Error: Unable to scan Github in accordance with the instructions in the included docs. #1546

Open
dsk-imgw opened this issue Feb 10, 2023 · 0 comments

Since I could not find any issues related to GitHub scan errors, I'd like to post this issue.

It may be necessary to modify some source code and documents in order to scan GitHub properly.
The procedure to reproduce the errors and my fix are shown below. (Because I'm not a professional software developer, I don't know if my fix is appropriate.)


[My Environment]

OS: Ubuntu 22.04.1 x86_64
NodeJS: 18.14.0-deb-1nodesource1
node -v => 18.14.0
npm -v => 9.3.1
Cloud Sploit: 2.0.0


[Procedures]

(1) Download the source code "cloudsploit-2.0.0.tar.gz", expand it and build it. Configure config.js in accordance with docs/github.md and run cloudsploit. Stopped with errors!

owner@ubuntu220401:~/cloudsploit-2.0.0.work$ node ./index.js --config=./config.js

   _____ _                 _  _____       _       _ _   
  / ____| |               | |/ ____|     | |     (_) |  
 | |    | | ___  _   _  __| | (___  _ __ | | ___  _| |_ 
 | |    | |/ _ \| | | |/ _` |\___ \| '_ \| |/ _ \| | __|
 | |____| | (_) | |_| | (_| |____) | |_) | | (_) | | |_ 
  \_____|_|\___/ \__,_|\__,_|_____/| .__/|_|\___/|_|\__|
                                   | |                  
                                   |_|                  

  CloudSploit by Aqua Security, Ltd.
  Cloud security auditing for AWS, Azure, GCP, Oracle, and GitHub

INFO: Using CloudSploit config file: ./config.js
INFO: Skipping AWS pagination mode
INFO: Determining API calls to make...
DEBUG: Skipping GitHub plugin Public Keys Rotated because it is not for User accounts
DEBUG: Skipping GitHub plugin GPG Keys Rotated because it is not for User accounts
DEBUG: Skipping GitHub plugin User MFA Enabled because it is not for User accounts
DEBUG: Skipping GitHub plugin User Private Emails because it is not for User accounts
INFO: Found 6 API calls to make for github plugins
INFO: Collecting metadata. This may take several minutes...
/home/owner/cloudsploit-2.0.0.work/collectors/github/collector.js:110
    const app = new Octoapp(appConfig);
                ^

TypeError: Octoapp is not a constructor
    at collect (/home/owner/cloudsploit-2.0.0.work/collectors/github/collector.js:110:17)
    at engine (/home/owner/cloudsploit-2.0.0.work/engine.js:95:5)
    at Object.<anonymous> (/home/owner/cloudsploit-2.0.0.work/index.js:204:1)
    at Module._compile (node:internal/modules/cjs/loader:1226:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1280:10)
    at Module.load (node:internal/modules/cjs/loader:1089:32)
    at Module._load (node:internal/modules/cjs/loader:930:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
    at node:internal/main/run_main_module:23:47

Node.js v18.14.0
owner@ubuntu220401:~/cloudsploit-2.0.0.work$ 

(2) Edit index.js in "@octokit/app" module to fix TypeError.

owner@ubuntu220401:~/cloudsploit-2.0.0.work$ vi ./node_modules/@octokit/app/dist-node/index.js

exports.App = App;

===>

module.exports = App;

(3) Re-run cloudsploit. Stopped with errors!

owner@ubuntu220401:~/cloudsploit-2.0.0.work$ node ./index.js --config=./config.js

   _____ _                 _  _____       _       _ _   
  / ____| |               | |/ ____|     | |     (_) |  
 | |    | | ___  _   _  __| | (___  _ __ | | ___  _| |_ 
 | |    | |/ _ \| | | |/ _` |\___ \| '_ \| |/ _ \| | __|
 | |____| | (_) | |_| | (_| |____) | |_) | | (_) | | |_ 
  \_____|_|\___/ \__,_|\__,_|_____/| .__/|_|\___/|_|\__|
                                   | |                  
                                   |_|                  

  CloudSploit by Aqua Security, Ltd.
  Cloud security auditing for AWS, Azure, GCP, Oracle, and GitHub

INFO: Using CloudSploit config file: ./config.js
INFO: Skipping AWS pagination mode
INFO: Determining API calls to make...
DEBUG: Skipping GitHub plugin Public Keys Rotated because it is not for User accounts
DEBUG: Skipping GitHub plugin GPG Keys Rotated because it is not for User accounts
DEBUG: Skipping GitHub plugin User MFA Enabled because it is not for User accounts
DEBUG: Skipping GitHub plugin User Private Emails because it is not for User accounts
INFO: Found 6 API calls to make for github plugins
INFO: Collecting metadata. This may take several minutes...
/home/owner/cloudsploit-2.0.0.work/node_modules/jsonwebtoken/sign.js:103
    throw err;
    ^

Error: secretOrPrivateKey must have a value
    at module.exports [as sign] (/home/owner/cloudsploit-2.0.0.work/node_modules/jsonwebtoken/sign.js:107:20)
    at getSignedJsonWebToken (/home/owner/cloudsploit-2.0.0.work/node_modules/@octokit/app/dist-node/index.js:31:30)
    at collect (/home/owner/cloudsploit-2.0.0.work/collectors/github/collector.js:111:21)
    at engine (/home/owner/cloudsploit-2.0.0.work/engine.js:95:5)
    at Object.<anonymous> (/home/owner/cloudsploit-2.0.0.work/index.js:204:1)
    at Module._compile (node:internal/modules/cjs/loader:1226:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1280:10)
    at Module.load (node:internal/modules/cjs/loader:1089:32)
    at Module._load (node:internal/modules/cjs/loader:930:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)

