mirror of
https://github.com/morten-olsen/homelab-nuclei-operator.git
synced 2026-02-08 02:16:23 +01:00
240 lines
6.8 KiB
Go
240 lines
6.8 KiB
Go
/*
|
|
Copyright 2025.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package scanner
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"fmt"
|
|
"os"
|
|
"os/exec"
|
|
"path/filepath"
|
|
"strings"
|
|
"time"
|
|
|
|
nucleiv1alpha1 "github.com/mortenolsen/nuclei-operator/api/v1alpha1"
|
|
)
|
|
|
|
// Scanner defines the interface for executing Nuclei scans
|
|
type Scanner interface {
|
|
// Scan executes a Nuclei scan against the given targets and returns the results
|
|
Scan(ctx context.Context, targets []string, options ScanOptions) (*ScanResult, error)
|
|
}
|
|
|
|
// ScanOptions contains configuration options for a scan
|
|
type ScanOptions struct {
|
|
// Templates specifies which Nuclei templates to use (paths or tags)
|
|
Templates []string
|
|
// Severity filters results by minimum severity level
|
|
Severity []string
|
|
// Timeout is the maximum duration for the scan
|
|
Timeout time.Duration
|
|
}
|
|
|
|
// ScanResult contains the results of a completed scan
|
|
type ScanResult struct {
|
|
// Findings contains all vulnerabilities/issues discovered
|
|
Findings []nucleiv1alpha1.Finding
|
|
// Summary provides aggregated statistics
|
|
Summary nucleiv1alpha1.ScanSummary
|
|
// Duration is how long the scan took
|
|
Duration time.Duration
|
|
}
|
|
|
|
// NucleiScanner implements the Scanner interface using the Nuclei binary
|
|
type NucleiScanner struct {
|
|
nucleiBinaryPath string
|
|
templatesPath string
|
|
}
|
|
|
|
// Config holds configuration for the NucleiScanner
|
|
type Config struct {
|
|
// NucleiBinaryPath is the path to the nuclei binary (default: "nuclei")
|
|
NucleiBinaryPath string
|
|
// TemplatesPath is the path to nuclei templates (default: use nuclei's default)
|
|
TemplatesPath string
|
|
// DefaultTimeout is the default scan timeout (default: 30m)
|
|
DefaultTimeout time.Duration
|
|
}
|
|
|
|
// DefaultConfig returns a Config with default values
|
|
func DefaultConfig() Config {
|
|
return Config{
|
|
NucleiBinaryPath: getEnvOrDefault("NUCLEI_BINARY_PATH", "nuclei"),
|
|
TemplatesPath: getEnvOrDefault("NUCLEI_TEMPLATES_PATH", ""),
|
|
DefaultTimeout: getEnvDurationOrDefault("NUCLEI_TIMEOUT", 30*time.Minute),
|
|
}
|
|
}
|
|
|
|
// NewNucleiScanner creates a new NucleiScanner with the given configuration
|
|
func NewNucleiScanner(config Config) *NucleiScanner {
|
|
return &NucleiScanner{
|
|
nucleiBinaryPath: config.NucleiBinaryPath,
|
|
templatesPath: config.TemplatesPath,
|
|
}
|
|
}
|
|
|
|
// NewNucleiScannerWithDefaults creates a new NucleiScanner with default configuration
|
|
func NewNucleiScannerWithDefaults() *NucleiScanner {
|
|
return NewNucleiScanner(DefaultConfig())
|
|
}
|
|
|
|
// Scan executes a Nuclei scan against the given targets
|
|
func (s *NucleiScanner) Scan(ctx context.Context, targets []string, options ScanOptions) (*ScanResult, error) {
|
|
if len(targets) == 0 {
|
|
return nil, fmt.Errorf("no targets provided for scan")
|
|
}
|
|
|
|
startTime := time.Now()
|
|
|
|
// Create a temporary directory for this scan
|
|
tmpDir, err := os.MkdirTemp("", "nuclei-scan-*")
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to create temp directory: %w", err)
|
|
}
|
|
defer os.RemoveAll(tmpDir)
|
|
|
|
// Write targets to a file
|
|
targetsFile := filepath.Join(tmpDir, "targets.txt")
|
|
if err := os.WriteFile(targetsFile, []byte(strings.Join(targets, "\n")), 0600); err != nil {
|
|
return nil, fmt.Errorf("failed to write targets file: %w", err)
|
|
}
|
|
|
|
// Build the nuclei command arguments
|
|
args := s.buildArgs(targetsFile, options)
|
|
|
|
// Set timeout from options or use default
|
|
timeout := options.Timeout
|
|
if timeout == 0 {
|
|
timeout = 30 * time.Minute
|
|
}
|
|
|
|
// Create context with timeout
|
|
scanCtx, cancel := context.WithTimeout(ctx, timeout)
|
|
defer cancel()
|
|
|
|
// Execute nuclei
|
|
cmd := exec.CommandContext(scanCtx, s.nucleiBinaryPath, args...)
