secureCodeBox · J12934 · Nov 10, 2021 · Oct 1, 2021 · Oct 1, 2021 · Oct 2, 2021
diff --git a/hooks/cascading-scans/README.md b/hooks/cascading-scans/README.md
@@ -162,6 +162,7 @@ zap-http         zap-baseline-scan   non-invasive   medium
 |-----|------|---------|-------------|
 | hook.image.repository | string | `"docker.io/securecodebox/hook-cascading-scans"` | Hook image repository |
 | hook.image.tag | string | defaults to the charts version | The image Tag defaults to the charts version if not defined. |
+| hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. |
 | hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
 
 ## License

diff --git a/hooks/cascading-scans/hook/hook.test.js b/hooks/cascading-scans/hook/hook.test.js
@@ -1130,6 +1130,7 @@ test("Templating should apply to environment variables", () => {
               "value": "foobar.com",
             },
           ],
+          "hookSelector": Object {},
           "initContainers": Array [],
           "parameters": Array [
             "--regular",
@@ -1379,6 +1380,7 @@ test("Templating should apply to initContainer environment variables", () => {
         "spec": Object {
           "cascades": Object {},
           "env": Array [],
+          "hookSelector": Object {},
           "initContainers": Array [
             Object {
               "command": Array [

diff --git a/hooks/cascading-scans/templates/cascading-scans-hook.yaml b/hooks/cascading-scans/templates/cascading-scans-hook.yaml
@@ -13,6 +13,7 @@ metadata:
     {{ toYaml . }}
     {{- end }}
 spec:
+  priority: {{ .Values.hook.priority }}
   type: ReadOnly
   image: "{{ .Values.hook.image.repository }}:{{ .Values.hook.image.tag | default .Chart.Version }}"
   imagePullSecrets:

diff --git a/hooks/cascading-scans/values.yaml b/hooks/cascading-scans/values.yaml
@@ -17,5 +17,8 @@ hook:
   # hook.labels -- Add Kubernetes Labels to the hook definition
   labels: {}
 
+  # -- Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks.
+  priority: 0
+
   # hook.ttlSecondsAfterFinished -- Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
   ttlSecondsAfterFinished: null
diff --git a/hooks/finding-post-processing/README.md b/hooks/finding-post-processing/README.md
@@ -89,6 +89,7 @@ The `override` field specifies the desired fields and values that need to be upd
 |-----|------|---------|-------------|
 | hook.image.repository | string | `"docker.io/securecodebox/hook-finding-post-processing"` | Hook image repository |
 | hook.image.tag | string | defaults to the charts version | The image Tag defaults to the charts version if not defined. |
+| hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. |
 | hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
 | rules | list | `[]` |  |
 

diff --git a/hooks/finding-post-processing/templates/finding-post-processing-hook.yaml b/hooks/finding-post-processing/templates/finding-post-processing-hook.yaml
@@ -12,6 +12,7 @@ metadata:
     {{ toYaml . }}
     {{- end }}
 spec:
+  priority: {{ .Values.hook.priority }}
   type: ReadAndWrite
   image: "{{ .Values.hook.image.repository }}:{{ .Values.hook.image.tag | default .Chart.Version }}"
   env:

diff --git a/hooks/finding-post-processing/values.yaml b/hooks/finding-post-processing/values.yaml
@@ -33,5 +33,8 @@ hook:
   # hook.labels -- Add Kubernetes Labels to the hook definition
   labels: {}
 
+  # -- Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks.
+  priority: 0
+
   # hook.ttlSecondsAfterFinished -- Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
   ttlSecondsAfterFinished: null
diff --git a/hooks/generic-webhook/README.md b/hooks/generic-webhook/README.md
@@ -57,6 +57,7 @@ Kubernetes: `>=v1.11.0-0`
 |-----|------|---------|-------------|
 | hook.image.repository | string | `"docker.io/securecodebox/hook-generic-webhook"` | Hook image repository |
 | hook.image.tag | string | defaults to the charts version | The image Tag defaults to the charts version if not defined. |
+| hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. |
 | hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
 | webhookUrl | string | `"http://example.com"` | The URL of your WebHook endpoint |
 

