Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
what is the status of this PR? |
|
@mlodic, Sir the analyzer is working. I just have to add _monkeypatch(), and then It should be complete. |
|
thanks for the update please add a reviewer once you finish! |
pranjalg1331
force-pushed
the
NucleiAnalyzer
branch
from
8e3021e to
1b474e2
Compare
|
@drosetti Please review. |
|
I'm reviewing it |
api_app/analyzers_manager/migrations/0148_analyzer_config_nuclei.py
Outdated
Show resolved
Hide resolved
| "base_path": "api_app.analyzers_manager.observable_analyzers", | ||
| }, | ||
| "name": "Nuclei", | ||
| "description": "A fast and customisable vulnerability scanner powered by simple YAML-based templates", |
There was a problem hiding this comment.
add markdown link to the Nuclei webpage or docs. That would be rendered by the frontend
api_app/analyzers_manager/migrations/0148_analyzer_config_nuclei.py
Outdated
Show resolved
Hide resolved
| build: | ||
| context: ../integrations/nuclei_analyzer | ||
| dockerfile: Dockerfile | ||
| image: pranjalg1310/nuclei-analyzer:1.2.2 No newline at end of file |
There was a problem hiding this comment.
switch to test instance here, see other docker analyzers
| mv nuclei /usr/local/bin/ && \ | ||
| chmod +x /usr/local/bin/nuclei && \ | ||
| rm nuclei_3.3.7_linux_amd64.zip && \ | ||
| nuclei -update-template-dir /opt/nuclei-api/nuclei-templates -update-templates && \ |
There was a problem hiding this comment.
you do this to update the template project, right? That's a good thing to do.
However, I did not see any implementation of a way to periodically update them. I expect an implementation of a simple cronjob that daily would check and get updates of these templates. In the pcap_analyzer integration we already added a cronjob, you can take example from there.
There was a problem hiding this comment.
@mlodic I checked the implementation of cron job in pcap_analyzer but could not understand how we are calling these two files - crontab and update_signature. I also tried running pcap analyzer with updated timing to update every minute but could not see any logs being created inside the container.
Could you please guide me more on how to setup cronjob for docker based analyzer and how are they being called?
| wget \ | ||
| unzip && \ | ||
| wget --progress=dot:giga https://github.com/projectdiscovery/nuclei/releases/download/v3.3.7/nuclei_3.3.7_linux_amd64.zip && \ | ||
| unzip nuclei_3.3.7_linux_amd64.zip && \ |
There was a problem hiding this comment.
this approach has 2 problems:
- first, a custom docker image is really needed? they provide one https://docs.projectdiscovery.io/tools/nuclei/install.
- if it is really needed, cannot this be the base of this custom docker image instead of python? That would help maintain a cleaner image plus we would be able to track Nuclei version updates with the dependabot. If you download the binary like this, we wouldn't be able to be notified by the dependabot.
There was a problem hiding this comment.
I have added the Dependabot config. Although I did not know how I could test it, so please take a look.
Signed-off-by: pranjalg1331 <[email protected]>
Signed-off-by: pranjalg1331 <[email protected]>
Signed-off-by: pranjalg1331 <[email protected]>
Signed-off-by: pranjalg1331 <[email protected]>
Signed-off-by: pranjalg1331 <[email protected]>
Signed-off-by: pranjalg1331 <[email protected]>
Signed-off-by: pranjalg1331 <[email protected]>
Signed-off-by: pranjalg1331 <[email protected]>
Signed-off-by: pranjalg1331 <[email protected]>
Signed-off-by: pranjalg1331 <[email protected]>
Signed-off-by: pranjalg1331 <[email protected]>
Signed-off-by: pranjalg1331 <[email protected]>
Signed-off-by: pranjalg1331 <[email protected]>
Signed-off-by: pranjalg1331 <[email protected]>
Signed-off-by: pranjalg1331 <[email protected]>
pranjalg1331
force-pushed
the
NucleiAnalyzer
branch
from
a8eac2b to
eed403c
Compare
Signed-off-by: pranjalg1331 <[email protected]>
Signed-off-by: pranjalg1331 <[email protected]>
Signed-off-by: pranjalg1331 <[email protected]>
|
I have successfully implemented the flask-shell2http library in my Flask API and used the Nuclei Docker image as the base for my Dockerfile. This has significantly simplified the code. Currently, I haven't updated the Dockerfile version in compose-test.yaml to a test version yet. Could you review it before I proceed? |
| build: | ||
| context: ../integrations/nuclei_analyzer | ||
| dockerfile: Dockerfile | ||
| image: pranjalg1310/nuclei-analyzer:1.2.2 No newline at end of file |
| "base_path": "api_app.analyzers_manager.observable_analyzers", | ||
| }, | ||
| "name": "Nuclei", | ||
| "description": "A fast and customisable vulnerability scanner powered by simple YAML-based templates", |
|
|
||
| services: | ||
| nuclei_analyzer: | ||
| image: pranjalg1310/nuclei-analyzer:1.2.3 |
| while [ ! -d "$TEMPLATES_DIR" ] || [ -z "$(ls -A $TEMPLATES_DIR)" ]; do | ||
| echo "Templates not found or empty, retrying update in 10 seconds..." | ||
| nuclei -update-template-dir $TEMPLATES_DIR -update-templates | ||
| sleep 10 | ||
| done |
There was a problem hiding this comment.
whis is a potential infinite loop, do not use while like this. In case the templates are not found, the entrypoint should exit with a custom error
There was a problem hiding this comment.
updated the code to exit if templates are not downloaded successfully.
| done | ||
|
|
||
| echo "Templates downloaded successfully. Starting Flask API..." | ||
| exec gunicorn -b 0.0.0.0:4008 --timeout 120 --access-logfile - "app:app" |
There was a problem hiding this comment.
use all the options we used in the other entrypoint.sh you can found
There was a problem hiding this comment.
