secureCodeBox · J12934 · May 4, 2020 · Apr 27, 2020 · Apr 27, 2020 · Apr 27, 2020
diff --git a/.env b/.env
@@ -8,9 +8,6 @@ ENGINE_SCANNERSERVICES_PASSWORD=scan
 #
 DEFECT_DOJO_API_KEY=your-defect-dojo-api-key-here
 #
-# Default Image Tag. Latest will always be the most recent stable release.
-DEFAULT_TAG=latest
-#
 # Enabling the Persistence Providers inside then Engine Container
 # Even when they are disabled here they might still be started (depending on the way you start your compose stack)
 # This flag just changes if the engine writes results into the providers
@@ -24,3 +21,14 @@ ENABLE_DEFECT_DOJO=false
 # It can be set automatically by filling the following env vars.
 CAMUNDA_BPM_ADMIN_USER_ID=false
 CAMUNDA_BPM_ADMIN_USER_PASSWORD=
+
+SECURECODEBOX_ENGINE_IMAGE_VERSION=v1.3.1
+SECURECODEBOX_NMAP_IMAGE_VERSION=v1.2.0
+SECURECODEBOX_NIKTO_IMAGE_VERSION=v1.0.1
+SECURECODEBOX_ZAP_IMAGE_VERSION=v1.1.0
+SECURECODEBOX_SSLYZE_IMAGE_VERSION=v1.0.7
+SECURECODEBOX_ARACHNI_IMAGE_VERSION=v1.0.3
+SECURECODEBOX_AMASS_IMAGE_VERSION=v1.1.0
+SECURECODEBOX_SSH_IMAGE_VERSION=v1.2.0
+SECURECODEBOX_WPSCAN_IMAGE_VERSION=v1.1.1
+SECURECODEBOX_NCRACK_IMAGE_VERSION=v0.1.0
diff --git a/.travis.yml b/.travis.yml
@@ -10,10 +10,11 @@ notifications:
 services:
   - docker
 env:
-  - DEFAULT_TAG=latest
-  - DEFAULT_TAG=unstable
+  - version=latest
+  - version=unstable
 script:
-  - cp test/.env.test .env
+  - if [ "$version" == "latest" ]; then cp test/.env.stable.test .env; fi
+  - if [ "$version" == "unstable" ]; then cp test/.env.stable.test .env; fi
   - docker-compose -f docker-compose.yml -f docker-compose.demo.yml up -d engine camundadb bodgeit juice-shop nginx unsafe-https old-wordpress ssh-service scanner-infrastructure-nmap scanner-webapplication-arachni scanner-webapplication-zap scanner-infrastructure-amass scanner-infrastructure-sslyze scanner-webserver-nikto scanner-infrastructure-ssh scanner-cms-wpscan scanner-infrastructure-ncrack
   - cd test
   - npm ci

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,10 +1,10 @@
 version: "2.1"
 services:
   engine:
-    image: securecodebox/engine:${DEFAULT_TAG}
+    image: securecodebox/engine:${SECURECODEBOX_ENGINE_IMAGE_VERSION}
     depends_on:
-        camundadb:
-          condition: service_healthy
+      camundadb:
+        condition: service_healthy
     ports:
       - "8080:8080"
     networks:
@@ -50,7 +50,7 @@ services:
       container_group: infrastructure
     command: --max_allowed_packet=65011712 # 512M
     healthcheck:
-      test: "/usr/bin/mysql --user=${CAMUNDADB_USER} --password=${CAMUNDADB_PW} --execute \"SHOW DATABASES;\""
+      test: '/usr/bin/mysql --user=${CAMUNDADB_USER} --password=${CAMUNDADB_PW} --execute "SHOW DATABASES;"'
       interval: 5s
       timeout: 1s
       retries: 5
@@ -61,7 +61,7 @@ services:
       - MYSQL_PASSWORD=${CAMUNDADB_PW}
 