diff --git a/hooks/generic-webhook/templates/webhook-hook.yaml b/hooks/generic-webhook/templates/webhook-hook.yaml
@@ -12,6 +12,7 @@ metadata:
     {{ toYaml . }}
     {{- end }}
 spec:
+  priority: {{ .Values.hook.priority }}
   type: ReadOnly
   image: "{{ .Values.hook.image.repository }}:{{ .Values.hook.image.tag | default .Chart.Version }}"
   ttlSecondsAfterFinished: {{ .Values.hook.ttlSecondsAfterFinished }}

diff --git a/hooks/generic-webhook/values.yaml b/hooks/generic-webhook/values.yaml
@@ -20,5 +20,8 @@ hook:
   # hook.labels -- Add Kubernetes Labels to the hook definition
   labels: {}
 
+  # -- Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks.
+  priority: 0
+
   # hook.ttlSecondsAfterFinished -- Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
   ttlSecondsAfterFinished: null
diff --git a/hooks/notification/README.md b/hooks/notification/README.md
@@ -346,6 +346,7 @@ To fill your template with data we provide the following objects.
 | hook.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
 | hook.image.repository | string | `"docker.io/securecodebox/hook-notification"` | Hook image repository |
 | hook.image.tag | string | defaults to the charts version | Image tag |
+| hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. |
 | hook.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
 | notificationChannels[0].endPoint | string | `"SOME_ENV_KEY"` |  |
 | notificationChannels[0].name | string | `"slack"` |  |

diff --git a/hooks/notification/templates/notification-hook.yaml b/hooks/notification/templates/notification-hook.yaml
@@ -12,6 +12,7 @@ metadata:
     {{ toYaml . }}
     {{- end }}
 spec:
+  priority: {{ .Values.hook.priority }}
   type: ReadOnly
   imagePullPolicy: "{{ .Values.hook.image.pullPolicy }}"
   image: "{{ .Values.hook.image.repository }}:{{ .Values.hook.image.tag | default .Chart.Version }}"

diff --git a/hooks/notification/values.yaml b/hooks/notification/values.yaml
@@ -19,6 +19,9 @@ hook:
   # hook.labels -- Add Kubernetes Labels to the hook definition
   labels: {}
 
+  # -- Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks.
+  priority: 0
+
   # hook.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
   ttlSecondsAfterFinished: null
 

diff --git a/hooks/persistence-defectdojo/README.md b/hooks/persistence-defectdojo/README.md
@@ -229,7 +229,8 @@ spec:
 | defectdojo.url | string | `"http://defectdojo-django.default.svc"` | Url to the DefectDojo Instance |
 | hook.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
 | hook.image.repository | string | `"docker.io/securecodebox/hook-persistence-defectdojo"` | Hook image repository |
-| hook.image.tag | string | `nil` | Container image tag |
+| hook.image.tag | string | defaults to the charts version | Container image tag |
+| hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. |
 
 ## License
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)

diff --git a/hooks/persistence-defectdojo/templates/persistence-provider.yaml b/hooks/persistence-defectdojo/templates/persistence-provider.yaml
@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-apiVersion: "execution.securecodebox.io/v1"
+apiVersion: execution.securecodebox.io/v1
 kind: ScanCompletionHook
 metadata:
   name: {{ include "persistence-defectdojo.fullname" . }}
@@ -13,6 +13,7 @@ metadata:
     {{ toYaml . }}
     {{- end }}
 spec:
+  priority: {{ .Values.hook.priority }}
   {{- if .Values.defectdojo.syncFindingsBack }}
   type: ReadAndWrite
   {{- else }}

diff --git a/hooks/persistence-defectdojo/values.yaml b/hooks/persistence-defectdojo/values.yaml
@@ -19,6 +19,9 @@ hook:
   # hook.labels -- Add Kubernetes Labels to the hook definition
   labels: {}
 
