
Error: Unable to scan GitHub in accordance with the instructions in the included docs.

Open dsk-imgw opened this issue 2 years ago • 0 comments

Since I could not find any issues related to GitHub scan errors, I'd like to post this issue.

It may be necessary to modify some source code and documents in order to scan GitHub properly. The procedure to reproduce the errors and my fix are shown below. (Because I'm not a professional in software development, I don't know if my fix is appropriate.)


[My Environment]

OS: Ubuntu 22.04.1 x86_64
NodeJS: 18.14.0-deb-1nodesource1
node -v => 18.14.0
npm -v => 9.3.1
CloudSploit: 2.0.0


[Procedures]

(1) Download the source code "cloudsploit-2.0.0.tar.gz", extract it and build it. Configure config.js in accordance with docs/github.md and run cloudsploit. Stopped with errors!

owner@ubuntu220401:~/cloudsploit-2.0.0.work$ node ./index.js --config=./config.js

   _____ _                 _  _____       _       _ _   
  / ____| |               | |/ ____|     | |     (_) |  
 | |    | | ___  _   _  __| | (___  _ __ | | ___  _| |_ 
 | |    | |/ _ \| | | |/ _` |\___ \| '_ \| |/ _ \| | __|
 | |____| | (_) | |_| | (_| |____) | |_) | | (_) | | |_ 
  \_____|_|\___/ \__,_|\__,_|_____/| .__/|_|\___/|_|\__|
                                   | |                  
                                   |_|                  

  CloudSploit by Aqua Security, Ltd.
  Cloud security auditing for AWS, Azure, GCP, Oracle, and GitHub

INFO: Using CloudSploit config file: ./config.js
INFO: Skipping AWS pagination mode
INFO: Determining API calls to make...
DEBUG: Skipping GitHub plugin Public Keys Rotated because it is not for User accounts
DEBUG: Skipping GitHub plugin GPG Keys Rotated because it is not for User accounts
DEBUG: Skipping GitHub plugin User MFA Enabled because it is not for User accounts
DEBUG: Skipping GitHub plugin User Private Emails because it is not for User accounts
INFO: Found 6 API calls to make for github plugins
INFO: Collecting metadata. This may take several minutes...
/home/owner/cloudsploit-2.0.0.work/collectors/github/collector.js:110
    const app = new Octoapp(appConfig);
                ^

TypeError: Octoapp is not a constructor
    at collect (/home/owner/cloudsploit-2.0.0.work/collectors/github/collector.js:110:17)
    at engine (/home/owner/cloudsploit-2.0.0.work/engine.js:95:5)
    at Object.<anonymous> (/home/owner/cloudsploit-2.0.0.work/index.js:204:1)
    at Module._compile (node:internal/modules/cjs/loader:1226:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1280:10)
    at Module.load (node:internal/modules/cjs/loader:1089:32)
    at Module._load (node:internal/modules/cjs/loader:930:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
    at node:internal/main/run_main_module:23:47

Node.js v18.14.0
owner@ubuntu220401:~/cloudsploit-2.0.0.work$ 

(2) Edit index.js in the "@octokit/app" module to fix the TypeError.

owner@ubuntu220401:~/cloudsploit-2.0.0.work$ vi ./node_modules/@octokit/app/dist-node/index.js

exports.App = App;

===>

module.exports = App;

(3) Re-run cloudsploit. Stopped with errors!

owner@ubuntu220401:~/cloudsploit-2.0.0.work$ node ./index.js --config=./config.js

   _____ _                 _  _____       _       _ _   
  / ____| |               | |/ ____|     | |     (_) |  
 | |    | | ___  _   _  __| | (___  _ __ | | ___  _| |_ 
 | |    | |/ _ \| | | |/ _` |\___ \| '_ \| |/ _ \| | __|
 | |____| | (_) | |_| | (_| |____) | |_) | | (_) | | |_ 
  \_____|_|\___/ \__,_|\__,_|_____/| .__/|_|\___/|_|\__|
                                   | |                  
                                   |_|                  

  CloudSploit by Aqua Security, Ltd.
  Cloud security auditing for AWS, Azure, GCP, Oracle, and GitHub

