forked from aquasecurity/cloudsploit
-
Notifications
You must be signed in to change notification settings - Fork 2
/
engine.js
156 lines (134 loc) · 6.84 KB
/
engine.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
var async = require('async');
var exports = require('./exports.js');
var suppress = require('./postprocess/suppress.js');
var output = require('./postprocess/output.js');
/**
* The main function to execute CloudSploit scans.
* @param cloudConfig The configuration for the cloud provider.
* @param settings General purpose settings.
*/
var engine = function(cloudConfig, settings) {
// Initialize any suppression rules based on the the command line arguments
var suppressionFilter = suppress.create(settings.suppress);
// Initialize the output handler
var outputHandler = output.create(settings);
// Configure Service Provider Collector
var collector = require(`./collectors/${settings.cloud}/collector.js`);
var plugins = exports[settings.cloud];
var apiCalls = [];
// Print customization options
if (settings.compliance) console.log(`INFO: Using compliance modes: ${settings.compliance.join(', ')}`);
if (settings.govcloud) console.log('INFO: Using AWS GovCloud mode');
if (settings.china) console.log('INFO: Using AWS China mode');
if (settings.ignore_ok) console.log('INFO: Ignoring passing results');
if (settings.skip_paginate) console.log('INFO: Skipping AWS pagination mode');
if (settings.suppress && settings.suppress.length) console.log('INFO: Suppressing results based on suppress flags');
if (settings.plugin) {
if (!plugins[settings.plugin]) return console.log(`ERROR: Invalid plugin: ${settings.plugin}`);
console.log(`INFO: Testing plugin: ${plugins[settings.plugin].title}`);
}
// STEP 1 - Obtain API calls to make
console.log('INFO: Determining API calls to make...');
var skippedPlugins = [];
Object.entries(plugins).forEach(function(p){
var pluginId = p[0];
var plugin = p[1];
// Skip plugins that don't match the ID flag
var skip = false;
if (settings.plugin && settings.plugin !== pluginId) {
skip = true;
} else {
// Skip GitHub plugins that do not match the run type
if (settings.cloud == 'github') {
if (cloudConfig.organization &&
plugin.types.indexOf('org') === -1) {
skip = true;
console.debug(`DEBUG: Skipping GitHub plugin ${plugin.title} because it is not for Organization accounts`);
} else if (!cloudConfig.organization &&
plugin.types.indexOf('org') === -1) {
skip = true;
console.debug(`DEBUG: Skipping GitHub plugin ${plugin.title} because it is not for User accounts`);
}
}
if (settings.compliance && settings.compliance.length) {
if (!plugin.compliance || !Object.keys(plugin.compliance).length) {
skip = true;
console.debug(`DEBUG: Skipping plugin ${plugin.title} because it is not used for compliance programs`);
} else {
// Compare
var cMatch = false;
settings.compliance.forEach(function(c){
if (plugin.compliance[c]) cMatch = true;
});
if (!cMatch) {
skip = true;
console.debug(`DEBUG: Skipping plugin ${plugin.title} because it did not match compliance programs ${settings.compliance.join(', ')}`);
}
}
}
}
if (skip) {
skippedPlugins.push(pluginId);
} else {
plugin.apis.forEach(function(api) {
if (apiCalls.indexOf(api) === -1) apiCalls.push(api);
});
}
});
if (!apiCalls.length) return console.log('ERROR: Nothing to collect.');
console.log(`INFO: Found ${apiCalls.length} API calls to make for ${settings.cloud} plugins`);
console.log('INFO: Collecting metadata. This may take several minutes...');
// STEP 2 - Collect API Metadata from Service Providers
collector(cloudConfig, {
api_calls: apiCalls,
paginate: settings.skip_paginate,
govcloud: settings.govcloud,
china: settings.china
}, function(err, collection) {
if (err || !collection || !Object.keys(collection).length) return console.log(`ERROR: Unable to obtain API metadata: ${err || 'No data returned'}`);
outputHandler.writeCollection(collection, settings.cloud);
console.log('INFO: Metadata collection complete. Analyzing...');
console.log('INFO: Analysis complete. Scan report to follow...');
var maximumStatus = 0;
async.mapValuesLimit(plugins, 10, function(plugin, key, pluginDone) {
if (skippedPlugins.indexOf(key) > -1) return pluginDone(null, 0);
plugin.run(collection, settings, function(err, results) {
for (var r in results) {
// If we have suppressed this result, then don't process it
// so that it doesn't affect the return code.
if (suppressionFilter([key, results[r].region || 'any', results[r].resource || 'any'].join(':'))) {
continue;
}
var complianceMsg = [];
if (settings.compliance && settings.compliance.length) {
settings.compliance.forEach(function(c){
if (plugin.compliance && plugin.compliance[c]) {
complianceMsg.push(`${c.toUpperCase()}: ${plugin.compliance[c]}`);
}
});
}
complianceMsg = complianceMsg.join('; ');
if (!complianceMsg.length) complianceMsg = null;
// Write out the result (to console or elsewhere)
outputHandler.writeResult(results[r], plugin, key, complianceMsg);
// Add this to our tracking fo the worst status to calculate
// the exit code
maximumStatus = Math.max(maximumStatus, results[r].status);
}
setTimeout(function() { pluginDone(err, maximumStatus); }, 0);
});
}, function(err) {
if (err) return console.log(err);
// console.log(JSON.stringify(collection, null, 2));
outputHandler.close();
if (settings.exit_code) {
// The original cloudsploit always has a 0 exit code. With this option, we can have
// the exit code depend on the results (useful for integration with CI systems)
console.log(`INFO: Exiting with exit code: ${maximumStatus}`);
process.exitCode = maximumStatus;
}
console.log('INFO: Scan complete');
});
});
};
module.exports = engine;