secureCodeBox · Ilyesbdlala · Sep 15, 2023 · Aug 18, 2023 · Aug 18, 2023 · Aug 18, 2023
diff --git a/.github/workflows/release-build.yaml b/.github/workflows/release-build.yaml
@@ -491,6 +491,7 @@ jobs:
     strategy:
       matrix:
         scanner:
+          - amass
           - git-repo-scanner
           - screenshooter
           - test-scan

diff --git a/operator/apis/execution/v1/parsedefinition_types.go b/operator/apis/execution/v1/parsedefinition_types.go
@@ -30,6 +30,13 @@ type ParseDefinitionSpec struct {
 	// +nullable
 	TTLSecondsAfterFinished *int32 `json:"ttlSecondsAfterFinished,omitempty"`
 
+	// ContentType specifies the content type of the scan result
+	// Valid values are:
+	// - "Text" (default): the scan result is a text file
+	// - "Binary": the scan result is a binary file
+	//+kubebuilder:default=Text
+	ContentType ContentType `json:"contentType,omitempty"`
+
 	// Env allows to specify environment vars for the parser container.
 	Env []corev1.EnvVar `json:"env,omitempty"`
 	// Volumes allows to specify volumes for the parser container.
@@ -53,6 +60,17 @@ type ParseDefinitionStatus struct {
 	// Important: Run "make" to regenerate code after modifying this file
 }
 
+// ContentType specifies the content type of the scan result
+// +kubebuilder:validation:Enum=Text;Binary
+type ContentType string
+
+const (
+	// Text is the default content type and will be used if no content type is specified
+	Text ContentType = "Text"
+	// Binary is used for binary scan results
+	Binary ContentType = "Binary"
+)
+
 // +kubebuilder:object:root=true
 // +kubebuilder:printcolumn:name="Image",type=string,JSONPath=`.spec.image`,description="Scanner Container Image"
 

diff --git a/operator/config/crd/bases/execution.securecodebox.io_clusterparsedefinitions.yaml b/operator/config/crd/bases/execution.securecodebox.io_clusterparsedefinitions.yaml
@@ -870,6 +870,15 @@ spec:
                         type: array
                     type: object
                 type: object
+              contentType:
+                default: Text
+                description: 'ContentType specifies the content type of the scan result
+                  Valid values are: - "Text" (default): the scan result is a text
+                  file - "Binary": the scan result is a binary file'
+                enum:
+                - Text
+                - Binary
+                type: string
               env:
                 description: Env allows to specify environment vars for the parser
                   container.

diff --git a/operator/config/crd/bases/execution.securecodebox.io_parsedefinitions.yaml b/operator/config/crd/bases/execution.securecodebox.io_parsedefinitions.yaml
@@ -869,6 +869,15 @@ spec:
                         type: array
                     type: object
                 type: object
+              contentType:
+                default: Text
+                description: 'ContentType specifies the content type of the scan result
+                  Valid values are: - "Text" (default): the scan result is a text
+                  file - "Binary": the scan result is a binary file'
+                enum:
+                - Text
+                - Binary
+                type: string
               env:
                 description: Env allows to specify environment vars for the parser
                   container.

diff --git a/operator/controllers/execution/scans/parse_reconciler.go b/operator/controllers/execution/scans/parse_reconciler.go
@@ -100,6 +100,11 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error {
 			Resources: []string{"scans/status"},
 			Verbs:     []string{"get", "patch"},
 		},
+		{
+			APIGroups: []string{"execution.securecodebox.io"},
+			Resources: []string{"parsedefinitions"},
+			Verbs:     []string{"get"},
+		},
 	}
 	r.ensureServiceAccountExists(
 		scan.Namespace,

diff --git a/operator/crds/execution.securecodebox.io_clusterparsedefinitions.yaml b/operator/crds/execution.securecodebox.io_clusterparsedefinitions.yaml
diff --git a/operator/crds/execution.securecodebox.io_parsedefinitions.yaml b/operator/crds/execution.securecodebox.io_parsedefinitions.yaml
diff --git a/parser-sdk/nodejs/findings-schema.json b/parser-sdk/nodejs/findings-schema.json
@@ -18,7 +18,8 @@
         "identified_at": {
           "description": "Date-Time when the Finding was exactly identified according to ISO8601. This information will often not be present.",
           "type": "string",
-          "format": "date-time"
+          "format": "date-time",
+          "nullable": true
         },
         "parsed_at": {
           "description": "Date-Time when the Finding was parsed according to ISO8601. This information will always be present.",

diff --git a/parser-sdk/nodejs/parser-wrapper.js b/parser-sdk/nodejs/parser-wrapper.js
@@ -109,22 +109,49 @@ async function extractScan() {
     console.error(err);
     process.exit(1);
   }
+
+}
+
+async function extractParseDefinition(scan) {
+  try {
+    const { body } = await k8sApi.getNamespacedCustomObject(
+      "execution.securecodebox.io",
+      "v1",
+      namespace,
+      "parsedefinitions",
+      scan.status.rawResultType
+    );
+    return body;
+  } catch (err) {
+    console.error("Failed to get ParseDefinition from the kubernetes api");
+    console.error(err);
+    process.exit(1);
+  }
 }
 