INFO: Using CloudSploit config file: ./config.js
INFO: Skipping AWS pagination mode
INFO: Determining API calls to make...
DEBUG: Skipping GitHub plugin Public Keys Rotated because it is not for User accounts
DEBUG: Skipping GitHub plugin GPG Keys Rotated because it is not for User accounts
DEBUG: Skipping GitHub plugin User MFA Enabled because it is not for User accounts
DEBUG: Skipping GitHub plugin User Private Emails because it is not for User accounts
INFO: Found 6 API calls to make for github plugins
INFO: Collecting metadata. This may take several minutes...
/home/owner/cloudsploit-2.0.0.work/node_modules/jsonwebtoken/sign.js:103
    throw err;
    ^

Error: secretOrPrivateKey must have a value
    at module.exports [as sign] (/home/owner/cloudsploit-2.0.0.work/node_modules/jsonwebtoken/sign.js:107:20)
    at getSignedJsonWebToken (/home/owner/cloudsploit-2.0.0.work/node_modules/@octokit/app/dist-node/index.js:31:30)
    at collect (/home/owner/cloudsploit-2.0.0.work/collectors/github/collector.js:111:21)
    at engine (/home/owner/cloudsploit-2.0.0.work/engine.js:95:5)
    at Object.<anonymous> (/home/owner/cloudsploit-2.0.0.work/index.js:204:1)
    at Module._compile (node:internal/modules/cjs/loader:1226:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1280:10)
    at Module.load (node:internal/modules/cjs/loader:1089:32)
    at Module._load (node:internal/modules/cjs/loader:930:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)

Node.js v18.14.0
owner@ubuntu220401:~/cloudsploit-2.0.0.work$ 

(4) To fix the "secretOrPrivateKey must have a value" error (the GitHub App ID and the private key are not being read in), edit index.js to add "application_id" and "private_key" to cloudConfig, aligned with the variable "appConfig" in collector/github/collector.js.

owner@ubuntu220401:~/cloudsploit-2.0.0.work$ vi index.js

    cloudConfig = {
        token: config.credentials.github.token,
        url: config.credentials.github.url,
        organization: config.credentials.github.organization,
        login: config.credentials.github.login
    };

===>

    cloudConfig = {
        token: config.credentials.github.token,
        url: config.credentials.github.url,
        organization: config.credentials.github.organization,
        login: config.credentials.github.login,
        application_id: config.credentials.github.appid,
        private_key: config.credentials.github.privatekey
    };

(5) Edit config_example.js.

owner@ubuntu220401:~/cloudsploit-2.0.0.work$ vi config_example.js

    github: {
        // OPTION 1: If using a credential JSON file, enter the path below
        // credential_file: '/path/to/file.json',
        // OPTION 2: If using hard-coded credentials, enter them below
        // token: process.env.GITHUB_TOKEN || '',
        // url: process.env.GITHUB_URL || 'https://api.github.com',
        // login: process.env.GITHUB_LOGIN || 'myusername',
        // organization: process.env.GITHUB_ORG || false
    }

===>

    github: {
        // OPTION 1: If using a credential JSON file, enter the path below
        // credential_file: '/path/to/file.json',
        // OPTION 2: If using hard-coded credentials, enter them below
        // token: process.env.GITHUB_TOKEN || '',
        // url: process.env.GITHUB_URL || 'https://api.github.com',
        // login: process.env.GITHUB_LOGIN || 'myusername',
        // organization: process.env.GITHUB_ORG || false,
        // appid: process.env.GITHUB_APPID || '',
        // privatekey: process.env.GITHUB_PRIVATEKEY || "-----BEGIN RSA PRIVATE KEY-----\n..."
    }

(6) In GitHub, add a GitHub Application and install it. Do not forget to obtain the "App ID" and "private key". A "Personal Access Token" is not necessary.

(7) Copy config_example.js to config.js, and edit config.js to set the proper values. The value of "token" does not seem to be used by cloudsploit, so it is not required.

