Commit
Manual merge of origin/main and address comments by @ammer92
originalsouth committed Jul 4, 2024
2 parents 54cea93 + b9bbc3b commit 90fbda2
Showing 147 changed files with 6,433 additions and 1,872 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/boefjes_container_image.yml
@@ -54,7 +54,7 @@ jobs:
cp _version.py boefjes/boefjes/katalogus/version.py
- name: Build container image
uses: docker/build-push-action@v5
uses: docker/build-push-action@v6
with:
# We don't use git context because that doesn't process .dockerignore
# https://github.com/docker/cli/issues/2827
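Review bot: the bump keeps `docker/build-push-action` on a floating major tag (`@v6`), so this job, which holds the repository token and pushes images, runs whatever commit that tag is later moved to. For a supply-chain-sensitive step, pin to the action's full commit SHA with the version in a trailing comment (`uses: docker/build-push-action@<commit-sha> # v6`, placeholder SHA) and let Dependabot or Renovate move it; the same applies to the other `@v5` to `@v6` bumps in this commit. Tag pinning is the existing convention in these workflows, so treat this as a policy question rather than a defect in the hunk.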
2 changes: 1 addition & 1 deletion .github/workflows/build-debian-docker-image.yml
@@ -51,7 +51,7 @@ jobs:
type=sha
- name: Build and push Docker image
uses: docker/build-push-action@v5
uses: docker/build-push-action@v6
with:
context: ./packaging/${{ matrix.dist }}
push: true
2 changes: 1 addition & 1 deletion .github/workflows/bytes_container_image.yml
@@ -51,7 +51,7 @@ jobs:
cp _version.py bytes/bytes/version.py
- name: Build container image
uses: docker/build-push-action@v5
uses: docker/build-push-action@v6
with:
# We don't use git context because that doesn't process .dockerignore
# https://github.com/docker/cli/issues/2827
69 changes: 69 additions & 0 deletions .github/workflows/containerized_boefjes.yml
@@ -0,0 +1,69 @@
name: Build containerized boefjes

on:
push:
branches:
- "main"
- "release-*"
tags:
- "*"
paths:
- boefjes/boefjes/plugins/**
- boefjes/images/**
- .github/workflows/containerized_boefjes.yml
pull_request:
paths:
- boefjes/boefjes/plugins/kat_nmap_tcp/**
- boefjes/boefjes/plugins/kat_nmap_udp/**
- boefjes/boefjes/plugins/kat_dnssec/**
- boefjes/images/**
- .github/workflows/containerized_boefjes.yml

jobs:
build_containerized_boefjes:
strategy:
matrix:
include:
- dockerfile: boefjes/boefjes/plugins/kat_nmap_tcp/boefje.Dockerfile
image: openkat/nmap
- dockerfile: boefjes/boefjes/plugins/kat_dnssec/boefje.Dockerfile
image: openkat/dns-sec
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
ghcr.io/${{ github.repository_owner }}/${{ matrix.image }}
tags: |
type=ref,event=branch
type=ref,event=tag
type=ref,event=pr
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
id: buildx

- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build container image for ${{ matrix.image }}
uses: docker/build-push-action@v6
with:
# We don't use git context because that doesn't process .dockerignore
# https://github.com/docker/cli/issues/2827
context: ./boefjes
file: ${{ matrix.dockerfile }}
push: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
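Review bot: the job logs in to ghcr.io with `secrets.GITHUB_TOKEN` and pushes, but the workflow declares no `permissions:` block, so it silently depends on the repository's default token scope; add `permissions: { contents: read, packages: write }` at the job level so the push works when the default is read-only and the token carries nothing beyond what this job needs. Two consistency points in the same file: `pull_request.paths` lists `boefjes/boefjes/plugins/kat_nmap_udp/**`, but the build matrix has no entry for that plugin, so a change there triggers a run that builds nothing for it (add the dockerfile/image pair or drop the path); and the `tags` rules produce only branch, tag and `pr-N` tags, while `kat_dnssec/boefje.json` in this same commit pulls `ghcr.io/minvws/openkat/dns-sec:latest`, so unless the action's default `flavor` supplies `latest` for you, add `type=raw,value=latest,enable={{is_default_branch}}` to the list.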
2 changes: 1 addition & 1 deletion .github/workflows/keiko_container_image.yml
@@ -51,7 +51,7 @@ jobs:
cp _version.py keiko/keiko/version.py
- name: Build container image
uses: docker/build-push-action@v5
uses: docker/build-push-action@v6
with:
# We don't use git context because that doesn't process .dockerignore
# https://github.com/docker/cli/issues/2827
2 changes: 1 addition & 1 deletion .github/workflows/masscan_container_image.yml
@@ -55,7 +55,7 @@ jobs:
type=sha
- name: Build and push Docker image
uses: docker/build-push-action@v5
uses: docker/build-push-action@v6
with:
context: ./boefjes/images/masscan
push: true
2 changes: 1 addition & 1 deletion .github/workflows/mula_container_image.yml
@@ -51,7 +51,7 @@ jobs:
cp _version.py mula/scheduler/version.py
- name: Build container image
uses: docker/build-push-action@v5
uses: docker/build-push-action@v6
with:
# We don't use git context because that doesn't process .dockerignore
# https://github.com/docker/cli/issues/2827
2 changes: 1 addition & 1 deletion .github/workflows/octopoes_container_image.yml
@@ -51,7 +51,7 @@ jobs:
cp _version.py octopoes/octopoes/version.py
- name: Build container image
uses: docker/build-push-action@v5
uses: docker/build-push-action@v6
with:
# We don't use git context because that doesn't process .dockerignore
# https://github.com/docker/cli/issues/2827
2 changes: 1 addition & 1 deletion .github/workflows/rocky_container_image.yml
@@ -53,7 +53,7 @@ jobs:
cp _version.py rocky/rocky/version.py
- name: Build container image
uses: docker/build-push-action@v5
uses: docker/build-push-action@v6
with:
# We don't use git context because that doesn't process .dockerignore
# https://github.com/docker/cli/issues/2827
6 changes: 3 additions & 3 deletions boefjes/Makefile
@@ -37,9 +37,9 @@ build: images

images: # Build the images for the containerized boefjes
# Dns-records is disabled for now, see the discussion in https://github.com/minvws/nl-kat-coordination/pull/2709
# docker build -f images/base.Dockerfile -t openkat/dns-records --build-arg BOEFJE_PATH=./boefjes/plugins/kat_dns .
docker build -f ./boefjes/plugins/kat_dnssec/boefje.Dockerfile -t openkat/dns-sec .
docker build -f ./boefjes/plugins/kat_nmap_tcp/boefje.Dockerfile -t openkat/nmap .
# docker build -f images/base.Dockerfile -t ghcr.io/minvws/openkat/dns-records --build-arg BOEFJE_PATH=./boefjes/plugins/kat_dns .
docker build -f ./boefjes/plugins/kat_dnssec/boefje.Dockerfile -t ghcr.io/minvws/openkat/dns-sec:latest .
docker build -f ./boefjes/plugins/kat_nmap_tcp/boefje.Dockerfile -t ghcr.io/minvws/openkat/nmap:latest .


##
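Review bot: the disabled `dns-records` line was moved to the new `ghcr.io/minvws/openkat/` prefix but not given the `:latest` suffix the two active lines now use, so whoever re-enables it will build an image whose name does not match the `oci_image` convention used by the `boefje.json` files in this commit; update the commented line too so the three stay in step.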
2 changes: 1 addition & 1 deletion boefjes/boefjes/plugins/kat_dnssec/boefje.json
@@ -6,5 +6,5 @@
"Hostname"
],
"scan_level": 1,
"oci_image": "openkat/dns-sec"
"oci_image": "ghcr.io/minvws/openkat/dns-sec:latest"
}
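Review bot: `oci_image` now resolves to a mutable `:latest` tag, so what the boefje runner actually executes is whatever image was last pushed under that name, with no link to the code revision that was tested; a branch build or a bad push changes scanner behaviour with no diff in this repository. Pin to a release tag, or better to a digest (`ghcr.io/minvws/openkat/dns-sec@sha256:<digest>`, placeholder), and keep `latest` for local `make images` use only. The same applies to the `kat_nmap_tcp/boefje.json` change in this commit.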
2 changes: 1 addition & 1 deletion boefjes/boefjes/plugins/kat_nmap_ports/schema.json
@@ -6,7 +6,7 @@
"title": "PORTS",
"maxLength": 2048,
"type": "string",
"description": "A valid Nmap ports argument (-p)."
"description": "Specify the ports that need to be scanned (nmap format). Single ports are comma separated, port ranges can be specified using the dash symbol. For example: 22,111,137,80-100 will scan ports 22, 111, 137 and the port range 80 up to 100."
}
},
"required": [
2 changes: 1 addition & 1 deletion boefjes/boefjes/plugins/kat_nmap_tcp/boefje.json
@@ -10,7 +10,7 @@
"TOP_PORTS"
],
"scan_level": 2,
"oci_image": "openkat/nmap",
"oci_image": "ghcr.io/minvws/openkat/nmap:latest",
"oci_arguments": [
"--open",
"-T4",
2 changes: 1 addition & 1 deletion boefjes/boefjes/plugins/kat_snyk/check_version.py
@@ -84,7 +84,7 @@ def check_version_agains_versionlist(my_version: str, all_versions: list[str]):
lowerbound_ok = False

# Check if lowerbound is < or <=
if re.search("^[[(]", lowerbound):
if re.search(r"^[\[(]", lowerbound):
# Example: "(1.1,1.4]" # https://snyk.io/vuln/maven%3Aorg.apache.nifi%3Anifi-security-utils
upperbound = all_versions.pop(0).strip()
end_bracket = re.search("[])]$", upperbound)
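Review bot: the same pattern style survives on the unchanged line `end_bracket = re.search("[])]$", upperbound)`: a non-raw string with an unescaped bracket, which is exactly what this change fixes for the lower bound. Apply the same treatment (`r"[\])]$"`) here so the two bounds are handled symmetrically and whatever linter flagged the first one does not flag the second. The misspelt function name in the hunk header (`check_version_agains_versionlist`) is a separate cleanup worth a follow-up.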
2 changes: 1 addition & 1 deletion boefjes/boefjes/plugins/kat_snyk/main.py
@@ -51,7 +51,7 @@ def run(boefje_meta: BoefjeMeta) -> list[tuple[set, bytes | str]]:
cve_element = vuln_soup.select("[class='cve']")
cve_code = cve_element[0].text.split("\n")[0] if cve_element else ""

if cve_code != " ":
if cve_code.startswith("CVE-"):
result["cve_vulnerabilities"].append(
{
"cve_code": cve_code,
@@ -0,0 +1,95 @@
# Creating a bit

Next, we want to look for our Greeting OOI and generate a finding from this once it has been added. Since findings are also an OOI, that means we want to generate OOIs from OOIs. This is the job for a bit. A bit consumes OOIs and generates other OOIs from it.

To start creating a bit create a folder inside `octopoes/bits/` called `check_greeting`. This folder will contain the information about our bit. This is what our folder should look like:

```shell
$ tree octopoes/bits/check_greeting
├── __init__.py
├── bit.py
└── check_greeting.py
```

## `__init__.py`

This file stays empty.

## `bit.py`

Inside this file, we write information about our bit. Here we give information such as the id of our bit, what OOI our bit should look out for, other OOIs that our bit requires (which are related to the OOI the bit is looking out for such as the IpAddress contained inside our Greeting OOI) and the path to the module that runs the bit (in our example this will be `bits.check_greeting.check_greeting`.)

This is what our `bit.py` would look like:

```python
from bits.definitions import BitDefinition, BitParameterDefinition
from octopoes.models.ooi.greeting import Greeting

BIT = BitDefinition(
id="check-greeting",
consumes=Greeting,
parameters=[],
module="bits.check_greeting.check_greeting",
)
```

You can see inside `parameters` that we have given it a new object. This object gives us access to OOIs that are related to the OOI referenced in `consumes`. In our example, we do not have a solid reason to do this.

## `check_greeting.py`

This is the file where the bit's meowgic happens. This file has to contain a run method which accepts the following:

- the model specified inside the `bit.py`'s `consumes` parameter
- additional OOIs that have been specified inside the `bit.py`'s `parameters` parameter
- a dictionary which contains some config

This function returns an `Iterator` of OOIs. The OOIs that we will return have to do with the `Finding` type. This is a special OOI that is not displayed in OpenKAT's _Objects_ tab and instead gets displayed in the _Findings_ tab. This finding contains information such as the name and description of the finding, the severity (how impactful it is that the cause of this finding exists) and a recommendation to the user on what they should do in this situation.

For our case, we will make a simple Finding that will signal to the user that a Greeting OOI has been sighted in the database. This Finding will have a severity level of recommendation this is the lowest of the severity levels. The severity order goes from recommendation to critical like this:

- `recommendation`
- `low`
- `medium`
- `high`
- `critical`

In our code, we will first create the type of finding and then we will create the finding and give more information about the current finding inside the description. This is what our file could look like:

```python
from collections.abc import Iterator

from octopoes.models import OOI
from octopoes.models.ooi.findings import Finding, KATFindingType
from octopoes.models.ooi.greeting import Greeting

def run(
input_ooi: Greeting,
additional_oois: list,
config: dict,
) -> Iterator[OOI]:
greeting_text = input_ooi.greeting
address = input_ooi.address

kat = KATFindingType(id="KAT-GREETING")
yield kat
yield Finding(
finding_type=kat.reference,
ooi=input_ooi.reference,
description=f"We have received a greeting: {greeting_text} because of address: {str(address)}.",
)
```

After this file is created all we have to do is create a finding type of _KAT-GREETING_ that contains the information about the finding. This is done inside `boefjes/boefjes/plugins/kat_kat_finding_types/kat_finding_types.json`. Inside this file, we can add a new object called _KAT-GREETING_ which will contain information about our findings.

We will add the following object to this file:

```json
"KAT-GREETING": {
"description": "A greeting object has been found.",
"risk": "recommendation",
"impact": "This has no impact except for the fact that it uses space in the database.",
"recommendation": "Ignore this finding, it is only for learning purposes."
}
```

After all of this is done, we can run `make kat` and refresh our OpenKAT page. Now our bit should automatically run. But if it takes too long. We can go into the Settings tab and press the _Rerun all bits_ button. After a small delay, we can go to the Findings tab and see our Findings of each Greeting object. If it is... then congratulations! Our Bit is finally working! The last step to complete the introduction is enabling the user to create a report with our findings!
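Review bot: the prose under `bit.py` says "You can see inside `parameters` that we have given it a new object", but the listing passes `parameters=[]` and the imported `BitParameterDefinition` is never used, so the reader cannot see what is being described; either show one `BitParameterDefinition(...)` entry (the `IpAddress` relation mentioned in the paragraph above would be the natural one) or rewrite the sentence to say the list is left empty in this example and drop the unused import. Two smaller points in the same file: "severity level of recommendation this is the lowest" needs punctuation between the two clauses, and "If it is... then congratulations!" in the closing paragraph reads as cut off (presumably "If it is there").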