Is your feature request related to a problem?
As a ruby developer it would be very helpful to be able to use a ruby gem which encapsulates some of the basic scanner integration stuff, like the integration of the scanner with the SCB Engine.

There is already a nodejs scaffolding package implemented which nearly does the same, based on node: https://github.com/secureCodeBox/nodejs-scanner-scaffolding

Describe the solution you'd like
There is already a good guide how to do this:

• https://guides.rubygems.org/make-your-own-gem/
• https://guides.rubygems.org/publishing/

The following SCB repository should be migrated to the new ruby gem:

• https://github.com/secureCodeBox/scanner-webserver-nikto
• https://github.com/secureCodeBox/scanner-webapplication-arachni
• https://github.com/secureCodeBox/scanner-cms-wpscan

Describe the bug
The API methods and Objects are referencing the pre 1.0 Api.

Steps To Reproduce

• https://github.com/secureCodeBox/secureCodeBox/tree/master/docs/user-guide#starting-scan-processes-using-the-rest-api
• https://github.com/secureCodeBox/secureCodeBox/blob/master/docs/developer-guide/api-doc.md

Expected behavior
The documentation should reflect the current state of the api.

Additional context
Initially reported in Slack: https://securecodebox.slack.com/archives/C42NYDT46/p1551275864002700

It would be nice if as an alternative to Defect Dojo, ThreadFix could also be included as StorageProvider.

ThreadFix has a public API: https://denimgroup.atlassian.net/wiki/spaces/TDOC/pages/22842096/ThreadFix%2BAPI

Unfortunately it is a commercial tool in contrast to DefectDojo, but it can also be found in many corporate environments.

Add an authentication Mechanism to the SCB engine api directly and don't rely on reverse proxys like ngnix.

As a user I would like to have a lightweight false-/positive-handling which helps me to label/mark and filter findings which are not relevant or false-/positive.

I would like to file all findings in my security dashboard (kibana).

See #225

Describe the bug
All SCB HelmCharts contain the kubeVersion field to ensure the K8S version meets the SCB requirements.

Example Operator Chart

apiVersion: v2
name: operator
description: secureCodeBox Operator to automate the execution of security scans on kubernetes

type: application

# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
version: latest
kubeVersion: ">=v1.11.0"

The current definition results in an error if the K8S is using a pre-release version, even if its never than the kubeVersion semversion:

helm --namespace securecodebox-system upgrade --install securecodebox-operator secureCodeBox/operator --version v2.0.0-rc.12
Error: UPGRADE FAILED: chart requires kubeVersion: >=v1.11.0 which is incompatible with Kubernetes v1.16.6-beta.0

Expected behavior
It would be great to support Kubernetes pre-release versions. As explained in the helm issue helm/helm#3810 this could be done by adding a pre-release extension to the kube version field:

Solution

apiVersion: v2
name: operator
description: secureCodeBox Operator to automate the execution of security scans on kubernetes

type: application

# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
version: latest
kubeVersion: ">=v1.11.0-0"

Is it possible to interact with the different scanner through cli?
Also is it possible to schedule a scan?
Is it possible to publish an alert to a ticketing tool like Jira for example?

Thanks in advance.

Is your feature request related to a problem? Please describe.

The secureCodeBox already supports to define custom securityContext for the scanners.
It would be nice to have default securityContexts set for every scanner which are pre-configured individually for each scanner, so that this doesn't have to be done by the users.

Describe the solution you'd like

The value files of the scanner should include a default configured scanType which restricts the container from features it doesn't really require to improve the security stance of the secureCodeBox.

This has already been implemented for Nmap, see: https://github.com/secureCodeBox/secureCodeBox-v2/blob/7596d3f4d9c272ba98c29aa639160bbd27e45c9a/scanners/nmap/values.yaml#L39-L52

Where to find the issue

The current install guide (https://docs.securecodebox.io/docs/getting-started/installation) doesn't include instructions how to properly uninstall the secureCodeBox.

