-
Notifications
You must be signed in to change notification settings - Fork 1
/
main.go
399 lines (330 loc) · 10.7 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
// Ortelius v11 Vulnerability Microservice that handles creating Vulnerability from OSV.dev
// Runs as a cronjob
package main
import (
"archive/zip"
"bytes"
"context"
"crypto/tls"
"encoding/json"
"fmt"
"io"
"net"
"net/http"
"net/url"
"os"
"strings"
"github.com/arangodb/go-driver/v2/arangodb"
mapset "github.com/deckarep/golang-set/v2"
"github.com/ortelius/scec-commons/database"
_ "github.com/ortelius/scec-vulnerability/docs"
)
type vulnID struct {
ID string `json:"id"`
Modified string `json:"modified"`
}
type cveText struct {
Description string `json:"cvetext"`
}
var logger = database.InitLogger()
var dbconn = database.InitializeDatabase()
func getMitreURL() string {
// Get the environment variable value for MITER_MAPPING_URL
mitreURL := os.Getenv("MITER_MAPPING_URL")
// Check if deppkgURL is empty
if len(mitreURL) == 0 {
// Get the environment variable value for SCEC_DEPPKG_SERVICE_HOST
mitreHost := os.Getenv("SCEC_MITER_MAPPING_SERVICE_HOST")
if mitreHost == "" {
mitreHost = "127.0.0.1"
}
// Resolve the host name
addrs, err := net.LookupAddr(mitreHost)
if err != nil || len(addrs) == 0 {
logger.Sugar().Infoln("Error resolving host:", err)
return ""
}
host := addrs[0]
// Get the environment variable value for SCEC_DEPPKG_SERVICE_PORT
mitrePort := os.Getenv("SCEC_MITER_MAPPING_SERVICE_PORT")
if mitrePort == "" {
mitrePort = "80"
}
// Construct the URL
mitreURL = fmt.Sprintf("http://%s:%s/msapi/mitre", host, mitrePort)
}
return mitreURL
}
// unpackAndLoad
func unpackAndLoad(src string, currentVulns mapset.Set[string]) error {
r, err := zip.OpenReader(src)
if err != nil {
return err
}
defer func() {
if err := r.Close(); err != nil {
panic(err)
}
}()
// Closure to address file descriptors issue with all the deferred .Close() methods
extractAndWriteFile := func(f *zip.File) error {
// Check for ZipSlip: https://snyk.io/research/zip-slip-vulnerability
if strings.Contains(f.Name, "/") {
return fmt.Errorf("%s: illegal file path", f.Name)
}
rc, err := f.Open()
if err != nil {
return err
}
defer func() {
if err := rc.Close(); err != nil {
panic(err)
}
}()
if !f.FileInfo().IsDir() {
var vulnJSON strings.Builder
_, err = io.Copy(&vulnJSON, rc) // #nosec G110
if err != nil {
return err
}
var vulnIDMod vulnID
var vulnStr = vulnJSON.String()
if err := json.Unmarshal([]byte(vulnStr), &vulnIDMod); err != nil {
logger.Sugar().Infoln(err)
}
key := vulnIDMod.ID + vulnIDMod.Modified
if currentVulns.Contains(key) {
return nil
}
logger.Sugar().Infof("%s %s %s", src, vulnIDMod.ID, vulnIDMod.Modified)
// Add json to db
if err := newVuln(vulnStr); err != nil {
logger.Sugar().Infoln(err)
logger.Sugar().Infoln(vulnStr)
}
currentVulns.Add(key)
}
return nil
}
for _, f := range r.File {
err := extractAndWriteFile(f)
if err != nil {
return err
}
}
return nil
}
// LoadFromOSVDev retrieves the vulns from osv.dev and adds them to the Arangodb
func LoadFromOSVDev() {
if currentVulns, err := getVulns(); err == nil {
baseURL := "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/ecosystems.txt?alt=media"
client := http.Client{}
resp, err := client.Get(baseURL)
if err != nil {
logger.Sugar().Fatal(err)
}
// We Read the response body on the line below.
