René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"🕸 Extend the Cascading-Scans Hook to generate custom labels or annotations for subsequent scans","articleBody":"## ➹ New Feature request\r\n\u003c!--\r\nThank you for reporting an issue in our documentation 🙌\r\n\r\nBefore opening a new issue, please make sure that we do not have any duplicates already open. You can ensure this by searching the issue list for this repository. If there is a duplicate, please close your issue and add a comment to the existing issue instead.\r\n--\u003e\r\n\r\n### Is your feature request related to a problem?\r\n\u003c!-- Please describe a clear and concise description of what the problem is. Ex. I'm always frustrated when [...] --\u003e\r\nAs a secureCodeBox user i would like to use the [cascading rules](https://docs.securecodebox.io/docs/hooks/cascading-scans) in combination with the [**DefectDojo-Persistence Hook**](https://docs.securecodebox.io/docs/hooks/defectdojo) to examine all results efficiently in [OWASP DefectDojo](https://github.com/DefectDojo/django-DefectDojo) (DD).\r\n\r\nImagine a SCB NMAP `scheduledScan` setup for a company with a large network in combination with cascading rules. This results in hundreds or even thousands of subsequent scans started by the [cascading scans hook](https://docs.securecodebox.io/docs/hooks/cascading-scans). \r\n\r\n```yaml\r\napiVersion: execution.securecodebox.io/v1\r\nkind: ScheduledScan\r\nmetadata:\r\n  name: nmap-large-network-scan\r\n  namespace: demo-scans\r\n  labels:\r\n    organization: \"OWASP\"\r\n    location: barcelona\r\n    vlan: lan\r\nspec:\r\n  interval: 24h\r\n  successfulJobsHistoryLimit: 1\r\n  failedJobsHistoryLimit: 1\r\n  scanSpec:\r\n    scanType: \"nmap\"\r\n    parameters:\r\n      - \"-T4\"\r\n      - \"-sV\"\r\n      - \"--version-intensity\"\r\n      - \"4\"\r\n      - \"192.168.0.1/24\"\r\n    cascades:\r\n      matchLabels:\r\n        # Uses all CascadingRules in the namespace which are labelled as \"non-invasive\" and a intensiveness level of \"light\"\r\n        securecodebox.io/invasive: non-invasive\r\n        securecodebox.io/intensive: light\r\n```\r\n\r\nThis works really nicely in combination with an [elasticsearch backend](https://docs.securecodebox.io/docs/hooks/elasticsearch). \r\n\r\nBut trying to do something similar in OWASP DefectDojo would result in hundreds or even thousands DefectDojo products for _each successful subsequent scan_. The name of each imported DefectDojo `Product` would be the generated `scan` name like `ssh-scan-demo-lan-1616202292-ssh-scan-tc754`. To prevent this it is necessary to add some [DefectDojo-Hook specific annotation](https://docs.securecodebox.io/docs/hooks/defectdojo#complete-example-scan) to each _subsequent scan_ to relate them to the correct DefectDojo `Product` or `Engagement` name.\r\n\r\nProblem is 🧐: currently this is not possible to configure within the `cascading rules` or a `scan`. But it would be very helpful 😆\r\n\r\nThere is already a function implemented in the *cascading hook* which ensures that all `parent scan` labels are copied to all subsequent scans:\r\nhttps://github.com/secureCodeBox/secureCodeBox/blob/0257ddaa07540381d3a056a7cc7b7fc740926f43/hooks/declarative-subsequent-scans/scan-helpers.ts#L79-L90\r\n\r\n### Describe the solution you'd like\r\n\u003c!