René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Configure Hooks to run per scan","articleBody":"## ➹ New Feature implementation request\r\n\r\nIt would be extremely helpful if you can decide on a per-scan basis which hooks to run.\r\n\r\n### Example use case\r\n\r\nInstalled hooks: Cascading Scans, DefectDojo persistence provider\r\n\r\nStarted scan:\r\n\r\n```yaml\r\napiVersion: \"execution.securecodebox.io/v1\"\r\nkind: Scan\r\nmetadata:\r\n  name: \"nmap-open-ports\"\r\nspec:\r\n  scanType: \"nmap\"\r\n  parameters:\r\n    - \"-p-\"\r\n    # Against Host\r\n    - \"example.com\"\r\n```\r\n\r\nThe initial scan would create this finding:\r\n\r\n```json\r\n {\r\n    \"name\":\"Open Port: 443 (http)\",\r\n    \"category\":\"Open Port\",\r\n    \"attributes\":{\r\n       \"port\":443,\r\n       \"state\":\"open\",\r\n       \"service\":\"http\",\r\n       \"serviceProduct\":\"nginx\",\r\n       \"serviceVersion\":null,\r\n       \"tunnel\":\"ssl\"\r\n    },\r\n },\r\n```\r\n\r\nCascading Rule:\r\n\r\n```yaml\r\napiVersion: \"cascading.securecodebox.io/v1\"\r\nkind: CascadingRule\r\nmetadata:\r\n  name: \"nmap-service-detection\"\r\nspec:\r\n  matches:\r\n    anyOf:\r\n      - category: \"Open Port\"\r\n        attributes:\r\n          state: open\r\n  scanSpec:\r\n    scanType: \"nmap\"\r\n    parameters:\r\n      - \"-p{{attributes.port}}\"\r\n      - \"-sV\"\r\n      - \"--service-all\"\r\n      # Against Host\r\n      - \"{{$.hostOrIP}}\"\r\n```\r\n\r\nWhen triggered, the Cascading Scan would create the following finding with **more service information**:\r\n\r\n```json\r\n {\r\n    \"name\":\"Open Port: 443 (http)\",\r\n    \"category\":\"Open Port\",\r\n    \"attributes\":{\r\n       \"port\":443,\r\n       \"state\":\"open\",\r\n       \"service\":\"http\",\r\n       \"serviceProduct\":\"nginx\",\r\n       \"serviceVersion\":\"1.20.1\",\r\n       \"tunnel\":\"ssl\"\r\n    },\r\n },\r\n```\r\n\r\nIn this case, I would like to **not import** the initial scan results into DefectDojo but still run the Cascading Scan hook.\r\n\r\n### Describe the solution you'd like\r\nOnce #695 is merged, we could use Hook Priorities to solve this problem. One could deploy Cascading Scans with a priority of `1` and DefectDojo with `0`. Then on a per-scan basis one may define what hook ranges to execute.\r\n\r\n```yaml\r\napiVersion: \"execution.securecodebox.io/v1\"\r\nkind: Scan\r\nmetadata:\r\n  name: \"nmap-open-ports\"\r\nspec:\r\n  hookRanges:\r\n    - \"1\"\r\n  scanType: \"nmap\"\r\n  parameters:\r\n    - \"-p-\"\r\n    # Against Host\r\n    - \"example.com\"\r\n```\r\n\r\n`hookRanges` would be a list of ranges to execute. A range could have the following formats:\r\n\r\n* `0-1`: Execute hooks with priority between `0` and `1` (inclusive)\r\n* `0`: Execute hooks with priority `0`.\r\n\r\nThe `orderedHookStatusses` status field would still include the skipped hooks but marks them with state `Skipped`.\r\n\r\n### Describe alternatives you've considered\r\nProposed workarounds involved setting up multiple namespaces with different hooks installed and then running the scan in that namespace.\r\n","author":{"url":"https://github.com/EndPositive","@type":"Person","name":"EndPositive"},"datePublished":"2021-10-14T08:58:11.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":4},"url":"https://github.com/728/secureCodeBox/issues/728"}