secureCodeBox · rfelber · Oct 8, 2021 · Sep 2, 2021 · Sep 2, 2021 · Sep 2, 2021
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -483,6 +483,7 @@ jobs:
       matrix:
         parser:
           - angularjs-csti-scanner
+          - cmseek
           - git-repo-scanner
           - gitleaks
           - kube-hunter
@@ -580,6 +581,7 @@ jobs:
       matrix:
         scanner:
           - angularjs-csti-scanner
+          - cmseek
           - gitleaks
           - kube-hunter
           - kubeaudit
@@ -932,12 +934,28 @@ jobs:
           helm -n demo-targets install old-wordpress ./demo-targets/old-wordpress/ --set="fullnameOverride=old-wordpress" --wait
           # Install old-typo3 app
           helm -n demo-targets install old-typo3 ./demo-targets/old-typo3/ --set="fullnameOverride=old-typo3" --wait
+          # Install old-joomla app
+          helm -n demo-targets install old-joomla ./demo-targets/old-joomla/ --set="fullnameOverride=old-joomla" --wait
           # Install juiceshop app
           helm -n demo-targets install juiceshop ./demo-targets/juice-shop/ --set="fullnameOverride=juiceshop" --wait
           # Install plain nginx server
           kubectl create deployment --image nginx:alpine nginx --namespace demo-targets
           kubectl expose deployment nginx --port 80 --namespace demo-targets
 
+
+      # ---- CMSeeK Integration Tests ----
+
+      - name: "cmseek Integration Tests"
+        run: |
+          kubectl -n integration-tests delete scans --all
+          helm -n integration-tests install cmseek ./scanners/cmseek/  \
+            --set="parser.image.tag=sha-$(git rev-parse --short HEAD)" \
+            --set="parser.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-cmseek" \
+            --set="parser.env[0].name=CRASH_ON_FAILED_VALIDATION" \
+            --set-string="parser.env[0].value=true"
+          cd tests/integration/
+          npx jest --ci --color scanner/cmseek.test.js  
+
       # ---- gitleaks Integration Tests ----
 
       - name: "gitleaks Integration Tests"

diff --git a/scanners/cmseek/.helm-docs.gotmpl b/scanners/cmseek/.helm-docs.gotmpl
@@ -0,0 +1,48 @@
+{{- /*
+SPDX-FileCopyrightText: 2021 iteratec GmbH
+
+SPDX-License-Identifier: Apache-2.0
+*/ -}}
+
+{{- define "extra.docsSection" -}}
+---
+title: "CMSeeK"
+category: "scanner"
+type: "CMS"
+state: "released"
+appVersion: "{{ template "chart.appVersion" . }}"
+usecase: "Automation of the process of detecting the Joomla CMS and its core vulnerabilities"
+---
+{{- end }}
+
+{{- define "extra.dockerDeploymentSection" -}}
+## Supported Tags
+- `latest`  (represents the latest stable release build)
+- tagged releases, e.g. `{{ template "chart.appVersion" . }}`
+{{- end }}
+
+{{- define "extra.chartAboutSection" -}}
+## What is CMSeeK?
+CMSeeK is an open source penetration testing tool to automate the process of detecting various types of CMS and it's installed extensions.
+We use it to scan Joomla CMS. It also has a database with known vulnerabilities.
+
+To learn more about the CMSeeK scanner itself visit [https://github.com/Tuhinshubhra/CMSeeK].
+{{- end }}
+
+{{- define "extra.scannerConfigurationSection" -}}
+## Scanner Configuration
+
+The CMSeeK targets are specified with the `-u` parameter. The target should be a hostname or an IP address.
+
+Additional CMSeeK scan features can be configured via the parameter attribute.
+
+Some useful example parameters listed below:
+
+- `-u URL, --url URL` : Target Url.
+- `--follow-redirect` : Follows all/any redirect(s).
+- `--no-redirect` : kips all redirects and tests the input target(s)
+- `-r, --random-agent`: Use a random user agent.
+- `--googlebot`: Use Google bot user agent.
