secureCodeBox · rfelber · Aug 7, 2021 · Jul 28, 2021 · Jul 28, 2021 · Jul 30, 2021
diff --git a/.gitignore b/.gitignore
@@ -13,6 +13,7 @@
 **/*.monopic
 .s3_credentials
 **/__pycache__
+**/venv/
 
 
 ### IntelliJ IDEA ###

diff --git a/scanners/zap-advanced/.helmignore b/scanners/zap-advanced/.helmignore
@@ -5,9 +5,7 @@
 .DS_Store
 
 parser/
-scanner/*.*
-scanner/zapclient/
-scanner/tests/
+scanner/
 examples/
 docs/
 

diff --git a/...ers/zap-advanced/examples/demo-petstoreapi-scan-authenticated-no-hardcoded-urls/scan.yaml b/...ers/zap-advanced/examples/demo-petstoreapi-scan-authenticated-no-hardcoded-urls/scan.yaml
@@ -0,0 +1,74 @@
+# SPDX-FileCopyrightText: 2021 iteratec GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: zap-advanced-scan-config
+data:
+  2-zap-advanced-scan.yaml: |-
+
+    # ZAP Contexts Configuration 
+    contexts:
+      # Name to be used to refer to this context in other jobs, mandatory
+      - name: scb-petstore-context
+        # An optional list of regexes to include
+        includePaths:
+          - "https?://.*\\..*.svc:.*"
+          - "https?://.*\\..*.svc/.*"
+          - "https?://.*\\..*.svc.cluster.local/.*"
+          - "https?://.*\\..*.svc.cluster.local:.*"
+        # An optional list of regexes to exclude
+        excludePaths:
+          - ".*\\.css"
+          - ".*\\.png"
+          - ".*\\.jpeg"
+
+    apis:
+      - name: scb-petstore-api
+        # -- The Name of the context (zapConfiguration.contexts[x].name) to spider, default: first context available.
+        context: scb-petstore-context
+        # -- format of the API ('openapi', 'grapql', 'soap')
+        format: openapi
+        # -- path to the OpenAPI spec. Always relative to the targets **hosts**, paths in the targets url will be ignored
+        path: /v2/swagger.json
+
+    # ZAP ActiveScans Configuration 
+    scanners:
+      - name: scb-petstore-scan
+        # String: Name of the context to attack, default: first context
+        context: scb-petstore-context
+        # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
+        maxRuleDurationInMins: 1
+        # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
+        maxScanDurationInMins: 5
+        # Int: The max number of threads per host, default: 2
+        threadPerHost: 5
+
+
+---
+apiVersion: "execution.securecodebox.io/v1"
+kind: Scan
+metadata:
+  name: "zap-advanced-api-scan-petstore"
+  labels:
+    organization: "OWASP"
+spec:
+  scanType: "zap-advanced-scan"
+  parameters:
+    # target URL including the protocol
+    - "--target"
+    - "http://swagger-petstore.default.svc/"
+    - "--context"
+    - "scb-petstore-context"
+  volumeMounts:
+    - name: zap-advanced-scan-config
+      mountPath: /home/securecodebox/configs/2-zap-advanced-scan.yaml
+      subPath: 2-zap-advanced-scan.yaml
+      readOnly: true
+  volumes:
+    - name: zap-advanced-scan-config
+      configMap:
+        name: zap-advanced-scan-config
diff --git a/scanners/zap-advanced/examples/demo-petstoreapi-scan-unauthenticated/scan.yaml b/scanners/zap-advanced/examples/demo-petstoreapi-scan-unauthenticated/scan.yaml
@@ -36,7 +36,10 @@ data:
         url: http://petstore.demo-targets.svc/
         # An optional list of regexes to include
         includePaths:
-          - "http://petstore.demo-targets.svc/v2.*"
+          - "https?://.*\\..*.svc:.*"
+          - "https?://.*\\..*.svc/.*"
+          - "https?://.*\\..*.svc.cluster.local/.*"
+          - "https?://.*\\..*.svc.cluster.local:.*"
         # An optional list of regexes to exclude
         excludePaths:
           - ".*\\.css"
@@ -51,6 +54,8 @@ data:
         format: openapi
         # -- Url to start spidering from, default: first context URL
         url: http://petstore.demo-targets.svc/v2/swagger.json
+        # -- Relative path for the given targetUrl. mutually exclusiv to the URL configuration.
+        relativePath: /v2/swagger.json
         # -- Override host setting in swagger.json
         hostOverride: http://petstore.demo-targets.svc
 

diff --git a/scanners/zap-advanced/scanner/docker-compose.demo-apps.yaml b/scanners/zap-advanced/scanner/docker-compose.demo-apps.yaml
@@ -9,7 +9,7 @@ services:
     deploy:
       replicas: 1
       restart_policy:
-        condition: any
+        condition: on-failure
     ports:
       - "8080:8080"
     healthcheck:
@@ -26,7 +26,7 @@ services:
     deploy:
       replicas: 1
       restart_policy:
-        condition: any
+        condition: on-failure
     ports:
       - "3000:3000"
     healthcheck:
@@ -43,7 +43,7 @@ services:
     deploy:
       replicas: 1
       restart_policy:
-        condition: any
+        condition: on-failure
     ports:
       - "8000:8080"
     environment: 