Describe the issue

Most parts of the uninstallation are pretty self explanatory.

One thing that isn't is that the operator creates ServiceAccounts, Roles & RoleBindings in every Namespace in which scans are running which are used by the lurcher, parser and hooks to get access to certain types of resources in their namespace.

These can't be cleanly uninstalled as they are not linked to the operator, as they live in their own namespaces and can't be referenced via Kubernetes OwnerReferences.

Suggested change

The Install Docs should include a section detailing users how they can cleanly uninstall the secureCodeBox.

New Scanner implementation request

Is your feature request related to a problem? Please describe.

As a security tester i would like to test security aspects of my kubernetes cluster because there is alot stuff that can be missconfigured. The secureCodeBox v2 is already based on kubernetes so this should fit perfectly.

Describe the solution you'd like

As a security tester i would like to test the security of my kubernetes cluster based on the kubeaudit scanner: https://github.com/Shopify/kubeaudit

Describe alternatives you've considered

none

Additional context

There is already a scanner folder for this feature request: https://github.com/secureCodeBox/secureCodeBox-v2/tree/master/scanners/kubeaudit

Steps to implement a new scanner

• Create a new folder with the name of the scanner here
• Add a README.md and give a brief overview of the scanner and its configuration options.
• Implement a new scanner specific scan-type.yaml
• Implement a new scanner specific parse-definition.yaml
• Add (optional) some cascading-rules.yaml
• Add (optional) a Dockerfile for the scanner if there is no existing one publicly available on dockerHub
• Use the parser-SDK to implement a new findings parser (currently based on NodeJS)
• Add unit tests with at minimum 80% test coverage

Describe the bug

When the cluster has istio sidecar injection enabled the secureCodeBox cannot properly run its scans in the namespace as the jobs never terminate as the sidecar is still running even hours after the scan has completed.

Depending on the istio config this can also mess with the ability of the operator / lurcher / parsers to talk to the kubernetes API.

To Reproduce
Steps to reproduce the behavior:

1. Start any scan in a istio injection enabled namespace
2. Scan will never terminate

Expected behavior

Scans should work normally in istio enabled namespaces.

As a temporary workaround, or to wait untill proper sidecar support is added to kubernetes, it would be best to disable the injection via a "sidecar.istio.io/inject": "false"pod label on scan, parse and hook pods, see: https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection

Ideally the secureCodeBox Operator could support istio and other service meshes directly and proxy scanner traffic thought the sidecar.

System (please complete the following information):

• Kubernetes: any version
• Istio: any version

Where to find the issue

The secureCodeBox V2 generates a generic findings JSON format in addition to the rawResults by each security scanner. This format should be documented within the documentation contribution section https://docs.securecodebox.io/docs/contributing/conventions to help developers understanding the finding generation and post processing process.

Suggested change

Maybe the json-schema standard https://json-schema.org/ could help to document the findings format in a more general way. The json-schema can also be used for validation of given findings.json files.

Is your feature request related to a problem? Please describe.
The CLI is currently very limited to only one usecase.
It would be cool to a a more cli with more functionality, e.g. starting scans, retrieving results.

Describe the solution you'd like
A cli with a similar structure to modern clis like docker or kubernetes, with good help texts.

CLI should be written in a way that is cross plattform and easy to maintain and expand in the future. Go would be nice usecase for it with nice libraries to write clis, e.g:

• https://github.com/spf13/cobra
• https://github.com/urfave/cli

Additional context
Reworking the CLI has come up in multiple issues.

• #82
• #81

After successfull launch of scan via CLI I can see the results in job_zap_result.json file but I am unable to find those in GUI. Are those populated?

