scanner/screenshooter

Paul · Paul · commit b476cbbdfeee · 2020-11-16T11:26:47.000+01:00
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -181,6 +181,16 @@ jobs:
           tag_with_ref: true
           tag_with_sha: true
           build_args: baseImageTag=ci-local
+      - uses: docker/build-push-action@v1
+        name: "Build & Push Screenshooter Parser Image"
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+          repository: securecodebox/parser-screenshooter
+          path: ./scanners/screenshooter/parser/
+          tag_with_ref: true
+          tag_with_sha: true
+          build_args: baseImageTag=ci-local
       - uses: docker/build-push-action@v1
         name: "Build & Push ssh_scan Parser Image"
         with:
@@ -352,6 +362,15 @@ jobs:
           path: ./scanners/nmap/scanner/
           # Note: not prefixed with a "v" as this seems to match nmap versioning standards
           tags: "7.80,7.80-r2,latest"
+      - uses: docker/build-push-action@v1
+        name: "Build & Push Screenshooter Scanner Image"
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+          repository: securecodebox/scanner-screenshooter
+          path: ./scanners/screenshooter/scanner/
+          tags: "latest"
+          tag_with_ref: true
       - uses: docker/build-push-action@v1
         name: "Build & Push kube-hunter Scanner Image"
         with:
diff --git a/parser-sdk/nodejs/parser-wrapper.js b/parser-sdk/nodejs/parser-wrapper.js
@@ -3,6 +3,12 @@ const { parse } = require("./parser/parser");
 const uuid = require("uuid/v4");
 const k8s = require("@kubernetes/client-node");
 
+const kc = new k8s.KubeConfig();
+kc.loadFromCluster();
+const k8sApi = kc.makeApiClient(k8s.CustomObjectsApi);
+const scanName = process.env["SCAN_NAME"];
+const namespace = process.env["NAMESPACE"];
+
 function severityCount(findings, severity) {
   return findings.filter(
     ({ severity: findingSeverity }) =>
@@ -11,11 +17,6 @@ function severityCount(findings, severity) {
 }
 
 async function updateScanStatus(findings) {
-  const kc = new k8s.KubeConfig();
-  kc.loadFromCluster();
-  const k8sApi = kc.makeApiClient(k8s.CustomObjectsApi);
-  const scanName = process.env["SCAN_NAME"];
-  const namespace = process.env["NAMESPACE"];
 
   try {
     const findingCategories = new Map();
@@ -60,8 +61,27 @@ async function updateScanStatus(findings) {
   }
 }
 
+async function extractScan() {
+  try {
+    const { body } = await k8sApi.getNamespacedCustomObject(
+      "execution.securecodebox.io",
+      "v1",
+      namespace,
+      "scans",
+      scanName
+    );
+    return body;
+  } catch (err) {
+    console.error("Failed to get Scan from the kubernetes api");
+    console.error(err);
+    process.exit(1);
+  }
+}
+
 async function main() {
   console.log("Starting Parser");
+  let scan = await extractScan();
+
   const resultFileUrl = process.argv[2];
   const resultUploadUrl = process.argv[3];
 
