diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index f68770b5ef..cb3554617b 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -23,7 +23,7 @@ env: KIND_BINARY_VERSION: "v0.20.0" KUBECTL_VERSION: "v1.27.4" HELM_VERSION: "v3.12.2" - HELM_PLUGIN_UNITTEST: "0.3.5" + HELM_PLUGIN_UNITTEST: "0.4.1" jobs: # ---- NVM Setup ----
@@ -54,7 +54,6 @@ jobs: path: ./nvm-node.tar.gz retention-days: 1 - test-nodejs-scanner-test-helpers: name: "Unit Test | Node.js Scanner Test Helpers" needs:
@@ -152,7 +151,7 @@ jobs: - name: Install Helm Unit Test Plugin run: | helm plugin install https://github.com/helm-unittest/helm-unittest.git --version ${{ env.HELM_PLUGIN_UNITTEST }} - + - name: Helm-Chart Unit Tests | Operator working-directory: ./operator run: make helm-unit-tests
@@ -186,7 +185,7 @@ jobs: steps: - uses: actions/checkout@v4 with: - fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis + fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis - name: Set up JDK 17 uses: actions/setup-java@v4 with:
@@ -208,7 +207,7 @@ jobs: restore-keys: ${{ runner.os }}-gradle - name: Build and analyze env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} working-directory: hooks/${{ matrix.unit }}/hook run: ./gradlew build --info
@@ -296,7 +295,7 @@ jobs: auto-discovery-kubernetes-secret-extraction-container: name: "Autodiscovery | Kubernetes | SecretExtractionInitContainer" runs-on: ubuntu-22.04 - needs: + needs: - nvm-setup - k8s-setup steps:
@@ -733,7 +732,6 @@ jobs: docker load --input /tmp/hook-sdk.tar docker images | grep sdk - # ---- K8s Cluster Setup ---- # - name: Download Kind
diff --git a/operator/config/rbac/role.yaml b/operator/config/rbac/role.yaml
index c434d1f422..611aba9d22 100644
--- a/operator/config/rbac/role.yaml
+++ b/operator/config/rbac/role.yaml
@@ -132,4 +132,5 @@ rules: - create - get - list + - update - watch
diff --git a/operator/controllers/execution/scans/scan_controller.go b/operator/controllers/execution/scans/scan_controller.go
index 82cb33e750..f91f60c412 100644
--- a/operator/controllers/execution/scans/scan_controller.go
+++ b/operator/controllers/execution/scans/scan_controller.go
@@ -54,7 +54,7 @@ var s3StorageFinalizer = "s3.storage.securecodebox.io" // Pod permission are required to grant these permission to service accounts // +kubebuilder:rbac:groups=core,resources=pods,verbs=get // +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;watch;list;create -// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=get;watch;list;create +// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=get;watch;list;create;update // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;watch;list;create // Reconcile compares the scan object against the state of the cluster and updates both if needed
diff --git a/operator/templates/rbac/role.yaml b/operator/templates/rbac/role.yaml
index c434d1f422..611aba9d22 100644
--- a/operator/templates/rbac/role.yaml
+++ b/operator/templates/rbac/role.yaml
@@ -132,4 +132,5 @@ rules: - create - get - list + - update - watch
diff --git a/operator/tests/__snapshot__/operator_test.yaml.snap b/operator/tests/__snapshot__/operator_test.yaml.snap
index 8dbc677718..5d262182fd 100644
--- a/operator/tests/__snapshot__/operator_test.yaml.snap
+++ b/operator/tests/__snapshot__/operator_test.yaml.snap
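Review bot: The added `update` verb on `roles` (the `- update` inserted before `- watch`) lets the operator's service account modify any Role within its scope, not only the ones it created, and neither this hunk nor the kubebuilder marker in scan_controller.go on the same diff line records why; the reason belongs next to the marker, e.g. `// update on roles: presumably needed to reconcile an already existing per-scan Role (confirm); RBAC escalation prevention still limits the operator to granting verbs it holds itself`. The `create;update` marker change is presumably what regenerates this file, and operator/templates/rbac/role.yaml moves to the identical blob (`c434d1f422..611aba9d22`), so a CI step that diffs the generated file against the chart copy would keep the two from drifting. In the chart snapshot the matching `- update` (`@@ -429,8 +463,9 @@`) falls inside the entry that begins as a ClusterRole at `@@ -299,7 +333,7 @@`, so if that reading is right the grant is cluster-wide and worth stating in the chart documentation. The enclosing `rules` entry starts outside the hunk.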
@@ -1,7 +1,41 @@ matches the snapshot: 1: | - raw: "\nsecureCodeBox Operator Deployed \U0001F680\n\nThe operator can orchestrate the execution of various security scanning tools inside of your cluster.\nYou can find a list of all officially supported scanners here: https://www.securecodebox.io/\nThe website also lists other integrations, like persisting scan results to DefectDojo or Elasticsearch.\n\nThe operator send out regular telemetry pings to a central service.\nThis lets us, the secureCodeBox team, get a grasp on how much the secureCodeBox is used.\nThe submitted data is chosen to be as anonymous as possible.\nYou can find a complete report of the data submitted and links to the source-code at: https://www.securecodebox.io/docs/telemetry\nThe first ping is send one hour after the install, you can prevent this by upgrading the chart and setting `telemetryEnabled` to `false`.\n" + raw: | + CHART NAME: minio + CHART VERSION: 13.4.6 + APP VERSION: 2024.2.13 + + ** Please be patient while the chart is being deployed ** + + MinIO® can be accessed via port on the following DNS name from within your cluster: + + RELEASE-NAME-minio.NAMESPACE.svc.cluster.local + + To get your credentials run: + + export ROOT_USER=$(kubectl get secret --namespace NAMESPACE RELEASE-NAME-minio -o jsonpath="{.data.root-user}" | base64 -d) + export ROOT_PASSWORD=$(kubectl get secret --namespace NAMESPACE RELEASE-NAME-minio -o jsonpath="{.data.root-password}" | base64 -d) + + To connect to your MinIO® server using a client: + + - Run a MinIO® Client pod and append the desired command (e.g. 
'admin info'): + + kubectl run --namespace NAMESPACE RELEASE-NAME-minio-client \ + --rm --tty -i --restart='Never' \ + --env MINIO_SERVER_ROOT_USER=$ROOT_USER \ + --env MINIO_SERVER_ROOT_PASSWORD=$ROOT_PASSWORD \ + --env MINIO_SERVER_HOST=RELEASE-NAME-minio \ + --image docker.io/bitnami/minio-client:2024.2.9-debian-11-r7 -- admin info minio + + To access the MinIO® web UI: + + - Get the MinIO® URL: + + echo "MinIO® web URL: http://127.0.0.1:9001/minio" + kubectl port-forward --namespace NAMESPACE svc/RELEASE-NAME-minio 9001:9001 2: | + raw: "\nsecureCodeBox Operator Deployed \U0001F680\n\nThe operator can orchestrate the execution of various security scanning tools inside of your cluster.\nYou can find a list of all officially supported scanners here: https://www.securecodebox.io/\nThe website also lists other integrations, like persisting scan results to DefectDojo or Elasticsearch.\n\nThe operator send out regular telemetry pings to a central service.\nThis lets us, the secureCodeBox team, get a grasp on how much the secureCodeBox is used.\nThe submitted data is chosen to be as anonymous as possible.\nYou can find a complete report of the data submitted and links to the source-code at: https://www.securecodebox.io/docs/telemetry\nThe first ping is send one hour after the install, you can prevent this by upgrading the chart and setting `telemetryEnabled` to `false`.\n" + 3: | apiVersion: apps/v1 kind: Deployment metadata:
@@ -105,7 +139,7 @@ matches the snapshot: - configMap: name: foo name: ca-certificate - 3: | + 4: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -115,7 +149,7 @@ matches the snapshot: - /metrics verbs: - get - 4: | + 5: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -133,7 +167,7 @@ matches the snapshot: - subjectaccessreviews verbs: - create - 5: | + 6: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata:
@@ -146,7 +180,7 @@ matches the snapshot: - kind: ServiceAccount name: securecodebox-operator namespace: NAMESPACE - 6: | + 7: | apiVersion: v1 kind: Service metadata:
@@ -161,7 +195,7 @@ matches the snapshot: targetPort: https selector: control-plane: controller-manager - 7: | + 8: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -185,7 +219,7 @@ matches the snapshot: - cascadingrules/status verbs: - get - 8: | + 9: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -205,7 +239,7 @@ matches the snapshot: - cascadingrules/status verbs: - get - 9: | + 10: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata:
@@ -242,7 +276,7 @@ matches the snapshot: verbs: - create - patch - 10: | + 11: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata:
@@ -255,7 +289,7 @@ matches the snapshot: - kind: ServiceAccount name: securecodebox-operator namespace: NAMESPACE - 11: | + 12: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -279,7 +313,7 @@ matches the snapshot: - parsedefinitions/status verbs: - get - 12: | + 13: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -299,7 +333,7 @@ matches the snapshot: - parsedefinitions/status verbs: - get - 13: | + 14: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -429,8 +463,9 @@ matches the snapshot: - create - get - list + - update - watch - 14: | + 15: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata:
@@ -443,7 +478,7 @@ matches the snapshot: - kind: ServiceAccount name: securecodebox-operator namespace: NAMESPACE - 15: | + 16: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -467,7 +502,7 @@ matches the snapshot: - scans/status verbs: - get - 16: | + 17: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -487,7 +522,7 @@ matches the snapshot: - scans/status verbs: - get - 17: | + 18: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -511,7 +546,7 @@ matches the snapshot: - scancompletionhooks/status verbs: - get - 18: | + 19: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -531,7 +566,7 @@ matches the snapshot: - scancompletionhooks/status verbs: - get - 19: | + 20: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -555,7 +590,7 @@ matches the snapshot: - scantypes/status verbs: - get - 20: | + 21: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -575,7 +610,7 @@ matches the snapshot: - scantypes/status verbs: - get - 21: | + 22: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -599,7 +634,7 @@ matches the snapshot: - scheduledscans/status verbs: - get - 22: | + 23: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -619,7 +654,7 @@ matches the snapshot: - scheduledscans/status verbs: - get - 23: | + 24: | apiVersion: v1 kind: ServiceAccount metadata:
diff --git a/scanners/ncrack/parser/parser.js b/scanners/ncrack/parser/parser.js
index 7fd4212b02..c7fb7f0fa6 100644
--- a/scanners/ncrack/parser/parser.js
+++ b/scanners/ncrack/parser/parser.js
@@ -4,7 +4,7 @@ const xml2js = require("xml2js"); const crypto = require("crypto"); -const { readFile } = require("fs/promises"); +const {readFile} = require("fs/promises"); async function parse( fileContent,
@@ -37,7 +37,7 @@ function transformToFindings(ncrackrun, publicKey) { .publicEncrypt( { key: publicKey, - padding: crypto.constants.RSA_PKCS1_PADDING, + padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, }, Buffer.from(password) )
diff --git a/scanners/ncrack/parser/parser.test.js b/scanners/ncrack/parser/parser.test.js
index 245f56bf68..e2b1af8dcb 100644
--- a/scanners/ncrack/parser/parser.test.js
+++ b/scanners/ncrack/parser/parser.test.js
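Review bot: The switch to `RSA_PKCS1_OAEP_PADDING` in `publicEncrypt` leaves the OAEP hash at Node's default (SHA-1) because no `oaepHash` is passed; pin it explicitly, `padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,` followed by `oaepHash: "sha256",`, and add the same option to the `privateDecrypt` call in parser.test.js (`@@ -142,7 +142,7 @@`), since both sides must use the same hash and anyone decrypting findings outside this repo needs the parameters spelled out. Moving off PKCS#1 v1.5 is the right direction — v1.5 decryption is padding-oracle-prone and newer Node.js releases reject it in `privateDecrypt` by default — but it is a compatibility break: a `password` attribute encrypted before this change cannot be decrypted with the new parameters, so the changelog and the scanner's documentation on decrypting findings should say so. OAEP also lowers the maximum plaintext per encryption (roughly the key size minus twice the hash length minus 2 bytes), so a long password with a small key now throws where v1.5 might have succeeded; a test for that boundary, or a clear error message, would help. transformToFindings begins and ends outside the hunk.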
@@ -142,7 +142,7 @@ it("should encrypt findings when a public key is set", async () => { let decryptedData = crypto.privateDecrypt( { key: privateKey, - padding: crypto.constants.RSA_PKCS1_PADDING, + padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, }, Buffer.from(finding.attributes.password, "base64") );