body, err := io.ReadAll(resp.Body)
if err != nil {
logger.Sugar().Fatalln(err)
}
resp.Body.Close()
// Convert the body to type string
ecosystems := strings.Split(string(body), "\n")
for _, platform := range ecosystems {
if len(strings.TrimSpace(platform)) == 0 {
continue
}
tr := &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: false,
MinVersion: tls.VersionTLS12,
},
}
client := &http.Client{Transport: tr}
url := fmt.Sprintf("https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/%s%%2Fall.zip?alt=media", url.PathEscape(platform))
logger.Sugar().Infof("%s", url)
if resp, err := client.Get(url); err == nil {
filename := fmt.Sprintf("%s.zip", platform)
if out, err := os.Create(filename); err == nil {
if _, err := io.Copy(out, resp.Body); err != nil {
logger.Sugar().Infoln(err)
}
out.Close()
} else {
logger.Sugar().Infoln(err)
}
if err := unpackAndLoad(filename, currentVulns); err != nil {
logger.Sugar().Infoln(err)
logger.Sugar().Fatalln(filename)
}
os.Remove(filename)
resp.Body.Close()
} else {
logger.Sugar().Infoln(err)
}
}
} else {
logger.Sugar().Fatalln(err)
}
}
// getVulns godoc
// @Summary Get a list of Vulns aleady in the database
// @Description Returns a Set of vuln ids
// @Tags vulns
func getVulns() (mapset.Set[string], error) {
var cursor arangodb.Cursor // db cursor for rows
var err error // for error handling
var ctx = context.Background() // use default database context
currentVulns := mapset.NewSet[string]()
// query all the domains in the collection
aql := `FOR vuln in vulns
RETURN {id: vuln._key, modified: vuln.modified}`
// execute the query with no parameters
if cursor, err = dbconn.Database.Query(ctx, aql, nil); err != nil {
logger.Sugar().Errorf("Failed to run query: %v", err) // log error
return currentVulns, err
}
defer cursor.Close() // close the cursor when returning from this function
for cursor.HasMore() { // loop thru all of the documents
var vulnIDMod vulnID
// fetch a document from the cursor
if _, err = cursor.ReadDocument(ctx, &vulnIDMod); err != nil {
logger.Sugar().Errorf("Failed to read document: %v", err)
return currentVulns, err
}
key := vulnIDMod.ID + vulnIDMod.Modified
currentVulns.Add(key)
}
return currentVulns, nil
}
// newVuln godoc
// @Summary Create a Vulnerability
// @Description Create a new Vulnerability and persist it
// @Tags vulnerability
func newVuln(vulnJSON string) error {
var err error // for error handling
var ctx = context.Background() // use default database context
// Unmarshal the raw message into a map so we can access the summary and details keys
var content map[string]interface{}
if err = json.Unmarshal([]byte(strings.Replace(vulnJSON, "\"id\":", "\"_key\":", 1)), &content); err != nil {
logger.Sugar().Infoln(err)
} else {
combinedJSON := vulnJSON
summary := ""
details := ""
if val, ok := content["summary"]; ok {
if s, ok := val.(string); ok {
summary = s
}
}
if val, ok := content["details"]; ok {
if d, ok := val.(string); ok {
details = d
}
}
cve := cveText{
Description: summary + " " + details,
}
jsonData, err := json.Marshal(cve)
if err != nil {
logger.Sugar().Errorln("Error marshaling JSON:", err)
return err
}
mitreURL := getMitreURL()
if len(mitreURL) > 0 {
// #nosec G107
resp, err := http.Post(mitreURL, "application/json", bytes.NewBuffer(jsonData))
if err == nil {
defer resp.Body.Close()
if resp.StatusCode == 200 {
if body, err := io.ReadAll(resp.Body); err == nil {
techniqueJSON := ", \"techniques\":" + string(body)
lastBraceIndex := strings.LastIndex(vulnJSON, "}")
if lastBraceIndex != -1 {
combinedJSON = vulnJSON[:lastBraceIndex] + techniqueJSON + "}"
}
// convert the combined json string into the map so we can persist it in Arango
combinedJSON = strings.Replace(combinedJSON, "\"id\":", "\"_key\":", 1)
}
}
} else {
logger.Sugar().Errorln("Error sending POST request:", err)
}
}
if err := json.Unmarshal([]byte(combinedJSON), &content); err != nil {
logger.Sugar().Infoln(err)
}
// overwriteMode := arangodb.CollectionDocumentCreateOverwriteModeConflict
overwrite := true
options := &arangodb.CollectionDocumentCreateOptions{
Overwrite: &overwrite,
}
// update existing docs and add if missing
if _, err = dbconn.Collections["vulns"].CreateDocumentWithOptions(ctx, content, options); err != nil {
logger.Sugar().Errorf("Failed to create document: %v", err)
}
aql := `FOR vuln IN vulns
FILTER vuln._key == @vulnKey
LET purls = UNIQUE(
FOR affected IN vuln.affected
FILTER LENGTH(affected.package.purl) > 0
LET purl = FIRST(SPLIT(affected.package.purl, '?'))
RETURN purl
)
FILTER LENGTH(purls) > 0
FOR purl IN purls
// Upsert the purl and capture the _key of the upserted purl document
LET upsertedPurl = FIRST(
UPSERT { purl: purl }
INSERT { purl: purl }
UPDATE {} IN purls
RETURN NEW
)
// Ensure the upsertedPurl is properly captured
LET purlKey = upsertedPurl._key
// Check for existing edge using the purlKey
LET existingEdge = FIRST(
FOR edge IN purl2vulns
FILTER edge._from == CONCAT("purls/", purlKey) AND edge._to == CONCAT("vulns/", vuln._key)
RETURN edge
)
// Insert edge if it does not exist
FILTER existingEdge == NULL
INSERT { _from: CONCAT("purls/", purlKey), _to: CONCAT("vulns/", vuln._key) } INTO purl2vulns
`
// Define bind variables
parameters := map[string]interface{}{
"vulnKey": content["_key"],
}
// Execute the query
ctx := context.Background()
cursor, err := dbconn.Database.Query(ctx, aql, &arangodb.QueryOptions{BindVars: parameters})
if err != nil {
logger.Sugar().Errorf("Failed to execute query %s: %v", aql, err)
}
cursor.Close()
}
return nil
}
// @title Ortelius v11 Vulnerability Microservice
// @version 11.0.0
// @description Vulnerabilities from osv.dev
// @description 
// @description 
// @description
// @description 
// @description [](https://github.com/ortelius/scec-vulnerability/actions?query=workflow%3AMegaLinter+branch%3Amain)
// @description 
// @description [](https://api.securityscorecards.dev/projects/github.com/ortelius/scec-vulnerability)
// @description
// @description 
// @termsOfService http://swagger.io/terms/
// @contact.name Ortelius Google Group
// @contact.email [email protected]
// @license.name Apache 2.0
// @license.url http://www.apache.org/licenses/LICENSE-2.0.html
// @host localhost:8080
func main() {
LoadFromOSVDev()
}