Merge branch 'main' into v3

J12934 · J12934 · commit 345a431a0005 · 2021-06-18T16:14:41.000+02:00
diff --git a/.eslintrc.json.license b/.eslintrc.json.license
diff --git a/.github/workflows/helm-docs.yaml b/.github/workflows/helm-docs.yaml
@@ -23,6 +23,7 @@ jobs:
           passphrase: ${{ secrets.GPG_COMMITS_PASSPHRASE }}
           git-user-signingkey: true
           git-commit-gpgsign: true
+          commit_options: '--signoff'
 
       - name: Download Helm Docs
         run: |
diff --git a/.reuse/dep5 b/.reuse/dep5
@@ -1,4 +1,4 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: secureCodeBox
 Upstream-Contact: Robert Seedorff <robert.seedorff@iteratec.com>
-Source: www.securecodebox.io
+Source: https://github.com/secureCodeBox/secureCodeBox
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -14,6 +14,7 @@ SPDX-License-Identifier: Apache-2.0
   - [Working with Issues - How to Contribute in Issues](#working-with-issues---how-to-contribute-in-issues)
   - [How to Write Commit Messages](#how-to-write-commit-messages)
   - [Code of Conduct](#code-of-conduct)
+  - [Developer Certificate of Origin and Licensing](#developer-certificate-of-origin-and-licensing)
 
 ## GitHub Flow
 
@@ -79,7 +80,7 @@ For bugfixes and security fixes of the current release please follow the followi
 - For the main branch:
   - Create a bugfix branch from `main` branch
   - Cherry-Pick Bugfix and commit to bugfix branch
-  - Create PR to `main` branch 
+  - Create PR to `main` branch
 
 ## Working with Issues - How to Contribute in Issues
 
@@ -88,7 +89,7 @@ Before you open an issue please verify there is no existing one covering your is
 
 ## How to Write Commit Messages
 
-For more information see [here](https://chris.beams.io/posts/git-commit/).
+For more information see [Chris Beams article](https://chris.beams.io/posts/git-commit/).
 
 TL;DR
 
@@ -100,8 +101,21 @@ TL;DR
 6. Wrap the body at 72 characters
 7. Use the body to explain what and why vs. how
 
-NOTE: Make sure you don't include `@mentions` or `fixes` keywords in your git commit messages. These should be included in the PR body instead.
+**NOTE**: Make sure you don't include `@mentions` or `fixes` keywords in your git commit messages. These should be included in the PR body instead.
+
+**NOTE**: Make sure to add your signed-off-by tag as described in our [contributors file][contributors-file].
 
 ## Code of Conduct
 
 Please have a look at our [Code of Conduct](./CODE_OF_CONDUCT.md) before you write an Issue or make a PR.
+
+## Developer Certificate of Origin and Licensing
+
+We decided to use [DCO](https://en.wikipedia.org/wiki/Developer_Certificate_of_Origin) instead of [CLA](https://en.wikipedia.org/wiki/Contributor_License_Agreement) as described in [CLAs and using DCO clearly](https://medium.com/@flamefew/clas-and-using-dco-clearly-e46b09a4c048). The reason for that: We need to be sure that one submitting a contribution to this repository is allowed to do this and does not violates copyrights of someone else. For that purpose you have to do some steps to to fullfil our DCO requirements:
+
+1. Read carefully our [contributors file][contributors-file].
+2. Open a pull request which adds you to the [contributors file][contributors-file] to agree the DCO.
+3. Always add a signed-of tag to all your commits as described in the [contributors file][contributors-file].
+4. Add a SPDX license header to all files your contribution will create. You can use the [reuse tool](https://reuse.software) with our [helper script](./bin/add-license-header.sh).
+
+[contributors-file]: ./CONTRIBUTORS.md
diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
@@ -1,3 +1,9 @@
+<!--
+SPDX-FileCopyrightText: 2021 iteratec GmbH
+
+SPDX-License-Identifier: Apache-2.0
+-->
+
 # Contributors
 
