secureCodeBox
diff --git a/‎hooks/cascading-scans/hook/hook.test.js‎
Lines changed: 80 additions & 16 deletions b/‎hooks/cascading-scans/hook/hook.test.js‎
Lines changed: 80 additions & 16 deletions
diff --git a/‎hooks/cascading-scans/hook/hook.ts‎
Lines changed: 22 additions & 4 deletions b/‎hooks/cascading-scans/hook/hook.ts‎
Lines changed: 22 additions & 4 deletions
diff --git a/‎hooks/cascading-scans/hook/scan-helpers.ts‎
Lines changed: 3 additions & 0 deletions b/‎hooks/cascading-scans/hook/scan-helpers.ts‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎operator/apis/execution/v1/parsedefinition_types.go‎
Lines changed: 5 additions & 0 deletions b/‎operator/apis/execution/v1/parsedefinition_types.go‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎operator/apis/execution/v1/zz_generated.deepcopy.go‎
Lines changed: 12 additions & 0 deletions b/‎operator/apis/execution/v1/zz_generated.deepcopy.go‎
Lines changed: 12 additions & 0 deletions
@@ -103,7 +103,7 @@ test("Should create subsequent scans for open HTTPS ports (NMAP findings)", () =
           ],
         },
         "spec": Object {
-          "affinity": Object {},
+          "affinity": undefined,
           "cascades": Object {},
           "env": Array [],
           "hookSelector": Object {},
@@ -113,7 +113,7 @@ test("Should create subsequent scans for open HTTPS ports (NMAP findings)", () =
             "foobar.com:443",
           ],
           "scanType": "sslyze",
-          "tolerations": Array [],
+          "tolerations": undefined,
           "volumeMounts": Array [],
           "volumes": Array [],
         },
@@ -243,7 +243,7 @@ test("Should not crash when the annotations are not set", () => {
           ],
         },
         "spec": Object {
-          "affinity": Object {},
+          "affinity": undefined,
           "cascades": Object {},
           "env": Array [],
           "hookSelector": Object {},
@@ -253,7 +253,7 @@ test("Should not crash when the annotations are not set", () => {
             "foobar.com:443",
           ],
           "scanType": "sslyze",
-          "tolerations": Array [],
+          "tolerations": undefined,
           "volumeMounts": Array [],
           "volumes": Array [],
         },
@@ -377,7 +377,7 @@ test("Should allow wildcards in cascadingRules", () => {
           ],
         },
         "spec": Object {
-          "affinity": Object {},
+          "affinity": undefined,
           "cascades": Object {},
           "env": Array [],
           "hookSelector": Object {},
@@ -387,7 +387,7 @@ test("Should allow wildcards in cascadingRules", () => {
             "foobar.com:8443",
           ],
           "scanType": "sslyze",
-          "tolerations": Array [],
+          "tolerations": undefined,
           "volumeMounts": Array [],
           "volumes": Array [],
         },
@@ -1129,7 +1129,7 @@ test("Templating should apply to environment variables", () => {
           ],
         },
         "spec": Object {
-          "affinity": Object {},
+          "affinity": undefined,
           "cascades": Object {},
           "env": Array [
             Object {
@@ -1144,7 +1144,7 @@ test("Templating should apply to environment variables", () => {
             "foobar.com:443",
           ],
           "scanType": "sslyze",
-          "tolerations": Array [],
+          "tolerations": undefined,
           "volumeMounts": Array [
             Object {
               "mountPath": "/test",
@@ -1252,7 +1252,7 @@ test("Templating should apply to initContainer commands", () => {
           ],
         },
         "spec": Object {
-          "affinity": Object {},
+          "affinity": undefined,
           "cascades": Object {},
           "env": Array [],
           "hookSelector": Object {},
@@ -1279,7 +1279,7 @@ test("Templating should apply to initContainer commands", () => {
             "foobar.com:443",
           ],
           "scanType": "sslyze",
-          "tolerations": Array [],
+          "tolerations": undefined,
           "volumeMounts": Array [
             Object {
               "mountPath": "/test",
@@ -1388,7 +1388,7 @@ test("Templating should apply to initContainer environment variables", () => {
           ],
         },
         "spec": Object {
-          "affinity": Object {},
+          "affinity": undefined,
           "cascades": Object {},
           "env": Array [],
           "hookSelector": Object {},
@@ -1418,7 +1418,7 @@ test("Templating should apply to initContainer environment variables", () => {
             "foobar.com:443",
           ],
           "scanType": "sslyze",
-          "tolerations": Array [],
+          "tolerations": undefined,
           "volumeMounts": Array [
             Object {
               "mountPath": "/test",
@@ -1526,7 +1526,7 @@ test("Templating should not break special encoding (http://...) when using tripl
           ],
         },
         "spec": Object {
-          "affinity": Object {},
+          "affinity": undefined,
           "cascades": Object {},
           "env": Array [],
           "hookSelector": Object {},
@@ -1553,7 +1553,7 @@ test("Templating should not break special encoding (http://...) when using tripl
             "https://github.com/secureCodeBox/secureCodeBox",
           ],
           "scanType": "sslyze",
-          "tolerations": Array [],
+          "tolerations": undefined,
           "volumeMounts": Array [
             Object {
               "mountPath": "/test",
@@ -1850,9 +1850,9 @@ test("should not copy tolerations and affinity into cascaded scan if label disab
 
