12 changes: 5 additions & 7 deletions .github/workflows/ci.yaml
Expand Up @@ -23,7 +23,7 @@ env:
KIND_BINARY_VERSION: "v0.20.0"
KUBECTL_VERSION: "v1.27.4"
HELM_VERSION: "v3.12.2"
HELM_PLUGIN_UNITTEST: "0.3.5"
HELM_PLUGIN_UNITTEST: "0.4.1"

jobs:
# ---- NVM Setup ----
Expand Down Expand Up @@ -54,7 +54,6 @@ jobs:
path: ./nvm-node.tar.gz
retention-days: 1


test-nodejs-scanner-test-helpers:
name: "Unit Test | Node.js Scanner Test Helpers"
needs:
Expand Down Expand Up @@ -152,7 +151,7 @@ jobs:
- name: Install Helm Unit Test Plugin
run: |
helm plugin install https://github.com/helm-unittest/helm-unittest.git --version ${{ env.HELM_PLUGIN_UNITTEST }}

- name: Helm-Chart Unit Tests | Operator
working-directory: ./operator
run: make helm-unit-tests
Expand Down Expand Up @@ -186,7 +185,7 @@ jobs:
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
Expand All @@ -208,7 +207,7 @@ jobs:
restore-keys: ${{ runner.os }}-gradle
- name: Build and analyze
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
working-directory: hooks/${{ matrix.unit }}/hook
run: ./gradlew build --info
Expand Down Expand Up @@ -296,7 +295,7 @@ jobs:
auto-discovery-kubernetes-secret-extraction-container:
name: "Autodiscovery | Kubernetes | SecretExtractionInitContainer"
runs-on: ubuntu-22.04
needs:
needs:
- nvm-setup
- k8s-setup
steps:
Expand Down Expand Up @@ -733,7 +732,6 @@ jobs:
docker load --input /tmp/hook-sdk.tar
docker images | grep sdk


# ---- K8s Cluster Setup ---- #

- name: Download Kind
1 change: 1 addition & 0 deletions operator/config/rbac/role.yaml
Expand Up @@ -132,4 +132,5 @@ rules:
- create
- get
- list
- update
- watch
2 changes: 1 addition & 1 deletion operator/controllers/execution/scans/scan_controller.go
Expand Up @@ -54,7 +54,7 @@ var s3StorageFinalizer = "s3.storage.securecodebox.io"
// Pod permission are required to grant these permission to service accounts
// +kubebuilder:rbac:groups=core,resources=pods,verbs=get
// +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;watch;list;create
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=get;watch;list;create
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=get;watch;list;create;update
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;watch;list;create

// Reconcile compares the scan object against the state of the cluster and updates both if needed
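Review bot: The `update` verb added to the `roles` kubebuilder marker widens the operator's RBAC, and the comment two lines above (`Pod permission are required to grant these permission to service accounts`) explains `create` but says nothing about why `update` is now needed or which Roles it is meant to touch. The generated rule carries no `resourceNames`, and the snapshot in this PR suggests it lands in a ClusterRole, so the grant appears to cover every Role in every namespace rather than only the per-scan Roles this controller creates; the same applies to the two generated role.yaml copies. Kubernetes' RBAC escalation-prevention check still bounds what an update can grant (the operator cannot hand out verbs it does not hold itself), but that safety net should be stated rather than left implicit, and the reconcile path should ideally only update Roles it owns via ownerReference — I cannot confirm whether it does, since Reconcile's body starts below the hunk. Suggest extending the marker comment with something like `// update on roles: TODO(review) state why (re-reconciling an existing per-scan Role?); bounded by RBAC escalation prevention, and the controller should only update Roles it owns`.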
1 change: 1 addition & 0 deletions operator/templates/rbac/role.yaml
Expand Up @@ -132,4 +132,5 @@ rules:
- create
- get
- list
- update
- watch
79 changes: 57 additions & 22 deletions operator/tests/__snapshot__/operator_test.yaml.snap
@@ -1,7 +1,41 @@
matches the snapshot:
1: |
raw: "\nsecureCodeBox Operator Deployed \U0001F680\n\nThe operator can orchestrate the execution of various security scanning tools inside of your cluster.\nYou can find a list of all officially supported scanners here: https://www.securecodebox.io/\nThe website also lists other integrations, like persisting scan results to DefectDojo or Elasticsearch.\n\nThe operator send out regular telemetry pings to a central service.\nThis lets us, the secureCodeBox team, get a grasp on how much the secureCodeBox is used.\nThe submitted data is chosen to be as anonymous as possible.\nYou can find a complete report of the data submitted and links to the source-code at: https://www.securecodebox.io/docs/telemetry\nThe first ping is send one hour after the install, you can prevent this by upgrading the chart and setting `telemetryEnabled` to `false`.\n"
raw: |
CHART NAME: minio
CHART VERSION: 13.4.6
APP VERSION: 2024.2.13

** Please be patient while the chart is being deployed **

MinIO® can be accessed via port on the following DNS name from within your cluster:

RELEASE-NAME-minio.NAMESPACE.svc.cluster.local

To get your credentials run:

export ROOT_USER=$(kubectl get secret --namespace NAMESPACE RELEASE-NAME-minio -o jsonpath="{.data.root-user}" | base64 -d)
export ROOT_PASSWORD=$(kubectl get secret --namespace NAMESPACE RELEASE-NAME-minio -o jsonpath="{.data.root-password}" | base64 -d)

To connect to your MinIO® server using a client:

- Run a MinIO® Client pod and append the desired command (e.g. 'admin info'):

kubectl run --namespace NAMESPACE RELEASE-NAME-minio-client \
--rm --tty -i --restart='Never' \
--env MINIO_SERVER_ROOT_USER=$ROOT_USER \
--env MINIO_SERVER_ROOT_PASSWORD=$ROOT_PASSWORD \
--env MINIO_SERVER_HOST=RELEASE-NAME-minio \
--image docker.io/bitnami/minio-client:2024.2.9-debian-11-r7 -- admin info minio

To access the MinIO® web UI:

- Get the MinIO® URL:

echo "MinIO® web URL: http://127.0.0.1:9001/minio"
kubectl port-forward --namespace NAMESPACE svc/RELEASE-NAME-minio 9001:9001
2: |
raw: "\nsecureCodeBox Operator Deployed \U0001F680\n\nThe operator can orchestrate the execution of various security scanning tools inside of your cluster.\nYou can find a list of all officially supported scanners here: https://www.securecodebox.io/\nThe website also lists other integrations, like persisting scan results to DefectDojo or Elasticsearch.\n\nThe operator send out regular telemetry pings to a central service.\nThis lets us, the secureCodeBox team, get a grasp on how much the secureCodeBox is used.\nThe submitted data is chosen to be as anonymous as possible.\nYou can find a complete report of the data submitted and links to the source-code at: https://www.securecodebox.io/docs/telemetry\nThe first ping is send one hour after the install, you can prevent this by upgrading the chart and setting `telemetryEnabled` to `false`.\n"
3: |
apiVersion: apps/v1
kind: Deployment
metadata:
Expand Down Expand Up @@ -105,7 +139,7 @@ matches the snapshot:
- configMap:
name: foo
name: ca-certificate
3: |
4: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand All @@ -115,7 +149,7 @@ matches the snapshot:
- /metrics
verbs:
- get
4: |
5: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand All @@ -133,7 +167,7 @@ matches the snapshot:
- subjectaccessreviews
verbs:
- create
5: |
6: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
Expand All @@ -146,7 +180,7 @@ matches the snapshot:
- kind: ServiceAccount
name: securecodebox-operator
namespace: NAMESPACE
6: |
7: |
apiVersion: v1
kind: Service
metadata:
Expand All @@ -161,7 +195,7 @@ matches the snapshot:
targetPort: https
selector:
control-plane: controller-manager
7: |
8: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand All @@ -185,7 +219,7 @@ matches the snapshot:
- cascadingrules/status
verbs:
- get
8: |
9: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand All @@ -205,7 +239,7 @@ matches the snapshot:
- cascadingrules/status
verbs:
- get
9: |
10: |
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
Expand Down Expand Up @@ -242,7 +276,7 @@ matches the snapshot:
verbs:
- create
- patch
10: |
11: |
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
Expand All @@ -255,7 +289,7 @@ matches the snapshot:
- kind: ServiceAccount
name: securecodebox-operator
namespace: NAMESPACE
11: |
12: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand All @@ -279,7 +313,7 @@ matches the snapshot:
- parsedefinitions/status
verbs:
- get
12: |
13: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand All @@ -299,7 +333,7 @@ matches the snapshot:
- parsedefinitions/status
verbs:
- get
13: |
14: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand Down Expand Up @@ -429,8 +463,9 @@ matches the snapshot:
- create
- get
- list
- update
- watch
14: |
15: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
Expand All @@ -443,7 +478,7 @@ matches the snapshot:
- kind: ServiceAccount
name: securecodebox-operator
namespace: NAMESPACE
15: |
16: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand All @@ -467,7 +502,7 @@ matches the snapshot:
- scans/status
verbs:
- get
16: |
17: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand All @@ -487,7 +522,7 @@ matches the snapshot:
- scans/status
verbs:
- get
17: |
18: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand All @@ -511,7 +546,7 @@ matches the snapshot:
- scancompletionhooks/status
verbs:
- get
18: |
19: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand All @@ -531,7 +566,7 @@ matches the snapshot:
- scancompletionhooks/status
verbs:
- get
19: |
20: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand All @@ -555,7 +590,7 @@ matches the snapshot:
- scantypes/status
verbs:
- get
20: |
21: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand All @@ -575,7 +610,7 @@ matches the snapshot:
- scantypes/status
verbs:
- get
21: |
22: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand All @@ -599,7 +634,7 @@ matches the snapshot:
- scheduledscans/status
verbs:
- get
22: |
23: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand All @@ -619,7 +654,7 @@ matches the snapshot:
- scheduledscans/status
verbs:
- get
23: |
24: |
apiVersion: v1
kind: ServiceAccount
metadata:
4 changes: 2 additions & 2 deletions scanners/ncrack/parser/parser.js
Expand Up @@ -4,7 +4,7 @@

const xml2js = require("xml2js");
const crypto = require("crypto");
const { readFile } = require("fs/promises");
const {readFile} = require("fs/promises");

async function parse(
fileContent,
Expand Down Expand Up @@ -37,7 +37,7 @@ function transformToFindings(ncrackrun, publicKey) {
.publicEncrypt(
{
key: publicKey,
padding: crypto.constants.RSA_PKCS1_PADDING,
padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
},
Buffer.from(password)
)
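Review bot: The new `padding: crypto.constants.RSA_PKCS1_OAEP_PADDING` leaves the OAEP hash at Node's default (`oaepHash` defaults to SHA-1 when unset), so the ciphertext format now depends on a library default that every decrypting side has to guess; set it explicitly next to the padding, `oaepHash: "sha256",`, and document that decryptors must use the same padding and hash. Moving off PKCS#1 v1.5 is the right call (v1.5 encryption padding is the classic Bleichenbacher/Marvin oracle target, and recent Node releases refuse v1.5 private decryption by default), but it is a wire-format change: passwords encrypted by earlier parser versions can no longer be decrypted with the new settings, which deserves a line in the scanner docs or changelog. RSA-OAEP also caps the plaintext at the key size minus the padding overhead (190 bytes for a 2048-bit key with SHA-256), so `Buffer.from(password)` on an unusually long credential will make `publicEncrypt` throw; consider catching that per finding and reporting it instead of failing the whole parse. transformToFindings begins above the hunk, so I cannot see whether any of that is already handled.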
2 changes: 1 addition & 1 deletion scanners/ncrack/parser/parser.test.js
Expand Up @@ -142,7 +142,7 @@ it("should encrypt findings when a public key is set", async () => {
let decryptedData = crypto.privateDecrypt(
{
key: privateKey,
padding: crypto.constants.RSA_PKCS1_PADDING,
padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
},
Buffer.from(finding.attributes.password, "base64")
);
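Review bot: The changed `padding` line only proves a same-process round trip with whatever settings the parser happens to use, so it does not pin OAEP as the contract — a revert of both files to `RSA_PKCS1_PADDING` would still pass. Pin it with a negative assertion right after the decrypt, e.g. `expect(() => crypto.privateDecrypt({ key: privateKey, padding: crypto.constants.RSA_PKCS1_PADDING }, Buffer.from(finding.attributes.password, "base64"))).toThrow();`. If the parser ends up setting `oaepHash` explicitly, mirror the same value here so the test fails loudly when the two sides diverge. The enclosing `it("should encrypt findings when a public key is set")` starts above the hunk.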