(8) Re-run cloudsploit. Success!

owner@ubuntu220401:~/cloudsploit-2.0.0.work$ node ./index.js --config=./config.js

   _____ _                 _  _____       _       _ _   
  / ____| |               | |/ ____|     | |     (_) |  
 | |    | | ___  _   _  __| | (___  _ __ | | ___  _| |_ 
 | |    | |/ _ \| | | |/ _` |\___ \| '_ \| |/ _ \| | __|
 | |____| | (_) | |_| | (_| |____) | |_) | | (_) | | |_ 
  \_____|_|\___/ \__,_|\__,_|_____/| .__/|_|\___/|_|\__|
                                   | |                  
                                   |_|                  

  CloudSploit by Aqua Security, Ltd.
  Cloud security auditing for AWS, Azure, GCP, Oracle, and GitHub

INFO: Using CloudSploit config file: ./config.js
INFO: Skipping AWS pagination mode
INFO: Determining API calls to make...
DEBUG: Skipping GitHub plugin Public Keys Rotated because it is not for User accounts
DEBUG: Skipping GitHub plugin GPG Keys Rotated because it is not for User accounts
DEBUG: Skipping GitHub plugin User MFA Enabled because it is not for User accounts
DEBUG: Skipping GitHub plugin User Private Emails because it is not for User accounts
INFO: Found 6 API calls to make for github plugins
INFO: Collecting metadata. This may take several minutes...
[@octokit/rest] `const Octokit = require("@octokit/rest")` is deprecated. Use `const { Octokit } = require("@octokit/rest")` instead
[@octokit/rest] `const Octokit = require("@octokit/rest")` is deprecated. Use `const { Octokit } = require("@octokit/rest")` instead
INFO: Metadata collection complete. Analyzing...
INFO: Analysis complete. Scan report to follow...

  ┌────┬──────────┬──────────────────────────────────────┬──────────────────────┬──┬────┬───────────────────────────┐
  │ Ca │  Plugin  │             Description              │       Resource       │R │ St │          Message          │
  │ te │          │                                      │                      │e │ at │                           │
  │ go │          │                                      │                      │g │ us │                           │
  │ ry │          │                                      │                      │i │    │                           │
  │    │          │                                      │                      │o │    │                           │
  │    │          │                                      │                      │n │    │                           │
  ├────┼──────────┼──────────────────────────────────────┼──────────────────────┼──┼────┼───────────────────────────┤
  │ Or │ Org Plan │ Checks that the number of seats is   │ N/A                  │ g│ UN │ Unable to query for       │
  │ gs │ Limit    │ not close to the limit of available  │                      │ l│ KN │ organization plan         │
  │    │          │ licensed seats.                      │                      │ o│ OW │ information:              │
  │    │          │                                      │                      │ b│ N  │ HttpError:404             │
  │    │          │                                      │                      │ a│    │                           │
  │    │          │                                      │                      │ l│    │                           │
  ├────┼──────────┼──────────────────────────────────────┼──────────────────────┼──┼────┼───────────────────────────┤
  │ Or │ Org      │ Checks the default permission given  │ N/A                  │ g│ UN │ Unable to query for       │
  │ gs │ Default  │ to new users added to an             │                      │ l│ KN │ organization permission   │
  │    │ Permissi │ organization.                        │                      │ o│ OW │ information:              │
  │    │ on       │                                      │                      │ b│ N  │ HttpError:404             │
  │    │          │                                      │                      │ a│    │                           │
  │    │          │                                      │                      │ l│    │                           │
  ├────┼──────────┼──────────────────────────────────────┼──────────────────────┼──┼────┼───────────────────────────┤
  │ Or │ Org MFA  │ Checks whether multi-factor          │ N/A                  │ g│ UN │ Unable to query for       │
  │ gs │ Required │ authentication is required at the    │                      │ l│ KN │ organization MFA          │
  │    │          │ org-level.                           │                      │ o│ OW │ information:              │
  │    │          │                                      │                      │ b│ N  │ HttpError:404             │
  │    │          │                                      │                      │ a│    │                           │
  │    │          │                                      │                      │ l│    │                           │
  ├────┼──────────┼──────────────────────────────────────┼──────────────────────┼──┼────┼───────────────────────────┤
 ...snip...
INFO: Scan complete
owner@ubuntu220401:~/cloudsploit-2.0.0.work$ 

(9) Optionally, edit collector/github/collector.js to suppress the deprecation warnings from "@octokit/rest".

var Octokit = require('@octokit/rest');

===>

var { Octokit } = require('@octokit/rest');

dsk-imgw avatar Feb 10 '23 07:02 dsk-imgw