nexpose-asset-producer

command module v1.3.5
Published: Jun 9, 2020 License: Apache-2.0 Imports: 10 Imported by: 0

README

nexpose-asset-producer - A service that produces scanned Nexpose assets to an event stream


https://github.com/asecurityteam/nexpose-asset-producer

Overview

This project is meant to be used with Nexpose. It provides a Docker image that, when run, exposes an endpoint that can be called with a Site ID for a site that was recently scanned. The service queries the Nexpose API with the Scan ID to get the list of assets in that site, then produces each individual asset on an event stream.

This project is part of a larger effort to automate Nexpose vulnerability scan results. The idea is that once a scan is run, the scan ID is sent to nexpose-asset-producer; once nexpose-asset-producer puts an asset on the event stream, that asset can be hydrated with vulnerability information (vulnerability details and solutions, which also need to be queried from the Nexpose API), so that you can find out which vulnerabilities exist in your assets and how to fix them.

Quick Start

Configuration

Environment Variables

Here are the environment variables that need to be set:

| Name | Required | Description | Example |
| --- | --- | --- | --- |
| NEXPOSE_API_HOST | Yes | Scheme and host for the Nexpose instance | https://nexpose.mycompany.com |
| NEXPOSE_API_USERNAME | Yes | Username to access the Nexpose instance | myusername |
| NEXPOSE_API_PASSWORD | Yes | Password that corresponds to the provided username | mypassword |
| NEXPOSE_PAGESIZE | No | The number of Nexpose assets to get back at a time (default 100) | 100 |
| HTTPPRODUCER_API_HOST | Yes | Scheme and host for the HTTP event producer (i.e., Benthos connected to SQS/Kinesis) | http://benthos:4195 |
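As an added example (not code from this project), here is a Go loader for the variables above that enforces the Required column, applies the page-size default, checks that both hosts include a scheme, and redacts the password whenever the config is printed or logged. The `Config` type and `LoadConfig` function are assumptions, not the project's own API.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"strconv"
)

// Config holds the five variables from the README table above.
type Config struct {
	NexposeHost, NexposeUsername, NexposePassword, ProducerHost string
	PageSize                                                     int
}

// String redacts the password so a config dumped to logs never leaks the credential.
func (c Config) String() string {
	return fmt.Sprintf("nexpose=%s user=%s pass=[REDACTED] pagesize=%d producer=%s",
		c.NexposeHost, c.NexposeUsername, c.PageSize, c.ProducerHost)
}

// LoadConfig takes a lookup func (os.LookupEnv in production, a map in tests).
func LoadConfig(lookup func(string) (string, bool)) (Config, error) {
	cfg := Config{PageSize: 100} // README default when NEXPOSE_PAGESIZE is unset
	for name, dst := range map[string]*string{
		"NEXPOSE_API_HOST": &cfg.NexposeHost, "NEXPOSE_API_USERNAME": &cfg.NexposeUsername,
		"NEXPOSE_API_PASSWORD": &cfg.NexposePassword, "HTTPPRODUCER_API_HOST": &cfg.ProducerHost,
	} {
		v, ok := lookup(name)
		if !ok || v == "" {
			return Config{}, fmt.Errorf("required environment variable %s is not set", name)
		}
		*dst = v
	}
	for _, h := range []string{cfg.NexposeHost, cfg.ProducerHost} { // "Scheme and host" column
		if u, err := url.Parse(h); err != nil || u.Scheme == "" || u.Host == "" {
			return Config{}, fmt.Errorf("%q must include scheme and host", h)
		}
	}
	if v, ok := lookup("NEXPOSE_PAGESIZE"); ok && v != "" {
		n, err := strconv.Atoi(v)
		if err != nil || n <= 0 {
			return Config{}, fmt.Errorf("NEXPOSE_PAGESIZE must be a positive integer, got %q", v)
		}
		cfg.PageSize = n
	}
	return cfg, nil
}

func main() { fmt.Println(LoadConfig(os.LookupEnv)) } // Config prints via String(): password redacted
```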

Dependency Check

Depending on how it is deployed, this service can be composed of a number of sidecars. Even when the configuration and placement of those sidecars are verified internally, it is useful to also check that the environment variables point to the correct external dependencies.

An obvious external dependency is Nexpose itself. There is a dependency check baked into assetfetcher, which lets users verify that they can connect to Nexpose via /dependencycheck (see the example in gateway-incoming.yaml).

Status

This project is in incubation which means we are not yet operating this tool in production and the interfaces are subject to change.

Contributing

Building And Testing

We publish a docker image called SDCLI that bundles all of our build dependencies. It is used by the included Makefile to help make building and testing a bit easier. The following actions are available through the Makefile:

  • make dep

    Install the project dependencies into a vendor directory

  • make lint

    Run our static analysis suite

  • make test

    Run unit tests and generate a coverage artifact

  • make integration

    Run integration tests and generate a coverage artifact

  • make coverage

    Report the combined coverage for unit and integration tests

  • make build

    Generate a local build of the project (if applicable)

  • make run

    Run a local instance of the project (if applicable)

  • make doc

    Generate the project code documentation and make it viewable locally.

Quality Gates

Our build process will run the following checks before going green:

  • make lint
  • make test
  • make integration
  • make coverage (combined result must be 85% or above for the project)

Running these locally will give early indicators of pass/fail.

License

This project is licensed under Apache 2.0. See LICENSE.txt for details.

Contributing Agreement

Atlassian requires signing a contributor's agreement before we can accept a patch. If you are an individual you can fill out the individual CLA. If you are contributing on behalf of your company then please fill out the corporate CLA.

Documentation


There is no documentation for this package.

Directories

| Path | Synopsis |
| --- | --- |
| pkg/domain | Package domain is a container of all of the domain types and interfaces that are used across multiple packages within the service. |
| pkg/handlers | Package handlers contains all top level functionality. |
| pkg/handlers/v1 | Package v1 is a container for endpoints that are used to power the v1 of the service. |
| pkg/logs | Package logs contains all structured log events for the service. |
