

Merge branch 'master' of https://github.com/AkhtarAmir/scans into fea…
…ture/code-build-desired-sources
AkhtarAmir committed Apr 20, 2021
2 parents 4993a1a + cd0b677 commit f593472
Showing 30 changed files with 829 additions and 254 deletions.
2 changes: 1 addition & 1 deletion collectors/azure/collector.js
Expand Up @@ -181,7 +181,7 @@ var calls = {
},
databaseAccounts: {
list: {
url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DocumentDB/databaseAccounts?api-version=2020-04-01'
url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DocumentDB/databaseAccounts?api-version=2020-06-01-preview'
}
}
};
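Review bot: The `databaseAccounts.list` URL now pins `api-version=2020-06-01-preview` (the line the diffstat marks as the addition), and nothing in the hunk records why a preview version is required. Preview API versions are not stable and are routinely retired, at which point this collector call would start failing and the plugins that depend on `databaseAccounts` would quietly report no results. A one-line comment above the entry, such as `// preview api-version needed for <PROPERTY — fill in the field this relies on>; revisit when a GA version exposes it`, would let the next maintainer know when it is safe to move back to a GA version. The `calls` object starts and ends outside this hunk.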
2 changes: 1 addition & 1 deletion collectors/google/collector.js
Expand Up @@ -259,7 +259,7 @@ var collect = function(GoogleConfig, settings, callback) {

helpers.authenticate(GoogleConfig)
.then(client => {

async.eachOfLimit(calls, 10, function(call, service, serviceCb) {
if (!collection[service]) collection[service] = {};

17 changes: 17 additions & 0 deletions config_example.js
Expand Up @@ -11,6 +11,14 @@ module.exports = {
// session_token: process.env.AWS_SESSION_TOKEN || '',
// plugins_remediate: ['bucketEncryptionInTransit']
},
aws_remediate: {
// OPTION 1: If using a credential JSON file, enter the path below
// credential_file: '/path/to/file.json',
// OPTION 2: If using hard-coded credentials, enter them below
// access_key: process.env.AWS_ACCESS_KEY_ID || '',
// secret_access_key: process.env.AWS_SECRET_ACCESS_KEY || '',
// session_token: process.env.AWS_SESSION_TOKEN || '',
},
azure: {
// OPTION 1: If using a credential JSON file, enter the path below
// credential_file: '/path/to/file.json',
Expand All @@ -20,6 +28,15 @@ module.exports = {
// directory_id: process.env.AZURE_DIRECTORY_ID || '',
// subscription_id: process.env.AZURE_SUBSCRIPTION_ID || ''
},
azure_remediate: {
// OPTION 1: If using a credential JSON file, enter the path below
// credential_file: '/path/to/file.json',
// OPTION 2: If using hard-coded credentials, enter them below
// application_id: process.env.AZURE_APPLICATION_ID || '',
// key_value: process.env.AZURE_KEY_VALUE || '',
// directory_id: process.env.AZURE_DIRECTORY_ID || '',
// subscription_id: process.env.AZURE_SUBSCRIPTION_ID || ''
},
google: {
// OPTION 1: If using a credential JSON file, enter the path below
// credential_file: process.env.GOOGLE_APPLICATION_CREDENTIALS || '/path/to/file.json',
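Review bot: The new `aws_remediate` and `azure_remediate` blocks repeat the scan-credential comments verbatim, so a reader has no hint that these credentials are different in kind from the `aws`/`azure` ones: remediation plugins change resources, whereas the scan only reads. That difference is the reason for keeping a separate block, so it is worth stating it, e.g. `// Credentials used only for remediation. Unlike the scan credentials these perform write operations,` / `// so use a separate identity scoped to the plugins listed in plugins_remediate.` placed at the top of each of the two blocks (the same note applies to the second hunk). Presumably the remediation identity can be much narrower than the scan one; confirming that against the permissions the remediate functions actually call would let the comment give a concrete scope. `module.exports` starts and ends outside these hunks.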
176 changes: 102 additions & 74 deletions engine.js
Expand Up @@ -2,7 +2,17 @@ var async = require('async');
var exports = require('./exports.js');
var suppress = require('./postprocess/suppress.js');
var output = require('./postprocess/output.js');

var azureHelper = require('./helpers/azure/auth.js');

function runAuth(settings, remediateConfig, callback) {
if (settings.cloud && settings.cloud == 'azure') {
azureHelper.login(remediateConfig, function(err, loginData) {
if (err) return (callback(err));
remediateConfig.token = loginData.token;
return callback();
});
} else callback();
}
/**
* The main function to execute CloudSploit scans.
* @param cloudConfig The configuration for the cloud provider.
Expand Down Expand Up @@ -138,84 +148,102 @@ var engine = function(cloudConfig, settings) {
console.log('INFO: Analysis complete. Scan report to follow...');

var maximumStatus = 0;

async.mapValuesLimit(plugins, 10, function(plugin, key, pluginDone) {
if (skippedPlugins.indexOf(key) > -1) return pluginDone(null, 0);

var postRun = function(err, results) {
if (err) return console.log(`ERROR: ${err}`);
if (!results || !results.length) {
console.log(`Plugin ${plugin.title} returned no results. There may be a problem with this plugin.`);
} else {
for (var r in results) {
// If we have suppressed this result, then don't process it
// so that it doesn't affect the return code.
if (suppressionFilter([key, results[r].region || 'any', results[r].resource || 'any'].join(':'))) {
continue;
}

var complianceMsg = [];
if (settings.compliance && settings.compliance.length) {
settings.compliance.forEach(function(c) {
if (plugin.compliance && plugin.compliance[c]) {
complianceMsg.push(`${c.toUpperCase()}: ${plugin.compliance[c]}`);
}
});
}
complianceMsg = complianceMsg.join('; ');
if (!complianceMsg.length) complianceMsg = null;

// Write out the result (to console or elsewhere)
outputHandler.writeResult(results[r], plugin, key, complianceMsg);

// Add this to our tracking for the worst status to calculate
// the exit code
maximumStatus = Math.max(maximumStatus, results[r].status);
// Remediation
if (settings.remediate && settings.remediate.length) {
if (settings.remediate.indexOf(key) > -1) {
if (results[r].status === 2) {
var resource = results[r].resource;
var event = {};
event.region = results[r].region;
event['remediation_file'] = {};
event['remediation_file'] = initializeFile(event['remediation_file'], 'execute', key, resource);
plugin.remediate(cloudConfig, collection, event, resource, (err, result) => {
if (err) return console.log(err);
return console.log(result);
});

function executePlugins(cloudRemediateConfig) {
async.mapValuesLimit(plugins, 10, function(plugin, key, pluginDone) {
if (skippedPlugins.indexOf(key) > -1) return pluginDone(null, 0);

var postRun = function(err, results) {
if (err) return console.log(`ERROR: ${err}`);
if (!results || !results.length) {
console.log(`Plugin ${plugin.title} returned no results. There may be a problem with this plugin.`);
} else {
for (var r in results) {
// If we have suppressed this result, then don't process it
// so that it doesn't affect the return code.
if (suppressionFilter([key, results[r].region || 'any', results[r].resource || 'any'].join(':'))) {
continue;
}

var complianceMsg = [];
if (settings.compliance && settings.compliance.length) {
settings.compliance.forEach(function(c) {
if (plugin.compliance && plugin.compliance[c]) {
complianceMsg.push(`${c.toUpperCase()}: ${plugin.compliance[c]}`);
}
});
}
complianceMsg = complianceMsg.join('; ');
if (!complianceMsg.length) complianceMsg = null;

// Write out the result (to console or elsewhere)
outputHandler.writeResult(results[r], plugin, key, complianceMsg);

// Add this to our tracking for the worst status to calculate
// the exit code
maximumStatus = Math.max(maximumStatus, results[r].status);
// Remediation
if (settings.remediate && settings.remediate.length) {
if (settings.remediate.indexOf(key) > -1) {
if (results[r].status === 2) {
var resource = results[r].resource;
var event = {};
event.region = results[r].region;
event['remediation_file'] = {};
event['remediation_file'] = initializeFile(event['remediation_file'], 'execute', key, resource);
plugin.remediate(cloudRemediateConfig, collection, event, resource, (err, result) => {
if (err) return console.log(err);
return console.log(result);
});
}
}
}
}

}

setTimeout(function() { pluginDone(err, maximumStatus); }, 0);
};

if (plugin.asl) {
console.log(`INFO: Using custom ASL for plugin: ${plugin.title}`);
// Inject APIs and resource maps
plugin.asl.apis = plugin.apis;
var aslConfig = require('./helpers/asl/config.json');
var aslVersion = plugin.asl.version ? plugin.asl.version : aslConfig.current_version;
let aslRunner;
try {
aslRunner = require(`./helpers/asl/asl-${aslVersion}.js`);

} catch (e) {
postRun('Error: ASL: Wrong ASL Version: ', e);
}

aslRunner(collection, plugin.asl, resourceMap, postRun);
} else {
plugin.run(collection, settings, postRun);
}
setTimeout(function() { pluginDone(err, maximumStatus); }, 0);
};

if (plugin.asl) {
console.log(`INFO: Using custom ASL for plugin: ${plugin.title}`);
// Inject APIs and resource maps
plugin.asl.apis = plugin.apis;
var aslConfig = require('./helpers/asl/config.json');
var aslVersion = plugin.asl.version ? plugin.asl.version : aslConfig.current_version;
var aslRunner = require(`./helpers/asl/asl-${aslVersion}.js`);
aslRunner(collection, plugin.asl, resourceMap, postRun);
} else {
plugin.run(collection, settings, postRun);
}
}, function(err) {
if (err) return console.log(err);
// console.log(JSON.stringify(collection, null, 2));
outputHandler.close();
if (settings.exit_code) {
// The original cloudsploit always has a 0 exit code. With this option, we can have
// the exit code depend on the results (useful for integration with CI systems)
console.log(`INFO: Exiting with exit code: ${maximumStatus}`);
process.exitCode = maximumStatus;
}
console.log('INFO: Scan complete');
});
}, function(err) {
if (err) return console.log(err);
// console.log(JSON.stringify(collection, null, 2));
outputHandler.close();
if (settings.exit_code) {
// The original cloudsploit always has a 0 exit code. With this option, we can have
// the exit code depend on the results (useful for integration with CI systems)
console.log(`INFO: Exiting with exit code: ${maximumStatus}`);
process.exitCode = maximumStatus;
}
console.log('INFO: Scan complete');
});
}

if (settings.remediate && settings.remediate.length && cloudConfig.remediate) {
runAuth(settings, cloudConfig.remediate, function(err) {
if (err) return console.log(err);
executePlugins(cloudConfig.remediate);
});
} else {
executePlugins(cloudConfig);
}
});
};

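Review bot: The `catch` around the ASL `require` (the try/catch variant, which the section's line counts mark as the new side inside `executePlugins`) logs through `postRun` but does not return, so the following `aslRunner(collection, plugin.asl, resourceMap, postRun);` still runs with `aslRunner` undefined and a wrong ASL version ends in a TypeError instead of the intended message; `} catch (e) { return postRun(`ASL: Wrong ASL Version: ${aslVersion}`); }` closes that gap. Note that `postRun`'s error branch, `if (err) return console.log(`ERROR: ${err}`);`, never calls `pluginDone`, so any plugin that errors leaves `async.mapValuesLimit` waiting and `outputHandler.close()` is never reached — this predates the commit, but the new wrapper carries it over unchanged. The new remediation path has the same shape: when `runAuth` fails, `if (err) return console.log(err);` ends the run with no plugins executed, no `outputHandler.close()` and the default exit code, which reads as a successful empty scan; either fall back to `executePlugins(cloudConfig)` without remediation or set a non-zero `process.exitCode` before returning. Since `aslVersion` comes from the plugin's own ASL definition and is interpolated into the require path, validating it against the versions declared in `aslConfig` before the `require` would also keep custom ASL input from selecting an unintended module. The `engine` function starts before this hunk.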

