
Commit 3a75f0c

add: add vulnerable_ports logic
1 parent 62311f8 commit 3a75f0c


3 files changed

+50
-8
lines changed


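--- a/src/plugin/conf/cloud_service_conf.py
+++ b/src/plugin/conf/cloud_service_conf.py
@@ -9,6 +9,7 @@
 DEFAULT_REGION = "us-east-1"
 FILTER_FORMAT = []
 BOTO3_HTTPS_VERIFIED = None
+DEFAULT_VULNERABLE_PORTS = "22,3306"
 
 ASSET_URL = "https://spaceone-custom-assets.s3.ap-northeast-2.amazonaws.com/console-assets/icons/cloud-services/aws"
 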
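--- a/src/plugin/main.py
+++ b/src/plugin/main.py
@@ -1,5 +1,7 @@
 import logging
 from spaceone.inventory.plugin.collector.lib.server import CollectorPluginServer
+
+from .conf.cloud_service_conf import DEFAULT_VULNERABLE_PORTS
 from .manager.base import ResourceManager
 
 _LOGGER = logging.getLogger("cloudforet")
@@ -311,6 +313,17 @@ def _create_init_metadata():
 "inventory.Region",
 "inventory.ErrorResource",
 ],
-"options_schema": {},
+"options_schema": {
+"required": ["vulnerable_ports"],
+"type": "object",
+"properties": {
+"vulnerable_ports": {
+"title": "Vulnerable Ports Option",
+"type": "string",
+"default": DEFAULT_VULNERABLE_PORTS,
+"description": "Ex) 22,8080,3306 (Default = 22,3306)",
+}
+},
+},
 }
 }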

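--- a/src/plugin/manager/ec2/security_group_manager.py
+++ b/src/plugin/manager/ec2/security_group_manager.py
@@ -1,7 +1,8 @@
 import copy
 from spaceone.inventory.plugin.collector.lib import *
 from ..base import ResourceManager
-from ...conf.cloud_service_conf import ASSET_URL, INSTANCE_FILTERS
+from ...conf.cloud_service_conf import ASSET_URL, INSTANCE_FILTERS, DEFAULT_VULNERABLE_PORTS
+from ...error.custom import ERROR_VULNERABLE_PORTS
 
 
 class SecurityGroupManager(ResourceManager):
@@ -35,6 +36,9 @@ def create_cloud_service_type(self):
 def create_cloud_service(self, region, options, secret_data, schema):
 cloudtrail_resource_type = "AWS::EC2::SecurityGroup"
 
+# If Port Filter Option Exist
+vulnerable_ports = self.options.get("vulnerable_ports", DEFAULT_VULNERABLE_PORTS)
+
 # Get default VPC
 default_vpcs = self._get_default_vpc()
 
@@ -62,7 +66,7 @@ def create_cloud_service(self, region, options, secret_data, schema):
 in_rule_copy = copy.deepcopy(in_rule)
 inbound_rules.append(
 self.custom_security_group_rule_info(
-in_rule_copy, _ip_range, "ip_ranges"
+in_rule_copy, _ip_range, "ip_ranges",vulnerable_ports
 )
 )
 
@@ -73,14 +77,15 @@ def create_cloud_service(self, region, options, secret_data, schema):
 in_rule_copy,
 _user_group_pairs,
 "user_id_group_pairs",
+vulnerable_ports,
 )
 )
 
 for _ip_v6_range in in_rule.get("Ipv6Ranges", []):
 in_rule_copy = copy.deepcopy(in_rule)
 inbound_rules.append(
 self.custom_security_group_rule_info(
-in_rule_copy, _ip_v6_range, "ipv6_ranges"
+in_rule_copy, _ip_v6_range, "ipv6_ranges",vulnerable_ports
 )
 )
 
@@ -91,7 +96,7 @@ def create_cloud_service(self, region, options, secret_data, schema):
 out_rule_copy = copy.deepcopy(out_rule)
 outbound_rules.append(
 self.custom_security_group_rule_info(
-out_rule_copy, _ip_range, "ip_ranges"
+out_rule_copy, _ip_range, "ip_ranges",vulnerable_ports
 )
 )
 
@@ -101,15 +106,15 @@ def create_cloud_service(self, region, options, secret_data, schema):
 self.custom_security_group_rule_info(
 out_rule_copy,
 _user_group_pairs,
-"user_id_group_pairs",
+"user_id_group_pairs",vulnerable_ports,
 )
 )
 
 for _ip_v6_range in out_rule.get("Ipv6Ranges", []):
 out_rule_copy = copy.deepcopy(out_rule)
 outbound_rules.append(
 self.custom_security_group_rule_info(
-out_rule_copy, _ip_v6_range, "ipv6_ranges"
+out_rule_copy, _ip_v6_range, "ipv6_ranges",vulnerable_ports
 )
 )
 
@@ -160,7 +165,7 @@ def create_cloud_service(self, region, options, secret_data, schema):
 region_name=region,
 )
 
-def custom_security_group_rule_info(self, raw_rule, remote, remote_type):
+def custom_security_group_rule_info(self, raw_rule, remote, remote_type, vulnerable_ports):
 raw_rule.update(
 {
 "protocol_display": self._get_protocol_display(
@@ -170,6 +175,7 @@ def custom_security_group_rule_info(self, raw_rule, remote, remote_type):
 "source_display": self._get_source_display(remote),
 "description_display": self._get_description_display(remote),
 remote_type: remote,
+"vulnerable_ports": self._get_vulnerable_ports(raw_rule, vulnerable_ports)
 }
 )
 
@@ -287,3 +293,25 @@ def get_instance_name_from_tags(instance):
 return _tag.get("Value")
 
 return ""
+
+@staticmethod
+def _get_vulnerable_ports(raw_rule, vulnerable_ports):
+is_port_all = False
+
+try:
+toPort = int(raw_rule.get("ToPort"))
+fromPort = int(raw_rule.get("FromPort"))
+except (ValueError, TypeError):
+is_port_all = True
+toPort, fromPort = None, None
+
+ports = []
+try:
+for port in map(str.strip, vulnerable_ports.split(',')):
+target_port = int(port)
+if is_port_all or (fromPort <= target_port <= toPort):
+ports.append(target_port)
+
+return ports
+except Exception:
+raise ERROR_VULNERABLE_PORTS(vulnerable_ports)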
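Review bot: `_get_vulnerable_ports` wraps the whole parsing loop in `except Exception:` and re-raises everything as `ERROR_VULNERABLE_PORTS(vulnerable_ports)`, so any programming error inside the loop is reported to the operator as a bad option value; only the `int(port)` conversion can legitimately fail on user input and should be the only thing caught. Tokens are also never range-checked, so `"22,99999"` is accepted, can never match a bounded rule, and is even reported as a vulnerable port for a rule whose bounds are missing (`is_port_all`), while an empty token from a trailing comma (`"22,3306,"`) raises instead of being skipped. The rewrite below narrows the catch, skips empty tokens, rejects ports outside 0–65535 and renames the two bounds to snake_case. Separately, in the hunk at `@@ -35,6 +36,9 @@`, `create_cloud_service` receives `options` as a parameter but reads `self.options`; if the two can differ, the `.get` fallback silently hides the mismatch, which is worth confirming.
```python
@staticmethod
def _get_vulnerable_ports(raw_rule, vulnerable_ports):
    """Return the configured ports that fall inside this rule's FromPort..ToPort.

    A rule whose bounds are missing or non-integer is treated as covering
    every configured port. Raises ERROR_VULNERABLE_PORTS for a token that is
    not an integer in 0..65535.
    """
    try:
        from_port = int(raw_rule.get("FromPort"))
        to_port = int(raw_rule.get("ToPort"))
    except (ValueError, TypeError):
        from_port, to_port = None, None  # no usable bounds: every port matches

    ports = []
    for token in vulnerable_ports.split(","):
        token = token.strip()
        if not token:
            continue  # tolerate "22,3306," and "22,,3306"
        try:
            target_port = int(token)
        except ValueError:
            raise ERROR_VULNERABLE_PORTS(vulnerable_ports)
        if not 0 <= target_port <= 65535:
            raise ERROR_VULNERABLE_PORTS(vulnerable_ports)
        if from_port is None or from_port <= target_port <= to_port:
            ports.append(target_port)
    return ports
```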
