secureCodeBox · rfelber · Feb 13, 2019 · Oct 24, 2018 · Oct 25, 2018 · Oct 29, 2018
diff --git a/.travis.yml b/.travis.yml
@@ -8,6 +8,7 @@ cache:
   - "$HOME/.m2"
 install: true
 script:
+  - set -e
   - echo -en "travis_fold:start:Test\r"
   - mvn install -Pdependency-check
   - echo -en "travis_fold:end:Test\r"
@@ -17,14 +18,18 @@ script:
   - docker build -t $REPO:$TAG --build-arg="BUILD_DATE=$(date --rfc-3339=seconds)" --build-arg=VERSION=$TRAVIS_TAG --build-arg=COMMIT_ID=$TRAVIS_COMMIT --build-arg=BRANCH=$TRAVIS_BRANCH --build-arg=REPOSITORY_URL="https://github.com/secureCodeBox/engine" .
   - echo -en "travis_fold:end:Docker_Build\r"
   - docker images
+  - set +e
 
 deploy:
   - provider: script
     skip_cleanup: true
     script: bash .travis/deployDockerHub.sh
     on:
       all_branches: true
+      condition: $TRAVIS_PULL_REQUEST = false
 
 before_install:
-  - openssl aes-256-cbc -K $encrypted_e1e85fb8c151_key -iv $encrypted_e1e85fb8c151_iv
-    -in .travis/security_at_iteratec-signing.key.enc -out .travis/security_at_iteratec-signing.key -d
+  - if [ "$TRAVIS_PULL_REQUEST" = "false" ];
+     then bash -c "openssl aes-256-cbc -K $encrypted_e1e85fb8c151_key -iv $encrypted_e1e85fb8c151_iv
+       -in .travis/security_at_iteratec-signing.key.enc -out .travis/security_at_iteratec-signing.key -d";
+    fi
diff --git a/.travis/deployDockerHub.sh b/.travis/deployDockerHub.sh
@@ -6,11 +6,10 @@ echo "Pushing to Dockerhub"
 
 if [[ $TRAVIS_BRANCH =~ ^develop$ ]]
 then
-    echo "Develop Build: Pushing develop tag"
-
+    echo "Develop Build: Tagging develop image"
     echo $(docker tag $REPO:$TAG $REPO:develop)
     echo $(docker tag $REPO:$TAG $REPO:develop-$TRAVIS_BUILD_NUMBER)
-
+    echo "Develop Build: Pushing develop image"
     echo $(docker push $REPO:develop)
     echo $(docker push $REPO:develop-$TRAVIS_BUILD_NUMBER)
 elif [ "$TRAVIS_BRANCH" = "$TRAVIS_TAG" ]
@@ -23,4 +22,4 @@ then
 else
     echo "Feature Branch: Pushing only branch Tag"
     echo $(docker push $REPO:$TAG)
-fi
+fi
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM maven as builder
+FROM maven:3-jdk-8 as builder
 COPY . .
 RUN mvn clean install -T6 -DskipTests=true -B -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn
 
@@ -14,18 +14,27 @@ ARG VERSION
 COPY --from=builder ./scb-engine/target/engine-0.0.1-SNAPSHOT.jar /scb-engine/app.jar
 COPY --from=builder ./scb-scanprocesses/nikto-process/target/nikto-process-0.0.1-SNAPSHOT.jar /scb-engine/lib/
 COPY --from=builder ./scb-scanprocesses/nmap-process/target/nmap-process-0.0.1-SNAPSHOT.jar /scb-engine/lib/
-COPY --from=builder ./scb-scanprocesses/test-process/target/test-process-0.0.1-SNAPSHOT.jar /scb-engine/lib/
 COPY --from=builder ./scb-scanprocesses/zap-process/target/zap-process-0.0.1-SNAPSHOT.jar /scb-engine/lib/
+COPY --from=builder ./scb-scanprocesses/combined-amass-nmap-process/target/combined-amass-nmap-process-0.0.1-SNAPSHOT.jar /scb-engine/lib/
 COPY --from=builder ./scb-scanprocesses/combined-nmap-nikto-scanprocess/target/combined-nmap-nikto-scanprocess-0.0.1-SNAPSHOT.jar /scb-engine/lib/
 COPY --from=builder ./scb-scanprocesses/sslyze-process/target/sslyze-process-0.0.1-SNAPSHOT.jar /scb-engine/lib/
 COPY --from=builder ./scb-scanprocesses/arachni-process/target/arachni-process-1.0-SNAPSHOT.jar /scb-engine/lib/
 COPY --from=builder ./scb-scanprocesses/subdomain-scanner-process/target/subdomain-scanner-process-1.0-SNAPSHOT.jar /scb-engine/lib/
 
