Merge pull request #9 from Secure-Compliance-Solutions-LLC/dev

v21.4.2-v1

Author: austinsonger

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,41 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: "[Bug]"
+labels: bug
+assignees: Dexus, pixelsquared
+
+---
+
+**** Before you open a bug issue, please read the documentation. If you do not find an answer to your problem there, please look in the issues that have already been closed. Only if you still have not found an answer to your problem should you open a new issue. ****
+** https://securecompliance.gitbook.io/projects/openvas-greenbone-deployment-full-guide **
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Host Device:**
+ - OS:
+ - Version:
+
+**Image in use:**
+- Self build? 
+- Output from `docker image inspect <image>` :
+```
+# docker image inspect <image> 
+```
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: "[Enhancement]"
+labels: ''
+assignees: austinsonger, Dexus
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,19 @@
+## Summary
+
+Summarize your PR. If it involves visual changes, include a screenshot or GIF.
+
+
+### Checklist
+
+Delete any items that are not applicable to this PR.
+
+- [ ] [Update Documentation](https://github.com/Secure-Compliance-Solutions-LLC/gitbook) was added for features that require explanation or tutorials
+
+### Enhancements:
+
+
+### Fixed Bug/Issues solved:
+
+
+### Breaking Changes:
+

.github/workflows/docker-publish.yml

@@ -0,0 +1,258 @@
+name: Docker Image Build and Release
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master, dev]
+  create:
+    tags:
+
+concurrency: ci-${{ github.ref }}
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: ghcr.io
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: ${{ github.repository }}
+  IMAGE_NAME_GHCR: ghcr.io/${{ github.repository }}
+  IMAGE_NAME_DOCKER: securecompliance/openvas
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build_test_trivy:
+    name: Build and Test - Trivy
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: PrepareReg Names
+        run: |
+          echo IMAGE_REPOSITORY_GHCR=$(echo "ghcr.io/${{ github.repository }}" | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
+          echo IMAGE_TAG=$(echo ${{ github.ref }} | tr '[:upper:]' '[:lower:]' | awk '{split($0,a,"/"); print a[3]}') >> $GITHUB_ENV
+
+      - name: Set tag var
+        id: vars
+        run: echo ::set-output name=docker_tag::$(echo ${GITHUB_REF} | cut -d'/' -f3)-${GITHUB_SHA}
+
+      - name: Download artifact
+        uses: dawidd6/action-download-artifact@v2
+        with:
+          # Optional, GitHub token, a Personal Access Token with `public_repo` scope if needed
+          # Required, if artifact is from a different repo
+          github_token: ${{secrets.GITHUB_TOKEN}}
+          # Required, workflow file name or ID
+          workflow: build-apk.yml
+          # Optional, will use the branch
+          branch: master
+          # Optional, uploaded artifact name,
+          # will download all artifacts if not specified
+          # and extract them in respective subdirectories
+          # https://github.com/actions/download-artifact#download-all-artifacts
+          name: apk-builds
+          # Optional, directory where to extract artifact. Defaults to the artifact name (see `name` input)
+          path: ${{ github.workspace }}/apk-build/
+          # Optional, defaults to current repo
+          repo: Secure-Compliance-Solutions-LLC/GVM-APK-build
+
+      - name: Build the Docker image
+        run: docker build . --file Dockerfile --tag ${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }}
+
+      - uses: actions/cache@v2.1.4
+        with:
+          path: .trivy
+          key: ${{ runner.os }}-trivy-${{ github.run_id }}
+          restore-keys: |
+            ${{ runner.os }}-trivy-
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }}"
+          format: "table"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"
+          cache-dir: .trivy
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        if: always()
+        with:
+          image-ref: "${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }}"
+          format: "template"
+          template: "@/contrib/sarif.tpl"
+          output: "trivy-results.sarif"
+          severity: "CRITICAL,HIGH"
+          cache-dir: .trivy
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        if: always()
+        with:
+          sarif_file: "trivy-results.sarif"
+
+      - name: Correct Trivy cache permissions
+        if: always()
+        run: sudo chown -R $USER:$GROUP .trivy
+
+  build_test_anchore:
+    name: Build and Test - Anchore
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: PrepareReg Names
+        run: |
+          echo IMAGE_REPOSITORY_GHCR=$(echo "ghcr.io/${{ github.repository }}" | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
+          echo IMAGE_TAG=$(echo ${{ github.ref }} | tr '[:upper:]' '[:lower:]' | awk '{split($0,a,"/"); print a[3]}') >> $GITHUB_ENV
+
+      - name: Set tag var
+        id: vars
+        run: echo ::set-output name=docker_tag::$(echo ${GITHUB_REF} | cut -d'/' -f3)-${GITHUB_SHA}
+
+      - name: Download artifact
+        uses: dawidd6/action-download-artifact@v2
+        with:
+          # Optional, GitHub token, a Personal Access Token with `public_repo` scope if needed
+          # Required, if artifact is from a different repo
+          github_token: ${{secrets.GITHUB_TOKEN}}
+          # Required, workflow file name or ID
+          workflow: build-apk.yml
+          # Optional, will use the branch
+          branch: master
+          # Optional, uploaded artifact name,
+          # will download all artifacts if not specified
+          # and extract them in respective subdirectories
+          # https://github.com/actions/download-artifact#download-all-artifacts
+          name: apk-builds
+          # Optional, directory where to extract artifact. Defaults to the artifact name (see `name` input)
+          path: ${{ github.workspace }}/apk-build/
+          # Optional, defaults to current repo
+          repo: Secure-Compliance-Solutions-LLC/GVM-APK-build
+
+      - name: Build the Docker image
+        run: docker build . --file Dockerfile --tag ${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }}
+
+      - uses: anchore/scan-action@v2
+        if: always()
+        id: scan
+        with:
+          image: "${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }}"
+          acs-report-enable: true
+
+      - name: upload Anchore scan SARIF report
+        if: always()
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
+  build_release:
+    name: Build and Release
+    runs-on: ubuntu-latest
+
+    outputs:
+      labels: ${{ steps.meta.outputs.labels }}
+      tags: ${{ steps.meta.outputs.tags }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+        with:
+          submodules: recursive
+
+      - uses: docker/setup-buildx-action@v1
+        id: buildx
+        with:
+          install: true
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Login to GitHub Container Registry ${{ env.REGISTRY }}
+        uses: docker/login-action@v1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Login to DockerHub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Relase Prepare for latest Tag
+        id: releasePreareLatestTag
+        shell: bash
+        run: |
+          if [[ "$GITHUB_EVENT_NAME" == "create" ]] && [[ "$GITHUB_REF" =~ ^refs/tags/v.* ]]; then
+            echo -n "::set-output name=latest::true"
+          else
+            echo -n "::set-output name=latest::false"
+          fi
+
+      - name: Relase Prepare
+        id: releasePreare
+        run: |
+          echo -n "::set-output name=images::"
+          if [ "${GITHUB_EVENT_NAME}" != "pull_request" ]; then
+            echo -n "${IMAGE_NAME_DOCKER}"
+            echo -n ","
+          fi
+          echo -n "${IMAGE_NAME_GHCR}"
+
+      - name: Download artifact
+        uses: dawidd6/action-download-artifact@v2
+        with:
+          # Optional, GitHub token, a Personal Access Token with `public_repo` scope if needed
+          # Required, if artifact is from a different repo
+          github_token: ${{secrets.GITHUB_TOKEN}}
+          # Required, workflow file name or ID
+          workflow: build-apk.yml
+          # Optional, will use the branch
+          branch: master
+          # Optional, uploaded artifact name,
+          # will download all artifacts if not specified
+          # and extract them in respective subdirectories
+          # https://github.com/actions/download-artifact#download-all-artifacts
+          name: apk-builds
+          # Optional, directory where to extract artifact. Defaults to the artifact name (see `name` input)
+          path: ${{ github.workspace }}/apk-build/
+          # Optional, defaults to current repo
+          repo: Secure-Compliance-Solutions-LLC/GVM-APK-build
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta2
+        uses: docker/metadata-action@v3
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          images: ${{ steps.releasePreare.outputs.images }}
+          flavor: |
+            latest=${{ steps.releasePreareLatestTag.outputs.latest}}
+            prefix=
+            suffix=
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{raw}}
+            type=semver,pattern={{major}}.{{minor}}
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta2.outputs.tags }}
+          labels: ${{ steps.meta2.outputs.labels }}
+          build-args: |
+            SETUP=0

