diff --git a/.env b/.env index 065a3a5a2d..52a303c376 100644 --- a/.env +++ b/.env @@ -8,9 +8,6 @@ ENGINE_SCANNERSERVICES_PASSWORD=scan # DEFECT_DOJO_API_KEY=your-defect-dojo-api-key-here # -# Default Image Tag. Latest will always be the most recent stable release. -DEFAULT_TAG=latest -# # Enabling the Persistence Providers inside then Engine Container # Even when they are disabled here they might still be started (depending on the way you start your compose stack) # This flag just changes if the engine writes results into the providers @@ -24,3 +21,14 @@ ENABLE_DEFECT_DOJO=false # It can be set automatically by filling the following env vars. CAMUNDA_BPM_ADMIN_USER_ID=false CAMUNDA_BPM_ADMIN_USER_PASSWORD= + +SECURECODEBOX_ENGINE_IMAGE_VERSION=v1.3.1 +SECURECODEBOX_NMAP_IMAGE_VERSION=v1.2.0 +SECURECODEBOX_NIKTO_IMAGE_VERSION=v1.0.1 +SECURECODEBOX_ZAP_IMAGE_VERSION=v1.1.0 +SECURECODEBOX_SSLYZE_IMAGE_VERSION=v1.0.7 +SECURECODEBOX_ARACHNI_IMAGE_VERSION=v1.0.3 +SECURECODEBOX_AMASS_IMAGE_VERSION=v1.1.0 +SECURECODEBOX_SSH_IMAGE_VERSION=v1.2.0 +SECURECODEBOX_WPSCAN_IMAGE_VERSION=v1.1.1 +SECURECODEBOX_NCRACK_IMAGE_VERSION=v0.1.0 diff --git a/.travis.yml b/.travis.yml index fa66b5179c..b697618d90 100644 --- a/.travis.yml +++ b/.travis.yml @@ -10,10 +10,11 @@ notifications: services: - docker env: - - DEFAULT_TAG=latest - - DEFAULT_TAG=unstable + - version=latest + - version=unstable script: - - cp test/.env.test .env + - if [ "$version" == "latest" ]; then cp test/.env.stable.test .env; fi + - if [ "$version" == "unstable" ]; then cp test/.env.stable.test .env; fi - docker-compose -f docker-compose.yml -f docker-compose.demo.yml up -d engine camundadb bodgeit juice-shop nginx unsafe-https old-wordpress ssh-service scanner-infrastructure-nmap scanner-webapplication-arachni scanner-webapplication-zap scanner-infrastructure-amass scanner-infrastructure-sslyze scanner-webserver-nikto scanner-infrastructure-ssh scanner-cms-wpscan scanner-infrastructure-ncrack - cd test - npm ci 
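Review bot: The new `SECURECODEBOX_*_IMAGE_VERSION` values pin mutable tags, not content: a re-pushed `v1.3.1` is pulled silently under the same `.env`, so if dropping `DEFAULT_TAG=latest` is meant to make the stack reproducible and tamper-evident, record image digests as well (compose accepts `image: securecodebox/engine@sha256:<digest>`). The added block is also the only one in the file without a comment; a line such as `# Release tags of the engine/scanner images used by docker-compose.yml (test/.env.*.test override them with latest/unstable for CI)` would tell readers where these values are consumed and why the test files differ.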
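Review bot: Both new `if` lines copy `test/.env.stable.test`, so the `version=unstable` job runs against the `latest` images and the `test/.env.unstable.test` file introduced in this commit is never used by CI. The second line should read `- if [ "$version" == "unstable" ]; then cp test/.env.unstable.test .env; fi`. Because the matrix value is `latest` while the file is named `stable`, a single `cp "test/.env.${version}.test" .env` cannot replace the two conditionals as written; renaming the matrix value to `stable` (or the file to `.env.latest.test`) would allow that and remove this copy-paste hazard.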
diff --git a/docker-compose.yml b/docker-compose.yml index 081f6521fa..f225b1a0f7 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,10 +1,10 @@ version: "2.1" services: engine: - image: securecodebox/engine:${DEFAULT_TAG} + image: securecodebox/engine:${SECURECODEBOX_ENGINE_IMAGE_VERSION} depends_on: - camundadb: - condition: service_healthy + camundadb: + condition: service_healthy ports: - "8080:8080" networks: @@ -50,7 +50,7 @@ services: container_group: infrastructure command: --max_allowed_packet=65011712 # 512M healthcheck: - test: "/usr/bin/mysql --user=${CAMUNDADB_USER} --password=${CAMUNDADB_PW} --execute \"SHOW DATABASES;\"" + test: '/usr/bin/mysql --user=${CAMUNDADB_USER} --password=${CAMUNDADB_PW} --execute "SHOW DATABASES;"' interval: 5s timeout: 1s retries: 5 @@ -61,7 +61,7 @@ services: - MYSQL_PASSWORD=${CAMUNDADB_PW} scanner-infrastructure-nmap: - image: securecodebox/nmap:${DEFAULT_TAG} + image: securecodebox/nmap:${SECURECODEBOX_NMAP_IMAGE_VERSION} depends_on: engine: condition: service_healthy @@ -75,7 +75,7 @@ services: - ENGINE_BASIC_AUTH_PASSWORD=${ENGINE_SCANNERSERVICES_PASSWORD} scanner-webserver-nikto: - image: securecodebox/nikto:${DEFAULT_TAG} + image: securecodebox/nikto:${SECURECODEBOX_NIKTO_IMAGE_VERSION} depends_on: engine: condition: service_healthy @@ -89,7 +89,7 @@ services: - ENGINE_BASIC_AUTH_PASSWORD=${ENGINE_SCANNERSERVICES_PASSWORD} scanner-webapplication-zap: - image: securecodebox/zap:${DEFAULT_TAG} + image: securecodebox/zap:${SECURECODEBOX_ZAP_IMAGE_VERSION} depends_on: engine: condition: service_healthy @@ -104,7 +104,7 @@ services: - SECURECODEBOX_ZAP_JOBSSCHEDULERCRON=* * * * * * scanner-infrastructure-sslyze: - image: securecodebox/sslyze:${DEFAULT_TAG} + image: securecodebox/sslyze:${SECURECODEBOX_SSLYZE_IMAGE_VERSION} depends_on: engine: condition: service_healthy 
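Review bot: The requoted healthcheck in the `@@ -50,7 +50,7 @@` hunk still interpolates `${CAMUNDADB_PW}` at compose time, so the plaintext database password is baked into the container's HealthCheck config (readable via `docker inspect`) and into the `sh -c` argv of every probe. The same container already receives `MYSQL_PASSWORD=${CAMUNDADB_PW}` in its environment (context in the following hunk), so the probe can read it at run time instead: `test: 'MYSQL_PWD="$$MYSQL_PASSWORD" /usr/bin/mysql --user=${CAMUNDADB_USER} --execute "SHOW DATABASES;"'`, where `$$` is compose's escape for a literal `$` — worth confirming against the 2.1 format. A password containing quotes or shell metacharacters would also break the probe as written; the environment-variable form avoids that as well.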
@@ -118,7 +118,7 @@ services: - ENGINE_BASIC_AUTH_PASSWORD=${ENGINE_SCANNERSERVICES_PASSWORD} scanner-webapplication-arachni: - image: securecodebox/arachni:${DEFAULT_TAG} + image: securecodebox/arachni:${SECURECODEBOX_ARACHNI_IMAGE_VERSION} depends_on: engine: condition: service_healthy @@ -134,7 +134,7 @@ services: - "./plugins/arachni-login-scripts:/securecodebox/static/" scanner-infrastructure-amass: - image: securecodebox/amass:${DEFAULT_TAG} + image: securecodebox/amass:${SECURECODEBOX_AMASS_IMAGE_VERSION} depends_on: engine: condition: service_healthy @@ -148,7 +148,7 @@ services: - ENGINE_BASIC_AUTH_PASSWORD=${ENGINE_SCANNERSERVICES_PASSWORD} scanner-infrastructure-ssh: - image: securecodebox/ssh:${DEFAULT_TAG} + image: securecodebox/ssh:${SECURECODEBOX_SSH_IMAGE_VERSION} depends_on: engine: condition: service_healthy @@ -162,7 +162,7 @@ services: - ENGINE_BASIC_AUTH_PASSWORD=${ENGINE_SCANNERSERVICES_PASSWORD} scanner-cms-wpscan: - image: securecodebox/wpscan:${DEFAULT_TAG} + image: securecodebox/wpscan:${SECURECODEBOX_WPSCAN_IMAGE_VERSION} depends_on: engine: condition: service_healthy @@ -176,10 +176,10 @@ services: - ENGINE_BASIC_AUTH_PASSWORD=${ENGINE_SCANNERSERVICES_PASSWORD} scanner-infrastructure-ncrack: - image: securecodebox/ncrack:${DEFAULT_TAG} + image: securecodebox/ncrack:${SECURECODEBOX_NCRACK_IMAGE_VERSION} depends_on: engine: - condition: service_healthy + condition: service_healthy networks: - frontend labels: diff --git a/test/.env.test b/test/.env.stable.test similarity index 62% rename from test/.env.test rename to test/.env.stable.test index 6c80fa411d..dea2514fa8 100644 --- a/test/.env.test +++ b/test/.env.stable.test 
@@ -8,9 +8,6 @@ ENGINE_SCANNERSERVICES_PASSWORD=scan DEFECT_DOJO_API_KEY=your-defect-dojo-api-key-here -# Default Image Tag. Latest will always be the most recent stable release. -DEFAULT_TAG=develop - # Enabling the Persistence Providers inside then Engine Container # Even when they are disabled here they might still be started (depending on the way you start your compose stack) # This flag just changes if the engine writes results into the providers @@ -21,4 +18,15 @@ ENABLE_DEFECT_DOJO=false # By default you will be asked to set the admin password on first login. # It can be set automatically by filling the following env vars. CAMUNDA_BPM_ADMIN_USER_ID=kermit -CAMUNDA_BPM_ADMIN_USER_PASSWORD=a \ No newline at end of file +CAMUNDA_BPM_ADMIN_USER_PASSWORD=a + +SECURECODEBOX_ENGINE_IMAGE_VERSION=latest +SECURECODEBOX_NMAP_IMAGE_VERSION=latest +SECURECODEBOX_NIKTO_IMAGE_VERSION=latest +SECURECODEBOX_ZAP_IMAGE_VERSION=latest +SECURECODEBOX_SSLYZE_IMAGE_VERSION=latest +SECURECODEBOX_ARACHNI_IMAGE_VERSION=latest +SECURECODEBOX_AMASS_IMAGE_VERSION=latest +SECURECODEBOX_SSH_IMAGE_VERSION=latest +SECURECODEBOX_WPSCAN_IMAGE_VERSION=latest +SECURECODEBOX_NCRACK_IMAGE_VERSION=latest \ No newline at end of file diff --git a/test/.env.unstable.test b/test/.env.unstable.test new file mode 100644 index 0000000000..c8b89ddec8 --- /dev/null +++ b/test/.env.unstable.test 
@@ -0,0 +1,32 @@
+CAMUNDADB_DATABASE=camundadb
+CAMUNDADB_ROOT_PW=root
+CAMUNDADB_USER=camunda
+CAMUNDADB_PW=secret
+
+ENGINE_SCANNERSERVICES_USER=defaultScanner
+ENGINE_SCANNERSERVICES_PASSWORD=scan
+
+DEFECT_DOJO_API_KEY=your-defect-dojo-api-key-here
+
+# Enabling the Persistence Providers inside then Engine Container
+# Even when they are disabled here they might still be started (depending on the way you start your compose stack)
+# This flag just changes if the engine writes results into the providers
+ENABLE_ELASTICSEARCH=false
+ENABLE_DEFECT_DOJO=false
+
+# Admin User Configuration
+# By default you will be asked to set the admin password on first login.
+# It can be set automatically by filling the following env vars.
+CAMUNDA_BPM_ADMIN_USER_ID=kermit
+CAMUNDA_BPM_ADMIN_USER_PASSWORD=a
+
+SECURECODEBOX_ENGINE_IMAGE_VERSION=unstable
+SECURECODEBOX_NMAP_IMAGE_VERSION=unstable
+SECURECODEBOX_NIKTO_IMAGE_VERSION=unstable
+SECURECODEBOX_ZAP_IMAGE_VERSION=unstable
+SECURECODEBOX_SSLYZE_IMAGE_VERSION=unstable
+SECURECODEBOX_ARACHNI_IMAGE_VERSION=unstable
+SECURECODEBOX_AMASS_IMAGE_VERSION=unstable
+SECURECODEBOX_SSH_IMAGE_VERSION=unstable
+SECURECODEBOX_WPSCAN_IMAGE_VERSION=unstable
+SECURECODEBOX_NCRACK_IMAGE_VERSION=unstable
\ No newline at end of file
diff --git a/test/combined-nmap-nikto.test.js b/test/combined-nmap-nikto.test.js
index c4ad62e1af..f43fa1bdc6 100644
--- a/test/combined-nmap-nikto.test.js
+++ b/test/combined-nmap-nikto.test.js
@@ -1,15 +1,15 @@ -const { startSecurityTest, Time } = require('./sdk'); +const { startSecurityTest, Time } = require("./sdk"); test( - 'finds open 3000 port of juiceshop', + "finds open 3000 port of juiceshop", async () => { const securityTest = await startSecurityTest({ - context: 'JuiceShopPortScan', + context: "JuiceShopPortScan", metaData: {}, - name: 'combined-nmap-nikto', + name: "combined-nmap-nikto", target: { - name: 'JuiceShop Container', - location: 'juice-shop', + name: "JuiceShop Container", + location: "juice-shop", attributes: { NIKTO_PORTS: "3000", COMBINED_NMAP_NIKTO_PORTS: "80, 443, 3000, 8080, 8443", @@ -19,31 +19,24 @@ test( const { report } = securityTest; - const [finding1, finding2, finding3, ...otherFindings] = report.findings.map( - ({ name, osi_layer, severity }) => ({ - name, - osi_layer, - severity, - }) - ); + const findings = report.findings.map(({ name, osi_layer, severity }) => ({ + name, + osi_layer, + severity, + })); - expect(finding1).toMatchObject({ - name: 'Retrieved x-powered-by header: Express', - osi_layer: 'APPLICATION', - severity: 'INFORMATIONAL', + expect(findings).toContainEqual({ + name: "Retrieved access-control-allow-origin header: *", + osi_layer: "APPLICATION", + severity: "INFORMATIONAL", }); - expect(finding2).toMatchObject({ - name: 'Retrieved access-control-allow-origin header: *', - osi_layer: 'APPLICATION', - severity: 'INFORMATIONAL' - }); - - expect(finding3).toMatchObject({ - name: 'The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS', - osi_layer: 'APPLICATION', - severity: 'INFORMATIONAL' + expect(findings).toContainEqual({ + name: + "The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS", + osi_layer: "APPLICATION", + severity: "INFORMATIONAL", }); }, - 5 * Time.Minute -); \ No newline at end of file + 10 * Time.Minute +); 
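Review bot: The assertions in the `@@ -19,31 +19,24 @@` hunk only check two nikto header findings, yet the test is still named `"finds open 3000 port of juiceshop"` and the security test is the combined nmap-nikto one, so nothing verifies that the nmap stage contributed a finding for port 3000. Either add a third `toContainEqual` for the nmap open-port finding (its exact `name`/`osi_layer` strings are not visible here, so copy them from a real report) or rename the test to what it asserts, e.g. `"finds missing security headers on juice-shop:3000"`. The `x-powered-by` assertion was dropped without explanation; if it proved flaky, a one-line comment saying so would stop someone re-adding it. The opening arguments of the `test(` call are in the preceding hunk.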
diff --git a/test/nikto.test.js b/test/nikto.test.js
index 79d2db4bf2..7b484a6951 100644
--- a/test/nikto.test.js
+++ b/test/nikto.test.js
@@ -1,48 +1,41 @@ -const { startSecurityTest, Time } = require('./sdk'); +const { startSecurityTest, Time } = require("./sdk"); test( - 'finds open 3000 port of juiceshop', + "finds open 3000 port of juiceshop", async () => { const securityTest = await startSecurityTest({ - context: 'JuiceShopPortScan', + context: "JuiceShopPortScan", metaData: {}, - name: 'nikto', + name: "nikto", target: { - name: 'JuiceShop Container', - location: 'juice-shop', + name: "JuiceShop Container", + location: "juice-shop", attributes: { NIKTO_PORTS: "3000", - COMBINED_NMAP_NIKTO_PORTS: "80, 443, 3000, 8080, 8443", + NIKTO_PARAMETER: "-Tuning 1,2,3,5,7,b", }, }, }); const { report } = securityTest; - const [finding1, finding2, finding3, ...otherFindings] = report.findings.map( - ({ name, osi_layer, severity }) => ({ - name, - osi_layer, - severity, - }) - ); + const findings = report.findings.map(({ name, osi_layer, severity }) => ({ + name, + osi_layer, + severity, + })); - expect(finding1).toMatchObject({ - name: 'Retrieved x-powered-by header: Express', - osi_layer: 'APPLICATION', - severity: 'INFORMATIONAL', + expect(findings).toContainEqual({ + name: "Retrieved access-control-allow-origin header: *", + osi_layer: "APPLICATION", + severity: "INFORMATIONAL", }); - expect(finding2).toMatchObject({ - name: 'Retrieved access-control-allow-origin header: *', - osi_layer: 'APPLICATION', - severity: 'INFORMATIONAL' - }); - - expect(finding3).toMatchObject({ - name: 'The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS', - osi_layer: 'APPLICATION', - severity: 'INFORMATIONAL' + expect(findings).toContainEqual({ + name: + "The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS", + osi_layer: "APPLICATION", + severity: "INFORMATIONAL", }); }, 5 * Time.Minute
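Review bot: The new `NIKTO_PARAMETER: "-Tuning 1,2,3,5,7,b"` attribute is a magic string with no note on which nikto check categories it selects or why; a comment above it such as `// -Tuning restricts which nikto check categories run (keeps the scan inside the 5-minute timeout; intrusive categories such as injection/DoS are left out) — confirm against nikto's docs` would make the choice reviewable. The test is also still named `"finds open 3000 port of juiceshop"` although it now runs a nikto-only scan (the `COMBINED_NMAP_NIKTO_PORTS` attribute was rightly removed) and asserts two header findings; `"finds missing security headers on juice-shop:3000"` would describe it. The `test(` call's closing `);` is not part of the hunk as shown.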