diff --git a/scanners/zap-advanced/scanner/docker-compose.test.yaml b/scanners/zap-advanced/scanner/docker-compose.test.yaml
@@ -9,7 +9,7 @@ services:
     deploy:
       replicas: 1
       restart_policy:
-        condition: any
+        condition: on-failure
     ports:
       - "8080:8080"
     healthcheck:
@@ -26,7 +26,7 @@ services:
     deploy:
       replicas: 1
       restart_policy:
-        condition: any
+        condition: on-failure
     ports:
       - "3000:3000"
     healthcheck:
@@ -43,7 +43,7 @@ services:
     deploy:
       replicas: 1
       restart_policy:
-        condition: any
+        condition: on-failure
     ports:
       - "8000:8080"
     environment: 
@@ -64,7 +64,7 @@ services:
     deploy:
       replicas: 1
       restart_policy:
-        condition: any
+        condition: on-failure
     ports:
       - "8090:8090"
     links:
@@ -91,15 +91,15 @@ services:
       - 'api.addrs.addr.regex=true'
       - '-config'
       - 'api.disablekey=true'
-      - '-addonupdate'
-      - '-addoninstall'
-      - 'pscanrulesBeta'
-      - '-addoninstall'
-      - 'ascanrulesBeta'
-      - '-addoninstall'
-      - 'pscanrulesAlpha'
-      - '-addoninstall'
-      - 'ascanrulesAlpha'
+      #- '-addonupdate'
+      #- '-addoninstall'
+      #- 'pscanrulesBeta'
+      #- '-addoninstall'
+      #- 'ascanrulesBeta'
+      #- '-addoninstall'
+      #- 'pscanrulesAlpha'
+      #- '-addoninstall'
+      #- 'ascanrulesAlpha'
     healthcheck:
       interval: 1m30s
       retries: 3

diff --git a/scanners/zap-advanced/scanner/docker-compose.yaml b/scanners/zap-advanced/scanner/docker-compose.yaml
@@ -9,7 +9,7 @@ services:
     deploy:
       replicas: 1
       restart_policy:
-        condition: any
+        condition: on-failure
     ports:
       - "8080:8080"
     healthcheck:
@@ -26,7 +26,7 @@ services:
     deploy:
       replicas: 1
       restart_policy:
-        condition: any
+        condition: on-failure
     ports:
       - "3000:3000"
     healthcheck:
@@ -43,7 +43,7 @@ services:
     deploy:
       replicas: 1
       restart_policy:
-        condition: any
+        condition: on-failure
     ports:
       - "8000:8080"
     environment: 
@@ -64,7 +64,7 @@ services:
     deploy:
       replicas: 1
       restart_policy:
-        condition: any
+        condition: on-failure
     ports:
       - "8090:8090"
     links:
@@ -91,15 +91,15 @@ services:
       - 'api.addrs.addr.regex=true'
       - '-config'
       - 'api.disablekey=true'
-      - '-addonupdate'
-      - '-addoninstall'
-      - 'pscanrulesBeta'
-      - '-addoninstall'
-      - 'ascanrulesBeta'
-      - '-addoninstall'
-      - 'pscanrulesAlpha'
-      - '-addoninstall'
-      - 'ascanrulesAlpha'
+      #- '-addonupdate'
+      #- '-addoninstall'
+      #- 'pscanrulesBeta'
+      #- '-addoninstall'
+      #- 'ascanrulesBeta'
+      #- '-addoninstall'
+      #- 'pscanrulesAlpha'
+      #- '-addoninstall'
+      #- 'ascanrulesAlpha'
     healthcheck:
       interval: 1m30s
       retries: 3

diff --git a/...advanced/scanner/tests/mocks/context-using-forced-context/1_zap-advanced-scan-config.yaml b/...advanced/scanner/tests/mocks/context-using-forced-context/1_zap-advanced-scan-config.yaml
@@ -0,0 +1,20 @@
+# SPDX-FileCopyrightText: 2021 iteratec GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+contexts:
+  - name: scb-bodgeit-context
+    url: http://bodgeit:8080/bodgeit/
+  - name: scb-test-context
+    url: http://test.example.com
+spiders:
+  - name: scb-test-spider
+    context: scb-test-context
+  - name: should-not-take-this-spider
+    context: scb-bodgeit-context
+scanners:
+  - name: should-not-take-this-scanner
+    context: scb-bodgeit-context
+  - name: scb-test-scanner
+    context: scb-test-context
diff --git a/...zap-advanced/scanner/tests/mocks/scan-full-bodgeit-docker/1_zap-advanced-scan-config.yaml b/...zap-advanced/scanner/tests/mocks/scan-full-bodgeit-docker/1_zap-advanced-scan-config.yaml
@@ -3,6 +3,19 @@
 # SPDX-License-Identifier: Apache-2.0
 