   const cascadedScan = cascadedScans[0];
 
-  expect(cascadedScan.spec.affinity).toMatchInlineSnapshot(`Object {}`);
+  expect(cascadedScan.spec.affinity).toMatchInlineSnapshot(`undefined`);
 
-  expect(cascadedScan.spec.tolerations).toMatchInlineSnapshot(`Array []`);
+  expect(cascadedScan.spec.tolerations).toMatchInlineSnapshot(`undefined`);
 });
 
 test("should merge tolerations and replace affinity in cascaded scan if cascading spec sets new ones", () => {
@@ -1976,6 +1976,70 @@ test("should merge tolerations and replace affinity in cascaded scan if cascadin
   `);
 });
 
+test("should not set affinity or tolerations to undefined if they are defined to be an empty map / list in upstream scan", () => {
+  const findings = [
+    {
+      name: "Port 443 is open",
+      category: "Open Port",
+      attributes: {
+        state: "open",
+        hostname: "foobar.com",
+        port: 443,
+        service: "https"
+      }
+    }
+  ];
+
+  parentScan.spec.affinity = {}
+
+  parentScan.spec.tolerations = []
+
+  const cascadedScans = getCascadingScans(
+    parentScan,
+    findings,
+    sslyzeCascadingRules
+  );
+
+  const cascadedScan = cascadedScans[0];
+
+  // New values will completely replace the old values, not be merged
+  expect(cascadedScan.spec.affinity).toMatchInlineSnapshot(`Object {}`);
+
+  expect(cascadedScan.spec.tolerations).toMatchInlineSnapshot(`Array []`);
+});
+
+test("Should not set affinity or tolerations to undefined if they are defined to be an empty map / list in cascading ScanSpec", () => {
+  const findings = [
+    {
+      name: "Port 443 is open",
+      category: "Open Port",
+      attributes: {
+        state: "open",
+        hostname: "foobar.com",
+        port: 443,
+        service: "https"
+      }
+    }
+  ];
+
+  sslyzeCascadingRules[0].spec.scanSpec.tolerations = [];
+
+  sslyzeCascadingRules[0].spec.scanSpec.affinity = {};
+
+  const cascadedScans = getCascadingScans(
+    parentScan,
+    findings,
+    sslyzeCascadingRules
+  );
+
+  const cascadedScan = cascadedScans[0];
+
+  // New values will completely replace the old values, not be merged
+  expect(cascadedScan.spec.affinity).toMatchInlineSnapshot(`Object {}`);
+
+  expect(cascadedScan.spec.tolerations).toMatchInlineSnapshot(`Array []`);
+});
+
 test("should only use tolerations and affinity of cascaded scan if inheritance is disabled", () => {
   parentScan.spec.cascades.inheritAffinity = false;
   parentScan.spec.cascades.inheritTolerations = false;
 
