This repository was archived by the owner on Oct 14, 2020. It is now read-only.
Declarative scan hook is failing in combination with scheduled scans #62
Closed
Labels: bug (Something isn't working)
Description
Describe the bug
Using scheduledScans in combination with an installed declarative-scan-hook will always fail, even if no cascading is defined in the scanSpec.
To Reproduce
- Create a new namespace like demo-scans
- Install the nmap scanType via helm into the namespace
- Install the demo-apps via helm into the namespace
- Install the declarative-scan-hook via helm into the namespace
- Apply a ScheduledScan to your namespace (with installed demo-targets in a namespace):
```yaml
apiVersion: "execution.experimental.securecodebox.io/v1"
kind: ScheduledScan
metadata:
  name: "nmap-cascading-dummy-ssh"
  namespace: demo-scans
  labels:
    organization: "Demo"
    product: "kubernetes"
    attack-surface: internal
spec:
  interval: 24h
  historyLimit: 1
  scanSpec:
    scanType: "nmap"
    parameters:
      # Internal cluster is blocking our ping probes, therefore we skip them
      - "-Pn"
      # Service Detection enabled
      - "-sV"
      # Actual Service Address will depend on your cluster and namespace configuration. 🤷
      - "dummy-ssh.demo-scans.svc"
```
- Check the errored pod of the hook:
```
kubectl logs dssh-declarative-subsequent-scans-nmap-cascading-dummy-ss-qknrw -n demo-scans
Starting hook for Scan "nmap-cascading-dummy-ssh-1595498493"
Fetched 2 findings from the file storage
Fetching CascadingScans using LabelSelector: "securecodebox.io/intensive=light"
Fetched 9 CascadingRules
Error was thrown while running hooks handle function
TypeError: Cannot read property 'cascading.securecodebox.io/chain' of undefined
    at getCascadingScans (/home/app/hook-wrapper/hook/hook.js:111:40)
    at /home/app/hook-wrapper/hook/hook.js:66:38
    at step (/home/app/hook-wrapper/hook/hook.js:44:23)
    at Object.next (/home/app/hook-wrapper/hook/hook.js:25:53)
    at fulfilled (/home/app/hook-wrapper/hook/hook.js:16:58)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
```
- Apply another ScheduledScan to your namespace (with installed demo-targets in a namespace):
```yaml
apiVersion: "execution.experimental.securecodebox.io/v1"
kind: ScheduledScan
metadata:
  name: "nmap-cascading-bodgeit"
  namespace: demo-scans
  labels:
    organization: "Demo"
    product: "kubernetes"
    attack-surface: internal
spec:
  interval: 24h
  historyLimit: 1
  scanSpec:
    scanType: "nmap"
    parameters:
      # Internal cluster is blocking our ping probes, therefore we skip them
      - "-Pn"
      # Service Detection enabled
      - "-sV"
      # Actual Service Address will depend on your cluster and namespace configuration. 🤷
      - "bodgeit.demo-scans.svc"
    cascades:
      matchLabels:
        securecodebox.io/intensive: light
```
- Check the errored pod of the hook:
```
kubectl logs dssh-declarative-subsequent-scans-nmap-cascading-bodgeit--7lgs9 -n demo-scans
Starting hook for Scan "nmap-cascading-bodgeit-1595499882"
Fetched 2 findings from the file storage
Skipping cascades as no selector was defined.
Error was thrown while running hooks handle function
TypeError: Cannot read property 'cascading.securecodebox.io/chain' of undefined
    at getCascadingScans (/home/app/hook-wrapper/hook/hook.js:111:40)
    at /home/app/hook-wrapper/hook/hook.js:66:38
    at step (/home/app/hook-wrapper/hook/hook.js:44:23)
    at Object.next (/home/app/hook-wrapper/hook/hook.js:25:53)
    at fulfilled (/home/app/hook-wrapper/hook/hook.js:16:58)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
```
Expected behavior
It should be possible to use the declarative-scan-hook in combination with ScheduledScan Types.
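
Both stack traces above fail on a read of `'cascading.securecodebox.io/chain'` from an undefined object. The following is an added example, not the project's hook code: it reproduces that failure shape and shows a guarded read. It assumes the key is a comma-separated annotation under the Scan's `metadata.annotations` and that a Scan created by a ScheduledScan carries no annotations; the function names and sample objects are constructed.

```javascript
// Added example. Assumption: the chain value lives in metadata.annotations
// as a comma-separated list of rule names. Helper names are hypothetical.
const CHAIN_KEY = "cascading.securecodebox.io/chain";

// Unguarded read: throws the TypeError seen in the hook logs when the
// object that should hold the key is undefined.
function readChainUnguarded(scan) {
  return scan.metadata.annotations[CHAIN_KEY].split(",");
}

// Guarded read: a scan without annotations simply has an empty chain.
function readChain(scan) {
  const annotations =
    (scan && scan.metadata && scan.metadata.annotations) || {};
  const raw = annotations[CHAIN_KEY];
  if (typeof raw !== "string") return [];
  return raw
    .split(",")
    .map((name) => name.trim())
    .filter((name) => name.length > 0);
}

// Constructed sample objects (not captured from a real cluster).
const scanFromSchedule = {
  metadata: { name: "nmap-cascading-dummy-ssh-1595498493", namespace: "demo-scans" },
};
const scanFromCascade = {
  metadata: {
    name: "constructed-child-scan",
    annotations: { [CHAIN_KEY]: "rule-a, rule-b" },
  },
};

function demo() {
  let unguardedError = null;
  try {
    readChainUnguarded(scanFromSchedule);
  } catch (e) {
    unguardedError = e;
  }
  return {
    unguardedThrows: unguardedError instanceof TypeError,
    scheduled: readChain(scanFromSchedule),
    cascaded: readChain(scanFromCascade),
  };
}

console.log(demo());
```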