The deployment of the SCBv2 Operator and CRDs, ClusterRoles, ClusterRoleBindings requires a ClusterAdmin Role or a well defined RBAC definition for the service account which is used for installation. This must be documented more precisely in our User Guide (Installation).

https://docs.securecodebox.io/docs/getting-started/installation

Hello everyone,

I want to start a Scan-Process using the REST-API, but if if do that, i don´t get results.

If I send an HTTP PUT Request, for example:

URL:
http://localhost:8080/box/processes/nmap-process

Header:
Content-Type:application/json

Body:
[
{
"attributes": {
"NMAP_START_PORT": 34,
"NMAP_IP": "localhost",
"NMAP_END_PORT": 125
},
"location": "juice-shop",
"name": "JuiceShop Test Host"
}
]

I get the process-id as response. But where can I find the scan results?

Thank you!

error 500
After running the zap scanner using CLI, curl comes back with error 500.

To Reproduce
Steps to reproduce the behavior:

1. issue scan as shown on the screenshot

Screenshots / Logs

As a SCB User i would like to configure the elasticsearch index pattern more precisely when i install the elasticsearch persistence hook. This feature will be useful to optimize the elasticsearch result index size, rollover strategie and performance.

As for now it is already possible to configure the index prefix via the helm chart config:

# Define a specific index prefix
indexPrefix: "scbv2" 

Additionally it should be possible to configure a date pattern as suffix to change the index aggregation level:

# Define a specific index prefix
indexPrefix: "scbv2"
# Define a specific index suffix based on date pattern (YEAR, MONTH, WEEK, DATE)
indexSuffix: “YYYY-MM-DD”
# Define if the name of the namespace where this hook is deployed to must be added to the index name. The namespace can be used to separate index by tenants (namespaces).
indexAppendNamespace: true

Examples

Example index names that should be possible to configure:

• scbv2-team-2020-10-05 (daily rollover pattern, append namespace: true)

• scbv2-team-2020-10 (monthly rollover pattern, append namespace: true)

• scbv2-team-2020 (yearly rollover pattern, append namespace: true)

• scbv2-team-2020-45 (weekly rollover pattern, append namespace: true)

• scbv2-team (no rollover pattern, append namespace: true)

• scbv2-2020-10-05 (daily rollover pattern, append namespace: false)

• scbv2-2020-10 (monthly rollover pattern, append namespace: false)

• scbv2-2020 (yearly rollover pattern, append namespace: false)

• scbv2-2020-45 (weekly rollover pattern, append namespace: false)

• scbv2 (no rollover pattern, append namespace: false)

Where to start?

As a starting point here a pointer to the current implementation:

https://github.com/secureCodeBox/secureCodeBox-v2/blob/25b548d47795dba2891f45c7d11381ab69275ac5/hooks/persistence-elastic/hook.js#L50

Todos:

• Update HelmChart config defaults
• Implement feature within hook.js
• Add additional unit tests for the different configuration options/combinations.

Is your feature request related to a problem? Please describe.
Guys, I saw that some branches are merged in master but no tags are applied.
This is not good for a production environment. I would like to know exactly what revision I've cloned and later to check all changes when i will plan an upgrade.

Describe the solution you'd like
After each merge in master a new git tag needs to be applied

Describe alternatives you've considered
NO

Additional context
Add any other context or screenshots about the feature request here.

Hi there,

I am getting the following error with the docker-compose up:

persistence-kibana_1 | {"type":"log","@timestamp":"2018-07-05T12:44:52Z","tags":["warning","elasticsearch","admin"],"pid":1,"message":"Unable to revive connection: http://persistence-elasticsearch:9200/"}

My environment:
Ubuntu server 18.04 amd64
Docker version: 18.03.1-ce
Docker-compose version: 1.21.2

I also cannot ping http://persistence-elasticsearch:9200.
Did the address to the elastic search change perhaps?

Regards,

Is your feature request related to a problem? Please describe.
It would be great if the travis build would be extended to run the docker-image and test it with given default env values. The smoke test can be done by checking the healthcheck.
This test should be done before the image will be published to dockerHub.

