cloudsploit
GCP openAllPorts error
Hello All,
I am working on validating some policies for an application and have been getting an error on the GCP openAllPorts policy. Here is the output:
```
$ node ./index.js --config ./config.js --cloud google --json=results.json --collection=collection.json --plugin openAllPorts

CloudSploit by Aqua Security, Ltd.
Cloud security auditing for AWS, Azure, GCP, Oracle, and GitHub

INFO: Using CloudSploit config file: ./config.js
INFO: Skipping AWS pagination mode
INFO: Testing plugin: Open All Ports
INFO: Determining API calls to make...
INFO: Found 1 API calls to make for google plugins
INFO: Collecting metadata. This may take several minutes...
INFO: Metadata collection complete. Analyzing...
INFO: Analysis complete. Scan report to follow...
INFO: Collection file written to collection.json
INFO: JSON file written to results.json

┌──────────────────┬───────────────┬─────────────────────────────────────────────┬─────────┬───────┬──────────────────┬──────────────────────────────────────────────────┐
│ Category         │ Plugin        │ Description                                 │ Resourc │ Regio │ Status           │ Message                                          │
│                  │               │                                             │ e       │ n     │                  │                                                  │
├──────────────────┼───────────────┼─────────────────────────────────────────────┼─────────┼───────┼──────────────────┼──────────────────────────────────────────────────┤
│ VPC Network      │ Open All      │ Determines if all ports are open to the     │ N/A     │ globa │ UNKNOWN          │ Unable to query for projects: Unable to obtain   │
│                  │ Ports         │ public                                      │         │ l     │                  │ data                                             │
├──────────────────┼───────────────┼─────────────────────────────────────────────┼─────────┼───────┼──────────────────┼──────────────────────────────────────────────────┤
│ VPC Network      │ Open All      │ Determines if all ports are open to the     │ N/A     │ globa │ UNKNOWN          │ Unable to query for projects: Unable to obtain   │
│                  │ Ports         │ public                                      │         │ l     │                  │ data                                             │
└──────────────────┴───────────────┴─────────────────────────────────────────────┴─────────┴───────┴──────────────────┴──────────────────────────────────────────────────┘

INFO: Scan complete
/X/X/X/node_modules/async/dist/async.js:966
    if (fn === null) throw new Error("Callback was already called.");
                     ^

Error: Callback was already called.
    at /X/X/X/node_modules/async/dist/async.js:966:32
    at /X/X/X/node_modules/async/dist/async.js:3685:13
    at Timeout._onTimeout (/X/X/X/engine.js:204:45)
    at listOnTimeout (node:internal/timers:557:17)
    at processTimers (node:internal/timers:500:7)

Node.js v17.0.1
```
I do not believe this is a connectivity issue, since all other policies I have tested so far are working as expected.
Let me know what you think, or what I should test.
I am also having this issue on 5/13 GCP projects I use cloudsploit on. The other 8 work fine. I can't work out what the difference between the accounts is. Interesting, I have an older version of cloudsploit on a different server and that older version works fine.
As a workaround, I updated async.js to:

```js
function onlyOnce(fn) {
    return function() {
        // original guard, disabled for this workaround
        //if (fn === null) throw new Error("Callback was already called.");
        var callFn = fn;
        fn = null;
        try {
            callFn.apply(this, arguments);
        }
        catch (err){
            console.log(`Got dougal err: ${err}`);
        }
    };
}
```

And that seems to "fix" it, but I am not sure this is really the ideal solution, as I don't fully understand what the function is trying to achieve, beyond making sure you don't try to call a method from the fn object if it is null (which makes sense).
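What the `onlyOnce` guard in the trace protects against, and a caller-side way to avoid tripping it, as an added example that is not part of this thread or of CloudSploit's code. `racyStep` and `guardedStep` are hypothetical stand-ins for a collector step with a deadline, and the two events are replayed by hand instead of with real timers.

```javascript
// async.js's guard, as implied by the line quoted in the stack trace above.
function onlyOnce(fn) {
    return function (...args) {
        if (fn === null) throw new Error('Callback was already called.');
        const callFn = fn;
        fn = null;
        callFn.apply(this, args);
    };
}

// Hypothetical step: both the API result and the deadline report through done().
function racyStep(done) {
    return {
        onResult: (err, data) => done(err, data),
        onTimeout: () => done(new Error('timed out')),
    };
}

// Same step, but the first event settles it and later events are dropped.
function guardedStep(done) {
    let settled = false;
    const finish = (err, data) => {
        if (settled) return;   // late event: the step has already reported
        settled = true;        // real code would also clearTimeout() here
        done(err, data);
    };
    return {
        onResult: finish,
        onTimeout: () => finish(new Error('timed out')),
    };
}

// Replay the order seen in the trace: the result arrives, then the timer fires.
function replay(makeStep) {
    const reported = [];
    const done = onlyOnce((err, data) =>
        reported.push(err ? `UNKNOWN: ${err.message}` : `OK: ${data}`));
    const step = makeStep(done);
    let thrown = null;
    try {
        step.onResult(null, 'firewall rules');   // constructed sample value
        step.onTimeout();
    } catch (e) {
        thrown = e.message;
    }
    return { reported, thrown };
}

console.log(replay(racyStep));     // one result reported, then the guard throws
console.log(replay(guardedStep));  // one result reported, nothing thrown
```

With the throw commented out, a second call reaches `callFn.apply` with `callFn` set to null, so the workaround logs a TypeError rather than stopping the duplicate completion.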
Hi @chrisoverzero. Can you explain a bit about how your PR fixes this issue? The change itself is straightforward, but doesn't look like it affects the GCP Plugins. Thanks!
@amulroney-del Ack! That PR was meant to tag #936. Apologies. I'll see about correcting that now.
No sweat. Just wanted to make sure I didn't miss something.