.gitignore

@@ -0,0 +1,2 @@
+apk-build/
+storage/

.gitmodules

@@ -5,6 +5,7 @@ CMD ["/usr/bin/supervisord", "-n", "-c", "/etc/supervisord.conf"]
 
 ARG SUPVISD=supervisorctl
 ARG DEBUG=N
+ARG AUTOSSH_DEBUG=${AUTOSSH_DEBUG:-0}
 ARG TZ=UTC
 ARG SETUP=0
 
@@ -16,6 +17,7 @@ COPY apk-build/user.abuild/*.pub /etc/apk/keys/
 
 ENV SUPVISD=${SUPVISD:-supervisorctl} \
     DEBUG=${DEBUG:-N} \
+    AUTOSSH_DEBUG=${AUTOSSH_DEBUG:-0} \
     TZ=${TZ:-UTC} \
     SETUP=${SETUP:-0}
 
@@ -30,11 +32,9 @@ RUN { \
     } >/etc/apk/repositories \
     && cat /etc/apk/repositories \
     && sleep 5 \
-    && apk update --update-cache \
+    && apk upgrade --no-cache --available \
     && sleep 5 \
-    && apk upgrade --available \
-    && sleep 5 \
-    && apk add --allow-untrusted curl su-exec tzdata bash openssh supervisor openvas@custcom openvas-smb@custcom openvas-config@custcom gvm-libs@custcom ospd-openvas@custcom \
+    && apk add --no-cache --allow-untrusted curl wget rsync autossh su-exec tzdata bash openssh supervisor openvas@custcom openvas-smb@custcom openvas-config@custcom gvm-libs@custcom ospd-openvas@custcom \
     && mkdir -p /var/log/supervisor/ \
     && sync
 
@@ -43,13 +43,15 @@ COPY scripts/* /
 COPY config/supervisord.conf /etc/supervisord.conf
 COPY config/redis-openvas.conf /etc/redis.conf
 
-VOLUME [ "/var/lib/openvas/plugins" ]
+VOLUME [ "/var/lib/openvas/plugins", "/var/lib/gvm" ]
 
 RUN if [ "${SETUP}" == "1" ]; then \
     ln -snf "/usr/share/zoneinfo/$TZ" /etc/localtime && echo "$TZ" >/etc/timezone \
     && /usr/bin/supervisord -c /etc/supervisord.conf || true ; \
     unset SETUP ;\
     fi \
+    && apk upgrade --no-cache --available \
+    && chmod +x /*.sh \
     && rm /etc/localtime || true\
     && echo "UTC" >/etc/timezone \
     && rm -rf /tmp/* /var/cache/apk/* \