#1454 Clean up code

Reet00 · sofi0071 · commit 3cf0bf1201fd · 2023-05-11T12:49:38.000+02:00
Signed-off-by: Samreet Singh &lt;samreet.singh@iteratec.com&gt;
diff --git a/scanners/ssh-audit/.helmignore b/scanners/ssh-audit/.helmignore
@@ -1,3 +1,6 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
 # Patterns to ignore when building packages.
 # This supports shell glob matching, relative path matching, and
 # negation (prefixed with !). Only one pattern per line.
@@ -21,3 +24,18 @@
 .idea/
 *.tmproj
 .vscode/
+# Node.js files
+node_modules/*
+package.json
+package-lock.json
+src/*
+config/*
+Dockerfile
+.dockerignore
+*.tar
+parser/*
+scanner/*
+integration-tests/*
+examples/*
+docs/*
+Makefile
diff --git a/scanners/ssh-audit/Chart.yaml b/scanners/ssh-audit/Chart.yaml
@@ -1,3 +1,7 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+
 apiVersion: v2
 name: ssh-audit
 description: A Helm chart for Kubernetes
diff --git a/scanners/ssh-audit/parser/Dockerfile b/scanners/ssh-audit/parser/Dockerfile
@@ -1,12 +1,11 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+
 ARG namespace
 ARG baseImageTag
-#FROM node:14-alpine as build
-#RUN mkdir -p /home/app
-#WORKDIR /home/app
-#COPY package.json package-lock.json ./
-#RUN npm ci --production
 
 FROM securecodebox/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-#COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
+
 COPY --chown=app:app ./parser.js ./parser.js
diff --git a/scanners/ssh-audit/parser/parser.js b/scanners/ssh-audit/parser/parser.js
@@ -1,3 +1,7 @@
+// SPDX-FileCopyrightText: the secureCodeBox authors
+//
+// SPDX-License-Identifier: Apache-2.0
+
 const templates = {
     delCritical: {
         kex: {
@@ -85,14 +89,60 @@ const templates = {
             name: "SSH Encryption Algorithms must be changed",
             description: "Weak SSH encryption algorithms in use",
             hint: "Change these encryption algorithms"
+        },
+
+        addCritical: {
+            kex: {
+                name: "SSH KEX Algorithms must be added",
+                description: "SSH key exchange algorithms missing",
+                hint: "Add these KEX algorithms"
+            },
+            key: {
+                name: "SSH Key Algorithms must be added",
+                description: "SSH key algorithms missing",
+                hint: "Add these key algorithms"
+            },
+            mac: {
+                name: "SSH MAC Algorithms must be added",
+                description: "SSH message authentication code algorithms missing",
+                hint: "Add these MAC algorithms"
+            },
+            enc: {
+                name: "SSH Encryption Algorithms must be added",
+                description: "SSH encryption algorithms missing",
+                hint: "Add these encryption algorithms"
+            }
+        },
+        addWarning: {
+            kex: {
+                name: "SSH KEX Algorithms must be added",
+                description: "SSH key exchange algorithms missing",
+                hint: "Add these KEX algorithms"
+            },
+            key: {
+                name: "SSH Key Algorithms must be added",
+                description: "SSH key algorithms missing",
+                hint: "Add these key algorithms"
+            },
+            mac: {
+                name: "SSH MAC Algorithms must be added",
+                description: "SSH message authentication code algorithms missing",
+                hint: "Add these MAC algorithms"
+            },
+            enc: {
+                name: "SSH Encryption Algorithms must be added",
+                description: "SSH encryption algorithms missing",
+                hint: "Add these encryption algorithms"
+            }
         }
     }
 }
 
 
 /**
- * Transforms a recommendation string from thessh-audit Tools into a SSH Policy Violation Findings
- * 
+ * Transforms recommendations from the ssh-audit scanner into SSH Policy Violation Findings
+ * @param {String} recommendationSeverityLevel 
+ * @param {{}} value 
  */
 function transformRecommendationToFinding(recommendationSeverityLevel, value) {
     // SSH audit has critical and warnings as recommendations. 
@@ -102,19 +152,19 @@ function transformRecommendationToFinding(recommendationSeverityLevel, value) {
     if (recommendationSeverityLevel == "critical") severity = 'HIGH'
     if (recommendationSeverityLevel == "warning") severity = 'MEDIUM'
     const findingTemplate = null;
-    // recommendationAction = del
+    // recommendationAction = del/chg/add
     Object.entries(value).map(([recommendationAction, algorithms]) => {
         //algorithmType = kex/ key/ mac, , algorithmNames = {name+note}
         Object.entries(algorithms).map(([algorithmType, algorithmData]) => {
             const algorithmNames = []
             Object.entries(algorithmData).flatMap(([keyNames, content]) => { algorithmNames.push(Object.values(content)) })
-            //console.log(algorithmNames)
-            //console.log(algorithmData)
             var action = "";
             if (recommendationAction == "del" && recommendationSeverityLevel == "critical") action = "delCritical"
             else if (recommendationAction == "del" && recommendationSeverityLevel == "warning") action = "delWarning"
             else if (recommendationAction == "chg" && recommendationSeverityLevel == "critical") action = "chgCritical"
             else if (recommendationAction == "chg" && recommendationSeverityLevel == "warning") action = "chgWarning"
+            else if (recommendationAction == "add" && recommendationSeverityLevel == "critical") action = "addCritical"
+            else if (recommendationAction == "add" && recommendationSeverityLevel == "warning") action = "addWarning"
             const findingTemplate = templates[action][algorithmType] || null;
 
