Merge branch 'master' into refactoring-examples

Author: nigthknight

.github/workflows/helm-charts.yaml

@@ -0,0 +1,34 @@
+on:
+  release:
+    types: [published]
+name: "Publish Helm Charts"
+jobs:
+  helm:
+    name: Package and Publish
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: "Install yq"
+        run: |
+          sudo snap install yq
+      - name: Parse Tag 
+        run: echo ::set-env name=RELEASE_VERSION::${GITHUB_REF#refs/*/}
+      - name: "Publish Helm Chart"
+        env:
+          HELM_REGISTRY: https://charts.securecodebox.io
+          USERNAME: ${{ secrets.HELM_REGISTRY_USERNAME }}
+          PASSWORD: ${{ secrets.HELM_REGISTRY_PASSWORD }}
+        run: |
+          # Publish charts in all folders containing a `Chart.yaml` file
+          # https://github.com/koalaman/shellcheck/wiki/SC2044
+          find . -type f -name Chart.yaml -print0 | while IFS= read -r -d '' chart; do
+          (
+            dir="$(dirname "${chart}")"
+            cd "${dir}" || exit
+            echo "Processing Chart in $dir"
+            helm lint .
+            helm package --version $RELEASE_VERSION .
+            NAME=$(yq read - name < Chart.yaml)
+            curl --silent --show-error --user "${USERNAME}:${PASSWORD}" --data-binary "@${NAME}-${RELEASE_VERSION}.tgz" "${HELM_REGISTRY}/api/charts"
+          )
+          done

README.md

@@ -35,6 +35,7 @@
       - [Local Scan Examples](#local-scan-examples)
       - [Public Scan Examples](#public-scan-examples)
       - [Then get the current State of the Scan by running:](#then-get-the-current-state-of-the-scan-by-running)
+      - [To delete a scan, use ```kubectl delete```, e.g. for localhost nmap scan:](#to-delete-a-scan-use-kubectl-delete-eg-for-localhost-nmap-scan)
     - [Access Services](#access-services)
   - [How does it work?](#how-does-it-work)
   - [Architecture](#architecture)
@@ -109,9 +110,10 @@ helm upgrade --install swagger-petstore ./demo-apps/swagger-petstore/
 Deploy secureCodeBox Hooks:
 
 ```bash
-helm upgrade --install aah ./hooks/update-field/
+helm upgrade --install ufh ./hooks/update-field/
 helm upgrade --install gwh ./hooks/generic-webhook/
 helm upgrade --install issh ./hooks/imperative-subsequent-scans/
+helm upgrade --install dssh ./hooks/declarative-subsequent-scans/
 ```
 
 Persistence provider Elasticsearch:

demo-apps/bodgeit/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 version: 0.1.0
 type: application
-appVersion: "latest"
+appVersion: "v1.4.0"
 name: bodgeit
 description: "The BodgeIt Store is a vulnerable web app which is aimed at people who are new to pen testing"
 home: https://github.com/psiinon/bodgeit

demo-apps/juice-shop/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 version: 0.1.0
-appVersion: "v10.0.0"
+appVersion: "v11.1.2"
 name: juice-shop
 description: "OWASP Juice Shop: Probably the most modern and sophisticated insecure web application"
 type: application