@@ -162,9 +162,28 @@ function mergeCascadingRuleWithScan(
   cascadingRule: CascadingRule
 ) {
   const { scanAnnotations, scanLabels } = cascadingRule.spec;
-  let { env = [], volumes = [], volumeMounts = [], initContainers = [], hookSelector = {}, affinity = {}, tolerations = [] } = cascadingRule.spec.scanSpec;
+  let { env = [], volumes = [], volumeMounts = [], initContainers = [], hookSelector = {}, affinity, tolerations } = cascadingRule.spec.scanSpec;
   let { inheritAnnotations, inheritLabels, inheritEnv, inheritVolumes, inheritInitContainers, inheritHookSelector, inheritAffinity = true, inheritTolerations = true} = scan.spec.cascades;
 
+  // We have to use a slightly complicated logic for inheriting / setting the tolerations and affinity to work around some
+  // limitations in the operator. The goal is to avoid setting anything to an empty list [] or empty map {} if the keys are actually
+  // missing in the specification, as this will lead to issues in the operator when pulling in default values from the templates of the
+  // scanners. So, we are taking a bit more care to make sure that the value stays undefined (and thus nil in Go) unless someone explicitly
+  // specified an empty list or map.
+  let selectedTolerations = undefined;
+  if (tolerations !== undefined) {
+    selectedTolerations = mergeInheritedArray(scan.spec.tolerations, tolerations, inheritTolerations);
+  } else if (inheritTolerations) {
+    selectedTolerations = scan.spec.tolerations;
+  }
+
+  let selectedAffinity = undefined;
+  if (affinity !== undefined) {
+    selectedAffinity = affinity
+  } else if (inheritAffinity) {
+    selectedAffinity = scan.spec.affinity;
+  }
+  
   return {
     annotations: mergeInheritedMap(scan.metadata.annotations, scanAnnotations, inheritAnnotations),
     labels: mergeInheritedMap(scan.metadata.labels, scanLabels, inheritLabels),
@@ -173,9 +192,8 @@ function mergeCascadingRuleWithScan(
     volumeMounts: mergeInheritedArray(scan.spec.volumeMounts, volumeMounts, inheritVolumes),
     initContainers: mergeInheritedArray(scan.spec.initContainers, initContainers, inheritInitContainers),
     hookSelector: mergeInheritedSelector(scan.spec.hookSelector, hookSelector, inheritHookSelector),
-    // Affinity and tolerations are always inherited
-    affinity: mergeInheritedMap(scan.spec.affinity, affinity, inheritAffinity),
-    tolerations: mergeInheritedArray(scan.spec.tolerations, tolerations, inheritTolerations),
+    affinity: selectedAffinity,
+    tolerations: selectedTolerations
   }
 }
 
 
@@ -82,6 +82,9 @@ export function mergeInheritedMap(parentProps, ruleProps, inherit: boolean = tru
   if (!inherit) {
     parentProps = {};
   }
+  if (ruleProps === undefined) {
+    return parentProps;
+  }
   return {
     ...parentProps,
     ...ruleProps // ruleProps overwrites any duplicate keys from parentProps
 
@@ -34,6 +34,11 @@ type ParseDefinitionSpec struct {
 	Volumes []corev1.Volume `json:"volumes,omitempty"`
 	// VolumeMounts allows to specify volume mounts for the parser container.
 	VolumeMounts []corev1.VolumeMount `json:"volumeMounts,omitempty"`
+
+	// Affinity allows to specify a node affinity, to control on which nodes you want a parser to run. See: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/
+	Affinity *corev1.Affinity `json:"affinity,omitempty"`
+	// Tolerations are a different way to control on which nodes your parser is executed. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
 }
 
 // ParseDefinitionStatus defines the observed state of ParseDefinition