This repository has been archived by the owner on Feb 26, 2021. It is now read-only.

RFC: Add Scanner Capability Flag to enhance Scanner Worker Selection #89

Open
J12934 opened this issue Jul 3, 2019 · 0 comments
Comments

@J12934 (Member) commented Jul 3, 2019

Is your feature request related to a problem? Please describe.

When it comes to Multi Tenancy there are two main axes we'd like to support with the secureCodeBox Engine:

Team Separation

This allows the association of scanners operated by the teams with that team. The scanners will then only work on scan jobs created by that team. This was implemented in #79.

Capability Separation

Not every worker deployment in a team has to be the same.

Some scanners might...

  • be deployed in certain network situations which enable different scans.
  • have files mounted onto their filesystem which are required to perform certain scans.
  • have certain configuration / deployment requirements by the scanner to run certain kinds of scans. E.g. nmap requiring root rights / linux capabilities to run OS detection scans (See: Operating System scans need root rights scanner-infrastructure-nmap#2)

This problem can be solved by using the team separation feature by creating a new team for every team / capability combination, but that is quite tedious. These teams could look something like this:

  • team42
  • team42_nmap_privileged
  • team42_zap_behindwaf

Creating new teams requires assigning all team members to every one of their related teams, which is a big organisational overhead.

[image: scb-multi-tenancy]

Describe the solution you'd like

I'd like to introduce capabilities into the StartSecurityTest and the LockScanJob APIs.

The addition to the StartSecurityTest API would be a new optional requiredCapabilities attribute which allows the user to express which capabilities are required for the scan job.

The addition to the LockScanJob API would allow the scanners to communicate to the engine which capabilities they have.

POST https://engine.securecodebox.demo/box/securityTests

[
  {
    "context": "Feature Team 1",
    "metaData": {},
    "name": "nmap",
    "target": {
      "attributes": {
        "NMAP_PARAMETER": "-Pn"
      },
      "location": "127.0.0.1",
      "name": "SecureCodeBox Demo Website"
    },
    "tenant": "team-1",
    "requiredCapabilities": [
      "behind-firewall",
      "privileged-deployment"
    ]
  }
]

The relevant new attribute here is requiredCapabilities.

For a scanner to be able to work on this task it would need to be configured such that:

  • The engine user of the scanner worker, set by the env vars ENGINE_SCANNERSERVICES_USER and ENGINE_BASIC_AUTH_PASSWORD, needs to be a member of team-1
  • The worker needs to have the (new) environment var SCANNER_CAPABILITIES set to: behind-firewall,privileged-deployment (or privileged-deployment,behind-firewall; the order should not matter)

Scanners without the SCANNER_CAPABILITIES env var will only be able to work on scan jobs without requiredCapabilities.

Example deployment (docker-compose for readability):

nmap-team42:
    image: securecodebox/nmap:latest
    environment:
      - ENGINE_ADDRESS=http://engine:8080
      - ENGINE_BASIC_AUTH_USER=team42-tu-nmap
      - ENGINE_BASIC_AUTH_PASSWORD=foobar
      - SCANNER_CAPABILITIES=behind-firewall,privileged-deployment

Describe alternatives you've considered

  • Multiple teams (see problem descriptions)
  • Using camunda custom permissions, to prevent scanners without capabilities from accessing scan jobs.
@J12934 J12934 added the RFC Features suggestions which need more opinions label Jul 3, 2019
@J12934 J12934 added this to the v1.1.0 milestone Jul 3, 2019
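The selection rule the RFC describes (team separation from #79 plus a capability superset check, with an order-independent SCANNER_CAPABILITIES list) can be written down as a small matching function. The code below is an added illustration, not secureCodeBox engine code: the names `Worker`, `ScanJob`, `parse_capabilities`, `can_lock`, `select_job`, `worker_from_env` and the sample jobs are assumptions of this example, constructed to exercise the cases the RFC spells out (no env var, reordered list, a job in another tenant, a job needing capabilities the worker lacks).

```python
"""Worker/scan-job capability matching as proposed in the RFC.

Added example (not project code). All names below are assumptions of this
illustration; the secureCodeBox engine's real LockScanJob implementation is
not shown on the page.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Mapping, Optional


def parse_capabilities(raw: Optional[str]) -> FrozenSet[str]:
    """Parse a SCANNER_CAPABILITIES value such as "behind-firewall,privileged-deployment".

    The RFC says the order must not matter, so the result is a set. Surrounding
    whitespace and empty entries are dropped; an unset or empty variable yields
    the empty set, i.e. a worker that claims no capabilities.
    """
    if not raw:
        return frozenset()
    return frozenset(part.strip() for part in raw.split(",") if part.strip())


@dataclass(frozen=True)
class Worker:
    user: str                               # ENGINE_BASIC_AUTH_USER of the worker
    tenants: FrozenSet[str]                 # teams this engine user is a member of
    scanner: str                            # scanner type the worker runs, e.g. "nmap"
    capabilities: FrozenSet[str] = frozenset()  # parsed SCANNER_CAPABILITIES


@dataclass(frozen=True)
class ScanJob:
    job_id: str
    tenant: str                             # "tenant" field of the StartSecurityTest request
    name: str                               # "name" field, the scanner type requested
    required_capabilities: FrozenSet[str] = frozenset()  # "requiredCapabilities"


def worker_from_env(env: Mapping[str, str], scanner: str, tenants: Iterable[str]) -> Worker:
    """Build a Worker from the environment of a scanner deployment (assumed helper)."""
    return Worker(
        user=env.get("ENGINE_BASIC_AUTH_USER", ""),
        tenants=frozenset(tenants),
        scanner=scanner,
        capabilities=parse_capabilities(env.get("SCANNER_CAPABILITIES")),
    )


def can_lock(worker: Worker, job: ScanJob) -> bool:
    """Decide whether a LockScanJob call from `worker` may take `job`.

    1. the job must be for this worker's scanner type,
    2. team separation (#79): the worker's engine user must belong to the job's tenant,
    3. capability separation (this RFC): every required capability must be one the
       worker declared. A job without requiredCapabilities is therefore open to any
       worker of the tenant, including one with no SCANNER_CAPABILITIES at all.
    """
    if job.name != worker.scanner:
        return False
    if job.tenant not in worker.tenants:
        return False
    return job.required_capabilities <= worker.capabilities


def select_job(worker: Worker, jobs: Iterable[ScanJob]) -> Optional[ScanJob]:
    """Return the first job the worker is allowed to lock, or None."""
    for job in jobs:
        if can_lock(worker, job):
            return job
    return None


# Constructed sample jobs (not real data), modelled on the request body in the RFC.
SAMPLE_JOBS: List[ScanJob] = [
    ScanJob("job-1", "team-1", "nmap", frozenset({"behind-firewall", "privileged-deployment"})),
    ScanJob("job-2", "team-1", "nmap"),                                  # no requiredCapabilities
    ScanJob("job-3", "team-2", "nmap", frozenset({"privileged-deployment"})),  # other tenant
    ScanJob("job-4", "team-1", "zap", frozenset({"behind-firewall"})),   # other scanner type
]


def demo() -> dict:
    """Which sample jobs each of two constructed team-1 nmap workers may lock."""
    plain = worker_from_env({"ENGINE_BASIC_AUTH_USER": "team1-nmap"}, "nmap", ["team-1"])
    privileged = worker_from_env(
        {"ENGINE_BASIC_AUTH_USER": "team1-nmap-priv",
         "SCANNER_CAPABILITIES": "privileged-deployment, behind-firewall"},  # reordered on purpose
        "nmap", ["team-1"])
    return {w.user: [j.job_id for j in SAMPLE_JOBS if can_lock(w, j)] for w in (plain, privileged)}


if __name__ == "__main__":
    print(demo())
```

Note that the capability set is self-declared by the worker in its LockScanJob call, so this check only routes jobs to deployments that say they can handle them; the tenant-membership check tied to the worker's engine user is still the part that restricts which jobs a worker may see at all, which is why the RFC lists camunda custom permissions as the alternative for actually preventing access.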