From ee2a0e68a29ea746880e1985eabea847955adee3 Mon Sep 17 00:00:00 2001 From: Sven Strittmatter Date: Tue, 10 Oct 2023 14:02:21 +0200 Subject: [PATCH 1/5] #1642 Formatting Signed-off-by: Sven Strittmatter --- .../09_architecture_decisions/adr_0019.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/documentation/docs/architecture/09_architecture_decisions/adr_0019.md b/documentation/docs/architecture/09_architecture_decisions/adr_0019.md index 34189f2ca6..a9f84fc9b5 100644 --- a/documentation/docs/architecture/09_architecture_decisions/adr_0019.md +++ b/documentation/docs/architecture/09_architecture_decisions/adr_0019.md @@ -8,10 +8,10 @@ sidebar_label: "ADR-0019" --- # ADR-0019: OpenVAS Integration -| | | -|----------------|----------------------------------------------------| -| **Status**: | DRAFT | -| **Date**: | 2023-09-14 | +| | | +|----------------|------------------------------------------| +| **Status**: | DRAFT | +| **Date**: | 2023-09-14 | | **Author(s)**: | Heiko Kiesel | ## Context 
@@ -20,13 +20,13 @@ In the past, there were multiple requests for an OpenVAS integration (e.g., [#16 The scanner uses the NASL Attack Scripting Language to implement vulnerability tests. These tests are fetched periodically from the free Greenbone Community Feed or the paid Greenbone Enterprise Feed. These feeds combine Network Vulnerability Tests, CVEs, CPEs, CERT-Bund-Advisories, and DFN-CERT-Advisories. -The offered vulnerability tests offer another type of scans compared to secureCodeBox. They seem to be more focussed on particular CVE's, outdated service versions and advisories. Moreover, some vulnerabilities, for example SSH weaknesses, are already covered in our offered scanneres, e.g., ssh_scan and ssh-audit. The question arises as to whether the tests offered by OpenVAS are already covered by secureCodeBox. +The offered vulnerability tests offer another type of scans compared to secureCodeBox. They seem to be more focussed on particular CVE's, outdated service versions and advisories. Moreover, some vulnerabilities, for example SSH weaknesses, are already covered in our offered scanners, e.g., ssh_scan and ssh-audit. The question arises as to whether the tests offered by OpenVAS are already covered by secureCodeBox. The scanners and their corresponding parsers in secureCodeBox are implemented with Docker containers. We either dockerized them ourselves or used provided ones. Greenbone also provides a dockerized version of their OpenVAS scanner in a [Docker Compose file]. Technically, one can communicate to parts of OpenVAS with two protocols. The Open Scanner Protocol is provided by `ospd-openvas`. With that, it is possible to start scans, get Vulnerability Tests information and receive scan results. The Greenbone Management Protocol allows to communicate with the core OpenVAS Greenbone Security Assistant. With it, one can create, read, update and delete scans and vulnerability information. 
These two protocols are available in the official [python-gvm] package. -Furthermore, OpenVAS offers another type of scans (vulnerability tests). They seem to be more focussed on particular CVE's, outdated service versions and advisories. Moreover, some vulnerabilities, for example SSH weaknesses, are already covered in our offered scanneres, e.g., ssh_scan and ssh-audit. +Furthermore, OpenVAS offers another type of scans (vulnerability tests). They seem to be more focussed on particular CVE's, outdated service versions and advisories. Moreover, some vulnerabilities, for example SSH weaknesses, are already covered in our offered scanners, e.g., ssh_scan and ssh-audit. ### Problem @@ -54,4 +54,4 @@ TODO [Docker Compose file]: https://greenbone.github.io/docs/latest/22.4/container/index.html#docker-compose-file [Minimal OpenVAS Docker setup]: https://forum.greenbone.net/t/minimal-docker-setup-with-python-gvm-osp-api/15630 [python-gvm]: https://python-gvm.readthedocs.io/en/latest/usage.html -[Persistence Hook]: https://www.securecodebox.io/docs/hooks/defectdojo \ No newline at end of file +[Persistence Hook]: https://www.securecodebox.io/docs/hooks/defectdojo From 0894b4ea5e2165431dff432dc1ae9e40a4ce7756 Mon Sep 17 00:00:00 2001 From: Sven Strittmatter Date: Tue, 10 Oct 2023 15:42:54 +0200 Subject: [PATCH 2/5] #1642 Add myself as author Signed-off-by: Sven Strittmatter --- .../architecture/09_architecture_decisions/adr_0019.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/documentation/docs/architecture/09_architecture_decisions/adr_0019.md b/documentation/docs/architecture/09_architecture_decisions/adr_0019.md index a9f84fc9b5..cf1d310ca4 100644 --- a/documentation/docs/architecture/09_architecture_decisions/adr_0019.md +++ b/documentation/docs/architecture/09_architecture_decisions/adr_0019.md 
@@ -8,11 +8,11 @@ sidebar_label: "ADR-0019" --- # ADR-0019: OpenVAS Integration -| | | -|----------------|------------------------------------------| -| **Status**: | DRAFT | -| **Date**: | 2023-09-14 | -| **Author(s)**: | Heiko Kiesel | +| | | +|----------------|----------------------------------------------------------------------------------------------| +| **Status**: | DRAFT | +| **Date**: | 2023-09-14 | +| **Author(s)**: | Heiko Kiesel , Sven Strittmatter | ## Context From a4979b5c00d36c9dd2c2fa1308bc6842202353ce Mon Sep 17 00:00:00 2001 From: Sven Strittmatter Date: Tue, 10 Oct 2023 15:43:24 +0200 Subject: [PATCH 3/5] #1642 Link to OpenVAS Signed-off-by: Sven Strittmatter --- .../docs/architecture/09_architecture_decisions/adr_0019.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/documentation/docs/architecture/09_architecture_decisions/adr_0019.md b/documentation/docs/architecture/09_architecture_decisions/adr_0019.md index cf1d310ca4..b71925f8f9 100644 --- a/documentation/docs/architecture/09_architecture_decisions/adr_0019.md +++ b/documentation/docs/architecture/09_architecture_decisions/adr_0019.md 
@@ -16,7 +16,7 @@ sidebar_label: "ADR-0019" ## Context -In the past, there were multiple requests for an OpenVAS integration (e.g., [#1642]). OpenVAS is an all-in-one solution, consisting of a scanner, database, frontend dashboard, and so on. Its architecture is shown in detail on their [OpenVAS architecture] page. +In the past, there were multiple requests for an [OpenVAS] integration (e.g., [Issue 1642]). OpenVAS is an all-in-one solution, consisting of a scanner, database, frontend dashboard, and so on. Its architecture is shown in detail on their [OpenVAS architecture] page. The scanner uses the NASL Attack Scripting Language to implement vulnerability tests. These tests are fetched periodically from the free Greenbone Community Feed or the paid Greenbone Enterprise Feed. These feeds combine Network Vulnerability Tests, CVEs, CPEs, CERT-Bund-Advisories, and DFN-CERT-Advisories. @@ -49,7 +49,8 @@ TODO TODO -[#1642]: https://github.com/secureCodeBox/secureCodeBox/issues/1642 +[Issue 1642]: https://github.com/secureCodeBox/secureCodeBox/issues/1642 +[OpenVAS]: https://openvas.org/ [OpenVAS architecture]: https://greenbone.github.io/docs/latest/background.html [Docker Compose file]: https://greenbone.github.io/docs/latest/22.4/container/index.html#docker-compose-file [Minimal OpenVAS Docker setup]: https://forum.greenbone.net/t/minimal-docker-setup-with-python-gvm-osp-api/15630 From 35f1d420989d77237def76ce5c997b2de0681294 Mon Sep 17 00:00:00 2001 From: Sven Strittmatter Date: Tue, 10 Oct 2023 15:43:38 +0200 Subject: [PATCH 4/5] #1642 Improve grammar Signed-off-by: Sven Strittmatter --- .../docs/architecture/09_architecture_decisions/adr_0019.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/docs/architecture/09_architecture_decisions/adr_0019.md b/documentation/docs/architecture/09_architecture_decisions/adr_0019.md index b71925f8f9..15ede46f0a 100644 --- a/documentation/docs/architecture/09_architecture_decisions/adr_0019.md 
+++ b/documentation/docs/architecture/09_architecture_decisions/adr_0019.md @@ -20,7 +20,7 @@ In the past, there were multiple requests for an [OpenVAS] integration (e.g., [I The scanner uses the NASL Attack Scripting Language to implement vulnerability tests. These tests are fetched periodically from the free Greenbone Community Feed or the paid Greenbone Enterprise Feed. These feeds combine Network Vulnerability Tests, CVEs, CPEs, CERT-Bund-Advisories, and DFN-CERT-Advisories. -The offered vulnerability tests offer another type of scans compared to secureCodeBox. They seem to be more focussed on particular CVE's, outdated service versions and advisories. Moreover, some vulnerabilities, for example SSH weaknesses, are already covered in our offered scanners, e.g., ssh_scan and ssh-audit. The question arises as to whether the tests offered by OpenVAS are already covered by secureCodeBox. +The offered vulnerability tests offer another type of scans compared to secureCodeBox. They seem to be more focussed on particular CVE's, outdated service versions and advisories. Moreover, some vulnerabilities, for example SSH weaknesses, are already covered in our offered scanners, e.g., ssh_scan and ssh-audit. The question is whether the tests offered by OpenVAS are already covered by secureCodeBox. The scanners and their corresponding parsers in secureCodeBox are implemented with Docker containers. We either dockerized them ourselves or used provided ones. Greenbone also provides a dockerized version of their OpenVAS scanner in a [Docker Compose file]. From f62d6d99063599f0ae59a1a88868607294a5cde7 Mon Sep 17 00:00:00 2001 From: Sven Strittmatter Date: Fri, 13 Oct 2023 15:48:27 +0200 Subject: [PATCH 5/5] 1642 Write down decision about OpenVAS integration Signed-off-by: Sven Strittmatter --- .../09_architecture_decisions/adr_0019.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) 
diff --git a/documentation/docs/architecture/09_architecture_decisions/adr_0019.md b/documentation/docs/architecture/09_architecture_decisions/adr_0019.md index 15ede46f0a..c724e624f4 100644 --- a/documentation/docs/architecture/09_architecture_decisions/adr_0019.md +++ b/documentation/docs/architecture/09_architecture_decisions/adr_0019.md @@ -10,7 +10,7 @@ sidebar_label: "ADR-0019" | | | |----------------|----------------------------------------------------------------------------------------------| -| **Status**: | DRAFT | +| **Status**: | ACCEPTED | | **Date**: | 2023-09-14 | | **Author(s)**: | Heiko Kiesel , Sven Strittmatter | 
@@ -29,25 +29,27 @@ Technically, one can communicate to parts of OpenVAS with two protocols. The Ope Furthermore, OpenVAS offers another type of scans (vulnerability tests). They seem to be more focussed on particular CVE's, outdated service versions and advisories. Moreover, some vulnerabilities, for example SSH weaknesses, are already covered in our offered scanners, e.g., ssh_scan and ssh-audit. -### Problem +### Problematic Container Setup of OpenVAS Due to OpenVAS being an all-in-one solution, the Docker Compose file consists of 16! containers. As we only need support for the Open Scanner Protocol, we tried to isolate the `ospd-openvas` container - the core scanner component. However, it seems like that it is only possible to reave out the container serving the frontend. It is not possible to isolate the scanner. Thus, we need to include the whole OpenVAS setup. For more information see my question regarding a [Minimal OpenVAS Docker setup]. In contrast, secureCodeBox integrates more than 20 independent scanning tools. Each scanning tool is available as a docker container (and the corresponding parsing container). Unlike OpenVAS, only two containers (the operator and MinIO) must be running all the time. The other containers are created and stopped on runtime. -TODO: do we even need it? +### Possible Solution -### Solutions +A more or less reasonable solution could be to run OpenVas as a whole besides secureCodeBox and use secureCodeBox to trigger OpenVAS scans. But there is currently no mechanism implemented to trigger scans outside the secureCodeBox. It may be possible to use a read-hook to do that. -TODO +It is unclear how we could read the findings from OpenVAS back into the secureCodeBox because the design of our architecture does not provide a mechanism for that. Currently test results a _lurked_ by a scanner's sidecar container. We're not sure if this is even possible with OpenVAS. 
## Decision -TODO +We will not integrate OpenVAS into the secureCodeBox because of its nature as a whole ecosystem and for the problems mentioned above. + +Albeit, we think that OpenVAS – but we have very view experience with it – may be a good choice to scan infrastructure additionally to the secureCodeBox. At the moment we think a better solution would be to run OpenVAS as a whole besides secureCodeBox and feed the results from both systems into [DefectDojo]. ## Consequences -TODO +- Users need to operate two complete systems. [Issue 1642]: https://github.com/secureCodeBox/secureCodeBox/issues/1642 [OpenVAS]: https://openvas.org/ @@ -56,3 +58,4 @@ TODO [Minimal OpenVAS Docker setup]: https://forum.greenbone.net/t/minimal-docker-setup-with-python-gvm-osp-api/15630 [python-gvm]: https://python-gvm.readthedocs.io/en/latest/usage.html [Persistence Hook]: https://www.securecodebox.io/docs/hooks/defectdojo +[DefectDojo]: https://owasp.org/www-project-defectdojo/
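Review bot: the "scanneres" fix in the `@@ -20,13 +20,13 @@` hunk of PATCH 1/5 leaves the same paragraph in the file twice. The context lines show "The offered vulnerability tests offer another type of scans compared to secureCodeBox. They seem to be more focussed on particular CVE's, outdated service versions and advisories. Moreover, some vulnerabilities, for example SSH weaknesses, are already covered in our offered scanners, e.g., ssh_scan and ssh-audit." and, a few lines later, "Furthermore, OpenVAS offers another type of scans (vulnerability tests). They seem to be more focussed on particular CVE's, ..." with the identical ssh_scan/ssh-audit sentence. Since both copies are being touched for the typo anyway, drop the second one, and change the possessive "CVE's" to the plural "CVEs" in the copy that stays.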
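Review bot: the `@@ -10,7 +10,7 @@` hunk of PATCH 5/5 flips the status to ACCEPTED but keeps `| **Date**: | 2023-09-14 |`, which is the date of the draft; the commit that records the decision is dated 2023-10-13. Update the Date row (or add a separate decision date) so the ADR states when it was accepted rather than when it was first drafted.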
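Review bot: several wording errors in the `@@ -29,25 +29,27 @@` hunk of PATCH 5/5 change the meaning or make the argument hard to follow. In the context line "it is only possible to reave out the container serving the frontend" read "leave out"; "16! containers" reads as a factorial, write "16 containers"; in the added "Possible Solution" paragraph "OpenVas" should be "OpenVAS", and "Currently test results a _lurked_ by a scanner's sidecar container" needs "are" and a clearer verb such as "collected by". The sentence "It may be possible to use a read-hook to do that" should name the hook type precisely and say what the hook would do (trigger the OpenVAS scan, poll for completion, or both), and "We're not sure if this is even possible with OpenVAS" should state what is unknown, i.e. whether a sidecar inside the scan pod can fetch results over OSP or GMP from an OpenVAS deployment running outside it. With two authors now listed in the header, "see my question regarding a [Minimal OpenVAS Docker setup]" should say whose question it is.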
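Review bot: the Decision added in the `## Decision` / `## Consequences` hunk of PATCH 5/5 has grammar problems that obscure the recommendation: "Albeit, we think" should be "However, we think", "very view experience" should be "very little experience", and "additionally to the secureCodeBox" should be "in addition to the secureCodeBox". The Consequences list carries only "Users need to operate two complete systems.", yet the Decision recommends feeding both systems into DefectDojo, so add the consequences that follow from that, e.g. that OpenVAS findings never pass through secureCodeBox hooks, and that findings from the two systems arrive in DefectDojo through separate imports and have to be mapped onto the same products and engagements (and deduplicated where both tools report the same weakness, such as the SSH checks named in the Context). The reference list already contains `[Persistence Hook]: https://www.securecodebox.io/docs/hooks/defectdojo`; link it from the Decision sentence next to the new `[DefectDojo]` link so readers see how the secureCodeBox side reaches DefectDojo.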