Merge pull request #247 from Secure-Compliance-Solutions-LLC/dev

v21.4.3-v1
Secure-Compliance-Solutions-LLC · Aug 8, 2021 · 45166f1 · 45166f1
2 parents fea49b6 + ca2a655
commit 45166f1
Show file tree

Hide file tree

Showing 9 changed files with 160 additions and 31 deletions.
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -7,6 +7,9 @@ assignees: Dexus, pixelsquared
 
 ---
 
+**** Before you open a bug issue, please read the documentation. If you do not find an answer to your problem there, please look in the issues that have already been closed. Only if you still have not found an answer to your problem should you open a new issue. ****
+** https://securecompliance.gitbook.io/projects/openvas-greenbone-deployment-full-guide **
+
 **Describe the bug**
 A clear and concise description of what the bug is.
 

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -23,11 +23,94 @@ permissions:
   packages: write
 
 jobs:
-  build_test:
-    name: Build and Test
+  build_test_trivy:
+    name: Build and Test - Trivy
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
+
+      - name: PrepareReg Names
+        run: |
+          echo IMAGE_REPOSITORY_GHCR=$(echo "ghcr.io/${{ github.repository }}" | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
+          echo IMAGE_TAG=$(echo ${{ github.ref }} | tr '[:upper:]' '[:lower:]' | awk '{split($0,a,"/"); print a[3]}') >> $GITHUB_ENV
+
+      - name: Set tag var
+        id: vars
+        run: echo ::set-output name=docker_tag::$(echo ${GITHUB_REF} | cut -d'/' -f3)-${GITHUB_SHA}
+
+      - name: Download artifact
+        uses: dawidd6/action-download-artifact@v2
+        with:
+          # Optional, GitHub token, a Personal Access Token with `public_repo` scope if needed
+          # Required, if artifact is from a different repo
+          github_token: ${{secrets.GITHUB_TOKEN}}
+          # Required, workflow file name or ID
+          workflow: build-apk.yml
+          # Optional, will use the branch
+          branch: master
+          # Optional, uploaded artifact name,
+          # will download all artifacts if not specified
+          # and extract them in respective subdirectories
+          # https://github.com/actions/download-artifact#download-all-artifacts
+          name: apk-builds
+          # Optional, directory where to extract artifact. Defaults to the artifact name (see `name` input)
+          path: ${{ github.workspace }}/apk-build/
+          # Optional, defaults to current repo
+          repo: Secure-Compliance-Solutions-LLC/GVM-APK-build
+
+      - name: Build the Docker image
+        run: docker build . --file Dockerfile --build-arg OPT_PDF=1 --tag ${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }}
+
+      - uses: actions/[email protected]
+        with:
+          path: .trivy
+          key: ${{ runner.os }}-trivy-${{ github.run_id }}
+          restore-keys: |
+            ${{ runner.os }}-trivy-
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }}"
+          format: "table"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"
+          cache-dir: .trivy
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        if: always()
+        with:
+          image-ref: "${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }}"
+          format: "template"
+          template: "@/contrib/sarif.tpl"
+          output: "trivy-results.sarif"
+          severity: "CRITICAL,HIGH"
+          cache-dir: .trivy
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        if: always()
+        with:
+          sarif_file: "trivy-results.sarif"
+
+      - name: Correct Trivy cache permissions
+        if: always()
+        run: sudo chown -R $USER:$GROUP .trivy
+
+  build_test_anchore:
+    name: Build and Test - Anchore
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: PrepareReg Names
+        run: |
+          echo IMAGE_REPOSITORY_GHCR=$(echo "ghcr.io/${{ github.repository }}" | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
+          echo IMAGE_TAG=$(echo ${{ github.ref }} | tr '[:upper:]' '[:lower:]' | awk '{split($0,a,"/"); print a[3]}') >> $GITHUB_ENV
+
       - name: Set tag var
         id: vars
         run: echo ::set-output name=docker_tag::$(echo ${GITHUB_REF} | cut -d'/' -f3)-${GITHUB_SHA}
@@ -53,13 +136,20 @@ jobs:
           repo: Secure-Compliance-Solutions-LLC/GVM-APK-build
 
