Description
➹ New Feature implementation request
It would be extremely helpful if one could decide, on a per-scan basis, which hooks to run.
Example use case
Installed hooks: Cascading Scans, DefectDojo persistence provider
Started scan:
```yaml
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "nmap-open-ports"
spec:
  scanType: "nmap"
  parameters:
    - "-p-"
    # Against Host
    - "example.com"
```

The initial scan would create this finding:
```json
{
  "name": "Open Port: 443 (http)",
  "category": "Open Port",
  "attributes": {
    "port": 443,
    "state": "open",
    "service": "http",
    "serviceProduct": "nginx",
    "serviceVersion": null,
    "tunnel": "ssl"
  }
}
```

Cascading Rule:
```yaml
apiVersion: "cascading.securecodebox.io/v1"
kind: CascadingRule
metadata:
  name: "nmap-service-detection"
spec:
  matches:
    anyOf:
      - category: "Open Port"
        attributes:
          state: open
  scanSpec:
    scanType: "nmap"
    parameters:
      - "-p{{attributes.port}}"
      - "-sV"
      - "--service-all"
      # Against Host
      - "{{$.hostOrIP}}"
```

When triggered, the Cascading Scan would create the following finding with more service information:
```json
{
  "name": "Open Port: 443 (http)",
  "category": "Open Port",
  "attributes": {
    "port": 443,
    "state": "open",
    "service": "http",
    "serviceProduct": "nginx",
    "serviceVersion": "1.20.1",
    "tunnel": "ssl"
  }
}
```

In this case, I would like to not import the initial scan results into DefectDojo but still run the Cascading Scan hook.
Describe the solution you'd like
Once #695 is merged, we could use Hook Priorities to solve this problem. One could deploy Cascading Scans with a priority of 1 and DefectDojo with 0. Then on a per-scan basis one may define what hook ranges to execute.
```yaml
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "nmap-open-ports"
spec:
  hookRanges:
    - "1"
  scanType: "nmap"
  parameters:
    - "-p-"
    # Against Host
    - "example.com"
```

hookRanges would be a list of ranges to execute. A range could have the following formats:

- `0-1`: Execute hooks with priority between 0 and 1 (inclusive)
- `0`: Execute hooks with priority 0
The orderedHookStatusses status field would still include the skipped hooks but marks them with state Skipped.
Describe alternatives you've considered
Proposed workarounds involved setting up multiple namespaces with different hooks installed and then running the scan in that namespace.
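One way the hookRanges selection proposed above could be implemented, as an added example that is not part of the original issue or of the secureCodeBox operator's code: it parses the two range formats described in the proposal (`N` for exactly one priority, `A-B` for an inclusive range), decides per installed hook whether it runs, and keeps skipped hooks in the ordered status list marked `Skipped`. The `Hook` and `HookStatus` types, the `Pending` state name for hooks that will run, the rule that an omitted hookRanges field runs every hook, and the assumption that priorities are non-negative integers are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Hook is a simplified stand-in for an installed hook (assumption: only the
// name and the priority matter for range selection).
type Hook struct {
	Name     string
	Priority int
}

// HookStatus is one entry of an ordered hook status list. Hooks outside the
// requested ranges stay in the list but are marked "Skipped"; "Pending" is an
// assumed name for hooks that will run.
type HookStatus struct {
	HookName string
	State    string
}

// priorityRange is one parsed hookRanges entry, inclusive on both ends.
type priorityRange struct {
	Low, High int
}

// parseHookRanges accepts "N" (priority N only) and "A-B" (A..B inclusive).
// Priorities are assumed to be non-negative, so "-" is only ever a separator.
func parseHookRanges(ranges []string) ([]priorityRange, error) {
	var out []priorityRange
	for _, raw := range ranges {
		r := strings.TrimSpace(raw)
		parts := strings.SplitN(r, "-", 2)
		low, err := strconv.Atoi(strings.TrimSpace(parts[0]))
		if err != nil {
			return nil, fmt.Errorf("invalid hook range %q: %w", r, err)
		}
		high := low
		if len(parts) == 2 {
			high, err = strconv.Atoi(strings.TrimSpace(parts[1]))
			if err != nil {
				return nil, fmt.Errorf("invalid hook range %q: %w", r, err)
			}
		}
		if high < low {
			return nil, fmt.Errorf("invalid hook range %q: upper bound below lower bound", r)
		}
		out = append(out, priorityRange{Low: low, High: high})
	}
	return out, nil
}

// selectHooks returns one status per installed hook, preserving their order.
// An empty hookRanges list (field omitted on the Scan) runs every hook;
// otherwise a hook runs only if its priority falls inside at least one range.
func selectHooks(hooks []Hook, hookRanges []string) ([]HookStatus, error) {
	ranges, err := parseHookRanges(hookRanges)
	if err != nil {
		return nil, err
	}
	statuses := make([]HookStatus, 0, len(hooks))
	for _, h := range hooks {
		state := "Skipped"
		if len(ranges) == 0 {
			state = "Pending"
		}
		for _, r := range ranges {
			if h.Priority >= r.Low && h.Priority <= r.High {
				state = "Pending"
				break
			}
		}
		statuses = append(statuses, HookStatus{HookName: h.Name, State: state})
	}
	return statuses, nil
}

func main() {
	// Constructed sample mirroring the issue: DefectDojo persistence at
	// priority 0, cascading scans at priority 1, and a scan asking for "1".
	hooks := []Hook{
		{Name: "defectdojo-persistence", Priority: 0},
		{Name: "cascading-scans", Priority: 1},
	}
	statuses, err := selectHooks(hooks, []string{"1"})
	if err != nil {
		panic(err)
	}
	for _, s := range statuses {
		fmt.Printf("%-24s %s\n", s.HookName, s.State)
	}
}
```

With the sample above, the DefectDojo hook is listed as `Skipped` and the cascading scans hook as `Pending`, which is exactly the outcome the use case asks for; a malformed range such as `3-1` is rejected before any hook is scheduled.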