+
+
+
 async function main() {
   console.log("Starting Parser");
   let scan = await extractScan();
-
+  let parseDefinition = await extractParseDefinition(scan);
   const resultFileUrl = process.argv[2];
   const resultUploadUrl = process.argv[3];
 
   console.log("Fetching result file");
-  const { data } = await axios.get(resultFileUrl);
+  let response;
+  if(parseDefinition.spec.contentType === "Binary"){
+    response = await axios.get(resultFileUrl, {responseType: 'arraybuffer'});
+  } else {
+    response = await axios.get(resultFileUrl);
+  }
+
   console.log("Fetched result file");
 
   let findings = [];
   try {
-    findings = await parse(data, scan);
+    findings = await parse(response.data, scan);
   } catch (error) {
     console.error("Parser failed with error:");
     console.error(error);

diff --git a/scanners/amass/.helm-docs.gotmpl b/scanners/amass/.helm-docs.gotmpl
@@ -19,6 +19,12 @@ usecase: "Subdomain Enumeration Scanner"
 {{- end }}
 
 {{- define "extra.dockerDeploymentSection" -}}
+
+## Notice
+This image is a workaround for the official Amass docker image, older amass versions are regularly removed from the official docker registry, this is often breaks our builds.
+To prevent this we create a new image based on the official one and push it to our docker registry.
+Copyright 2017 Jeff Foley. All rights reserved.
+
 ## Supported Tags
 - `latest`  (represents the latest stable release build)
 - tagged releases, e.g. `3.0.0`, `2.9.0`, `2.8.0`, `2.7.0`
@@ -39,16 +45,15 @@ The [OWASP Amass Project][owasp_amass_project] has developed a tool to help info
 {{- define "extra.scannerConfigurationSection" -}}
 ## Scanner Configuration
 
-The following security scan configuration example are based on the [Amass User Guide], please take a look at the original documentation for more configuration examples.
+The following security scan configuration example are based on the [Amass User Guide](https://github.com/owasp-amass/amass/blob/master/doc/user_guide.md#the-enum-subcommand), please take a look at the original documentation for more configuration examples.
 
 - The most basic use of the tool for subdomain enumeration: `amass enum -d example.com`
-- Typical parameters for DNS enumeration: `amass enum -v -src -ip -brute -min-for-recursive 2 -d example.com`
+- Typical parameters for DNS enumeration: `amass enum -v -brute -min-for-recursive 2 -d example.com`
 
 Special command line options:
 
-- Disable generation of altered names `amass enum -noalts -d example.com`
+- Enable generation of altered names `amass enum -alts -d example.com`
 - Turn off recursive brute forcing `amass enum -brute -norecursive -d example.com`
-- Disable saving data into a local database `amass enum -nolocaldb -d example.com`
 - Domain names separated by commas (can be used multiple times) `amass enum -d example.com`
 {{- end }}
 

diff --git a/scanners/amass/Chart.yaml b/scanners/amass/Chart.yaml
@@ -8,7 +8,7 @@ description: A Helm chart for the Amass security scanner that integrates with th
 type: application
 # version - gets automatically set to the secureCodeBox release version when the helm charts gets published
 version: v3.1.0-alpha1
-appVersion: "v3.23.3"
+appVersion: "v4.2.0"
 kubeVersion: ">=v1.11.0-0"
 annotations:
   versionApi: https://api.github.com/repos/OWASP/Amass/releases/latest

diff --git a/scanners/amass/Makefile b/scanners/amass/Makefile
@@ -7,5 +7,6 @@
 
 include_guard = set
 scanner = amass
+custom_scanner = set
 
 include ../../scanners.mk
diff --git a/scanners/amass/README.md b/scanners/amass/README.md
@@ -3,7 +3,7 @@ title: "Amass"
 category: "scanner"
 type: "Network"
 state: "released"
-appVersion: "v3.23.3"
+appVersion: "v4.2.0"
 usecase: "Subdomain Enumeration Scanner"
 ---
 
@@ -54,16 +54,15 @@ helm upgrade --install amass secureCodeBox/amass
 
 ## Scanner Configuration
 
-The following security scan configuration example are based on the [Amass User Guide], please take a look at the original documentation for more configuration examples.
+The following security scan configuration example are based on the [Amass User Guide](https://github.com/owasp-amass/amass/blob/master/doc/user_guide.md#the-enum-subcommand), please take a look at the original documentation for more configuration examples.
 
