secureCodeBox · Weltraumschaf · Mar 17, 2022 · Mar 15, 2022 · Mar 15, 2022 · Mar 15, 2022
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -907,8 +907,7 @@ jobs:
             --set="parser.env[0].name=CRASH_ON_FAILED_VALIDATION" \
             --set-string="parser.env[0].value=true"
           kubectl apply -f ./scanners/zap-advanced/integration-tests/scantype-configMap.yaml -n integration-tests
-          cd tests/integration/
-          npx jest --ci --color scanner/zap-advanced.test.js
+          npx jest --ci --color ./scanners/zap-advanced/integration-tests/zap-advanced.test.js
 
       # ---- Debuging Cluster on Failure ----
 

diff --git a/scanners.mk b/scanners.mk
@@ -81,4 +81,4 @@ deploy-with-scanner:
 integration-tests:
 	@echo ".: 🩺 Starting integration test in kind namespace 'integration-tests'."
 	kubectl -n integration-tests delete scans --all
-	cd ../../tests/integration/ && npm ci &&	npx --yes --package jest@$(JEST_VERSION) jest --verbose --ci --colors --coverage --passWithNoTests ${scanner-prefix}/${name}.test.js
+	cd .. && npm ci && cd $(scanner)/integration-tests && npm run test --yes --package jest@$(JEST_VERSION) $(scanner)/integration-tests
diff --git a/scanners/amass/Makefile b/scanners/amass/Makefile
@@ -9,10 +9,3 @@ include_guard = set
 scanner = amass
 
 include ../../scanners.mk
-
-integration-tests:
-	@echo ".: 🩺 Starting integration test in kind namespace 'integration-tests'."
-	kubectl -n integration-tests delete scans --all
-	cd ../../tests/integration/ && npm ci
-	cd ../../scanners/${scanner}
-	npx --yes --package jest@$(JEST_VERSION) jest --verbose --ci --colors --coverage --passWithNoTests ${scanner}/integration-tests
diff --git a/scanners/amass/integration-tests/amass.test.js b/scanners/amass/integration-tests/amass.test.js
@@ -2,8 +2,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-const { scan } = require("../../../tests/integration/helpers.js");
-
+const {scan} = require("../../helpers");
 jest.retryTimes(3);
 
 test(

diff --git a/scanners/cmseek/Makefile b/scanners/cmseek/Makefile
@@ -11,11 +11,4 @@ custom_scanner = set
 
 include ../../scanners.mk
 
-deploy-test-deps: | deploy-test-dep-old-joomla
-
-integration-tests:
-	@echo ".: 🩺 Starting integration test in kind namespace 'integration-tests'."
-	kubectl -n integration-tests delete scans --all
-	cd ../../tests/integration/ && npm ci
-	cd ../../scanners/${scanner}
-	npx --yes --package jest@$(JEST_VERSION) jest --verbose --ci --colors --coverage --passWithNoTests ${scanner}/integration-tests
+deploy-test-deps: | deploy-test-dep-old-joomla
diff --git a/scanners/cmseek/integration-tests/cmseek.test.js b/scanners/cmseek/integration-tests/cmseek.test.js
@@ -2,7 +2,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-const { scan } = require("../../../tests/integration/helpers");
+const {scan} = require("../../helpers");
 
 jest.retryTimes(3);
 

diff --git a/scanners/git-repo-scanner/integration-tests/git-repo-scanner.test.js b/scanners/git-repo-scanner/integration-tests/git-repo-scanner.test.js
@@ -2,7 +2,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-const { scan } = require("../../../tests/integration/helpers");
+const {scan} = require("../../helpers");
 
 jest.retryTimes(3);
 

diff --git a/scanners/gitleaks/integration-tests/gitleaks.test.js b/scanners/gitleaks/integration-tests/gitleaks.test.js
@@ -2,7 +2,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-const { scan } = require("../../../tests/integration/helpers");
+const {scan} = require("../../helpers");
 
 jest.retryTimes(3);
 

