
Add matchedRule to cascading scans #493

@EndPositive

Description


➹ New Feature implementation request

Is your feature request related to a problem?

As a secureCodeBox user, with cascading scans enabled, I would like to know on what CascadingRule a scan has been triggered.

Current situation

Cascading scans are triggered by checking if a CascadingRule matches one of the findings:

// isMatch / isMatchWith come from lodash; findings, cascadingRule, parentScan
// and wildcardMatcher are defined elsewhere in the cascading-scans hook.
const { isMatch, isMatchWith } = require("lodash");

for (const finding of findings) {
  // Check if one (or more) of the CascadingRule matchers apply to the finding
  const matches = cascadingRule.spec.matches.anyOf.some(matchesRule =>
    isMatch(finding, matchesRule) || isMatchWith(finding, matchesRule, wildcardMatcher)
  );
  if (matches) {
    // The matching anyOf entry is not passed on, so the child scan cannot record it
    cascadingScans.push(getCascadingScan(parentScan, finding, cascadingRule));
  }
}

An example CascadingRule:

kind: CascadingRule
metadata:
  name: "nmap-hostscan"
  labels:
    securecodebox.io/invasive: non-invasive
    securecodebox.io/intensive: light
spec:
  matches:
    anyOf:
      - category: "Subdomain"
        osi_layer: "NETWORK"

The generated scan only contains ownerReferences, but no information on why it was triggered.

Describe the solution you'd like

We could copy the match onto the cascading scan's metadata:

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "amass-example.com-nmap-hostscan"
  labels: [...]
  annotations: [...]
  ownerReferences: [...]
  matchedRule:
    category: "Subdomain"
    osi_layer: "NETWORK"
spec:
  scanType: "nmap"
  parameters:
    # Treat all hosts as online -- skip host discovery
    - "-Pn"
    # Target Port of the finding
    - "example.com"
  cascades: true

Describe alternatives you've considered

We could also move the metadata.matchedRule to spec.matchedRule. Probably easier to implement with the types.

Additional context

Should be pretty simple to implement. If you like the format I can create a PR myself. Main or V3 as a base?
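The proposal above, worked through as an added example (not secureCodeBox's own code): the matcher loop returns the `anyOf` entry that fired and copies it onto the child scan's `metadata.matchedRule`. A small `partialMatch()` stands in for lodash's `isMatch`/`isMatchWith`, the `"*"` wildcard convention, the rule's `spec.scanSpec` field and the `finding.attributes.hostname` shape are assumptions, and the sample data is constructed to mirror the issue's nmap-hostscan rule.

```javascript
// Added example, not secureCodeBox's own code: a cascading-rule matcher that
// records which matches.anyOf entry fired by copying it to the generated Scan's
// metadata.matchedRule, as proposed. partialMatch() stands in for lodash's
// isMatch/isMatchWith; "*" as a wildcard value is an assumed convention.
function partialMatch(obj, pattern) {
  return Object.entries(pattern).every(([key, want]) => {
    const have = obj == null ? undefined : obj[key];
    if (want === "*") return have !== undefined;
    if (want !== null && typeof want === "object") return partialMatch(have, want);
    return have === want;
  });
}
// Child Scan; matchedRule is the anyOf entry that fired. scanSpec / attributes.hostname are assumed shapes.
function getCascadingScan(parentScan, finding, rule, matchedRule) {
  return {
    apiVersion: "execution.securecodebox.io/v1",
    kind: "Scan",
    metadata: {
      name: `${parentScan.metadata.name}-${rule.metadata.name}`,
      ownerReferences: [{ kind: "Scan", name: parentScan.metadata.name }],
      matchedRule,
    },
    spec: {
      scanType: rule.spec.scanSpec.scanType,
      parameters: [...rule.spec.scanSpec.parameters, finding.attributes.hostname],
      cascades: true,
    },
  };
}
// For each finding, take the first anyOf entry that matches and emit one scan.
function getCascadingScans(parentScan, findings, rule) {
  const scans = [];
  for (const finding of findings) {
    const matched = rule.spec.matches.anyOf.find((m) => partialMatch(finding, m));
    if (matched) scans.push(getCascadingScan(parentScan, finding, rule, matched));
  }
  return scans;
}
// Constructed sample data mirroring the issue's nmap-hostscan rule (second anyOf entry added).
const sampleRule = {
  kind: "CascadingRule", metadata: { name: "nmap-hostscan" },
  spec: { matches: { anyOf: [{ category: "Subdomain", osi_layer: "NETWORK" },
                             { category: "Open Port", attributes: { hostname: "*" } }] },
          scanSpec: { scanType: "nmap", parameters: ["-Pn"] } },
};
const sampleParent = { metadata: { name: "amass-example.com" } };
const sampleFindings = [
  { category: "Subdomain", osi_layer: "NETWORK", attributes: { hostname: "example.com" } },
  { category: "Open Port", osi_layer: "NETWORK", attributes: { hostname: "example.com" } },
];
```

Calling `getCascadingScans(sampleParent, sampleFindings, sampleRule)` yields two scans whose `metadata.matchedRule` differ, which is exactly the provenance the generated scan currently lacks.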