hooks/declarative-subsequent-scans/README.md

@@ -0,0 +1,116 @@
+---
+title: "Cascading Scans"
+path: "hooks/declarative-subsequent-scans"
+category: "hook"
+type: "processing"
+state: "released"
+usecase: "Cascading Scans based declarative Rules."
+---
+
+<!-- end -->
+
+## Deployment
+
+Installing the Cascading Scans hook will add a ReadOnly Hook to your namespace which looks for matching _CascadingRules_ in the namespace and start the according scans. 
+
+```bash
+helm upgrade --install dssh ./hooks/declarative-subsequent-scans/
+```
+
+### Verification
+```bash
+kubectl get ScanCompletionHooks
+NAME   TYPE       IMAGE
+dssh   ReadOnly   docker.io/scbexperimental/hook-declarative-subsequent-scans:latest
+```
+
+## CascadingScan Rules
+The CascadingRules are included directly in each helm chart of the individual scanners. 
+
+```bash
+# Check your CascadingRules
+kubectl get CascadingRules
+NAME             STARTS         INVASIVENESS   INTENSIVENESS
+https-tls-scan   sslyze         non-invasive   light
+imaps-tls-scan   sslyze         non-invasive   light
+nikto-http       nikto          non-invasive   medium
+nmap-smb         nmap           non-invasive   light
+pop3s-tls-scan   sslyze         non-invasive   light
+smtps-tls-scan   sslyze         non-invasive   light
+ssh-scan         ssh-scan       non-invasive   light
+zap-http         zap-baseline   non-invasive   medium
+```
+
+## Starting a cascading Scan
+When you start a normal Scan, no CascadingRule will be applied. To use a _CascadingRule_ the scan must be marked to allow cascading rules.
+This is implemented using kubernetes label selectors, meaning that scans mark the classes of scans which are allowed to be cascaded by the current one.
+
+### Example
+```yaml
+cat <<EOF | kubectl apply -f -
+apiVersion: "execution.experimental.securecodebox.io/v1"
+kind: Scan
+metadata:
+  name: "example.com"
+spec:
+  scanType: nmap
+  parameters:
+    - -p22,80,443
+    - example.com
+  cascades:
+    matchLabels:
+      securecodebox.io/intensive: light
+EOF
+```
+
+This Scan will used all CascadingRules which are labeled with a "light" intensity.
+You can lookup which CascadingRules this selects by running:
+
+```bash
+kubectl get CascadingRules -l "securecodebox.io/intensive=light"
+NAME             STARTS     INVASIVENESS   INTENSIVENESS
+https-tls-scan   sslyze     non-invasive   light
+imaps-tls-scan   sslyze     non-invasive   light
+nmap-smb         nmap       non-invasive   light
+pop3s-tls-scan   sslyze     non-invasive   light
+smtps-tls-scan   sslyze     non-invasive   light
+ssh-scan         ssh-scan   non-invasive   light
+```
+
+The label selectors also allow the more powerful matchExpression selectors:
+
+```yaml
+cat <<EOF | kubectl apply -f -
+apiVersion: "execution.experimental.securecodebox.io/v1"
+kind: Scan
+metadata:
+  name: "example.com"
+spec:
+  scanType: nmap
+  parameters:
+    - -p22,80,443
+    - example.com
+  cascades:
+    # Using matchExpression instead of matchLabels
+    matchExpression:
+      key: "securecodebox.io/intensive"
+      operator: In
+      # This select both light and medium intensity rules
+      values: [light, medium]
+EOF
+```
+
+This selection can be replicated in kubectl using:
+
+```bash
+kubectl get CascadingRules -l "securecodebox.io/intensive in (light,medium)"
+NAME             STARTS         INVASIVENESS   INTENSIVENESS
+https-tls-scan   sslyze         non-invasive   light
+imaps-tls-scan   sslyze         non-invasive   light
+nikto-http       nikto          non-invasive   medium
+nmap-smb         nmap           non-invasive   light
+pop3s-tls-scan   sslyze         non-invasive   light
+smtps-tls-scan   sslyze         non-invasive   light
+ssh-scan         ssh-scan       non-invasive   light
+zap-http         zap-baseline   non-invasive   medium
+```

hooks/generic-webhook/README.md

@@ -0,0 +1,18 @@
+---
+title: "Generic WebHook"
+path: "hooks/generic-webhook"
+category: "hook"
+type: "integration"
+state: "released"
+usecase: "Publishes Scan Findings as WebHook."
+---
+
+<!-- end -->
+
+## Deployment
+
+Installing the Generic WebHook hook will add a ReadOnly Hook to your namespace. 
+
+```bash
+helm upgrade --install gwh ./hooks/generic-webhook/ --set webhookUrl="http://example.com/my/webhook/target"
+```