+  # -- Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks.
+  priority: 0
+
 defectdojo:
   # -- Syncs back (two way sync) all imported findings from DefectDojo to SCB Findings Store. When set to false the hook will only import the findings to DefectDojo (one way sync).
   syncFindingsBack: true

diff --git a/hooks/persistence-elastic/README.md b/hooks/persistence-elastic/README.md
@@ -82,6 +82,7 @@ the [Luxon documentation](https://moment.github.io/luxon/docs/manual/formatting.
 | fullnameOverride | string | `""` |  |
 | hook.image.repository | string | `"docker.io/securecodebox/hook-persistence-elastic"` | Hook image repository |
 | hook.image.tag | string | defaults to the charts version | The image Tag defaults to the charts version if not defined. |
+| hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. |
 | hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
 | imagePullSecrets | list | `[]` |  |
 | indexAppendNamespace | bool | `true` | Define if the name of the namespace where this hook is deployed to must be added to the index name. The namespace can be used to separate index by tenants (namespaces). |

diff --git a/hooks/persistence-elastic/templates/persistence-provider.yaml b/hooks/persistence-elastic/templates/persistence-provider.yaml
@@ -13,6 +13,7 @@ metadata:
     {{ toYaml . }}
     {{- end }}
 spec:
+  priority: {{ .Values.hook.priority }}
   type: ReadOnly
   image: "{{ .Values.hook.image.repository }}:{{ .Values.hook.image.tag | default .Chart.Version }}"
   ttlSecondsAfterFinished: {{ .Values.hook.ttlSecondsAfterFinished }}

diff --git a/hooks/persistence-elastic/values.yaml b/hooks/persistence-elastic/values.yaml
@@ -89,5 +89,8 @@ hook:
   # hook.labels -- Add Kubernetes Labels to the hook definition
   labels: {}
 
+  # -- Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks.
+  priority: 0
+
   # hook.ttlSecondsAfterFinished -- Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
   ttlSecondsAfterFinished: null
diff --git a/hooks/update-field/README.md b/hooks/update-field/README.md
@@ -64,6 +64,7 @@ helm upgrade --install ufh secureCodeBox/update-field-hook --set attribute.name=
 | attribute.value | string | `"my-own-category"` | The value of the attribute you want to add to each finding result |
 | hook.image.repository | string | `"docker.io/securecodebox/hook-update-field"` | Hook image repository |
 | hook.image.tag | string | defaults to the charts version | The image Tag defaults to the charts version if not defined. |
+| hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. |
 | hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
 
 ## License

diff --git a/hooks/update-field/templates/update-field-hook.yaml b/hooks/update-field/templates/update-field-hook.yaml
@@ -12,6 +12,7 @@ metadata:
     {{ toYaml . }}
     {{- end }}
 spec:
+  priority: {{ .Values.hook.priority }}
   type: ReadAndWrite
   image: "{{ .Values.hook.image.repository }}:{{ .Values.hook.image.tag | default .Chart.Version }}"
   ttlSecondsAfterFinished: {{ .Values.hook.ttlSecondsAfterFinished }}

diff --git a/hooks/update-field/values.yaml b/hooks/update-field/values.yaml
@@ -23,5 +23,8 @@ hook:
   # hook.labels -- Add Kubernetes Labels to the hook definition
   labels: {}
 
+  # -- Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks.
+  priority: 0
+
   # hook.ttlSecondsAfterFinished -- Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
   ttlSecondsAfterFinished: null
diff --git a/operator/apis/execution/v1/scan_types.go b/operator/apis/execution/v1/scan_types.go
@@ -108,6 +108,8 @@ type ScanStatus struct {
 	Findings FindingStats `json:"findings,omitempty"`
 
 	ReadAndWriteHookStatus []HookStatus `json:"readAndWriteHookStatus,omitempty"`
+
+	OrderedHookStatuses [][]*HookStatus `json:"orderedHookStatuses,omitempty"`
 }
 
 // HookState Describes the State of a Hook on a Scan
@@ -125,6 +127,8 @@ type HookStatus struct {
 	HookName string    `json:"hookName"`
 	State    HookState `json:"state"`
 	JobName  string    `json:"jobName,omitempty"`
+	Priority int       `json:"priority"`
+	Type     HookType  `json:"type"`
 }
 