 - The most basic use of the tool for subdomain enumeration: `amass enum -d example.com`
-- Typical parameters for DNS enumeration: `amass enum -v -src -ip -brute -min-for-recursive 2 -d example.com`
+- Typical parameters for DNS enumeration: `amass enum -v -brute -min-for-recursive 2 -d example.com`
 
 Special command line options:
 
-- Disable generation of altered names `amass enum -noalts -d example.com`
+- Enable generation of altered names `amass enum -alts -d example.com`
 - Turn off recursive brute forcing `amass enum -brute -norecursive -d example.com`
-- Disable saving data into a local database `amass enum -nolocaldb -d example.com`
 - Domain names separated by commas (can be used multiple times) `amass enum -d example.com`
 
 ## Requirements
@@ -93,17 +92,17 @@ Kubernetes: `>=v1.11.0-0`
 | scanner.extraVolumeMounts | list | `[{"mountPath":"/amass/output/config.ini","name":"amass-config","subPath":"config.ini"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scanner.extraVolumes | list | `[{"configMap":{"name":"amass-config"},"name":"amass-config"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scanner.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
-| scanner.image.repository | string | `"caffix/amass"` | Container Image to run the scan |
+| scanner.image.repository | string | `"docker.io/securecodebox/scanner-amass"` | Container Image to run the scan |
 | scanner.image.tag | string | `nil` | defaults to the charts appVersion |
 | scanner.nameAppend | string | `nil` | append a string to the default scantype name. |
 | scanner.podSecurityContext | object | `{}` | Optional securityContext set on scanner pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
 | scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
-| scanner.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":false}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
+| scanner.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":true}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
 | scanner.securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated |
 | scanner.securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the container. |
 | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode |
 | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system |
-| scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user |
+| scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user |
 | scanner.suspend | bool | `false` | if set to true the scan job will be suspended after creation. You can then resume the job using `kubectl resume <jobname>` or using a job scheduler like kueue |
 | scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
 | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |

diff --git a/scanners/amass/docs/README.ArtifactHub.md b/scanners/amass/docs/README.ArtifactHub.md
@@ -59,16 +59,15 @@ helm upgrade --install amass secureCodeBox/amass
 
 ## Scanner Configuration
 
-The following security scan configuration example are based on the [Amass User Guide], please take a look at the original documentation for more configuration examples.
+The following security scan configuration example are based on the [Amass User Guide](https://github.com/owasp-amass/amass/blob/master/doc/user_guide.md#the-enum-subcommand), please take a look at the original documentation for more configuration examples.
 
 - The most basic use of the tool for subdomain enumeration: `amass enum -d example.com`
-- Typical parameters for DNS enumeration: `amass enum -v -src -ip -brute -min-for-recursive 2 -d example.com`
+- Typical parameters for DNS enumeration: `amass enum -v -brute -min-for-recursive 2 -d example.com`
 
 Special command line options:
 
-- Disable generation of altered names `amass enum -noalts -d example.com`
+- Enable generation of altered names `amass enum -alts -d example.com`
 - Turn off recursive brute forcing `amass enum -brute -norecursive -d example.com`
-- Disable saving data into a local database `amass enum -nolocaldb -d example.com`
 - Domain names separated by commas (can be used multiple times) `amass enum -d example.com`
 
 ## Requirements
@@ -98,17 +97,17 @@ Kubernetes: `>=v1.11.0-0`
 | scanner.extraVolumeMounts | list | `[{"mountPath":"/amass/output/config.ini","name":"amass-config","subPath":"config.ini"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scanner.extraVolumes | list | `[{"configMap":{"name":"amass-config"},"name":"amass-config"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scanner.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
-| scanner.image.repository | string | `"caffix/amass"` | Container Image to run the scan |
+| scanner.image.repository | string | `"docker.io/securecodebox/scanner-amass"` | Container Image to run the scan |
 | scanner.image.tag | string | `nil` | defaults to the charts appVersion |
 | scanner.nameAppend | string | `nil` | append a string to the default scantype name. |
 | scanner.podSecurityContext | object | `{}` | Optional securityContext set on scanner pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
 | scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
-| scanner.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":false}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
+| scanner.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":true}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
 | scanner.securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated |
 | scanner.securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the container. |
 | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode |
 | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system |
-| scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user |
+| scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user |
 | scanner.suspend | bool | `false` | if set to true the scan job will be suspended after creation. You can then resume the job using `kubectl resume <jobname>` or using a job scheduler like kueue |
 | scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
 | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |

diff --git a/scanners/amass/docs/README.DockerHub-Parser.md b/scanners/amass/docs/README.DockerHub-Parser.md
@@ -40,6 +40,11 @@ The secureCodeBox project is running on [Kubernetes](https://kubernetes.io/). To
 
 You can find resources to help you get started on our [documentation website](https://www.securecodebox.io) including instruction on how to [install the secureCodeBox project](https://www.securecodebox.io/docs/getting-started/installation) and guides to help you [run your first scans](https://www.securecodebox.io/docs/getting-started/first-scans) with it.
 
+## Notice
+This image is a workaround for the official Amass docker image, older amass versions are regularly removed from the official docker registry, this is often breaks our builds.
+To prevent this we create a new image based on the official one and push it to our docker registry.
+Copyright 2017 Jeff Foley. All rights reserved.
+
 ## Supported Tags
 - `latest`  (represents the latest stable release build)
 - tagged releases, e.g. `3.0.0`, `2.9.0`, `2.8.0`, `2.7.0`