helm/securecodebox/persistence-defectdojo 5.0.0

v5.0.0

on Artifact Hub

What's Changed

This release brings some long awaited improvements and optimizations.
Some of this required breaking changes, these are listed below.

💣 Breaking

Removed / Replaced ScanTypes

• zap-baseline-scan and zap-advanced in favor of the zap-automation-framework. The zap-automation-framework ScanTpye includes all functionalities of the removed ScanTypes and can be customized easily. The default ScanType for the AutoDiscovery has been changed to the zap-automation-framework as well. For migrating to the zap-automation-framework please refer to migration to zap-automation framework guide.
• amass has been replaced with subfinder. Amass is still an amzing tool, but with its focus on becoming more of a standalone platform / database for attack surfaces keeping it integrated and updated in the secureCodeBox was getting harder and harder. subfinder is a very good replacement for subdomain discovery, thats also generally quicker and produces a similar result.
• kubeaudit was removed as the scanner itself isn't maintaned anymore. As a replacement you can use the trivy with it's k8s scanning mode, see trivy ScanType k8s example.
• typo3scan was removed as the scanner itself isn't maintaned anymore. Most security aspects of typo3 are now hard to verify from the outside as it requires authentication (which is really good). Some typo3 security aspects (e.g. a incomplete installation) can be verified by nuclei.
• doggo was removed. Doggo was added primarily as an experimentation to be used to deduplicate duplicate scan target from cascading rules based on DNS entries. That approach hasn't worked out unfortunately. The doggo integration has been non-functional for a while (see: #2853). As an alternative, nuclei already includes some DNS record based checks, if checks for specific records are required custom nuclei rules could be used to fulfil those requirements.
• cmseek was removed. cmseek has seen little updates in the last years. Our secureCodeBox integration with cmseek was always pretty basic, only supporting joomla (a specfifc CMS) results, which hasn't been a big focus for us. As a replacement we recommend using nuclei which has joomla rules which will likely receive more updates in the future.

➡️ Reference: #2670

Renamed ClusterRole and ClusterRoleBinding

To avoid naming collisions with other cluster‑scoped resources, the operator's ClusterRole formerly called manager-role has been renamed to securecodebox‑manager-role, and the corresponding ClusterRoleBinding manager-rolebinding is now securecodebox‑manager-rolebinding. The official Helm chart will automatically create and reference these new names when you update the operator.

If you maintain a custom deployment that directly references manager-role or manager-rolebinding, be sure to update those references to securecodebox‑manager-role and securecodebox‑manager-rolebinding respectively.

➡️ Reference: #3002

Changes to trivy k8s scope (namespace / cluster)

The kubeauditScope on the trivy ScanType chart was renamed to k8sScanScope Scope. The previous name was used for consistency with the kubeaudit ScanType, but it never really made sense and was confusing.
The default k8sScanScope scope was also changed from cluster to namespace, The cluster mode needs cluster wide permissions, which makes the trivy chart hard to install in properly locked down RBAC setups.

➡️ Reference: #3025

Removed Integrated Elasticsearch and Kibana Helm Charts

The integrated Elasticsearch and Kibana Helm charts have been dropped from the Persistence ElasticSearch Hook. These charts were intended as a quick-start option, but since Elastic no longer provides their own Helm charts, they have been removed. The documentation has been updated with guidance on setting up an Elasticsearch cluster using the ECK operator.

➡️ Reference: #2892

Changed Default Elasticsearch Index

The default Elasticsearch index has been updated from scbv2 to scb. The inclusion of v2 was a confusing oversight that has been outdated since the release of secureCodeBox v3.
If you had previously ingested finding using the scbv2 index prefix you can keep using it by setting the indexPrefix helm value back to scbv2 or by migrating your existing indexes to match the new naming scheme.

➡️ Reference: #2892

Replaced Bitnami MinIO Subchart with Direct MinIO Deployment

Due to upcoming deprecations in Bitnami Helm charts, the operator's MinIO integration has been changed from using the Bitnami MinIO subchart to a direct MinIO deployment using the official docker.io/minio/minio image.

