init defectdojo-exporter

Dockerfile

@@ -0,0 +1,14 @@
+FROM golang:1.22.5-alpine AS builder
+WORKDIR /app
+
+COPY . ./
+
+WORKDIR /app/cmd/defectdojo-exporter
+
+RUN apk add --no-cache binutils \
+    && CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -ldflags="-w -s" -o defectdojo-exporter main.go \
+    && strip /app/cmd/defectdojo-exporter/defectdojo-exporter
+
+FROM alpine:3.20
+
+COPY --from=builder /app/cmd/defectdojo-exporter/defectdojo-exporter /usr/local/bin/defectdojo-exporter

Makefile

@@ -0,0 +1,22 @@
+# DOCKER TASKS
+
+DOCKER_IMAGE_NAME := exporter
+DOCKER_IMAGE_TAG := defectdojo
+DOCKER_CONTAINER_NAME := defectdojo-exporter
+
+.PHONY: all build run extract clean
+
+all: build run extract clean
+
+build:
+	docker build -t $(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG) .
+
+run:
+	docker run --name $(DOCKER_CONTAINER_NAME) $(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG)
+
+extract:
+	docker cp $(DOCKER_CONTAINER_NAME):/usr/local/bin/defectdojo-exporter ./defectdojo-exporter
+
+clean:
+	docker stop $(DOCKER_CONTAINER_NAME) || true
+	docker rm $(DOCKER_CONTAINER_NAME) || true

README.md

@@ -0,0 +1,33 @@
+# Vulnerability Metrics Collector from [DefectDojo](https://github.com/DefectDojo/django-DefectDojo)
+
+## Metrics
+
+The application collects and exposes the following metrics:
+
+- `dojo_vulnerabilities_active`: Number of active vulnerabilities.
+- `dojo_vulnerabilities_duplicate`: Number of duplicate vulnerabilities.
+- `dojo_vulnerabilities_under_review`: Number of vulnerabilities under review.
+- `dojo_vulnerabilities_false_positive`: Number of false positive vulnerabilities.
+- `dojo_vulnerabilities_out_of_scope`: Number of vulnerabilities out of scope.
+- `dojo_vulnerabilities_risk_accepted`: Number of vulnerabilities with risk accepted.
+- `dojo_vulnerabilities_verified`: Number of verified vulnerabilities.
+- `dojo_vulnerabilities_mitigated`: Number of mitigated vulnerabilities.
+
+## Lables
+
+- `product`: The name or identifier of the product associated with the vulnerabilities.
+- `severity`: The severity level of the vulnerabilities, such as informational, low, medium, high, or critical.
+- `cwe`: The Common Weakness Enumeration (CWE) identifier associated with the vulnerabilities.
+
+## Configuration
+
+Create a config.yaml file in the folder with the binary exporter to configure the following variables:
+
+```yaml
+DD_TOKEN: "12345678901234567890"
+DD_URL: "https://defectdojo.com"
+# port for running exporter
+PORT: 8080
+```
+
+Once configured and running, the collector exposes the metrics at the /metrics endpoint.

cmd/defectdojo-exporter/go.mod

@@ -0,0 +1,17 @@
+module defectdojo-exporter
+
+go 1.22.5
+
+require github.com/prometheus/client_golang v1.20.3
+
+require (
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/klauspost/compress v1.17.9 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.55.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
+	golang.org/x/sys v0.22.0 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
+)

cmd/defectdojo-exporter/go.sum

@@ -0,0 +1,24 @@
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA=
+github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/prometheus/client_golang v1.20.3 h1:oPksm4K8B+Vt35tUhw6GbSNSgVlVSBH0qELP/7u83l4=
+github.com/prometheus/client_golang v1.20.3/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
+github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
+github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
+github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc=
+github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8=
+github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
+github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
+google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=

cmd/defectdojo-exporter/main.go

@@ -0,0 +1,36 @@
+package main
+
+import (
+	"collector"
+	"config"
+	"defectdojo"
+	"fmt"
+	"log"
+	"net/http"
+
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+)
+
+func main() {
+	// load config
+	config := config.LoadConfig()
+
+	// register metric
+	prometheus.MustRegister(defectdojo.VulnActiveGauge)
+	prometheus.MustRegister(defectdojo.VulnDuplicateGauge)
+	prometheus.MustRegister(defectdojo.VulnUnderReviewGauge)
+	prometheus.MustRegister(defectdojo.VulnFalsePositiveGauge)
+	prometheus.MustRegister(defectdojo.VulnOutOfScopeGauge)
+	prometheus.MustRegister(defectdojo.VulnRiskAcceptedGauge)
+	prometheus.MustRegister(defectdojo.VulnVerifiedGauge)
+	prometheus.MustRegister(defectdojo.VulnMitigatedGauge)
+
+	// start exporter
+	go collector.CollectMetrics(config.DD_URL, config.DD_TOKEN)
+
+	http.Handle("/metrics", promhttp.Handler())
+	log.Printf("Starting server on :%d", config.PORT)
+
+	log.Fatal(http.ListenAndServe(fmt.Sprintf(":%d", config.PORT), nil))
+}

config/config.go

@@ -0,0 +1,29 @@
+package config
+
+import (
+	"log"
+	"os"
+
+	"gopkg.in/yaml.v3"
+)
+
+type Config struct {
+	DD_URL   string `yaml:"DD_URL"`
+	DD_TOKEN string `yaml:"DD_TOKEN"`
+	PORT     int    `yaml:"PORT"`
+}
+
+// LoadConfig load config.yaml
+func LoadConfig() *Config {
+	file, err := os.ReadFile("config.yaml")
+	if err != nil {
+		log.Fatal("error reading config file: ", err)
+	}
+
+	var config Config
+	if err := yaml.Unmarshal(file, &config); err != nil {
+		log.Fatal("error unmarshalling config file: ", err)
+	}
+
+	return &config
+}

config/go.mod

@@ -0,0 +1,5 @@
+module config
+
+go 1.22.5
+
+require gopkg.in/yaml.v3 v3.0.1

config/go.sum

@@ -0,0 +1,4 @@
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

configs/config.yaml

@@ -0,0 +1,3 @@
+DD_TOKEN: "12345678901234567890"
+DD_URL: "https://defectdojo.com"
+PORT: 8080