Describe the bug

The installation from https://docs.securecodebox.io/docs/getting-started/installation/ does not succed.

To Reproduce

1. install Docker Desktop
2. execute the steps from https://docs.securecodebox.io/docs/getting-started/installation/

Expected behavior

• Installation does notfail

System (please complete the following information):

• secureCodeBox 2.0.0
• OS: macOS
• Kubernetes Version v1.18.8
• Docker Version Docker version 19.03.13, build 4484c46d9d

Additional context

Minio requires by default 4 GB RAM but Docker Desktop for macOS has its resource setting to 2 GB.

name: '🚓 New Security Scanner request'
about: 'Suggest an idea for a new security scanner to integrate in this project.'
labels: 'scanner'

New Scanner implementation request

Is your feature request related to a problem? Please describe.
As an user i want to use test my REST APIs based on best practices with the secureCodeBox.

Therefore, the ASTRA Tool could be helpful:

• https://github.com/flipkart-incubator/Astra

Describe the solution you'd like
ASTRA is integrated into the secureCodeBox

Steps to implement a new scanner

• Create a new folder with the name of the scanner here
• Add a README.md and give a brief overview of the scanner and its configuration options.
• Implement a new scanner specific scan-type.yaml
• Implement a new scanner specific parse-definition.yaml
• Add (optional) some cascading-rules.yaml
• Add (optional) a Dockerfile for the scanner if there is no existing one publicly available on dockerHub
• Use the parser-SDK to implement a new findings parser (currently based on NodeJS)
• Add unit tests with at minimum 80% test coverage

Is your feature request related to a problem? Please describe.
As an user i want to use test my ssh-server (or already found ssh port) based on best practices and given security policies with the secureCodeBox.

Some Best Practices on the topic ssh hardening can be found here:

• https://linux-audit.com/audit-and-harden-your-ssh-configuration/
• https://infosec.mozilla.org/guidelines/openssh

Describe the solution you'd like
There are already some ssh security scanners like:

• https://github.com/arthepsy/ssh-audit
• https://github.com/mozilla/ssh_scan

Especially the mozilla ssh_scan seems to be a good candidate to implement.
It's well documented and has a active community. It supports JSON output and the possibility to add my own ssh check policy.

• See here for example video
• See here for example output
• See here for example policies

Additional context
A new ssh scanner could be combined with the existing port scanner (nmap) to check found ssh ports.

Steps to implement a new scanner

A general guide how to implement a new scanner is documented here

Must have

• Create a new public secureCodeBox repository for the scanner implementation
• Implement a new scanner microservice an reuse some of the existing stuff, if possible
• Check if there is a healthcheck for the microservice implemented
• Implement a new basic security process for the scanner
• Update the docker-compose files and integrate your new scanner there
• Update the user guide and developer guide
• Implement a integration test for the scanner here

Should have

• Update the CLI examples
• Update the Jenkins Pipeline examples
• Update the OpenShift Container Setup

New Scanner implementation request

Is your feature request related to a problem? Please describe.
As a security tester i would like to continuously check a list of git repositories in my project and check if they contain any credentials. This is a common security problem which must be avoided. But even the best developers can make mistakes 🤷🏻‍♂️. Finding such problems early can prevent worse.

Describe the solution you'd like
There are alot of different git credential scanner services and tools. The gitleaks (SAST) scanner seems to be a good solution which can be easily integrated with the SCBv2 Project: https://github.com/zricethezav/gitleaks

Describe alternatives you've considered

Additional context

Steps to implement a new scanner

• Create a new folder with the name of the scanner here
• Add a README.md and give a brief overview of the scanner and its configuration options.
• Implement a new scanner specific scan-type.yaml
• Implement a new scanner specific parse-definition.yaml
• Add (optional) some cascading-rules.yaml
• Add (optional) a Dockerfile for the scanner if there is no existing one publicly available on dockerHub
• Use the parser-SDK to implement a new findings parser (currently based on NodeJS)
• Add unit tests with at minimum 80% test coverage

