Ajout d'un pipeline Lighthouse

+ améliorations/corrections sur le pipeline d'audit W3AF

resources/com/cadoles/lighthouse/Dockerfile

@@ -0,0 +1,54 @@
+FROM golang:1.11.4 as envtpl
+
+ARG HTTP_PROXY=
+ARG HTTPS_PROXY=
+ARG http_proxy=
+ARG https_proxy=
+
+RUN apt-get update -y && apt-get install -y git
+
+RUN git clone https://github.com/subfuzion/envtpl /src \
+  && cd /src \
+  && git checkout v1.0.0 \
+  && CGO_ENABLED=0 GOOS=linux go build \
+    -ldflags "-X main.AppVersionMetadata=$(date -u +%s)" \
+    -a -installsuffix cgo -o ./bin/envtpl ./cmd/envtpl/.
+
+FROM alpine:3.10
+
+ARG HTTP_PROXY=
+ARG HTTPS_PROXY=
+ARG http_proxy=
+ARG https_proxy=
+
+COPY --from=envtpl /src/bin/envtpl /usr/local/bin/envtpl
+
+RUN apk add --no-cache \
+    nss \
+    freetype \
+    freetype-dev \
+    harfbuzz \
+    ca-certificates \
+    ttf-freefont \
+    nodejs \
+    npm \
+    chromium
+
+RUN npm install -g lighthouse
+
+RUN adduser -D lighthouse   
+
+COPY run-audit.sh /usr/local/bin/run-audit
+RUN chmod +x /usr/local/bin/run-audit
+
+COPY config.js.tmpl /home/lighthouse/config.js.tmpl
+
+WORKDIR /home/lighthouse
+
+RUN mkdir /home/lighthouse/reports
+
+RUN chown -R lighthouse: /home/lighthouse
+
+USER lighthouse
+
+CMD /usr/local/bin/run-audit

resources/com/cadoles/lighthouse/config.js.tmpl

@@ -0,0 +1,4 @@
+module.exports = {
+  extends: 'lighthouse:default',
+  settings: {},
+};

resources/com/cadoles/lighthouse/run-audit.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+envtpl -o config.js /home/lighthouse/config.js.tmpl
+
+mkdir -p reports
+rm -f reports/*
+
+cd reports
+
+lighthouse \
+    --no-enable-error-reporting \
+    --chrome-flags="--headless --disable-dev-shm-usage --no-sandbox --disable-gpu" \
+    --config=../config.js \
+    --output json --output html \
+    --output-path=lighthouse \
+    -- \
+    "$LIGHTHOUSE_URL"

resources/com/cadoles/w3af/Dockerfile

@@ -94,9 +94,17 @@ RUN git clone --depth=1 \
   && rm -rf /home/w3af/w3af/.git \
   && chown -R w3af /home/w3af/w3af
 
+COPY run-audit.sh /usr/local/bin/run-audit
+RUN chmod +x /usr/local/bin/run-audit
+
 USER w3af
 WORKDIR /home/w3af/w3af
 
 COPY audit.w3af.tmpl /home/w3af/w3af/audit.w3af.tmpl
 
+ENV HTTP_PROXY=
+ENV HTTPS_PROXY=
+ENV http_proxy=
+ENV https_proxy=
+
 CMD ["./w3af_console"]

resources/com/cadoles/w3af/audit.w3af.tmpl

@@ -4,7 +4,7 @@
 
 # Configure HTTP settings
 http-settings
-set timeout {{ default 10 .W3AF_TIMEOUT }}
+set timeout {{ default 60 .W3AF_TIMEOUT }}
 {{ if .W3AF_BASIC_AUTH_USERNAME }}
 set basic_auth_user {{ .W3AF_BASIC_AUTH_USERNAME }}
 set basic_auth_passwd {{ .W3AF_BASIC_AUTH_PASSWORD }}
@@ -41,15 +41,23 @@ back
 # Configure target authentication
 auth detailed
 auth config detailed
-set username {{ .W3AF_AUTH_FORM_USERNAME }}
-set password {{ .W3AF_AUTH_FORM_PASSWORD }}
+set username '{{ .W3AF_AUTH_FORM_USERNAME }}'
+set password '{{ .W3AF_AUTH_FORM_PASSWORD }}'
 set method POST
 set auth_url {{ .W3AF_AUTH_FORM_URL }}
-set username_field {{ default "username" .W3AF_AUTH_FORM_USERNAME_FIELD }}
-set password_field {{ default "password" .W3AF_AUTH_FORM_PASSWORD_FIELD }}
-set data_format {{ default "username=%U&password=%P" .W3AF_AUTH_FORM_DATA_FORMAT }}
+set username_field '{{ default "username" .W3AF_AUTH_FORM_USERNAME_FIELD }}'
+set password_field '{{ default "password" .W3AF_AUTH_FORM_PASSWORD_FIELD }}'
+set data_format '{{ default "%u=%U&%p=%P" .W3AF_AUTH_FORM_DATA_FORMAT }}'
 set check_url {{ .W3AF_AUTH_FORM_CHECK_URL }}
-set check_string '{{- default "connected" .W3AF_AUTH_FORM_CHECK_STRING -}}'
+set check_string '{{ default "connected" .W3AF_AUTH_FORM_CHECK_STRING }}'
+set follow_redirects True
+back
+{{end}}
+
+{{ if .W3AF_AUTH_LOGOUT_URL_REGEX }}
+crawl web_spider
+crawl config web_spider
+set ignore_regex {{ .W3AF_AUTH_LOGOUT_URL_REGEX }}
 back
 {{end}}
 

resources/com/cadoles/w3af/run-audit.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+mkdir -p reports
+rm -f reports/*
+envtpl -o audit.w3af /home/w3af/w3af/audit.w3af.tmpl
+/home/w3af/w3af/w3af_console -y -n -s audit.w3af