From 1d3a114e5712a9b6d7e1bad0f53c27ef42dfb847 Mon Sep 17 00:00:00 2001
From: Kristian Rosland
Date: Thu, 29 Feb 2024 14:58:52 +0100
Subject: [PATCH] =?UTF-8?q?Legg=20til=20en=20limit=20for=20s=C3=A5rbarhets?= =?UTF-8?q?varsling=20p=C3=A5=20slack?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Eks. kun varsle ved CRITICAL sårbarheter.
---
 .../kotlin/no/digipost/github/monitoring/Domain.kt | 5 +++--
 .../no/digipost/github/monitoring/GithubGraphql.kt | 3 ++-
 src/main/kotlin/no/digipost/github/monitoring/Main.kt | 10 ++++++----
 .../no/digipost/github/monitoring/SlackClient.kt | 2 +-
 4 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/src/main/kotlin/no/digipost/github/monitoring/Domain.kt b/src/main/kotlin/no/digipost/github/monitoring/Domain.kt
index d0dca19..945abac 100644
--- a/src/main/kotlin/no/digipost/github/monitoring/Domain.kt
+++ b/src/main/kotlin/no/digipost/github/monitoring/Domain.kt
@@ -1,4 +1,5 @@
 package no.digipost.github.monitoring
+import com.github.graphql.client.type.SecurityAdvisorySeverity
 import com.google.gson.annotations.SerializedName
 import java.time.ZonedDateTime
@@ -15,7 +16,7 @@ data class Repository(
 ${this.owner}/${this.name} - ${this.language} Antall sårbarheter: ${this.vulnerabilities.size} ${this.vulnerabilities.map { """Package: ${it.packageName}
- Severity: ${it.severity}
+ Severity: ${it.severity.name}
 Score: ${it.score} / 10 CVE: ${it.CVE} """ }.joinToString("\n")}
@@ -25,7 +26,7 @@ Antall sårbarheter: ${this.vulnerabilities.size}
 }
 data class Vulnerability(
- var severity: String,
+ var severity: SecurityAdvisorySeverity,
 var createdAt: String,
 var packageName: String,
 var score: Double,
diff --git a/src/main/kotlin/no/digipost/github/monitoring/GithubGraphql.kt b/src/main/kotlin/no/digipost/github/monitoring/GithubGraphql.kt
index c114fbe..be73636 100644
--- a/src/main/kotlin/no/digipost/github/monitoring/GithubGraphql.kt
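Review bot: In the `@@ -25,7 +26,7 @@` hunk, `Vulnerability` now depends on the Apollo-generated `SecurityAdvisorySeverity`, which pulls the GraphQL client's schema snapshot — including, if it follows Apollo's usual generated shape, an `UNKNOWN__` fallback constant and a declaration order the project does not control — into the domain model that `publish` later compares by `ordinal`. A small project-owned enum with an explicit rank, mapped once where the alert is read in GithubGraphql.kt, would keep that ordering in the project's hands and leave the domain independent of the client code generator. While the field is being touched, `val severity: SecurityAdvisorySeverity,` suits a data class better than `var`, as nothing in the visible hunks reassigns it. The rest of the class sits outside the hunk.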
+++ b/src/main/kotlin/no/digipost/github/monitoring/GithubGraphql.kt
@@ -107,7 +107,7 @@ private suspend fun getVulnerabilitiesForRepo(
 val vulnerabilities = vulnerabilityAlerts.mapNotNull {
 it?.let {
 Vulnerability(
- it.securityVulnerability!!.severity.name,
+ it.securityVulnerability!!.severity,
 it.createdAt.toString().substring(0, 10),
 it.securityVulnerability.`package`.name,
 it.securityVulnerability.advisory.cvss.score,
@@ -159,3 +159,4 @@ private suspend fun listRepos(apolloClient: ApolloClient, repositoryChannel: Cha
 cursor = response.data?.viewer?.repositories?.pageInfo?.endCursor
 }
 }
+
diff --git a/src/main/kotlin/no/digipost/github/monitoring/Main.kt b/src/main/kotlin/no/digipost/github/monitoring/Main.kt
index 936766c..a01ca55 100644
--- a/src/main/kotlin/no/digipost/github/monitoring/Main.kt
+++ b/src/main/kotlin/no/digipost/github/monitoring/Main.kt
@@ -2,6 +2,7 @@ package no.digipost.github.monitoring
 import com.apollographql.apollo3.ApolloClient
 import com.apollographql.apollo3.api.http.HttpHeader
+import com.github.graphql.client.type.SecurityAdvisorySeverity
 import io.micrometer.core.instrument.MultiGauge
 import io.micrometer.core.instrument.Tags
 import io.micrometer.prometheus.PrometheusConfig
@@ -48,6 +49,7 @@ suspend fun main(): Unit = coroutineScope {
 }
 }
+ val severityLimitForNotifications = if (System.getenv().containsKey("severity_limit")) SecurityAdvisorySeverity.safeValueOf(System.getenv("severity_limit")) else SecurityAdvisorySeverity.CRITICAL
 val logger = LoggerFactory.getLogger("no.digipost.github.monitoring.Main")
 val prometheusMeterRegistry = PrometheusMeterRegistry(PrometheusConfig.DEFAULT)
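Review bot: In the Main.kt `@@ -48,6 +49,7 @@` hunk, `SecurityAdvisorySeverity.safeValueOf(System.getenv("severity_limit"))` never rejects a bad value — if `safeValueOf` follows Apollo Kotlin's generated pattern it returns the `UNKNOWN__` constant for any string it does not recognise (a lower-case `critical`, a typo), so a misconfigured variable silently yields a limit that the ordinal comparison in `publish` treats as one extreme of the scale instead of failing at startup. Reading the variable once, `val severityLimitForNotifications = System.getenv("severity_limit")?.let { SecurityAdvisorySeverity.safeValueOf(it) } ?: SecurityAdvisorySeverity.CRITICAL`, removes the duplicated `getenv` call. A guard such as `require(severityLimitForNotifications != SecurityAdvisorySeverity.UNKNOWN__) { "severity_limit has an unrecognised value" }` would make the misconfiguration visible immediately; a log line naming the effective limit would help too. `main` continues outside the hunk.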
@@ -74,7 +76,7 @@ suspend fun main(): Unit = coroutineScope {
 try {
 withTimeout(TIMOUT_PUBLISH_VULNS) {
 val timeMillis = measureTimeMillis {
- publish(apolloClientFactory.invoke(), githubApiClient, slackClient, multiGaugeRepoVulnCount, multiGaugeContainerScan, multiGaugeInfoScore)
+ publish(apolloClientFactory.invoke(), githubApiClient, slackClient, severityLimitForNotifications, multiGaugeRepoVulnCount, multiGaugeContainerScan, multiGaugeInfoScore)
 }
 logger.info("Henting av repos med sårbarheter tok ${timeMillis}ms")
 }
@@ -115,7 +117,7 @@ fun cachedApolloClientFactory(token: String): () -> ApolloClient {
 }
 }
-suspend fun publish(apolloClient: ApolloClient, githubApiClient: GithubApiClient, slackClient: SlackClient?, registerRepos: MultiGauge, registerContainerScanStats: MultiGauge, registerVulnerabilites: MultiGauge): Unit = coroutineScope {
+suspend fun publish(apolloClient: ApolloClient, githubApiClient: GithubApiClient, slackClient: SlackClient?, severityLimit: SecurityAdvisorySeverity, registerRepos: MultiGauge, registerContainerScanStats: MultiGauge, registerVulnerabilites: MultiGauge): Unit = coroutineScope {
 val channel = Channel()
 launch {
@@ -123,7 +125,7 @@ suspend fun publish(apolloClient: ApolloClient, githubApiClient: GithubApiClient
 .let { repos ->
 if (existingVulnerabilities != null) {
 repos.getUniqueCVEs()
- .filter { (cve, _) -> !existingVulnerabilities!!.containsKey(cve) }
+ .filter { (cve, vulnerability) -> !existingVulnerabilities!!.containsKey(cve) && vulnerability.severity.ordinal <= severityLimit.ordinal }
 .forEach { (_, vulnerability) ->
 println("Ny sårbarhet: $vulnerability")
 slackClient?.sendToSlack(vulnerability)
@@ -160,7 +162,7 @@ suspend fun publish(apolloClient: ApolloClient, githubApiClient: GithubApiClient
 "created", vuln.createdAt,
 "CVE", vuln.CVE,
 "packagename", vuln.packageName,
- "severity", vuln.severity,
+ "severity", vuln.severity.name,
 ), vuln.score
 )
 }
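Review bot: In the `@@ -115,7 +117,7 @@` hunk the new `severityLimit: SecurityAdvisorySeverity` parameter is inserted into a seven-parameter signature that ends in three consecutive `MultiGauge` arguments, and the call site in the `@@ -74,7 +76,7 @@` hunk passes all of them positionally. Named arguments at that call — `publish(apolloClientFactory.invoke(), githubApiClient, slackClient, severityLimit = severityLimitForNotifications, registerRepos = multiGaugeRepoVulnCount, registerContainerScanStats = multiGaugeContainerScan, registerVulnerabilites = multiGaugeInfoScore)` — would make the binding readable and guard against the gauges being swapped, which the compiler cannot catch for same-typed parameters. The body of `publish` continues past the hunk.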
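Review bot: In the `@@ -123,7 +125,7 @@` hunk, `vulnerability.severity.ordinal <= severityLimit.ordinal` makes the filter's direction depend on the declaration order of a generated enum the project does not author. If the generated class follows GitHub's schema, which as far as I recall lists the values from LOW up to CRITICAL, the default `CRITICAL` limit admits every severity and `LOW` admits only LOW — the reverse of the commit message's intent — so please confirm the constant order before relying on it. Apollo's `UNKNOWN__` fallback, if present, also sits at one end of the scale and is therefore either always or never reported regardless of which way the order runs. An explicit ranking, e.g. `private val severityRank = listOf(SecurityAdvisorySeverity.CRITICAL, SecurityAdvisorySeverity.HIGH, SecurityAdvisorySeverity.MODERATE, SecurityAdvisorySeverity.LOW)` compared via `severityRank.indexOf(vulnerability.severity).let { it >= 0 && it <= severityRank.indexOf(severityLimit) }`, states the intent in code and excludes unknown values deliberately. `publish` starts and ends outside this hunk.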
diff --git a/src/main/kotlin/no/digipost/github/monitoring/SlackClient.kt b/src/main/kotlin/no/digipost/github/monitoring/SlackClient.kt
index c39940d..75a22cc 100644
--- a/src/main/kotlin/no/digipost/github/monitoring/SlackClient.kt
+++ b/src/main/kotlin/no/digipost/github/monitoring/SlackClient.kt
@@ -22,7 +22,7 @@ class SlackClient(private val webhookUrl: String) {
 }
 private fun toSlackInformation(vulnerability: Vulnerability): String {
- return "*${vulnerability.severity} (${vulnerability.score})* " +
+ return "*${vulnerability.severity.name} (${vulnerability.score})* " +
 ", " +
 "package name: ${vulnerability.packageName}"
 }