#33 Implement Declarative CascadingScans

Migrated to main hook file to typescript

Author: J12934

hooks/declarative-subsequent-scans/Dockerfile

@@ -1,5 +1,19 @@
-# This image doesn't install the hooks dependencies, as it only has the @kubernetes/client-node dependencies which is already installed via the hook-sdk
+FROM node:12-alpine as install
+RUN mkdir -p /home/app
+WORKDIR /home/app
+COPY package.json package-lock.json ./
+RUN npm ci --production
+
+FROM node:12-alpine as build
+RUN mkdir -p /home/app
+WORKDIR /home/app
+COPY package.json package-lock.json ./
+RUN npm ci
+COPY hook.ts scan-helpers.js ./
+RUN npm run build
 
 FROM scbexperimental/hook-sdk-nodejs:latest
 WORKDIR /home/app/hook-wrapper/hook/
-COPY --chown=app:app hook.js scan-helpers.js ./
+COPY --chown=app:app scan-helpers.js ./
+COPY --from=build --chown=app:app /home/app/hook.js ./
+COPY --from=install --chown=app:app /home/app/node_modules/ ./node_modules/

hooks/declarative-subsequent-scans/hook.js

@@ -1,46 +1,119 @@
-const { startSubsequentSecureCodeBoxScan } = require("./scan-helpers");
-const isMatch = require("lodash.ismatch");
-
-async function handle({ scan, getFindings }) {
-  const findings = await getFindings();
-  const cascadingRules = await getCascadingRules();
-
-  const cascadingScans = getCascadingScans(findings, cascadingRules);
-
-  for (const { scanType, parameters } of cascadingScans) {
-    await startSubsequentSecureCodeBoxScan({
-      parentScan: scan,
-      scanType,
-      parameters,
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (_) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+exports.__esModule = true;
+exports.getCascadingScans = exports.handle = void 0;
+var lodash_1 = require("lodash");
+var Mustache = require("mustache");
+var scan_helpers_1 = require("./scan-helpers");
+function handle(_a) {
+    var scan = _a.scan, getFindings = _a.getFindings;
+    return __awaiter(this, void 0, void 0, function () {
+        var findings, cascadingRules, cascadingScans, _i, cascadingScans_1, _b, name_1, parameters;
+        return __generator(this, function (_c) {
+            switch (_c.label) {
+                case 0: return [4 /*yield*/, getFindings()];
+                case 1:
+                    findings = _c.sent();
+                    return [4 /*yield*/, getCascadingRules()];
+                case 2:
+                    cascadingRules = _c.sent();
+                    cascadingScans = getCascadingScans(findings, cascadingRules);
+                    _i = 0, cascadingScans_1 = cascadingScans;
+                    _c.label = 3;
+                case 3:
+                    if (!(_i < cascadingScans_1.length)) return [3 /*break*/, 6];
+                    _b = cascadingScans_1[_i], name_1 = _b.name, parameters = _b.parameters;
+                    return [4 /*yield*/, scan_helpers_1.startSubsequentSecureCodeBoxScan({
+                            parentScan: scan,
+                            scanType: name_1,
+                            parameters: parameters
+                        })];
+                case 4:
+                    _c.sent();
+                    _c.label = 5;
+                case 5:
+                    _i++;
+                    return [3 /*break*/, 3];
+                case 6: return [2 /*return*/];
+            }
+        });
     });
-  }
 }
-
-async function getCascadingRules() {
-  // Todo: Get all CascadingRules of the current Namespace via k8s api
-  return [];
+exports.handle = handle;
+function getCascadingRules() {
+    return __awaiter(this, void 0, void 0, function () {
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0: return [4 /*yield*/, scan_helpers_1.getCascadingRulesFromCluster()];
+                case 1: 
+                // Explicit Cast to the proper Type
+                return [2 /*return*/, _a.sent()];
+            }
+        });
+    });
 }
-
-// Todo remove eslint disable
-// eslint-disable-next-line no-unused-vars
+/**
+ * Goes thought the Findings and the CascadingRules
+ * and returns a List of Scans which should be started based on both.
+ */
 function getCascadingScans(findings, cascadingRules) {
-  const cascadingScans = [];
-
-  for (const cascadingRule of cascadingRules) {
-    for (const finding of findings) {
-      const matches = cascadingRule.spec.matches.some((matchesRule) =>
-        isMatch(finding, matchesRule)
-      );
-
-      if (matches) {
-        // Todo templating
-        cascadingScans.push(cascadingRule.spec.scanSpec);
-      }
+    var cascadingScans = [];
+    for (var _i = 0, cascadingRules_1 = cascadingRules; _i < cascadingRules_1.length; _i++) {
+        var cascadingRule = cascadingRules_1[_i];
+        var _loop_1 = function (finding) {
+            var matches = cascadingRule.spec.matches.some(function (matchesRule) {
+                return lodash_1.isMatch(finding, matchesRule);
+            });
+            if (matches) {
+                var _a = cascadingRule.spec.scanSpec, name_2 = _a.name, parameters = _a.parameters;
+                cascadingScans.push({
+                    name: Mustache.render(name_2, finding),
+                    parameters: parameters.map(function (parameter) {
+                        return Mustache.render(parameter, finding);
+                    })
+                });
+            }
+        };
+        for (var _a = 0, findings_1 = findings; _a < findings_1.length; _a++) {
+            var finding = findings_1[_a];
+            _loop_1(finding);
+        }
     }
-  }
-
-  return cascadingScans;
+    return cascadingScans;
 }
-
-module.exports.getCascadingScans = getCascadingScans;
-module.exports.handle = handle;
+exports.getCascadingScans = getCascadingScans;