|
|
|
|
var stdout, stderr bytes.Buffer
|
|
cmd.Stdout = &stdout
|
|
cmd.Stderr = &stderr
|
|
|
|
err = cmd.Run()
|
|
duration := time.Since(startTime)
|
|
|
|
// Check for context cancellation
|
|
if scanCtx.Err() == context.DeadlineExceeded {
|
|
return nil, fmt.Errorf("scan timed out after %v", timeout)
|
|
}
|
|
if scanCtx.Err() == context.Canceled {
|
|
return nil, fmt.Errorf("scan was cancelled")
|
|
}
|
|
|
|
// Nuclei returns exit code 0 even when it finds vulnerabilities
|
|
// Non-zero exit codes indicate actual errors
|
|
if err != nil {
|
|
if exitErr, ok := err.(*exec.ExitError); ok {
|
|
// Exit code 1 can mean "no results found" which is not an error
|
|
if exitErr.ExitCode() != 1 {
|
|
return nil, fmt.Errorf("nuclei execution failed: %w, stderr: %s", err, stderr.String())
|
|
}
|
|
} else {
|
|
return nil, fmt.Errorf("failed to execute nuclei: %w", err)
|
|
}
|
|
}
|
|
|
|
// Parse the JSONL output
|
|
findings, err := ParseJSONLOutput(stdout.Bytes())
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to parse nuclei output: %w", err)
|
|
}
|
|
|
|
// Calculate summary
|
|
summary := calculateSummary(findings, len(targets), duration)
|
|
|
|
return &ScanResult{
|
|
Findings: findings,
|
|
Summary: summary,
|
|
Duration: duration,
|
|
}, nil
|
|
}
|
|
|
|
// buildArgs constructs the command line arguments for nuclei
|
|
func (s *NucleiScanner) buildArgs(targetsFile string, options ScanOptions) []string {
|
|
args := []string{
|
|
"-l", targetsFile,
|
|
"-jsonl",
|
|
"-silent",
|
|
"-no-color",
|
|
}
|
|
|
|
// Add templates path if configured
|
|
if s.templatesPath != "" {
|
|
args = append(args, "-t", s.templatesPath)
|
|
}
|
|
|
|
// Add specific templates if provided
|
|
if len(options.Templates) > 0 {
|
|
for _, t := range options.Templates {
|
|
args = append(args, "-t", t)
|
|
}
|
|
}
|
|
|
|
// Add severity filter if provided
|
|
if len(options.Severity) > 0 {
|
|
args = append(args, "-severity", strings.Join(options.Severity, ","))
|
|
}
|
|
|
|
return args
|
|
}
|
|
|
|
// calculateSummary generates a ScanSummary from the findings
|
|
func calculateSummary(findings []nucleiv1alpha1.Finding, targetsCount int, duration time.Duration) nucleiv1alpha1.ScanSummary {
|
|
severityCounts := make(map[string]int)
|
|
|
|
for _, f := range findings {
|
|
severity := strings.ToLower(f.Severity)
|
|
severityCounts[severity]++
|
|
}
|
|
|
|
return nucleiv1alpha1.ScanSummary{
|
|
TotalFindings: len(findings),
|
|
FindingsBySeverity: severityCounts,
|
|
TargetsScanned: targetsCount,
|
|
DurationSeconds: int64(duration.Seconds()),
|
|
}
|
|
}
|
|
|
|
// getEnvOrDefault returns the environment variable value or a default
|
|
func getEnvOrDefault(key, defaultValue string) string {
|
|
if value := os.Getenv(key); value != "" {
|
|
return value
|
|
}
|
|
return defaultValue
|
|
}
|
|
|
|
// getEnvDurationOrDefault returns the environment variable as a duration or a default
|
|
func getEnvDurationOrDefault(key string, defaultValue time.Duration) time.Duration {
|
|
if value := os.Getenv(key); value != "" {
|
|
if d, err := time.ParseDuration(value); err == nil {
|
|
return d
|
|
}
|
|
}
|
|
return defaultValue
|
|
}
|