From 91afba7057849efe062b351df34fec33758cce02 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Mon, 1 Apr 2019 16:25:51 +0200 Subject: [PATCH 01/14] Corrected links --- docs/developer-guide/README.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/docs/developer-guide/README.md b/docs/developer-guide/README.md index 3aed8ba661..20804693ee 100644 --- a/docs/developer-guide/README.md +++ b/docs/developer-guide/README.md @@ -78,8 +78,8 @@ curl -X POST 'http://:8080/box/jobs//result' -H 'Conte -To edit these models, Camunda provides a free modelling tool for the BPMN models which you can [download here](camunda_modeler). -Feel free to get inspiration from the [prepackaged processes here](prepackaged_processes). +To edit these models, Camunda provides a free modelling tool for the BPMN models which you can [download here](https://camunda.com/products/modeler/). +Feel free to get inspiration from the [prepackaged processes here](https://github.com/secureCodeBox/engine/tree/master/scb-scanprocesses).
Just copy a process model from the prepackaged? @@ -239,6 +239,3 @@ Note: }, } ``` - -[prepackaged_processes]: https://github.com/secureCodeBox/engine/tree/master/scb-scanprocesses -[camunda_modeler]: https://camunda.com/download/modeler/ From c77ff0bde08c4c23ad41a52e5906950b3beeafa1 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Mon, 1 Apr 2019 16:44:23 +0200 Subject: [PATCH 02/14] Auto format --- docs/user-guide/persistence/README.md | 40 +++++++++++++-------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/docs/user-guide/persistence/README.md b/docs/user-guide/persistence/README.md index e02c27ff9f..8c5b306280 100644 --- a/docs/user-guide/persistence/README.md +++ b/docs/user-guide/persistence/README.md 
@@ -64,17 +64,17 @@ Alternatively the corresponding environment variables, e.g. `SECURECODEBOX_PERSI The DefectDjojo Persistence Provider requries some additional configuration for every securityTest. This configuration is to set additional information e.g. for which product should engagment and findings be created? -| Meta Field |  Description | Example Value | Mandatory | -| --------------------- | ---------------------------------------------------------------------------------------------------- | ------------- | --------- | -| `DEFECT_DOJO_USER` | Username of the DefectDojo user responsible for the scan. Defaults to username of the technical user | john_doe | no | -| `SCB_BRANCH` | Tag or branch of the product the engagement tested | develop | no | -| `SCB_BUILD_ID` | Build ID of the product the engagement tested | 1.0 | no | -| `SCB_COMMIT_HASH` | Commit hash from repo | 9a03412 | no | -| `SCB_TRACKER` | Link to epic or ticket system with changes to version | http://your-ticket-system.com | no | -| `SCB_REPO` | Repository | http://your-remote-repository.com | no | -| `SCB_BUILD_SERVER` | Build server responsible for CI/CD test | http://your-build-server.com | no | -| `SCB_SCM_SERVER` | Source code server for CI/CD test | http://your-scm-server.com | no | -| `SCB_ENGAGEMENT_TITLE`| Title for the engagement. Defaults to name of the supported scanner or "Generic Findings Import" | Engagement No.1337 | no | +| Meta Field |  Description | Example Value | Mandatory | +| ---------------------- | ---------------------------------------------------------------------------------------------------- | --------------------------------- | --------- | +| `DEFECT_DOJO_USER` | Username of the DefectDojo user responsible for the scan. 
Defaults to username of the technical user | john_doe | no | +| `SCB_BRANCH` | Tag or branch of the product the engagement tested | develop | no | +| `SCB_BUILD_ID` | Build ID of the product the engagement tested | 1.0 | no | +| `SCB_COMMIT_HASH` | Commit hash from repo | 9a03412 | no | +| `SCB_TRACKER` | Link to epic or ticket system with changes to version | http://your-ticket-system.com | no | +| `SCB_REPO` | Repository | http://your-remote-repository.com | no | +| `SCB_BUILD_SERVER` | Build server responsible for CI/CD test | http://your-build-server.com | no | +| `SCB_SCM_SERVER` | Source code server for CI/CD test | http://your-scm-server.com | no | +| `SCB_ENGAGEMENT_TITLE` | Title for the engagement. Defaults to name of the supported scanner or "Generic Findings Import" | Engagement No.1337 | no | An example security test with these values set would look like this. @@ -91,15 +91,15 @@ An example security test with these values set would look like this. } }, "metaData": { - "DEFECT_DOJO_USER": "john_doe", - "SCB_BRANCH": "develop", - "SCB_BUILD_ID": "1.0", - "SCB_COMMIT_HASH": "9a03412", - "SCB_TRACKER": "http://your-ticket-system.com", - "SCB_REPO": "http://your-remote-repository.com", - "SCB_BUILD_SERVER": "http://your-build-server.com", - "SCB_SCM_SERVER": "http://your-scm-server.com", - "SCB_ENGAGEMENT_TITLE": "Engagement No.1337" + "DEFECT_DOJO_USER": "john_doe", + "SCB_BRANCH": "develop", + "SCB_BUILD_ID": "1.0", + "SCB_COMMIT_HASH": "9a03412", + "SCB_TRACKER": "http://your-ticket-system.com", + "SCB_REPO": "http://your-remote-repository.com", + "SCB_BUILD_SERVER": "http://your-build-server.com", + "SCB_SCM_SERVER": "http://your-scm-server.com", + "SCB_ENGAGEMENT_TITLE": "Engagement No.1337" } } ] From 93eff52d8cb9722134cd11ed339d3a455048fc01 Mon Sep 17 00:00:00 2001 
From: Jannik Hollenbach Date: Mon, 1 Apr 2019 17:44:17 +0200 Subject: [PATCH 03/14] Clarified how the defectdojo product is slected when starting a securityTest --- docs/user-guide/persistence/README.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/user-guide/persistence/README.md b/docs/user-guide/persistence/README.md index 8c5b306280..e91dd4c572 100644 --- a/docs/user-guide/persistence/README.md +++ b/docs/user-guide/persistence/README.md @@ -62,7 +62,10 @@ Alternatively the corresponding environment variables, e.g. `SECURECODEBOX_PERSI #### Runetime Security Test Config The DefectDjojo Persistence Provider requries some additional configuration for every securityTest. -This configuration is to set additional information e.g. for which product should engagment and findings be created? +This configuration has only one **mandatory** parameter, which is the **context** of the security scan. This has to be the same as the product name inside DefectDojo related to the scan. Once the scan is finished a new engagment for the product and all findings are getting imported. + +Other than the context, there are also a number of optional params, which are used to populate other fields of the DefectDojo engagment. +These can be set by passing them in the `metaData` param of the securityTest. | Meta Field |  Description | Example Value | Mandatory | | ---------------------- | ---------------------------------------------------------------------------------------------------- | --------------------------------- | --------- | 
@@ -76,13 +79,13 @@ This configuration is to set additional information e.g. for which product shoul | `SCB_SCM_SERVER` | Source code server for CI/CD test | http://your-scm-server.com | no | | `SCB_ENGAGEMENT_TITLE` | Title for the engagement. Defaults to name of the supported scanner or "Generic Findings Import" | Engagement No.1337 | no | -An example security test with these values set would look like this. +An example security test with these values set would look like this: ```json [ { "name": "nmap", - "context": "feature-team-1/product-1", + "context": "product-1", "target": { "name": "Test Server", "location": "10.11.11.11", From 148f123caac6eb278711f31ebe1e44cce2ee1626 Mon Sep 17 00:00:00 2001 From: Robert Seedorff Date: Wed, 10 Apr 2019 11:49:35 +0200 Subject: [PATCH 04/14] Added a new issue type template for scanner requests --- .../ISSUE_TEMPLATE/new_security_scanner.md | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/new_security_scanner.md diff --git a/.github/ISSUE_TEMPLATE/new_security_scanner.md b/.github/ISSUE_TEMPLATE/new_security_scanner.md new file mode 100644 index 0000000000..4209c8d8eb --- /dev/null +++ b/.github/ISSUE_TEMPLATE/new_security_scanner.md 
@@ -0,0 +1,35 @@ +--- +name: 'New Security Scanner request' +about: 'Suggest an idea for a new security scanner to integrate in this project.' +labels: 'security scanner' +--- +## New Scanner implementation request + +**Is your feature request related to a problem? Please describe.** +- _A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]_ + +**Describe the solution you'd like** +- _A clear and concise description of what you want to happen._ + +**Describe alternatives you've considered** +- _A clear and concise description of any alternative solutions or features you've considered._ + +**Additional context** +- _Add any other context or screenshots about the feature request here._ + +## Steps to implement a new scanner +> Hint: A general guide how to implement a new scanner is documented [here]( https://github.com/secureCodeBox/secureCodeBox/blob/master/docs/developer-guide/README.md#developing-own-processes) + +### Must have +- [ ] Create a [new public secureCodeBox repository](https://github.com/organizations/secureCodeBox/repositories/new) for the scanner implementation +- [ ] Implement a new scanner microservice an reuse some of the existing stuff, if possible +- [ ] Check if there is a [healthcheck](https://github.com/secureCodeBox/secureCodeBox/blob/master/docs/developer-guide/README.md#healthchecks-for-scanner-microservices) for the microservice implemented +- [ ] Implement a [new basic security process](https://github.com/secureCodeBox/secureCodeBox/blob/master/docs/developer-guide/README.md#developing-a-process-model) for the scanner +- [ ] Update the [docker-compose](https://github.com/secureCodeBox/secureCodeBox/blob/master/docker-compose.yml) files and integrate your new scanner there +- [ ] Update the [user guide](https://github.com/secureCodeBox/secureCodeBox/tree/master/docs/user-guide) and [developer guide](https://github.com/secureCodeBox/secureCodeBox/tree/master/docs/developer-guide) +- [ ] Implement a 
integration test for the scanner [here](https://github.com/secureCodeBox/secureCodeBox/tree/master/test) + +### Should have +- [ ] Update the [CLI examples](https://github.com/secureCodeBox/secureCodeBox/tree/master/cli) +- [ ] Update the [Jenkins Pipeline](https://github.com/secureCodeBox/integration-pipeline-jenkins-examples) examples +- [ ] Update the [OpenShift Container Setup](https://github.com/secureCodeBox/ansible-role-securecodebox-openshift) From f3215e4cdbcbe7810730e7fdf621ec7db3ddf482 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 17 Apr 2019 12:28:09 +0200 Subject: [PATCH 05/14] Corrected typo in description --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8edf1a81fa..1e8344598d 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ ![secureCodeBox](docs/resources/logo.png "secureCodeBox") -> _secureCodeBox_ is a docker based, modularized toolchain for continuous security scans of your software project. It's goal is to orchestrate and easily automate a bunch of security-testing tools out of the box. +> _secureCodeBox_ is a docker based, modularized toolchain for continuous security scans of your software project. Its goal is to orchestrate and easily automate a bunch of security-testing tools out of the box. ## Overview From 268bad7b8df60c2d607a845bad9afb6f5ec5991a Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 24 Apr 2019 10:50:16 +0200 Subject: [PATCH 06/14] Moved the meta fields docs below the api docs As they can only be used with the api, the api should be introduced first --- docs/user-guide/README.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/user-guide/README.md b/docs/user-guide/README.md index 1e3bc93825..963596b1c1 100644 --- a/docs/user-guide/README.md +++ b/docs/user-guide/README.md 
@@ -20,6 +20,7 @@ Username: choosen Username Password: choosen Password ``` + 4. You are now logged in. Additional users can be created in the user managment section. New users are created without any permissions by default. They are not even permitted to log in. This can be changed by assigning them to the pre-exsisting groups or by granting them the required permission individually. ![User management](../resources/userManagement.png) @@ -56,10 +57,6 @@ Password: choosen Password The secureCodeBox can save the security tests results into different data stores. A list with all availible stores and how to configure and use them can be found [here](./persistence/README.md). -## Meta Fields and How to use them - -MetaFields can be used to tag security tests with custom data relevant for you. We have encountered some data values which we found paticulary usefull and standardized their format to be used in multiple places. The list and formats can be found [here](./metafields/README.md). - ## Starting securityTests using the REST-API In order to start a scan via the REST-API, send a PUT-Request to the following URL: 
@@ -93,6 +90,10 @@ The following links contain completes examples and explanations how to set up an 2. [Scanning Server Rendered Applications like BodgeIt Store using Arachni](./usage-examples/arachni-bodgeit-example.md) 3. [Scanning Server Rendered Applications like BodgeIt Store using OWASP ZAP](./usage-examples/zap-bodgeit-example.md) +## Meta Fields and How to use them + +MetaFields can be used to tag security tests with custom data relevant for you. We have encountered some data values which we found paticulary usefull and standardized their format to be used in multiple places. The list and formats can be found [here](./metafields/README.md). + ## Starting Scan-Processes using the CLI We have introduced a [simple secureCodeBox CLI](../../cli/README.md) which is based on the REST-API. This CLI can be used to configure and start Scan-Process or to integrate with you CI/CD Pipeline (e.g. Jenkins). From b682fd195d481c06858150ffc6cbd205f4f8dfaf Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 24 Apr 2019 11:01:51 +0200 Subject: [PATCH 07/14] Add explanation to docs on how the processes differ when started via the ui / rest api --- docs/user-guide/README.md | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/docs/user-guide/README.md b/docs/user-guide/README.md index 963596b1c1..b12f261578 100644 --- a/docs/user-guide/README.md +++ b/docs/user-guide/README.md 
@@ -57,7 +57,15 @@ Password: choosen Password The secureCodeBox can save the security tests results into different data stores. A list with all availible stores and how to configure and use them can be found [here](./persistence/README.md). -## Starting securityTests using the REST-API +## Starting securityTests + +### Starting securityTests using the UI + +When a scan is started via the Camunda UI, the scan is considered to be a manual scans. This means that its results has to be confirmed before they it gets persisted by the configured persistence provider (e.g. elasticsearch). The results will show up in the tasklist and will get persistet once their the task has been marked as completed. + +### Starting securityTests using the REST-API + +When a scan is started via the REST-API, the scan is considered to be automated. This means that the results will get automatically persisted into the configured perssitence provider (e.g. elasticsearch). The results of the securityTest will however **not** show up in the tasklist. The securityTest will be completed directly and the results are only availible via the persistence provider or by accessing it via the Rest-API. In order to start a scan via the REST-API, send a PUT-Request to the following URL: `<>/box/securityTests`. 
@@ -82,6 +90,12 @@ The scanning target is set within the payload. A securityTest running a nmap por You can check out a more detailed API documentation in the Swagger Docs of the secureCodeBox Engine. The Swagger Docs come together with the secureCodeBox Engine. You can access it at `<>/swagger-ui.html`. If you dont have one running yet you can look at the staticly exported version of it here: [Static API Docs](../developer-guide/api-doc.md) +#### Meta Fields and How to use them + +MetaFields can be used to tag security tests with custom data relevant for you. We have encountered some data values which we found paticulary usefull and standardized their format to be used in multiple places. The list and formats can be found [here](./metafields/README.md). + +MetaFields can currently only be set via the rest api. See the swagger docs for how to set them. + ### In Depth Scan Examples The following links contain completes examples and explanations how to set up and start scans against demo application. @@ -90,10 +104,6 @@ The following links contain completes examples and explanations how to set up an 2. [Scanning Server Rendered Applications like BodgeIt Store using Arachni](./usage-examples/arachni-bodgeit-example.md) 3. [Scanning Server Rendered Applications like BodgeIt Store using OWASP ZAP](./usage-examples/zap-bodgeit-example.md) -## Meta Fields and How to use them - -MetaFields can be used to tag security tests with custom data relevant for you. We have encountered some data values which we found paticulary usefull and standardized their format to be used in multiple places. The list and formats can be found [here](./metafields/README.md). - ## Starting Scan-Processes using the CLI We have introduced a [simple secureCodeBox CLI](../../cli/README.md) which is based on the REST-API. This CLI can be used to configure and start Scan-Process or to integrate with you CI/CD Pipeline (e.g. Jenkins). From fd535fbf9025d103c574a8905e174db7279614c9 Mon Sep 17 00:00:00 2001 
From: Jannik Hollenbach Date: Wed, 8 May 2019 15:25:34 +0200 Subject: [PATCH 08/14] Remove test.only from sslyze test --- test/sslyze.test.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/sslyze.test.js b/test/sslyze.test.js index 81b8f5ac1c..d58b1bbdcc 100644 --- a/test/sslyze.test.js +++ b/test/sslyze.test.js @@ -1,6 +1,6 @@ const { startSecurityTest, Time } = require('./sdk'); -test.only( +test( 'finds tls information for securecodebox.io', async () => { const securityTest = await startSecurityTest({ From 1ffffe15f62e320671cd898c22c560aa9e599dac Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 8 May 2019 15:26:25 +0200 Subject: [PATCH 09/14] Add ssh scanner to compose file --- docker-compose.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docker-compose.yml b/docker-compose.yml index b334d3edf4..05c09483cf 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -140,6 +140,20 @@ services: - ENGINE_ADDRESS=http://engine:8080 - ENGINE_BASIC_AUTH_USER=${ENGINE_SCANNERSERVICES_USER} - ENGINE_BASIC_AUTH_PASSWORD=${ENGINE_SCANNERSERVICES_PASSWORD} + + scanner-infrastructure-ssh: + image: securecodebox/ssh:${DEFAULT_TAG} + depends_on: + engine: + condition: service_healthy + networks: + - frontend + labels: + container_group: scanner + environment: + - ENGINE_ADDRESS=http://engine:8080 + - ENGINE_BASIC_AUTH_USER=${ENGINE_SCANNERSERVICES_USER} + - ENGINE_BASIC_AUTH_PASSWORD=${ENGINE_SCANNERSERVICES_PASSWORD} persistence-elasticsearch: image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.3.1 From 78b968ba591f58806e5d88bf21ae8d2ae93945a6 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 8 May 2019 15:26:32 +0200 Subject: [PATCH 10/14] Added ssh integration test --- test/ssh.test.js | 57 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 test/ssh.test.js 
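Review bot: Dropping `.only` re-enables the rest of the suite, but nothing in the repository stops the next focused test from landing and silently skipping every other integration test in CI. If the `test` directory gets ESLint, the `eslint-plugin-jest` rule `jest/no-focused-tests` fails lint on `test.only`/`describe.only`; a lighter option is a CI step such as `! grep -rn '\.only(' test/*.test.js` run before `npm test`. The `test(` call's body continues outside the hunk.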
diff --git a/test/ssh.test.js b/test/ssh.test.js
new file mode 100644
index 0000000000..950918269a
--- /dev/null
+++ b/test/ssh.test.js
@@ -0,0 +1,57 @@
+const { startSecurityTest, Time } = require('./sdk');
+
+test(
+ 'finds a few low severity findigns for securecodebox.io',
+ async () => {
+ const securityTest = await startSecurityTest({
+ context: 'securecodebox.io tls',
+ metaData: {},
+ name: 'ssh',
+ target: {
+ name: 'securecodebox.io tls',
+ location: 'securecodebox.io',
+ attributes: {},
+ },
+ });
+
+ const { report } = securityTest;
+
+ const findings = report.findings.map(
+ ({ description, category, name, osi_layer, severity }) => ({
+ description,
+ category,
+ name,
+ osi_layer,
+ severity,
+ })
+ );
+
+ expect(findings.length).toBe(3);
+
+ expect(findings).toContainEqual({
+ category: 'SSH Service',
+ description: 'SSH Compliance Information',
+ name: 'SSH Compliance',
+ osi_layer: 'NETWORK',
+ severity: 'INFORMATIONAL',
+ });
+
+ expect(findings).toContainEqual({
+ category: 'SSH Service',
+ description: ' diffie-hellman-group14-sha1',
+ name: 'Remove these key exchange algorithms',
+ osi_layer: 'NETWORK',
+ severity: 'LOW',
+ });
+
+ expect(findings).toContainEqual({
+ category: 'SSH Service',
+ description:
+ ' umac-64-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, hmac-sha1',
+ name: 'Remove these MAC algorithms',
+ osi_layer: 'NETWORK',
+ severity: 'LOW',
+ });
+ },
+ 2 * Time.Minute
+);
From 6f31560ace2cbc63cbac264be5468e543b66de1a Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Wed, 8 May 2019 15:29:06 +0200
Subject: [PATCH 11/14] Start ssh scanner in compose stack before running the test suite
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index 5c4305ba0d..a0f6a7b7e4 100644
--- a/.travis.yml
+++ b/.travis.yml
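Review bot: The two LOW-severity `toContainEqual` assertions pin the exact weak-algorithm lists (`' diffie-hellman-group14-sha1'` and the four-entry MAC string, leading space included) and `expect(findings.length).toBe(3)` pins the count, all against the live third-party host `securecodebox.io`, so the suite turns red the moment that host's sshd is hardened rather than when the ssh scanner regresses. A more stable shape is `expect(findings).toHaveLength(3);` plus `expect.objectContaining({ name: 'Remove these key exchange algorithms', description: expect.stringContaining('diffie-hellman-group14-sha1') })` for the algorithm findings, and pointing the scan at a target the compose stack controls would remove the external dependency entirely, though I can't tell from here whether any of the demo containers exposes sshd. The `context` and `target.name` values `'securecodebox.io tls'` look copied from the sslyze test and mislabel an ssh scan; `'securecodebox.io ssh'` would read correctly wherever the context is used as the product name. The test title also carries the typo `findigns`.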
@@ -8,7 +8,7 @@ env: - DEFAULT_TAG=develop script: - cp test/.env.test .env - - docker-compose -f docker-compose.yml -f docker-compose.demo.yml up -d engine camundadb bodgeit juice-shop nginx scanner-infrastructure-nmap scanner-webapplication-arachni scanner-webapplication-zap scanner-infrastructure-amass scanner-webapplication-sslyze scanner-webserver-nikto + - docker-compose -f docker-compose.yml -f docker-compose.demo.yml up -d engine camundadb bodgeit juice-shop nginx scanner-infrastructure-nmap scanner-webapplication-arachni scanner-webapplication-zap scanner-infrastructure-amass scanner-webapplication-sslyze scanner-webserver-nikto scanner-infrastructure-ssh - cd test - npm ci - npm test -- --verbose --forceExit From dc37589aa117313a33cc410e0bc7a85462954e6e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" Date: Tue, 4 Jun 2019 08:28:25 +0000 Subject: [PATCH 12/14] Bump axios from 0.18.0 to 0.18.1 in /test Bumps [axios](https://github.com/axios/axios) from 0.18.0 to 0.18.1. - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v0.18.1/CHANGELOG.md) - [Commits](https://github.com/axios/axios/compare/v0.18.0...v0.18.1) --- test/package-lock.json | 65 ++++++++++++++++++++++++++++++------------ test/package.json | 2 +- 2 files changed, 47 insertions(+), 20 deletions(-) diff --git a/test/package-lock.json b/test/package-lock.json index 0226a2bde1..10714f34e6 100644 --- a/test/package-lock.json +++ b/test/package-lock.json 
@@ -393,13 +393,21 @@ "dev": true }, "axios": { - "version": "0.18.0", - "resolved": "https://registry.npmjs.org/axios/-/axios-0.18.0.tgz", - "integrity": "sha1-MtU+SFHv3AoRmTts0AB4nXDAUQI=", + "version": "0.18.1", + "resolved": "https://registry.npmjs.org/axios/-/axios-0.18.1.tgz", + "integrity": "sha512-0BfJq4NSfQXd+SkFdrvFbG7addhYSBA2mQwISr46pD6E5iqkWg02RAs8vyTT/j0RTnoYmeXauBuSv1qKwR179g==", "dev": true, "requires": { - "follow-redirects": "^1.3.0", - "is-buffer": "^1.1.5" + "follow-redirects": "1.5.10", + "is-buffer": "^2.0.2" + }, + "dependencies": { + "is-buffer": { + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/is-buffer/-/is-buffer-2.0.3.tgz", + "integrity": "sha512-U15Q7MXTuZlrbymiz95PJpZxu8IlipAp4dtS3wOdgPXx3mqBnslrWU14kxfHB+Py/+2PVKSr37dMAgM2A4uArw==", + "dev": true + } } }, "babel-jest": { @@ -1330,9 +1338,9 @@ } }, "follow-redirects": { - "version": "1.6.1", - "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.6.1.tgz", - "integrity": "sha512-t2JCjbzxQpWvbhts3l6SH1DKzSrx8a+SsaVf4h6bG4kOXUuPYS/kg2Lr4gQSb7eemaHqJkOThF1BGyjlUkO1GQ==", + "version": "1.5.10", + "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.5.10.tgz", + "integrity": "sha512-0V5l4Cizzvqt5D44aTXbFZz+FtyXV1vrDN6qrelxtfYQKW0KO0W2T/hkE8xvGa/540LkZlkaUjO4ailYTFtHVQ==", "dev": true, "requires": { "debug": "=3.1.0" @@ -1396,7 +1404,8 @@ "ansi-regex": { "version": "2.1.1", "bundled": true, - "dev": true + "dev": true, + "optional": true }, "aproba": { "version": "1.2.0", @@ -1417,12 +1426,14 @@ "balanced-match": { "version": "1.0.0", "bundled": true, - "dev": true + "dev": true, + "optional": true }, "brace-expansion": { "version": "1.1.11", "bundled": true, "dev": true, + "optional": true, "requires": { "balanced-match": "^1.0.0", "concat-map": "0.0.1" 
@@ -1437,17 +1448,20 @@ "code-point-at": { "version": "1.1.0", "bundled": true, - "dev": true + "dev": true, + "optional": true }, "concat-map": { "version": "0.0.1", "bundled": true, - "dev": true + "dev": true, + "optional": true }, "console-control-strings": { "version": "1.1.0", "bundled": true, - "dev": true + "dev": true, + "optional": true }, "core-util-is": { "version": "1.0.2", @@ -1564,7 +1578,8 @@ "inherits": { "version": "2.0.3", "bundled": true, - "dev": true + "dev": true, + "optional": true }, "ini": { "version": "1.3.5", @@ -1576,6 +1591,7 @@ "version": "1.0.0", "bundled": true, "dev": true, + "optional": true, "requires": { "number-is-nan": "^1.0.0" } @@ -1590,6 +1606,7 @@ "version": "3.0.4", "bundled": true, "dev": true, + "optional": true, "requires": { "brace-expansion": "^1.1.7" } @@ -1597,12 +1614,14 @@ "minimist": { "version": "0.0.8", "bundled": true, - "dev": true + "dev": true, + "optional": true }, "minipass": { "version": "2.3.5", "bundled": true, "dev": true, + "optional": true, "requires": { "safe-buffer": "^5.1.2", "yallist": "^3.0.0" @@ -1621,6 +1640,7 @@ "version": "0.5.1", "bundled": true, "dev": true, + "optional": true, "requires": { "minimist": "0.0.8" } @@ -1701,7 +1721,8 @@ "number-is-nan": { "version": "1.0.1", "bundled": true, - "dev": true + "dev": true, + "optional": true }, "object-assign": { "version": "4.1.1", @@ -1713,6 +1734,7 @@ "version": "1.4.0", "bundled": true, "dev": true, + "optional": true, "requires": { "wrappy": "1" } @@ -1798,7 +1820,8 @@ "safe-buffer": { "version": "5.1.2", "bundled": true, - "dev": true + "dev": true, + "optional": true }, "safer-buffer": { "version": "2.1.2", @@ -1834,6 +1857,7 @@ "version": "1.0.2", "bundled": true, "dev": true, + "optional": true, "requires": { "code-point-at": "^1.0.0", "is-fullwidth-code-point": "^1.0.0", @@ -1853,6 +1877,7 @@ "version": "3.0.1", "bundled": true, "dev": true, + "optional": true, "requires": { "ansi-regex": "^2.0.0" } 
@@ -1896,12 +1921,14 @@ "wrappy": { "version": "1.0.2", "bundled": true, - "dev": true + "dev": true, + "optional": true }, "yallist": { "version": "3.0.3", "bundled": true, - "dev": true + "dev": true, + "optional": true } } }, diff --git a/test/package.json b/test/package.json index 6b1c093c6e..8d22be0309 100644 --- a/test/package.json +++ b/test/package.json @@ -9,7 +9,7 @@ }, "license": "Apache2", "devDependencies": { - "axios": "^0.18.0", + "axios": "^0.18.1", "jest": "^24.0.0" }, "jest": { From 457d8a9cb9c126a6554f5e3cbf1a90ac6dacf60e Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Thu, 6 Jun 2019 09:54:07 +0100 Subject: [PATCH 13/14] Updates to vulnerable dependencies --- test/package-lock.json | 182 +---------------------------------------- 1 file changed, 1 insertion(+), 181 deletions(-) diff --git a/test/package-lock.json b/test/package-lock.json index 10714f34e6..29fc8ae1c7 100644 --- a/test/package-lock.json +++ b/test/package-lock.json @@ -272,24 +272,6 @@ "normalize-path": "^2.1.1" } }, - "append-transform": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/append-transform/-/append-transform-1.0.0.tgz", - "integrity": "sha512-P009oYkeHyU742iSZJzZZywj4QRJdnTWffaKuJQLablCZ1uz6/cW4yaRgcDaoQ+uwOxxnt0gRUcwfsNP2ri0gw==", - "dev": true, - "requires": { - "default-require-extensions": "^2.0.0" - } - }, - "argparse": { - "version": "1.0.10", - "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz", - "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==", - "dev": true, - "requires": { - "sprintf-js": "~1.0.2" - } - }, "arr-diff": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/arr-diff/-/arr-diff-4.0.0.tgz", 
@@ -353,15 +335,6 @@ "integrity": "sha512-+Ryf6g3BKoRc7jfp7ad8tM4TtMiaWvbF/1/sQcZPkkS7ag3D5nMBCe2UfOTONtAkaG0tO0ij3C5Lwmf1EiyjHg==", "dev": true }, - "async": { - "version": "2.6.1", - "resolved": "https://registry.npmjs.org/async/-/async-2.6.1.tgz", - "integrity": "sha512-fNEiL2+AZt6AlAw/29Cr0UDe4sRAHCpEHh54WMz+Bb7QfNcFw4h3loofyJpLeQs4Yx7yuqu/2dLgM5hKOs6HlQ==", - "dev": true, - "requires": { - "lodash": "^4.17.10" - } - }, "async-limiter": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/async-limiter/-/async-limiter-1.0.0.tgz", @@ -758,19 +731,6 @@ "delayed-stream": "~1.0.0" } }, - "commander": { - "version": "2.17.1", - "resolved": "https://registry.npmjs.org/commander/-/commander-2.17.1.tgz", - "integrity": "sha512-wPMUt6FnH2yzG95SA6mzjQOEKUU3aLaDEmzs1ti+1E9h+CsrZghRlqEM/EJ4KscsQVG8uNN4uVreUeT8+drlgg==", - "dev": true, - "optional": true - }, - "compare-versions": { - "version": "3.4.0", - "resolved": "https://registry.npmjs.org/compare-versions/-/compare-versions-3.4.0.tgz", - "integrity": "sha512-tK69D7oNXXqUW3ZNo/z7NXTEz22TCF0pTE+YF9cxvaAM9XnkLo1fV621xCLrRR6aevJlKxExkss0vWqUCUpqdg==", - "dev": true - }, "component-emitter": { "version": "1.2.1", "resolved": "https://registry.npmjs.org/component-emitter/-/component-emitter-1.2.1.tgz", @@ -892,15 +852,6 @@ "integrity": "sha1-s2nW+128E+7PUk+RsHD+7cNXzzQ=", "dev": true }, - "default-require-extensions": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/default-require-extensions/-/default-require-extensions-2.0.0.tgz", - "integrity": "sha1-9fj7sYp9bVCyH2QfZJ67Uiz+JPc=", - "dev": true, - "requires": { - "strip-bom": "^3.0.0" - } - }, "define-properties": { "version": "1.1.3", "resolved": "https://registry.npmjs.org/define-properties/-/define-properties-1.1.3.tgz", 
@@ -1065,12 +1016,6 @@ } } }, - "esprima": { - "version": "4.0.1", - "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz", - "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==", - "dev": true - }, "estraverse": { "version": "4.2.0", "resolved": "https://registry.npmjs.org/estraverse/-/estraverse-4.2.0.tgz", @@ -1295,16 +1240,6 @@ "bser": "^2.0.0" } }, - "fileset": { - "version": "2.0.3", - "resolved": "https://registry.npmjs.org/fileset/-/fileset-2.0.3.tgz", - "integrity": "sha1-jnVIqW08wjJ+5eZ0FocjozO7oqA=", - "dev": true, - "requires": { - "glob": "^7.0.3", - "minimatch": "^3.0.3" - } - }, "fill-range": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-4.0.0.tgz", @@ -2000,26 +1935,6 @@ "integrity": "sha1-8QdIy+dq+WS3yWyTxrzCivEgwIE=", "dev": true }, - "handlebars": { - "version": "4.0.12", - "resolved": "https://registry.npmjs.org/handlebars/-/handlebars-4.0.12.tgz", - "integrity": "sha512-RhmTekP+FZL+XNhwS1Wf+bTTZpdLougwt5pcgA1tuz6Jcx0fpH/7z0qd71RKnZHBCxIRBHfBOnio4gViPemNzA==", - "dev": true, - "requires": { - "async": "^2.5.0", - "optimist": "^0.6.1", - "source-map": "^0.6.1", - "uglify-js": "^3.1.4" - }, - "dependencies": { - "source-map": { - "version": "0.6.1", - "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz", - "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==", - "dev": true - } - } - }, "har-schema": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz", 
@@ -2381,20 +2296,12 @@ }, "istanbul-api": { "version": "2.0.8", - "resolved": "https://registry.npmjs.org/istanbul-api/-/istanbul-api-2.0.8.tgz", - "integrity": "sha512-ITCccemErW+BhZotmyQ/ktlYTAp9r7oWfz1oxxMpgKQVTUw0NAYRbKLbOSNaInipecIKul7U7O5BfCQBBRZa3w==", + "resolved": "", "dev": true, "requires": { - "async": "^2.6.1", - "compare-versions": "^3.2.1", - "fileset": "^2.0.3", "istanbul-lib-coverage": "^2.0.2", - "istanbul-lib-hook": "^2.0.2", "istanbul-lib-instrument": "^3.0.1", - "istanbul-lib-report": "^2.0.3", "istanbul-lib-source-maps": "^3.0.1", - "istanbul-reports": "^2.0.3", - "js-yaml": "^3.12.0", "make-dir": "^1.3.0", "once": "^1.4.0" } @@ -2405,15 +2312,6 @@ "integrity": "sha512-4CsY730KHy12ya/YNKubrMlb7EZZVsEPhXntyRY/Cbs7HN5HdznLbI4UbvIGHgocxHx3VkGe7l6IN1lipetuGg==", "dev": true }, - "istanbul-lib-hook": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/istanbul-lib-hook/-/istanbul-lib-hook-2.0.2.tgz", - "integrity": "sha512-m0MwviQ0Av6qBNDkvKdLBxxuK6ffXo8761gE2bfT+/b+dhg8LUyQhp1nFh795LO12DpiSocuCPIRwILCsN1//Q==", - "dev": true, - "requires": { - "append-transform": "^1.0.0" - } - }, "istanbul-lib-instrument": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/istanbul-lib-instrument/-/istanbul-lib-instrument-3.0.1.tgz", @@ -2429,17 +2327,6 @@ "semver": "^5.5.0" } }, - "istanbul-lib-report": { - "version": "2.0.3", - "resolved": "https://registry.npmjs.org/istanbul-lib-report/-/istanbul-lib-report-2.0.3.tgz", - "integrity": "sha512-25gX27Mbd3MjM41hwGl5lWcQEqaPaMP79YDFS20xuTUujItNmHgTBS3WRZvzyzLE0IAKaL+JpLrryou2WlZNMw==", - "dev": true, - "requires": { - "istanbul-lib-coverage": "^2.0.2", - "make-dir": "^1.3.0", - "supports-color": "^5.4.0" - } - }, "istanbul-lib-source-maps": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/istanbul-lib-source-maps/-/istanbul-lib-source-maps-3.0.1.tgz", 
@@ -2461,15 +2348,6 @@ } } }, - "istanbul-reports": { - "version": "2.0.3", - "resolved": "https://registry.npmjs.org/istanbul-reports/-/istanbul-reports-2.0.3.tgz", - "integrity": "sha512-qpQ5ZWBkOatTxmTelS+HV5ybPSq7EeXmwXrPbGv7ebP+9DJOtveUcv6hCncZE4IxSAEkdmLEh3xo31SCttbApQ==", - "dev": true, - "requires": { - "handlebars": "^4.0.11" - } - }, "jest": { "version": "24.0.0", "resolved": "https://registry.npmjs.org/jest/-/jest-24.0.0.tgz", @@ -2875,16 +2753,6 @@ "integrity": "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==", "dev": true }, - "js-yaml": { - "version": "3.12.1", - "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.1.tgz", - "integrity": "sha512-um46hB9wNOKlwkHgiuyEVAybXBjwFUV0Z/RaHJblRd9DXltue9FTYvzCr9ErQrK9Adz5MU4gHWVaNUfdmrC8qA==", - "dev": true, - "requires": { - "argparse": "^1.0.7", - "esprima": "^4.0.0" - } - }, "jsbn": { "version": "0.1.1", "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz", @@ -3189,12 +3057,6 @@ "brace-expansion": "^1.1.7" } }, - "minimist": { - "version": "0.0.10", - "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz", - "integrity": "sha1-3j+YVD2/lggr5IrRoMfNqDYwHc8=", - "dev": true - }, "mixin-deep": { "version": "1.3.1", "resolved": "https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz", @@ -3423,16 +3285,6 @@ "wrappy": "1" } }, - "optimist": { - "version": "0.6.1", - "resolved": "https://registry.npmjs.org/optimist/-/optimist-0.6.1.tgz", - "integrity": "sha1-2j6nRob6IaGaERwybpDrFaAZZoY=", - "dev": true, - "requires": { - "minimist": "~0.0.1", - "wordwrap": "~0.0.2" - } - }, "optionator": { "version": "0.8.2", "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.8.2.tgz", 
@@ -4209,12 +4061,6 @@ "extend-shallow": "^3.0.0" } }, - "sprintf-js": { - "version": "1.0.3", - "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", - "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=", - "dev": true - }, "sshpk": { "version": "1.16.1", "resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.16.1.tgz", @@ -4485,26 +4331,6 @@ "prelude-ls": "~1.1.2" } }, - "uglify-js": { - "version": "3.4.9", - "resolved": "https://registry.npmjs.org/uglify-js/-/uglify-js-3.4.9.tgz", - "integrity": "sha512-8CJsbKOtEbnJsTyv6LE6m6ZKniqMiFWmm9sRbopbkGs3gMPPfd3Fh8iIA4Ykv5MgaTbqHr4BaoGLJLZNhsrW1Q==", - "dev": true, - "optional": true, - "requires": { - "commander": "~2.17.1", - "source-map": "~0.6.1" - }, - "dependencies": { - "source-map": { - "version": "0.6.1", - "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz", - "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==", - "dev": true, - "optional": true - } - } - }, "union-value": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/union-value/-/union-value-1.0.0.tgz", @@ -4727,12 +4553,6 @@ "integrity": "sha1-2e8H3Od7mQK4o6j6SzHD4/fm6Ho=", "dev": true }, - "wordwrap": { - "version": "0.0.3", - "resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-0.0.3.tgz", - "integrity": "sha1-o9XabNXAvAAI03I0u68b7WMFkQc=", - "dev": true - }, "wrap-ansi": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-2.1.0.tgz", From f63ce09c958ad79a0ccea77c86d1af0acc107103 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 12 Jun 2019 15:57:51 +0200 Subject: [PATCH 14/14] Update severity of old supported algs in ssh findings --- test/ssh.test.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/ssh.test.js b/test/ssh.test.js index 950918269a..726774ad55 100644 --- a/test/ssh.test.js +++ b/test/ssh.test.js 
@@ -41,7 +41,7 @@ test(
 description: ' diffie-hellman-group14-sha1',
 name: 'Remove these key exchange algorithms',
 osi_layer: 'NETWORK',
- severity: 'LOW',
+ severity: 'MEDIUM',
 });
 
 expect(findings).toContainEqual({
@@ -50,7 +50,7 @@ test(
 ' umac-64-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, hmac-sha1',
 name: 'Remove these MAC algorithms',
 osi_layer: 'NETWORK',
- severity: 'LOW',
+ severity: 'MEDIUM',
 });
 },
 2 * Time.Minute
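Review bot: The severity is raised to MEDIUM in both expectations without any note on why the SHA-1 based KEX and MAC algorithms no longer rate LOW, so a later reader cannot tell whether a LOW here is a regression or a deliberate downgrade; a one-line comment above the first `expect(findings).toContainEqual({`, such as `// SHA-1 based KEX/MAC algorithms are flagged for removal; rated MEDIUM (raised from LOW)`, would record the intent. The same applies to the MAC-algorithm expectation in the second hunk (`@@ -50,7`). Because the assertions use `toContainEqual`, a stale duplicate finding that still carries `severity: 'LOW'` alongside the MEDIUM one would not be caught; if the change is meant to replace the old rating rather than add a finding, an `expect(findings).not.toContainEqual({ …, severity: 'LOW' })` with the old object would pin that. The enclosing `test(` callback and the `findings` setup begin before the hunk, so the assertion context is not visible here.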