             if (findingTemplate != null && typeof (findingTemplate) != "undefined") {
@@ -127,26 +177,25 @@ function transformRecommendationToFinding(recommendationSeverityLevel, value) {
                     else combinedAlgorithmNames.push((algName + " (Note: " + note + ")"))
                 })
 
-                //console.log(combinedAlgorithmNames)
                 findingTemplate['algorithms'] = combinedAlgorithmNames.flat()
-                //console.log("algorithmType\n\n\n",algorithmType)
-                //console.log("algorithmNames\n\n\n",algorithmNames)
                 policyViolationFindings.push(findingTemplate)
-                //console.log(findingTemplate)
             }
         })
     })
 
     return policyViolationFindings;
 }
 
+/**
+ * Transforms cves's from the ssh-audit scanner into SSH Violation Findings
+ * @param {{}} cves 
+ */
 function transformCVEtoFinding(cves) {
-    //console.log(Object.values(cves))
+
     const cvesArray = Object.values(cves)
     const cvesFindings = []
     var severity = ''
     Object.values(cvesArray).flatMap(({cvssv2, description, name}) => {
-        //console.log(cvssv2, description, name )
         const findingTemplate = {}
         if (cvssv2 < 4) severity = "LOW"
         else if (cvssv2 < 7) severity = "MEDIUM"
@@ -156,30 +205,35 @@ function transformCVEtoFinding(cves) {
         findingTemplate['category'] = "SSH Violation"
         findingTemplate['severity'] = severity
         findingTemplate['cvssv2'] = cvssv2
+
         findingTemplate['references'] = []
         findingTemplate['references'].push({'type':'CVE', 'value':`${name}`})
         findingTemplate['references'].push({'type':'URL', 'value':`https://nvd.nist.gov/vuln/detail/${name}`})
-        //findingTemplate['references']['type'] = `URL`
-        //findingTemplate['references']['value'] = `https://nvd.nist.gov/vuln/detail/${name}`
         cvesFindings.push(findingTemplate)
     })
     return cvesFindings;
 }
 
+/**
+ * 
+ * Parses the raw results from the ssh-audit scanner into Findings
+ */
 async function parse(fileContent) {
-    //{ target, banner, enc, kex, key, mac, compression, fingerprints, recommendations, cves}
+
     const host = fileContent;
     if (typeof(host) === "string") return []
+
     const recommendationsArray = Object.entries(host.recommendations)
     const policyViolationFindings = [];
+
     recommendationsArray.map(([recommendationSeverityLevel, value]) => {
         policyViolationFindings.push(transformRecommendationToFinding(recommendationSeverityLevel, value))
     })
+    
     const policyViolationFinding = policyViolationFindings.flat()
-
     const cvesFindings = transformCVEtoFinding(host.cves)
 
-
+    // informational findings
     const destination = host.target.split(":")
     const serviceFinding = {
         name: "SSH Service",
@@ -202,11 +256,7 @@ async function parse(fileContent) {
         }
     };
     return [serviceFinding, ...policyViolationFinding, ...cvesFindings];
-    //return [serviceFinding];
 