 If you would like to make contributions to this repository, please certify to the following Developer's Certificate of Origin (DCO) in [this repository](DCO). Please confirm your certification to the DCO by adding a sign-of tag to all your commit messages and adding your author name (e.g. `gordon shumway <alf@melmak.com>`) to the following list of contributors and open a pull request.
@@ -20,4 +26,5 @@ Committing with `git commit -s` will add the sign-off at the end of the commit m
 - Sven Strittmatter <sven.strittmatter@iteratec.com>
 - Tim Walter <tim.walter@iteratec.com>
 - Yannik Fuhrmeister <yannik.fuhrmeister@iteratec.com>
-
+- Jannik Hollenbach <jannik.hollenbach@iteratec.com>
+- Johannes Zahn <johannes.zahn@iteratec.com>
diff --git a/bin/add-license-header.sh b/bin/add-license-header.sh
@@ -14,6 +14,9 @@
 #   add-license-header.sh file1 file2 file3
 #   cat file_list.txt | add-license-header.sh
 #
+# To generate the file list use `reuse lint`. This produces a Markdown report:
+#   reuse lint > spdx-report.md
+#
 # See also:
 # - https://spdx.org
 # - https://reuse.software
diff --git a/hooks/notification/README.md b/hooks/notification/README.md
@@ -34,6 +34,7 @@ notificationChannels:
   - name: slack
     type: slack
     template: slack-messageCard
+    skipNotificationOnZeroFinding: true
     rules:
       - matches:
           anyOf:
@@ -54,14 +55,19 @@ The `name` is used to for debugging failing notifications.
 it can be a _string_ of you choice.
 
 The `type` specifies the type of the notification (in this example slack).
-Currently `slack` is the only available type, but we are working on others (e.g. MS Teams or email) as well.
+See [Available Notifier](#available-notifier).
 
 The `template` field defines the name of a Nunjucks template to send to your notification channel.
 These templates are usually tied to their notification channel (slack templates will not work for teams).
 The template `slack-messageCard` is provided by default.
 Notice that for the name of the template we chose to omit the file type.
 The template `slack-messageCard` will point to `slack-messageCard.njk` in the filesystem of the hook.
 
+The `skipNotificationOnZeroFindings` if set to true will cause the notifier when there were no findings.
+This can happen when the scan did not identify any or if all findings were filtered out using [rules](#rule-configuration).
+Defaults to `false` if not set.
+You can use `skipNotificationOnZeroFindings` to only send out notification for non duplicate findings, e.g. by combining the DefectDojo hook with this one and filtering out the `duplicate` attribute in the rules.
+
 The `endPoint` specifies where the notification has to go to.
 To protect the actual endPoint (e.g. a webhook url) this should point to an env name defined under `env`
 For slack this would be your webhook URL to slack.
@@ -177,10 +183,15 @@ The identifier for this config has to be `SMTP_CONFIG`.
 A basic configuration could look like this:
 
 ```
-...
+notificationChannels:
+  - name: email
+    type: email
+    template: email
+    rules: []
+    endPoint: "someone@somewhere.xyz"
 env:
   - name: SMTP_CONFIG
-    value: "smtp://user@domain.tld:pass@smtp.domain.tld/"
+    value: "smtp://user:pass@smtp.domain.tld/"
 ```
 
 To provide a custom `from` field for your email you can specify `EMAIL_FROM` under env.
@@ -189,7 +200,7 @@ For example:
 ```
 env:
   - name: SMTP_CONFIG
-    value: "smtp://user@domain.tld:pass@smtp.domain.tld/"
+    value: "smtp://user:pass@smtp.domain.tld/"
   - name: EMAIL_FROM
     value: secureCodeBox
 ```
diff --git a/hooks/notification/README.md.gotmpl b/hooks/notification/README.md.gotmpl
@@ -39,6 +39,7 @@ notificationChannels:
   - name: slack
     type: slack
     template: slack-messageCard
+    skipNotificationOnZeroFinding: true
     rules:
       - matches:
           anyOf:
@@ -59,14 +60,19 @@ The `name` is used to for debugging failing notifications.
 it can be a _string_ of you choice.
 
 The `type` specifies the type of the notification (in this example slack).
-Currently `slack` is the only available type, but we are working on others (e.g. MS Teams or email) as well.
+See [Available Notifier](#available-notifier).
 
 The `template` field defines the name of a Nunjucks template to send to your notification channel.
 These templates are usually tied to their notification channel (slack templates will not work for teams).
 The template `slack-messageCard` is provided by default.
 Notice that for the name of the template we chose to omit the file type.
 The template `slack-messageCard` will point to `slack-messageCard.njk` in the filesystem of the hook.
 
