguration(String toolUrl, String toolType){ - RestTemplate restTemplate = new RestTemplate(); - + public Long retrieveOrCreateToolConfiguration(String toolUrl, String toolType){ if (toolUrl == null){ return null; } - String uri = defectDojoUrl + "/api/v2/tool_configurations/?url=" + toolUrl; - HttpEntity toolRequest = new HttpEntity(getHeaders()); - ResponseEntity> toolResponse = restTemplate.exchange(uri, HttpMethod.GET, toolRequest, new ParameterizedTypeReference>(){}); + ResponseEntity> toolResponse = retrieveToolConfiguration(toolUrl); if(toolResponse.getBody().getCount() > 0){ - return toolResponse.getBody().getResults().get(0).getUrl(); + LOG.info("Tool configuration already exists. 
Returning existing configuration."); + return toolResponse.getBody().getResults().get(0).getId(); } else { - HttpEntity toolTypeRequest = new HttpEntity(getHeaders()); - String toolTypeRequestUri = defectDojoUrl + "/api/v2/tool_types/?name=" + toolType; - ResponseEntity> toolTypeResponse = restTemplate.exchange(toolTypeRequestUri, HttpMethod.GET, toolTypeRequest, new ParameterizedTypeReference>(){}); - String toolTypeId = toolTypeResponse.getBody().getResults().get(0).getId(); + LOG.info("Tool configuration does not exist yet. Creating new configuration."); + createToolConfiguration(toolUrl, toolType); + return retrieveToolConfiguration(toolUrl).getBody().getResults().get(0).getId(); + } + } + + private ResponseEntity> retrieveToolConfiguration(String toolUrl) { + RestTemplate restTemplate = new RestTemplate(); + String uri = defectDojoUrl + "/api/v2/tool_configurations/?url=" + toolUrl; + HttpEntity toolRequest = new HttpEntity(getHeaders()); + return restTemplate.exchange(uri, HttpMethod.GET, toolRequest, new ParameterizedTypeReference>(){}); + } - ToolConfig toolConfig = new ToolConfig(); - toolConfig.setName(toolUrl); - toolConfig.setToolType(toolTypeId); - toolConfig.setConfigUrl(toolUrl); - toolConfig.setDescription(toolType); + private void createToolConfiguration(String toolUrl, String toolType) { + HttpEntity toolTypeRequest = new HttpEntity(getHeaders()); + String toolTypeRequestUri = defectDojoUrl + "/api/v2/tool_types/?name=" + toolType; + RestTemplate restTemplate = new RestTemplate(); + ResponseEntity> toolTypeResponse = restTemplate.exchange(toolTypeRequestUri, HttpMethod.GET, toolTypeRequest, new ParameterizedTypeReference>(){}); + String toolTypeId = toolTypeResponse.getBody().getResults().get(0).getId(); - HttpEntity toolPayload = new HttpEntity<>(toolConfig, getHeaders()); - restTemplate.exchange(defectDojoUrl + "/api/v2/tool_configurations/", HttpMethod.POST, toolPayload, ToolConfig.class); - return getToolConfiguration(toolUrl, toolType); + 
ToolConfig toolConfig = new ToolConfig(); + toolConfig.setName(toolUrl); + toolConfig.setToolType(toolTypeId); + toolConfig.setConfigUrl(toolUrl); + toolConfig.setDescription(toolType); - } + HttpEntity toolPayload = new HttpEntity<>(toolConfig, getHeaders()); + restTemplate.exchange(defectDojoUrl + "/api/v2/tool_configurations/", HttpMethod.POST, toolPayload, ToolConfig.class); } public EngagementResponse createEngagement(EngagementPayload engagementPayload) { @@ -161,14 +170,14 @@ public EngagementResponse createEngagement(EngagementPayload engagementPayload) } } - public ImportScanResponse createFindings(String rawResult, String engagementUrl, String lead, String currentDate,String defectDojoScanName) { + public ImportScanResponse createFindings(String rawResult, long engagementId, long lead, String currentDate,String defectDojoScanName) { RestTemplate restTemplate = new RestTemplate(); HttpHeaders headers = getHeaders(); headers.setContentType(MediaType.MULTIPART_FORM_DATA); restTemplate.setMessageConverters(Arrays.asList(new FormHttpMessageConverter(), new ResourceHttpMessageConverter(), new MappingJackson2HttpMessageConverter())); MultiValueMap mvn = new LinkedMultiValueMap<>(); - mvn.add("engagement", engagementUrl); + mvn.add("engagement", engagementId); mvn.add("lead", lead); mvn.add("scan_date", currentDate); mvn.add("scan_type", defectDojoScanName); diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/DefectDojoProduct.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/DefectDojoProduct.java index 95593630..ab20285a 100644 --- a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/DefectDojoProduct.java +++ b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/DefectDojoProduct.java 
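Review bot: After the POST in `createToolConfiguration`, `retrieveOrCreateToolConfiguration` re-queries by `toolUrl` and reads `getResults().get(0)` without checking the count, so if the lookup does not match the freshly created object (PATCH 252 on this page changes the filter from `?url=` to `?name=` for exactly that reason) the result is an IndexOutOfBoundsException rather than a clear error; the POST already returns a `ToolConfig`, which now carries an `id`, so returning that body's id avoids the second round-trip and the unchecked read. Separately, `retrieveToolConfiguration` builds `"/api/v2/tool_configurations/?url=" + toolUrl` by concatenation, and `toolUrl` is taken from security-test metadata (SCB_BUILD_SERVER, SCB_SCM_SERVER), so a value containing `&` or `#` changes the query rather than being matched literally; building the URI with `UriComponentsBuilder` and `queryParam` encodes it, and the same applies to the `?name=` variant in PATCH 252 and to the `retrieveUserId`/`retrieveProductId` lookups above.
```java
} else {
    LOG.info("Tool configuration does not exist yet. Creating new configuration.");
    // use the id DefectDojo returns for the created object instead of re-querying and reading get(0)
    return createToolConfiguration(toolUrl, toolType).getId();
}
// … unchanged: retrieveToolConfiguration …
private ToolConfig createToolConfiguration(String toolUrl, String toolType) {
    // … unchanged: tool type lookup and ToolConfig payload construction …
    HttpEntity<ToolConfig> toolPayload = new HttpEntity<>(toolConfig, getHeaders());
    return restTemplate.exchange(defectDojoUrl + "/api/v2/tool_configurations/", HttpMethod.POST, toolPayload, ToolConfig.class).getBody();
}
```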
@@ -8,7 +8,7 @@ @Data public class DefectDojoProduct { @JsonProperty - String url; + long id; @JsonProperty String name; diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/DefectDojoUser.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/DefectDojoUser.java index 826113c6..6aea32c6 100644 --- a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/DefectDojoUser.java +++ b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/DefectDojoUser.java @@ -4,7 +4,7 @@ public class DefectDojoUser { @JsonProperty - String url; + Long id; @JsonProperty String username; @@ -15,12 +15,12 @@ public class DefectDojoUser { @JsonProperty("last_name") String lastName; - public String getUrl() { - return url; + public Long getId() { + return id; } - public void setUrl(String url) { - this.url = url; + public void setId(Long id) { + this.id = id; } public String getUsername() { diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/EngagementPayload.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/EngagementPayload.java index 27ee170c..2bf1283f 100644 --- a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/EngagementPayload.java +++ b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/EngagementPayload.java @@ -31,7 +31,7 @@ public class EngagementPayload { protected String name; @JsonProperty - protected String product; + protected long product; @JsonProperty("target_start") protected String targetStart; 
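Review bot: `DefectDojoProduct` maps the DefectDojo id as primitive `long` while `DefectDojoUser` in the next hunk maps it as `Long`, and `EngagementResponse` and `ToolConfig` later in this commit use `long` again; with a primitive field a response that lacks `id` deserializes silently to `0`, which then flows into engagement payloads as a foreign key, whereas a boxed `Long` leaves the absence detectable. Pick one representation for all four models, and if the primitive is kept, document it with `// 0 means the response carried no id; callers must treat it as "not found"` or validate before use. `EngagementPayload` in the same hunk line mixes `long product` with `Long lead`, which looks like the same inconsistency.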
@@ -40,7 +40,7 @@ public class EngagementPayload { protected String targetEnd; @JsonProperty - protected String lead; + protected Long lead; @JsonProperty("engagement_type") protected String engagementType = "CI/CD"; @@ -67,13 +67,13 @@ public class EngagementPayload { protected String repo; @JsonProperty("build_server") - protected String buildServer; + protected Long buildServer; @JsonProperty("source_code_management_server") - protected String scmServer; + protected Long scmServer; @JsonProperty("orchestration_engine") - protected String orchestrationEngine; + protected Long orchestrationEngine; @JsonProperty protected String description; diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/EngagementResponse.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/EngagementResponse.java index d4d468e0..b4bd7911 100644 --- a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/EngagementResponse.java +++ b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/EngagementResponse.java @@ -22,13 +22,13 @@ public class EngagementResponse { @JsonProperty - protected String url; + protected long id; - public String getUrl() { - return url; + public long getId() { + return id; } - public void setUrl(String url) { - this.url = url; + public void setId(long id) { + this.id = id; } } diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/ToolConfig.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/ToolConfig.java index 22db9c18..b541cb3d 100644 --- a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/ToolConfig.java 
+++ b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/ToolConfig.java @@ -3,6 +3,9 @@ import com.fasterxml.jackson.annotation.JsonProperty; public class ToolConfig { + @JsonProperty + long id; + @JsonProperty String url; @@ -18,6 +21,14 @@ public class ToolConfig { @JsonProperty String description; + public long getId() { + return id; + } + + public void setId(long id) { + this.id = id; + } + public String getDescription() { return description; } diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/test/java/io/securecodebox/persistence/DefectDojoPersistenceProviderTest.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/test/java/io/securecodebox/persistence/DefectDojoPersistenceProviderTest.java index 7c47b9a7..da045633 100644 --- a/scb-persistenceproviders/defectdojo-persistenceprovider/src/test/java/io/securecodebox/persistence/DefectDojoPersistenceProviderTest.java +++ b/scb-persistenceproviders/defectdojo-persistenceprovider/src/test/java/io/securecodebox/persistence/DefectDojoPersistenceProviderTest.java 
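Review bot: The new `@JsonProperty long id` on `ToolConfig` is also serialized when `ToolConfig` is used as the POST payload in `createToolConfiguration`, so every creation request now carries `"id":0`; whether DefectDojo ignores or rejects a client-supplied id is not visible here. Marking the field as response-only with `@JsonProperty(access = JsonProperty.Access.WRITE_ONLY)` (or `Long id` plus a non-null inclusion rule) keeps it out of the outgoing payload while still reading it from responses. A short comment, `// assigned by DefectDojo; never sent on create`, would document the intent.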
@@ -55,23 +55,23 @@ public void setUp() { when(defectDojoService.getToolTypeByName(any())).thenReturn(responseExisting); EngagementResponse engagementResponse = new EngagementResponse(); - engagementResponse.setUrl("http://localhost:8000/api/v2/engagements/2/"); + engagementResponse.setId(2); when(defectDojoService.createEngagement(any())).thenReturn(engagementResponse); - when(defectDojoService.getProductUrl("Nmap Scan 11")).thenReturn("http://localhost:8000/api/v2/products/1/"); - when(defectDojoService.getProductUrl("Nonexisting")).thenThrow(DefectDojoProductNotFound.class); + when(defectDojoService.retrieveProductId("Nmap Scan 11")).thenReturn(1l); + when(defectDojoService.retrieveProductId("Nonexisting")).thenThrow(DefectDojoProductNotFound.class); metaData = new HashMap<>(); metaData.put(DefectDojoMetaFields.DEFECT_DOJO_USER.name(), "John Doe"); - when(defectDojoService.getUserUrl(eq("John Doe"))).thenReturn("http://localhost:8000/api/v2/users/5/"); + when(defectDojoService.retrieveUserId(eq("John Doe"))).thenReturn(5l); report = new Report(); report.setRawFindings("\"[]\""); report.setFindings(Collections.emptyList()); - when(defectDojoService.getToolConfiguration(eq("http://crazy.buildserver"), eq("Build Server"))).thenReturn("http://localhost:8000/api/v2/tool_types/5/"); - when(defectDojoService.getToolConfiguration(eq("http://crazy.scm_server"), eq("Git Server"))).thenReturn("http://localhost:8000/api/v2/tool_types/7/"); - when(defectDojoService.getToolConfiguration(eq("https://github.com/secureCodeBox"), eq("Security Test Orchestration Engine"))).thenReturn("http://localhost:8000/api/v2/tool_types/9/"); + when(defectDojoService.retrieveOrCreateToolConfiguration(eq("http://crazy.buildserver"), eq("Build Server"))).thenReturn(5l); + when(defectDojoService.retrieveOrCreateToolConfiguration(eq("http://crazy.scm_server"), eq("Git Server"))).thenReturn(7l); + when(defectDojoService.retrieveOrCreateToolConfiguration(eq("https://github.com/secureCodeBox"), 
eq("Security Test Orchestration Engine"))).thenReturn(9l); } @@ -130,16 +130,16 @@ public void createsTheEngagement(){ EngagementPayload payload = new EngagementPayload(); payload.setStatus(EngagementPayload.Status.COMPLETED); payload.setName("Nmap Scan"); - payload.setProduct("http://localhost:8000/api/v2/products/1/"); - payload.setLead("http://localhost:8000/api/v2/users/5/"); + payload.setProduct(1l); + payload.setLead(5l); payload.setBranch("master"); payload.setRepo("https://github.com/secureCodeBox/engine"); payload.setDescription("Foobar Description"); payload.setTargetStart("2019-01-07"); payload.setTargetEnd("2019-01-07"); - payload.setBuildServer("http://localhost:8000/api/v2/tool_types/5/"); - payload.setScmServer("http://localhost:8000/api/v2/tool_types/7/"); - payload.setOrchestrationEngine("http://localhost:8000/api/v2/tool_types/9/"); + payload.setBuildServer(5l); + payload.setScmServer(7l); + payload.setOrchestrationEngine(9l); persistenceProvider.persist(securityTest); @@ -150,7 +150,7 @@ public void createsTheEngagement(){ @Test(expected = DefectDojoUserNotFound.class) public void failsIfUserCouldNotBeFound(){ - when(defectDojoService.getUserUrl(any())).thenThrow(new DefectDojoUserNotFound("")); + when(defectDojoService.retrieveUserId(any())).thenThrow(new DefectDojoUserNotFound("")); SecurityTest securityTest = new SecurityTest(); securityTest.setContext("Nmap Scan 11"); @@ -195,8 +195,8 @@ public void createsFindingsForSupportedScanner() throws JsonProcessingException persistenceProvider.persist(securityTest); verify(defectDojoService, times(1)).createFindings( eq("\n"), - eq("http://localhost:8000/api/v2/engagements/2/"), - eq("http://localhost:8000/api/v2/users/5/"), + eq(2l), + eq(5l), eq("2019-01-07"), eq("Nmap Scan") ); 
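Review bot: The new stubs and expectations use the lowercase long suffix (`thenReturn(1l)`, `setProduct(1l)`, `eq(2l)`), which reads as `11`/`21` in most fonts; use the uppercase form, e.g. `thenReturn(1L)`, throughout. The same suffix appears in the `createsFindingsForNonSupportedScanner` hunk on the following line. Style only, behaviour is unaffected.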
@@ -225,10 +225,10 @@ public void createsFindingsForNonSupportedScanner() {
 verify(defectDojoService, times(1)).createFindings(
 eq( "date,title,cweid,url,severity,description,mitigation,impact,references,active,verified,falsepositive,duplicate\n"+ "2019-01-07,findingname,,http://someadress,INFORMATIONAL,description,,,,,,false,false"),
- eq("http://localhost:8000/api/v2/engagements/2/"),
- eq("http://localhost:8000/api/v2/users/5/"),
+ eq(2l),
+ eq(5l),
 eq("2019-01-07"),
 eq("Generic Findings Import")
 );
 }
-}
\ No newline at end of file
+}

From 21ab5a47371b6e2e2ead9c33d552ee88a74b93d2 Mon Sep 17 00:00:00 2001
From: Martin Lang
Date: Tue, 29 Jan 2019 13:58:41 +0100
Subject: [PATCH 252/257] changed parameter for defect dojo endpoint
---
 .../java/io/securecodebox/persistence/DefectDojoService.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java
index 6690ee84..cd4329a5 100644
--- a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java
+++ b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java
@@ -133,7 +133,7 @@ public Long retrieveOrCreateToolConfiguration(String toolUrl, String toolType){
 private ResponseEntity> retrieveToolConfiguration(String toolUrl) {
 RestTemplate restTemplate = new RestTemplate();
- String uri = defectDojoUrl + "/api/v2/tool_configurations/?url=" + toolUrl;
+ String uri = defectDojoUrl + "/api/v2/tool_configurations/?name=" + toolUrl;
 HttpEntity toolRequest = new HttpEntity(getHeaders());
 return restTemplate.exchange(uri, HttpMethod.GET, toolRequest, new ParameterizedTypeReference>(){});
 }
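Review bot: The added line still builds the query string by concatenating `toolUrl` unencoded, so a value containing `&`, `#` or `{` is not matched as a literal `name` but alters the request (extra query parameters, a truncated query, or an expansion error because `RestTemplate.exchange(String, …)` treats the string as a URI template). Encode the value and hand `exchange` a `java.net.URI` so the template is not re-encoded, e.g. `URI uri = UriComponentsBuilder.fromHttpUrl(defectDojoUrl).path("/api/v2/tool_configurations/").queryParam("name", UriUtils.encodeQueryParam(toolUrl, StandardCharsets.UTF_8)).build(true).toUri();`. The parameter is still called `toolUrl` although the filter is now `name`; if callers pass a tool name, rename it, otherwise add a comment explaining why a URL is matched against DefectDojo's `name` field.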
From 397d41f395a158f1c3562e896bc76eb6ee4dadfd Mon Sep 17 00:00:00 2001
From: Martin Lang
Date: Tue, 29 Jan 2019 15:04:24 +0100
Subject: [PATCH 253/257] converted long to string before sending it as payload
---
 .../java/io/securecodebox/persistence/DefectDojoService.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java
index cd4329a5..05e8be9b 100644
--- a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java
+++ b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java
@@ -177,8 +177,8 @@ public ImportScanResponse createFindings(String rawResult, long engagementId, lo
 restTemplate.setMessageConverters(Arrays.asList(new FormHttpMessageConverter(), new ResourceHttpMessageConverter(), new MappingJackson2HttpMessageConverter()));
 MultiValueMap mvn = new LinkedMultiValueMap<>();
- mvn.add("engagement", engagementId);
- mvn.add("lead", lead);
+ mvn.add("engagement", Long.toString(engagementId));
+ mvn.add("lead", Long.toString(lead));
 mvn.add("scan_date", currentDate);
 mvn.add("scan_type", defectDojoScanName);

From 7387cfa94aec029e890e67bb548d0db27bc61500 Mon Sep 17 00:00:00 2001
From: Martin Lang
Date: Wed, 30 Jan 2019 15:22:41 +0100
Subject: [PATCH 254/257] Add optional property to defect dojo persistence provider
---
 .../DefectDojoPersistenceProvider.java | 34 ++++++++++++++-----
 1 file changed, 25 insertions(+), 9 deletions(-)
diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java
index f2f9db0d..f09b8474 100644
--- a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java
+++ b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java
@@ -27,6 +27,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.stereotype.Component;
@@ -47,6 +48,9 @@ public class DefectDojoPersistenceProvider implements PersistenceProvider {
 private static final Logger LOG = LoggerFactory.getLogger(DefectDojoPersistenceProvider.class);
+ @Value("${securecodebox.persistence.defectdojo.optional:false}")
+ protected boolean isOptional;
+
 @Autowired
 DefectDojoService defectDojoService;
@@ -66,6 +70,18 @@ public void persist(SecurityTest securityTest) throws PersistenceException {
 LOG.debug("Starting defectdojo persistence provider");
 LOG.debug("RawFindings: {}", securityTest.getReport().getRawFindings());
+ try {
+ persistInDefectDojo(securityTest);
+ } catch (Exception e) {
+ // ignore error if defect dojo provider is set to optional
+ if(isOptional) {
+ LOG.error("Failed to persist security test in defect dojo", e);
+ return;
+ } else throw e;
+ }
+ }
+
+ private void persistInDefectDojo(SecurityTest securityTest) throws PersistenceException {
 checkConnection();
 checkToolTypes();
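Review bot: `catch (Exception e)` in the new `persist` body also catches every `RuntimeException`, so with `securecodebox.persistence.defectdojo.optional=true` a plain programming error (a null report, a mapping bug) is logged as a DefectDojo failure and the security test still completes; narrow the catch to `PersistenceException` plus whatever `DefectDojoService` is known to throw when DefectDojo is unreachable, and brace the else branch (`} else { throw e; }`). The log line should carry enough to find the dropped upload later, e.g. `LOG.error("Failed to persist security test {} in defect dojo", securityTest.getName(), e);` (SLF4J still attaches the throwable when it is the last argument). The `isOptional` field added in the `@@ -47` hunk deserves a Javadoc naming the property and default, e.g. `/** When true, DefectDojo failures are logged and ignored instead of failing the security test ({@code securecodebox.persistence.defectdojo.optional}, default false). */`. `persistInDefectDojo` continues past the end of this hunk.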
@@ -77,15 +93,15 @@ public void persist(SecurityTest securityTest) throws PersistenceException {
 long userUrl = defectDojoService.retrieveUserId(username);
 List results = getDefectDojoScanName(securityTest.getName()).equals("Generic Findings Import") ? getGenericResults(securityTest) : getRawResults(securityTest);
- for (String result : results) {
- defectDojoService.createFindings(
- result,
- engagementId,
- userUrl,
- currentDate(),
- getDefectDojoScanName(securityTest.getName())
- );
- }
+ for (String result : results) {
+ defectDojoService.createFindings(
+ result,
+ engagementId,
+ userUrl,
+ currentDate(),
+ getDefectDojoScanName(securityTest.getName())
+ );
+ }
 }
 static final String GIT_SERVER_NAME = "Git Server";

From 4bdf7c936a7a104884f6dca38e16776c75897716 Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Wed, 30 Jan 2019 15:45:15 +0100
Subject: [PATCH 255/257] Marked combined nmap-amass scan results as nmap. This ensures that the results are imported using the raw nmap result importer in defect-dojo.
---
 .../persistence/DefectDojoPersistenceProvider.java | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java
index f09b8474..f9595cf4 100644
--- a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java
+++ b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java
@@ -212,6 +212,9 @@ protected static String getDefectDojoScanName(String securityTestName) {
 scannerDefectDojoMapping.put("nmap", "Nmap Scan");
 scannerDefectDojoMapping.put("zap", "ZAP Scan");
+ // Map amass-nmap raw results to be imported as Nmap Results
+ scannerDefectDojoMapping.put("amass-nmap", "Nmap Scan");
+
 // Nikto is a supported tool as well but currently not accessible for supported import.
 // Nikto thus will use Generic Findings Import.

From 09c351c5b3be03dbb3f36ccd39a75cf0077a3fae Mon Sep 17 00:00:00 2001
From: Martin Lang
Date: Thu, 31 Jan 2019 12:32:21 +0100
Subject: [PATCH 256/257] Replaced old spring properties
---
 scb-engine/src/main/resources/application.yaml | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/scb-engine/src/main/resources/application.yaml b/scb-engine/src/main/resources/application.yaml
index 62f30f67..88becf07 100644
--- a/scb-engine/src/main/resources/application.yaml
+++ b/scb-engine/src/main/resources/application.yaml
@@ -14,13 +14,14 @@ server.ssl:
 key-alias: scb-engine
 # Spring Boot Actuator configuration
-# Used to enable an endpoint for health checks at '/health'
-management.port: 8080
-management.security.enabled: true
-endpoints:
- enabled: false
- health.enabled: true
- health.path: /status
+# Used to enable an endpoint for health checks at '/status'
+management.endpoints:
+ enabled-by-default: false
+ web.base-path: /
+ web.path-mapping.health: status
+management.endpoint.health.enabled: true
+
+management.server.port: 8080
 camunda.bpm:
 webapp.index-redirect-enabled: true

From ca1e8520dcfec1b7f9d4a0dbd8aa0d91130cff1f Mon Sep 17 00:00:00 2001
From: Martin Lang
Date: Thu, 31 Jan 2019 13:01:50 +0100
Subject: [PATCH 257/257] Fixed health check
---
 scb-engine/src/main/resources/application.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scb-engine/src/main/resources/application.yaml b/scb-engine/src/main/resources/application.yaml
index 88becf07..cc7cd809 100644 
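Review bot: The removed `management.security.enabled: true` has no counterpart among the added keys; that property no longer exists in Spring Boot 2, where actuator endpoints are protected only by whatever Spring Security configuration the application itself applies, so whether `/status` on port 8080 is meant to be reachable without authentication should be checked and written down here. `web.base-path: /` also moves the actuator off `/actuator`, so any endpoint enabled later (via `management.endpoints.web.exposure.include` or a per-endpoint `enabled` key) is served at the root of the management port. A comment next to the block keeps that visible, e.g. `# base-path '/' serves every enabled actuator endpoint at the root of the management port - keep enabled-by-default false`.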
--- a/scb-engine/src/main/resources/application.yaml
+++ b/scb-engine/src/main/resources/application.yaml
@@ -20,6 +20,7 @@ management.endpoints:
 web.base-path: /
 web.path-mapping.health: status
 management.endpoint.health.enabled: true
+management.health.elasticsearch.enabled: false
 management.server.port: 8080
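Review bot: Disabling the Elasticsearch health indicator makes `/status` report UP even when Elasticsearch cannot be reached, so if the engine persists results there (not visible in this hunk) the health check no longer covers that dependency and a dead backend shows up only as failed persistence later. Record the reason on the line itself and what monitors Elasticsearch instead, e.g. `# Elasticsearch indicator disabled: <reason placeholder>; ES availability is monitored by <component placeholder>`.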