Configure Hooks to run per scan #728

@EndPositive

Description

New Feature implementation request

It would be extremely helpful if you can decide on a per-scan basis which hooks to run.

Example use case

Installed hooks: Cascading Scans, DefectDojo persistence provider

Started scan:

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "nmap-open-ports"
spec:
  scanType: "nmap"
  parameters:
    - "-p-"
    # Against Host
    - "example.com"

The initial scan would create this finding:

[
  {
    "name": "Open Port: 443 (http)",
    "category": "Open Port",
    "attributes": {
      "port": 443,
      "state": "open",
      "service": "http",
      "serviceProduct": "nginx",
      "serviceVersion": null,
      "tunnel": "ssl"
    }
  }
]

Cascading Rule:

apiVersion: "cascading.securecodebox.io/v1"
kind: CascadingRule
metadata:
  name: "nmap-service-detection"
spec:
  matches:
    anyOf:
      - category: "Open Port"
        attributes:
          state: open
  scanSpec:
    scanType: "nmap"
    parameters:
      - "-p{{attributes.port}}"
      - "-sV"
      - "--service-all"
      # Against Host
      - "{{$.hostOrIP}}"

When triggered, the Cascading Scan would create the following finding with more service information:

[
  {
    "name": "Open Port: 443 (http)",
    "category": "Open Port",
    "attributes": {
      "port": 443,
      "state": "open",
      "service": "http",
      "serviceProduct": "nginx",
      "serviceVersion": "1.20.1",
      "tunnel": "ssl"
    }
  }
]

In this case, I would like to not import the initial scan results into DefectDojo but still run the Cascading Scan hook.

Describe the solution you'd like

Once #695 is merged, we could use Hook Priorities to solve this problem. One could deploy Cascading Scans with a priority of 1 and DefectDojo with 0. Then on a per-scan basis one may define what hook ranges to execute.

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "nmap-open-ports"
spec:
  hookRanges:
    - "1"
  scanType: "nmap"
  parameters:
    - "-p-"
    # Against Host
    - "example.com"

hookRanges would be a list of ranges to execute. A range could have the following formats:

  • 0-1: Execute hooks with priority between 0 and 1 (inclusive)
  • 0: Execute hooks with priority 0.

The orderedHookStatuses status field would still include the skipped hooks but mark them with state Skipped.

Describe alternatives you've considered

Proposed workarounds involved setting up multiple namespaces with different hooks installed and then running the scan in that namespace.
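The following is an added example and not secureCodeBox code: it models the hookRanges semantics proposed in this issue (inclusive "0-1" ranges, single "0" priorities, skipped hooks kept in the ordered status list) so the selection rule can be checked against the scenario above. The hook names, the priorities (Cascading Scans = 1, DefectDojo = 0, as proposed), the highest-priority-first ordering, the "Pending"/"Skipped" states and the default of running every hook when no hookRanges is given are assumptions for illustration, not the operator's behaviour.

```python
"""Model of the hookRanges semantics proposed in this issue.

Added example, not secureCodeBox code. Hook names, priorities, the
ordering, the status shape and the "Pending"/"Skipped" states are
assumptions for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hook:
    name: str
    priority: int


# Constructed sample: the two hooks from the issue with the priorities it
# proposes (Cascading Scans = 1, DefectDojo persistence = 0).
INSTALLED_HOOKS = [
    Hook("defectdojo-persistence", 0),
    Hook("cascading-scans", 1),
]

# Accepts "0-1" (inclusive range) or "0" (single priority); anything else
# is rejected rather than silently running or skipping hooks.
_RANGE_RE = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_range(spec) -> tuple[int, int]:
    """Turn one hookRanges entry into inclusive (low, high) bounds."""
    match = _RANGE_RE.match(str(spec).strip())
    if match is None:
        raise ValueError(f"invalid hook range {spec!r}")
    low = int(match.group(1))
    high = int(match.group(2)) if match.group(2) is not None else low
    if low > high:
        raise ValueError(f"hook range {spec!r} has low > high")
    return low, high


def hook_selected(hook: Hook, ranges: list[tuple[int, int]]) -> bool:
    """A hook runs if its priority falls into any requested range."""
    return any(low <= hook.priority <= high for low, high in ranges)


def plan_hooks(scan: dict, hooks: list[Hook]) -> list[dict]:
    """Build the ordered hook status list for one Scan.

    Without spec.hookRanges every hook runs (assumed default that keeps
    today's behaviour). Hooks are ordered highest priority first
    (assumption; the real order is whatever #695 defines). Hooks outside
    the requested ranges stay in the list with state "Skipped".
    """
    raw_ranges = scan.get("spec", {}).get("hookRanges")
    ranges = None if raw_ranges is None else [parse_range(r) for r in raw_ranges]
    ordered = sorted(hooks, key=lambda h: h.priority, reverse=True)
    statuses = []
    for hook in ordered:
        selected = ranges is None or hook_selected(hook, ranges)
        statuses.append({
            "hookName": hook.name,
            "priority": hook.priority,
            "state": "Pending" if selected else "Skipped",
        })
    return statuses


def states(scan: dict, hooks: list[Hook] = INSTALLED_HOOKS) -> dict[str, str]:
    """Convenience view: hook name -> state."""
    return {s["hookName"]: s["state"] for s in plan_hooks(scan, hooks)}


# The Scan from the issue: only priority-1 hooks (Cascading Scans) run,
# so the initial nmap results are not imported into DefectDojo.
NMAP_OPEN_PORTS_SCAN = {
    "apiVersion": "execution.securecodebox.io/v1",
    "kind": "Scan",
    "metadata": {"name": "nmap-open-ports"},
    "spec": {
        "hookRanges": ["1"],
        "scanType": "nmap",
        "parameters": ["-p-", "example.com"],
    },
}

if __name__ == "__main__":
    for status in plan_hooks(NMAP_OPEN_PORTS_SCAN, INSTALLED_HOOKS):
        print(status)
```

Running it prints the Cascading Scans hook as Pending and the DefectDojo hook as Skipped; a malformed entry such as "1-0" or "a" raises ValueError, which is the safer failure mode for a field that decides whether findings get persisted.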

Metadata

Labels: enhancement (New feature or request)
Assignees: none
Milestone: none