Add Declarative Combined Scans Implementation

.eslintignore

@@ -1,2 +1,5 @@
 **/node_modules
-**/coverage
+**/coverage
+hooks/declarative-subsequent-scans/hook.js
+hooks/declarative-subsequent-scans/scan-helpers.js
+hooks/declarative-subsequent-scans/kubernetes-label-selector.js

.github/workflows/ci.yaml

@@ -40,6 +40,10 @@ jobs:
           cd -
           cd hooks/
           npm ci
+      - name: "Compile Typescript"
+        run: |
+          cd hooks/declarative-subsequent-scans
+          npm run build
       - name: "Run tests & publish code coverage"
         uses: paambaati/codeclimate-action@v2.6.0
         env:
@@ -248,6 +252,16 @@ jobs:
           path: ./hooks/imperative-subsequent-scans/
           tag_with_ref: true
           build_args: baseImageTag=ci-local
+      - uses: docker/build-push-action@v1
+        name: "Build & Push DeclarativeSubsequentScans Hook Image"
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+          repository: scbexperimental/hook-declarative-subsequent-scans
+          path: ./hooks/declarative-subsequent-scans/
+          tag_with_ref: true
+          tag_with_sha: true
+          build_args: baseImageTag=ci-local
       - uses: docker/build-push-action@v1
         name: "Build & Push UpdateField Hook Image"
         with:

hooks/declarative-subsequent-scans/.dockerignore

@@ -0,0 +1 @@
+node_modules/

hooks/declarative-subsequent-scans/.gitignore

@@ -0,0 +1,4 @@
+node_modules
+*.map
+**.js
+!**.test.js

hooks/declarative-subsequent-scans/.helmignore

@@ -0,0 +1,30 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# Node.js files
+node_modules/*
+package.json
+package-lock.json
+src/*
+config/*
+Dockerfile
+.dockerignore

hooks/declarative-subsequent-scans/Chart.lock

@@ -0,0 +1,3 @@
+dependencies: []
+digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726
+generated: "2020-05-26T16:56:03.119255+02:00"

hooks/declarative-subsequent-scans/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: declarative-subsequent-scans
+description: Starts possible subsequent security scans based on findings (e.g. open ports found by NMAP or subdomains found by AMASS).
+
+type: application
+
+version: 0.1.0
+
+appVersion: latest
+
+dependencies: []

hooks/declarative-subsequent-scans/Dockerfile

@@ -0,0 +1,19 @@
+ARG baseImageTag
+FROM node:12-alpine as install
+RUN mkdir -p /home/app
+WORKDIR /home/app
+COPY package.json package-lock.json ./
+RUN npm ci --production
+
+FROM node:12-alpine as build
+RUN mkdir -p /home/app
+WORKDIR /home/app
+COPY package.json package-lock.json ./
+RUN npm ci
+COPY hook.ts scan-helpers.ts kubernetes-label-selector.ts ./
+RUN npm run build
+
+FROM scbexperimental/hook-sdk-nodejs:${baseImageTag:-latest}
+WORKDIR /home/app/hook-wrapper/hook/
+COPY --from=install --chown=app:app /home/app/node_modules/ ./node_modules/
+COPY --from=build --chown=app:app /home/app/hook.js /home/app/scan-helpers.js /home/app/kubernetes-label-selector.js ./

hooks/declarative-subsequent-scans/hook.test.js

@@ -0,0 +1,175 @@
+const { getCascadingScans } = require("./hook");
+
+let parentScan = undefined;
+let sslyzeCascadingRules = undefined;
+
+beforeEach(() => {
+  parentScan = {
+    apiVersion: "execution.experimental.securecodebox.io/v1",
+    kind: "Scan",
+    metadata: {
+      name: "nmap-foobar.com",
+      annotations: {}
+    },
+    spec: {
+      scanType: "nmap",
+      parameters: "foobar.com",
+      cascades: {}
+    }
+  };
+
+  sslyzeCascadingRules = [
+    {
+      apiVersion: "cascading.experimental.securecodebox.io/v1",
+      kind: "CascadingRule",
+      metadata: {
+        name: "tls-scans"
+      },
+      spec: {
+        matches: {
+          anyOf: [
+            {
+              category: "Open Port",
+              attributes: {
+                port: 443,
+                service: "https"
+              }
+            },
+            {
+              category: "Open Port",
+              attributes: {
+                service: "https"
+              }
+            }
+          ]
+        },
+        scanSpec: {
+          scanType: "sslyze",
+          parameters: ["--regular", "{{$.hostOrIP}}:{{attributes.port}}"]
+        }
+      }
+    }
+  ];
+});
+
+test("should create subsequent scans for open HTTPS ports (NMAP findings)", () => {
+  const findings = [
+    {
+      name: "Port 443 is open",
+      category: "Open Port",
+      attributes: {
+        state: "open",
+        hostname: "foobar.com",
+        port: 443,
+        service: "https"
+      }
+    }
+  ];
+
+  const cascadedScans = getCascadingScans(
+    parentScan,
+    findings,
+    sslyzeCascadingRules
+  );
+
+  expect(cascadedScans).toMatchInlineSnapshot(`
+    Array [
+      Object {
+        "cascades": null,
+        "generatedBy": "tls-scans",
+        "name": "sslyze-foobar.com-tls-scans",
+        "parameters": Array [
+          "--regular",
+          "foobar.com:443",
+        ],
+        "scanType": "sslyze",
+      },
+    ]
+  `);
+});
+
+test("Should create no subsequent scans if there are no rules", () => {
+  const findings = [
+    {
+      name: "Port 443 is open",
+      category: "Open Port",
+      attributes: {
+        state: "open",
+        hostname: "foobar.com",
+        port: 443,
+        service: "https"
+      }
+    }
+  ];
+
+  const cascadingRules = [];
+
+  const cascadedScans = getCascadingScans(parentScan, findings, cascadingRules);
+
+  expect(cascadedScans).toMatchInlineSnapshot(`Array []`);
+});
+
+test("should not try to do magic to the scan name if its something random", () => {
+  parentScan.metadata.name = "foobar.com";
+
+  const findings = [
+    {
+      name: "Port 443 is open",
+      category: "Open Port",
+      attributes: {
+        state: "open",
+        hostname: undefined,
+        ip_address: "10.42.42.42",
+        port: 443,
+        service: "https"
+      }
+    }
+  ];
+
+  const cascadedScans = getCascadingScans(
+    parentScan,
+    findings,
+    sslyzeCascadingRules
+  );
+
+  expect(cascadedScans).toMatchInlineSnapshot(`
+    Array [
+      Object {
+        "cascades": null,
+        "generatedBy": "tls-scans",
+        "name": "foobar.com-tls-scans",
+        "parameters": Array [
+          "--regular",
+          "10.42.42.42:443",
+        ],
+        "scanType": "sslyze",
+      },
+    ]
+  `);
+});
+
+test("should not start scan when the cascadingrule for it is already in the chain", () => {
+  parentScan.metadata.annotations["cascading.securecodebox.io/chain"] =
+    sslyzeCascadingRules[0].metadata.name;
+
+  const findings = [
+    {
+      name: "Port 443 is open",
+      category: "Open Port",
+      attributes: {
+        state: "open",
+        hostname: "foobar.com",
+        port: 443,
+        service: "https"
+      }
+    }
+  ];
+
+  const cascadedScans = getCascadingScans(
+    parentScan,
+    findings,
+    sslyzeCascadingRules
+  );
+
+  expect(cascadedScans).toMatchInlineSnapshot(`Array []`);
+});