#33 Improved the generation of the cascading scans name

J12934 · J12934 · commit 112b45f2df33 · 2020-06-25T12:48:23.000+02:00
If the scan was previously prefixed by the scanType, this prefix will now be replaced with the cascading Scans scanType
diff --git a/hooks/declarative-subsequent-scans/hook.test.js b/hooks/declarative-subsequent-scans/hook.test.js
@@ -1,60 +1,83 @@
 const { getCascadingScans } = require("./hook");
 
-test("Should create subsequent scans for open HTTPS ports (NMAP findings)", () => {
-  const findings = [
-    {
-      name: "Port 443 is open",
-      category: "Open Port",
-      attributes: {
-        state: "open",
-        hostname: "foobar.com",
-        port: 443,
-        service: "https"
-      }
-    }
-  ];
+let parentScan = undefined;
 
-  const cascadingRules = [
-    {
-      apiVersion: "cascading.experimental.securecodebox.io/v1",
-      kind: "CascadingRule",
-      metadata: {
-        name: "tls-scans"
-      },
-      spec: {
-        matches: [
+beforeEach(() => {
+  parentScan = {
+    apiVersion: "execution.experimental.securecodebox.io/v1",
+    kind: "Scan",
+    metadata: {
+      name: "nmap-foobar.com",
+    },
+    spec: {
+      scanType: "nmap",
+      parameters: "foobar.com",
+    },
+  };
+});
+
+const sslyzeCascadingRules = [
+  {
+    apiVersion: "cascading.experimental.securecodebox.io/v1",
+    kind: "CascadingRule",
+    metadata: {
+      name: "tls-scans",
+    },
+    spec: {
+      matches: {
+        anyOf: [
           {
             category: "Open Port",
             attributes: {
               port: 443,
-              service: "https"
-            }
+              service: "https",
+            },
           },
           {
             category: "Open Port",
             attributes: {
-              service: "https"
-            }
-          }
+              service: "https",
+            },
+          },
         ],
-        scanSpec: {
-          name: "sslyze",
-          parameters: ["--regular", "{{attributes.hostname}}"]
-        }
-      }
-    }
+      },
+      scanSpec: {
+        scanType: "sslyze",
+        parameters: ["--regular", "{{attributes.hostname}}"],
+      },
+    },
+  },
+];
+
+test("should create subsequent scans for open HTTPS ports (NMAP findings)", () => {
+  const findings = [
+    {
+      name: "Port 443 is open",
+      category: "Open Port",
+      attributes: {
+        state: "open",
+        hostname: "foobar.com",
+        port: 443,
+        service: "https",
+      },
+    },
   ];
 
-  const cascadedScans = getCascadingScans(findings, cascadingRules);
+  const cascadedScans = getCascadingScans(
+    parentScan,
+    findings,
+    sslyzeCascadingRules
+  );
 
   expect(cascadedScans).toMatchInlineSnapshot(`
     Array [
       Object {
-        "name": "sslyze",
+        "name": "sslyze-foobar.com-tls-scans-",
         "parameters": Array [
           "--regular",
           "foobar.com",
         ],
+        "scanType": "sslyze",
       },
     ]
   `);
@@ -69,14 +92,50 @@ test("Should create no subsequent scans if there are no rules", () => {
         state: "open",
         hostname: "foobar.com",
         port: 443,
-        service: "https"
-      }
-    }
+        service: "https",
+      },
+    },
   ];
 
   const cascadingRules = [];
 