   scanner-infrastructure-nmap:
-    image: securecodebox/nmap:${DEFAULT_TAG}
+    image: securecodebox/nmap:${SECURECODEBOX_NMAP_IMAGE_VERSION}
     depends_on:
       engine:
         condition: service_healthy
@@ -75,7 +75,7 @@ services:
       - ENGINE_BASIC_AUTH_PASSWORD=${ENGINE_SCANNERSERVICES_PASSWORD}
 
   scanner-webserver-nikto:
-    image: securecodebox/nikto:${DEFAULT_TAG}
+    image: securecodebox/nikto:${SECURECODEBOX_NIKTO_IMAGE_VERSION}
     depends_on:
       engine:
         condition: service_healthy
@@ -89,7 +89,7 @@ services:
       - ENGINE_BASIC_AUTH_PASSWORD=${ENGINE_SCANNERSERVICES_PASSWORD}
 
   scanner-webapplication-zap:
-    image: securecodebox/zap:${DEFAULT_TAG}
+    image: securecodebox/zap:${SECURECODEBOX_ZAP_IMAGE_VERSION}
     depends_on:
       engine:
         condition: service_healthy
@@ -104,7 +104,7 @@ services:
       - SECURECODEBOX_ZAP_JOBSSCHEDULERCRON=* * * * * *
 
   scanner-infrastructure-sslyze:
-    image: securecodebox/sslyze:${DEFAULT_TAG}
+    image: securecodebox/sslyze:${SECURECODEBOX_SSLYZE_IMAGE_VERSION}
     depends_on:
       engine:
         condition: service_healthy
@@ -118,7 +118,7 @@ services:
       - ENGINE_BASIC_AUTH_PASSWORD=${ENGINE_SCANNERSERVICES_PASSWORD}
 
   scanner-webapplication-arachni:
-    image: securecodebox/arachni:${DEFAULT_TAG}
+    image: securecodebox/arachni:${SECURECODEBOX_ARACHNI_IMAGE_VERSION}
     depends_on:
       engine:
         condition: service_healthy
@@ -134,7 +134,7 @@ services:
       - "./plugins/arachni-login-scripts:/securecodebox/static/"
 
   scanner-infrastructure-amass:
-    image: securecodebox/amass:${DEFAULT_TAG}
+    image: securecodebox/amass:${SECURECODEBOX_AMASS_IMAGE_VERSION}
     depends_on:
       engine:
         condition: service_healthy
@@ -148,7 +148,7 @@ services:
       - ENGINE_BASIC_AUTH_PASSWORD=${ENGINE_SCANNERSERVICES_PASSWORD}
 
   scanner-infrastructure-ssh:
-    image: securecodebox/ssh:${DEFAULT_TAG}
+    image: securecodebox/ssh:${SECURECODEBOX_SSH_IMAGE_VERSION}
     depends_on:
       engine:
         condition: service_healthy
@@ -162,7 +162,7 @@ services:
       - ENGINE_BASIC_AUTH_PASSWORD=${ENGINE_SCANNERSERVICES_PASSWORD}
 
   scanner-cms-wpscan:
-    image: securecodebox/wpscan:${DEFAULT_TAG}
+    image: securecodebox/wpscan:${SECURECODEBOX_WPSCAN_IMAGE_VERSION}
     depends_on:
       engine:
         condition: service_healthy
@@ -176,10 +176,10 @@ services:
       - ENGINE_BASIC_AUTH_PASSWORD=${ENGINE_SCANNERSERVICES_PASSWORD}
 
   scanner-infrastructure-ncrack:
-    image: securecodebox/ncrack:${DEFAULT_TAG}
+    image: securecodebox/ncrack:${SECURECODEBOX_NCRACK_IMAGE_VERSION}
     depends_on:
       engine:
-        condition: service_healthy 
+        condition: service_healthy
     networks:
       - frontend
     labels:

diff --git a/test/.env.test → test/.env.stable.test b/test/.env.test → test/.env.stable.test
@@ -8,9 +8,6 @@ ENGINE_SCANNERSERVICES_PASSWORD=scan
 
