Hi,
is there an idea of when the integration will be planned?
Thanks

Hi,

we have it on the road map. So maybe we will look into this topic in the next weeks/montsh.

@STeXE89 We're looking into OpenVAS. Problem is that OpenVAS is a quite complicated beast and it would lead to massive work to integrate it into these cureCodeBox. We're even not sure if it's feasible. Could you please describe your concrete use case in detail?

I am also really interested in an implementation of OpenVAS into SecureCodeBox.
We are planning to migrate our entire scanning infrastructure, which includes Nikto, Zap and OpenVAS (with GSAD) to SecureCodeBox + DefectDojo.

The streamlined deployment and configuration of scans and checks would help us a lot and getting rid of GSAD would also be great since we don't have multiple platforms for handling our scan results.

Hi @moxli,

thanks for your answer.

To be honest, we have no experience with OpenVAS. @Zero3141 looked into itand it is a quite complicated setup with roundabout 9 containers necessary for OpenVAS. We're not sure if it's worth or feasible at all to integrate it.

Since you're not the first one asking for OpenVAS, we don;t want to simply ignore your request. Could you tell use a bit more in detail what kind of scans you perform with OpenVAS and what types of vulns it finds. The question we want to answer: Does it generate findings we could also find with the current available scanners of the secureCodeBox or does it generate complete different findings we also want to find with the secureCodeBox. In latter case it wouldbe worth the effort to extract the scanner from the OpenVAS setupt and try to integrate it.

OTOH would it be a solution to use secureCodeBox and OpenVAS side-by-side and feed the findings into one DefectDojo?

Hi @Weltraumschaf,

Thanks for your interest.

I understand that full integration is hard work.
For now I think it is sufficient to port the complete distribution from docker-compose (https://greenbone.github.io/docs/latest/22.4/container/index.html) to the helm secureCodeBox repository for k8s to be able to use the same secureCodeBox machine and infrastructure.
The minimum integration required is an automatic tool (or cronjob) to import defects from GSA (OpenVAS) to DefectDojo (manual export from GSA and import into DefectDojo are now possible).
Future integration, for example, is to retrieve the results from the DNS scan and automatically add them to the target list to run the OpenVAS scan.
Another integration is to use secureCodeBox's cron scheduler to run OpenVAS scans (to use only one scheduler: secureCodeBox and not the GSA scheduler)

Thank you!

Hi,
If it can be useful, I saw that there is also a tool for commands:
https://greenbone.github.io/gvm-tools/index.html
Thanks

Hi @Weltraumschaf and @STeXE89,

I've had a look at the OpenVAS scanner. It seems quite difficult to integrate. They use a proprietary protocol to send messages between docker containers. If you want to integrate it, it might be possible to use only the openvas-scanner container, but it requires some reverse engineering of the protocol and I'm not sure of the viability of this. You could opt to run openVAS in the cluster as a fixed instance, and find a way to interface with it using SCB data via cascading rules if at all possible, but that will likely cause scalability issues.

If all you need is data from OpenVAS to in your DefectDojo instance, It might be best to create a cron job that pipes the data from OpenVAS to DefectDojo. DefectDojo already has an integration for OpenVAS, but if that does not suffice, it might be good to open an issue at DefectDojo for OpenVAS integration. I don't know why it would be beneficial to add that to SCB.

Hi @STeXE89,

sorry for the long time to wait for an answer.

We investigated this topic and like @Stijn-FE already mentioned: It's not that easy. The TL;DR ist: We will not integrate OpenVAS into the secureCodeBox. A more detailed explanation you can find in our architecture decision record No. 19.

In our opinion it will be a better aproach to operate secureCodeBox and OpenVAS side-by-side and aggregate the findings in one DefectDojo.

If you need to trigger OpenVAS scans from the secureCodeBox (e.g. for found hosts or such), you may do this by writing a custom read hook which triggers OpenVAS by it's API. If you need support about how to write such a hook, feel free to reach us out in our Slack.