-  const cascadedScans = getCascadingScans(findings, cascadingRules);
+  const cascadedScans = getCascadingScans(parentScan, findings, cascadingRules);
 
   expect(cascadedScans).toMatchInlineSnapshot(`Array []`);
 });
+
+test("should not try to do magic to the scan name if its something random", () => {
+  parentScan.metadata.name = "foobar.com";
+
+  const findings = [
+    {
+      name: "Port 443 is open",
+      category: "Open Port",
+      attributes: {
+        state: "open",
+        hostname: "foobar.com",
+        port: 443,
+        service: "https",
+      },
+    },
+  ];
+
+  const cascadedScans = getCascadingScans(
+    parentScan,
+    findings,
+    sslyzeCascadingRules
+  );
+
+  expect(cascadedScans).toMatchInlineSnapshot(`
+    Array [
+      Object {
+        "name": "foobar.com-tls-scans-",
+        "parameters": Array [
+          "--regular",
+          "foobar.com",
+        ],
+        "scanType": "sslyze",
+      },
+    ]
+  `);
+});
diff --git a/hooks/declarative-subsequent-scans/hook.ts b/hooks/declarative-subsequent-scans/hook.ts
@@ -16,7 +16,7 @@ interface Finding {
   attributes: Map<string, string | number>;
 }
 
-interface CascadingRules {
+interface CascadingRule {
   metadata: k8s.V1ObjectMeta;
   spec: CascadingRuleSpec;
 }
@@ -41,7 +41,9 @@ interface ScanSpec {
 }
 
 interface ExtendedScanSpec extends ScanSpec {
-  generatedBy: string;
+  // This is the name of the scan. Its not "really" part of the scan spec
+  // But this makes the object smaller
+  name: string;
 }
 
 interface HandleArgs {
@@ -53,30 +55,31 @@ export async function handle({ scan, getFindings }: HandleArgs) {
   const findings = await getFindings();
   const cascadingRules = await getCascadingRules();
 
-  const cascadingScans = getCascadingScans(findings, cascadingRules);
+  const cascadingScans = getCascadingScans(scan, findings, cascadingRules);
 
-  for (const { scanType, parameters, generatedBy } of cascadingScans) {
+  for (const { name, scanType, parameters } of cascadingScans) {
     await startSubsequentSecureCodeBoxScan({
-      name: `${scan.metadata.name}-${generatedBy}`,
+      name,
       parentScan: scan,
       scanType,
       parameters,
     });
   }
 }
 
-async function getCascadingRules(): Promise<Array<CascadingRules>> {
+async function getCascadingRules(): Promise<Array<CascadingRule>> {
   // Explicit Cast to the proper Type
-  return <Array<CascadingRules>>await getCascadingRulesFromCluster();
+  return <Array<CascadingRule>>await getCascadingRulesFromCluster();
 }
 
 /**
  * Goes thought the Findings and the CascadingRules
  * and returns a List of Scans which should be started based on both.
  */
 export function getCascadingScans(
+  parentScan: Scan,
   findings: Array<Finding>,
-  cascadingRules: Array<CascadingRules>
+  cascadingRules: Array<CascadingRule>
 ): Array<ExtendedScanSpec> {
   const cascadingScans: Array<ExtendedScanSpec> = [];
 
@@ -91,7 +94,7 @@ export function getCascadingScans(
         const { scanType, parameters } = cascadingRule.spec.scanSpec;
 
         cascadingScans.push({
-          generatedBy: cascadingRule.metadata.name,
+          name: generateCascadingScanName(parentScan, cascadingRule),
           scanType: Mustache.render(scanType, finding),
           parameters: parameters.map((parameter) =>
             Mustache.render(parameter, finding)
@@ -103,3 +106,19 @@ export function getCascadingScans(
 
   return cascadingScans;
 }
+
+function generateCascadingScanName(
+  parentScan: Scan,
+  cascadingRule: CascadingRule
+): string {
+  let namePrefix = parentScan.metadata.name;
+
+  // 🧙‍ If the Parent Scan start with its scanType we'll replace it with the ScanType of the CascadingScan
+  if (namePrefix.startsWith(parentScan.spec.scanType)) {
+    namePrefix = namePrefix.replace(
+      parentScan.spec.scanType,
+      cascadingRule.spec.scanSpec.scanType
+    );
+  }
+  return `${namePrefix}-${cascadingRule.metadata.name}-`;
+}
