Merge pull request #63 from secureCodeBox/fix/scheduled-scan-cascading-scans

rfelber · web-flow · commit 4ce96cc7a810 · 2020-07-23T17:08:52.000+02:00
Fix Declarative CombinedScans Hooks from crashing when used by a ScheduledScan
diff --git a/hooks/declarative-subsequent-scans/hook.test.js b/hooks/declarative-subsequent-scans/hook.test.js
@@ -9,21 +9,21 @@ beforeEach(() => {
     kind: "Scan",
     metadata: {
       name: "nmap-foobar.com",
-      annotations: {}
+      annotations: {},
     },
     spec: {
       scanType: "nmap",
       parameters: "foobar.com",
-      cascades: {}
-    }
+      cascades: {},
+    },
   };
 
   sslyzeCascadingRules = [
     {
       apiVersion: "cascading.experimental.securecodebox.io/v1",
       kind: "CascadingRule",
       metadata: {
-        name: "tls-scans"
+        name: "tls-scans",
       },
       spec: {
         matches: {
@@ -32,23 +32,23 @@ beforeEach(() => {
               category: "Open Port",
               attributes: {
                 port: 443,
-                service: "https"
-              }
+                service: "https",
+              },
             },
             {
               category: "Open Port",
               attributes: {
-                service: "https"
-              }
-            }
-          ]
+                service: "https",
+              },
+            },
+          ],
         },
         scanSpec: {
           scanType: "sslyze",
-          parameters: ["--regular", "{{$.hostOrIP}}:{{attributes.port}}"]
-        }
-      }
-    }
+          parameters: ["--regular", "{{$.hostOrIP}}:{{attributes.port}}"],
+        },
+      },
+    },
   ];
 });
 
@@ -61,9 +61,9 @@ test("should create subsequent scans for open HTTPS ports (NMAP findings)", () =
         state: "open",
         hostname: "foobar.com",
         port: 443,
-        service: "https"
-      }
-    }
+        service: "https",
+      },
+    },
   ];
 
   const cascadedScans = getCascadingScans(
@@ -97,9 +97,9 @@ test("Should create no subsequent scans if there are no rules", () => {
         state: "open",
         hostname: "foobar.com",
         port: 443,
-        service: "https"
-      }
-    }
+        service: "https",
+      },
+    },
   ];
 
   const cascadingRules = [];
@@ -121,9 +121,9 @@ test("should not try to do magic to the scan name if its something random", () =
         hostname: undefined,
         ip_address: "10.42.42.42",
         port: 443,
-        service: "https"
-      }
-    }
+        service: "https",
+      },
+    },
   ];
 
   const cascadedScans = getCascadingScans(
@@ -160,9 +160,9 @@ test("should not start scan when the cascadingrule for it is already in the chai
         state: "open",
         hostname: "foobar.com",
         port: 443,
-        service: "https"
-      }
-    }
+        service: "https",
+      },
+    },
   ];
 
   const cascadedScans = getCascadingScans(
@@ -173,3 +173,41 @@ test("should not start scan when the cascadingrule for it is already in the chai
 
   expect(cascadedScans).toMatchInlineSnapshot(`Array []`);
 });
+
+test("should not crash when the annotations are not set", () => {
+  parentScan.metadata.annotations = undefined;
+
+  const findings = [
+    {
+      name: "Port 443 is open",
+      category: "Open Port",
+      attributes: {
+        state: "open",
+        hostname: "foobar.com",
+        port: 443,
+        service: "https",
+      },
+    },
+  ];
+
+  const cascadedScans = getCascadingScans(
+    parentScan,
+    findings,
+    sslyzeCascadingRules
+  );
+
+  expect(cascadedScans).toMatchInlineSnapshot(`
+    Array [
+      Object {
+        "cascades": null,
+        "generatedBy": "tls-scans",
+        "name": "sslyze-foobar.com-tls-scans",
+        "parameters": Array [
+          "--regular",
+          "foobar.com:443",
+        ],
+        "scanType": "sslyze",
+      },
+    ]
+  `);
+});
diff --git a/hooks/declarative-subsequent-scans/hook.ts b/hooks/declarative-subsequent-scans/hook.ts
@@ -52,7 +52,10 @@ export function getCascadingScans(
   const cascadingRuleChain = new Set<string>();
 
   // Get the current Scan Chain (meaning which CascadingRules were used to start this scan and its parents) and convert it to a set, which makes it easier to query.
-  if (parentScan.metadata.annotations["cascading.securecodebox.io/chain"]) {
+  if (
+    parentScan.metadata.annotations &&
+    parentScan.metadata.annotations["cascading.securecodebox.io/chain"]
+  ) {
     const chainElements = parentScan.metadata.annotations[
       "cascading.securecodebox.io/chain"
     ].split(",");
diff --git a/hooks/declarative-subsequent-scans/scan-helpers.ts b/hooks/declarative-subsequent-scans/scan-helpers.ts
@@ -65,7 +65,7 @@ export async function startSubsequentSecureCodeBoxScan({
 }) {
   let cascadingChain: Array<string> = [];
 
-  if (parentScan.metadata.annotations["cascading.securecodebox.io/chain"]) {
+  if (parentScan.metadata.annotations && parentScan.metadata.annotations["cascading.securecodebox.io/chain"]) {
     cascadingChain = parentScan.metadata.annotations[
       "cascading.securecodebox.io/chain"
     ].split(",");
