#33 Restrict query for CascadingRules by the Scans selector

Author: J12934

hooks/declarative-subsequent-scans/Dockerfile

@@ -10,10 +10,10 @@ RUN mkdir -p /home/app
 WORKDIR /home/app
 COPY package.json package-lock.json ./
 RUN npm ci
-COPY hook.ts scan-helpers.ts ./
+COPY hook.ts scan-helpers.ts kubernetes-label-selector.ts ./
 RUN npm run build
 
 FROM scbexperimental/hook-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/hook-wrapper/hook/
 COPY --from=install --chown=app:app /home/app/node_modules/ ./node_modules/
-COPY --from=build --chown=app:app /home/app/hook.js /home/app/scan-helpers.js ./
+COPY --from=build --chown=app:app /home/app/hook.js /home/app/scan-helpers.js /home/app/kubernetes-label-selector.js ./

hooks/declarative-subsequent-scans/hook.test.js

@@ -13,7 +13,8 @@ beforeEach(() => {
     },
     spec: {
       scanType: "nmap",
-      parameters: "foobar.com"
+      parameters: "foobar.com",
+      cascades: {}
     }
   };
 
@@ -74,6 +75,7 @@ test("should create subsequent scans for open HTTPS ports (NMAP findings)", () =
   expect(cascadedScans).toMatchInlineSnapshot(`
     Array [
       Object {
+        "cascades": Object {},
         "generatedBy": "tls-scans",
         "name": "sslyze-foobar.com-tls-scans",
         "parameters": Array [
@@ -132,6 +134,7 @@ test("should not try to do magic to the scan name if its something random", () =
   expect(cascadedScans).toMatchInlineSnapshot(`
     Array [
       Object {
+        "cascades": Object {},
         "generatedBy": "tls-scans",
         "name": "foobar.com-tls-scans",
         "parameters": Array [

hooks/declarative-subsequent-scans/hook.ts

@@ -1,62 +1,24 @@
 import { isMatch } from "lodash";
 import * as Mustache from "mustache";
-import * as k8s from "@kubernetes/client-node";
 
 import {
   startSubsequentSecureCodeBoxScan,
-  getCascadingRulesFromCluster,
+  getCascadingRulesForScan,
+  // types
+  Scan,
+  Finding,
+  CascadingRule,
+  ExtendedScanSpec
 } from "./scan-helpers";
 
-interface Finding {
-  name: string;
-  location: string;
-  category: string;
-  severity: string;
-  osi_layer: string;
-  attributes: Map<string, string | number>;
-}
-
-interface CascadingRule {
-  metadata: k8s.V1ObjectMeta;
-  spec: CascadingRuleSpec;
-}
-
-interface CascadingRuleSpec {
-  matches: Matches;
-  scanSpec: ScanSpec;
-}
-
-interface Matches {
-  anyOf: Array<Finding>;
-}
-
-interface Scan {
-  metadata: k8s.V1ObjectMeta;
-  spec: ScanSpec;
-}
-
-interface ScanSpec {
-  scanType: string;
-  parameters: Array<string>;
-}
-
-interface ExtendedScanSpec extends ScanSpec {
-  // This is the name of the scan. Its not "really" part of the scan spec
-  // But this makes the object smaller
-  name: string;
-
-  // Indicates which CascadingRule was used to generate the resulting Scan
-  generatedBy: string;
-}
-
 interface HandleArgs {
   scan: Scan;
   getFindings: () => Array<Finding>;
 }
 
 export async function handle({ scan, getFindings }: HandleArgs) {
   const findings = await getFindings();
-  const cascadingRules = await getCascadingRules();
+  const cascadingRules = await getCascadingRules(scan);
 
   const cascadingScans = getCascadingScans(scan, findings, cascadingRules);
 
@@ -66,14 +28,14 @@ export async function handle({ scan, getFindings }: HandleArgs) {
       parentScan: scan,
       generatedBy,
       scanType,
-      parameters,
+      parameters
     });
   }
 }
 
-async function getCascadingRules(): Promise<Array<CascadingRule>> {
+async function getCascadingRules(scan: Scan): Promise<Array<CascadingRule>> {
   // Explicit Cast to the proper Type
-  return <Array<CascadingRule>>await getCascadingRulesFromCluster();
+  return <Array<CascadingRule>>await getCascadingRulesForScan(scan);
 }
 
 /**
@@ -112,7 +74,7 @@ export function getCascadingScans(
 
     for (const finding of findings) {
       // Check if one (ore more) of the CascadingRule matchers apply to the finding
-      const matches = cascadingRule.spec.matches.anyOf.some((matchesRule) =>
+      const matches = cascadingRule.spec.matches.anyOf.some(matchesRule =>
         isMatch(finding, matchesRule)
       );
 