       - name: Build the Docker image
-        run: docker build . --file Dockerfile --build-arg OPT_PDF=1 --tag myapp:${{ steps.vars.outputs.docker_tag }}
+        run: docker build . --file Dockerfile --build-arg OPT_PDF=1 --tag ${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }}
+
+      - uses: anchore/scan-action@v2
+        if: always()
+        id: scan
+        with:
+          image: "${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }}"
+          acs-report-enable: true
 
-      - name: Scan with Phonito Security
-        uses: phonito/phonito-scanner-action@master
+      - name: upload Anchore scan SARIF report
+        if: always()
+        uses: github/codeql-action/upload-sarif@v1
         with:
-          image: myapp:${{ steps.vars.outputs.docker_tag }}
-          phonito-token: ${{ secrets.PHONITO_TOKEN }}
+          sarif_file: ${{ steps.scan.outputs.sarif }}
 
   build_release:
     name: Build and Release
@@ -179,7 +269,7 @@ jobs:
             latest=${{ steps.releasePreareLatestTag.outputs.latest}}
             onlatest=${{ steps.releasePreareLatestTag.outputs.latest}}
             prefix=
-            suffix=-full
+            suffix=-full,onlatest=${{ steps.releasePreareLatestTag.outputs.latest}}
           tags: |
             type=ref,event=branch
             type=ref,event=tag
@@ -213,7 +303,7 @@ jobs:
             latest=${{ steps.releasePreareLatestTag.outputs.latest}}
             onlatest=${{ steps.releasePreareLatestTag.outputs.latest}}
             prefix=
-            suffix=-data
+            suffix=-data,onlatest=${{ steps.releasePreareLatestTag.outputs.latest}}
           tags: |
             type=ref,event=branch
             type=ref,event=pr
@@ -245,7 +335,7 @@ jobs:
             latest=${{ steps.releasePreareLatestTag.outputs.latest}}
             onlatest=${{ steps.releasePreareLatestTag.outputs.latest}}
             prefix=
-            suffix=-data-full
+            suffix=-data-full,onlatest=${{ steps.releasePreareLatestTag.outputs.latest}}
           tags: |
             type=ref,event=branch
             type=ref,event=pr

diff --git a/.gitignore b/.gitignore
@@ -68,4 +68,9 @@ $RECYCLE.BIN/
 # Windows shortcuts
 *.lnk
 
-apk-build/
+# Docker Build Local
+/apk-build/
+/storage/
+# For github.com/nektos/act local workflow testing
+.env
+.secrets
diff --git a/Dockerfile b/Dockerfile
@@ -77,7 +77,7 @@ RUN { \
     && sleep 10 \
     && apk add --no-cache --allow-untrusted logrotate curl wget su-exec tzdata postfix mailx bash openssh supervisor openssh-client-common libxslt xmlstarlet zip sshpass socat net-snmp-tools samba-client py3-lxml py3-gvm@custcom openvas@custcom openvas-smb@custcom openvas-config@custcom gvmd@custcom gvm-libs@custcom greenbone-security-assistant@custcom ospd-openvas@custcom \
     && mkdir -p /var/log/supervisor/ \
-    && su -c "mkdir /var/lib/gvm/.ssh/ && chmod 700 /var/lib/gvm/.ssh/ && touch /var/lib/gvm/.ssh/authorized_keys && chmod 644 /var/lib/gvm/.ssh/authorized_keys" gvm 
+    && su -c "mkdir -p /var/lib/gvm/.ssh/ && chmod 700 /var/lib/gvm/.ssh/ && touch /var/lib/gvm/.ssh/authorized_keys && chmod 644 /var/lib/gvm/.ssh/authorized_keys" gvm 
 
 COPY gvm-sync-data/gvm-sync-data.tar.xz /opt/gvm-sync-data.tar.xz
 COPY scripts/* /
@@ -86,6 +86,7 @@ COPY config/supervisord.conf /etc/supervisord.conf
 COPY config/logrotate-gvm.conf /etc/logrotate.d/gvm
 COPY config/redis-openvas.conf /etc/redis.conf
 COPY config/sshd_config /etc/ssh/sshd_config
+COPY config/* /opt/config/
 
