Add Qualys and latest ATC-Framework

backend/Dockerfile.pe

@@ -28,7 +28,7 @@ RUN ./aws/install
 # Sync the latest from cf-staging branch
 RUN git clone -b crossfeed-SQS https://github.com/cisagov/ATC-Framework.git && \
     cd ATC-Framework && \
-    git checkout a48a14ee7a42443b9458a8c1d7348204f2fe4db9 && \
+    git checkout 074fcaf4c4e3dd1cd2d71aeeab71319db3701c48 && \
     pip install .
 
 RUN python -m spacy download en_core_web_lg

backend/serverless.yml

@@ -154,6 +154,13 @@ resources:
         VisibilityTimeout: 18000  # 5 hours
         MaximumMessageSize: 262144  # 256 KB
         MessageRetentionPeriod: 604800  # 7 days
+    QualysQueue:
+      Type: AWS::SQS::Queue
+      Properties:
+        QueueName: ${self:provider.stage}-qualys-queue
+        VisibilityTimeout: 18000  # 5 hours
+        MaximumMessageSize: 262144  # 256 KB
+        MessageRetentionPeriod: 604800  # 7 days
 
 functions:
   - ${file(./src/tasks/functions.yml)}

backend/src/tasks/scanExecution.ts

@@ -11,7 +11,8 @@ const SCAN_LIST = [
   'cybersixgill',
   'shodan',
   'xpanse',
-  'asmSync'
+  'asmSync',
+  'qualys'
 ];
 
 if (process.env.IS_LOCAL) {
@@ -160,7 +161,9 @@ async function startLocalContainers(
           `PE_API_URL=${process.env.PE_API_URL}`,
           `PE_API_KEY=${process.env.PE_API_KEY}`,
           `CF_API_KEY=${process.env.CF_API_KEY}`,
-          `WHOIS_XML_KEY=${process.env.WHOIS_XML_KEY}`
+          `WHOIS_XML_KEY=${process.env.WHOIS_XML_KEY}`,
+          `QUALYS_USERNAME=${process.env.QUALYS_USERNAME}`,
+          `QUALYS_PASSWORD=${process.env.QUALYS_PASSWORD}`
         ]
       } as any);
       await container.start();
@@ -223,7 +226,7 @@ export const handler: Handler = async (event) => {
       await startDesiredTasks(scanType, desiredCount);
     } else {
       console.log(
-        'Shodan, ASMSync, DNSTwist, IntelX, Xpanse, and Cybersixgill are the only script types available right now. Must be all lowercase.'
+        'Shodan, Qualys, ASMSync, DNSTwist, IntelX, Xpanse, and Cybersixgill are the only script types available right now. Must be all lowercase.'
       );
     }
   } catch (error) {

backend/worker/generate_config.sh

@@ -44,6 +44,10 @@ api_key=${INTELX_API_KEY}
 api_key=${XPANSE_API_KEY}
 auth_id=${XPANSE_AUTH_ID}
 
+[was]
+username=${QUALYS_USERNAME}
+password=${QUALYS_PASSWORD}
+
 
 EOF
 

backend/worker/pe-worker-entry.sh

@@ -64,6 +64,8 @@ while true; do
     COMMAND="pe-source xpanse --org='$ORG'"
   elif [[ "$SERVICE_TYPE" = *"asmSync"* ]]; then
     COMMAND="pe-asm-sync asm-sqs --org='$ORG'"
+  elif [[ "$SERVICE_TYPE" = *"qualys"* ]]; then
+    COMMAND="pe-source was-findings-sync --org='$ORG'"
   else
     echo "Unsupported SERVICE_TYPE: $SERVICE_TYPE"
     break

dev.env.example

@@ -110,3 +110,5 @@ PE_FARGATE_CLUSTER_NAME=pe-staging-worker
 PE_FARGATE_TASK_DEFINITION_NAME=pe-staging-worker
 
 WHOIS_XML_KEY=change_me
+QUALYS_USERNAME=change_me
+QUALYS_PASSWORD=change_me

infrastructure/pe_worker.tf

@@ -164,6 +164,14 @@ resource "aws_ecs_task_definition" "pe_worker" {
       {
         "name": "WHOIS_XML_KEY",
         "valueFrom": "${data.aws_ssm_parameter.whoisxml_api_key.arn}"
+      },
+      {
+        "name": "QUALYS_USERNAME",
+        "valueFrom": "${data.aws_ssm_parameter.qualys_username.arn}"
+      },
+      {
+        "name": "QUALYS_PASSWORD",
+        "valueFrom": "${data.aws_ssm_parameter.qualys_password.arn}"
       }
     ]
   }

infrastructure/stage.tfvars

@@ -59,6 +59,8 @@ ssm_lg_workspace_name                = "/crossfeed/staging/LG_WORKSPACE_NAME"
 ssm_pe_api_key                       = "/crossfeed/staging/PE_API_KEY"
 ssm_cf_api_key                       = "/crossfeed/staging/CF_API_KEY"
 ssm_whoisxml_api_key                 = "/crossfeed/staging/WHOIS_XML_KEY"
+ssm_qualys_username                = "/crossfeed/staging/QUALYS_USERNAME"
+ssm_qualys_password                = "/crossfeed/staging/QUALYS_PASSWORD"
 db_group_name                        = "crossfeed-staging-db-group"
 worker_ecs_repository_name           = "crossfeed-staging-worker"
 worker_ecs_cluster_name              = "crossfeed-staging-worker"

infrastructure/vars.tf

@@ -333,6 +333,18 @@ variable "ssm_whoisxml_api_key" {
   default     = "/crossfeed/staging/WHOIS_XML_KEY"
 }
 
+variable "ssm_qualys_username" {
+  description = "ssm_qualys_username"
+  type        = string
+  default     = "/crossfeed/staging/QUALYS_USERNAME"
+}
+
+variable "ssm_qualys_password" {
+  description = "ssm_qualys_password"
+  type        = string
+  default     = "/crossfeed/staging/QUALYS_PASSWORD"
+}
+
 variable "ssm_xpanse_auth_id" {
   description = "ssm_xpanse_auth_id"
   type        = string

infrastructure/worker.tf

@@ -88,6 +88,8 @@ resource "aws_iam_role_policy" "worker_task_execution_role_policy" {
           "${data.aws_ssm_parameter.xpanse_api_key.arn}",
           "${data.aws_ssm_parameter.xpanse_auth_id.arn}",
           "${data.aws_ssm_parameter.whoisxml_api_key.arn}",
+          "${data.aws_ssm_parameter.qualys_username.arn}",
+          "${data.aws_ssm_parameter.qualys_password.arn}",
           "${data.aws_ssm_parameter.sixgill_client_secret.arn}",
           "${data.aws_ssm_parameter.lg_api_key.arn}",
           "${data.aws_ssm_parameter.lg_workspace_name.arn}",
@@ -389,6 +391,10 @@ data "aws_ssm_parameter" "xpanse_api_key" { name = var.ssm_xpanse_api_key }
 
 data "aws_ssm_parameter" "whoisxml_api_key" { name = var.ssm_whoisxml_api_key }
 
+data "aws_ssm_parameter" "qualys_username" { name = var.ssm_qualys_username}
+
+data "aws_ssm_parameter" "qualys_password" { name = var.ssm_qualys_password}
+
 data "aws_ssm_parameter" "xpanse_auth_id" { name = var.ssm_xpanse_auth_id }
 
 data "aws_ssm_parameter" "sixgill_client_secret" { name = var.ssm_sixgill_client_secret }