Node.js v18.14.0
owner@ubuntu220401:~/cloudsploit-2.0.0.work$ 

(4) In order to fix the "secretOrPrivateKey" error (caused by the GitHub App ID and private key not being read in), edit index.js to add "application_id" and "private_key" to cloudConfig, aligned with the variable "appConfig" in collector/github/collector.js.

owner@ubuntu220401:~/cloudsploit-2.0.0.work$ vi index.js

    cloudConfig = {
        token: config.credentials.github.token,
        url: config.credentials.github.url,
        organization: config.credentials.github.organization,
        login: config.credentials.github.login
    };

===>

    cloudConfig = {
        token: config.credentials.github.token,
        url: config.credentials.github.url,
        organization: config.credentials.github.organization,
        login: config.credentials.github.login,
        application_id: config.credentials.github.appid,
        private_key: config.credentials.github.privatekey
    };

(5) Edit config_example.js.

owner@ubuntu220401:~/cloudsploit-2.0.0.work$ vi config_example.js

    github: {
        // OPTION 1: If using a credential JSON file, enter the path below
        // credential_file: '/path/to/file.json',
        // OPTION 2: If using hard-coded credentials, enter them below
        // token: process.env.GITHUB_TOKEN || '',
        // url: process.env.GITHUB_URL || 'https://api.github.com',
        // login: process.env.GITHUB_LOGIN || 'myusername',
        // organization: process.env.GITHUB_ORG || false
    }

===>

    github: {
        // OPTION 1: If using a credential JSON file, enter the path below
        // credential_file: '/path/to/file.json',
        // OPTION 2: If using hard-coded credentials, enter them below
        // token: process.env.GITHUB_TOKEN || '',
        // url: process.env.GITHUB_URL || 'https://api.github.com',
        // login: process.env.GITHUB_LOGIN || 'myusername',
        // organization: process.env.GITHUB_ORG || false,
        // appid: process.env.GITHUB_APPID || '',
        // privatekey: process.env.GITHUB_PRIVATEKEY || "-----BEGIN RSA PRIVATE KEY-----\n..."
    }

(6) In GitHub, create a GitHub App and install it. Do not forget to obtain the "App ID" and "private key". A "Personal Access Token" is not necessary.

(7) Copy config_example.js to config.js, and edit config.js to set the proper values. The value of "token" does not seem to be used by cloudsploit, so it is not required.

(8) Re-run cloudsploit. Success!

owner@ubuntu220401:~/cloudsploit-2.0.0.work$ node ./index.js --config=./config.js

   _____ _                 _  _____       _       _ _   
  / ____| |               | |/ ____|     | |     (_) |  
 | |    | | ___  _   _  __| | (___  _ __ | | ___  _| |_ 
 | |    | |/ _ \| | | |/ _` |\___ \| '_ \| |/ _ \| | __|
 | |____| | (_) | |_| | (_| |____) | |_) | | (_) | | |_ 
  \_____|_|\___/ \__,_|\__,_|_____/| .__/|_|\___/|_|\__|
                                   | |                  
                                   |_|                  

  CloudSploit by Aqua Security, Ltd.
  Cloud security auditing for AWS, Azure, GCP, Oracle, and GitHub

INFO: Using CloudSploit config file: ./config.js
INFO: Skipping AWS pagination mode
INFO: Determining API calls to make...
DEBUG: Skipping GitHub plugin Public Keys Rotated because it is not for User accounts
DEBUG: Skipping GitHub plugin GPG Keys Rotated because it is not for User accounts
DEBUG: Skipping GitHub plugin User MFA Enabled because it is not for User accounts
DEBUG: Skipping GitHub plugin User Private Emails because it is not for User accounts
INFO: Found 6 API calls to make for github plugins
INFO: Collecting metadata. This may take several minutes...
[@octokit/rest] `const Octokit = require("@octokit/rest")` is deprecated. Use `const { Octokit } = require("@octokit/rest")` instead
[@octokit/rest] `const Octokit = require("@octokit/rest")` is deprecated. Use `const { Octokit } = require("@octokit/rest")` instead
INFO: Metadata collection complete. Analyzing...
INFO: Analysis complete. Scan report to follow...

  Category | Plugin                 | Description                                                                            | Resource | Region | Status  | Message
  ---------+------------------------+----------------------------------------------------------------------------------------+----------+--------+---------+------------------------------------------------------------------------
  Orgs     | Org Plan Limit         | Checks that the number of seats is not close to the limit of available licensed seats. | N/A      | global | UNKNOWN | Unable to query for organization plan information: HttpError:404
  Orgs     | Org Default Permission | Checks the default permission given to new users added to an organization.             | N/A      | global | UNKNOWN | Unable to query for organization permission information: HttpError:404
  Orgs     | Org MFA Required       | Checks whether multi-factor authentication is required at the org-level.               | N/A      | global | UNKNOWN | Unable to query for organization MFA information: HttpError:404
 ...snip...
INFO: Scan complete
owner@ubuntu220401:~/cloudsploit-2.0.0.work$ 

(9) Optionally, edit collector/github/collector.js to suppress the deprecation warnings from "@octokit/rest".

var Octokit = require('@octokit/rest');

===>

var { Octokit } = require('@octokit/rest');