hooks/declarative-subsequent-scans/hook.test.js

@@ -39,7 +39,7 @@ test("Should create subsequent scans for open HTTPS ports (NMAP findings)", () =
         ],
         scanSpec: {
           name: "sslyze",
-          parameters: ["--regular", "{attributes.hostname}"]
+          parameters: ["--regular", "{{attributes.hostname}}"]
         }
       }
     }
@@ -53,7 +53,7 @@ test("Should create subsequent scans for open HTTPS ports (NMAP findings)", () =
         "name": "sslyze",
         "parameters": Array [
           "--regular",
-          "{attributes.hostname}",
+          "foobar.com",
         ],
       },
     ]

hooks/declarative-subsequent-scans/hook.ts

@@ -0,0 +1,94 @@
+import { isMatch } from "lodash";
+import * as Mustache from "mustache";
+import * as k8s from "@kubernetes/client-node";
+
+import {
+  startSubsequentSecureCodeBoxScan,
+  getCascadingRulesFromCluster,
+} from "./scan-helpers";
+
+interface Finding {
+  name: string;
+  location: string;
+  category: string;
+  severity: string;
+  osi_layer: string;
+  attributes: Map<string, string | number>;
+}
+
+interface HandleArgs {
+  scan: any;
+  getFindings: () => Array<Finding>;
+}
+
+interface CascadingRules {
+  metadata: k8s.V1ObjectMeta;
+  spec: CascadingRuleSpec;
+}
+
+interface CascadingRuleSpec {
+  matches: Array<Finding>;
+  scanSpec: ScanSpec;
+}
+
+interface Scan {
+  metadata: k8s.V1ObjectMeta;
+  spec: ScanSpec;
+}
+
+interface ScanSpec {
+  name: string;
+  parameters: Array<string>;
+}
+
+export async function handle({ scan, getFindings }: HandleArgs) {
+  const findings = await getFindings();
+  const cascadingRules = await getCascadingRules();
+
+  const cascadingScans = getCascadingScans(findings, cascadingRules);
+
+  for (const { name, parameters } of cascadingScans) {
+    await startSubsequentSecureCodeBoxScan({
+      parentScan: scan,
+      scanType: name,
+      parameters,
+    });
+  }
+}
+
+async function getCascadingRules(): Promise<Array<CascadingRules>> {
+  // Explicit Cast to the proper Type
+  return <Array<CascadingRules>>await getCascadingRulesFromCluster();
+}
+
+/**
+ * Goes thought the Findings and the CascadingRules
+ * and returns a List of Scans which should be started based on both.
+ */
+export function getCascadingScans(
+  findings: Array<Finding>,
+  cascadingRules: Array<CascadingRules>
+): Array<ScanSpec> {
+  const cascadingScans: Array<ScanSpec> = [];
+
+  for (const cascadingRule of cascadingRules) {
+    for (const finding of findings) {
+      const matches = cascadingRule.spec.matches.some((matchesRule) =>
+        isMatch(finding, matchesRule)
+      );
+
+      if (matches) {
+        const { name, parameters } = cascadingRule.spec.scanSpec;
+
+        cascadingScans.push({
+          name: Mustache.render(name, finding),
+          parameters: parameters.map((parameter) =>
+            Mustache.render(parameter, finding)
+          ),
+        });
+      }
+    }
+  }
+
+  return cascadingScans;
+}

hooks/declarative-subsequent-scans/package-lock.json

@@ -4,16 +4,19 @@
   "description": "",
   "main": "hook.js",
   "scripts": {
+    "build": "npx typescript hook.ts",
     "test": "jest ."
   },
   "keywords": [],
   "author": "",
   "license": "Apache-2.0",
   "dependencies": {
     "@kubernetes/client-node": "^0.12.0",
-    "lodash.ismatch": "^4.4.0"
+    "lodash": "^4.17.15",
+    "mustache": "^4.0.1"
   },
   "devDependencies": {
-    "jest": "^25.1.0"
+    "jest": "^25.1.0",
+    "typescript": "^3.9.5"
   }
 }