
Commit 7ef2c27

committed
Start migrating cascading scan hook
1 parent bd6a329 commit 7ef2c27

15 files changed

Lines changed: 192 additions & 7850 deletions

hooks/Taskfile.yaml

Lines changed: 128 additions & 0 deletions
@@ -0,0 +1,128 @@
1+
version: "3"
2+
3+
includes:
4+
demo-targets:
5+
taskfile: ../demo-targets/Taskfile.yaml
6+
internal: true
7+
core:
8+
taskfile: ../Taskfile.yaml
9+
internal: true
10+
11+
vars:
12+
# addtional cli args to pass to the helm install command which installs the hook into the testing environment
13+
additionalHelmInstallArgsForHook: '{{ .additionalHelmInstallArgsForHook | default "" }}'
14+
env:
15+
IMG_TAG:
16+
sh: 'echo "sha-$(git rev-parse --short HEAD)"'
17+
18+
tasks:
19+
build:
20+
desc: Build the Docker image for the {{ .hookName }} hook
21+
status:
22+
- docker images | grep -q "docker.io/securecodebox/hook-{{ .hookName }}:${IMG_TAG}" || false
23+
preconditions:
24+
- msg: "Docker is not running, please start Docker first"
25+
sh: "docker info >/dev/null 2>&1 || false"
26+
deps:
27+
- core:build-hook-sdk-image
28+
cmds:
29+
- |
30+
echo "Building custom hook image for {{ .hookName }} with tag ${IMG_TAG}"
31+
docker build -t docker.io/securecodebox/hook-{{ .hookName }}:${IMG_TAG} \
32+
--build-arg=baseImageTag=${IMG_TAG} \
33+
{{ .ROOT_DIR }}/hook/
34+
kind load docker-image --name testing-env docker.io/securecodebox/hook-{{ .hookName }}:${IMG_TAG}
35+
predeploy:
36+
desc: Can be overwritten by the hook to perform any pre-deployment steps
37+
cmds: []
38+
silent: true
39+
deploy:
40+
desc: Deploy the {{ .hookName }} hook to the testing environment
41+
deps:
42+
- core:prepare-testing-env
43+
- build
44+
status:
45+
- helm ls {{ .hookName }} -n integration-tests | grep -q '{{ .hookName }}' || false
46+
cmds:
47+
- 'echo "Deploying {{ .hookName }} to the testing environment"'
48+
- task: predeploy
49+
- |
50+
helm upgrade --install {{ .hookName }} {{ .ROOT_DIR }} --namespace integration-tests \
51+
--set="hook.image.tag=${IMG_TAG}" \
52+
--set="hook.image.pullPolicy=Never" \
53+
{{ if ne "" .additionalHelmInstallArgsForHook -}}
54+
{{ .additionalHelmInstallArgsForHook -}}
55+
{{ end -}}
56+
--wait
57+
58+
# test:setup tasks
59+
test:setup:hook-sdk:
60+
internal: true
61+
status:
62+
- "[ -d {{ .ROOT_DIR }}/../../hook-sdk/nodejs/node_modules ] || false"
63+
cmds:
64+
- cd {{ .ROOT_DIR }}/../../hook-sdk/nodejs/ && bun install
65+
test:setup:test-helpers:
66+
internal: true
67+
status:
68+
- "[ -d {{ .ROOT_DIR }}/../../tests/integration/node_modules ] || false"
69+
cmds:
70+
- cd {{ .ROOT_DIR }}/../../tests/integration && bun install
71+
test:setup:hook-deps:
72+
internal: true
73+
status:
74+
- "[ -d {{ .ROOT_DIR }}/hook/node_modules ] || false"
75+
cmds:
76+
- cd {{ .ROOT_DIR }}/hook/ && bun install
77+
test:setup:
78+
cmds:
79+
- task: test:setup:hook-sdk
80+
- task: test:setup:test-helpers
81+
- task: test:setup:hook-deps
82+
83+
test:unit:
84+
desc: Run unit tests for the {{ .hookName }} hook
85+
deps:
86+
- test:setup
87+
cmds:
88+
- |
89+
echo "Running unit tests for {{ .hookName }}"
90+
bun test {{ .ROOT_DIR }}/hook/
91+
test:integration:
92+
desc: Run integration tests for the {{ .hookName }} hook
93+
deps:
94+
- test:setup
95+
- deploy
96+
preconditions:
97+
- msg: "kind cluster is not running, run 'task prepare-testing-env' from project root dir first"
98+
sh: "kubectl config get-contexts | grep -q 'kind-testing-env' || false"
99+
- msg: "secureCodeBox operator is not deployed, run 'task prepare-testing-env' from project root dir first"
100+
sh: "kubectl get pods -n securecodebox-system | grep -q 'securecodebox-operator' || false"
101+
- msg: "{{ .hookName }} hook is not deployed, run 'task build deploy' from hook dir first"
102+
sh: "helm -n integration-tests ls | grep -q '{{ .hookName }}' || false"
103+
cmds:
104+
# Workaround for https://github.com/oven-sh/bun/issues/7332
105+
- 'echo "Forwarding the Kubernetes API to localhost"'
106+
- kubectl proxy >/dev/null 2>&1 &
107+
- sleep 1 # Wait a bit to ensure the proxy is up
108+
109+
- defer: |
110+
# kill pid with command "kubectl proxy"
111+
echo "Killing kubectl proxy"
112+
pkill -f "kubectl proxy"
113+
114+
- echo "Running integration tests for {{ .hookName }}"
115+
- bun test {{ .ROOT_DIR }}/integration-tests/
116+
test:helm:
117+
desc: Run helm tests for the {{ .hookName }} hook
118+
preconditions:
119+
- msg: "Helm unittest plugin is not installed, you need to install it first. See: https://github.com/helm-unittest/helm-unittest/"
120+
sh: "helm plugin list | grep -q 'unittest' || false"
121+
cmds:
122+
- helm unittest {{ .ROOT_DIR }}
123+
test:
124+
desc: Run all tests for the {{ .hookName }} hook
125+
cmds:
126+
- task test:unit
127+
- task test:helm
128+
- task test:integration
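Review bot: The `pkill -f "kubectl proxy"` in the `defer` of `test:integration` terminates every process on the host whose command line matches, not only the proxy this task started, so a developer's own `kubectl proxy` session dies with the test run. Since each `cmds` entry runs in its own shell, `$!` from the `kubectl proxy … &` line is not visible to the `defer`; running the proxy, the `sleep` and the `bun test` call in one multi-line cmd with an EXIT trap scopes the cleanup to the process that was actually started. Separately, the `build` task's `status` greps `docker images` for `docker.io/securecodebox/hook-…`, but `docker images` prints Docker Hub repositories without the `docker.io/` prefix, so that check likely never matches and the image is rebuilt on every run; `docker image inspect docker.io/securecodebox/hook-{{ .hookName }}:${IMG_TAG} >/dev/null 2>&1` is a reliable alternative. The `test` task also shells out with `- task test:unit` while the rest of the file uses the native `- task: predeploy` form; `- task: test:unit` keeps the style consistent.
```yaml
    cmds:
      - 'echo "Forwarding the Kubernetes API to localhost"'
      - |
        kubectl proxy >/dev/null 2>&1 &
        PROXY_PID=$!
        trap 'echo "Killing kubectl proxy"; kill "$PROXY_PID"' EXIT
        sleep 1 # Wait a bit to ensure the proxy is up
        echo "Running integration tests for {{ .hookName }}"
        bun test {{ .ROOT_DIR }}/integration-tests/
```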

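--- a/hooks/cascading-scans/.gitignore
+++ b/hooks/cascading-scans/.gitignore
@@ -7,3 +7,7 @@ node_modules
 **.js
 !**.test.js
 *.tar
+
+# files generated by the test suite
+passwords.txt
+users.txt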
Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,35 @@
1+
version: "3"
2+
3+
includes:
4+
scanner:
5+
taskfile: ../Taskfile.yaml
6+
flatten: true
7+
excludes:
8+
- predeploy
9+
vars:
10+
hookName: cascading-scans
11+
additionalHelmInstallArgsForScanner: |
12+
--set="scanner.image.pullPolicy=IfNotPresent" \
13+
--set="nucleiTemplateCache.enabled=false" \
14+
15+
tasks:
16+
predeploy:
17+
deps:
18+
- demo-targets:deploy:dummy-ssh
19+
cmds:
20+
- |
21+
# install nmap
22+
helm -n integration-tests upgrade --install nmap oci://ghcr.io/securecodebox/helm/nmap \
23+
--set="cascadingRules.enabled=true"
24+
- |
25+
# install ncrack
26+
printf "root\nadmin\n" > users.txt
27+
printf "THEPASSWORDYOUCREATED\n123456\npassword\n" > passwords.txt
28+
kubectl create secret generic --from-file users.txt --from-file passwords.txt ncrack-lists -n integration-tests --dry-run=client -o yaml | kubectl apply -f -
29+
30+
helm -n integration-tests upgrade --install ncrack oci://ghcr.io/securecodebox/helm/ncrack \
31+
--set="scanner.extraVolumes[0].name=ncrack-lists" \
32+
--set="scanner.extraVolumes[0].secret.secretName=ncrack-lists" \
33+
--set="scanner.extraVolumeMounts[0].name=ncrack-lists" \
34+
--set="scanner.extraVolumeMounts[0].mountPath=/ncrack/" \
35+
--set="cascadingRules.enabled=true"
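Review bot: The `additionalHelmInstallArgsForScanner` var defined in this file is never consumed: the included hooks/Taskfile.yaml earlier in this commit substitutes `additionalHelmInstallArgsForHook` into its `helm upgrade --install`, and the values carried here (`scanner.image.pullPolicy`, `nucleiTemplateCache.enabled`) are scanner-chart settings rather than anything the hook chart appears to expose. Either drop the var or rename it to `additionalHelmInstallArgsForHook` and give it hook-relevant `--set` flags. This section has no file header on the page; from `hookName: cascading-scans` and the `predeploy` override it appears to be the cascading-scans hook's Taskfile, but confirm against the commit's file list.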

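--- a/hooks/cascading-scans/hook/hook.ts
+++ b/hooks/cascading-scans/hook/hook.ts
@@ -13,7 +13,7 @@ import {
 isArray,
 } from "lodash";
 import {isMatch as wildcardIsMatch} from "matcher";
-import * as Mustache from "mustache";
+import Mustache from "mustache";
 
 import {
 startSubsequentSecureCodeBoxScan,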
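Review bot: `import Mustache from "mustache"` takes a default export from a package that ships CommonJS/UMD, so it only type-checks if the hook's tsconfig enables `esModuleInterop` (or `allowSyntheticDefaultImports`) or module resolution picks the package's ESM entry; neither the tsconfig nor the resolution setting is part of this commit, so confirm the hook still compiles with the newly added `@types/mustache`. The same import change is made in hook/scope-limiter.ts.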

hooks/cascading-scans/hook/package-lock.json

Lines changed: 14 additions & 0 deletions

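--- a/hooks/cascading-scans/hook/package.json
+++ b/hooks/cascading-scans/hook/package.json
@@ -47,11 +47,9 @@
 },
 "devDependencies": {
 "@types/ip-address": "^7.0.0",
-"@types/jest": "^29.4.0",
 "@types/lodash": "^4.14.171",
+"@types/mustache": "^4.2.6",
 "@types/node": "^16.0.0",
-"jest": "^29.3.1",
-"ts-jest": "^29.0.5",
 "typescript": "^4.3.5"
 }
-}
+}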
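Review bot: The hook's dependencies are now installed with `bun install` (see `test:setup:hook-deps` in hooks/Taskfile.yaml), yet this commit still modifies `package-lock.json`; bun maintains its own lockfile, so `package-lock.json` will drift from what `bun install` actually resolves and should either be removed or regenerated by the same tool that installs. Dropping `@types/jest` also drops the declarations for the `test`/`expect` globals that the hook's unit tests presumably use; under `bun test` the replacement would be `bun-types` (or `@types/bun`), which this commit does not add — confirm against the hook's tsconfig, which is not shown here.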

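--- a/hooks/cascading-scans/hook/scope-limiter.ts
+++ b/hooks/cascading-scans/hook/scope-limiter.ts
@@ -4,7 +4,7 @@
 
 import {Finding, ScopeLimiter, ScopeLimiterAliases} from "./scan-helpers";
 import {V1ObjectMeta} from "@kubernetes/client-node/dist/gen/model/v1ObjectMeta";
-import * as Mustache from "mustache";
+import Mustache from "mustache";
 import {Address4, Address6} from "ip-address";
 import {fromUrl, parseDomain, ParseResultType} from "parse-domain";
 import {flatten, isEqual, takeRight} from "lodash";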

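--- a/hooks/cascading-scans/hook/integration-tests/cascade-nmap-ncrack.test.js
+++ b/hooks/cascading-scans/integration-tests/cascade-nmap-ncrack.test.js
@@ -2,26 +2,23 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-const {cascadingScan} = require("../../../../tests/integration/helpers");
-var {jest} = require("@jest/globals");
-
-jest.retryTimes(3);
+import { cascadingScan } from "../../../tests/integration/helpers";
 
 test(
 "Cascading Scan nmap -> ncrack on dummy-ssh",
 async () => {
-const {categories, severities, count} = await cascadingScan(
+const { categories, severities, count } = await cascadingScan(
 "nmap-dummy-ssh",
 "nmap",
-["-Pn", "-sV", "dummy-ssh.demo-targets.svc"],
+["-Pn", "-p22", "-sV", "dummy-ssh.demo-targets.svc"],
 {
 nameCascade: "ncrack-ssh",
 matchLabels: {
 "securecodebox.io/invasive": "invasive",
 "securecodebox.io/intensive": "high",
 },
 },
-120
+120,
 );
 
 expect(count).toBe(1);
@@ -32,5 +29,5 @@ test(
 high: 1,
 });
 },
-3 * 60 * 1000
+{ timeout: 3 * 60 * 1000 },
 );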
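Review bot: The `jest.retryTimes(3)` removed in the first hunk has no replacement, so this test — which waits on a real nmap → ncrack cascade against `dummy-ssh` and was evidently flaky enough to need retries — now fails on the first hiccup; bun's `test()` options accept a `retry` count alongside `timeout` (check the installed bun version supports it), so the last line could become `{ timeout: 3 * 60 * 1000, retry: 3 },`. The test body spans both hunks and the `expect` calls in between rely on `bun test` providing `expect` as a global, which the `test:integration` task in hooks/Taskfile.yaml does.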

hooks/cascading-scans/hook/integration-tests/cascade-nmap-sslyze.test.js.disabled renamed to hooks/cascading-scans/integration-tests/cascade-nmap-sslyze.test.js.disabled

File renamed without changes.

hooks/jest.config.js

Lines changed: 0 additions & 11 deletions
This file was deleted.