Included gunicorn logging same as Suricata.
| wget \ | ||
| unzip && \ | ||
| wget --progress=dot:giga https://github.com/projectdiscovery/nuclei/releases/download/v3.3.7/nuclei_3.3.7_linux_amd64.zip && \ | ||
| unzip nuclei_3.3.7_linux_amd64.zip && \ |
You can already do this during development because you would use the local built from the compose-tests-yml that would overwrite the build from compose.yml |
Signed-off-by: pranjalg1331 <[email protected]>
Signed-off-by: pranjalg1331 <[email protected]>
Signed-off-by: pranjalg1331 <[email protected]>
mlodic
left a comment
mlodic
left a comment
There was a problem hiding this comment.
this task has been challenging. Last steps and we are ready to merge
| if template_dir in VALID_TEMPLATE_CATEGORIES: | ||
| args.extend(["-t", template_dir]) | ||
| else: | ||
| print(f"Skipping invalid template directory: {template_dir}") |
There was a problem hiding this comment.
this should be a warning log and you should add it in the report like this self.report.errors.append(warning). Remember to reference the analyzed observable in the log
| RUN adduser -D -h /home/${USER} ${USER} | ||
|
|
||
| # Install required packages using apk and clean cache in the same layer | ||
| RUN apk add --no-cache python3 py3-pip \ |
There was a problem hiding this comment.
please select a specific python version here. The more recent the better.
integrations/nuclei_analyzer/app.py
Outdated
| try: | ||
| json_objects.append(json.loads(line)) | ||
| except json.JSONDecodeError: | ||
| print(f"Skipping non-JSON line: {line}") |
|
|
||
| services: | ||
| nuclei_analyzer: | ||
| image: pranjalg1310/nuclei-analyzer:{REACT_APP_INTELOWL_VERSION} |
There was a problem hiding this comment.
use the image from intelowlproject repo
| build: | ||
| context: ../integrations/nuclei_analyzer | ||
| dockerfile: Dockerfile | ||
| image: pranjalg1310/nuclei-analyzer:test No newline at end of file |
| # Expose the API port | ||
| EXPOSE 4008 | ||
|
|
||
| ENTRYPOINT ["/entrypoint.sh"] No newline at end of file |
There was a problem hiding this comment.
could you please add an HEALTHCHECK here as an additional check?
You can check the Dockerfile_nginx as an example. You can check whether the gunicorn app is up or not after a predefined period that should be the expected time of execution of the entrypoint.sh script
There was a problem hiding this comment.
For the health check, I have added an extra endpoint to the API which is being called from the dockerfile.
Signed-off-by: pranjalg1331 <[email protected]>
|
great! |
* Install Kanvas workflow * initial commit Signed-off-by: pranjalg1331 <[email protected]> * Dockerfile Signed-off-by: pranjalg1331 <[email protected]> * synchronous nuclei api Signed-off-by: pranjalg1331 <[email protected]> * removing unnecessary file Signed-off-by: pranjalg1331 <[email protected]> * dockerfile Signed-off-by: pranjalg1331 <[email protected]> * made api async Signed-off-by: pranjalg1331 <[email protected]> * error resolved Signed-off-by: pranjalg1331 <[email protected]> * async working Signed-off-by: pranjalg1331 <[email protected]> * another Signed-off-by: pranjalg1331 <[email protected]> * deepsource errors Signed-off-by: pranjalg1331 <[email protected]> * gunicorn version fixed Signed-off-by: pranjalg1331 <[email protected]> * shell2http architecture Signed-off-by: pranjalg1331 <[email protected]> * deep sorce errors resolved Signed-off-by: pranjalg1331 <[email protected]> * nuclei file update Signed-off-by: pranjalg1331 <[email protected]> * new version for dockerfile Signed-off-by: pranjalg1331 <[email protected]> * migration file changes Signed-off-by: pranjalg1331 <[email protected]> * error corected Signed-off-by: pranjalg1331 <[email protected]> * error resolved Signed-off-by: pranjalg1331 <[email protected]> * dockerfile cleanup code Signed-off-by: pranjalg1331 <[email protected]> * dependabot added + dockerfile test version Signed-off-by: pranjalg1331 <[email protected]> * dependabot for python dependencies Signed-off-by: pranjalg1331 <[email protected]> * healthcheck for api Signed-off-by: pranjalg1331 <[email protected]> --------- Signed-off-by: pranjalg1331 <[email protected]> Co-authored-by: meshery-dev[bot] <132387951+meshery-dev[bot]@users.noreply.github.com>
2 participants
Description
Closes #1883
Sample Resonse-
Type of change
Please delete options that are not relevant.
Checklist
developdumpplugincommand and added it in the project as a data migration. ("How to share a plugin with the community")test_files.zipand you added the default tests for that mimetype in test_classes.py.FREE_TO_USE_ANALYZERSplaybook by following this guide.urlthat contains this information. This is required for Health Checks._monkeypatch()was used in its class to apply the necessary decorators.MockUpResponseof the_monkeypatch()method. This serves us to provide a valid sample for testing.Black,Flake,Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.testsfolder). All the tests (new and old ones) gave 0 errors.DeepSource,Django Doctorsor other third-party linters have triggered any alerts during the CI checks, I have solved those alerts.Important Rules