 COPY --from=builder ./scb-persistenceproviders/elasticsearch-persistenceprovider/target/elasticsearch-persistenceprovider-0.0.1-SNAPSHOT-jar-with-dependencies.jar /scb-engine/lib/
+COPY --from=builder ./scb-persistenceproviders/s3-persistenceprovider/target/s3-persistenceprovider-0.0.1-SNAPSHOT-jar-with-dependencies.jar /scb-engine/lib/
+COPY --from=builder ./scb-persistenceproviders/defectdojo-persistenceprovider/target/defectdojo-persistenceprovider-0.0.1-SNAPSHOT-jar-with-dependencies.jar /scb-engine/lib/
 
 WORKDIR /scb-engine
 
+COPY dockerfiles/init.sh .
+RUN chmod +x ./init.sh
+
 EXPOSE 8080
+EXPOSE 8443
+
+RUN apk add --update curl
+HEALTHCHECK --interval=30s --timeout=5s --start-period=120s --retries=3 CMD curl --fail http://localhost:8080/status || exit 1
 
 LABEL org.opencontainers.image.title="secureCodeBox Engine" \
     org.opencontainers.image.description="Orchestrating various security scans." \
@@ -39,4 +48,4 @@ LABEL org.opencontainers.image.title="secureCodeBox Engine" \
     org.opencontainers.image.revision=$COMMIT_ID \
     org.opencontainers.image.created=$BUILD_DATE
 
-ENTRYPOINT ["java", "-Dloader.path=./lib/,./plugins/", "-jar", "app.jar"]
+ENTRYPOINT ["./init.sh"]
diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
-  ![Build Status](https://travis-ci.com/secureCodeBox/engine.svg?token=N5PJUt4SAUxNTYFZNtLj&branch=develop)
-  [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
-  [![Known Vulnerabilities](https://snyk.io/test/github/secureCodeBox/engine/badge.svg)](https://snyk.io/test/github/secureCodeBox/engine)
-  [![GitHub release](https://img.shields.io/github/release/secureCodeBox/engine.svg)](https://github.com/secureCodeBox/engine/releases/latest)
+[![Build Status](https://travis-ci.com/secureCodeBox/engine.svg?branch=develop)](https://travis-ci.com/secureCodeBox/engine)
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+[![Known Vulnerabilities](https://snyk.io/test/github/secureCodeBox/engine/badge.svg)](https://snyk.io/test/github/secureCodeBox/engine)
+[![GitHub release](https://img.shields.io/github/release/secureCodeBox/engine.svg)](https://github.com/secureCodeBox/engine/releases/latest)
 
  # SecureCodeBox Engine – the Core
 
@@ -17,12 +17,24 @@ This is the main component of the _secureCodeBox_ it's a [Camunda][camunda] [BPM
 # Configuration Options
 To configure the SCB engine specify the following environment variables:
 
-| Environment Variable                  | Description                        | Example Value               |
-| ------------------------------------- | ---------------------------------- | --------------------------- |
-| SECURECODEBOX_DEFAULT_TARGET_NAME     | Default target identifier          | BodgeIT Public Host         |
-| SECURECODEBOX_DEFAULT_TARGET_LOCATION | Default target hostname/ip address | bodgeit                     |
-| SECURECODEBOX_DEFAULT_TARGET_URI      | Default target URI/URL             | http://bodgeit:8080/bodgeit |
-| SECURECODEBOX_DEFAULT_CONTEXT         | Default business context           | BodgeIT                     |
+| Environment Variable                  | Description                           | Example Value               |
+| ------------------------------------- | ------------------------------------- | --------------------------- |
+| SECURECODEBOX_DEFAULT_TARGET_NAME     | Default target identifier             | BodgeIT Public Host         |
+| SECURECODEBOX_DEFAULT_TARGET_LOCATION | Default target hostname/ip address    | bodgeit                     |
+| SECURECODEBOX_DEFAULT_TARGET_URI      | Default target URI/URL                | http://bodgeit:8080/bodgeit |
+| SECURECODEBOX_DEFAULT_CONTEXT         | Default business context              | BodgeIT                     |
+| SECURECODEBOX_USER_SCANNER            | Default user for scanner services     | default-scanner             |
+| SECURECODEBOX_USER_SCANNER_PW         | Default password for scanner services | AStrongPassword-NotThisOne! |
+
+## Server Configuration
+Additionally all properties defined in scb-engine/src/main/resources/application.yaml can be overwritten via environment variables.
+This allows you to e.g. enable https using:
+
+| Environment Variable                  | Description                           | Example Value               |
+| ------------------------------------- | ------------------------------------- | --------------------------- |
+| SERVER_PORT                           | Defines the server port               | 8443                        |
+| SERVER_SSL_ENABLED                    | Enables http over ssl                 | true                        |
+| SERVER_SSL_KEY_STORE_PASSWORD         | Password to the java keystore         | AStrongPassword-NotThisOne! |
 
