nexpose-asset-attributor

command module
v1.2.0 Latest
Published: Jul 13, 2020 License: Apache-2.0 Imports: 12 Imported by: 0

README

nexpose-asset-attributor - Attribute Assets from Nexpose to Teams and People


https://github.com/asecurityteam/nexpose-asset-attributor

Overview

The nexpose-asset-attributor provides a lambda handler which accepts payloads containing an asset and a list of vulnerabilities associated with that asset, as defined in the nexpose-vuln-hydrator service, and attempts to query asset inventory systems to provide additional business context for the asset.

Currently, the only inventory system provided is the asset-inventory-api service's cloud APIs. The nexpose-asset-attributor service attempts to query both the /v1/cloud/ip and /v1/cloud/hostname APIs concurrently and uses the first result to add the additional business context. This library also exposes a public AssetAttributor interface if you'd like to define your own attribution sources.
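The first-result-wins concurrent query described above, written out as an added Go example that is not the project's own code: the two asset-inventory-api sources are stood in for by constructed in-memory tables, and the names Attribution, lookup and Attribute are assumed here, not taken from the package.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// Attribution is the business context attached to an asset (hypothetical shape, not the project's own type).
type Attribution struct{ Source, Owner string }

// Constructed sample data standing in for asset-inventory-api responses.
var ipInventory = map[string]string{"10.0.0.5": "team-payments"}
var hostInventory = map[string]string{"web-01.internal": "team-payments"}

// lookup simulates one inventory query (e.g. /v1/cloud/ip) with latency and reports on ok or fail;
// it honours ctx so a query that lost the race returns promptly instead of burning the request budget.
func lookup(ctx context.Context, ok chan<- Attribution, fail chan<- error, source string, table map[string]string, key string, latency time.Duration) {
	select {
	case <-ctx.Done():
		fail <- ctx.Err()
	case <-time.After(latency):
		if owner, found := table[key]; found {
			ok <- Attribution{Source: source, Owner: owner}
		} else {
			fail <- fmt.Errorf("%s: %q not in inventory", source, key)
		}
	}
}

// Attribute queries the IP and hostname sources concurrently and returns the first successful
// result; the deferred cancel stops the losing query. If both fail, both errors are reported.
func Attribute(ctx context.Context, ip, hostname string) (Attribution, error) {
	ctx, cancel := context.WithTimeout(ctx, 2*time.Second)
	defer cancel()
	okc, fail := make(chan Attribution, 2), make(chan error, 2) // buffered so losers never block
	go lookup(ctx, okc, fail, "cloud/ip", ipInventory, ip, 10*time.Millisecond)
	go lookup(ctx, okc, fail, "cloud/hostname", hostInventory, hostname, 30*time.Millisecond)
	var errs []error
	for len(errs) < 2 {
		select {
		case a := <-okc:
			return a, nil // first success wins
		case err := <-fail:
			errs = append(errs, err)
		}
	}
	return Attribution{}, fmt.Errorf("all sources failed: %v", errs)
}
```

Because the channels are buffered to the number of queries, the losing goroutine can always deliver its (cancelled) result and exit, so no goroutine outlives the request.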

Quick Start

Install docker and docker-compose.

The app can be run locally by running make run.

This will run docker-compose for the serverfull project as well as the supplied serverfull-gateway configuration. The sample configuration provided assumes there will be a stats collector running. To disable this, remove the stats configuration lines from the server configuration and the serverfull-gateway configuration.

The app should now be running on port 8080.

curl -vX POST "http://localhost:8080" -H "Content-Type:application/json" -d @pkg/handlers/v1/testdata/config.valid.json

Configuration

Images of this project are built and hosted on DockerHub. The system is configured using environment variables. The following are all of the configuration options for the system:

# (bool) Use the Lambda SDK to start the system.
NEXPOSEASSETATTRIBUTOR_LAMBDAMODE="false"
# (string) The output of the event producer. Choices are BENTHOS OR POST.
NEXPOSEASSETATTRIBUTOR_PRODUCER_TYPE="BENTHOS"
# (string) The YAML or JSON text of a Benthos configuration.
NEXPOSEASSETATTRIBUTOR_PRODUCER_BENTHOS_YAML=""
# (string) The URL to POST.
NEXPOSEASSETATTRIBUTOR_PRODUCER_POST_ENDPOINT=""
# (string) The type of HTTP client. Choices are SMART and DEFAULT.
NEXPOSEASSETATTRIBUTOR_PRODUCER_POST_HTTPCLIENT_TYPE="DEFAULT"
# (string) The full OpenAPI specification with transportd extensions.
NEXPOSEASSETATTRIBUTOR_PRODUCER_POST_HTTPCLIENT_SMART_OPENAPI=""
# (string) The asset-inventory-api cloud asset URL to query.
NEXPOSEASSETATTRIBUTOR_CLOUDASSETINVENTORY_ENDPOINT=""
# (string) The type of HTTP client. Choices are SMART and DEFAULT.
NEXPOSEASSETATTRIBUTOR_CLOUDASSETINVENTORY_HTTPCLIENT_TYPE="default"
# (string) The full OpenAPI specification with transportd extensions.
NEXPOSEASSETATTRIBUTOR_CLOUDASSETINVENTORY_HTTPCLIENT_SMART_OPENAPI=""

This list can be generated by building the binary and passing the -h or -help flag:

go run main.go -h

For those who do not have access to AWS Lambda, you can run your own configuration by composing this image with your own custom configuration of serverfull-gateway.

Logging

This project makes use of logevent which provides structured logging using Go structs and tags. By default the project will set a logger value in the context for each request. The handler uses the LogFn function defined in pkg/domain/alias.go to extract the logger instance from the context.

The built in logger can be configured through the serverfull runtime configuration.

Stats

This project uses xstats as its underlying stats library. By default the project will set a stat client value in the context for each request. The handler uses the StatFn function defined in pkg/domain/alias.go to extract the stats client instance from the context.

The built in stats client can be configured through the serverfull runtime configuration.


Validation and Failure Handling

When an asset fails to attribute information from a given source, or has invalid data, there needs to be logic for handling such cases before the asset is produced. How these cases should be handled varies between operators, so this is a configurable piece.

In order to configure a validator, or a failure handler, one would need to pass in implementations of an AssetValidator and AttributionFailureHandler in main.go, which are defined in pkg/domain/validator.go and pkg/domain/attributor.go. Depending on how complex these implementations are, one might need to use our Settings library to instantiate these implementations.

Status

This project is in incubation which means we are not yet operating this tool in production and the interfaces are subject to change.

Contributing

If you are interested in contributing to the project, feel free to open an issue or PR.

Building And Testing

We publish a docker image called SDCLI that bundles all of our build dependencies. It is used by the included Makefile to help make building and testing a bit easier. The following actions are available through the Makefile:

  • make dep

    Install the project dependencies into a vendor directory

  • make lint

    Run our static analysis suite

  • make test

    Run unit tests and generate a coverage artifact

  • make integration

    Run integration tests and generate a coverage artifact

  • make coverage

    Report the combined coverage for unit and integration tests

  • make build

    Generate a local build of the project (if applicable)

  • make run

    Run a local instance of the project (if applicable)

  • make doc

    Generate the project code documentation and make it viewable locally.

Quality Gates

Our build process will run the following checks before going green:

  • make lint
  • make test
  • make integration
  • make coverage (combined result must be 85% or above for the project)

Running these locally will give early indicators of pass/fail.

License

This project is licensed under Apache 2.0. See LICENSE.txt for details.

Contributing Agreement

Atlassian requires signing a contributor's agreement before we can accept a patch. If you are an individual you can fill out the individual CLA. If you are contributing on behalf of your company then please fill out the corporate CLA.

Documentation


There is no documentation for this package.

Directories (path: synopsis)

pkg/domain: Package domain is a container of all of the domain types and interfaces that are used across multiple packages within the service.
pkg/handlers: Package handlers contains all top level functionality.
pkg/handlers/v1: Package v1 is a container for endpoints that are used to power the v1 of the service.
pkg/logs: Package logs contains all structured log events for the service.
(path not shown): Package tests is where integration tests for a project should be placed.
