securecodebox / securecodebox
secureCodeBox (SCB) - continuous secure delivery out of the box
Home Page: https://www.secureCodeBox.io
License: Other
After a successful launch of a scan via the CLI I can see the results in the job_zap_result.json
file but I am unable to find those in the GUI. Are those populated?
Describe the bug
Containers are unhealthy after I ran docker-compose. Engine container exited.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Containers go up and are functional. SecureCodeBox works like a charm ;-)
System (please complete the following information):
Screenshots / Logs
For engine logs: https://pastebin.com/CiYYU34c
OWASP Glue
DevSecOps Studio
https://www.owasp.org/index.php/OWASP_DevSecOps_Studio_Project
maybe there are others. Saves perhaps lots of effort and energy!
Is your feature request related to a problem? Please describe.
The CLI is currently very limited to only one use case.
It would be cool to have a CLI with more functionality, e.g. starting scans, retrieving results.
Describe the solution you'd like
A CLI with a similar structure to modern CLIs like docker or kubernetes, with good help texts.
The CLI should be written in a way that is cross-platform and easy to maintain and expand in the future. Go would be a nice use case for it, with nice libraries to write CLIs, e.g.:
Additional context
Reworking the CLI has come up in multiple issues.
We were able to start dockerised securecodebox, but how do we get the data fed into Kibana (as seen on the screenshots)?
To test if the repo migration (see: #136) worked correctly, we should perform a test release in the repository to ensure that the workflow and release process still works correctly.
Describe the bug
CLI tries to connect to the deprecated and removed /box/processes
endpoint.
This makes the cli assume that the engine is down and terminate before doing any actual work.
To Reproduce
Start any process via cli.
Expected behavior
Process should be started correctly.
Additional context
To ensure that the error is detected earlier, the integration test could try to start a process via the CLI.
When will you release the project?
Dear secureCodeBox team,
I decided to spin up your box, but unfortunately I do not seem to be able to initialize secureCodeBox in docker. When running docker ps -a, I noticed that securecodebox/engine:oss exited. References are provided in the log files. Obviously, port 8080 is not hosting any web application (checked with netstat). Lastly, the log files seem to run in a loop while showing the following output.
scanner-webapplication-arachni_1 | D, [2018-08-06T12:21:25.710779 #7] DEBUG -- : Getting new scans
scanner-webapplication-arachni_1 | D, [2018-08-06T12:21:25.711148 #7] DEBUG -- : fetching task
scanner-webapplication-arachni_1 | D, [2018-08-06T12:21:25.722771 #7] DEBUG -- : Error while connecting to http://engine:8080/box/jobs/lock/arachni_webapplicationscan/ce6d88dc-13fb-4ef5-a801-c897fba09d87
scanner-webapplication-arachni_1 | D, [2018-08-06T12:21:25.723134 #7] DEBUG -- : Failed to open TCP connection to engine:8080 (getaddrinfo: Temporary failure in name resolution)
scanner-webapplication-arachni_1 | D, [2018-08-06T12:21:25.723446 #7] DEBUG -- : Sleeping for 5...
We have checked the script both in an Ubuntu 18.04 box on VMWare and an Ubuntu 16.04 box on AWS. In both instances, we have updated the virtual memory (MAX MAP COUNT variable). Both seem to run into the same problems.
Any suggestions?
KR, JK
Is your feature request related to a problem? Please describe.
As a user I want to test my ssh-server (or an already found ssh port) based on best practices and given security policies with the secureCodeBox.
Some best practices on the topic of ssh hardening can be found here:
Describe the solution you'd like
There are already some ssh security scanners like:
Especially the mozilla ssh_scan seems to be a good candidate to implement.
It's well documented and has an active community. It supports JSON output and the possibility to add my own ssh check policy.
Additional context
A new ssh scanner could be combined with the existing port scanner (nmap) to check found ssh ports.
A general guide on how to implement a new scanner is documented here
Is your feature request related to a problem? Please describe.
Enhance the multi tenancy support of the secureCodeBox API.
This allows users to restrict the ability to see and work on securityTests. This enables users to scan services located in isolated networks, by restricting the access to scans to the technical users of the scanner services inside these networks. By restricting the access to the securityTest to the isolated worker it is ensured that no other worker outside this network can "steal" this job.
Describe the solution you'd like
The easiest way to configure multi tenancy is to create multiple camunda tenants (secureCodeBox engine) and assign the technical users to the corresponding tenant. To control which tenant a securityTest should belong to, you can set the tenant attribute on the securityTest model when starting a process.
Note: You need to be a member of the tenant to start a process as part of the tenant. When the tenant attribute is set to null or is not set at all the process will be started without a tenant.
Open Todos:
When you start the stack for the first time, you have to add a "simple filter" in the tasklist menu. If you miss this step you can't see the result tasks.
We should document this step in the user guide.
It would be nice if as an alternative to Defect Dojo, ThreadFix could also be included as StorageProvider.
ThreadFix has a public API: https://denimgroup.atlassian.net/wiki/spaces/TDOC/pages/22842096/ThreadFix%2BAPI
Unfortunately it is a commercial tool in contrast to DefectDojo, but it can also be found in many corporate environments.
name: "Feature request"
about: "Suggest an idea for this project"
Is your feature request related to a problem? Please describe.
Describe the solution you'd like
Describe alternatives you've considered
Additional context
Describe the bug
When the user is not authorized to start a specific scan or the engine encounters an error while starting the scan, the only related output of the runScanner.sh
script is something like "Failed to identify process ID!"
To Reproduce
Use runScanner.sh
to start a scan you are not authorized for. E.g. for a tenant you are not a member of.
Expected behavior
The script logs an error related to the response status code.
E.g.
4xx: "The user is not authorized to create this securityTest"
404: "The securityTest 'foobar' does not exist"
500: "Encountered unexpected Error in engine. Check the logs of engine for additional details"
System (please complete the following information):
all
As a secureCodeBox user I would like to be able to change / manipulate the nmap findings severity, based on a simple rule pattern. By default all NMAP port findings are classified with the severity Informational. In some use cases I would like to change the port specific severity classification based on custom rules. For example if some port ranges are prohibited to use.
The custom severity configuration should also be applied if the NMAP scan is started by cascadingScanRules (e.g. as a subsequent scan started by AMASS).
Describe the solution you'd like
In the secureCodeBox v1 there is an NMAP specific implementation example of how to change some port specific severity classifications, but without any configuration options: secureCodeBox/engine@c40b499
An example configuration could look something like this:
openport:
  - port: 21
    severity: HIGH
  - port: 22
    severity: MEDIUM
  - port: 389
    severity: HIGH
  - port: 9200
    severity: LOW
Describe alternatives you've considered
The updatefield-hook implements a lightweight findings post processing. But currently it is only possible to add new attributes to findings; it has no feature to manipulate finding attributes based on rules. Extending the updatefield-hook in this way would maybe lead to a more generic solution which could also apply to other scanners and use cases.
For a more generic approach, maybe the cascadingRule definition configuration semantic could be a good example of how to configure the post processing:
rules:
  - rule:
      matches:
        anyOf:
          - category: "Open Port"
            attributes:
              port: 21
              state: open
          - category: "Open Port"
            attributes:
              port: 389
              state: open
      attribute:
        name: "severity"
        value: "high"
  - rule:
      matches:
        anyOf:
          - category: "Open Port"
            attributes:
              port: 22
              state: open
      attribute:
        name: "severity"
        value: "medium"
  - rule:
      matches:
        anyOf:
          - category: "Open Port"
            attributes:
              port: 9200
              state: open
      attribute:
        name: "severity"
        value: "low"
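The rule-based post processing sketched in this request, as an added example in the style of a secureCodeBox v2 hook (not the project's own updatefield hook); the finding and rule object shapes are modelled on the YAML above and are assumptions of this example, as are the constructed sample findings:

```javascript
// Added example, not secureCodeBox code: applies rule-based severity overrides
// of the kind sketched in the issue to a list of findings. A rule matches a
// finding when any `anyOf` entry matches (same category, every listed attribute
// equal) and then sets `attribute.name` on the finding to `attribute.value`.

// Constructed sample findings, in the shape the nmap parser emits
// (category "Open Port", severity "INFORMATIONAL" by default).
const sampleFindings = [
  { name: "Open Port: 21 (ftp)", category: "Open Port", severity: "INFORMATIONAL",
    attributes: { port: 21, state: "open", ip_address: "10.0.0.5" } },
  { name: "Open Port: 22 (ssh)", category: "Open Port", severity: "INFORMATIONAL",
    attributes: { port: 22, state: "open", ip_address: "10.0.0.5" } },
  { name: "Port: 389 (ldap)", category: "Open Port", severity: "INFORMATIONAL",
    attributes: { port: 389, state: "filtered", ip_address: "10.0.0.5" } },
  { name: "Host: 10.0.0.5", category: "Host", severity: "INFORMATIONAL",
    attributes: { ip_address: "10.0.0.5" } },
];

// The first two rules of the YAML sketch, as a JavaScript literal.
const sampleRules = [
  {
    matches: { anyOf: [
      { category: "Open Port", attributes: { port: 21, state: "open" } },
      { category: "Open Port", attributes: { port: 389, state: "open" } },
    ] },
    attribute: { name: "severity", value: "HIGH" },
  },
  {
    matches: { anyOf: [{ category: "Open Port", attributes: { port: 22, state: "open" } }] },
    attribute: { name: "severity", value: "MEDIUM" },
  },
];

// One anyOf entry matches when the category is equal (if given) and every
// attribute listed in the matcher equals the finding's attribute.
function matcherApplies(matcher, finding) {
  if (matcher.category !== undefined && matcher.category !== finding.category) {
    return false;
  }
  const attrs = finding.attributes || {};
  return Object.entries(matcher.attributes || {}).every(([key, value]) => attrs[key] === value);
}

function ruleApplies(rule, finding) {
  const anyOf = (rule.matches && rule.matches.anyOf) || [];
  return anyOf.some((matcher) => matcherApplies(matcher, finding));
}

// Returns new finding objects; the input array is left untouched so the raw
// scanner output stays available. When several rules match, the last one wins.
function applySeverityRules(findings, rules) {
  return findings.map((finding) => {
    const updated = { ...finding, attributes: { ...(finding.attributes || {}) } };
    for (const rule of rules) {
      if (ruleApplies(rule, finding)) {
        updated[rule.attribute.name] = rule.attribute.value;
      }
    }
    return updated;
  });
}
```

Because the rules act on the parsed findings rather than on how the scan was started, they apply equally to scans triggered by cascading rules, and a filtered port 389 keeps its default severity since the matcher requires `state: open`.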
Is your feature request related to a problem? Please describe.
Guys, I saw that some branches are merged in master but no tags are applied.
This is not good for a production environment. I would like to know exactly what revision I've cloned and later to check all changes when I plan an upgrade.
Describe the solution you'd like
After each merge in master a new git tag needs to be applied
Describe alternatives you've considered
NO
Additional context
Add any other context or screenshots about the feature request here.
Is your feature request related to a problem? Please describe.
As a user I want to use the Burp Security Scanner with the secureCodeBox to test my web applications.
Describe the solution you'd like
Burp is integrated into the secureCodeBox
Is your feature request related to a problem? Please describe.
As a security tester I would like to continuously check a list of git repositories in my project and check if they contain any credentials. This is a common security problem which must be avoided. But even the best developers can make mistakes. Finding such problems early can prevent worse.
Describe the solution you'd like
There are a lot of different git credential scanner services and tools. The gitleaks (SAST) scanner seems to be a good solution which can be easily integrated with the SCBv2 project: https://github.com/zricethezav/gitleaks
Describe alternatives you've considered
Additional context
Is your feature request related to a problem? Please describe.
The secureCodeBox already supports defining a custom securityContext for the scanners.
It would be nice to have default securityContexts set for every scanner which are pre-configured individually for each scanner, so that this doesn't have to be done by the users.
Describe the solution you'd like
The values files of the scanners should include a default configured scanType which restricts the container from features it doesn't really require, to improve the security stance of the secureCodeBox.
This has already been implemented for Nmap, see: https://github.com/secureCodeBox/secureCodeBox-v2/blob/7596d3f4d9c272ba98c29aa639160bbd27e45c9a/scanners/nmap/values.yaml#L39-L52
As a user I would like to use the OWASP DefectDojo project to analyse my findings (instead of or in parallel to my kibana dashboard). While the secureCodeBox has its major focus on the automation part of the security scanner execution, DefectDojo is good at visualising, deduplicating and analysing the findings.
To integrate OWASP DefectDojo it's necessary to implement a new persistenceProvider which pushes the raw finding results of each scanner to the new DefectDojo API: ImportScan. DefectDojo can be started as a separate Docker Container within the secureCodeBox Stack.
Possible Scanner Integrations:
Is your feature request related to a problem? Please describe.
It would be great if the travis build were extended to run the docker image and test it with given default env values. The smoke test can be done by checking the healthcheck.
This test should be done before the image will be published to dockerHub.
Describe the bug
The API methods and Objects are referencing the pre 1.0 Api.
Steps To Reproduce
Expected behavior
The documentation should reflect the current state of the api.
Additional context
Initially reported in Slack: https://securecodebox.slack.com/archives/C42NYDT46/p1551275864002700
Describe the bug
The installation from https://docs.securecodebox.io/docs/getting-started/installation/ does not succeed.
To Reproduce
Expected behavior
System (please complete the following information):
Additional context
Minio requires 4 GB RAM by default, but Docker Desktop for macOS has its resource setting at 2 GB.
Is your feature request related to a problem?
As a ruby developer it would be very helpful to be able to use a ruby gem which encapsulates some of the basic scanner integration stuff, like the integration of the scanner with the SCB Engine.
There is already a nodejs scaffolding package implemented which nearly does the same, based on node: https://github.com/secureCodeBox/nodejs-scanner-scaffolding
Describe the solution you'd like
There is already a good guide on how to do this:
The following SCB repository should be migrated to the new ruby gem:
Hi,
I installed SCB via docker-compose, added a user, granted it all permissions and roles, and spun up instances of dvwa and juice-shop to test on.
When I try to initiate an advanced scan I get a ticket and claim it, but when I try to set anything in the advanced parameters field (i.e. nmap -A localhost or nikto -host localhost -port 3000) the "Complete" button is disabled; the same goes for the "Save" button. I can click it once, but when I refresh the ticket no changes are actually saved.
Is this a known bug or am I doing something wrong?
Thanks in advance, Cheers!
The secureCodeBox V2 generates a generic findings JSON format in addition to the rawResults of each security scanner. This format should be documented within the documentation contribution section https://docs.securecodebox.io/docs/contributing/conventions to help developers understand the finding generation and post processing process.
Maybe the json-schema standard https://json-schema.org/ could help to document the findings format in a more general way. The json-schema can also be used for validation of given findings.json files.
Hi there,
I am getting the following error with docker-compose up:
persistence-kibana_1 | {"type":"log","@timestamp":"2018-07-05T12:44:52Z","tags":["warning","elasticsearch","admin"],"pid":1,"message":"Unable to revive connection: http://persistence-elasticsearch:9200/"}
My environment:
Ubuntu server 18.04 amd64
Docker version: 18.03.1-ce
Docker-compose version: 1.21.2
I also cannot ping http://persistence-elasticsearch:9200.
Did the address to the elastic search change perhaps?
Regards,
The secureCodeBox API should be secured with an authentication method like Basic Auth to ensure that only authenticated scanners are allowed to pull and push scan jobs. This is important if you deploy the scanner and engine in different networks.
Therefore the engine API needs a configurable authentication and all scanners must be able to authenticate. This feature must be configurable via environment variables.
Is your feature request related to a problem? Please describe.
As a user, I would like to use VEGA with the secureCodeBox
Describe the solution you'd like
VEGA is integrated into the secureCodeBox
Add an authentication mechanism to the SCB engine API directly and don't rely on reverse proxies like nginx.
The v2.0.0 release is close
For the release we should prepare some release notes which could link to @Weltraumschaf's upcoming v2 announcement blog posts.
As a SCB user I would like to configure the elasticsearch index pattern more precisely when I install the elasticsearch persistence hook. This feature will be useful to optimize the elasticsearch result index size, rollover strategy and performance.
As for now it is already possible to configure the index prefix via the helm chart config:
# Define a specific index prefix
indexPrefix: "scbv2"
Additionally, it should be possible to configure a date pattern as suffix to change the index aggregation level:
# Define a specific index prefix
indexPrefix: "scbv2"
# Define a specific index suffix based on date pattern (YEAR, MONTH, WEEK, DATE)
indexSuffix: "YYYY-MM-DD"
# Define if the name of the namespace where this hook is deployed to must be added to the index name. The namespace can be used to separate index by tenants (namespaces).
indexAppendNamespace: true
Example index names that should be possible to configure:
scbv2-team-2020-10-05
(daily rollover pattern, append namespace: true)
scbv2-team-2020-10
(monthly rollover pattern, append namespace: true)
scbv2-team-2020
(yearly rollover pattern, append namespace: true)
scbv2-team-2020-45
(weekly rollover pattern, append namespace: true)
scbv2-team
(no rollover pattern, append namespace: true)
scbv2-2020-10-05
(daily rollover pattern, append namespace: false)
scbv2-2020-10
(monthly rollover pattern, append namespace: false)
scbv2-2020
(yearly rollover pattern, append namespace: false)
scbv2-2020-45
(weekly rollover pattern, append namespace: false)
scbv2
(no rollover pattern, append namespace: false)
As a starting point here a pointer to the current implementation:
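The index naming proposed above, as an added example in JavaScript (the language of the secureCodeBox v2 hooks); this is not the persistence-elasticsearch hook's own code, and the pattern tokens YYYY, YYYY-MM, YYYY-WW and YYYY-MM-DD, the use of ISO-8601 week numbers and the sample namespace "team" are assumptions of the example:

```javascript
// Added example, not the secureCodeBox elasticsearch hook's own code: builds an
// index name from the indexPrefix / indexSuffix / indexAppendNamespace values
// proposed in the issue. Pattern tokens and ISO-8601 weeks are assumptions.

function pad2(n) {
  return String(n).padStart(2, "0");
}

// ISO-8601 week: weeks start on Monday, week 1 is the week that contains the
// first Thursday of the year. The ISO year is returned as well, because the
// first or last days of a calendar year can belong to the neighbouring year's week.
function isoWeek(date) {
  const d = new Date(Date.UTC(date.getUTCFullYear(), date.getUTCMonth(), date.getUTCDate()));
  const weekday = d.getUTCDay() || 7;          // JS Sunday is 0, ISO wants 7
  d.setUTCDate(d.getUTCDate() + 4 - weekday);  // move to the Thursday of this week
  const yearStart = Date.UTC(d.getUTCFullYear(), 0, 1);
  const week = Math.ceil(((d.getTime() - yearStart) / 86400000 + 1) / 7);
  return { year: d.getUTCFullYear(), week };
}

// Formats the date suffix for one of the four rollover levels, or returns ""
// when no suffix is configured (no rollover, one index per prefix/namespace).
function formatIndexSuffix(pattern, date) {
  const y = date.getUTCFullYear();
  const m = pad2(date.getUTCMonth() + 1);
  switch (pattern || "") {
    case "":
      return "";
    case "YYYY":
      return `${y}`;
    case "YYYY-MM":
      return `${y}-${m}`;
    case "YYYY-MM-DD":
      return `${y}-${m}-${pad2(date.getUTCDate())}`;
    case "YYYY-WW": {
      const w = isoWeek(date);
      return `${w.year}-${pad2(w.week)}`;
    }
    default:
      throw new Error(`unsupported indexSuffix pattern: ${pattern}`);
  }
}

// Elasticsearch rejects index names containing these characters or uppercase
// letters, and names starting with '-', '_' or '+'.
const FORBIDDEN_INDEX_CHARS = /[\\/*?"<>| ,#:]/;

function buildIndexName(config, namespace, date) {
  const { indexPrefix = "scbv2", indexSuffix = "", indexAppendNamespace = false } = config;
  const parts = [indexPrefix];
  if (indexAppendNamespace) {
    parts.push(namespace);
  }
  const suffix = formatIndexSuffix(indexSuffix, date);
  if (suffix !== "") {
    parts.push(suffix);
  }
  const name = parts.join("-").toLowerCase();
  if (FORBIDDEN_INDEX_CHARS.test(name) || /^[-_+]/.test(name)) {
    throw new Error(`invalid elasticsearch index name: ${name}`);
  }
  return name;
}

// Constructed sample: the hook is deployed in namespace "team" and runs on 2020-10-05.
const sampleDate = new Date(Date.UTC(2020, 9, 5));
const sampleNames = {
  daily: buildIndexName({ indexPrefix: "scbv2", indexSuffix: "YYYY-MM-DD", indexAppendNamespace: true }, "team", sampleDate),
  monthly: buildIndexName({ indexPrefix: "scbv2", indexSuffix: "YYYY-MM", indexAppendNamespace: true }, "team", sampleDate),
  weekly: buildIndexName({ indexPrefix: "scbv2", indexSuffix: "YYYY-WW", indexAppendNamespace: true }, "team", sampleDate),
  yearly: buildIndexName({ indexPrefix: "scbv2", indexSuffix: "YYYY", indexAppendNamespace: false }, "team", sampleDate),
  flat: buildIndexName({ indexPrefix: "scbv2" }, "team", sampleDate),
};
```

With ISO numbering 2020-10-05 falls in week 41, so the weekly name comes out as scbv2-team-2020-41; the namespace is lowercased because Elasticsearch index names must be lowercase.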
Describe the bug
When the cluster has istio sidecar injection enabled the secureCodeBox cannot properly run its scans in the namespace, as the jobs never terminate because the sidecar is still running even hours after the scan has completed.
Depending on the istio config this can also mess with the ability of the operator / lurcher / parsers to talk to the kubernetes API.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Scans should work normally in istio enabled namespaces.
As a temporary workaround, or to wait until proper sidecar support is added to kubernetes, it would be best to disable the injection via a "sidecar.istio.io/inject": "false"
pod label on scan, parse and hook pods, see: https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection
Ideally the secureCodeBox operator could support istio and other service meshes directly and proxy scanner traffic through the sidecar.
System (please complete the following information):
Hello everyone,
I want to start a scan process using the REST API, but if I do that, I don't get results.
If I send an HTTP PUT Request, for example:
URL:
http://localhost:8080/box/processes/nmap-process
Header:
Content-Type:application/json
Body:
[
  {
    "attributes": {
      "NMAP_START_PORT": 34,
      "NMAP_IP": "localhost",
      "NMAP_END_PORT": 125
    },
    "location": "juice-shop",
    "name": "JuiceShop Test Host"
  }
]
I get the process-id as a response. But where can I find the scan results?
Thank you!
Is it possible to interact with the different scanners through the CLI?
Also is it possible to schedule a scan?
Is it possible to publish an alert to a ticketing tool like Jira for example?
Thanks in advance.
Is your feature request related to a problem? Please describe.
Add a scanner to test ssh servers for common username / password combos.
Describe the solution you'd like
Integrate an ssh brute-forcing tool:
Potential Tools:
If you know any other potential tools please add a comment with a link to it.
Hint: A general guide on how to implement a new scanner is documented here
To test for common API vulnerabilities like rate limiting, the scanner Astra (https://github.com/flipkart-incubator/Astra) looks promising.
The deployment of the SCBv2 operator and CRDs, ClusterRoles, ClusterRoleBindings requires a ClusterAdmin role or a well defined RBAC definition for the service account which is used for installation. This must be documented more precisely in our user guide (Installation).
https://docs.securecodebox.io/docs/getting-started/installation
Is your feature request related to a problem? Please describe.
As a security tester I would like to test security aspects of my kubernetes cluster because there is a lot of stuff that can be misconfigured. The secureCodeBox v2 is already based on kubernetes so this should fit perfectly.
Describe the solution you'd like
As a security tester I would like to test the security of my kubernetes cluster based on the kubeaudit scanner: https://github.com/Shopify/kubeaudit
Describe alternatives you've considered
none
Additional context
There is already a scanner folder for this feature request: https://github.com/secureCodeBox/secureCodeBox-v2/tree/master/scanners/kubeaudit
Before we can properly release the v2.0.0 we have to merge over the code of this repository into the regular secureCodeBox Repository.
Things that should be thought of (list probably incomplete):
Is your feature request related to a problem? Please describe.
As a security tester I would like to configure the start time pattern for scheduledScans more precisely. For now it is possible to configure the time interval (hours) between two scans but the starting point relates to the installation time of the scheduledScan.
Describe the solution you'd like
To be able to configure a more complex schedule for my security scan it would be great to support a crontab
syntax as an alternative option.
apiVersion: "execution.securecodebox.io/v1"
kind: ScheduledScan
metadata:
  name: "nmap-scanme.nmap.org-daily"
spec:
  crontab: "0 12 * * *"
  scanSpec:
    scanType: "nmap"
    parameters:
      # Use nmap's service detection feature
      - "-sV"
      - scanme.nmap.org
  historyLimit: 3
Describe alternatives you've considered
none
Additional context
Describe the bug
All SCB HelmCharts contain the kubeVersion field to ensure the K8S version meets the SCB requirements.
apiVersion: v2
name: operator
description: secureCodeBox Operator to automate the execution of security scans on kubernetes
type: application
# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
version: latest
kubeVersion: ">=v1.11.0"
The current definition results in an error if the K8S cluster is using a pre-release version, even if it is newer than the kubeVersion semver constraint:
helm --namespace securecodebox-system upgrade --install securecodebox-operator secureCodeBox/operator --version v2.0.0-rc.12
Error: UPGRADE FAILED: chart requires kubeVersion: >=v1.11.0 which is incompatible with Kubernetes v1.16.6-beta.0
Expected behavior
It would be great to support Kubernetes pre-release versions. As explained in the helm issue helm/helm#3810 this could be done by adding a pre-release extension to the kube version field:
apiVersion: v2
name: operator
description: secureCodeBox Operator to automate the execution of security scans on kubernetes
type: application
# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
version: latest
kubeVersion: ">=v1.11.0-0"
Describe the bug
After running a nikto scan, the findings cannot be imported into elasticsearch. Instead, the RestHighLevelClient raises the following error:
{
  "error": {
    "root_cause": [
      {
        "type": "illegal_argument_exception",
        "reason": "request [/securecodebox_services_2020-02-12] contains unrecognized parameter: [include_type_name]"
      }
    ],
    "type": "illegal_argument_exception",
    "reason": "request [/securecodebox_services_2020-02-12] contains unrecognized parameter: [include_type_name]"
  },
  "status": 400
}
I have tested 2 scanners, nikto and sslyze, and both resulted in the same error. I assume maybe my elasticsearch configuration is wrong.
To Reproduce
Steps to reproduce the behavior:
System (please complete the following information):
EDIT: In case anyone else has this issue, make sure you have the elasticsearch-oss version 6.8.1 or higher.
The current install guide (https://docs.securecodebox.io/docs/getting-started/installation) doesn't include instructions on how to properly uninstall the secureCodeBox.
Most parts of the uninstallation are pretty self explanatory.
One thing that isn't is that the operator creates ServiceAccounts, Roles & RoleBindings in every namespace in which scans are running, which are used by the lurcher, parser and hooks to get access to certain types of resources in their namespace.
These can't be cleanly uninstalled as they are not linked to the operator: they live in their own namespaces and can't be referenced via Kubernetes OwnerReferences.
The install docs should include a section detailing how users can cleanly uninstall the secureCodeBox.
As a user I would like to have a lightweight false-positive handling which helps me to label/mark and filter findings which are not relevant or false positives.
I would like to file all findings in my security dashboard (kibana).
See #225
Is your feature request related to a problem? Please describe.
As a user I want to test my REST APIs based on best practices with the secureCodeBox.
Therefore, the ASTRA tool could be helpful:
Describe the solution you'd like
ASTRA is integrated into the secureCodeBox
Is your feature request related to a problem?
As a DevSecOps developer I want to use the Wordpress Security Scanner with the secureCodeBox to test my Wordpress instance, if there are some old plugin versions installed.
Hint: If you are new and need some help implementing a new security scanner for the secureCodeBox, please have a look at our documentation.
A general guide on how to implement a new scanner is documented here