 
 ARG SETUP=0
@@ -94,6 +95,7 @@ ENV SETUP=${SETUP:-0} \
     OPT_PDF=${OPT_PDF:-0}
 
 RUN env \
+    && chmod +x /*.sh \
     && if [ "${SETUP}" == "1" ]; then \
     ln -snf "/usr/share/zoneinfo/$TZ" /etc/localtime && echo "$TZ" >/etc/timezone \
     && /usr/bin/supervisord -c /etc/supervisord.conf || true ; \

diff --git a/Makefile b/Makefile
@@ -11,9 +11,32 @@ apkbuild:
 	make build
 
 .PHONY: build
-build: 
+build: build_latest build_full build_data build_data_full 
+
+build_latest: 
+	cd ${PWD} ; \
+	docker build -t securecompliance/gvm:no-data -t securecompliance/gvm:latest .
+build_full: 
+	cd ${PWD} ; \
+	docker build --build-arg OPT_PDF=1  -t securecompliance/gvm:full .
+build_data: 
+	cd ${PWD} ; \
+	docker build --build-arg SETUP=1 -t securecompliance/gvm:data .
+build_data_full: 
 	cd ${PWD} ; \
-	docker build -t securecompliance/gvm:no-data -t securecompliance/gvm:latest . ; \
-	docker build --build-arg OPT_PDF=1 -t securecompliance/gvm:no-data-full . ; \
-	docker build --build-arg SETUP=1 -t securecompliance/gvm:data . ; 
-	docker build --build-arg SETUP=1 --build-arg OPT_PDF=1 -t securecompliance/gvm:data-full . ; 
+	docker build --build-arg SETUP=1 --build-arg OPT_PDF=1 -t securecompliance/gvm:data-full .
+
+run-full:
+	mkdir -p ${PWD}/storage/postgres-db
+	mkdir -p ${PWD}/storage/openvas-plugins
+	mkdir -p ${PWD}/storage/gvm
+	mkdir -p ${PWD}/storage/ssh
+	docker run --rm --publish 8080:9392 --publish 5432:5432 --publish 2222:22 \
+	--env DB_PASSWORD="postgres DB password" \
+	--env PASSWORD="webUI password" \
+	--env SSHD="true" \
+	--volume "${PWD}/storage/postgres-db:/opt/database" \
+	--volume "${PWD}/storage/openvas-plugins:/var/lib/openvas/plugins" \
+	--volume "${PWD}/storage/gvm:/var/lib/gvm" \
+	--volume "${PWD}/storage/ssh:/etc/ssh" \
+	--name gvm securecompliance/gvm:data-full
diff --git a/scripts/add-scanner.sh b/scripts/add-scanner.sh
@@ -1,5 +1,7 @@
 #!/usr/bin/env bash
 set -Eeuo pipefail
+touch /var/lib/gvm/.ssh/authorized_keys
+chmod 600 /var/lib/gvm/.ssh/authorized_keys
 
 read -p "Scanner Name: " SCANNER_NAME
 read -p "Scanner ID: " SCANNER_ID
@@ -9,5 +11,5 @@ echo "Adding scanner $SCANNER_NAME..."
 
 su -c "gvmd --create-scanner='$SCANNER_NAME' --scanner-type=OpenVAS --scanner-host='/sockets/$SCANNER_ID.sock'" gvm
 
-echo "$SCANNER_KEY\n" >>/var/lib/gvm/.ssh/authorized_keys
+echo "${SCANNER_KEY}" >>/var/lib/gvm/.ssh/authorized_keys
 chown gvm:gvm -R /var/lib/gvm/.ssh
diff --git a/scripts/migration_v21.4.0_ubuntu_images.sh b/scripts/migration_v21.4.0_ubuntu_images.sh
@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
diff --git a/scripts/reset-gvmd-admin-password.sh b/scripts/reset-gvmd-admin-password.sh
@@ -3,8 +3,8 @@ set -Eeuo pipefail
 
