Run active checks in parallel
Problem
Each active check contains different attacks, and each attack results in an HTTP request made to the target web server. These attacks should be run in parallel so that scans run in a timely manner.
The issue Run active attacks in parallel (#389048 - closed) introduced a parallel strategy where active checks are run sequentially and the attacks within a check are run in parallel. This causes non-determinism in scans because attacks stop running as soon as one is successful. Because the attacks run in parallel, if more than one of them would result in a finding, the scan is not guaranteed to always create the same finding.
Proposal
At the moment, active checks are run sequentially and attacks within each check are run in parallel. This issue proposes to change the strategy to run active checks in parallel, and within each check run attacks sequentially.
This solves the non-determinism that occurs within an active check. This strategy may need to be revisited when timing attacks are introduced.
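The proposed strategy as an added example (not the scanner's own code): checks run concurrently, while each check runs its attacks in declared order and stops at the first finding. The names `Attack`, `Check`, `simulated`, `runCheck` and `RunChecks` are hypothetical, and attacks are simulated with sleeps instead of HTTP requests.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Attack and Check are hypothetical types for this example, not the scanner's own.
type Attack struct{ Name string; Run func() bool } // Run reports whether a finding was produced
type Check struct{ Name string; Attacks []Attack }

// simulated builds a constructed attack: it sleeps instead of sending a request.
func simulated(name string, delay time.Duration, hit bool) Attack {
	return Attack{name, func() bool { time.Sleep(delay); return hit }}
}

// runCheck runs attacks in declared order and stops at the first finding,
// so the reported attack never depends on which response arrives first.
func runCheck(c Check) string {
	for _, a := range c.Attacks {
		if a.Run() {
			return c.Name + "/" + a.Name
		}
	}
	return ""
}

// RunChecks runs checks concurrently, at most workers at a time. Each goroutine
// writes only its own slot, so the result order matches the input order.
func RunChecks(checks []Check, workers int) []string {
	findings := make([]string, len(checks))
	sem := make(chan struct{}, workers)
	var wg sync.WaitGroup
	for i, c := range checks {
		wg.Add(1)
		sem <- struct{}{} // blocks while all worker slots are busy
		go func(i int, c Check) {
			defer func() { <-sem; wg.Done() }()
			findings[i] = runCheck(c)
		}(i, c)
	}
	wg.Wait()
	return findings
}

func main() {
	slow, fast := simulated("slow", 20*time.Millisecond, true), simulated("fast", time.Millisecond, true)
	fmt.Println(RunChecks([]Check{{"check-a", []Attack{slow, fast}}}, 4))
}
```

With attacks run in parallel inside a check, the faster of two successful attacks would win the race; here the first declared one is always reported.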
Implementation plan
- Make sure that iterating HTTP messages can be safely done in parallel
- Change the active check service to use RelatedTasks to run the checks in parallel
- Update the active check RelatedTask to run sequentially
- Update the end-to-end test 7/8 CI job to include the 74-1 end-to-end test; this should now be deterministic