+The `skipNotificationOnZeroFindings` if set to true will cause the notifier when there were no findings.
+This can happen when the scan did not identify any or if all findings were filtered out using [rules](#rule-configuration).
+Defaults to `false` if not set.
+You can use `skipNotificationOnZeroFindings` to only send out notification for non duplicate findings, e.g. by combining the DefectDojo hook with this one and filtering out the `duplicate` attribute in the rules.
+
 The `endPoint` specifies where the notification has to go to.
 To protect the actual endPoint (e.g. a webhook url) this should point to an env name defined under `env`
 For slack this would be your webhook URL to slack.
@@ -182,10 +188,15 @@ The identifier for this config has to be `SMTP_CONFIG`.
 A basic configuration could look like this:
 
 ```
-...
+notificationChannels:
+  - name: email
+    type: email
+    template: email
+    rules: []
+    endPoint: "someone@somewhere.xyz"
 env:
   - name: SMTP_CONFIG
-    value: "smtp://user@domain.tld:pass@smtp.domain.tld/"
+    value: "smtp://user:pass@smtp.domain.tld/"
 ```
 
 To provide a custom `from` field for your email you can specify `EMAIL_FROM` under env.
@@ -194,7 +205,7 @@ For example:
 ```
 env:
   - name: SMTP_CONFIG
-    value: "smtp://user@domain.tld:pass@smtp.domain.tld/"
+    value: "smtp://user:pass@smtp.domain.tld/"
   - name: EMAIL_FROM
     value: secureCodeBox
 ```
diff --git a/hooks/notification/hook.test.ts b/hooks/notification/hook.test.ts
@@ -3,162 +3,11 @@
 // SPDX-License-Identifier: Apache-2.0
 
 import * as path from "path";
-import { handle, matches, getNotificationChannels, mapToEndPoint } from "./hook";
+import { matches, getNotificationChannels, mapToEndPoint } from "./hook";
 import { Finding } from "./model/Finding";
 import { NotificationChannel } from "./model/NotificationChannel";
 import { NotifierType } from "./NotifierType";
 