 DEFECT_DOJO_API_KEY=your-defect-dojo-api-key-here
 
-# Default Image Tag. Latest will always be the most recent stable release.
-DEFAULT_TAG=develop
-
 # Enabling the Persistence Providers inside then Engine Container
 # Even when they are disabled here they might still be started (depending on the way you start your compose stack)
 # This flag just changes if the engine writes results into the providers
@@ -21,4 +18,15 @@ ENABLE_DEFECT_DOJO=false
 # By default you will be asked to set the admin password on first login. 
 # It can be set automatically by filling the following env vars.
 CAMUNDA_BPM_ADMIN_USER_ID=kermit
-CAMUNDA_BPM_ADMIN_USER_PASSWORD=a
+CAMUNDA_BPM_ADMIN_USER_PASSWORD=a
+
+SECURECODEBOX_ENGINE_IMAGE_VERSION=latest
+SECURECODEBOX_NMAP_IMAGE_VERSION=latest
+SECURECODEBOX_NIKTO_IMAGE_VERSION=latest
+SECURECODEBOX_ZAP_IMAGE_VERSION=latest
+SECURECODEBOX_SSLYZE_IMAGE_VERSION=latest
+SECURECODEBOX_ARACHNI_IMAGE_VERSION=latest
+SECURECODEBOX_AMASS_IMAGE_VERSION=latest
+SECURECODEBOX_SSH_IMAGE_VERSION=latest
+SECURECODEBOX_WPSCAN_IMAGE_VERSION=latest
+SECURECODEBOX_NCRACK_IMAGE_VERSION=latest
diff --git a/test/.env.unstable.test b/test/.env.unstable.test
@@ -0,0 +1,32 @@
+CAMUNDADB_DATABASE=camundadb
+CAMUNDADB_ROOT_PW=root
+CAMUNDADB_USER=camunda
+CAMUNDADB_PW=secret
+
+ENGINE_SCANNERSERVICES_USER=defaultScanner
+ENGINE_SCANNERSERVICES_PASSWORD=scan
+
+DEFECT_DOJO_API_KEY=your-defect-dojo-api-key-here
+
+# Enabling the Persistence Providers inside then Engine Container
+# Even when they are disabled here they might still be started (depending on the way you start your compose stack)
+# This flag just changes if the engine writes results into the providers
+ENABLE_ELASTICSEARCH=false
+ENABLE_DEFECT_DOJO=false
+
+# Admin User Configuration
+# By default you will be asked to set the admin password on first login. 
+# It can be set automatically by filling the following env vars.
+CAMUNDA_BPM_ADMIN_USER_ID=kermit
+CAMUNDA_BPM_ADMIN_USER_PASSWORD=a
+
+SECURECODEBOX_ENGINE_IMAGE_VERSION=unstable
+SECURECODEBOX_NMAP_IMAGE_VERSION=unstable
+SECURECODEBOX_NIKTO_IMAGE_VERSION=unstable
+SECURECODEBOX_ZAP_IMAGE_VERSION=unstable
+SECURECODEBOX_SSLYZE_IMAGE_VERSION=unstable
+SECURECODEBOX_ARACHNI_IMAGE_VERSION=unstable
+SECURECODEBOX_AMASS_IMAGE_VERSION=unstable
+SECURECODEBOX_SSH_IMAGE_VERSION=unstable
+SECURECODEBOX_WPSCAN_IMAGE_VERSION=unstable
+SECURECODEBOX_NCRACK_IMAGE_VERSION=unstable
diff --git a/test/combined-nmap-nikto.test.js b/test/combined-nmap-nikto.test.js
@@ -1,15 +1,15 @@
-const { startSecurityTest, Time } = require('./sdk');
+const { startSecurityTest, Time } = require("./sdk");
 
 test(
-  'finds open 3000 port of juiceshop',
+  "finds open 3000 port of juiceshop",
   async () => {
     const securityTest = await startSecurityTest({
-      context: 'JuiceShopPortScan',
+      context: "JuiceShopPortScan",
       metaData: {},
-      name: 'combined-nmap-nikto',
+      name: "combined-nmap-nikto",
       target: {
-        name: 'JuiceShop Container',
-        location: 'juice-shop',
+        name
17A6
: "JuiceShop Container",
+        location: "juice-shop",
         attributes: {
           NIKTO_PORTS: "3000",
           COMBINED_NMAP_NIKTO_PORTS: "80, 443, 3000, 8080, 8443",
@@ -19,31 +19,24 @@ test(
 
     const { report } = securityTest;
 