 // FindingStats contains the general stats about the results of the scan

diff --git a/operator/apis/execution/v1/scancompletionhook_types.go b/operator/apis/execution/v1/scancompletionhook_types.go
@@ -30,6 +30,11 @@ type ScanCompletionHookSpec struct {
 	// Defines weather the hook should be able to change the findings or is run in a read only mode.
 	Type HookType `json:"type"`
 
+	// Higher priority hooks run before low priority hooks. Within a priority class ReadAndWrite hooks are started before ReadOnly hooks, ReadAndWrite hooks wil be launched in serial, and ReadOnly hooks will be launched in parallel.
+	// +kubebuilder:default=0
+	// +kubebuilder:validation:Optional
+	Priority int `json:"priority"`
+
 	// Image is the container image for the hooks kubernetes job
 	Image string `json:"image,omitempty"`
 	// ImagePullSecrets used to access private hooks images
@@ -60,6 +65,7 @@ type ScanCompletionHookStatus struct {
 
 // +kubebuilder:object:root=true
 // +kubebuilder:printcolumn:name="Type",type=string,JSONPath=`.spec.type`,description="ScanCompletionHook Type"
+// +kubebuilder:printcolumn:name="Priority",type=string,JSONPath=`.spec.priority`,description="ScanCompletionHook Priority"
 // +kubebuilder:printcolumn:name="Image",type=string,JSONPath=`.spec.image`,description="ScanCompletionHook Image"
 
 // ScanCompletionHook is the Schema for the ScanCompletionHooks API

diff --git a/operator/apis/execution/v1/zz_generated.deepcopy.go b/operator/apis/execution/v1/zz_generated.deepcopy.go
diff --git a/operator/config/crd/bases/execution.securecodebox.io_scancompletionhooks.yaml b/operator/config/crd/bases/execution.securecodebox.io_scancompletionhooks.yaml
@@ -24,6 +24,10 @@ spec:
       jsonPath: .spec.type
       name: Type
       type: string
+    - description: ScanCompletionHook Priority
+      jsonPath: .spec.priority
+      name: Priority
+      type: string
     - description: ScanCompletionHook Image
       jsonPath: .spec.image
       name: Image
@@ -174,6 +178,13 @@ spec:
                       type: string
                   type: object
                 type: array
+              priority:
+                default: 0
+                description: Higher priority hooks run before low priority hooks.
+                  Within a priority class ReadAndWrite hooks are started before ReadOnly
+                  hooks, ReadAndWrite hooks wil be launched in serial, and ReadOnly
+                  hooks will be launched in parallel.
+                type: integer
               serviceAccountName:
                 description: ServiceAccountName Name of the serviceAccount Name used.
                   Should only be used if your hook needs specifc RBAC Access. Otherwise

diff --git a/operator/config/crd/bases/execution.securecodebox.io_scans.yaml b/operator/config/crd/bases/execution.securecodebox.io_scans.yaml
@@ -2906,6 +2906,32 @@ spec:
                   parser & hooks) has been marked as "Done"
                 format: date-time
                 type: string
+              orderedHookStatuses:
+                items:
+                  items:
+                    properties:
+                      hookName:
+                        type: string
+                      jobName:
+                        type: string
+                      priority:
+                        type: integer
+                      state:
+                        description: HookState Describes the State of a Hook on a
+                          Scan
+                        type: string
+                      type:
+                        description: HookType Defines weather the hook should be able
+                          to change the findings or is run in a read only mode.
+                        type: string
+                    required:
+                    - hookName
+                    - priority
+                    - state
+                    - type
+                    type: object
+                  type: array
+                type: array
               rawResultDownloadLink:
                 description: RawResultDownloadLink link to download the raw result
                   file from. Valid for 7 days
@@ -2929,12 +2955,20 @@ spec:
                       type: string
                     jobName:
                       type: string
+                    priority:
+                      type: integer
                     state:
                       description: HookState Describes the State of a Hook on a Scan
                       type: string
+                    type:
+                      description: HookType Defines weather the hook should be able
+                        to change the findings or is run in a read only mode.
+                      type: string
                   required:
                   - hookName
+                  - priority
                   - state
+                  - type
                   type: object
                 type: array
               state: