aikido-zen 0.1.1-arm64-linux → 1.0.0.pre.beta.1-arm64-linux

data/lib/aikido/zen/request/schema/auth_schemas.rb

@@ -18,6 +18,20 @@ module Aikido::Zen
         @schemas.map(&:as_json) unless @schemas.empty?
       end
 
+      def self.from_json(schemas_array)
+        return NONE if !schemas_array || schemas_array.empty?
+
+        AuthSchemas.new(schemas_array.map do |schema|
+          if schema[:type] == "http"
+            Authorization.new(schema[:scheme])
+          elsif schema[:type] == "apiKey"
+            ApiKey.new(schema[:in], schema[:name])
+          else
+            raise "Invalid schema type: #{schema[:type]}"
+          end
+        end)
+      end
+
       def ==(other)
         other.is_a?(self.class) && schemas == other.schemas
       end

data/lib/aikido/zen/request/schema/builder.rb

@@ -68,8 +68,6 @@ module Aikido::Zen
           new(type: "boolean")
         when String
           new(type: "string")
-        when Integer
-          new(type: "integer")
         when Numeric
           new(type: "number")
         when Array

data/lib/aikido/zen/request/schema/definition.rb

@@ -65,11 +65,6 @@ module Aikido::Zen
         in {type: _}, {type: "null"}
           new(definition.merge(optional: true))
 
-        # number | integer => number
-        in [{type: "integer"}, {type: "number"}] |
-           [{type: "number"}, {type: "integer"}]
-          new(definition.merge(other.definition).merge(type: "number"))
-
         # x | y => [x, y] if x != y
         else
           left_type, right_type = definition[:type], other.definition[:type]

data/lib/aikido/zen/request/schema.rb

@@ -48,6 +48,24 @@ module Aikido::Zen
       {body: body, query: query_schema.as_json, auth: auth_schema.as_json}.compact
     end
 
+    def self.from_json(data)
+      if data.empty?
+        return Request::Schema.new(
+          content_type: nil,
+          body_schema: EMPTY_SCHEMA,
+          query_schema: EMPTY_SCHEMA,
+          auth_schema: Aikido::Zen::Request::Schema::AuthSchemas.new([])
+        )
+      end
+
+      Request::Schema.new(
+        content_type: data[:body].nil? ? nil : data[:body][:type],
+        body_schema: data[:body].nil? ? EMPTY_SCHEMA : Aikido::Zen::Request::Schema::Definition.new(data[:body][:schema]),
+        query_schema: data[:query].nil? ? EMPTY_SCHEMA : Aikido::Zen::Request::Schema::Definition.new(data[:query]),
+        auth_schema: Aikido::Zen::Request::Schema::AuthSchemas.from_json(data[:auth])
+      )
+    end
+
     # Merges the request specification with another request's specification.
     #
     # @param other [Aikido::Zen::Request::Schema, nil]
@@ -56,9 +74,6 @@ module Aikido::Zen
       return self if other.nil?
 
       self.class.new(
-        # TODO: this is currently overriding the content type with the new
-        # value, but we should support APIs that accept input in many types
-        # (e.g. JSON and XML)
         content_type: other.content_type,
         body_schema: body_schema.merge(other.body_schema),
         query_schema: query_schema.merge(other.query_schema),

data/lib/aikido/zen/runtime_settings.rb

@@ -45,7 +45,7 @@ module Aikido::Zen
     # @param data [Hash] the decoded JSON payload from the /api/runtime/config
     #   API endpoint.
     #
-    # @return [void]
+    # @return [bool]
     def update_from_json(data)
       last_updated_at = updated_at
 
@@ -56,7 +56,7 @@ module Aikido::Zen
       self.skip_protection_for_ips = RuntimeSettings::IPSet.from_json(data["allowedIPAddresses"])
       self.received_any_stats = data["receivedAnyStats"]
 
-      Aikido::Zen.agent.updated_settings! if updated_at != last_updated_at
+      updated_at != last_updated_at
     end
   end
 end

data/lib/aikido/zen/scanners/path_traversal/helpers.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module Scanners
+    module PathTraversal
+      DANGEROUS_PATH_PARTS = ["../", "..\\"]
+      LINUX_ROOT_FOLDERS = [
+        "/bin/",
+        "/boot/",
+        "/dev/",
+        "/etc/",
+        "/home/",
+        "/init/",
+        "/lib/",
+        "/media/",
+        "/mnt/",
+        "/opt/",
+        "/proc/",
+        "/root/",
+        "/run/",
+        "/sbin/",
+        "/srv/",
+        "/sys/",
+        "/tmp/",
+        "/usr/",
+        "/var/"
+      ]
+
+      DANGEROUS_PATH_STARTS = LINUX_ROOT_FOLDERS + ["c:/", "c:\\"]
+
+      module Helpers
+        def self.contains_unsafe_path_parts(filepath)
+          DANGEROUS_PATH_PARTS.each do |dangerous_part|
+            return true if filepath.include?(dangerous_part)
+          end
+
+          false
+        end
+
+        def self.starts_with_unsafe_path(filepath, user_input)
+          # Check if path is relative (not absolute or drive letter path)
+          # Required because `expand_path` will build absolute paths from relative paths
+          return false if Pathname.new(filepath).relative? || Pathname.new(user_input).relative?
+
+          normalized_path = File.expand_path__internal_for_aikido_zen(filepath).downcase
+          normalized_user_input = File.expand_path__internal_for_aikido_zen(user_input).downcase
+
+          DANGEROUS_PATH_STARTS.each do |dangerous_start|
+            if normalized_path.start_with?(dangerous_start) && normalized_path.start_with?(normalized_user_input)
+              # If the user input is the same as the dangerous start, we don't want to flag it
+              # to prevent false positives.
+              # e.g., if user input is /etc/ and the path is /etc/passwd, we don't want to flag it,
+              # as long as the user input does not contain a subdirectory or filename
+              if user_input == dangerous_start || user_input == dangerous_start.chomp("/")
+                return false
+              end
+              return true
+            end
+          end
+          false
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/path_traversal_scanner.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require_relative "path_traversal/helpers"
+
+module Aikido::Zen
+  module Scanners
+    class PathTraversalScanner
+      def self.skips_on_nil_context?
+        true
+      end
+
+      # Checks if the user introduced input is trying to access other path using
+      # Path Traversal kind of attacks.
+      #
+      # @param filepath [String] the expanded path that is tried to be read
+      # @param context [Aikido::Zen::Context]
+      # @param sink [Aikido::Zen::Sink] the Sink that is running the scan.
+      # @param operation [Symbol, String] name of the method being scanned.
+      #
+      # @return [Aikido::Zen::Attacks::PathTraversalAttack, nil] an Attack if any
+      # user input is detected to be attempting a Path Traversal Attack, or +nil+ if not.
+      def self.call(filepath:, sink:, context:, operation:)
+        context.payloads.each do |payload|
+          next unless new(filepath, payload.value).attack?
+
+          return Attacks::PathTraversalAttack.new(
+            sink: sink,
+            input: payload,
+            filepath: filepath,
+            context: context,
+            operation: "#{sink.operation}.#{operation}"
+          )
+        end
+
+        nil
+      end
+
+      def initialize(filepath, input)
+        @filepath = filepath.downcase
+        @input = input.downcase
+      end
+
+      def attack?
+        # Single character are ignored because they don't pose a big threat
+        return false if @input.length <= 1
+
+        # We ignore cases where the user input is longer than the file path.
+        # Because the user input can't be part of the file path.
+        return false if @input.length > @filepath.length
+
+        # We ignore cases where the user input is not part of the file path.
+        return false unless @filepath.include?(@input)
+
+        if PathTraversal::Helpers.contains_unsafe_path_parts(@filepath) && PathTraversal::Helpers.contains_unsafe_path_parts(@input)
+          return true
+        end
+
+        # Check for absolute path traversal
+        PathTraversal::Helpers.starts_with_unsafe_path(@filepath, @input)
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/shell_injection/helpers.rb

@@ -0,0 +1,159 @@
+# frozen_string_literal: true
+
+module Aikido::Zen::Scanners::ShellInjection
+  module Helpers
+    ESCAPE_CHARS = %W[' "]
+    DANGEROUS_CHARS_INSIDE_DOUBLE_QUOTES = %W[$ ` \\ !]
+    DANGEROUS_CHARS = [
+      "#", "!", '"', "$", "&", "'", "(", ")", "*", ";", "<", "=", ">", "?",
+      "[", "\\", "]", "^", "`", "{", "|", "}", " ", "\n", "\t", "~"
+    ]
+
+    COMMANDS = %w[sleep shutdown reboot poweroff halt ifconfig chmod chown ping
+      ssh scp curl wget telnet kill killall rm mv cp touch echo cat head
+      tail grep find awk sed sort uniq wc ls env ps who whoami id w df du
+      pwd uname hostname netstat passwd arch printenv logname pstree hostnamectl
+      set lsattr killall5 dmesg history free uptime finger top shopt :]
+
+    PATH_PREFIXES = %w[/bin/ /sbin/ /usr/bin/ /usr/sbin/ /usr/local/bin/ /usr/local/sbin/]
+
+    SEPARATORS = [" ", "\t", "\n", ";", "&", "|", "(", ")", "<", ">"]
+
+    # @param command [string]
+    # @param user_input [string]
+    def self.is_safely_encapsulated(command, user_input)
+      segments = command.split(user_input)
+
+      # The next condition is merely here to be compliant with what javascript does when splitting strings:
+      # From js doc https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/split
+      #   > If separator appears at the beginning (or end) of the string, it still has the effect of splitting,
+      #   > resulting in an empty (i.e. zero length) string appearing at the first (or last) position of
+      #   > the returned array.
+      # This is necessary because this code is ported form the firewall-node code.
+      if user_input.length > 1
+        if command.start_with? user_input
+          segments.unshift ""
+        end
+
+        if command.end_with? user_input
+          segments << ""
+        end
+      end
+
+      # Call the helper function to get current and next segments
+      get_current_and_next_segments(segments).all? do |segments_pair|
+        char_before_user_input = segments_pair[:current_segment][-1]
+        char_after_user_input = segments_pair[:next_segment][0]
+
+        # Check if the character before is an escape character
+        is_escape_char = ESCAPE_CHARS.include?(char_before_user_input)
+
+        unless is_escape_char
+          next false
+        end
+
+        # If characters before and after the user input do not match, return false
+        next false if char_before_user_input != char_after_user_input
+
+        # If user input contains the escape character, return false
+        next false if user_input.include?(char_before_user_input)
+
+        # Handle dangerous characters inside double quotes
+        if char_before_user_input == '"' && DANGEROUS_CHARS_INSIDE_DOUBLE_QUOTES.any? { |char| user_input.include?(char) }
+          next false
+        end
+
+        next true
+      end
+    end
+
+    def self.get_current_and_next_segments(segments)
+      segments.each_cons(2).map { |current_segment, next_segment| {current_segment: current_segment, next_segment: next_segment} }
+    end
+
+    # Helper function for sorting commands by length (longer commands first)
+    def self.by_length(a, b)
+      b.length - a.length
+    end
+
+    # Escape characters with special meaning either inside or outside character sets.
+    # Use a simple backslash escape when it’s always valid, and a `\xnn` escape when the simpler
+    # form would be disallowed by Unicode patterns’ stricter grammar.
+    #
+    # Inspired by https://github.com/sindresorhus/escape-string-regexp/
+    def self.escape_string_regexp(string)
+      string.gsub(/[|\\{}()\[\]^$+*?.]/) { "\\#{$&}" }.gsub("-", '\\x2d')
+    end
+
+    # Construct the regex for commands
+    COMMANDS_REGEX = Regexp.new(
+      "([/.]*((#{PATH_PREFIXES.map { |p| Helpers.escape_string_regexp(p) }.join("|")})?((#{COMMANDS.sort(&method(:by_length)).join("|")}))))",
+      Regexp::IGNORECASE
+    )
+
+    def self.contains_shell_syntax(command, user_input)
+      # Check if input is only whitespace
+      return false if user_input.strip.empty?
+
+      # Check if the user input contains any dangerous characters
+      if DANGEROUS_CHARS.any? { |c| user_input.include?(c) }
+        return true
+      end
+
+      # If the command is exactly the same as the user input, check if it matches the regex
+      if command == user_input
+        return match_all(command, COMMANDS_REGEX).any? do |match|
+          match[:match].length == command.length && match[:match] == command
+        end
+      end
+
+      # Check if the command contains a commonly used command
+      match_all(command, COMMANDS_REGEX).each do |match|
+        # We found a command like `rm` or `/sbin/shutdown` in the command
+        # Check if the command is the same as the user input
+        # If it's not the same, continue searching
+        next if user_input != match[:match]
+
+        # Otherwise, we'll check if the command is surrounded by separators
+        # These separators are used to separate commands and arguments
+        # e.g. `rm<space>-rf`
+        # e.g. `ls<newline>whoami`
+        # e.g. `echo<tab>hello` Check if the command is surrounded by separators
+        char_before = if match[:index] - 1 < 0
+          nil
+        else
+          command[match[:index] - 1]
+        end
+
+        char_after = if match[:index] + match[:match].length >= command.length
+          nil
+        else
+          command[match[:index] + match[:match].length]
+        end
+
+        # e.g. `<separator>rm<separator>`
+        if SEPARATORS.include?(char_before) && SEPARATORS.include?(char_after)
+          return true
+        end
+
+        # e.g. `<separator>rm`
+        if SEPARATORS.include?(char_before) && char_after.nil?
+          return true
+        end
+
+        # e.g. `rm<separator>`
+        if char_before.nil? && SEPARATORS.include?(char_after)
+          return true
+        end
+      end
+
+      false
+    end
+
+    def self.match_all(string, regex)
+      string.enum_for(:scan, regex).map do |match|
+        {match: match[0], index: $~.begin(0)}
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/shell_injection_scanner.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require_relative "shell_injection/helpers"
+
+module Aikido::Zen
+  module Scanners
+    class ShellInjectionScanner
+      def self.skips_on_nil_context?
+        true
+      end
+
+      # @param command [String]
+      # @param sink [Aikido::Zen::Sink]
+      # @param context [Aikido::Zen::Context]
+      # @param operation [Symbol, String]
+      #
+      def self.call(command:, sink:, context:, operation:)
+        context.payloads.each do |payload|
+          next unless new(command, payload.value).attack?
+
+          return Attacks::ShellInjectionAttack.new(
+            sink: sink,
+            input: payload,
+            command: command,
+            context: context,
+            operation: "#{sink.operation}.#{operation}"
+          )
+        end
+
+        nil
+      end
+
+      # @param command [String]
+      # @param input [String]
+      def initialize(command, input)
+        @command = command
+        @input = input
+      end
+
+      def attack?
+        # Block single ~ character. For example `echo ~`
+        if @input == "~"
+          if @command.size > 1 && @command.include?("~")
+            return true
+          end
+        end
+
+        # we ignore single character since they don't pose a big threat.
+        # They are only able to crash the shell, not execute arbitraty commands.
+        return false if @input.size <= 1
+
+        # We ignore cases where the user input is longer than the command because
+        # the user input can't be part of the command
+        return false if @input.size > @command.size
+
+        return false unless @command.include?(@input)
+
+        return false if ShellInjection::Helpers.is_safely_encapsulated @command, @input
+
+        ShellInjection::Helpers.contains_shell_syntax @command, @input
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/sql_injection_scanner.rb

@@ -6,6 +6,10 @@ require_relative "../internals"
 module Aikido::Zen
   module Scanners
     class SQLInjectionScanner
+      def self.skips_on_nil_context?
+        true
+      end
+
       # Checks if the given SQL query may have dangerous user input injected,
       # and returns an Attack if so, based on the current request.
       #
@@ -22,12 +26,6 @@ module Aikido::Zen
       # @raise [Aikido::Zen::InternalsError] if an error occurs when loading or
       #   calling zenlib. See Sink#scan.
       def self.call(query:, dialect:, sink:, context:, operation:)
-        # FIXME: This assumes queries executed outside of an HTTP request are
-        # safe, but this is not the case. For example, if an HTTP request
-        # enqueues a background job, passing user input verbatim, the job might
-        # pass that input to a query without having a current request in scope.
-        return if context.nil?
-
         dialect = DIALECTS.fetch(dialect) do
           Aikido::Zen.config.logger.warn "Unknown SQL dialect #{dialect.inspect}"
           DIALECTS[:common]

data/lib/aikido/zen/scanners/ssrf/private_ip_checker.rb

@@ -31,35 +31,47 @@ module Aikido::Zen
         # @return [Boolean]
         def private?(hostname_or_address)
           resolve(hostname_or_address).any? do |ip|
-            ip.loopback? || ip.private? || RFC5735.any? { |range| range === ip }
+            PRIVATE_RANGES.any? { |range| range === ip }
           end
         end
 
         private
 
-        RFC5735 = [
-          IPAddr.new("0.0.0.0/8"),
-          IPAddr.new("100.64.0.0/10"),
-          IPAddr.new("127.0.0.0/8"),
-          IPAddr.new("169.254.0.0/16"),
-          IPAddr.new("192.0.0.0/24"),
-          IPAddr.new("192.0.2.0/24"),
-          IPAddr.new("192.31.196.0/24"),
-          IPAddr.new("192.52.193.0/24"),
-          IPAddr.new("192.88.99.0/24"),
-          IPAddr.new("192.175.48.0/24"),
-          IPAddr.new("198.18.0.0/15"),
-          IPAddr.new("198.51.100.0/24"),
-          IPAddr.new("203.0.113.0/24"),
-          IPAddr.new("240.0.0.0/4"),
-          IPAddr.new("224.0.0.0/4"),
-          IPAddr.new("255.255.255.255/32"),
+        # Source: https://github.com/AikidoSec/firewall-node/blob/main/library/vulnerabilities/ssrf/isPrivateIP.ts
+        PRIVATE_IPV4_RANGES = [
+          IPAddr.new("0.0.0.0/8"),         # "This" network (RFC 1122)
+          IPAddr.new("10.0.0.0/8"),        # Private-Use Networks (RFC 1918)
+          IPAddr.new("100.64.0.0/10"),     # Shared Address Space (RFC 6598)
+          IPAddr.new("127.0.0.0/8"),       # Loopback (RFC 1122)
+          IPAddr.new("169.254.0.0/16"),    # Link Local (RFC 3927)
+          IPAddr.new("172.16.0.0/12"),     # Private-Use Networks (RFC 1918)
+          IPAddr.new("192.0.0.0/24"),      # IETF Protocol Assignments (RFC 5736)
+          IPAddr.new("192.0.2.0/24"),      # TEST-NET-1 (RFC 5737)
+          IPAddr.new("192.31.196.0/24"),   # AS112 Redirection Anycast (RFC 7535)
+          IPAddr.new("192.52.193.0/24"),   # Automatic Multicast Tunneling (RFC 7450)
+          IPAddr.new("192.88.99.0/24"),    # 6to4 Relay Anycast (RFC 3068)
+          IPAddr.new("192.168.0.0/16"),    # Private-Use Networks (RFC 1918)
+          IPAddr.new("192.175.48.0/24"),   # AS112 Redirection Anycast (RFC 7535)
+          IPAddr.new("198.18.0.0/15"),     # Network Interconnect Device Benchmark Testing (RFC 2544)
+          IPAddr.new("198.51.100.0/24"),   # TEST-NET-2 (RFC 5737)
+          IPAddr.new("203.0.113.0/24"),    # TEST-NET-3 (RFC 5737)
+          IPAddr.new("224.0.0.0/4"),       # Multicast (RFC 3171)
+          IPAddr.new("240.0.0.0/4"),       # Reserved for Future Use (RFC 1112)
+          IPAddr.new("255.255.255.255/32") # Limited Broadcast (RFC 919)
+        ]
 
-          IPAddr.new("::/128"),              # Unspecified address
-          IPAddr.new("fe80::/10"),           # Link-local address (LLA)
-          IPAddr.new("::ffff:127.0.0.1/128") # IPv4-mapped address
+        PRIVATE_IPV6_RANGES = [
+          IPAddr.new("::/128"),            # Unspecified address (RFC 4291)
+          IPAddr.new("::1/128"),           # Loopback address (RFC 4291)
+          IPAddr.new("fc00::/7"),          # Unique local address (ULA) (RFC 4193
+          IPAddr.new("fe80::/10"),         # Link-local address (LLA) (RFC 4291)
+          IPAddr.new("100::/64"),          # Discard prefix (RFC 6666)
+          IPAddr.new("2001:db8::/32"),     # Documentation prefix (RFC 3849)
+          IPAddr.new("3fff::/20")          # Documentation prefix (RFC 9637)
         ]
 