diff --git a/scanners/helpers.js b/scanners/helpers.js
@@ -0,0 +1,284 @@
+// SPDX-FileCopyrightText: the secureCodeBox authors
+//
+// SPDX-License-Identifier: Apache-2.0
+
+const k8s = require("@kubernetes/client-node");
+
+const kc = new k8s.KubeConfig();
+kc.loadFromDefault();
+
+const k8sCRDApi = kc.makeApiClient(k8s.CustomObjectsApi);
+const k8sBatchApi = kc.makeApiClient(k8s.BatchV1Api);
+const k8sPodsApi = kc.makeApiClient(k8s.CoreV1Api);
+
+let namespace = "integration-tests";
+
+const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms * 1000));
+
+async function deleteScan(name) {
+  await k8sCRDApi.deleteNamespacedCustomObject(
+    "execution.securecodebox.io",
+    "v1",
+    namespace,
+    "scans",
+    name,
+    {}
+  );
+}
+
+async function getScan(name) {
+  const { body: scan } = await k8sCRDApi.getNamespacedCustomObjectStatus(
+    "execution.securecodebox.io",
+    "v1",
+    namespace,
+    "scans",
+    name
+  );
+  return scan;
+}
+
+async function displayAllLogsForJob(jobName) {
+  console.log(`Listing logs for Job '${jobName}':`);
+  const {
+    body: { items: pods },
+  } = await k8sPodsApi.listNamespacedPod(
+    namespace,
+    true,
+    undefined,
+    undefined,
+    undefined,
+    `job-name=${jobName}`
+  );
+
+  if (pods.length === 0) {
+    console.log(`No Pods found for Job '${jobName}'`);
+  }
+
+  for (const pod of pods) {
+    console.log(
+      `Listing logs for Job '${jobName}' > Pod '${pod.metadata.name}':`
+    );
+
+    for (const container of pod.spec.containers) {
+      try {
+        const response = await k8sPodsApi.readNamespacedPodLog(
+          pod.metadata.name,
+          namespace,
+          container.name
+        );
+        console.log(`Container ${container.name}:`);
+        console.log(response.body);
+      } catch (exception) {
+        console.error(
+          `Failed to display logs of container ${container.name}: ${exception.body.message}`
+        );
+      }
+    }
+  }
+}
+
+async function logJobs() {
+  try {
+    const { body: jobs } = await k8sBatchApi.listNamespacedJob(namespace);
+
+    console.log("Logging spec & status of jobs in namespace");
+
+    for (const job of jobs.items) {
+      console.log(`Job: '${job.metadata.name}' Spec:`);
+      console.log(JSON.stringify(job.spec, null, 2));
+      console.log(`Job: '${job.metadata.name}' Status:`);
+      console.log(JSON.stringify(job.status, null, 2));
+
+      await displayAllLogsForJob(job.metadata.name);
+    }
+  } catch (error) {
+    console.error("Failed to list Jobs");
+    console.error(error);
+  }
+}
+
+async function disasterRecovery(scanName) {
+  const scan = await getScan(scanName);
+  console.error("Last Scan State:");
+  console.dir(scan);
+  await logJobs();
+}
+
+/**
+ *
+ * @param {string} name name of the scan. Actual name will be suffixed with a random number to avoid conflicts
+ * @param {string} scanType type of the scan. Must match the name of a ScanType CRD
+ * @param {string[]} parameters cli argument to be passed to the scanner
+ * @param {number} timeout in seconds
+ * @param {object[]} volumes definitions for kubernetes volumes that should be used. Optional, useful for initContainers (see below)
+ * @param {object[]} volumeMounts definitions for kubernetes volume mounts that should be used. Optional, useful for initContainers (see below)
+ * @param {object[]} initContainers definitions for initContainers that should be added to the scan job to provision files for the scanner. Optional.
+ * @returns {scan.findings} returns findings { categories, severities, count }
+ */
+async function scan(name, scanType, parameters = [], timeout = 180, volumes = [], volumeMounts = [], initContainers = []) {
+  namespace ="integration-tests"
+  const scanDefinition = {
+    apiVersion: "execution.securecodebox.io/v1",
+    kind: "Scan",
+    metadata: {
+      // Use `generateName` instead of name to generate a random suffix and avoid name clashes
+      generateName: `${name}-`,
+    },
+    spec: {
+      scanType,
+      parameters,
+      volumes,
+      volumeMounts,
+      initContainers,
+    },
+  };
+
+  const { body } = await k8sCRDApi.createNamespacedCustomObject(
+    "execution.securecodebox.io",
+    "v1",
+    namespace,
+    "scans",
+    scanDefinition
+  );
+
+  const actualName = body.metadata.name;
+
+  for (let i = 0; i < timeout; i++) {
+    await sleep(1);
+    const { status } = await getScan(actualName);
+
+    if (status && status.state === "Done") {
+      // Wait a couple seconds to give kubernetes more time to update the fields
+      await sleep(2);
+      const { status } = await getScan(actualName);
+      await deleteScan(actualName);
+      return status.findings;
+    } else if (status && status.state === "Errored") {
+      console.error("Scan Errored");
+      await disasterRecovery(actualName);
+
+      throw new Error(
+        `Scan failed with description "${status.errorDescription}"`
+      );
+    }
+  }
+  console.error("Scan Timed out!");
+  await disasterRecovery(actualName);
+
+  throw new Error("timed out while waiting for scan results");
+}
+
+/**
+ *
+ * @param {string} name name of the scan. Actual name will be sufixed with a random number to avoid conflicts
+ * @param {string} scanType type of the scan. Must match the name of a ScanType CRD
+ * @param {string[]} parameters cli argument to be passed to the scanner
+ * @param {string} nameCascade name of cascading scan
+ * @param {object} matchLabels set invasive and intensive of cascading scan
+ * @param {number} timeout in seconds
+ * @returns {scan.findings} returns findings { categories, severities, count }
+ */
+async function cascadingScan(name, scanType, parameters = [], { nameCascade, matchLabels }, timeout = 180) {
+  const scanDefinition = {
+    apiVersion: "execution.securecodebox.io/v1",
+    kind: "Scan",
+    metadata: {
+      // Use `generateName` instead of name to generate a random suffix and avoid name clashes
+      generateName: `${name}-`,
+    },
+    spec: {
+      scanType,
+      parameters,
+      cascades: {
+        matchLabels,
+      }
+    },
+  };
+
+  const { body } = await k8sCRDApi.createNamespacedCustomObject(
+    "execution.securecodebox.io",
+    "v1",
+    namespace,
+    "scans",
+    scanDefinition
+  );
+
+  const actualName = body.metadata.name;
+
+  for (let i = 0; i < timeout; i++) {
+    await sleep(1);
+    const { status } = await getScan(actualName);
+
+    if (status && status.state === "Done") {
+      // Wait a couple seconds to give kubernetes more time to update the fields
+      await sleep(5);
+      console.log("First Scan finished")
+      console.log(`First Scan Status: ${JSON.stringify(status, undefined, 2)}`)
+
+      break;
+    } else if (status && status.state === "Errored") {
+      console.error("Scan Errored");
+      await disasterRecovery(actualName);
+      throw new Error(
+        `Initial Scan failed with description "${status.errorDescription}"`
+      );
+    }
+
+    if (i === (timeout - 1)) {
+      throw new Error(
+        `Initial Scan timed out failed`
+      );
+    }
+  }
+
+  const { body: scans } = await k8sCRDApi.listNamespacedCustomObject(
+    "execution.securecodebox.io",
+    "v1",
+    namespace,
+    "scans"
+  );
+
+  let cascadedScan = null;
+
+  for (const scan of scans.items) {
+    if (scan.metadata.annotations && scan.metadata.annotations["cascading.securecodebox.io/chain"] === nameCascade) {
+      cascadedScan = scan;
+      break;
+    }
+  }
+
+  if (cascadedScan === null) {
+    console.warn(`Didn't find matching cascaded scan in available scans: ${JSON.stringify(scans.items, undefined, 2)}`)
+    throw new Error(`Didn't find cascaded Scan for ${nameCascade}`)
+  }
+  const actualNameCascade = cascadedScan.metadata.name;
+
+  for (let j = 0; j < timeout; j++) {
+    await sleep(1)
+    const { status: statusCascade } = await getScan(actualNameCascade);
+
+    if (statusCascade && statusCascade.state === "Done") {
+      await sleep(2);
+      const { status: statusCascade } = await getScan(actualNameCascade);
+
+      await deleteScan(actualName);
+      await deleteScan(actualNameCascade);
+      return statusCascade.findings;
+    } else if (statusCascade && statusCascade.state === "Errored") {
+      console.error("Scan Errored");
+      await disasterRecovery(actualName);
+      await disasterRecovery(actualNameCascade);
+      throw new Error(
+        `Cascade Scan failed with description "${statusCascade.errorDescription}"`
+      );
+    }
+  }
+  console.error("Cascade Scan Timed out!");
+  await disasterRecovery(actualName);
+  await disasterRecovery(actualNameCascade);
+
+  throw new Error("timed out while waiting for scan results");
+}
+
+module.exports.scan = scan;
+module.exports.cascadingScan = cascadingScan;
diff --git a/scanners/kube-hunter/Makefile b/scanners/kube-hunter/Makefile
@@ -10,10 +10,3 @@ scanner = kube-hunter
 custom_scanner = set
 