hooks/imperative-subsequent-scans/values.yaml

@@ -6,15 +6,15 @@ cascade:
   # Cascade nmap scans for each subdomain found by amass
   amassNmap: true
   # Cascade nmap SMB scans for each SMB Port found by nmap
-  nmapSmb: true
+  nmapSmb: false
   # Cascade SSH scans for each SSH Port found by nmap
   nmapSsh: true
   # Cascade SSL scans for each HTTP Port found by nmap
   nmapSsl: true
   # Cascade Nikto scans for each HTTP Port found by nmap
-  nmapNikto: true
+  nmapNikto: false
   # Cascade ZAP scans for each HTTP Port found by nmap
-  nmapZapBaseline: true
+  nmapZapBaseline: false
 
 image:
   registry: docker.io

hooks/persistence-defectdojo/README.md

@@ -0,0 +1,26 @@
+---
+title: "DefectDojo"
+path: "hooks/persistence-defectdojo"
+category: "hook"
+type: "persistenceProvider"
+state: "roadmap"
+usecase: "Publishes all Scan Findings to DefectDojo."
+---
+
+<!-- end -->
+
+## About
+
+DefectDojo is an open-source tool for importing and managing findings of security scanners. The DefectDojo persistence provider can be used to create new Engagements for SecurityTests run via the secureCodeBox and import all findings which were identified automatically to DefectDojo.
+
+Tools which are supported both by the secureCodeBox and DefectDojo (OWASP ZAP & Nmap) this is done by importing the raw scan report into DefectDojo. Findings by other secureCodeBox supported scanners are currently not directly supported by DefectDojo. These findings are imported via a generic finding API of DefectDojo, which might cause some loss of information on the findings.  
+
+To learn more about DefectDojo visit [DefectDojo GitHub] or [DefectDojo Website].
+
+## Deployment
+The secureCodeBox core team is working on an integration of DefectDojo. We will keep you informed.
+
+
+[DefectDojo Website]: https://www.defectdojo.org/
+[DefectDojo GitHub]: https://github.com/DefectDojo/django-DefectDojo
+[DefectDojo Documentation]: https://defectdojo.readthedocs.io/en/latest/

hooks/persistence-elastic/README.md

@@ -0,0 +1,55 @@
+---
+title: "Elasticsearch"
+path: "hooks/persistence-elastic"
+category: "hook"
+type: "persistenceProvider"
+state: "released"
+usecase: "Publishes all Scan Findings to Elasticsearch."
+---
+
+<!-- end -->
+
+## About
+The ElasticSearch persistenceProvider hook saves all findings and reports into the configured ElasticSearch index. This allows for some easy searching and visualization of the findings. To learn more about Elasticsearch visit elastic.io.
+
+## Deployment
+
+Installing the Elasticsearch persistenceProvider hook will add a _ReadOnly Hook_ to your namespace. 
+
+```bash
+helm upgrade --install elkh ./hooks/persistence-elastic/
+```
+
+## Configuration
+see values.yaml
+
+```yaml
+# Define a specific index prefix
+indexPrefix: "scbv2"
+
+# Enable this when you already have an Elastic Stack running to which you want to send your results
+externalElasticStack:
+  enabled: false
+  elasticsearchAddress: "https://elasticsearch.example.com"
+  kibanaAddress: "https://kibana.example.com"
+
+# Configure authentication schema and credentials the persistence provider should use to connect to elasticsearch
+# user and apikey are mutually exclusive, only set one!
+authentication:
+  # Link a pre-existing generic secret with `username` and `password` key / value pairs
+  userSecret: null
+  # Link a pre-existing generic secret with `id` and `key` key / value pairs
+  apiKeySecret: null
+
+# Configures included Elasticsearch subchart
+elasticsearch:
+  enabled: true
+  replicas: 1
+  minimumMasterNodes: 1
+  # image: docker.elastic.co/elasticsearch/elasticsearch-oss
+
+# Configures included Elasticsearch subchart
+kibana:
+  enabled: true
+  # image: docker.elastic.co/kibana/kibana-oss
+```

hooks/persistence-elastic/values.yaml

@@ -8,6 +8,7 @@ image:
   tag: latest
   digest: null
 
+# Define a specific index prefix
 indexPrefix: "scbv2"
 
 # Enable this when you already have an Elastic Stack running to which you want to send your results