 # Development
 
@@ -40,9 +52,9 @@ To run the testsuite run:
 
 ## Build
 
-To build the docker container run:
+To build the docker image run:
 
-`docker build -t CONTAINER_NAME .`
+`docker build -t IMAGE_NAME .`
 
 # Guidelines & Standards
 Well boring yes - but please read our [guidelines and naming standards][scb-developer-guidelines].

diff --git a/dockerfiles/init.sh b/dockerfiles/init.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+cd /scb-engine
+
+create_self_signed_certificate()
+{
+    echo "Creating self signed certificate..."
+    keytool -genkey -alias scb-engine -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 3650 \
+    -dname "CN=secureCodeBoxEngine, OU=secureCodeBox.io, O=secureCodeBox.io, C=DE, ST=HH, L=Hamburg" \
+    -storepass "${SERVER_SSL_KEY_STORE_PASSWORD}"
+}
+
+create_certificate_if_not_available()
+{
+    echo "Check if keystore already exists"
+    if [ ! -f ./keystore.p12 ]
+    then
+        echo "Keystore not found."
+        create_self_signed_certificate
+    else
+        echo "Keystore already exists"
+    fi
+}
+
+echo "Check if HTTPS is enabled..."
+if [ "${SERVER_SSL_ENABLED}" == "true" ]
+then
+    echo "Https enabled"
+    create_certificate_if_not_available
+else
+    echo "No HTTPS enabled. You can use environment variables to enable HTTPS."
+fi
+
+# required for using taskrole in aws fargate service, because default its only available for pid 1
+export AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
+
+echo "Starting secureCodeBox engine..."
+java -Dloader.path="./lib/,./plugins/" -jar ./app.jar
diff --git a/pom.xml b/pom.xml
@@ -25,8 +25,8 @@
         </developer>
 
         <developer>
-            <id>rseedorf</id>
-            <name>Robert Seedorf</name>
+            <id>rseedorff</id>
+            <name>Robert Seedorff</name>
             <organization>iteratec GmbH</organization>
             <organizationUrl>https://www.iteratec.com</organizationUrl>
         </developer>
@@ -56,12 +56,13 @@
             IMPORTANT: camunda.version and camunda.spring.boot.starter.version must be compatible
             please see org.camunda.bpm.springboot.project:camunda-bpm-spring-boot-starter-root
          -->
-        <camunda.version>7.8.0</camunda.version>
-        <camunda.spring.boot.starter.version>2.3.0</camunda.spring.boot.starter.version>
+        <camunda.version>7.10.0</camunda.version>
+        <camunda.spring.boot.starter.version>3.2.0</camunda.spring.boot.starter.version>
         <!-- END IMPORTANT -->
 
-        <spring-boot.version>1.5.13.RELEASE</spring-boot.version>
+        <spring-boot.version>2.1.1.RELEASE</spring-boot.version>
         <swagger-version>2.9.0</swagger-version>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     </properties>
 
     <modules>
@@ -97,7 +98,13 @@
                 <type>pom</type>
             </dependency>
 
-            <!-- Add camunda spring boot stater classes -->
+            <dependency>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-properties-migrator</artifactId>
+                <scope>runtime</scope>
+            </dependency>
+
+            <!-- Add camunda spring boot starter classes -->
             <dependency>
                 <groupId>org.camunda.bpm.springboot</groupId>
                 <artifactId>camunda-bpm-spring-boot-starter</artifactId>
@@ -117,7 +124,16 @@
                 <artifactId>camunda-bpm-spring-boot-starter-rest</artifactId>
                 <version>${camunda.spring.boot.starter.version}</version>
             </dependency>
-
+            <dependency>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-starter-security</artifactId>
+                <version>${spring-boot.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-starter-actuator</artifactId>
+                <version>${spring-boot.version}</version>
+            </dependency>
             <dependency>
                 <groupId>org.camunda.bpm.springboot</groupId>
                 <artifactId>camunda-bpm-spring-boot-starter-test</artifactId>
@@ -128,7 +144,13 @@
                 <groupId>org.camunda.bpm.extension.mockito</groupId>
                 <artifactId>camunda-bpm-mockito</artifactId>
                 <scope>test</scope>
-                <version>3.1.0</version>
+                <version>3.2.1</version>
+            </dependency>
+            <dependency>
+                <groupId>org.camunda.bpm.extension</groupId>
+                <artifactId>camunda-bpm-assert</artifactId>
+                <version>1.2</version> <!-- Use 2.0-alpha2 for the CMMN assertions preview! -->
+                <scope>test</scope>
             </dependency>
             <dependency>
                 <groupId>org.camunda.bpm.extension</groupId>

