Nexpose Vulnerability Hydrator

https://github.com/asecurityteam/nexpose-vuln-hydrator
Overview
Nexpose Vulnerability Hydrator consumes Asset events (such as those produced by Nexpose Asset Producer)
and hydrates them with the vulnerability details and possible solutions for each vulnerability, which it
gets by querying Nexpose. Once the asset is hydrated, it is published to SQS via an SNS topic for the next
service to consume. (See Nexpose Vulnerability Filter for a service that consumes these hydrated events.)
To get the vulnerabilities and solutions for an asset, the service calls your Nexpose instance's API with the asset ID:
/api/3/assets/{id}/vulnerabilities
to list the vulnerabilities on the asset, then /api/3/vulnerabilities/{id}
to get the details of each vulnerability, /api/3/vulnerabilities/{id}/solutions
to get the solutions for that vulnerability, and /api/3/solutions/{id}
to get the details of each solution.
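The call chain above, written out as an added example in Go (not the project's own hydrator code). It pages the first listing with page/size, the way the PAGESIZE setting suggests, and path-escapes every ID it gets back from Nexpose before reusing it in a URL. The JSON field names (resources, page.totalPages, title, severity, summary.text) are assumed from the Nexpose v3 API docs, and the server it talks to is a constructed fake that returns exactly those shapes, so it runs offline:

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// assetVulnPage is the slice of the paged listing this example reads. Field names
// are assumed from the Nexpose v3 docs; json matching is case-insensitive.
type assetVulnPage struct {
	Resources []struct{ ID string }
	Page      struct{ TotalPages int }
}

type HydratedVuln struct { // one vulnerability on the asset plus its solution summaries
	ID, Title, Severity string
	Solutions           []string
}

// get performs one GET against Nexpose and decodes the JSON body.
func get(c *http.Client, u string, out interface{}) error {
	resp, err := c.Get(u)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("GET %s: status %d", u, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// Hydrate walks the chain the README describes for one asset, paging the listing with
// page/size: assets/{id}/vulnerabilities -> vulnerabilities/{id} -> vulnerabilities/{id}/solutions
// -> solutions/{id}. IDs returned by Nexpose are path-escaped so they cannot alter the route.
func Hydrate(c *http.Client, host string, pageSize int, assetID int64) ([]HydratedVuln, error) {
	base := host + "/api/3/"
	var out []HydratedVuln
	for page := 0; ; page++ {
		var p assetVulnPage
		if err := get(c, fmt.Sprintf("%sassets/%d/vulnerabilities?page=%d&size=%d", base, assetID, page, pageSize), &p); err != nil {
			return nil, err
		}
		for _, r := range p.Resources {
			vid := url.PathEscape(r.ID)
			var hv HydratedVuln
			if err := get(c, base+"vulnerabilities/"+vid, &hv); err != nil {
				return nil, err
			}
			var refs struct{ Resources []string }
			if err := get(c, base+"vulnerabilities/"+vid+"/solutions", &refs); err != nil {
				return nil, err
			}
			for _, sid := range refs.Resources {
				var s struct{ Summary struct{ Text string } }
				if err := get(c, base+"solutions/"+url.PathEscape(sid), &s); err != nil {
					return nil, err
				}
				hv.Solutions = append(hv.Solutions, s.Summary.Text)
			}
			out = append(out, hv)
		}
		if page+1 >= p.Page.TotalPages { // last page, or no paging info at all
			break
		}
	}
	return out, nil
}

// NewFakeNexpose serves constructed responses for asset 42: two pages of one
// vulnerability each (page size 1), so the pagination loop is exercised.
func NewFakeNexpose() *httptest.Server {
	routes := map[string]string{
		"/api/3/assets/42/vulnerabilities?page=0&size=1":   `{"resources":[{"id":"ssh-weak-mac"}],"page":{"totalPages":2}}`,
		"/api/3/assets/42/vulnerabilities?page=1&size=1":   `{"resources":[{"id":"tls-old-version"}],"page":{"totalPages":2}}`,
		"/api/3/vulnerabilities/ssh-weak-mac":              `{"id":"ssh-weak-mac","title":"SSH weak MAC algorithms","severity":"Moderate"}`,
		"/api/3/vulnerabilities/ssh-weak-mac/solutions":    `{"resources":["sshd-disable-weak-mac"]}`,
		"/api/3/solutions/sshd-disable-weak-mac":           `{"summary":{"text":"Remove weak MACs from sshd_config"}}`,
		"/api/3/vulnerabilities/tls-old-version":           `{"id":"tls-old-version","title":"Obsolete TLS version enabled","severity":"Severe"}`,
		"/api/3/vulnerabilities/tls-old-version/solutions": `{"resources":["tls-disable-10","tls-disable-11"]}`,
		"/api/3/solutions/tls-disable-10":                  `{"summary":{"text":"Disable TLS 1.0"}}`,
		"/api/3/solutions/tls-disable-11":                  `{"summary":{"text":"Disable TLS 1.1"}}`,
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if body, ok := routes[r.URL.RequestURI()]; ok {
			fmt.Fprint(w, body)
			return
		}
		http.NotFound(w, r)
	}))
}

func main() {
	srv := NewFakeNexpose()
	defer srv.Close()
	fmt.Println(Hydrate(srv.Client(), srv.URL, 1, 42))
}
```

With a page size of 1 the fake returns totalPages: 2, so both vulnerabilities are collected across two listing calls; a real instance would be called with the configured PAGESIZE. Any non-200 response (here, an unknown asset ID) aborts the hydration rather than publishing a partially hydrated asset.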
Quick Start
Install docker and docker-compose.
The app can be run locally by running make run.
This will run docker-compose for the serverfull project
as well as the supplied serverfull-gateway configuration.
The sample configuration provided assumes there will be a stats
collector running. To disable this, remove the stats configuration
lines from the server configuration and the serverfull-gateway
configuration.
The app should now be running on port 8080.
Configuration
Images of this project are built and hosted on DockerHub. The system is configured using environment variables. The following are all of the configuration options for the system:
# (bool) Use the Lambda SDK to start the system.
VULNHYDRATOR_LAMBDAMODE="false"
# (string)
VULNHYDRATOR_PRODUCER_TYPE="BENTHOS"
# (string) The YAML or JSON text of a Benthos configuration.
VULNHYDRATOR_PRODUCER_BENTHOS_YAML=""
# (string) The URL to POST.
VULNHYDRATOR_PRODUCER_POST_ENDPOINT=""
# (string) The type of HTTP client. Choices are SMART and DEFAULT.
VULNHYDRATOR_PRODUCER_POST_HTTPCLIENT_TYPE="DEFAULT"
# (string) The full OpenAPI specification with transportd extensions.
VULNHYDRATOR_PRODUCER_POST_HTTPCLIENT_SMART_OPENAPI=""
# (string) The Nexpose host where your Nexpose instance lives (ex. https://nexpose.my-company.com)
VULNHYDRATOR_HYDRATOR_NEXPOSE_HOST=""
# (int) The number of assets that should be returned from the Nexpose API at one time.
VULNHYDRATOR_HYDRATOR_NEXPOSE_PAGESIZE="100"
# (string) The type of HTTP client. Choices are SMART and DEFAULT.
VULNHYDRATOR_HYDRATOR_NEXPOSE_HTTPCLIENT_TYPE="DEFAULT"
This list can be generated by building the binary and passing the -h or -help flag:
go build -o app . && ./app -h
For those who do not have access to AWS Lambda, you can run your own configuration by composing this
image with your own custom configuration of serverfull-gateway.
Logging
This project makes use of logevent, which provides structured logging
using Go structs and tags. By default the project will set a logger value in the context for each request. The handler
uses the LogFn function defined in pkg/domain/alias.go to extract the logger instance from the context.
The built-in logger can be configured through the serverfull runtime configuration.
Stats
This project uses xstats as its underlying stats library. By default the project will
set a stats client value in the context for each request. The handler uses the StatFn function defined in
pkg/domain/alias.go to extract the stats client from the context.
The built-in stats client can be configured through the serverfull runtime configuration.
Additional resources:
Nexpose Authentication
Nexpose requires HTTP basic authentication, so every HTTP call to Nexpose must carry a basic authentication header. One option is to set the
header manually in makeNexposeRequest() within nexpose.go. Alternatively, run transportd as a reverse proxy in front of Nexpose and use its basic
authentication plugin. In the sample docker-compose file, environment variables are set on the transportd container, and the api.yaml that transportd
consumes uses them to add basic authentication. Since basic authentication only base64-encodes the credentials, the Nexpose host should be reached
over HTTPS. These environment variables are:
| Name | Description | Example |
| --- | --- | --- |
| NEXPOSE_API_USERNAME | Username to access the Nexpose instance | myusername |
| NEXPOSE_API_PASSWORD | Password that corresponds to the provided username | mypassword |
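The transportd plugin is the approach the README recommends; as an added example that is not part of this project or of transportd, here is the same job done in Go with an http.RoundTripper: it reads NEXPOSE_API_USERNAME and NEXPOSE_API_PASSWORD (the variable names from the table above), attaches the Basic header to every outbound request, and refuses to send the credentials over plain HTTP to anything but loopback. The credentials, the fake Nexpose server and the host name nexpose.my-company.com are constructed for the example:

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"os"
)

// ErrPlaintext is returned instead of sending credentials over unencrypted HTTP.
var ErrPlaintext = errors.New("refusing to send basic-auth credentials over plain http")

// basicAuthTransport adds an Authorization: Basic header to every outbound
// request, the role the README assigns to the transportd basic-auth plugin.
type basicAuthTransport struct {
	username, password string
	next               http.RoundTripper
}

// RoundTrip clones the request (a RoundTripper must not mutate its input),
// attaches the credentials, and fails closed on non-TLS, non-loopback targets:
// basic auth is only base64, so plain HTTP would expose the Nexpose password.
func (t *basicAuthTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if req.URL.Scheme != "https" && !isLoopback(req.URL.Hostname()) {
		return nil, ErrPlaintext
	}
	r2 := req.Clone(req.Context())
	r2.SetBasicAuth(t.username, t.password)
	return t.next.RoundTrip(r2)
}

func isLoopback(host string) bool {
	ip := net.ParseIP(host)
	return host == "localhost" || (ip != nil && ip.IsLoopback())
}

// NewNexposeClient wraps the default transport with the given credentials.
func NewNexposeClient(username, password string) *http.Client {
	return &http.Client{Transport: &basicAuthTransport{username, password, http.DefaultTransport}}
}

// NewNexposeClientFromEnv reads NEXPOSE_API_USERNAME / NEXPOSE_API_PASSWORD and
// fails closed if either is missing rather than sending unauthenticated requests.
func NewNexposeClientFromEnv() (*http.Client, error) {
	user, pass := os.Getenv("NEXPOSE_API_USERNAME"), os.Getenv("NEXPOSE_API_PASSWORD")
	if user == "" || pass == "" {
		return nil, errors.New("NEXPOSE_API_USERNAME and NEXPOSE_API_PASSWORD must both be set")
	}
	return NewNexposeClient(user, pass), nil
}

// NewFakeNexpose is a constructed stand-in that only checks the credentials:
// 200 when the Basic header matches, 401 with a challenge otherwise.
func NewFakeNexpose(wantUser, wantPass string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		if !ok || u != wantUser || p != wantPass {
			w.Header().Set("WWW-Authenticate", `Basic realm="nexpose"`)
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK)
	}))
}

// Probe issues one GET and returns the status code, or the transport error.
func Probe(c *http.Client, target string) (int, error) {
	resp, err := c.Get(target)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	srv := NewFakeNexpose("nxadmin", "s3cret") // constructed credentials
	defer srv.Close()
	fmt.Println(Probe(NewNexposeClient("nxadmin", "s3cret"), srv.URL+"/api/3/"))
	fmt.Println(Probe(NewNexposeClient("nxadmin", "wrong"), srv.URL+"/api/3/"))
	_, err := Probe(NewNexposeClient("nxadmin", "s3cret"), "http://nexpose.my-company.com/api/3/")
	fmt.Println(errors.Is(err, ErrPlaintext))
}
```

The loopback exception exists only so the example (and a local transportd sidecar) can be exercised over http://127.0.0.1; everything else must be https. Wiring this client into the hydrator would replace the manual header in makeNexposeRequest() without the credentials ever appearing in a URL or a log line.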
Dependency Check
Depending on the deployment, this service can be composed with a number of sidecars. Beyond checking that the sidecars themselves are
configured and placed correctly, it is useful to check that the environment variables point to the correct external dependencies.
The obvious external dependency is Nexpose itself. Consider configuring VULNHYDRATOR_DEPENDENCYCHECK_NEXPOSEENDPOINT in docker-compose.yaml so that
users can check whether they can connect to Nexpose via /dependencycheck (see the example in gateway-incoming.yaml).
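An added example of what such a /dependencycheck handler can look like in Go (not this project's own handler; the response shape, the 200/503 convention and the two-second timeout are choices made for the example). It treats any HTTP answer, including the 401 Nexpose gives without credentials, as "reachable", because the check is about whether the endpoint variable points at the right host, not about logging in. The upstream servers are constructed stand-ins:

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"time"
)

// DependencyStatus is one row of the /dependencycheck response.
type DependencyStatus struct {
	Name   string `json:"name"`
	OK     bool   `json:"ok"`
	Detail string `json:"detail,omitempty"`
}

// checkHTTP reports whether endpoint answers at all within timeout. Any HTTP
// status counts as reachable (Nexpose answers 401 without credentials): the
// point is to confirm the env var points at the right host, not to log in.
func checkHTTP(ctx context.Context, c *http.Client, name, endpoint string, timeout time.Duration) DependencyStatus {
	if endpoint == "" {
		return DependencyStatus{Name: name, Detail: "endpoint not configured"}
	}
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
	if err != nil {
		return DependencyStatus{Name: name, Detail: err.Error()}
	}
	resp, err := c.Do(req)
	if err != nil {
		// The error names the host and port but never credentials (none are sent).
		// Keep this endpoint internal anyway: it describes your topology.
		return DependencyStatus{Name: name, Detail: err.Error()}
	}
	resp.Body.Close()
	return DependencyStatus{Name: name, OK: true, Detail: resp.Status}
}

// NewDependencyCheckHandler probes every named endpoint and answers 200 only
// when all are reachable, 503 otherwise, so an orchestrator can gate on it.
func NewDependencyCheckHandler(c *http.Client, endpoints map[string]string, timeout time.Duration) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		statuses := make([]DependencyStatus, 0, len(endpoints))
		allOK := true
		for name, ep := range endpoints {
			s := checkHTTP(r.Context(), c, name, ep, timeout)
			allOK = allOK && s.OK
			statuses = append(statuses, s)
		}
		w.Header().Set("Content-Type", "application/json")
		if !allOK {
			w.WriteHeader(http.StatusServiceUnavailable)
		}
		json.NewEncoder(w).Encode(statuses)
	})
}

// RunCheck exercises the handler in-process and returns the status code and decoded body.
func RunCheck(h http.Handler) (int, []DependencyStatus, error) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/dependencycheck", nil))
	var out []DependencyStatus
	err := json.NewDecoder(rec.Body).Decode(&out)
	return rec.Code, out, err
}

func main() {
	// Constructed stand-in for Nexpose: answers 401 like a real one would without credentials.
	nexpose := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusUnauthorized)
	}))
	defer nexpose.Close()
	endpoint := os.Getenv("VULNHYDRATOR_DEPENDENCYCHECK_NEXPOSEENDPOINT")
	if endpoint == "" {
		endpoint = nexpose.URL
	}
	h := NewDependencyCheckHandler(http.DefaultClient, map[string]string{"nexpose": endpoint}, 2*time.Second)
	code, statuses, err := RunCheck(h)
	fmt.Println(code, statuses, err)
}
```

Run it with VULNHYDRATOR_DEPENDENCYCHECK_NEXPOSEENDPOINT set to your real host to see whether the container can reach Nexpose at all; a connection-refused or DNS error in detail usually means the variable or the compose network is wrong, while "401 Unauthorized" means the host is right and only the transportd credentials remain to be checked.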
Status
This project is in incubation which means we are not yet operating this tool in production
and the interfaces are subject to change.
Contributing
If you are interested in contributing to the project, feel free to open an issue or PR.
Building And Testing
We publish a docker image called SDCLI that
bundles all of our build dependencies. It is used by the included Makefile to help make
building and testing a bit easier. The following actions are available through the Makefile:
- make dep: Install the project dependencies into a vendor directory
- make lint: Run our static analysis suite
- make test: Run unit tests and generate a coverage artifact
- make integration: Run integration tests and generate a coverage artifact
- make coverage: Report the combined coverage for unit and integration tests
- make build: Generate a local build of the project (if applicable)
- make run: Run a local instance of the project (if applicable)
- make doc: Generate the project code documentation and make it viewable locally.
Quality Gates
Our build process will run the following checks before going green:
- make lint
- make test
- make integration
- make coverage (combined result must be 85% or above for the project)
Running these locally will give early indicators of pass/fail.
License
This project is licensed under Apache 2.0. See LICENSE.txt for details.
Contributing Agreement
Atlassian requires signing a contributor's agreement before we can accept a
patch. If you are an individual you can fill out the
individual CLA.
If you are contributing on behalf of your company then please fill out the
corporate CLA.