
Commit 0f224fa

committed
Cascading Scans: merge volumes and volumeMounts from parent scan and cascading rule
Signed-off-by: Jop Zitman <jop-zitman@hotmail.com>
1 parent 499c077 commit 0f224fa

3 files changed

Lines changed: 219 additions & 1 deletion


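--- a/hooks/cascading-scans/hook.test.js
+++ b/hooks/cascading-scans/hook.test.js
@@ -101,6 +101,8 @@ test("Should create subsequent scans for open HTTPS ports (NMAP findings)", () =
 "scanAnnotations": Object {},
 "scanLabels": Object {},
 "scanType": "sslyze",
+"volumeMounts": Array [],
+"volumes": Array [],
 },
 ]
 `);
@@ -175,6 +177,8 @@ test("Should not try to do magic to the scan name if its something random", () =
 "scanAnnotations": Object {},
 "scanLabels": Object {},
 "scanType": "sslyze",
+"volumeMounts": Array [],
+"volumes": Array [],
 },
 ]
 `);
@@ -252,6 +256,8 @@ test("Should not crash when the annotations are not set", () => {
 "scanAnnotations": Object {},
 "scanLabels": Object {},
 "scanType": "sslyze",
+"volumeMounts": Array [],
+"volumes": Array [],
 },
 ]
 `);
@@ -318,6 +324,8 @@ test("Should copy ENV fields from cascadingRule to created scan", () => {
 "scanAnnotations": Object {},
 "scanLabels": Object {},
 "scanType": "sslyze",
+"volumeMounts": Array [],
+"volumes": Array [],
 },
 ]
 `);
@@ -394,6 +402,8 @@ test("Should allow wildcards in cascadingRules", () => {
 "scanAnnotations": Object {},
 "scanLabels": Object {},
 "scanType": "sslyze",
+"volumeMounts": Array [],
+"volumes": Array [],
 },
 ]
 `);
@@ -665,6 +675,8 @@ test("should copy scanLabels from CascadingRule to cascading scan", () => {
 "k_two": "v_two",
 },
 "scanType": "sslyze",
+"volumeMounts": Array [],
+"volumes": Array [],
 },
 ]
 `);
@@ -730,6 +742,8 @@ test("should copy scanAnnotations from CascadingRule to cascading scan", () => {
 },
 "scanLabels": Object {},
 "scanType": "sslyze",
+"volumeMounts": Array [],
+"volumes": Array [],
 },
 ]
 `);
@@ -846,6 +860,8 @@ test("should copy proper finding ID into annotations", () => {
 "scanAnnotations": Object {},
 "scanLabels": Object {},
 "scanType": "sslyze",
+"volumeMounts": Array [],
+"volumes": Array [],
 },
 ]
 `);
@@ -946,3 +962,197 @@ test("should merge environment variables into cascaded scan", () => {
 ]
 `);
 });
+
+test("should merge volumeMounts into cascaded scan", () => {
+const findings = [
+{
+name: "Port 443 is open",
+category: "Open Port",
+attributes: {
+state: "open",
+hostname: "foobar.com",
+port: 443,
+service: "https"
+}
+}
+];
+
+parentScan.spec.volumeMounts = [
+{
+"mountPath": "/etc/ssl/certs/ca-cert.cer",
+"name": "ca-certificate",
+"readOnly": true,
+"subPath": "ca-cert.cer"
+}
+]
+
+sslyzeCascadingRules[0].spec.scanSpec.volumeMounts = [
+{
+"mountPath": "/etc/ssl/certs/ca-cert-sslyze.cer",
+"name": "ca-certificate-sslyze",
+"readOnly": true,
+"subPath": "ca-cert-sslyze.cer"
+}
+]
+
+const cascadedScans = getCascadingScans(
+parentScan,
+findings,
+sslyzeCascadingRules
+);
+
+const cascadedScan = cascadedScans[0]
+
+expect(cascadedScans).toMatchInlineSnapshot(`
+Array [
+Object {
+"cascades": Object {},
+"env": Array [],
+"finding": Object {
+"attributes": Object {
+"hostname": "foobar.com",
+"port": 443,
+"service": "https",
+"state": "open",
+},
+"category": "Open Port",
+"name": "Port 443 is open",
+},
+"generatedBy": "tls-scans",
+"name": "sslyze-foobar.com-tls-scans",
+"parameters": Array [
+"--regular",
+"foobar.com:443",
+],
+"scanAnnotations": Object {},
+"scanLabels": Object {},
+"scanType": "sslyze",
+"volumeMounts": Array [
+Object {
+"mountPath": "/etc/ssl/certs/ca-cert-sslyze.cer",
+"name": "ca-certificate-sslyze",
+"readOnly": true,
+"subPath": "ca-cert-sslyze.cer",
+},
+],
+"volumes": Array [],
+},
+]
+`);
+
+const cascadingScanDefinition = getCascadingScanDefinition(cascadedScan, parentScan);
+
+expect(cascadingScanDefinition.spec.volumeMounts).toMatchInlineSnapshot(`
+Array [
+Object {
+"mountPath": "/etc/ssl/certs/ca-cert-sslyze.cer",
+"name": "ca-certificate-sslyze",
+"readOnly": true,
+"subPath": "ca-cert-sslyze.cer",
+},
+Object {
+"mountPath": "/etc/ssl/certs/ca-cert.cer",
+"name": "ca-certificate",
+"readOnly": true,
+"subPath": "ca-cert.cer",
+},
+]
+`);
+});
+
+test("should merge volumes into cascaded scan", () => {
+const findings = [
+{
+name: "Port 443 is open",
+category: "Open Port",
+attributes: {
+state: "open",
+hostname: "foobar.com",
+port: 443,
+service: "https"
+}
+}
+];
+
+parentScan.spec.volumes = [
+{
+"name": "ca-certificate",
+"configMap": {
+"name": "ca-certificate"
+}
+}
+]
+
+sslyzeCascadingRules[0].spec.scanSpec.volumes = [
+{
+"name": "ca-certificate-sslyze",
+"configMap": {
+"name": "ca-certificate-sslyze"
+}
+}
+]
+
+const cascadedScans = getCascadingScans(
+parentScan,
+findings,
+sslyzeCascadingRules
+);
+
+const cascadedScan = cascadedScans[0]
+
+expect(cascadedScans).toMatchInlineSnapshot(`
+Array [
+Object {
+"cascades": Object {},
+"env": Array [],
+"finding": Object {
+"attributes": Object {
+"hostname": "foobar.com",
+"port": 443,
+"service": "https",
+"state": "open",
+},
+"category": "Open Port",
+"name": "Port 443 is open",
+},
+"generatedBy": "tls-scans",
+"name": "sslyze-foobar.com-tls-scans",
+"parameters": Array [
+"--regular",
+"foobar.com:443",
+],
+"scanAnnotations": Object {},
+"scanLabels": Object {},
+"scanType": "sslyze",
+"volumeMounts": Array [],
+"volumes": Array [
+Object {
+"configMap": Object {
+"name": "ca-certificate-sslyze",
+},
+"name": "ca-certificate-sslyze",
+},
+],
+},
+]
+`);
+
+const cascadingScanDefinition = getCascadingScanDefinition(cascadedScan, parentScan);
+
+expect(cascadingScanDefinition.spec.volumes).toMatchInlineSnapshot(`
+Array [
+Object {
+"configMap": Object {
+"name": "ca-certificate-sslyze",
+},
+"name": "ca-certificate-sslyze",
+},
+Object {
+"configMap": Object {
+"name": "ca-certificate",
+},
+"name": "ca-certificate",
+},
+]
+`);
+});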
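Review bot: The two new tests at new lines 966 and 1063 only exercise disjoint names, so the merge order they snapshot (rule entry first, then the parent's) is pinned but the collision case is not; a third case where `parentScan.spec.volumes` and the rule's `scanSpec.volumes` share a `name` (or two mounts share a `mountPath`) would record what the hook is expected to produce, since a pod spec with duplicates is what the API server would otherwise reject at scan start. The `findings` fixture is repeated verbatim between the two tests and, from the earlier hunks, appears to match the fixture used above; hoisting it to a module-level constant would shorten both. Whether `parentScan` and `sslyzeCascadingRules` are reset between tests is not visible here; the empty `volumeMounts` in the second snapshot suggests a `beforeEach` does so.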

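--- a/hooks/cascading-scans/hook.ts
+++ b/hooks/cascading-scans/hook.ts
@@ -100,7 +100,7 @@ function getCascadingScan(
 finding: Finding,
 cascadingRule: CascadingRule
 ) {
-const { scanType, parameters, env = [] } = cascadingRule.spec.scanSpec;
+const { scanType, parameters, env = [], volumes = [], volumeMounts = [] } = cascadingRule.spec.scanSpec;
 
 const templateArgs = {
 ...finding,
@@ -121,6 +121,8 @@ function getCascadingScan(
 cascades: parentScan.spec.cascades,
 generatedBy: cascadingRule.metadata.name,
 env,
+volumes,
+volumeMounts,
 scanLabels: cascadingRule.spec.scanLabels === undefined ? {} :
 mapValues(cascadingRule.spec.scanLabels, value => Mustache.render(value, templateArgs)),
 scanAnnotations: cascadingRule.spec.scanAnnotations === undefined ? {} :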

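--- a/hooks/cascading-scans/scan-helpers.ts
+++ b/hooks/cascading-scans/scan-helpers.ts
@@ -57,6 +57,8 @@ export interface ScanSpec {
 parameters: Array<string>;
 cascades: LabelSelector & CascadingInheritance;
 env?: Array<k8s.V1EnvVar>;
+volumes?: Array<k8s.V1Volume>;
+volumeMounts?: Array<k8s.V1VolumeMount>;
 }
 
 export interface CascadingInheritance {
@@ -92,6 +94,8 @@ export function getCascadingScanDefinition({
 parameters,
 generatedBy,
 env,
+volumes,
+volumeMounts,
 cascades,
 scanLabels,
 scanAnnotations,
@@ -154,6 +158,8 @@ export function getCascadingScanDefinition({
 parameters,
 cascades,
 env: env.concat(parentScan.spec.env || []),
+volumes: volumes.concat(parentScan.spec.volumes || []),
+volumeMounts: volumeMounts.concat(parentScan.spec.volumeMounts || []),
 }
 };
 }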
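Review bot: `volumes: volumes.concat(parentScan.spec.volumes || [])` at new line 161, and the `volumeMounts` line below it, produce two entries with the same `name` (or two mounts at the same `mountPath`) whenever the rule and the parent scan both declare one; Kubernetes rejects such a pod spec, so the cascaded scan would fail to schedule instead of merging. Decide precedence and dedupe, e.g. `volumes: volumes.concat((parentScan.spec.volumes || []).filter(pv => !volumes.some(rv => rv.name === pv.name)))` with the same filter on `mountPath` for mounts, or state in a comment on `ScanSpec.volumes` that names must be unique across rule and parent. Note also that with this change every volume of the parent scan (whatever it mounts — ConfigMaps, Secrets, hostPath) is inherited by every cascaded scan regardless of its `scanType`, the same way `env` already is; a comment such as `// parent volumes/mounts are inherited by all cascaded scans; keep parent scans least-privilege` would make that blast radius explicit to operators authoring parent scans. `getCascadingScanDefinition` starts and ends outside the hunk.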