-- A clear and concise description of what you want to happen. --\u003e\r\nIt should be possible to define and copy custom labels and annotations for each subsequent scan. There are different scenarios to take into account:\r\n1) Copy all `labels` and `annotations` from the `parent scan` to every `subsequent scan`\r\n2) Generate new labels and annotations based on a lightweight template syntax and the given `parent scan` or `findings` data.\r\n\r\n#### Examples\r\n`ScheduledScan` NMAP Definition Example:\r\n```yaml\r\napiVersion: execution.securecodebox.io/v1\r\nkind: ScheduledScan\r\nmetadata:\r\n  name: nmap-large-network-scan\r\n  namespace: demo-scans\r\n  annotations:\r\n    defectdojo.securecodebox.io/product-name: \"barcelona-network-scan\"\r\n    defectdojo.securecodebox.io/product-type-name: \"OWASP\"\r\n    defectdojo.securecodebox.io/product-tags: vulnerable,appsec,network\r\n    defectdojo.securecodebox.io/engagement-name: \"scb-automated-scan\"\r\n    defectdojo.securecodebox.io/engagement-tags: \"automated,daily\"\r\n  labels:\r\n    organization: \"OWASP\"\r\n    location: barcelona\r\n    vlan: lan\r\nspec:\r\n  interval: 24h\r\n  successfulJobsHistoryLimit: 1\r\n  failedJobsHistoryLimit: 1\r\n  scanSpec:\r\n    scanType: \"nmap\"\r\n    parameters:\r\n      - \"-T4\"\r\n      - \"-sV\"\r\n      - \"192.168.0.1/24\"\r\n    cascades:\r\n      # True if all scan (parent) labels are copied to each subsequent scan (child), otherwise false. Default: true\r\n      inheritLabels: true\r\n      # True if all scan (parent) annotations are copied to each subsequent scan (child), otherwise false. Default: true\r\n      inheritAnnotations: true\r\n      # Uses all CascadingRules in the namespace which are labelled as \"non-invasive\" and a intensiveness level of \"light\"\r\n      matchLabels:\r\n        securecodebox.io/invasive: non-invasive\r\n        securecodebox.io/intensive: light\r\n```\r\n\r\nOWASP ZAP Cascading Rule Example\r\n\r\n```yaml\r\napiVersion: \"cascading.securecodebox.io/v1\"\r\nkind: CascadingRule\r\nmetadata:\r\n  name: \"zap-http\"\r\n  labels:\r\n    securecodebox.io/invasive: non-invasive\r\n    securecodebox.io/intensive: medium\r\nspec:\r\n  matches:\r\n    anyOf:\r\n      - category: \"Open Port\"\r\n        attributes:\r\n          service: http\r\n          state: open\r\n      - category: \"Open Port\"\r\n        attributes:\r\n          service: https\r\n          state: open\r\n  # Configures additional label added to each subsequent scan (child)\r\n  scanLabels:\r\n    mynewlabel: {{$.metadata.name}}\r\n  # Configures additional annotation added to each subsequent scan (child)\r\n  scanAnnotations:\r\n    defectdojo.securecodebox.io/product-name: \"{{$.hostOrIP}}\"\r\n    defectdojo.securecodebox.io/product-type-name: \"{{$.metadata.labels.organization}}\"\r\n    defectdojo.securecodebox.io/product-tags: vulnerable,appsec,owasp-top-ten,vulnapp\r\n    defectdojo.securecodebox.io/engagement-name: \"{{$.hostOrIP}}\"\r\n  scanSpec:\r\n    scanType: \"zap-baseline\"\r\n    parameters: [\"-t\", \"{{attributes.service}}://{{$.hostOrIP}}\"]\r\n```\r\n\r\n### Describe alternatives you've considered\r\n\u003c!-- A clear and concise description of any alternative solutions or features you've considered. --\u003e\r\n\r\n### Additional context\r\n\u003c!-- Add any other context or screenshots about the feature request here. --\u003e\r\n","author":{"url":"https://github.com/rfelber","@type":"Person","name":"rfelber"},"datePublished":"2021-03-20T21:16:23.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/334/secureCodeBox/issues/334"}