⚠️ Important Migration Notes:

• Data will NOT be migrated automatically from the old Bitnami MinIO deployment to the new direct MinIO deployment
• If you have important scan data stored in the old MinIO instance, you must manually backup and restore it before upgrading
• The new MinIO deployment uses different naming conventions and storage configurations

For Production Environments:
The included MinIO deployment is intended only for quickstart and development setups. For production environments, you should:

• Use an external S3-compatible storage service (AWS S3, Google Cloud Storage, etc.)
• Set minio.enabled=false and configure the s3 section in your values
• Refer to the installation documentation for external storage configuration

If you need to continue using the embedded MinIO for development, the new deployment will create a fresh MinIO instance with the same default bucket configuration.

🚀 Features

• Add subfinder scanner by @joel-sass in #3122
• Speed up parser & hook execution time by up to 2x & reduce cpu load by up to 5x by bundling parser & hook sdk by @J12934 in #3137 & #3141
• Add resource & security context config options for trivy db cache by @J12934 in #3037
• Add default RuntimeDefault SecComp Profile to Luker and change Capability to Uppercase to better match Security Policies by @Reet00 in #3116
• Migrate Kubernetes Service AutoDiscovery to use Zap Automation Framework by default by @Reet00 in #3049
• Improve container security by ensuring that the executed code can't be modified by the container user by @J12934 in #3035

🚓 Security Scanner

• Upgraded gitleaks from v8.24.3 to v8.28.0 @secureCodeBoxBot (#3009, #3012, #3032, #3058, #3068, #3145)

• Upgraded nmap 7.97-r0 by @J12934 in #3133

• Upgraded nuclei from v3.4.2 to v3.4.7 @secureCodeBoxBot (#3027, #3041, #3089, #3107, #3109)
• Upgraded semgrep from 1.120.0 to 1.131.0 @secureCodeBoxBot (#3017, #3038, #3054, #3066, #3076, #3094, #3100, #3112, #3158, #3163)
• Upgraded sslyze from 6.1.0 to 6.2.0 @secureCodeBoxBot (#3166)
• Upgraded subfinder from v2.7.0 to v2.8.0 @secureCodeBoxBot (#3155)
• Upgraded trivy from 0.61.1 to 0.65.0 @secureCodeBoxBot (#3011, #3016, #3055, #3108, #3110, #3164)
• Upgraded trivy-sbom from 0.61.1 to 0.65.0 @secureCodeBoxBot (#3010, #3015, #3056, #3106, #3111, #3162)
• Upgraded whatweb from v0.5.5 to v6.0.1 @secureCodeBoxBot (#3165)

🐛 Bug Fixes

• Fix Issue with nuclei parser issue for dns related findings by @J12934 in #3153

📚 Documentation

• Add rust community scanner by @Weltraumschaf in #3078
• Add YouTube Presentation of scbctl From Thibaut Batale by @Weltraumschaf in #3064
• Add Blog Post about Launch of SCBaaS by @Weltraumschaf in #3118
• Document Project Lead Sync Meeting by @Weltraumschaf in #3090
• Correct duplicated hostname reference in CascadingHook docs by @J12934 in #3172
• Update documentation after initial project lead sync by @Weltraumschaf in #3050
• Inline Link In Markdown To Fix Post Overview by @Weltraumschaf in #3121

🔧 Maintenance

• Add dependabot config for helm charts by @J12934 in #3018
• Drop axios from hook-sdk by @J12934 in #2977
• Migrate Scanner / Parsers to ESM and @kubernetes/client-node v1.x by @J12934 in #3088
• Update Various CI Components by @J12934 in #3136
• Resolve minor security warnings by @J12934 in #3140
• Update test assertions for the integration-test by @Reet00 in #3059

📌 Dependencies

New Contributors

• @joel-sass made their first contribution in #3122
• @renovate[bot] made their first contribution in #3174

Full Changelog: v4.16.0...v5.0.0