@@ -122,10 +84,11 @@ export function getCascadingScans(
         cascadingScans.push({
           name: generateCascadingScanName(parentScan, cascadingRule),
           scanType: Mustache.render(scanType, finding),
-          parameters: parameters.map((parameter) =>
+          parameters: parameters.map(parameter =>
             Mustache.render(parameter, finding)
           ),
-          generatedBy: cascadingRule.metadata.name,
+          cascades: null,
+          generatedBy: cascadingRule.metadata.name
         });
       }
     }

hooks/declarative-subsequent-scans/kubernetes-label-selector.test.js

@@ -0,0 +1,133 @@
+const { generateLabelSelectorString } = require("./kubernetes-label-selector");
+
+test("should generate a empty string if passed an empty object", () => {
+  expect(generateLabelSelectorString({})).toBe("");
+});
+
+test("should generate basic label string for key values selector", () => {
+  expect(
+    generateLabelSelectorString({
+      matchLabels: { environment: "production" }
+    })
+  ).toBe("environment=production");
+
+  expect(
+    generateLabelSelectorString({
+      matchLabels: { environment: "testing" }
+    })
+  ).toBe("environment=testing");
+});
+
+test("should generate basic label string for multiple key values selector", () => {
+  expect(
+    generateLabelSelectorString({
+      matchLabels: {
+        environment: "production",
+        team: "search"
+      }
+    })
+  ).toBe("environment=production,team=search");
+
+  expect(
+    generateLabelSelectorString({
+      matchLabels: {
+        environment: "testing",
+        team: "payment"
+      }
+    })
+  ).toBe("environment=testing,team=payment");
+});
+
+test("should generate label string for set based expressions", () => {
+  expect(
+    generateLabelSelectorString({
+      matchExpression: [
+        {
+          key: "environment",
+          operator: "In",
+          values: ["testing", "development"]
+        }
+      ]
+    })
+  ).toBe("environment in (testing,development)");
+
+  expect(
+    generateLabelSelectorString({
+      matchExpression: [
+        {
+          key: "environment",
+          operator: "In",
+          values: ["development"]
+        }
+      ]
+    })
+  ).toBe("environment in (development)");
+});
+
+test("should generate label string for set based expressions with multiple entries", () => {
+  expect(
+    generateLabelSelectorString({
+      matchExpression: [
+        {
+          key: "environment",
+          operator: "NotIn",
+          values: ["production"]
+        },
+        {
+          key: "team",
+          operator: "In",
+          values: ["search", "payment"]
+        }
+      ]
+    })
+  ).toBe("environment notin (production),team in (search,payment)");
+});
+
+test("should generate label string for set based Exists and DoesNotExist operators", () => {
+  expect(
+    generateLabelSelectorString({
+      matchExpression: [
+        {
+          key: "environment",
+          operator: "Exists"
+        },
+        {
+          key: "team",
+          operator: "DoesNotExist"
+        }
+      ]
+    })
+  ).toBe("environment,!team");
+});
+
+test("should generate selectors with both expression and labelMatching", () => {
+  expect(
+    generateLabelSelectorString({
+      matchExpression: [
+        {
+          key: "environment",
+          operator: "NotIn",
+          values: ["production"]
+        },
+        {
+          key: "team",
+          operator: "In",
+          values: ["search", "payment"]
+        },
+        {
+          key: "foobar",
+          operator: "Exists"
+        },
+        {
+          key: "barfoo",
+          operator: "DoesNotExist"
+        }
+      ],
+      matchLabels: {
+        critical: "true"
+      }
+    })
+  ).toBe(
+    "critical=true,environment notin (production),team in (search,payment),foobar,!barfoo"
+  );
+});

hooks/declarative-subsequent-scans/kubernetes-label-selector.ts

@@ -0,0 +1,50 @@
+export enum LabelSelectorRequirementOperator {
+  In = "In",
+  NotIn = "NotIn",
+  Exists = "Exists",
+  DoesNotExist = "DoesNotExist"
+}
+
+// See: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#labelselectorrequirement-v1-meta
+// Re created in TS because the included types suck 😕
+export interface LabelSelectorRequirement {
+  key: string;
+  values: Array<string>;
+
+  operator: LabelSelectorRequirementOperator;
+}
+
+export interface LabelSelector {
+  matchExpression: Array<LabelSelectorRequirement>;
+  matchLabels: Map<string, string>;
+}
+
+// generateLabelSelectorString transforms a kubernetes labelSelector object in to the string representation
+export function generateLabelSelectorString({
+  matchExpression = [],
+  matchLabels = new Map()
+}: LabelSelector): string {
+  const matchLabelsSelector = Array.from(Object.entries(matchLabels)).map(
+    ([key, values]) => `${key}=${values}`
+  );
+
+  const matchExpressionsSelector = matchExpression.map(
+    ({ key, values, operator }) => {
+      if (
+        operator === LabelSelectorRequirementOperator.In ||
+        operator === LabelSelectorRequirementOperator.NotIn
+      ) {
+        return `${key} ${operator.toLowerCase()} (${values.join(",")})`;
+      }
+
+      if (operator === LabelSelectorRequirementOperator.Exists) {
+        return key;
+      }
+      if (operator === LabelSelectorRequirementOperator.DoesNotExist) {
+        return `!${key}`;
+      }
+    }
+  );
+
+  return [...matchLabelsSelector, ...matchExpressionsSelector].join(",");
+}