+- `--user-agent USER_AGENT`:  Specify a custom user agent
+
+{{- end }}
diff --git a/scanners/cmseek/.helmignore b/scanners/cmseek/.helmignore
@@ -0,0 +1,40 @@
+# SPDX-FileCopyrightText: 2021 iteratec GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# Node.js files
+node_modules/*
+package.json
+package-lock.json
+src/*
+config/*
+Dockerfile
+.dockerignore
+*.tar
+parser/*
+scanner/*
+integration-tests/*
+examples/*
+docs/*
+Makefile
diff --git a/scanners/cmseek/Chart.yaml b/scanners/cmseek/Chart.yaml
@@ -0,0 +1,40 @@
+# SPDX-FileCopyrightText: 2021 iteratec GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: v2
+name: cmseek
+description: A Helm chart for the Joomla security scanner that integrates with the secureCodeBox
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
+version: v3.1.0-alpha1
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.1.3"
+kubeVersion: ">=v1.11.0-0"
+keywords:  
+  - security
+  - cmseek
+  - Joomla
+  - scanner
+  - secureCodeBox
+
+home: https://docs.securecodebox.io/docs/scanners/cmseek
+icon: https://docs.securecodebox.io/img/integrationIcons/Default.svg
+
+sources:
+  - https://github.com/secureCodeBox/secureCodeBox
+
+maintainers:
+  - name: iteratec GmbH
+  - email: [email protected]  
diff --git a/scanners/cmseek/Makefile b/scanners/cmseek/Makefile
@@ -0,0 +1,12 @@
+#!/usr/bin/make -f
+#
+# SPDX-FileCopyrightText: 2021 iteratec GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+include_guard = set
+scanner = cmseek
+custom_scanner = set
+
+include ../../scanners.mk
diff --git a/scanners/cmseek/README.md b/scanners/cmseek/README.md
@@ -0,0 +1,68 @@
+---
+title: "CMSeeK"
+category: "scanner"
+type: "CMS"
+state: "released"
+appVersion: "1.1.3"
+usecase: "Automation of the process of detecting the Joomla CMS and its core vulnerabilities"
+---
+
+<!--
+SPDX-FileCopyrightText: 2021 iteratec GmbH
+
+SPDX-License-Identifier: Apache-2.0
+-->
+<!--
+.: IMPORTANT! :.
+--------------------------
+This file is generated automatically with `helm-docs` based on the following template files:
+- ./.helm-docs/templates.gotmpl (general template data for all charts)
+- ./chart-folder/.helm-docs.gotmpl (chart specific template data)
+
+Please be aware of that and apply your changes only within those template files instead of this file.
+Otherwise your changes will be reverted/overwritten automatically due to the build process `./.github/workflows/helm-docs.yaml`
+--------------------------
+-->
+
+<p align="center">
+  <a href="https://opensource.org/licenses/Apache-2.0"><img alt="License Apache-2.0" src="https://img.shields.io/badge/License-Apache%202.0-blue.svg"/></a>
+  <a href="https://github.com/secureCodeBox/secureCodeBox/releases/latest"><img alt="GitHub release (latest SemVer)" src="https://img.shields.io/github/v/release/secureCodeBox/secureCodeBox?sort=semver"/></a>
+  <a href="https://owasp.org/www-project-securecodebox/"><img alt="OWASP Incubator Project" src="https://img.shields.io/badge/OWASP-Incubator%20Project-365EAA"/></a>
+  <a href="https://artifacthub.io/packages/search?repo=securecodebox"><img alt="Artifact HUB" src="https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/securecodebox"/></a>
+  <a href="https://github.com/secureCodeBox/secureCodeBox/"><img alt="GitHub Repo stars" src="https://img.shields.io/github/stars/secureCodeBox/secureCodeBox?logo=GitHub"/></a>
+  <a href="https://twitter.com/securecodebox"><img alt="Twitter Follower" src="https://img.shields.io/twitter/follow/securecodebox?style=flat&color=blue&logo=twitter"/></a>
+</p>
+
+## What is CMSeeK?
+CMSeeK is an open source penetration testing tool to automate the process of detecting various types of CMS and it's installed extensions.
+We use it to scan Joomla CMS. It also has a database with known vulnerabilities.
+
+To learn more about the CMSeeK scanner itself visit [https://github.com/Tuhinshubhra/CMSeeK].
+
+## Deployment
+The cmseek chart can be deployed via helm:
+
+```bash
+# Install HelmChart (use -n to configure another namespace)
+helm upgrade --install cmseek secureCodeBox/cmseek
+```
+
+## Scanner Configuration
+
+The CMSeeK targets are specified with the `-u` parameter. The target should be a hostname or an IP address.
+
+Additional CMSeeK scan features can be configured via the parameter attribute.
+
+Some useful example parameters listed below:
+
+- `-u URL, --url URL` : Target Url.
+- `--follow-redirect` : Follows all/any redirect(s).
+- `--no-redirect` : kips all redirects and tests the input target(s)
+- `-r, --random-agent`: Use a random user agent.
+- `--googlebot`: Use Google bot user agent.
+- `--user-agent USER_AGENT`:  Specify a custom user agent
+
+## Requirements
+
+Kubernetes: `>=v1.11.0-0`
+
diff --git a/scanners/cmseek/cascading-rules/scan-joomla.yaml b/scanners/cmseek/cascading-rules/scan-joomla.yaml
@@ -0,0 +1,22 @@
+# SPDX-FileCopyrightText: 2021 iteratec GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: "cascading.securecodebox.io/v1"
+kind: CascadingRule
+metadata:
+  name: "cmseek-cascade"
+  labels:
+    securecodebox.io/invasive: non-invasive
+    securecodebox.io/intensive: medium
+spec:
+  matches:
+    anyOf:
+      - category: "WEB APPLICATION"
+        attributes:
+         MetaGenerator: "Joomla! - Open Source Content Management" 
+  scanSpec:
+    scanType: "cmseek"
+    parameters:
+      - "-u"
+      - "{{{location}}}" # Runs a cmseek scan upon the 'location' parameter in whatweb findings
diff --git a/scanners/cmseek/docs/.gitkeep b/scanners/cmseek/docs/.gitkeep
@@ -0,0 +1 @@
+# only here to enable the creation of the docs folder and it's files.
diff --git a/scanners/cmseek/docs/README.ArtifactHub.md b/scanners/cmseek/docs/README.ArtifactHub.md
@@ -0,0 +1,75 @@
+<!--
+SPDX-FileCopyrightText: 2021 iteratec GmbH
+
+SPDX-License-Identifier: Apache-2.0
+-->
+<!--
+.: IMPORTANT! :.