Describe the bug
After running a nikto scan, the findings cannot be imported into elasticsearch. Instead the RestHighLevelClient raises the following error:

{
  "error": {
    "root_cause": [
      {
        "type": "illegal_argument_exception",
        "reason": "request [/securecodebox_services_2020-02-12] contains unrecognized parameter: [include_type_name]"
      }
    ],
    "type": "illegal_argument_exception",
    "reason": "request [/securecodebox_services_2020-02-12] contains unrecognized parameter: [include_type_name]"
  },
  "status": 400
}

I have tested 2 scanners nikto and sslyze and both resulted in the same error. I assume maybe my elasticsearch configuration is wrong.

To Reproduce
Steps to reproduce the behavior:

1. Run docker-compose up from the current master branch
2. Send a put request to start a nikto or sslyze scan
3. After the initialization of the ElasticSearchPersistenceProvider the message
   "Unexpected Error while trying to init a persistence provider!" should appear.
4. See error

System (please complete the following information):

• OS: Windows 10
• Docker Version: 19.03.4
• Docker Compose Version: 1.24.1

EDIT: In case anyone else has this issue, make sure you have the elasticsearch-oss version 6.8.1 or higher.

When you start the stack for the first time, you have to add a "simple filter" in the tasklist menu. If you miss this step you couldn't see the result tasks.

We should document this step in the user guide.

The v2.0.0 release is close 😱🚀

For the release we should prepare some release notes which could link to @Weltraumschaf up and coming v2 announcement blog posts.

Requires #136 & #137

Hi,
I installed scb via docker-compose, added a user, granted it all permissions and roles and spun up instances of dvwa and juice-shop to test on.
When I try to initiate an advanced scan I get a ticket and claim it, but when I try to set anything in the advanced parameters field (i.e. nmap -A localhost or nikto -host localhost -port 3000) the "Complete" Button is disabled, same goes for the "Save" button. I can click it once, but when I refresh the ticket no changes are actually saved.
Is this a known bug or am I doing something wrong?

Thanks in advance, Cheers!

The secureCodeBox API should be secured with an authentication method like Basic Auth to ensure that only authenticated scanners are allowed to pull and push scan jobs. This is important if you deploy the scanner and engine in different networks.

Therefore the Engine API needs an configurable Authentication and all scanners must be able to authenticate. This feature must be configurable via environment variables.

Describe the bug
CLI tries to connect to the deprecated and removed /box/processes endpoint.
This makes the cli assume that the engine is down and terminate before doing any actual work.

To Reproduce
Start any process via cli.

Expected behavior
Process should be started correctly.

Additional context
To ensure that the error are detected earlier, the integration test could try to start a process via the cli.

To test if the repo migration (see: #136) worked correctly, we should perform a test release in the repository to ensure that the workflow and release process still works correctly.

Is your feature request related to a problem?
As an DevSecOps developer i want to use the Wordpress Security Scanner with the secureCodeBox, to test my Wordpress instance, if there are some old plugin versions installed.

Hint: If you are new and need some help implementing a new security for the secureCodeBox, please have a look at our documentation.

Steps to implement a new scanner

A general guide how to implement a new scanner is documented here

Must have

• Create a new public secureCodeBox repository for the scanner implementation
• Implement a new scanner microservice an reuse some of the existing stuff, if possible
• Check if there is a healthcheck for the microservice implemented
• Implement a new basic security process for the scanner
• Update the docker-compose files and integrate your new scanner there
• Update the user guide and developer guide
• Implement a integration test for the scanner here

Should have

• Update the CLI examples
• Update the Jenkins Pipeline examples
• Update the OpenShift Container Setup

Is your feature request related to a problem? Please describe.
Enhance the multi tenancy support of the secureCodeBox API.