 ---
+# Global ZAP Configurations - NOT YET IMPLEMENTED
+global:
+  # True to create another ZAP session (overwrite the former if the same name already exists), False to use an existing on
+  isNewSession: true
+  # Sets the ZAP Session name
+  sessionName: SCB
+  # Sets the connection time out, in seconds.
+  timeoutInSeconds: 120
+  # Sets the mode, which may be one of [safe, protect, standard, attack]
+  mode: attack
+  # Sets the user agent that ZAP should use when creating HTTP messages (for example, spider messages or CONNECT requests to outgoing proxy).
+  defaultUserAgent: "secureCodeBox/2.7.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0"
+
 # List of 1 or more contexts, mandatory
 contexts:
   # Name to be used to refer to this context in other jobs, mandatory
@@ -42,6 +55,7 @@ contexts:
     session:
       # Currently supports "scriptBasedSessionManagement", "cookieBasedSessionManagement", "httpAuthSessionManagement"
       type: "cookieBasedSessionManagement"
+
 spiders:
   - name: scb-bodgeit-spider
     # String: Name of the context to spider, default: first context
@@ -58,7 +72,7 @@ spiders:
     maxDuration: 1
     # Int: The maximum tree depth to explore, default 5
     maxDepth: 5
-    # Int: The maximum number of children to add to each node in the tree                     
+    # Int: The maximum number of children to add to each node in the tree
     maxChildren: 10
     # # Int: The max size of a response that will be parsed, default: 2621440 - 2.5 Mb
     # maxParseSizeBytes: 2621440
@@ -86,10 +100,11 @@ spiders:
     requestWaitTime: 200
     # Bool: Whether the spider will send the referer header, default: true
     sendRefererHeader: true
-    # Int: The number of spider threads, default: 2             
+    # Int: The number of spider threads, default: 2
     threadCount: 2
-    # String: The user agent to use in requests, default: '' - use the default ZAP one               
+    # String: The user agent to use in requests, default: '' - use the default ZAP one
     userAgent: "secureCodeBox / ZAP Spider"
+
 scanners:
   - name: scb-bodgeit-scan
     # String: Name of the context to attack, default: first context
@@ -100,7 +115,7 @@ scanners:
     url: http://bodgeit:8080/bodgeit/
     # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
     maxRuleDurationInMins: 1
-    # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited          
+    # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
     maxScanDurationInMins: 2
     # Int: The max number of threads per host, default: 2
     threadPerHost: 5
@@ -110,7 +125,7 @@ scanners:
     addQueryParam: false
     # Bool: If set then automatically handle anti CSRF tokens, default: false
     handleAntiCSRFTokens: false
-    # Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false           
+    # Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false
     injectPluginIdInHeader: false
     # Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false
     scanHeadersAllRequests: false
diff --git a/...p-advanced/scanner/tests/mocks/scan-full-juiceshop-docker/1_zap-advanced-scan-config.yaml b/...p-advanced/scanner/tests/mocks/scan-full-juiceshop-docker/1_zap-advanced-scan-config.yaml
@@ -9,6 +9,7 @@ global:
   isNewSession: true
   # ZAP Session name
   sessionName: secureCodeBox
+
 # List of 1 or more contexts, mandatory
 contexts:
   # Name to be used to refer to this context in other jobs, mandatory
@@ -39,9 +40,10 @@ contexts:
         # must be escaped already to prevent yaml parser colidations '{"user":{"id":1,"email":"[email protected]"}}''
         # loginRequestData: '{"email":"{%username%}","password":"{%password%}"}'
         loginRequestData: '{"email":"[email protected]","password":"admin123"}'
+        # Username Parameter: email
+        # Password Parameter: password
       # Indicates if the current Zap User Session is based on a valid authentication (loggedIn) or not (loggedOut)
       verification:
-        # isLoggedInIndicator: "\Q<a href="password.jsp">\E"
         isLoggedOutIndicator: '\Q{"user":{}}\E'
     users:
       - name: juiceshop-user-1
@@ -59,6 +61,7 @@ contexts:
         # Must be a full path to the script file inside the ZAP container (corresponding to the configMap FileMount)
         filePath: "/home/zap/.ZAP_D/scripts/scripts/session/juiceshop-session-management.js"
         description: "This is a JuiceShop specific SessionManagement Script used to handle JWT."
+
 spiders:
   - name: scb-juiceshop-spider
     # String: Name of the context to spider, default: first context
@@ -77,6 +80,7 @@ spiders:
     maxDuration: 2
     # Int: The maximum tree depth to explore, default 5
     maxDepth: 10
+
 scanners:
   - name: scb-juiceshop-scan
     # String: Name of the context to attack, default: first context