-const scan = {
-  metadata: {
-    uid: "09988cdf-1fc7-4f85-95ee-1b1d65dbc7cc",
-    name: "demo-scan-1601086432",
-    namespace: "my-scans",
-    creationTimestamp: "2021-01-01T14:29:25Z",
-    labels: {
-      company: "iteratec",
-      "attack-surface": "external",
-    },
-  },
-  spec: {
-    scanType: "Nmap",
-    parameters: ["-Pn", "localhost"],
-  },
-  status: {
-    findingDownloadLink:
-      "https://my-secureCodeBox-instance.com/scan-b9as-sdweref--sadf-asdfsdf-dasdgf-asdffdsfa7/findings.json",
-    findings: {
-      categories: {
-        "A Client Error response code was returned by the server": 1,
-        "Information Disclosure - Sensitive Information in URL": 1,
-        "Strict-Transport-Security Header Not Set": 1,
-      },
-      count: 3,
-      severities: {
-        high: 10,
-        medium: 5,
-        low: 2,
-        informational: 1,
-      },
-    },
-    finishedAt: "2020-05-25T02:38:13Z",
-    rawResultDownloadLink:
-      "https://my-secureCodeBox-instance.com/scan-blkfsdg-sdgfsfgd-sfg-sdfg-dfsg-gfs98-e8af2172caa7/zap-results.json?Expires=1601691232",
-    rawResultFile: "zap-results.json",
-    rawResultType: "zap-json",
-    state: "Done",
-  },
-};
-
-const findings = [
-  {
-    name: "SSH Service",
-    description: "SSH Service Information",
-    category: "SSH Service",
-    osi_layer: "APPLICATION",
-    severity: "INFORMATIONAL",
-    reference: {},
-    hint: "",
-    location: "dummy-ssh.demo-apps.svc",
-    attributes: {
-      hostname: "dummy-ssh.demo-apps.svc",
-      ip_address: "10.102.131.102",
-      server_banner: "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",
-      ssh_version: 2,
-      os_cpe: "o:canonical:ubuntu:16.04",
-      ssh_lib_cpe: "a:openssh:openssh:7.2p2",
-      compliance_policy: "Mozilla Modern",
-      compliant: false,
-      grade: "D",
-      references: ["https://wiki.mozilla.org/Security/Guidelines/OpenSSH"],
-      auth_methods: ["publickey", "password"],
-      key_algorithms: [
-        "curve25519-sha256@libssh.org",
-        "ecdh-sha2-nistp256",
-        "ecdh-sha2-nistp384",
-        "ecdh-sha2-nistp521",
-        "diffie-hellman-group-exchange-sha256",
-        "diffie-hellman-group14-sha1",
-      ],
-      encryption_algorithms: [
-        "chacha20-poly1305@openssh.com",
-        "aes128-ctr",
-        "aes192-ctr",
-        "aes256-ctr",
-        "aes128-gcm@openssh.com",
-        "aes256-gcm@openssh.com",
-      ],
-      mac_algorithms: [
-        "umac-64-etm@openssh.com",
-        "umac-128-etm@openssh.com",
-        "hmac-sha2-256-etm@openssh.com",
-        "hmac-sha2-512-etm@openssh.com",
-        "hmac-sha1-etm@openssh.com",
-        "umac-64@openssh.com",
-        "umac-128@openssh.com",
-        "hmac-sha2-256",
-        "hmac-sha2-512",
-        "hmac-sha1",
-      ],
-      compression_algorithms: ["none", "zlib@openssh.com"],
-    },
-    id: "17ac9886-d083-4c58-8518-557aa3b38d2d",
-  },
-  {
-    name: "Insecure SSH Key Algorithms",
-    description: "Deprecated / discouraged SSH key algorithms are used",
-    category: "SSH Policy Violation",
-    osi_layer: "NETWORK",
-    severity: "MEDIUM",
-    reference: {},
-    hint: "Remove these key exchange algorithms: diffie-hellman-group14-sha1",
-    location: "dummy-ssh.demo-apps.svc",
-    attributes: {
-      hostname: "dummy-ssh.demo-apps.svc",
-      ip_address: "10.102.131.102",
-      payload: ["diffie-hellman-group14-sha1"],
-    },
-    id: "650c5ed1-00fb-44e3-933c-515dca4a1eda",
-  },
-  {
-    name: "Insecure SSH MAC Algorithms",
-    description: "Deprecated / discouraged SSH MAC algorithms are used",
-    category: "SSH Policy Violation",
-    osi_layer: "NETWORK",
-    severity: "MEDIUM",
-    reference: {},
-    hint:
-      "Remove these MAC algorithms: umac-64-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, hmac-sha1",
-    location: "dummy-ssh.demo-apps.svc",
-    attributes: {
-      hostname: "dummy-ssh.demo-apps.svc",
-      ip_address: "10.102.131.102",
-      payload: [
-        "umac-64-etm@openssh.com",
-        "hmac-sha1-etm@openssh.com",
-        "umac-64@openssh.com",
-        "hmac-sha1",
-      ],
-    },
-    id: "5b681ed0-b509-400b-bb1e-ae839bb1b766",
-  },
-  {
-    name: "Discouraged SSH authentication methods",
-    description: "Discouraged SSH authentication methods are used",
-    category: "SSH Policy Violation",
-    osi_layer: "NETWORK",
-    severity: "MEDIUM",
-    reference: {},
-    hint: "Remove these authentication methods: password",
-    location: "dummy-ssh.demo-apps.svc",
-    attributes: {
-      hostname: "dummy-ssh.demo-apps.svc",
-      ip_address: "10.102.131.102",
-      payload: ["password"],
-    },
-    id: "4485916d-3747-4c16-a730-a9b1146dd9a2",
-  },
-];
-
 test("Should Match for High Severity Findings", async () => {
   const finding: Finding = {
     name: "test finding",
diff --git a/hooks/notification/hook.ts b/hooks/notification/hook.ts
@@ -19,6 +19,11 @@ export async function handle({ getFindings, scan }) {
   for (const channel of notificationChannels) {
     channel.endPoint = mapToEndPoint(channel.endPoint);
     const findingsToNotify = findings.filter(finding => matches(finding, channel.rules));
+
+    if (channel.skipNotificationOnZeroFindings === true && findings.length === 0) {
+      continue;
+    }
+
     const notifier: Notifier = NotifierFactory.create(channel, scan, findingsToNotify, args);
     await notifier.sendMessage();
   }
diff --git a/hooks/notification/model/NotificationChannel.ts b/hooks/notification/model/NotificationChannel.ts
@@ -7,6 +7,7 @@ import { NotifierType } from "../NotifierType";
 export interface NotificationChannel {
   name: string;
   type: NotifierType;
+  skipNotificationOnZeroFindings?: boolean;
   template: string;
   rules: any;
   endPoint?: string;
diff --git a/hooks/notification/package-lock.json b/hooks/notification/package-lock.json
diff --git a/hooks/notification/package.json b/hooks/notification/package.json
diff --git a/hooks/persistence-defectdojo/README.md b/hooks/persistence-defectdojo/README.md
diff --git a/hooks/persistence-defectdojo/README.md.gotmpl b/hooks/persistence-defectdojo/README.md.gotmpl