This allows Users to restrict access to ability to see and work on securityTests. This enables Users to scan services located in isolated networks, by restricting the access to Scans to the technical users of the scanner services inside these networks. By restricting the access to the securityTest to the isolated worker it is ensured that no other worker outside this network can "steal" this job.

Describe the solution you'd like
The easiest way to configure multi tenancy is to create multiple camunda tenants (secureCodeBox engine) and assign the technical users to the corresponding tenant. To control to which tenant a securityTest should belong you can set the tenant attribute on the securityTest model, when starting a process.

Note: You need to be a member of the tenant to start a process as part of the tenant. When the tenant attribute is set to null or is not set at all the process will be started without a tenant.

Open Todos:

• Add documentation on how multi tenancy works and how to use it
• Find & Document a way to prevent tenant works to lock jobs without a tenant. (This should already be possible to do, by setting up the authentication correctly)

As a secureCodeBox user i would like to be able to change / manipulate the nmap findings severity, based on a simple rule pattern. By default all NMAP Port findings are classified with the severity Informational. In some use cases i would like to change the port specific severity classification based on custom rules. For example if some port ranges are prohibited 🚫 to use.

The custom severity configuration should also be applied if the NMAP scan will be started by cascadingScanRules (e.g. as subsequent scan started by AMASS).

Describe the solution you'd like
In the secureCodeBox v1 there is an NMAP specific implementation example how to change some port specific severity classifications, but without any configuration options: secureCodeBox/engine@c40b499

An example configuration could look something like this:

openport:
  port: 21
    severity: HIGH
  port: 22
    severity: MEDIUM
  port: 389
    severity: HIGH
  port: 9200
    severity: LOW

Describe alternatives you've considered
The updatefield-hook implements a lightweight findings post processing. But currently it is only possible to add new attributes to findings. But it has no feature to manipulate finding attributes based on rules. Extending the updatefield-hook in this way would maybe leed to a more generic solution which could also apply to other scanners and usecases.

For a more generic approach maybe the cascadingRule definition configuration semantic could be a good example how to configure the post processing:

rules:
  - rule:
       matches:
         anyOf:
           - category: "Open Port"
              attributes:
                port: 21
                state: open
           - category: "Open Port"
              attributes:
                port: 389
                state: open
        attribute:
          name: "severity"
          value: "high"
  - rule:
       matches:
         anyOf:
           - category: "Open Port"
              attributes:
                port: 22
                state: open
        attribute:
          name: "severity"
          value: "medium"
  - rule:
       matches:
         anyOf:
           - category: "Open Port"
              attributes:
                port: 9200
                state: open
        attribute:
          name: "severity"
          value: "low"

When will you release the project?

name: '🚓 New Security Scanner request'
about: 'Suggest an idea for a new security scanner to integrate in this project.'
labels: 'scanner'

New Scanner implementation request

Is your feature request related to a problem? Please describe.
As user, I would like to use VEGA with the secureCodeBox

Describe the solution you'd like
VEGA is integrated into the secureCodeBox

Steps to implement a new scanner

• Create a new folder with the name of the scanner here
• Add a README.md and give a brief overview of the scanner and its configuration options.
• Implement a new scanner specific scan-type.yaml
• Implement a new scanner specific parse-definition.yaml
• Add (optional) some cascading-rules.yaml
• Add (optional) a Dockerfile for the scanner if there is no existing one publicly available on dockerHub
• Use the parser-SDK to implement a new findings parser (currently based on NodeJS)
• Add unit tests with at minimum 80% test coverage
  ~

Is your feature request related to a problem? Please describe.
As a security tester i would like to configure the start time pattern for scheduledScans more precisely. For now it is possible to configure the time interval (hours) between to scans but the starting point relates to the installation time of the scheduledScan.

Describe the solution you'd like
To be able to configure a more complex schedule for my security scan it would be great to support a crontab syntax as an alternative option.

