From 8cc7b210bef4a453804c0ec55e334c4683300bfe Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach <13718901+J12934@users.noreply.github.com>
Date: Mon, 21 Sep 2020 12:37:55 +0200
Subject: [PATCH 01/12] Add basic ZAP integration test
---
 .github/workflows/ci.yaml | 8 ++++++++
 tests/integration/scanner/zap.test.js | 25 +++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 tests/integration/scanner/zap.test.js
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index cd500c63..ed189315 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -403,6 +403,9 @@ jobs:
 run: |
 # Install dummy-ssh app
 helm -n demo-apps install dummy-ssh ./demo-apps/dummy-ssh/ --wait
+ # Install plain nginx server
+ kubectl create deployment --image nginx:alpine nginx --namespace demo-apps
+ kubectl expose deployment nginx --port 80 --namespace demo-apps
 - name: "nmap Integration Tests"
 run: |
 helm -n integration-tests install nmap ./scanners/nmap/ --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
@@ -423,6 +426,11 @@ jobs:
 helm -n integration-tests install ssh-scan ./scanners/ssh_scan/ --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
 cd tests/integration/
 npx jest --ci --color ssh-scan
+ - name: "ssh-scan Integration Tests"
+ run: |
+ helm -n integration-tests install zap ./scanners/zap/ --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
+ cd tests/integration/
+ npx jest --ci --color zap
 - name: Inspect Post Failure
 if: failure()
 run: |
diff --git a/tests/integration/scanner/zap.test.js b/tests/integration/scanner/zap.test.js
new file mode 100644
index 00000000..9d4f601d
--- /dev/null
+++ b/tests/integration/scanner/zap.test.js
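Review bot: The nginx target added in the first hunk is pulled as `nginx:alpine`, a floating tag, while the zap test this series adds asserts an exact set of response-header findings that come straight from nginx's default headers, so a new upstream image can change those and fail CI with no change in this repository. Pinning the image, e.g. `--image nginx:alpine@sha256:<digest-placeholder>` or at least a specific version tag, keeps the result reproducible and makes an intentional bump visible in review. A comment on the expose line naming the consumer, `# Reachable as http://nginx.demo-apps.svc, used by tests/integration/scanner/zap.test.js`, would also tell the next reader why a plain nginx lives in demo-apps.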
@@ -0,0 +1,25 @@
+const { scan } = require("../helpers");
+
+test(
+ "zap baseline scan against a plain nginx container should only find couple findings",
+ async () => {
+ const { categories, severities } = await scan(
+ "zap-nginx-baseline",
+ "zap-baseline",
+ ["-t", "http://nginx.demo-apps.svc"],
+ 60 * 4
+ );
+
+ expect(categories).toMatchObject({
+ "Content Security Policy (CSP) Header Not Set": 1,
+ 'Server Leaks Version Information via "Server" HTTP Response Header Field': 1,
+ "X-Content-Type-Options Header Missing": 1,
+ "X-Frame-Options Header Not Set": 1,
+ });
+ expect(severities).toMatchObject({
+ low: 3,
+ medium: 1,
+ });
+ },
+ 5 * 60 * 1000
+);
From 022157723d0d43ade8a0558981da4bc476118341 Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach <13718901+J12934@users.noreply.github.com>
Date: Mon, 21 Sep 2020 12:52:11 +0200
Subject: [PATCH 02/12] Properly set name on zap scan step
---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index ed189315..05bbc340 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -426,7 +426,7 @@ jobs:
 helm -n integration-tests install ssh-scan ./scanners/ssh_scan/ --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
 cd tests/integration/
 npx jest --ci --color ssh-scan
- - name: "ssh-scan Integration Tests"
+ - name: "zap Integration Tests"
 run: |
 helm -n integration-tests install zap ./scanners/zap/ --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
 cd tests/integration/
From 2128e54aa81a3b877bd41a2b679ff91eda478d12 Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach <13718901+J12934@users.noreply.github.com>
Date: Mon, 21 Sep 2020 14:52:31 +0200
Subject: [PATCH 03/12] Better debugging of failed scans during ci
---
 tests/integration/helpers.js | 51 ++++++++++++++++++++++++++++++------
 1 file changed, 43 insertions(+), 8 deletions(-)
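Review bot: `toMatchObject` on `severities` and `categories` only checks the keys that are listed, so an additional finding — for instance a new `high` entry if the nginx target or the ZAP ruleset changes — would still pass, even though the test name promises only a couple of findings; the assertions enforce no upper bound. The `scan` helper also returns `count` according to its JSDoc, so destructuring it and adding `expect(count).toBe(4);` (or using `toEqual` for `severities`) pins the total. A short comment above the expectations saying what the four findings are tied to (the ZAP image tag and nginx's default headers) would help whoever has to update them after the next image bump.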
diff --git a/tests/integration/helpers.js b/tests/integration/helpers.js
index 7beba406..aa5da5c1 100644
--- a/tests/integration/helpers.js
+++ b/tests/integration/helpers.js
@@ -5,6 +5,7 @@ kc.loadFromDefault();
 const k8sCRDApi = kc.makeApiClient(k8s.CustomObjectsApi);
 const k8sBatchApi = kc.makeApiClient(k8s.BatchV1Api);
+const k8sPodsApi = kc.makeApiClient(k8s.CoreV1Api);
 const namespace = "integration-tests";
@@ -33,28 +34,65 @@ async function getScan(name) {
 return scan;
 }
+async function displayAllLogsForJob(jobName) {
+ console.log(`Listing logs for Job ${jobName}:`);
+ const {
+ body: { items: pods },
+ } = await k8sPodsApi.listNamespacedPod(
+ "default",
+ true,
+ undefined,
+ undefined,
+ undefined,
+ `job-name=${jobName}`
+ );
+
+ for (const pod of pods) {
+ for (const container of pod.spec.containers) {
+ const response = await k8sPodsApi.readNamespacedPodLog(
+ pod.metadata.name,
+ "default",
+ container.name
+ );
+ console.log(`Container ${container.name}:`);
+ console.log(response.body);
+ }
+ }
+}
+
 async function logJobs() {
 try {
 const { body: jobs } = await k8sBatchApi.listNamespacedJob(namespace);
+ console.log("Logging spec & status of jobs in namespace");
+
 for (const job of jobs.items) {
 console.log(`Job: '${job.metadata.name}' Spec:`);
 console.dir(job.spec);
 console.log(`Job: '${job.metadata.name}' Status:`);
 console.dir(job.status);
+
+ await displayAllLogsForJob(job.metadata.name);
 }
 } catch (error) {
 console.info(`Failed to list Jobs'`);
 }
 }
+async function disasterRecovery(scanName) {
+ const scan = await getScan(scanName);
+ console.error("Last Scan State:");
+ console.dir(scan);
+ await logJobs();
+}
+
 /**
 *
 * @param {string} name name of the scan. Actual name will be sufixed with a random number to avoid conflicts
 * @param {string} scanType type of the scan. Must match the name of a ScanType CRD
 * @param {string[]} parameters cli argument to be passed to the scanner
 * @param {number} timeout in seconds
- * @returns {scan.findings} returns findings { categories, severities, count }
+ * @returns {scan.findings} returns findings { categories, severities, count }
 */
 async function scan(name, scanType, parameters = [], timeout = 180) {
 const scanDefinition = {
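Review bot: `disasterRecovery` dumps the whole Scan resource with `console.dir(scan)`, and `logJobs` now additionally prints every container's log, all of it straight into the CI workflow log. The Scan's `spec.parameters` are the scanner's CLI arguments, so if an integration test ever passes a credential that way (some scanners in this repository, wpscan for example, accept API tokens as arguments), it would be persisted in the workflow output; the same applies to the `JSON.stringify(job.spec, null, 2)` that patch 07 introduces for the Job spec, which can carry env values. I cannot tell from this hunk whether any current test does so, but either a comment making the trade-off explicit, e.g. `// NOTE: prints spec.parameters verbatim — keep secrets out of scan parameters in CI`, or dropping `spec.parameters` from the printed object would settle it. `scan()` continues past the end of this hunk.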
@@ -88,19 +126,16 @@ async function scan(name, scanType, parameters = [], timeout = 180) {
 await deleteScan(actualName);
 return status.findings;
 } else if (status && status.state === "Errored") {
- await deleteScan(actualName);
+ console.error("Scan Errored");
+ await disasterRecovery(actualName);
+
 throw new Error(
 `Scan failed with description "${status.errorDescription}"`
 );
 }
 }
- console.error("Scan Timed out!");
-
- const scan = await getScan(actualName);
- console.log("Last Scan State:");
- console.dir(scan);
- await logJobs();
+ await disasterRecovery(actualName);
 throw new Error("timed out while waiting for scan results");
 }
From 30b1cacdf7bfd7c2616b16c2b4f45fdb40a34126 Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach <13718901+J12934@users.noreply.github.com>
Date: Mon, 21 Sep 2020 15:12:58 +0200
Subject: [PATCH 04/12] Try to reduce flaky tests
---
 tests/integration/helpers.js | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tests/integration/helpers.js b/tests/integration/helpers.js
index aa5da5c1..06f52172 100644
--- a/tests/integration/helpers.js
+++ b/tests/integration/helpers.js
@@ -124,6 +124,9 @@ async function scan(name, scanType, parameters = [], timeout = 180) {
 if (status && status.state === "Done") {
 await deleteScan(actualName);
+ // Wait a couple seconds to give kubernetes more time to update the fields
+ await sleep(2000);
+ const { status } = await getScan(actualName);
 return status.findings;
 } else if (status && status.state === "Errored") {
 console.error("Scan Errored");
From ead9eb7f43ce1e7e7363138da5d1d8789f2e992f Mon Sep 17 00:00:00 2001
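Review bot: The `Errored` branch no longer calls `deleteScan(actualName)`, so after `disasterRecovery` the failed Scan stays in the `integration-tests` namespace. If that is deliberate so the Inspect Post Failure step can look at it, a comment such as `// Scan is intentionally left behind so it can be inspected after the run` would stop the next reader from "fixing" it; otherwise `await deleteScan(actualName);` after `disasterRecovery` keeps the namespace clean between tests. In the timeout path, an exception thrown inside `disasterRecovery` (for example `getScan` failing) would replace the `timed out while waiting for scan results` error with a less useful one, so wrapping that call in a `try`/`catch` that only logs would preserve the original cause. The `scan` function starts before this hunk.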
From: Jannik Hollenbach <13718901+J12934@users.noreply.github.com>
Date: Mon, 21 Sep 2020 15:26:30 +0200
Subject: [PATCH 05/12] =?UTF-8?q?Duration=20is=20in=20sec=20not=20ms=20?=
 =?UTF-8?q?=F0=9F=A4=A6=E2=80=8D=E2=99=82=EF=B8=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 tests/integration/helpers.js | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/tests/integration/helpers.js b/tests/integration/helpers.js
index 06f52172..918cab49 100644
--- a/tests/integration/helpers.js
+++ b/tests/integration/helpers.js
@@ -9,8 +9,7 @@ const k8sPodsApi = kc.makeApiClient(k8s.CoreV1Api);
 const namespace = "integration-tests";
-const sleep = (duration) =>
- new Promise((resolve) => setTimeout(resolve, duration * 1000));
+const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms * 1000));
 async function deleteScan(name) {
 await k8sCRDApi.deleteNamespacedCustomObject(
@@ -125,7 +124,7 @@ async function scan(name, scanType, parameters = [], timeout = 180) {
 if (status && status.state === "Done") {
 await deleteScan(actualName);
 // Wait a couple seconds to give kubernetes more time to update the fields
- await sleep(2000);
+ await sleep(2);
 const { status } = await getScan(actualName);
 return status.findings;
 } else if (status && status.state === "Errored") {
From 77d024466a9a13f5b0f1736761d96626a4e73dfe Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach <13718901+J12934@users.noreply.github.com>
Date: Mon, 21 Sep 2020 15:40:30 +0200
Subject: [PATCH 06/12] Get scan before deleting it
---
 tests/integration/helpers.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/integration/helpers.js b/tests/integration/helpers.js
index 918cab49..682138da 100644
--- a/tests/integration/helpers.js
+++ b/tests/integration/helpers.js
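Review bot: The renamed parameter `ms` is still multiplied by 1000 before it reaches `setTimeout`, so the value is seconds, not milliseconds — the name now contradicts exactly the unit this commit sets out to fix, and the `sleep(2)` call in the second hunk reads as a 2 ms pause. Renaming it to match the unit, `const sleep = (seconds) => new Promise((resolve) => setTimeout(resolve, seconds * 1000));`, removes the ambiguity.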
@@ -122,10 +122,10 @@ async function scan(name, scanType, parameters = [], timeout = 180) {
 const { status } = await getScan(actualName);
 if (status && status.state === "Done") {
- await deleteScan(actualName);
 // Wait a couple seconds to give kubernetes more time to update the fields
 await sleep(2);
 const { status } = await getScan(actualName);
+ await deleteScan(actualName);
 return status.findings;
 } else if (status && status.state === "Errored") {
 console.error("Scan Errored");
From 641a4fa31103dd3facc52e25eb1a8f97b64b0a51 Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach <13718901+J12934@users.noreply.github.com>
Date: Mon, 21 Sep 2020 16:20:20 +0200
Subject: [PATCH 07/12] More debugging
---
 tests/integration/helpers.js | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/tests/integration/helpers.js b/tests/integration/helpers.js
index 682138da..8bdcf5d0 100644
--- a/tests/integration/helpers.js
+++ b/tests/integration/helpers.js
@@ -34,7 +34,7 @@ async function getScan(name) {
 }
 async function displayAllLogsForJob(jobName) {
- console.log(`Listing logs for Job ${jobName}:`);
+ console.log(`Listing logs for Job '${jobName}':`);
 const {
 body: { items: pods },
 } = await k8sPodsApi.listNamespacedPod(
@@ -46,7 +46,15 @@ async function displayAllLogsForJob(jobName) {
 `job-name=${jobName}`
 );
+ if (pods.length === 0) {
+ console.log(`No Pods found for Job '${jobName}'`);
+ }
+
 for (const pod of pods) {
+ console.log(
+ `Listing logs for Job '${jobName}' > Pod '${pod.metadata.name}':`
+ );
+
 for (const container of pod.spec.containers) {
 const response = await k8sPodsApi.readNamespacedPodLog(
 pod.metadata.name,
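Review bot: Inside the `Done` branch the inner `const { status } = await getScan(actualName);` shadows the outer `status` that the `if` has just tested, which is legal but easy to misread, all the more now that `deleteScan` sits between the re-read and the `return`. Naming the re-read result distinctly, `const { status: finalStatus } = await getScan(actualName);` followed by `return finalStatus.findings;`, keeps the two scan states apart. The enclosing `scan` function starts and ends outside this hunk.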
@@ -67,14 +75,14 @@ async function logJobs() {
 for (const job of jobs.items) {
 console.log(`Job: '${job.metadata.name}' Spec:`);
- console.dir(job.spec);
+ console.log(JSON.stringify(job.spec, null, 2));
 console.log(`Job: '${job.metadata.name}' Status:`);
- console.dir(job.status);
+ console.log(JSON.stringify(job.status, null, 2));
 await displayAllLogsForJob(job.metadata.name);
 }
 } catch (error) {
- console.info(`Failed to list Jobs'`);
+ console.error(`Failed to list Jobs'`);
 }
 }
From af3da2adaf824e45db591d694338173070b83ca5 Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach <13718901+J12934@users.noreply.github.com>
Date: Mon, 21 Sep 2020 16:37:06 +0200
Subject: [PATCH 08/12] Fix namespace
---
 tests/integration/helpers.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/integration/helpers.js b/tests/integration/helpers.js
index 8bdcf5d0..cf8db805 100644
--- a/tests/integration/helpers.js
+++ b/tests/integration/helpers.js
@@ -38,7 +38,7 @@ async function displayAllLogsForJob(jobName) {
 const {
 body: { items: pods },
 } = await k8sPodsApi.listNamespacedPod(
- "default",
+ namespace,
 true,
 undefined,
 undefined,
@@ -58,7 +58,7 @@ async function displayAllLogsForJob(jobName) {
 for (const container of pod.spec.containers) {
 const response = await k8sPodsApi.readNamespacedPodLog(
 pod.metadata.name,
- "default",
+ namespace,
 container.name
 );
 console.log(`Container ${container.name}:`);
From f458f5f21c87dc5fa6cef1be784eb4749588a20d Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach <13718901+J12934@users.noreply.github.com>
Date: Mon, 21 Sep 2020 17:39:08 +0200
Subject: [PATCH 09/12] Only apply `ttlSecondsAfterFinished` when set in values
---
 scanners/amass/templates/amass-scan-type.yaml | 4 +++-
 scanners/amass/values.yaml | 1 +
 .../kube-hunter/templates/kubehunter-scan-type.yaml | 4 +++-
 scanners/kube-hunter/values.yaml | 1 +
 scanners/ncrack/templates/ncrack-scan-type.yaml | 4 +++-
 scanners/ncrack/values.yaml | 2 +-
 scanners/nikto/templates/nikto-scan-type.yaml | 4 +++-
 scanners/nikto/values.yaml | 1 +
 scanners/nmap/templates/nmap-scan-type.yaml | 4 +++-
 scanners/nmap/values.yaml | 1 +
 scanners/ssh_scan/templates/ssh-scan-scan-type.yaml | 4 +++-
 scanners/ssh_scan/values.yaml | 1 +
 scanners/sslyze/templates/sslyze-scan-type.yaml | 4 +++-
 scanners/sslyze/values.yaml | 1 +
 .../test-scan/templates/test-scan-scan-type.yaml | 4 +++-
 scanners/test-scan/values.yaml | 1 +
 scanners/trivy/templates/trivy-scan-type.yaml | 4 +++-
 scanners/trivy/values.yaml | 1 +
 scanners/wpscan/templates/wpscan-scan-type.yaml | 4 +++-
 scanners/wpscan/values.yaml | 1 +
 scanners/zap/templates/zap-scan-type.yaml | 12 +++++++++---
 21 files changed, 49 insertions(+), 14 deletions(-)
diff --git a/scanners/amass/templates/amass-scan-type.yaml b/scanners/amass/templates/amass-scan-type.yaml
index 6387eb03..a52b7cb7 100644
--- a/scanners/amass/templates/amass-scan-type.yaml
+++ b/scanners/amass/templates/amass-scan-type.yaml
@@ -10,7 +10,9 @@ spec:
 location: "/home/securecodebox/amass-results.jsonl"
 jobTemplate:
 spec:
- ttlSecondsAfterFinished: 10
+ {{- if .Values.scannerJob.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
+ {{- end }}
 template:
 spec:
 restartPolicy: OnFailure
diff --git a/scanners/amass/values.yaml b/scanners/amass/values.yaml
index 52a79560..5d931ed4 100644
--- a/scanners/amass/values.yaml
+++ b/scanners/amass/values.yaml
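Review bot: `{{- if .Values.scannerJob.ttlSecondsAfterFinished }}` treats `0` as unset, so a user who wants finished scan Jobs removed immediately (`ttlSecondsAfterFinished: 0` is a valid Kubernetes value) silently gets no TTL at all; the same guard is repeated in every other scan-type template of this patch (kube-hunter, ncrack, nikto, nmap, ssh_scan, sslyze, test-scan, trivy, wpscan and the three zap scan types). Testing for nil instead, e.g. `{{- if not (kindIs "invalid" .Values.scannerJob.ttlSecondsAfterFinished) }}`, keeps `0` usable while still omitting the field when the value is `null`. Since the default in values.yaml moves from 10 seconds to `null`, finished scanner Jobs and their Pods (with their logs) now persist until something else removes them; if the operator already cleans them up that is fine, otherwise the values.yaml entry deserves a comment stating that Jobs are retained by default.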
@@ -4,6 +4,7 @@ parserImage:
 tag: latest
 scannerJob:
+ ttlSecondsAfterFinished: null
 resources: {}
 # scannerJob:
 # resources:
diff --git a/scanners/kube-hunter/templates/kubehunter-scan-type.yaml b/scanners/kube-hunter/templates/kubehunter-scan-type.yaml
index 34ecc29f..dff32f2b 100644
--- a/scanners/kube-hunter/templates/kubehunter-scan-type.yaml
+++ b/scanners/kube-hunter/templates/kubehunter-scan-type.yaml
@@ -8,7 +8,9 @@ spec:
 location: '/home/securecodebox/kube-hunter-results.json'
 jobTemplate:
 spec:
- ttlSecondsAfterFinished: 10
+ {{- if .Values.scannerJob.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
+ {{- end }}
 template:
 spec:
 restartPolicy: Never
diff --git a/scanners/kube-hunter/values.yaml b/scanners/kube-hunter/values.yaml
index b19fabbe..44f63a4f 100644
--- a/scanners/kube-hunter/values.yaml
+++ b/scanners/kube-hunter/values.yaml
@@ -4,4 +4,5 @@ parserImage:
 tag: latest
 scannerJob:
+ ttlSecondsAfterFinished: null
 resources: {}
diff --git a/scanners/ncrack/templates/ncrack-scan-type.yaml b/scanners/ncrack/templates/ncrack-scan-type.yaml
index a0233b72..df2899cc 100644
--- a/scanners/ncrack/templates/ncrack-scan-type.yaml
+++ b/scanners/ncrack/templates/ncrack-scan-type.yaml
@@ -8,7 +8,9 @@ spec:
 location: "/home/securecodebox/ncrack-results.xml"
 jobTemplate:
 spec:
- ttlSecondsAfterFinished: 10
+ {{- if .Values.scannerJob.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
+ {{- end }}
 backoffLimit: 3
 template:
 spec:
diff --git a/scanners/ncrack/values.yaml b/scanners/ncrack/values.yaml
index 86b8e29d..07c693ab 100644
--- a/scanners/ncrack/values.yaml
+++ b/scanners/ncrack/values.yaml
@@ -4,5 +4,5 @@ parserImage:
 tag: latest
 scannerJob:
+ ttlSecondsAfterFinished: null
 resources: {}
-
diff --git a/scanners/nikto/templates/nikto-scan-type.yaml b/scanners/nikto/templates/nikto-scan-type.yaml
index f6d0066d..e59604bb 100644
--- a/scanners/nikto/templates/nikto-scan-type.yaml
+++ b/scanners/nikto/templates/nikto-scan-type.yaml
@@ -8,7 +8,9 @@ spec:
 location: '/home/securecodebox/nikto-results.json'
 jobTemplate:
 spec:
- ttlSecondsAfterFinished: 10
+ {{- if .Values.scannerJob.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
+ {{- end }}
 template:
 spec:
 restartPolicy: Never
diff --git a/scanners/nikto/values.yaml b/scanners/nikto/values.yaml
index 55cfaa64..3a006551 100644
--- a/scanners/nikto/values.yaml
+++ b/scanners/nikto/values.yaml
@@ -4,6 +4,7 @@ parserImage:
 tag: latest
 scannerJob:
+ ttlSecondsAfterFinished: null
 resources: {}
 # scannerJob:
 # resources:
diff --git a/scanners/nmap/templates/nmap-scan-type.yaml b/scanners/nmap/templates/nmap-scan-type.yaml
index e273234b..9be99c02 100644
--- a/scanners/nmap/templates/nmap-scan-type.yaml
+++ b/scanners/nmap/templates/nmap-scan-type.yaml
@@ -8,7 +8,9 @@ spec:
 location: "/home/securecodebox/nmap-results.xml"
 jobTemplate:
 spec:
- ttlSecondsAfterFinished: 10
+ {{- if .Values.scannerJob.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
+ {{- end }}
 backoffLimit: 3
 template:
 spec:
diff --git a/scanners/nmap/values.yaml b/scanners/nmap/values.yaml
index 069241bb..19619b94 100644
--- a/scanners/nmap/values.yaml
+++ b/scanners/nmap/values.yaml
@@ -4,6 +4,7 @@ parserImage:
 tag: latest
 scannerJob:
+ ttlSecondsAfterFinished: null
 resources: {}
 # scannerJob:
 # resources:
diff --git a/scanners/ssh_scan/templates/ssh-scan-scan-type.yaml b/scanners/ssh_scan/templates/ssh-scan-scan-type.yaml
index 787c16cd..f06cf0c6 100644
--- a/scanners/ssh_scan/templates/ssh-scan-scan-type.yaml
+++ b/scanners/ssh_scan/templates/ssh-scan-scan-type.yaml
@@ -9,7 +9,9 @@ spec:
 location: "/home/securecodebox/ssh-scan-results.json"
 jobTemplate:
 spec:
- ttlSecondsAfterFinished: 10
+ {{- if .Values.scannerJob.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
+ {{- end }}
 template:
 spec:
 restartPolicy: OnFailure
diff --git a/scanners/ssh_scan/values.yaml b/scanners/ssh_scan/values.yaml
index 34f1a41b..dbcd18ab 100644
--- a/scanners/ssh_scan/values.yaml
+++ b/scanners/ssh_scan/values.yaml
@@ -4,6 +4,7 @@ parserImage:
 tag: latest
 scannerJob:
+ ttlSecondsAfterFinished: null
 resources: {}
 # scannerJob:
 # resources:
diff --git a/scanners/sslyze/templates/sslyze-scan-type.yaml b/scanners/sslyze/templates/sslyze-scan-type.yaml
index a5d48cce..4536159c 100644
--- a/scanners/sslyze/templates/sslyze-scan-type.yaml
+++ b/scanners/sslyze/templates/sslyze-scan-type.yaml
@@ -8,7 +8,9 @@ spec:
 location: '/home/securecodebox/sslyze-results.json'
 jobTemplate:
 spec:
- ttlSecondsAfterFinished: 10
+ {{- if .Values.scannerJob.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
+ {{- end }}
 template:
 spec:
 restartPolicy: OnFailure
diff --git a/scanners/sslyze/values.yaml b/scanners/sslyze/values.yaml
index 0b8985f7..72ad5f45 100644
--- a/scanners/sslyze/values.yaml
+++ b/scanners/sslyze/values.yaml
@@ -4,6 +4,7 @@ parserImage:
 tag: latest
 scannerJob:
+ ttlSecondsAfterFinished: null
 resources: {}
 # scannerJob:
 # resources:
diff --git a/scanners/test-scan/templates/test-scan-scan-type.yaml b/scanners/test-scan/templates/test-scan-scan-type.yaml
index 9cc0b25d..72053da3 100644
--- a/scanners/test-scan/templates/test-scan-scan-type.yaml
+++ b/scanners/test-scan/templates/test-scan-scan-type.yaml
@@ -8,7 +8,9 @@ spec:
 location: "/home/securecodebox/hello-world.txt"
 jobTemplate:
 spec:
- ttlSecondsAfterFinished: 10
+ {{- if .Values.scannerJob.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
+ {{- end }}
 backoffLimit: 3
 template:
 spec:
diff --git a/scanners/test-scan/values.yaml b/scanners/test-scan/values.yaml
index f5ea0688..735ddd89 100644
--- a/scanners/test-scan/values.yaml
+++ b/scanners/test-scan/values.yaml
@@ -4,6 +4,7 @@ parserImage:
 tag: latest
 scannerJob:
+ ttlSecondsAfterFinished: null
 resources: {}
 # scannerJob:
 # resources:
diff --git a/scanners/trivy/templates/trivy-scan-type.yaml b/scanners/trivy/templates/trivy-scan-type.yaml
index 200318f1..854ec819 100644
--- a/scanners/trivy/templates/trivy-scan-type.yaml
+++ b/scanners/trivy/templates/trivy-scan-type.yaml
@@ -9,7 +9,9 @@ spec:
 location: "/home/securecodebox/trivy-results.json"
 jobTemplate:
 spec:
- ttlSecondsAfterFinished: 10
+ {{- if .Values.scannerJob.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
+ {{- end }}
 template:
 spec:
 restartPolicy: OnFailure
diff --git a/scanners/trivy/values.yaml b/scanners/trivy/values.yaml
index 4aa12943..47e292d0 100644
--- a/scanners/trivy/values.yaml
+++ b/scanners/trivy/values.yaml
@@ -4,6 +4,7 @@ parserImage:
 tag: latest
 scannerJob:
+ ttlSecondsAfterFinished: null
 resources: {}
 # scannerJob:
 # resources:
diff --git a/scanners/wpscan/templates/wpscan-scan-type.yaml b/scanners/wpscan/templates/wpscan-scan-type.yaml
index 9da6b8f0..530f9d03 100644
--- a/scanners/wpscan/templates/wpscan-scan-type.yaml
+++ b/scanners/wpscan/templates/wpscan-scan-type.yaml
@@ -9,7 +9,9 @@ spec:
 location: "/home/securecodebox/wpscan-results.json"
 jobTemplate:
 spec:
- ttlSecondsAfterFinished: 10
+ {{- if .Values.scannerJob.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
+ {{- end }}
 template:
 spec:
 restartPolicy: OnFailure
diff --git a/scanners/wpscan/values.yaml b/scanners/wpscan/values.yaml
index 6f83e2b4..abdadb7c 100644
--- a/scanners/wpscan/values.yaml
+++ b/scanners/wpscan/values.yaml
@@ -4,6 +4,7 @@ parserImage:
 tag: latest
 scannerJob:
+ ttlSecondsAfterFinished: null
 resources: {}
 # scannerJob:
 # resources:
diff --git a/scanners/zap/templates/zap-scan-type.yaml b/scanners/zap/templates/zap-scan-type.yaml
index 12d77aae..a108594d 100644
--- a/scanners/zap/templates/zap-scan-type.yaml
+++ b/scanners/zap/templates/zap-scan-type.yaml
@@ -8,7 +8,9 @@ spec:
 location: "/home/securecodebox/zap-results.json"
 jobTemplate:
 spec:
- ttlSecondsAfterFinished: 10
+ {{- if .Values.scannerJob.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
+ {{- end }}
 template:
 spec:
 restartPolicy: Never
@@ -42,7 +44,9 @@ spec:
 location: "/home/securecodebox/zap-results.json"
 jobTemplate:
 spec:
- ttlSecondsAfterFinished: 10
+ {{- if .Values.scannerJob.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
+ {{- end }}
 template:
 spec:
 restartPolicy: Never
@@ -76,7 +80,9 @@ spec:
 location: "/home/securecodebox/zap-results.json"
 jobTemplate:
 spec:
- ttlSecondsAfterFinished: 10
+ {{- if .Values.scannerJob.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
+ {{- end }}
 template:
 spec:
 restartPolicy: Never
From 971eee5bf7e03e9c99d103c0849aeddca6cf77bb Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach <13718901+J12934@users.noreply.github.com>
Date: Mon, 21 Sep 2020 18:07:55 +0200
Subject: [PATCH 10/12] Print out error
---
 tests/integration/helpers.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/integration/helpers.js b/tests/integration/helpers.js
index cf8db805..2e604295 100644
--- a/tests/integration/helpers.js
+++ b/tests/integration/helpers.js
@@ -82,7 +82,8 @@ async function logJobs() {
 await displayAllLogsForJob(job.metadata.name);
 }
 } catch (error) {
- console.error(`Failed to list Jobs'`);
+ console.error("Failed to list Jobs");
+ console.error(error);
 }
 }
From d4260d80a75444e0f1c588ddc38c547af2b7c8a3 Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach <13718901+J12934@users.noreply.github.com>
Date: Mon, 21 Sep 2020 18:26:37 +0200
Subject: [PATCH 11/12] Echo out logging exception error
---
 tests/integration/helpers.js | 20 +++++++++++++------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/tests/integration/helpers.js b/tests/integration/helpers.js
index 2e604295..7781a7cd 100644
--- a/tests/integration/helpers.js
+++ b/tests/integration/helpers.js
@@ -56,13 +56,19 @@ async function displayAllLogsForJob(jobName) {
 );
 for (const container of pod.spec.containers) {
- const response = await k8sPodsApi.readNamespacedPodLog(
- pod.metadata.name,
- namespace,
- container.name
- );
- console.log(`Container ${container.name}:`);
- console.log(response.body);
+ try {
+ const response = await k8sPodsApi.readNamespacedPodLog(
+ pod.metadata.name,
+ namespace,
+ container.name
+ );
+ console.log(`Container ${container.name}:`);
+ console.log(response.body);
+ } catch (exception) {
+ console.error(
+ `Failed to display logs of container ${container.name}: ${exception.body.message}`
+ );
+ }
 }
 }
 }
From 0b228ce5217601f46e7f1204661c2af92f83399e Mon Sep 17 00:00:00 2001
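Review bot: The new `catch` in `displayAllLogsForJob` reads `exception.body.message`, but only errors that arrive as Kubernetes API responses carry a `body`; a connection or timeout error from the client is a plain `Error`, so `exception.body` is `undefined` and the catch block itself throws a `TypeError`, aborting the very log dump that is meant to help debugging. Falling back to the error's own message, `${exception.body ? exception.body.message : exception.message}`, keeps the loop going over the remaining containers. The enclosing function starts before this hunk.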
From: Jannik Hollenbach <13718901+J12934@users.noreply.github.com>
Date: Mon, 21 Sep 2020 20:38:27 +0200
Subject: [PATCH 12/12] Also switch zap baseline image to wekly
Required to run zap on non docker (e.g. containerd clusters)
Also updated the used zap image
---
 scanners/zap/templates/zap-scan-type.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/scanners/zap/templates/zap-scan-type.yaml b/scanners/zap/templates/zap-scan-type.yaml
index a108594d..b04a1210 100644
--- a/scanners/zap/templates/zap-scan-type.yaml
+++ b/scanners/zap/templates/zap-scan-type.yaml
@@ -16,7 +16,7 @@ spec:
 restartPolicy: Never
 containers:
 - name: zap-baseline
- image: owasp/zap2docker-stable:2.9.0
+ image: owasp/zap2docker-weekly:w2020-09-15
 command:
 - "zap-baseline.py"
 # Force Zap to always return a zero exit code. k8s would otherwise try to restart zap.
@@ -52,7 +52,7 @@ spec:
 restartPolicy: Never
 containers:
 - name: zap-api-scan
- image: owasp/zap2docker-weekly:w2020-09-08
+ image: owasp/zap2docker-weekly:w2020-09-15
 command:
 - "zap-api-scan.py"
 # Force Zap to always return a zero exit code. k8s would otherwise try to restart zap.
@@ -88,7 +88,7 @@ spec:
 restartPolicy: Never
 containers:
 - name: zap-full-scan
- image: owasp/zap2docker-weekly:w2020-09-08
+ image: owasp/zap2docker-weekly:w2020-09-15
 command:
 - "zap-full-scan.py"
 # Force Zap to always return a zero exit code. k8s would otherwise try to restart zap.