+        PRIVATE_RANGES = PRIVATE_IPV4_RANGES + PRIVATE_IPV6_RANGES + PRIVATE_IPV4_RANGES.map(&:ipv4_mapped)
+
         def resolved_in_current_context
           context = Aikido::Zen.current_context
           context && context["dns.lookups"]

data/lib/aikido/zen/scanners/ssrf_scanner.rb

@@ -6,6 +6,12 @@ require_relative "ssrf/dns_lookups"
 module Aikido::Zen
   module Scanners
     class SSRFScanner
+      # SSRF attacks can be triggered through external inputs, so it is essential
+      # to have a valid context to safeguard against these attacks.
+      def self.skips_on_nil_context?
+        true
+      end
+
       # Checks if an outbound HTTP request is to a hostname supplied from user
       # input that resolves to a "dangerous" address. This is called from two
       # different places:
@@ -32,7 +38,6 @@ module Aikido::Zen
       # @return [Aikido::Zen::Attacks::SSRFAttack, nil] an Attack if any user
       #   input is detected to be attempting SSRF, or +nil+ if not.
       def self.call(request:, sink:, context:, operation:, **)
-        return if context.nil?
         return if request.nil? # See NOTE above.
 
         context["ssrf.redirects"] ||= RedirectChains.new
@@ -228,11 +233,11 @@ module Aikido::Zen
       # @api private
       class RedirectChains
         def initialize
-          @redirects = {}
+          @redirects = Hash.new { |h, k| h[k] = [] }
         end
 
         def add(source:, destination:)
-          @redirects[destination] = source
+          @redirects[destination].push(source)
           self
         end
 
@@ -242,11 +247,14 @@ module Aikido::Zen
         #
         # @param uri [URI]
         # @return [URI, nil]
-        def origin(uri)
-          source = @redirects[uri]
+        def origin(uri, visited = Set.new)
+          source = @redirects[uri].first
+
+          return source if visited.include?(source)
+          visited << source
 
-          if @redirects[source]
-            origin(source)
+          if !@redirects[source].empty?
+            origin(source, visited)
           else
             source
           end

data/lib/aikido/zen/scanners/stored_ssrf_scanner.rb

@@ -5,6 +5,12 @@ module Aikido::Zen
     # Inspects the result of DNS lookups, to determine if we're being the target
     # of a stored SSRF targeting IMDS addresses (169.254.169.254).
     class StoredSSRFScanner
+      # Stored-SSRF can occur without external input, so we do not require a
+      # context to determine if an attack is happening.
+      def self.skips_on_nil_context?
+        false
+      end
+
       def self.call(hostname:, addresses:, operation:, sink:, context:, **opts)
         offending_address = new(hostname, addresses).attack?
         return if offending_address.nil?

data/lib/aikido/zen/scanners.rb

@@ -3,3 +3,5 @@
 require_relative "scanners/sql_injection_scanner"
 require_relative "scanners/stored_ssrf_scanner"
 require_relative "scanners/ssrf_scanner"
+require_relative "scanners/path_traversal_scanner"
+require_relative "scanners/shell_injection_scanner"

data/lib/aikido/zen/sink.rb

@@ -84,11 +84,16 @@ module Aikido::Zen
 
       scan = Scan.new(sink: self, context: context)
 
+      scans_performed = 0
       scan.perform do
         result = nil
 
         scanners.each do |scanner|
+          next if scanner.skips_on_nil_context? && context.nil?
+
           result = scanner.call(sink: self, context: context, **scan_params)
+          scans_performed += 1
+
           break result if result
         rescue Aikido::Zen::InternalsError => error
           Aikido::Zen.config.logger.warn(error.message)
@@ -100,7 +105,7 @@ module Aikido::Zen
         result
       end
 
-      @reporter.call(scan)
+      @reporter.call(scan) if scans_performed > 0
 
       scan
     end