Example

apiVersion: "execution.securecodebox.io/v1"
kind: ScheduledScan
metadata:
  name: "nmap-scanme.nmap.org-daily"
spec:
  crontab: "0 12 * * *"
  scanSpec:
    scanType: "nmap"
    parameters:
        # Use nmaps service detection feature
        - "-sV"
        - scanme.nmap.org
  historyLimit: 3

Describe alternatives you've considered
none

Additional context

• About Cron: https://en.wikipedia.org/wiki/Cron
• GO Library for parsing https://godoc.org/github.com/robfig/cron
• https://docs.securecodebox.io/docs/api/crds/scheduled-scan

name: '🚓 New Security Scanner request'
about: 'Suggest an idea for a new security scanner to integrate in this project.'
labels: 'scanner'

New Scanner implementation request

Is your feature request related to a problem? Please describe.
As an user i want to use the Burp Security Scanner with the secureCodeBox, to test my WebApplications.

Describe the solution you'd like
Burp is integrated into the secureCodeBox

Steps to implement a new scanner

• Create a new folder with the name of the scanner here
• Add a README.md and give a brief overview of the scanner and its configuration options.
• Implement a new scanner specific scan-type.yaml
• Implement a new scanner specific parse-definition.yaml
• Add (optional) some cascading-rules.yaml
• Add (optional) a Dockerfile for the scanner if there is no existing one publicly available on dockerHub
• Use the parser-SDK to implement a new findings parser (currently based on NodeJS)
• Add unit tests with at minimum 80% test coverage

As a User i would like to use the OWASP DefectDojo Projekt to analyse my findings (instead or in parallel to my kibana dashboard). While the secureCodeBox has its major focus on the automation part of the security scanner execution, defectDojo is good in visualising, deduplication and analysing the findings.

To integrate OWASP DefectDojo it's necessary to implement a new persistenceProvider which pushes the raw finding results of each scanner to the new DefectDojo API: ImportScan. DefectDojo can be started as a separate Docker Container within the secureCodeBox Stack.

Possible Scanner Integrations:

• NMAP (XML output (use -oX))
• Nikto (XML output)
• ZAP (ZAP XML report format)
• Arachni (Arachni JSON report format.)

Describe the bug
Containers are unhealthy after I've ran docker-compose. Enige container exited.

To Reproduce
Steps to reproduce the behavior:

1. git clone https://github.com/secureCodeBox/secureCodeBox
2. cd secureCodeBox
3. docker-compose -f docker-compose.yml up

Expected behavior
Containers go up and are functional. SecureCodeBox works like a charm ;-)

System (please complete the following information):

• OS: macOS Mojava
• Docker version 19.03.5, build 633a0ea
• docker-compose version 1.25.2, build 698e2846
• Not applicable

Screenshots / Logs
For engine logs: https://pastebin.com/CiYYU34c

We were able to start dockerised securecodebox, but how do we get the data fed into Kibana (as seen on the screenshots)?

Before we can properly release the v2.0.0 we have to merge over the code of this repository into the regular secureCodeBox Repository.

Things that should be thought of (list probably incomplete):

• Update go namespace (#144)
• Search for references in the docs and code (#144, partly docs missing)
• Ensure that the Docker Builds still works (Including github action secrets)
• Ensure that the Helm Publishing still works (Including github action secrets)
• Copy Netlify webhook (configured, works)
• Update Codacity integration
• Update CodeClimate integration
• Update fossa integration

SSH brute-forcing scanner implementation request

Is your feature request related to a problem? Please describe.

Add a scanner to test ssh servers for common username / password combos.

Describe the solution you'd like

Integrate a ssh brute-forcing tools:

Potential Tools:

• Ncrack: https://nmap.org/ncrack/man.html
  Allows for brute-forcing of multiple different services (Noteable: SSH, FTP, POP, IMAP, Wordpress. See the repo for the available modules)
• SSH-Brute-Forcer: https://github.com/R4stl1n/SSH-Brute-Forcer

If you now any other potential tools please add a comment with a link to it.