 include ../../scanners.mk
-
-integration-tests:
-	@echo ".: 🩺 Starting integration test in kind namespace 'integration-tests'."
-	kubectl -n integration-tests delete scans --all
-	cd ../../tests/integration/ && npm ci
-	cd ../../scanners/${scanner}
-	npx --yes --package jest@$(JEST_VERSION) jest --verbose --ci --colors --coverage --passWithNoTests ${scanner}/integration-tests
diff --git a/scanners/kube-hunter/integration-tests/kube-hunter.test.js b/scanners/kube-hunter/integration-tests/kube-hunter.test.js
@@ -2,7 +2,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-const { scan } = require("../../../tests/integration/helpers");
+const {scan} = require("../../helpers");
 
 jest.retryTimes(3);
 

diff --git a/scanners/kubeaudit/Makefile b/scanners/kubeaudit/Makefile
@@ -25,10 +25,3 @@ deploy-test-deps:
 	kubectl create namespace kubeaudit-tests --dry-run=client -o yaml | kubectl apply -f -
 	# Install jshop in kubeaudit-tests namespace
 	helm -n kubeaudit-tests upgrade --install juice-shop ../../demo-targets/juice-shop/ --wait
-
-integration-tests:
-	@echo ".: 🩺 Starting integration test in kind namespace 'integration-tests'."
-	kubectl -n integration-tests delete scans --all
-	cd ../../tests/integration/ && npm ci
-	cd ../../scanners/${scanner}
-	npx --yes --package jest@$(JEST_VERSION) jest --verbose --ci --colors --coverage --passWithNoTests ${scanner}/integration-tests