add jmx exporter for scanner

portswigger-cloud · Jan 18, 2024 · 6836d63 · 6836d63
1 parent c38d431
commit 6836d63
Show file tree

Hide file tree

Showing 3 changed files with 84 additions and 4 deletions.
diff --git a/charts/scan-controller/Chart.yaml b/charts/scan-controller/Chart.yaml
@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.4
+version: 0.1.0-alpha-1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "2023.11.1-14660"
+appVersion: "2024.1-15620"
diff --git a/charts/scan-controller/templates/burpscanner-jmx-config.yaml b/charts/scan-controller/templates/burpscanner-jmx-config.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.scanner.jmxMetrics.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: burpscanner-jmx-conf
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "scan-controller.labels" . | nindent 4 }}
+data:
+  burpscanner-prometheus.yaml: |-
+    jmxUrl: service:jmx:rmi:///jndi/rmi://127.0.0.1:{{ .Values.scanner.jmxMetrics.jmxPort }}/jmxrmi
+    lowercaseOutputName: true
+    lowercaseOutputLabelNames: true
+    ssl: false
+    # whitelistObjectNames: ["java.lang:*","SonarQube:*","Tomcat:*"]
+    rules:
+    - pattern: ".*"
+    #- pattern: java.lang<type=(.+), name=(.+)><(.+)>(\w+)
+    #  name: java_lang_$1_$4_$3_$2
+    #- pattern: java.lang<type=(.+), name=(.+)><>(\w+)
+    #  name: java_lang_$1_$3_$2
+    #- pattern: java.lang<type=(.*)>
+    #- pattern: SonarQube<name=(.+)><>(\w+)
+    #  name: sonarqube_$1_$2
+    #- pattern: Tomcat<type=(.+), name=(.+)><>(\w+)
+    #  name: tomcat_$1_$3_$2
+{{- end }}
diff --git a/charts/scan-controller/values.yaml b/charts/scan-controller/values.yaml
@@ -58,6 +58,13 @@ scanner:
   podLogs: false
   podMonitor: false
 
+  jmxMetrics:
+    enabled: true
+    image: docker.io/bitnami/jmx-exporter:0.20.0-debian-11-r2
+    jmxPort: 10443
+    rmiPort: 10444
+    prometheusExporterPort: 10445
+
   resources:
     limits:
       memory: 14Gi
@@ -91,9 +98,18 @@ scanner:
             - name: scan-container
               env:
                 - name: JAVA_OPTS
-                  value: -Xms2048m -Xmx2048m
+                  value: -Xms512m -Xmx512m
                 - name: BSEE_BURP_JAVA_OPTS
-                  value: -XX:InitialRAMPercentage=75 -XX:MaxRAMPercentage=75
+                  value: >-
+                    -XX:InitialRAMPercentage=60
+                    -XX:MaxRAMPercentage=60
+                    {{- if .Values.scanner.jmxMetrics.enabled }}
+                    -Dcom.sun.management.jmxremote=true
+                    -Dcom.sun.management.jmxremote.ssl=false
+                    -Dcom.sun.management.jmxremote.authenticate=false
+                    -Dcom.sun.management.jmxremote.port={{ .Values.scanner.jmxMetrics.jmxPort }}
+                    -Dcom.sun.management.jmxremote.rmi.port={{ .Values.scanner.jmxMetrics.rmiPort }}
+                    {{- end }}
               envFrom:
                 - secretRef:
                     name: {{ include "scan-controller.fullname" . }}-scanner-env
@@ -116,13 +132,50 @@ scanner:
                   name: home-burpsuite
                 - mountPath: /tmp
                   name: tmp
+            {{- if .Values.scanner.jmxMetrics.enabled }}
+            - name: jmx-exporter
+              image: {{ .Values.scanner.jmxMetrics.image }}
+              imagePullPolicy: Always
+              command:
+                - java
+                - -XX:MaxRAMPercentage=90
+                - -XshowSettings:vm
+                - -jar
+                - jmx_prometheus_httpserver.jar
+                - "10445"
+                - /etc/jmx/burpscanner-prometheus.yaml
+              ports:
+                - containerPort: {{ .Values.scanner.jmxMetrics.prometheusExporterPort }}
+                  name: metrics
+                  protocol: TCP
+                resources:
+                  limits:
+                    memory: 128Mi
+                  requests:
+                    cpu: 100m
+                    memory: 128Mi
+                securityContext:
+                  runAsNonRoot: true
+                  runAsUser: 1001
+                terminationMessagePath: /dev/termination-log
+                terminationMessagePolicy: File
+                volumeMounts:
+                  - mountPath: /etc/jmx
+                    name: jmx-config
+            {{- end }}
           volumes:
             - name: home-burpsuite
               emptyDir:
                 sizeLimit: 10Gi
             - name: tmp
               emptyDir:
                 sizeLimit: 512Mi
+            {{- if .Values.scanner.jmxMetrics.enabled }}
+            - configMap:
+                defaultMode: 420
+                name: burpscanner-jmx-conf
+              name: jmx-config
+            {{- end }}
           restartPolicy: Never
           terminationGracePeriodSeconds: 30
           {{- with .Values.scanner.dnsPolicy }}