 RESET_USERNAME=${USERNAME:-${GVMD_USER:-admin}}
 
-read -pr "Reset to new password: " RESET_PASSWORD
-read -pr "Repeate new password: " RESET_PASSWORD2
+read -rp "Reset to new password: " RESET_PASSWORD
+read -rp "Repeate new password: " RESET_PASSWORD2
 
 if [ "${RESET_PASSWORD}" == "${RESET_PASSWORD2}" ]; then
 

diff --git a/scripts/start.sh b/scripts/start.sh
@@ -44,7 +44,7 @@ chown -R gvm:gvm /var/lib/openvas/plugins/
 #echo 'never' >/sys/kernel/mm/transparent_hugepage/defrag
 
 if [ ! -d "/run/redis" ]; then
-	mkdir /run/redis
+	mkdir -p /run/redis
 fi
 
 if [ -S /run/redis/redis.sock ]; then
@@ -53,7 +53,7 @@ fi
 
 if [ ! -d "/run/redis-openvas" ]; then
 	echo "create /run/redis-openvas"
-	mkdir /run/redis-openvas
+	mkdir -p /run/redis-openvas
 fi
 
 if [ -S /run/redis-openvas/redis.sock ]; then
@@ -112,9 +112,10 @@ fi
 until (pg_isready --username=postgres >/dev/null 2>&1 && psql --username=postgres --list >/dev/null 2>&1); do
 	sleep 1
 done
-
-if [[ ! -d "/etc/ssh" ]] || [[ -d "/etc/ssh/" && $(find /etc/ssh/ -maxdepth 0 -empty) ]]; then
-	mkdir /etc/ssh
+if [[ ! -d "/etc/ssh" ]]; then
+	mkdir -p /etc/ssh
+fi
+if [[ -d "/etc/ssh/" && $(find /etc/ssh/ -maxdepth 0 -empty) ]]; then
 	ssh-keygen -A
 fi
 echo "Generate SSH-HOST Keys"
@@ -159,7 +160,7 @@ if [ ! -f "/opt/database/.upgrade_to_21.4.0" ]; then
 fi
 
 if [ ! -d "/run/gvmd" ]; then
-	mkdir /run/gvmd
+	mkdir -p /run/gvmd
 	chown gvm:gvm -R /run/gvmd/
 fi
 
@@ -174,7 +175,7 @@ fi
 
 echo "Creating gvmd folder..."
 su -c "mkdir -p /var/lib/gvm/gvmd/report_formats" gvm
-cp -r /report_formats /var/lib/gvm/gvmd/
+#cp -r /report_formats /var/lib/gvm/gvmd/
 chown gvm:gvm -R /var/lib/gvm
 find /var/lib/gvm/gvmd/report_formats -type f -name "generate" -exec chmod +x {} \;
 
@@ -213,7 +214,7 @@ if [ -S /var/run/ospd/ospd.sock ]; then
 fi
 
 if [ ! -d /var/run/ospd ]; then
-	mkdir /var/run/ospd
+	mkdir -p /var/run/ospd
 fi
 
 echo "Starting Open Scanner Protocol daemon for OpenVAS..."
@@ -281,18 +282,19 @@ if [ "$SSHD" == "true" ]; then
 	echo "Starting OpenSSH Server..."
 	if [ ! -d /var/lib/gvm/.ssh ]; then
 		echo "Creating scanner SSH keys folder..."
-		mkdir /var/lib/gvm/.ssh
+		mkdir -p /var/lib/gvm/.ssh
 		chown gvm:gvm -R /var/lib/gvm/.ssh
 	fi
 	if [ ! -d /sockets ]; then
-		mkdir /sockets
+		mkdir -p /sockets
 		chown gvm:gvm -R /sockets
 	fi
 	echo "gvm:gvm" | chpasswd
 	rm -rfv /var/run/sshd
 	mkdir -p /var/run/sshd
 	if [ ! -f /etc/ssh/sshd_config ]; then
-		mv /sshd_config /etc/ssh/sshd_config
+		cp /opt/config/sshd_config /etc/ssh/sshd_config
+		chown root:root /etc/ssh/sshd_config
 	fi
 	${SUPVISD} start sshd
 	if [ "${DEBUG}" == "Y" ]; then