@@ -71,7 +91,7 @@ async function main() {
 
   let findings = [];
   try {
-    findings = await parse(data);
+    findings = await parse(data, scan);
   } catch (error) {
     console.error("Parser failed with error:");
     console.error(error);
diff --git a/scanners/screenshooter/README.md b/scanners/screenshooter/README.md
@@ -1,42 +0,0 @@
----
-title: "Screenshooter"
-category: "scanner"
-type: "Application"
-state: "not released"
-usecase: "Takes Screenshots of websites"
----
-![firefox logo](https://3u26hb1g25wn1xwo8g186fnd-wpengine.netdna-ssl.com/files/2019/10/logo-firefox.svg)
-
-This integration takes screenshots of websites. This can be extremely helpful when you are using the secureCodeBox to scan a large number of services and want to get a quick visual overview of each service.
-
-<!-- end -->
-
-## Deployment
-
-The scanType can be deployed via helm.
-
-```bash
-helm upgrade --install screenshooter ./scanners/screenshooter/
-```
-
-## Examples
-
-A set of examples can be found in the [examples](./examples) folder.
-
-- Example _secureCodeBox.io_ [scan](./examples/secureCodeBox.io/scan.yaml) and [findings](./examples/secureCodeBox.io/findings.yaml)
-- Example _example.com_ [scan](./examples/secureCodeBox.io/scan.yaml) and [findings](./examples/secureCodeBox.io/findings.yaml)
-
-## Development
-
-### Local setup
-
-1. Clone the repository `git clone git@github.com:secureCodeBox/secureCodeBox-v2-alpha.git`
-2. Ensure you have node.js installed
-   - On MacOs with brew package manager: `brew install node`
-
-### Parser Development
-
-1. Install the dependencies `npm install`
-2. Update the parser function here: `./parser/parser.js`
-3. Update the parser tests here: `./parser/parser.test.js`
-4. Run the testsuite: `npm test`
diff --git a/scanners/screenshooter/README.md.gotmpl b/scanners/screenshooter/README.md.gotmpl
@@ -9,8 +9,6 @@ usecase: "Takes Screenshots of websites"
 
 This integration takes screenshots of websites. This can be extremely helpful when you are using the secureCodeBox to scan a large number of services and want to get a quick visual overview of each service.
 