Steps to implement a new scanner

Hint: A general guide how to implement a new scanner is documented here

Must have

• Create a new public secureCodeBox repository for the scanner implementation
• Implement a new scanner microservice an reuse some of the existing stuff, if possible
• Check if there is a healthcheck for the microservice implemented
• Implement a new basic security process for the scanner
• Update the docker-compose files and integrate your new scanner there
• Update the user guide and developer guide
• Implement a integration test for the scanner here

Should have

• Update the CLI examples
• Update the Jenkins Pipeline examples
• Update the OpenShift Container Setup

Describe the bug

When the user is not authorized to start a specific scan or the engine encounters a error while starting the scan the only related output of the runScanner.sh script is something like "Failed to identify process ID!"

To Reproduce

Use runScanner.sh to start a scan you are not authorized for. E.g. for a tenant you are not a member of.

Expected behavior

The script logs a error related to the response status code.

E.g.
4xx: "The user is not authorized to create this securityTest"
404: "The securityTest 'foobar' does not exists"
500: "Encountered unexpected Error in engine. Check the logs of engine for additional details"

System (please complete the following information):

all

Dear secureCodeBox team,

I decide to spin your box, but unfortunately I do not seem to be able to initialize secureCodeBox in docker. When running docker ps -a, I noticed that securecodebox/engine:oss exited. References are provided in the log-files. Obviously, port 8080 is not hosting any web application (checked with netstat). Lastly, the log files seem to run in a loop while showing the following output.

scanner-webapplication-arachni_1 | D, [2018-08-06T12:21:25.710779 #7] DEBUG -- : Getting new scans
scanner-webapplication-arachni_1 | D, [2018-08-06T12:21:25.711148 #7] DEBUG -- : fetching task
scanner-webapplication-arachni_1 | D, [2018-08-06T12:21:25.722771 #7] DEBUG -- : Error while connecting to http://engine:8080/box/jobs/lock/arachni_webapplicationscan/ce6d88dc-13fb-4ef5-a801-c897fba09d87
scanner-webapplication-arachni_1 | D, [2018-08-06T12:21:25.723134 #7] DEBUG -- : Failed to open TCP connection to engine:8080 (getaddrinfo: Temporary failure in name resolution)
scanner-webapplication-arachni_1 | D, [2018-08-06T12:21:25.723446 #7] DEBUG -- : Sleeping for 5...

We have checked the script both in a Ubuntu 18.04 box on VMWare and a Ubuntu 16.04 box on AWS. In both instances, we have updated the virtual memory (MAX MAP COUNT variable). Both seem to run into the same problems.

Any suggestions?

KR, JK

name: "➹ Feature request"
about: "Suggest an idea for this project"

Is your feature request related to a problem? Please describe.

• When performing subdomain or network scans the results are pretty abstract, and require some amount of further research to determine whats running on a host and get a good overview.

Describe the solution you'd like

• Provide an easy way to screenshot every http port of all found hosts and get the results displayed back in a nice overview. One nice tool for that is aquatone: (https://github.com/michenriksen/aquatone) which does exactly that.

Describe alternatives you've considered

• Do the same outside of the secureCodeBox.
• Open every page by hand

Additional context

• This will be a challenging problem, as the results aka screenshots are by definition large and will in most likelihood require some sort of alternative blob storage for large files, outside the camunda engine.

OWASP Glue
DevSecOps Studio
https://www.owasp.org/index.php/OWASP_DevSecOps_Studio_Project

maybe there arre others. Saves perhaps lots of effort and energy !

To test for common API vulnerabilities like rate limiting, the scanner Astra (https://github.com/flipkart-incubator/Astra) looks promissing.

• Activate release drafter for all repos
• Investigate multi label categories