Legg til en limit for sårbarhetsvarsling på slack

Eks. kun varsle ved CRITICAL sårbarheter.
digipost · Feb 29, 2024 · 1d3a114 · 1d3a114
1 parent 3a1ef5e
commit 1d3a114
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 8 deletions.
diff --git a/src/main/kotlin/no/digipost/github/monitoring/Domain.kt b/src/main/kotlin/no/digipost/github/monitoring/Domain.kt
@@ -1,4 +1,5 @@
 package no.digipost.github.monitoring
+import com.github.graphql.client.type.SecurityAdvisorySeverity
 import com.google.gson.annotations.SerializedName
 import java.time.ZonedDateTime
 
@@ -15,7 +16,7 @@ data class Repository(
 ${this.owner}/${this.name} - ${this.language}
 Antall sårbarheter: ${this.vulnerabilities.size}
     ${this.vulnerabilities.map { """Package: ${it.packageName}
-    Severity: ${it.severity}
+    Severity: ${it.severity.name}
     Score: ${it.score} / 10
     CVE: ${it.CVE}
     """ }.joinToString("\n")}
@@ -25,7 +26,7 @@ Antall sårbarheter: ${this.vulnerabilities.size}
 }
 
 data class Vulnerability(
-    var severity: String,
+    var severity: SecurityAdvisorySeverity,
     var createdAt: String,
     var packageName: String,
     var score: Double,

diff --git a/src/main/kotlin/no/digipost/github/monitoring/GithubGraphql.kt b/src/main/kotlin/no/digipost/github/monitoring/GithubGraphql.kt
@@ -107,7 +107,7 @@ private suspend fun getVulnerabilitiesForRepo(
         val vulnerabilities = vulnerabilityAlerts.mapNotNull {
             it?.let {
                 Vulnerability(
-                    it.securityVulnerability!!.severity.name,
+                    it.securityVulnerability!!.severity,
                     it.createdAt.toString().substring(0, 10),
                     it.securityVulnerability.`package`.name,
                     it.securityVulnerability.advisory.cvss.score,
@@ -159,3 +159,4 @@ private suspend fun listRepos(apolloClient: ApolloClient, repositoryChannel: Cha
         cursor = response.data?.viewer?.repositories?.pageInfo?.endCursor
     }
 }
+
diff --git a/src/main/kotlin/no/digipost/github/monitoring/Main.kt b/src/main/kotlin/no/digipost/github/monitoring/Main.kt
@@ -2,6 +2,7 @@ package no.digipost.github.monitoring
 
 import com.apollographql.apollo3.ApolloClient
 import com.apollographql.apollo3.api.http.HttpHeader
+import com.github.graphql.client.type.SecurityAdvisorySeverity
 import io.micrometer.core.instrument.MultiGauge
 import io.micrometer.core.instrument.Tags
 import io.micrometer.prometheus.PrometheusConfig
@@ -48,6 +49,7 @@ suspend fun main(): Unit = coroutineScope {
         }
     }
 
+    val severityLimitForNotifications = if (System.getenv().containsKey("severity_limit")) SecurityAdvisorySeverity.safeValueOf(System.getenv("severity_limit")) else SecurityAdvisorySeverity.CRITICAL
     val logger = LoggerFactory.getLogger("no.digipost.github.monitoring.Main")
     val prometheusMeterRegistry = PrometheusMeterRegistry(PrometheusConfig.DEFAULT)
 
@@ -74,7 +76,7 @@ suspend fun main(): Unit = coroutineScope {
             try {
                 withTimeout(TIMOUT_PUBLISH_VULNS) {
                     val timeMillis = measureTimeMillis {
-                        publish(apolloClientFactory.invoke(), githubApiClient, slackClient, multiGaugeRepoVulnCount, multiGaugeContainerScan, multiGaugeInfoScore)
+                        publish(apolloClientFactory.invoke(), githubApiClient, slackClient, severityLimitForNotifications, multiGaugeRepoVulnCount, multiGaugeContainerScan, multiGaugeInfoScore)
                     }
                     logger.info("Henting av repos med sårbarheter tok ${timeMillis}ms")
                 }
@@ -115,15 +117,15 @@ fun cachedApolloClientFactory(token: String): () -> ApolloClient {
     }
 }
 
-suspend fun publish(apolloClient: ApolloClient, githubApiClient: GithubApiClient, slackClient: SlackClient?, registerRepos: MultiGauge, registerContainerScanStats: MultiGauge, registerVulnerabilites: MultiGauge): Unit = coroutineScope {
+suspend fun publish(apolloClient: ApolloClient, githubApiClient: GithubApiClient, slackClient: SlackClient?, severityLimit: SecurityAdvisorySeverity, registerRepos: MultiGauge, registerContainerScanStats: MultiGauge, registerVulnerabilites: MultiGauge): Unit = coroutineScope {
 
     val channel = Channel<Repos>()
     launch {
         fetchAllReposWithVulnerabilities(apolloClient, githubApiClient)
             .let { repos ->
                 if (existingVulnerabilities != null) {
                     repos.getUniqueCVEs()
-                        .filter { (cve, _) -> !existingVulnerabilities!!.containsKey(cve) }
+                        .filter { (cve, vulnerability) -> !existingVulnerabilities!!.containsKey(cve) && vulnerability.severity.ordinal <= severityLimit.ordinal }
                         .forEach { (_, vulnerability) ->
                             println("Ny sårbarhet: $vulnerability")
                             slackClient?.sendToSlack(vulnerability)
@@ -160,7 +162,7 @@ suspend fun publish(apolloClient: ApolloClient, githubApiClient: GithubApiClient
                             "created", vuln.createdAt,
                             "CVE", vuln.CVE,
                             "packagename", vuln.packageName,
-                            "severity", vuln.severity,
+                            "severity", vuln.severity.name,
                         ), vuln.score
                     )
                 }

diff --git a/src/main/kotlin/no/digipost/github/monitoring/SlackClient.kt b/src/main/kotlin/no/digipost/github/monitoring/SlackClient.kt
@@ -22,7 +22,7 @@ class SlackClient(private val webhookUrl: String) {
     }
 
     private fun toSlackInformation(vulnerability: Vulnerability): String {
-        return "*${vulnerability.severity} (${vulnerability.score})* " +
+        return "*${vulnerability.severity.name} (${vulnerability.score})* " +
                 "<https://nvd.nist.gov/vuln/detail/${vulnerability.CVE}|${vulnerability.CVE}>, " +
                 "package name: ${vulnerability.packageName}"
     }