 }
-const test = { "banner": { "comments": "Ubuntu-4ubuntu2.8", "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8", "software": "OpenSSH_7.2p2" }, "compression": ["none", "zlib@openssh.com"], "cves": [{ "cvssv2": 7.0, "description": "privilege escalation via supplemental groups", "name": "CVE-2021-41617" }, { "cvssv2": 7.8, "description": "command injection via anomalous argument transfers", "name": "CVE-2020-15778" }, { "cvssv2": 5.3, "description": "username enumeration via GS2", "name": "CVE-2018-15919" }, { "cvssv2": 5.3, "description": "enumerate usernames due to timing discrepancies", "name": "CVE-2018-15473" }, { "cvssv2": 5.3, "description": "enumerate usernames via challenge response", "name": "CVE-2016-20012" }, { "cvssv2": 7.8, "description": "cause DoS via long password string (crypt CPU consumption)", "name": "CVE-2016-6515" }, { "cvssv2": 7.2, "description": "privilege escalation via triggering crafted environment", "name": "CVE-2015-8325" }], "enc": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"], "fingerprints": [{ "hash": "eLwgzyjvrpwDbDr+pDbIfUhlNANB4DPH9/0w1vGa87E", "hash_alg": "SHA256", "hostkey": "ssh-ed25519" }, { "hash": "c8:65:6b:d1:59:03:56:21:d9:0f:84:83:ce:ac:40:86", "hash_alg": "MD5", "hostkey": "ssh-ed25519" }, { "hash": "MbRX/CgQyN6/p8/ZjORurfaJqDhu4VEIWfXo0BnxaCE", "hash_alg": "SHA256", "hostkey": "ssh-rsa" }, { "hash": "a5:6f:62:26:81:03:b7:5e:06:48:10:04:79:4b:ac:32", "hash_alg": "MD5", "hostkey": "ssh-rsa" }], "kex": [{ "algorithm": "curve25519-sha256@libssh.org" }, { "algorithm": "ecdh-sha2-nistp256" }, { "algorithm": "ecdh-sha2-nistp384" }, { "algorithm": "ecdh-sha2-nistp521" }, { "algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 2048 }, { "algorithm": "diffie-hellman-group14-sha1" }], "key": [{ "algorithm": "ssh-rsa", "keysize": 2048 }, { "algorithm": "rsa-sha2-512", "keysize": 2048 }, { "algorithm": "rsa-sha2-256", "keysize": 2048 }, { "algorithm": "ecdsa-sha2-nistp256" }, { "algorithm": "ssh-ed25519" }], "mac": ["umac-64-etm@openssh.com", "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"], "recommendations": { "critical": { "del": { "kex": [{ "name": "diffie-hellman-group14-sha1", "notes": "" }, { "name": "ecdh-sha2-nistp256", "notes": "" }, { "name": "ecdh-sha2-nistp384", "notes": "" }, { "name": "ecdh-sha2-nistp521", "notes": "" }], "key": [{ "name": "ecdsa-sha2-nistp256", "notes": "" }, { "name": "ssh-rsa", "notes": "" }], "mac": [{ "name": "hmac-sha1", "notes": "" }, { "name": "hmac-sha1-etm@openssh.com", "notes": "" }] } }, "warning": { "chg": { "key": [{ "name": "rsa-sha2-256", "notes": "increase modulus size to 3072 bits or larger" }, { "name": "rsa-sha2-512", "notes": "increase modulus size to 3072 bits or larger" }] }, "del": { "mac": [{ "name": "hmac-sha2-256", "notes": "" }, { "name": "hmac-sha2-512", "notes": "" }, { "name": "umac-128@openssh.com", "notes": "" }, { "name": "umac-64-etm@openssh.com", "notes": "" }, { "name": "umac-64@openssh.com", "notes": "" }] } } }, "target": "dummy-ssh.default.svc:22" }
 
-//console.log(parse(test))
-//parse(test)
 module.exports.parse = parse;
diff --git a/scanners/ssh-audit/parser/parser.test.js b/scanners/ssh-audit/parser/parser.test.js
@@ -8,12 +8,12 @@ const {
   validateParser,
 } = require("@securecodebox/parser-sdk-nodejs/parser-utils");
 
-// eslint-disable-next-line security/detect-non-literal-fs-filename
+
 const readFile = util.promisify(fs.readFile);
 
 const {parse} = require("./parser");
 
-test("ssh-audit parser parses a result into proper findings", async () => {
+test("ssh-audit parser parses a result into proper findings for dummy-ssh", async () => {
     const hosts = JSON.parse(
         await readFile(__dirname + "/__testFiles__/dummy-ssh.json", {
           encoding: "utf8",
@@ -321,7 +321,7 @@ test("should properly parse empty json file", async () => {
 
 
 
-test("ssh-audit parser parses a result into proper findings dfdg", async () => {
+test("ssh-audit parser parses a result into proper findings for an example", async () => {
   const hosts = JSON.parse(
       await readFile(__dirname + "/__testFiles__/example.json", {
         encoding: "utf8",
diff --git a/scanners/ssh-audit/templates/ssh-audit-parse-definition.yaml b/scanners/ssh-audit/templates/ssh-audit-parse-definition.yaml
@@ -1,3 +1,7 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+
 apiVersion: execution.securecodebox.io/v1
 kind: ParseDefinition
 metadata:
diff --git a/scanners/ssh-audit/templates/ssh-audit-scan-type.yaml b/scanners/ssh-audit/templates/ssh-audit-scan-type.yaml
@@ -1,3 +1,7 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+
 apiVersion: "execution.securecodebox.io/v1"
 kind: ScanType
 metadata:
@@ -21,12 +25,6 @@ spec:
               command:
                 - "sh"
                 - "/wrapper.sh"
-                #- "python3"
-                #- "ssh-audit/ssh-audit.py"
-                # Remove any user-interation
-                #- "--no-interaction"
-                # Output in json format
-                #- "-j"
 
               resources:
                 {{- toYaml .Values.scanner.resources | nindent 16 }}