+--------------------------
+This file is generated automatically with `helm-docs` based on the following template files:
+- ./.helm-docs/templates.gotmpl (general template data for all charts)
+- ./chart-folder/.helm-docs.gotmpl (chart specific template data)
+
+Please be aware of that and apply your changes only within those template files instead of this file.
+Otherwise your changes will be reverted/overwritten automatically due to the build process `./.github/workflows/helm-docs.yaml`
+--------------------------
+-->
+
+<p align="center">
+  <a href="https://opensource.org/licenses/Apache-2.0"><img alt="License Apache-2.0" src="https://img.shields.io/badge/License-Apache%202.0-blue.svg"/></a>
+  <a href="https://github.com/secureCodeBox/secureCodeBox/releases/latest"><img alt="GitHub release (latest SemVer)" src="https://img.shields.io/github/v/release/secureCodeBox/secureCodeBox?sort=semver"/></a>
+  <a href="https://owasp.org/www-project-securecodebox/"><img alt="OWASP Incubator Project" src="https://img.shields.io/badge/OWASP-Incubator%20Project-365EAA"/></a>
+  <a href="https://artifacthub.io/packages/search?repo=securecodebox"><img alt="Artifact HUB" src="https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/securecodebox"/></a>
+  <a href="https://github.com/secureCodeBox/secureCodeBox/"><img alt="GitHub Repo stars" src="https://img.shields.io/github/stars/secureCodeBox/secureCodeBox?logo=GitHub"/></a>
+  <a href="https://twitter.com/securecodebox"><img alt="Twitter Follower" src="https://img.shields.io/twitter/follow/securecodebox?style=flat&color=blue&logo=twitter"/></a>
+</p>
+
+## What is OWASP secureCodeBox?
+
+<p align="center">
+  <img alt="secureCodeBox Logo" src="https://docs.securecodebox.io/img/Logo_Color.svg" width="250px"/>
+</p>
+
+_[OWASP secureCodeBox][scb-github]_ is an automated and scalable open source solution that can be used to integrate various *security vulnerability scanners* with a simple and lightweight interface. The _secureCodeBox_ mission is to support *DevSecOps* Teams to make it easy to automate security vulnerability testing in different scenarios.
+
+With the _secureCodeBox_ we provide a toolchain for continuous scanning of applications to find the low-hanging fruit issues early in the development process and free the resources of the penetration tester to concentrate on the major security issues.
+
+The secureCodeBox project is running on [Kubernetes](https://kubernetes.io/). To install it you need [Helm](https://helm.sh), a package manager for Kubernetes. It is also possible to start the different integrated security vulnerability scanners based on a docker infrastructure.
+
+### Quickstart with secureCodeBox on kubernetes
+
+You can find resources to help you get started on our [documentation website](https://docs.securecodebox.io) including instruction on how to [install the secureCodeBox project](https://docs.securecodebox.io/docs/getting-started/installation) and guides to help you [run your first scans](https://docs.securecodebox.io/docs/getting-started/first-scans) with it.
+
+## What is CMSeeK?
+CMSeeK is an open source penetration testing tool to automate the process of detecting various types of CMS and it's installed extensions.
+We use it to scan Joomla CMS. It also has a database with known vulnerabilities.
+
+To learn more about the CMSeeK scanner itself visit [https://github.com/Tuhinshubhra/CMSeeK].
+
+## Deployment
+The cmseek chart can be deployed via helm:
+
+```bash
+# Install HelmChart (use -n to configure another namespace)
+helm upgrade --install cmseek secureCodeBox/cmseek
+```
+
+## Scanner Configuration
+
+The CMSeeK targets are specified with the `-u` parameter. The target should be a hostname or an IP address.
+
+Additional CMSeeK scan features can be configured via the parameter attribute.
+
+Some useful example parameters listed below:
+
+- `-u URL, --url URL` : Target Url.
+- `--follow-redirect` : Follows all/any redirect(s).
+- `--no-redirect` : kips all redirects and tests the input target(s)
+- `-r, --random-agent`: Use a random user agent.
+- `--googlebot`: Use Google bot user agent.
+- `--user-agent USER_AGENT`:  Specify a custom user agent
+
+## Requirements
+
+Kubernetes: `>=v1.11.0-0`
+
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		# only here to enable the creation of the docs folder and it's files.