#33 Add WIP declarative subsequent hook implementation

Author: J12934

hooks/declarative-subsequent-scans/.dockerignore

@@ -0,0 +1 @@
+node_modules/

hooks/declarative-subsequent-scans/.gitignore

@@ -0,0 +1 @@
+node_modules

hooks/declarative-subsequent-scans/.helmignore

@@ -0,0 +1,30 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# Node.js files
+node_modules/*
+package.json
+package-lock.json
+src/*
+config/*
+Dockerfile
+.dockerignore

hooks/declarative-subsequent-scans/Chart.lock

@@ -0,0 +1,3 @@
+dependencies: []
+digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726
+generated: "2020-05-26T16:56:03.119255+02:00"

hooks/declarative-subsequent-scans/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: declarative-subsequent-scans
+description: Starts possible subsequent security scans based on findings (e.g. open ports found by NMAP or subdomains found by AMASS).
+
+type: application
+
+version: 0.1.0
+
+appVersion: latest
+
+dependencies: []

hooks/declarative-subsequent-scans/Dockerfile

@@ -0,0 +1,5 @@
+# This image doesn't install the hooks dependencies, as it only has the @kubernetes/client-node dependencies which is already installed via the hook-sdk
+
+FROM scbexperimental/hook-sdk-nodejs:latest
+WORKDIR /home/app/hook-wrapper/hook/
+COPY --chown=app:app hook.js scan-helpers.js ./

hooks/declarative-subsequent-scans/hook.js

@@ -0,0 +1,46 @@
+const { startSubsequentSecureCodeBoxScan } = require("./scan-helpers");
+const isMatch = require("lodash.ismatch");
+
+async function handle({ scan, getFindings }) {
+  const findings = await getFindings();
+  const cascadingRules = await getCascadingRules();
+
+  const cascadingScans = getCascadingScans(findings, cascadingRules);
+
+  for (const { scanType, parameters } of cascadingScans) {
+    await startSubsequentSecureCodeBoxScan({
+      parentScan: scan,
+      scanType,
+      parameters,
+    });
+  }
+}
+
+async function getCascadingRules() {
+  // Todo: Get all CascadingRules of the current Namespace via k8s api
+  return [];
+}
+
+// Todo remove eslint disable
+// eslint-disable-next-line no-unused-vars
+function getCascadingScans(findings, cascadingRules) {
+  const cascadingScans = [];
+
+  for (const cascadingRule of cascadingRules) {
+    for (const finding of findings) {
+      const matches = cascadingRule.spec.matches.some((matchesRule) =>
+        isMatch(finding, matchesRule)
+      );
+
+      if (matches) {
+        // Todo templating
+        cascadingScans.push(cascadingRule.spec.scanSpec);
+      }
+    }
+  }
+
+  return cascadingScans;
+}
+
+module.exports.getCascadingScans = getCascadingScans;
+module.exports.handle = handle;

hooks/declarative-subsequent-scans/hook.test.js

@@ -0,0 +1,82 @@
+const { getCascadingScans } = require("./hook");
+
+test("Should create subsequent scans for open HTTPS ports (NMAP findings)", () => {
+  const findings = [
+    {
+      name: "Port 443 is open",
+      category: "Open Port",
+      attributes: {
+        state: "open",
+        hostname: "foobar.com",
+        port: 443,
+        service: "https"
+      }
+    }
+  ];
+
+  const cascadingRules = [
+    {
+      apiVersion: "cascading.experimental.securecodebox.io/v1",
+      kind: "CascadingRule",
+      metadata: {
+        name: "tls-scans"
+      },
+      spec: {
+        matches: [
+          {
+            category: "Open Port",
+            attributes: {
+              port: 443,
+              service: "https"
+            }
+          },
+          {
+            category: "Open Port",
+            attributes: {
+              service: "https"
+            }
+          }
+        ],
+        scanSpec: {
+          name: "sslyze",
+          parameters: ["--regular", "{attributes.hostname}"]
+        }
+      }
+    }
+  ];
+
+  const cascadedScans = getCascadingScans(findings, cascadingRules);
+
+  expect(cascadedScans).toMatchInlineSnapshot(`
+    Array [
+      Object {
+        "name": "sslyze",
+        "parameters": Array [
+          "--regular",
+          "{attributes.hostname}",
+        ],
+      },
+    ]
+  `);
+});
+
+test("Should create no subsequent scans if there are no rules", () => {
+  const findings = [
+    {
+      name: "Port 443 is open",
+      category: "Open Port",
+      attributes: {
+        state: "open",
+        hostname: "foobar.com",
+        port: 443,
+        service: "https"
+      }
+    }
+  ];
+
+  const cascadingRules = [];
+
+  const cascadedScans = getCascadingScans(findings, cascadingRules);
+
+  expect(cascadedScans).toMatchInlineSnapshot(`Array []`);
+});