-<!-- end -->
-
 ## Deployment
 
 The scanType can be deployed via helm.
@@ -19,24 +17,8 @@ The scanType can be deployed via helm.
 helm upgrade --install screenshooter ./scanners/screenshooter/
 ```
 
-## Examples
-
-A set of examples can be found in the [examples](./examples) folder.
-
-- Example _secureCodeBox.io_ [scan](./examples/secureCodeBox.io/scan.yaml) and [findings](./examples/secureCodeBox.io/findings.yaml)
-- Example _example.com_ [scan](./examples/secureCodeBox.io/scan.yaml) and [findings](./examples/secureCodeBox.io/findings.yaml)
-
-## Development
-
-### Local setup
-
-1. Clone the repository `git clone git@github.com:secureCodeBox/secureCodeBox-v2-alpha.git`
-2. Ensure you have node.js installed
-   - On MacOs with brew package manager: `brew install node`
-
-### Parser Development
+### Configuration
 
-1. Install the dependencies `npm install`
-2. Update the parser function here: `./parser/parser.js`
-3. Update the parser tests here: `./parser/parser.test.js`
-4. Run the testsuite: `npm test`
+You have to provide only the URL to the screenshooter. Be careful, the protocol is mandatory:
+* `https://secureCodeBox.io` 
+* **not** `secureCodeBox.io` or `www.secureCodeBox.io`
diff --git a/scanners/screenshooter/cascading-rules/http.yaml b/scanners/screenshooter/cascading-rules/http.yaml
@@ -0,0 +1,21 @@
+apiVersion: "cascading.securecodebox.io/v1"
+kind: CascadingRule
+metadata:
+  name: "screenshooter-http"
+  labels:
+    securecodebox.io/invasive: non-invasive
+    securecodebox.io/intensive: light
+spec:
+  matches:
+    anyOf:
+      - category: "Open Port"
+        attributes:
+          service: http
+          state: open
+      - category: "Open Port"
+        attributes:
+          service: https
+          state: open
+  scanSpec:
+    scanType: "screenshooter"
+    parameters: ["{{attributes.service}}://{{$.hostOrIP}}"]
diff --git a/scanners/screenshooter/examples/securecodebox.io/README.md b/scanners/screenshooter/examples/securecodebox.io/README.md
@@ -0,0 +1 @@
+This scan screenshots https://github.com/secureCodeBox
diff --git a/scanners/screenshooter/examples/securecodebox.io/scan.yaml b/scanners/screenshooter/examples/securecodebox.io/scan.yaml
@@ -1,8 +1,8 @@
 apiVersion: "execution.securecodebox.io/v1"
 kind: Scan
 metadata:
-  name: "screenshot-securecodebox.io"
+  name: "screenshot-github-securecodebox.io"
 spec:
   scanType: "screenshooter"
   parameters:
-    - "https://fjoel3.dje"
+    - "https://github.com/secureCodeBox"
diff --git a/scanners/screenshooter/parser/parser.js b/scanners/screenshooter/parser/parser.js
@@ -1,6 +1,4 @@
-const arg = require("arg");
-
-async function parse(image) {
+async function parse(image, scan) {
 
   if (image.length === 0) {
     return []
diff --git a/scanners/screenshooter/parser/parser.test.js b/scanners/screenshooter/parser/parser.test.js
@@ -19,7 +19,7 @@ beforeEach(() => {
 });
 
 test("should create finding correctly", async () => {
-  expect(await parse(undefined, { scan })).toMatchInlineSnapshot(`
+  expect(await parse("thisisabinarystringformatedimage", scan )).toMatchInlineSnapshot(`
     Array [
       Object {
         "attributes": Object {
@@ -36,21 +36,7 @@ test("should create finding correctly", async () => {
   `);
 });
 
-test("should also create finding correctly when using short flag '-u' instead of full '--url' flag", async () => {
+test("should not create finding if image is empty", async () => {
   (scan.spec.parameters = ["https://www.iteratec.de"]),
-    expect(await parse(undefined, { scan })).toMatchInlineSnapshot(`
-      Array [
-        Object {
-          "attributes": Object {
-            "downloadLink": "https://s3.example.com/foobar.png",
-          },
-          "category": "Screenshot",
-          "description": "Took a Screenshot for website: 'https://www.iteratec.de'",
-          "location": "https://www.iteratec.de",
-          "name": "Screenshot for https://www.iteratec.de",
-          "osi_layer": "APPLICATION",
-          "severity": "INFORMATIONAL",
-        },
-      ]
-    `);
+    expect(await parse("", scan )).toMatchInlineSnapshot(`Array []`);
 });
diff --git a/scanners/screenshooter/scanner/wrapper.sh b/scanners/screenshooter/scanner/wrapper.sh
@@ -1,7 +1,8 @@
 # Screnshooter entrypoint script to change the result file linux permission after completion.
 # Firefox will set the permission in a way which makes it inaccessible to the lurcher otherwise
-timeout 60 firefox $@
-timeout 60 firefox $@
+# Gets executed two times because it happend to produce better results for long loading sites
+timeout 30 firefox $@
+timeout 30 firefox $@
 if [ ! -f /home/securecodebox/screenshot.png ]; then
     touch /home/securecodebox/screenshot.png
 fi
diff --git a/scanners/screenshooter/templates/cascading-rules.yaml b/scanners/screenshooter/templates/cascading-rules.yaml
@@ -0,0 +1,8 @@
+# The CascadingRules are not directly in the /templates directory as their curly bracket syntax clashes with helms templates ... :( 
+# We import them as raw files to avoid these clashes as escaping them is even more messy
+{{ range $path, $_ :=  .Files.Glob  "cascading-rules/*" }}
+# Include File
+{{ $.Files.Get $path }}
+# Separate multiple files
+---
+{{ end }}
diff --git a/scanners/screenshooter/values.yaml b/scanners/screenshooter/values.yaml
@@ -1,12 +1,12 @@
 image:
   # image.repository -- Container Image to run the scan
-  repository: docker.io/paulschmelzer/scanner-screenshooter
+  repository: docker.io/securecodebox/scanner-screenshooter
   # image.tag -- defaults to the charts version
   tag: null
 
 parserImage:
   # parserImage.repository -- Parser image repository
-  repository: docker.io/paulschmelzer/parser-screenshooter
+  repository: docker.io/securecodebox/parser-screenshooter
   # parserImage.tag -- Parser image tag
   # @default -- defaults to the charts appVersion
   tag: null

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+This scan screenshots https://github.com/secureCodeBox`