-    const [finding1, finding2, finding3, ...otherFindings] = report.findings.map(
-      ({ name, osi_layer, severity }) => ({
-        name,
-        osi_layer,
-        severity,
-      })
-    );
+    const findings = report.findings.map(({ name, osi_layer, severity }) => ({
+      name,
+      osi_layer,
+      severity,
+    }));
 
-    expect(finding1).toMatchObject({
-      name: 'Retrieved x-powered-by header: Express',
-      osi_layer: 'APPLICATION',
-      severity: 'INFORMATIONAL',
+    expect(findings).toContainEqual({
+      name: "Retrieved access-control-allow-origin header: *",
+      osi_layer: "APPLICATION",
+      severity: "INFORMATIONAL",
     });
 
-    expect(finding2).toMatchObject({
-      name: 'Retrieved access-control-allow-origin header: *',                                                                                               
-      osi_layer: 'APPLICATION',                                                                                                                              
-      severity: 'INFORMATIONAL'                  
-    });
-
-    expect(finding3).toMatchObject({
-      name: 'The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS',
-      osi_layer: 'APPLICATION',
-      severity: 'INFORMATIONAL'
+    expect(findings).toContainEqual({
+      name:
+        "The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS",
+      osi_layer: "APPLICATION",
+      severity: "INFORMATIONAL",
     });
   },
-  5 * Time.Minute
-);
+  10 * Time.Minute
+);
diff --git a/test/nikto.test.js b/test/nikto.test.js
@@ -1,48 +1,41 @@
-const { startSecurityTest, Time } = require('./sdk');
+const { startSecurityTest, Time } = require("./sdk");
 
 test(
-  'finds open 3000 port of juiceshop',
+  "finds open 3000 port of juiceshop",
   async () => {
     const securityTest = await startSecurityTest({
-      context: 'JuiceShopPortScan',
+      context: "JuiceShopPortScan",
       metaData: {},
-      name: 'nikto',
+      name: "nikto",
       target: {
-        name: 'JuiceShop Container',
-        location: 'juice-shop',
+        name: "JuiceShop Container",
+        location: "juice-shop",
         attributes: {
           NIKTO_PORTS: "3000",
-          COMBINED_NMAP_NIKTO_PORTS: "80, 443, 3000, 8080, 8443",
+          NIKTO_PARAMETER: "-Tuning 1,2,3,5,7,b",
         },
       },
     });
 
     const { report } = securityTest;
 
-    const [finding1, finding2, finding3, ...otherFindings] = report.findings.map(
-      ({ name, osi_layer, severity }) => ({
-        name,
-        osi_layer,
-        severity,
-      })
-    );
+    const findings = report.findings.map(({ name, osi_layer, severity }) => ({
+      name,
+      osi_layer,
+      severity,
+    }));
 
-    expect(finding1).toMatchObject({
-      name: 'Retrieved x-powered-by header: Express',
-      osi_layer: 'APPLICATION',
-      severity: 'INFORMATIONAL',
+    expect(findings).toContainEqual({
+      name: "Retrieved access-control-allow-origin header: *",
+      osi_layer: "APPLICATION",
+      severity: "INFORMATIONAL",
     });
 
-    expect(finding2).toMatchObject({
-      name: 'Retrieved access-control-allow-origin header: *',                                                                                               
-      osi_layer: 'APPLICATION',                                                                                                                              
-      severity: 'INFORMATIONAL'                  
-    });
-
-    expect(finding3).toMatchObject({
-      name: 'The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS',
-      osi_layer: 'APPLICATION',
-      severity: 'INFORMATIONAL'
+    expect(findings).toContainEqual({
+      name:
+        "The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS",
+      osi_layer: "APPLICATION",
+      severity: "INFORMATIONAL",
     });
   },
   5 * Time.Minute