From 88dba86de6791aadd280234c81930e447229c786 Mon Sep 17 00:00:00 2001
From: Ruben Romero Montes
Date: Mon, 19 Feb 2024 12:20:41 +0100
Subject: [PATCH] fix: add domain to cve keys
Signed-off-by: Ruben Romero Montes
---
 deploy/onguard.yaml | 2 +-
 deploy/openshift/template.yaml | 2 +-
 .../repository/redis/BulkRedisRepository.java | 2 +-
 .../redis/VulnerabilityRedisRepository.java | 18 +++++++++++-------
 .../onguard/service/LoadService.java | 2 +-
 src/main/resources/application.properties | 4 +---
 src/test/resources/vulnerabilities.redis | 4 ++--
 7 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/deploy/onguard.yaml b/deploy/onguard.yaml
index 878116a..20cc01c 100644
--- a/deploy/onguard.yaml
+++ b/deploy/onguard.yaml
@@ -105,7 +105,7 @@ data:
 echo "There is an ongoing load. Skip"
 else
 echo "Unknown load status ${load}. Force reload"
- curl -XPOST ${endpoint}
+ curl -XPOST ${endpoint}?reload=true
 fi
 else
 echo "Unexpected status code ${status_code}. Skip load and sync."
diff --git a/deploy/openshift/template.yaml b/deploy/openshift/template.yaml
index 5e3ddea..ca83167 100644
--- a/deploy/openshift/template.yaml
+++ b/deploy/openshift/template.yaml
@@ -147,7 +147,7 @@ objects:
 echo "There is an ongoing load. Skip"
 else
 echo "Unknown load status ${load}. Force reload."
- curl -XPOST ${endpoint}
+ curl -XPOST ${endpoint}?reload=true
 fi
 else
 echo "Unexpected status code ${status_code}. Skip load and sync."
diff --git a/src/main/java/com/redhat/ecosystemappeng/onguard/repository/redis/BulkRedisRepository.java b/src/main/java/com/redhat/ecosystemappeng/onguard/repository/redis/BulkRedisRepository.java
index e401d71..5bca22b 100644
--- a/src/main/java/com/redhat/ecosystemappeng/onguard/repository/redis/BulkRedisRepository.java
+++ b/src/main/java/com/redhat/ecosystemappeng/onguard/repository/redis/BulkRedisRepository.java
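Review bot: The added `curl -XPOST ${endpoint}?reload=true` leaves the URL unquoted, so the shell applies word splitting and pathname expansion (`?` is a single-character wildcard) to it before curl ever sees it; quote it as `curl -XPOST "${endpoint}?reload=true"`. The identical line in the deploy/openshift/template.yaml hunk needs the same change. Because this is the forced-reload branch, consider `curl -fsS -XPOST "${endpoint}?reload=true"` so that a non-2xx reply from the endpoint becomes a failed command instead of being ignored; whether the surrounding script checks curl's exit status is not visible in the hunk. The script this line belongs to starts and ends outside the hunk.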
@@ -27,7 +27,7 @@
 @ApplicationScoped
 public class BulkRedisRepository implements BulkRepository {
- private static final String LOAD_RECORD = "load";
+ private static final String LOAD_RECORD = "load:status";
 private final ValueCommands bulkCommands;
diff --git a/src/main/java/com/redhat/ecosystemappeng/onguard/repository/redis/VulnerabilityRedisRepository.java b/src/main/java/com/redhat/ecosystemappeng/onguard/repository/redis/VulnerabilityRedisRepository.java
index d5f6d3a..4cfca22 100644
--- a/src/main/java/com/redhat/ecosystemappeng/onguard/repository/redis/VulnerabilityRedisRepository.java
+++ b/src/main/java/com/redhat/ecosystemappeng/onguard/repository/redis/VulnerabilityRedisRepository.java
@@ -49,10 +49,10 @@ public class VulnerabilityRedisRepository implements VulnerabilityRepository {
 ObjectMapper mapper;
 private final ValueCommands aliasCommands;
- private final JsonCommands jsonCommands;
+ private final JsonCommands vulnCommands;
 public VulnerabilityRedisRepository(RedisDataSource ds) {
- this.jsonCommands = ds.json(String.class);
+ this.vulnCommands = ds.json(String.class);
 this.aliasCommands = ds.value(Alias.class);
 }
@@ -61,16 +61,20 @@ public Vulnerability get(String cveId) {
 if (cveId == null) {
 return null;
 }
- var vuln = jsonCommands.jsonGet(cveId, Vulnerability.class);
+ var vuln = vulnCommands.jsonGet(cvesKey(cveId), Vulnerability.class);
 if (vuln == null) {
 return Vulnerability.builder().cveId(cveId).build();
 }
 return vuln;
 }
+ private String cvesKey(String cveId) {
+ return "cves:" + cveId;
+ }
+
 @Override
 public void save(Vulnerability vulnerability) {
- jsonCommands.jsonSet(vulnerability.cveId(), vulnerability);
+ vulnCommands.jsonSet(cvesKey(vulnerability.cveId()), vulnerability);
 var alias = new Alias(vulnerability.cveId(), vulnerability.cveId());
 aliasCommands.set(Alias.getKey(alias.id()), alias);
 }
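Review bot: Changing `LOAD_RECORD` from "load" to "load:status" moves the Redis key the load status is read from and written to, but nothing in the commit migrates or deletes the record under the old key, so an already-deployed instance presumably reports no status after the upgrade while the stale "load" key lingers. A one-off rename at startup, or at least a comment such as `// key renamed from "load" in 88dba86; the old key is not migrated`, would make the cutover explicit. The same concern applies to the CVE documents re-keyed under the "cves:" prefix in VulnerabilityRedisRepository. The rest of the class is outside the hunk.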
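Review bot: `cvesKey` concatenates whatever it is handed, so `save` now stores a vulnerability with a null id under the literal key `cves:null` instead of passing a null key to the client, while `get` still rejects a null id up front; the two paths should agree, e.g. `return "cves:" + Objects.requireNonNull(cveId, "cveId");` (java.util.Objects, if not already imported). The "cves:" prefix is also a bare literal in a method body; a `private static final String CVE_KEY_PREFIX = "cves:";` would mirror how BulkRedisRepository names `LOAD_RECORD` and give the test fixture a single definition to track. A one-line Javadoc on the helper, `/** Namespaces a CVE id into the Redis key under which its JSON document is stored. */`, would help readers too. The class continues outside the hunk.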
@@ -85,10 +89,10 @@ public List list(List cves) {
 if (cves == null || cves.isEmpty()) {
 return Collections.emptyList();
 }
- var first = cves.get(0);
- var varargs = new ArrayList<>(cves.subList(1, cves.size()));
+ var first = cvesKey(cves.get(0));
+ var varargs = new ArrayList<>(cves.subList(1, cves.size()).stream().map(this::cvesKey).toList());
 varargs.add("$");
- var found = jsonCommands.jsonMget(first, varargs.toArray(new String[0]));
+ var found = vulnCommands.jsonMget(first, varargs.toArray(new String[0]));
 var results = new ArrayList();
 for (int i = 0; i < cves.size(); i++) {
 Vulnerability vuln = null;
diff --git a/src/main/java/com/redhat/ecosystemappeng/onguard/service/LoadService.java b/src/main/java/com/redhat/ecosystemappeng/onguard/service/LoadService.java
index 60eb0bc..970109b 100644
--- a/src/main/java/com/redhat/ecosystemappeng/onguard/service/LoadService.java
+++ b/src/main/java/com/redhat/ecosystemappeng/onguard/service/LoadService.java
@@ -48,7 +48,7 @@ public class LoadService {
 @Inject
 BulkRepository bulkRepository;
- @ConfigProperty(name = "load.pageSize", defaultValue = "200")
+ @ConfigProperty(name = "load.pageSize", defaultValue = "1000")
 Integer pageSize;
 public void loadFromNvdApi(LocalDateTime since) {
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 124a284..f3ee208 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -9,8 +9,6 @@ quarkus.rest-client.nvd-api.url=https://services.nvd.nist.gov
 quarkus.management.enabled=true
-# sync every 2nd hour
-load.sync.cron=0 0 */2 * * ?
-load.pageSize=200
+load.pageSize=1000
 quarkus.cache.redis.osvQueryBatch.expire-after-write=1d
\ No newline at end of file
diff --git a/src/test/resources/vulnerabilities.redis b/src/test/resources/vulnerabilities.redis
index a4592be..8286b7e 100644
--- a/src/test/resources/vulnerabilities.redis
+++ b/src/test/resources/vulnerabilities.redis
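Review bot: In `list`, the new `varargs` line materialises the mapped keys twice: `Stream.toList()` builds an unmodifiable list that is immediately copied into a fresh ArrayList only so that `"$"` can be appended. Collecting straight into the mutable list reads cleaner and avoids the copy: `var varargs = cves.subList(1, cves.size()).stream().map(this::cvesKey).collect(Collectors.toCollection(ArrayList::new));` (needs java.util.stream.Collectors in scope). Because `cvesKey` is applied per element, a null entry in `cves` is silently looked up as the key `cves:null`; whether callers can pass nulls is not visible here. The remainder of `list` is outside the hunk.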
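Review bot: Removing `load.sync.cron` and its comment is not covered by the commit subject "fix: add domain to cve keys" and is not explained in the file; if any in-app scheduler still expands that property, resolution will fail at startup, which this diff cannot show. If the periodic sync is now intentionally triggered by the deploy-side script touched in this commit, a comment at the removed location such as `# periodic sync is triggered externally (see deploy/), not by an in-app schedule` would record that decision. The new `load.pageSize=1000` also duplicates the `defaultValue = "1000"` set on the field in LoadService; keeping the value in one place avoids the two drifting apart.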
@@ -1,5 +1,5 @@ -JSON.SET CVE-2022-24683 $ '{"affected": [{"package": {"ecosystem": "Go","name": "github.com/hashicorp/nomad","purl": "pkg:golang/github.com/hashicorp/nomad"},"ranges": [{"events": [{"introduced": "0.9.2"},{"fixed": "1.0.18"}],"type": "SEMVER"}]},{"package": {"ecosystem": "Go","name": "github.com/hashicorp/nomad","purl": "pkg:golang/github.com/hashicorp/nomad"},"ranges": [{"events": [{"introduced": "1.1.0"},{"fixed": "1.1.12"}],"type": "SEMVER"}]},{"package": {"ecosystem": "Go","name": "github.com/hashicorp/nomad","purl": "pkg:golang/github.com/hashicorp/nomad"},"ranges": [{"events": [{"introduced": "1.2.0"},{"fixed": "1.2.6"}],"type": "SEMVER"}]}],"created": "2024-01-12T08:42:52.166+00:00","cveId": "CVE-2022-24683","description": "Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root. There are currently no known workarounds. 
Users are recommended to upgrade as soon as possible to avoid this issue.","metrics": {"cvssMetricV2": [{"acInsufInfo": false,"baseSeverity": "HIGH","cvssData": {"availabilityImpact": "NONE","baseScore": 7.8,"confidentialityImpact": "COMPLETE","integrityImpact": "NONE","vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N","version": "2.0"},"exploitabilityScore": 10.0,"impactScore": 6.9,"obtainAllPrivilege": false,"obtainOtherPrivilege": false,"obtainUserPrivilege": false,"source": "nvd@nist.gov","type": "Primary","userInteractionRequired": false}],"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW","attackVector": "NETWORK","availabilityImpact": "NONE","baseScore": 7.5,"baseSeverity": "HIGH","confidentialityImpact": "HIGH","integrityImpact": "NONE","privilegesRequired": "NONE","scope": "UNCHANGED","userInteraction": "NONE","vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version": "3.1"},"exploitabilityScore": 3.9,"impactScore": 3.6,"source": "nvd@nist.gov","type": "Primary"}]},"summary": "Arbitrary file reads in HashiCorp Nomad"}' -JSON.SET CVE-2022-30324 $ '{"affected": [{"package": {"ecosystem": "Go","name": "github.com/hashicorp/nomad","purl": "pkg:golang/github.com/hashicorp/nomad"},"ranges": [{"events": [{"introduced": "0.2.0"},{"fixed": "1.1.14"}],"type": "SEMVER"}]},{"package": {"ecosystem": "Go","name": "github.com/hashicorp/nomad","purl": "pkg:golang/github.com/hashicorp/nomad"},"ranges": [{"events": [{"introduced": "1.2.0"},{"fixed": "1.2.8"}],"type": "SEMVER"}]},{"package": {"ecosystem": "Go","name": "github.com/hashicorp/nomad","purl": "pkg:golang/github.com/hashicorp/nomad"},"ranges": [{"events": [{"introduced": "1.3.0"},{"fixed": "1.3.1"}],"type": "SEMVER"}]}],"created": "2024-01-12T08:42:52.166+00:00","cveId": "CVE-2022-30324","description": "HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 were impacted by go-getter vulnerabilities enabling privilege escalation through the artifact stanza in submitted jobs onto the client 
agent host. Fixed in 1.1.14, 1.2.8, and 1.3.1.","metrics": {"cvssMetricV2": [{"acInsufInfo": false,"baseSeverity": "HIGH","cvssData": {"availabilityImpact": "PARTIAL","baseScore": 7.5,"confidentialityImpact": "PARTIAL","integrityImpact": "PARTIAL","vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P","version": "2.0"},"exploitabilityScore": 10.0,"impactScore": 6.4,"obtainAllPrivilege": false,"obtainOtherPrivilege": false,"obtainUserPrivilege": false,"source": "nvd@nist.gov","type": "Primary","userInteractionRequired": false}],"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW","attackVector": "NETWORK","availabilityImpact": "HIGH","baseScore": 9.8,"baseSeverity": "CRITICAL","confidentialityImpact": "HIGH","integrityImpact": "HIGH","privilegesRequired": "NONE","scope": "UNCHANGED","userInteraction": "NONE","vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version": "3.1"},"exploitabilityScore": 3.9,"impactScore": 5.9,"source": "nvd@nist.gov","type": "Primary"}]},"summary": "Privilege escalation in Hashicorp Nomad"}' +JSON.SET cves:CVE-2022-24683 $ '{"affected": [{"package": {"ecosystem": "Go","name": "github.com/hashicorp/nomad","purl": "pkg:golang/github.com/hashicorp/nomad"},"ranges": [{"events": [{"introduced": "0.9.2"},{"fixed": "1.0.18"}],"type": "SEMVER"}]},{"package": {"ecosystem": "Go","name": "github.com/hashicorp/nomad","purl": "pkg:golang/github.com/hashicorp/nomad"},"ranges": [{"events": [{"introduced": "1.1.0"},{"fixed": "1.1.12"}],"type": "SEMVER"}]},{"package": {"ecosystem": "Go","name": "github.com/hashicorp/nomad","purl": "pkg:golang/github.com/hashicorp/nomad"},"ranges": [{"events": [{"introduced": "1.2.0"},{"fixed": "1.2.6"}],"type": "SEMVER"}]}],"created": "2024-01-12T08:42:52.166+00:00","cveId": "CVE-2022-24683","description": "Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. 
HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root. There are currently no known workarounds. Users are recommended to upgrade as soon as possible to avoid this issue.","metrics": {"cvssMetricV2": [{"acInsufInfo": false,"baseSeverity": "HIGH","cvssData": {"availabilityImpact": "NONE","baseScore": 7.8,"confidentialityImpact": "COMPLETE","integrityImpact": "NONE","vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N","version": "2.0"},"exploitabilityScore": 10.0,"impactScore": 6.9,"obtainAllPrivilege": false,"obtainOtherPrivilege": false,"obtainUserPrivilege": false,"source": "nvd@nist.gov","type": "Primary","userInteractionRequired": false}],"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW","attackVector": "NETWORK","availabilityImpact": "NONE","baseScore": 7.5,"baseSeverity": "HIGH","confidentialityImpact": "HIGH","integrityImpact": "NONE","privilegesRequired": "NONE","scope": "UNCHANGED","userInteraction": "NONE","vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version": "3.1"},"exploitabilityScore": 3.9,"impactScore": 3.6,"source": "nvd@nist.gov","type": "Primary"}]},"summary": "Arbitrary file reads in HashiCorp Nomad"}' +JSON.SET cves:CVE-2022-30324 $ '{"affected": [{"package": {"ecosystem": "Go","name": "github.com/hashicorp/nomad","purl": "pkg:golang/github.com/hashicorp/nomad"},"ranges": [{"events": [{"introduced": "0.2.0"},{"fixed": "1.1.14"}],"type": "SEMVER"}]},{"package": {"ecosystem": "Go","name": "github.com/hashicorp/nomad","purl": "pkg:golang/github.com/hashicorp/nomad"},"ranges": [{"events": [{"introduced": "1.2.0"},{"fixed": "1.2.8"}],"type": "SEMVER"}]},{"package": {"ecosystem": "Go","name": "github.com/hashicorp/nomad","purl": "pkg:golang/github.com/hashicorp/nomad"},"ranges": [{"events": [{"introduced": "1.3.0"},{"fixed": "1.3.1"}],"type": "SEMVER"}]}],"created": 
"2024-01-12T08:42:52.166+00:00","cveId": "CVE-2022-30324","description": "HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 were impacted by go-getter vulnerabilities enabling privilege escalation through the artifact stanza in submitted jobs onto the client agent host. Fixed in 1.1.14, 1.2.8, and 1.3.1.","metrics": {"cvssMetricV2": [{"acInsufInfo": false,"baseSeverity": "HIGH","cvssData": {"availabilityImpact": "PARTIAL","baseScore": 7.5,"confidentialityImpact": "PARTIAL","integrityImpact": "PARTIAL","vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P","version": "2.0"},"exploitabilityScore": 10.0,"impactScore": 6.4,"obtainAllPrivilege": false,"obtainOtherPrivilege": false,"obtainUserPrivilege": false,"source": "nvd@nist.gov","type": "Primary","userInteractionRequired": false}],"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW","attackVector": "NETWORK","availabilityImpact": "HIGH","baseScore": 9.8,"baseSeverity": "CRITICAL","confidentialityImpact": "HIGH","integrityImpact": "HIGH","privilegesRequired": "NONE","scope": "UNCHANGED","userInteraction": "NONE","vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version": "3.1"},"exploitabilityScore": 3.9,"impactScore": 5.9,"source": "nvd@nist.gov","type": "Primary"}]},"summary": "Privilege escalation in Hashicorp Nomad"}' SET alias:GHSA-wmrx-57hm-mw7r '{"id": "GHSA-wmrx-57hm-mw7r", "cveId": "CVE-2022-24683"}' SET alias:GHSA-526x-rm7j-v389 '{"id": "GHSA-526x-rm7j-v389", "cveId": "CVE-2022-30324"}'