Introduce scope limiter on cascading rules to enforce scope by EndPositive · Pull Request #805 · secureCodeBox/secureCodeBox · GitHub
Merged
58 commits
14ec455
Add reverse-matches
Nov 10, 2021
bae68d1
Merge remote-tracking branch 'upstream/main' into reverse-matches
Nov 10, 2021
cf49cb3
AND together `anyOf`, `allOf`, and `noneOf`
Nov 15, 2021
86899c9
Implement subdomainOf operator
Nov 15, 2021
f207d10
Implement "global" validation/error handling
Nov 15, 2021
2aef704
Select only annotations with domain `scope.cascading.securecodebox.io/`
Nov 16, 2021
9c5f93c
Enforce immutability of `scope.cascading.securecodebox.io/` annotations
Nov 16, 2021
da3eeae
Loudly fail if new scope annotations are defined in a cascading rule
Nov 16, 2021
869f4d2
Rename ScanAnnotationSelector to ScopeLimiter and SelectorAttributeMa…
Nov 17, 2021
2ff80be
Add `scopeLimiterAliases` to scanner values.yaml
Nov 17, 2021
8751a3d
Remove unused import
Nov 17, 2021
013c2e2
Make scope limiter actually run in cluster
Nov 17, 2021
59d9a28
JSON stringify logs
Nov 17, 2021
54169c0
Updating Helm Docs
malexmave Nov 18, 2021
a449016
Add more test cases
malexmave Nov 18, 2021
97c3df1
Add a few more test cases
malexmave Nov 18, 2021
7d5581b
Add `scopeLimiterAliases` to new scanner template
Nov 18, 2021
a158fb1
Rename `reverse-matches.ts` to `scope-limiter.ts` and `isReverseMatch…
Nov 18, 2021
548ba43
Error operator name instead of operator function
Nov 18, 2021
cccd622
Rename lhs and rhs to their semantic names
Nov 18, 2021
3f1dbd5
Get rid of redundant operators
Nov 19, 2021
0c1d8c9
Add inline documentation for every operator
Nov 19, 2021
c40992b
Fix unit tests
Nov 25, 2021
e67f8c2
Add IPv6 support to InCIDR
Nov 25, 2021
b081011
Add support for templating a list from findings
Nov 26, 2021
ecab082
Handle whitespace explicitly in list function
Nov 26, 2021
7d98c1e
Consistency
Nov 26, 2021
5a6b31e
Add more tests and error handling
Nov 26, 2021
3f2ba81
Add tons of comments everywhere and convert `templateValue` return ty…
Nov 26, 2021
d82177c
Merge branch 'main' into reverse-matches
Nov 26, 2021
058340f
Reduce list requirement key depth
Nov 26, 2021
275cbfc
Actually test with a key that is too short.
Nov 26, 2021
c86600e
Fix expected error message for unit test
malexmave Nov 26, 2021
9d7d7aa
Add some more unit tests
malexmave Nov 26, 2021
33906e4
Add failing test
Nov 26, 2021
09a0c51
Add test for v6 constraint without v6 address
malexmave Nov 26, 2021
6ed9c26
Rework test suite to bdd and implement `list`, `split`, and `keyinobj…
Nov 29, 2021
e162d92
Replace all `test` by `it`
Nov 29, 2021
73a3748
Rename `cascadedScans` to `isInScope` in test suite
Nov 29, 2021
b56f3ff
Add more `Contains` tests
Nov 29, 2021
c90379d
Add `In` tests
Nov 29, 2021
ff081c0
Add trailing delimiter to internal split
Nov 29, 2021
e4f0324
Rename `keyinobjectlist` -> `pickValues` and `list` -> `asList`
Nov 29, 2021
2500c0c
Add failing test case for trailing comma
malexmave Nov 30, 2021
edf7161
Add more tests for trailing comma in `list`
Nov 30, 2021
b2285c2
Rename `asList` to `getValues`
Nov 30, 2021
051b3ae
Use replace with RegEx instead of replaceAll
malexmave Nov 30, 2021
d415288
Support comma with trailing space for split
malexmave Nov 30, 2021
2a3733d
Rename getValues to asList
malexmave Nov 30, 2021
5c5dc6f
Rename pickValues to getValues
malexmave Nov 30, 2021
31110aa
Add more test cases to increase coverage
malexmave Nov 30, 2021
e1e797e
Make `Values` field required
Nov 30, 2021
af68075
Test lists in alias
Nov 30, 2021
42c3d20
Merge branch 'main' into reverse-matches
Dec 1, 2021
27d6e60
Merge branch 'main' into reverse-matches
J12934 Dec 7, 2021
cad9840
Merge branch 'main' into reverse-matches
J12934 Dec 7, 2021
4e906b3
Update use of `getCascadingScans` function
J12934 Dec 8, 2021
2dabb0f
Update snapshots
J12934 Dec 8, 2021
Expand Up @@ -12,3 +12,5 @@ spec:
ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }}
env:
{{- toYaml .Values.parser.env | nindent 4 }}
scopeLimiterAliases:
{{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }}
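Review bot: `scopeLimiterAliases:` is rendered unconditionally, so a scanner chart whose values do not define `parser.scopeLimiterAliases` passes a nil value to `toYaml` and the key is emitted as `null` rather than as an empty map. Wrap the two added lines in `{{- with .Values.parser.scopeLimiterAliases }}` and `{{- end }}`, or pipe the value through `default dict` before `toYaml`, so the rendered spec keeps a consistent type for charts that have not yet picked up the new default.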
3 changes: 3 additions & 0 deletions .templates/new-scanner/values.yaml
Expand Up @@ -17,6 +17,9 @@ parser:
# parser.env -- Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
env: []

# parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter.
scopeLimiterAliases: {}

scanner:
image:
# scanner.image.repository -- Container Image to run the scan
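Review bot: the doc comment for `parser.scopeLimiterAliases` does not say what the map's keys and values are. The `parser.env` comment directly above links to reference documentation, while this one only says the aliases are "to be used in the scopeLimiter". State the expected shape (what an alias name maps to) with a short commented example or a link to the scope limiter documentation, since this text is what ends up in the generated Helm docs for every new scanner.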
4 changes: 2 additions & 2 deletions hooks/cascading-scans/hook/Dockerfile
Expand Up @@ -15,10 +15,10 @@ RUN mkdir -p /home/app
WORKDIR /home/app
COPY package.json package-lock.json ./
RUN npm ci
COPY hook.ts scan-helpers.ts kubernetes-label-selector.ts ./
COPY hook.ts scan-helpers.ts scope-limiter.ts kubernetes-label-selector.ts ./
RUN npm run build

FROM ${namespace:-securecodebox}/hook-sdk-nodejs:${baseImageTag:-latest}
WORKDIR /home/app/hook-wrapper/hook/
COPY --from=install --chown=app:app /home/app/node_modules/ ./node_modules/
COPY --from=build --chown=app:app /home/app/hook.js /home/app/hook.js.map /home/app/scan-helpers.js /home/app/scan-helpers.js.map /home/app/kubernetes-label-selector.js /home/app/kubernetes-label-selector.js.map ./
COPY --from=build --chown=app:app /home/app/hook.js /home/app/hook.js.map /home/app/scan-helpers.js /home/app/scan-helpers.js.map /home/app/scope-limiter.js /home/app/scope-limiter.js.map /home/app/kubernetes-label-selector.js /home/app/kubernetes-label-selector.js.map ./
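Review bot: both `COPY` lines list the hook's modules by hand, so `scope-limiter.ts` in the build stage and `scope-limiter.js` plus `scope-limiter.js.map` in the final stage each had to be added separately. A module left out of the second list still builds and only surfaces as a missing-module error when the image runs. Consider compiling into a dedicated output directory and copying that directory as a whole in the final stage, or adding a smoke test that loads `hook.js` inside the built image.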