diff --git a/scb-engine/pom.xml b/scb-engine/pom.xml
@@ -28,12 +28,13 @@
             <groupId>org.camunda.bpm.springboot</groupId>
             <artifactId>camunda-bpm-spring-boot-starter-webapp</artifactId>
         </dependency>
-
-        <!-- Enable the camunda rest API -->
         <dependency>
-            <groupId>org.camunda.bpm.springboot</groupId>
-            <artifactId>camunda-bpm-spring-boot-starter-rest</artifactId>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-properties-migrator</artifactId>
+            <scope>runtime</scope>
+            <version>2.0.2.RELEASE</version>
         </dependency>
+
         <dependency>
             <groupId>io.springfox</groupId>
             <artifactId>springfox-swagger2</artifactId>
@@ -42,6 +43,14 @@
             <groupId>io.springfox</groupId>
             <artifactId>springfox-swagger-ui</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-actuator</artifactId>
+        </dependency>
 
         <!-- Camunda Spin lib -->
         <dependency>
@@ -69,6 +78,11 @@
             <scope>runtime</scope>
         </dependency>
 
+        <dependency>
+            <groupId>org.apache.tomcat</groupId>
+            <artifactId>tomcat-jdbc</artifactId>
+        </dependency>
+
         <dependency>
             <groupId>io.securecodebox.persistenceproviders</groupId>
             <artifactId>empty-persistenceprovider</artifactId>
@@ -159,13 +173,19 @@
                 </dependency>
                 <dependency>
                     <groupId>io.securecodebox.scanprocesses</groupId>
-                    <artifactId>combined-nmap-nikto-scanprocess</artifactId>
+                    <artifactId>combined-amass-nmap-process</artifactId>
                     <version>0.0.1-SNAPSHOT</version>
                     <scope>runtime</scope>
                 </dependency>
                 <dependency>
                     <groupId>io.securecodebox.scanprocesses</groupId>
-                    <artifactId>test-process</artifactId>
+                    <artifactId>subdomain-scanner-process</artifactId>
+                    <version>1.0-SNAPSHOT</version>
+                    <scope>runtime</scope>
+                </dependency>
+                <dependency>
+                    <groupId>io.securecodebox.scanprocesses</groupId>
+                    <artifactId>combined-nmap-nikto-scanprocess</artifactId>
                     <version>0.0.1-SNAPSHOT</version>
                     <scope>runtime</scope>
                 </dependency>
@@ -175,7 +195,38 @@
                     <version>0.0.1-SNAPSHOT</version>
                     <scope>runtime</scope>
                 </dependency>
+                <dependency>
+                    <groupId>io.securecodebox.persistenceproviders</groupId>
+                    <artifactId>s3-persistenceprovider</artifactId>
+                    <version>0.0.1-SNAPSHOT</version>
+                    <scope>runtime</scope>
+                </dependency>
+                <dependency>
+                    <groupId>io.securecodebox.persistenceproviders</groupId>
+                    <artifactId>defectdojo-persistenceprovider</artifactId>
+                    <version>0.0.1-SNAPSHOT</version>
+                    <scope>runtime</scope>
+                </dependency>
             </dependencies>
+            <dependencyManagement>
+                <!-- This will overwrite spring boot dependency management version for elastic search-->
+                <dependencies>
+                    <dependency>
+                        <groupId>org.elasticsearch</groupId>
+                        <artifactId>elasticsearch</artifactId>
+                        <version>6.4.3</version>
+                    </dependency>
+                </dependencies>
+            </dependencyManagement>
+        </profile>
+        <profile>
+            <id>test</id>
+            <activation>
+                <activeByDefault>false</activeByDefault>
+            </activation>
+            <properties>
+                <activatedProfiles>test</activatedProfiles>
+            </properties>
         </profile>
         <profile>
             <id>docs</id>