lunasec-io / lunasec

LunaSec - Dependency Security Scanner that automatically notifies you about vulnerabilities like Log4Shell or node-ipc in your Pull Requests and Builds. Protect yourself in 30 seconds with the LunaTrace GitHub App: https://github.com/marketplace/lunatrace-by-lunasec/
https://www.lunasec.io/

Fetch epss scores #1087

Closed breadchris closed 1 year ago

breadchris commented 1 year ago

STOP: Is this a security vulnerability? If so, follow Responsible Disclosure and email us at security@lunasec.io instead of opening a public PR.

CLAassistant commented 1 year ago

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
2 out of 3 committers have signed the CLA.

:white_check_mark: breadchris
:white_check_mark: freeqaz
:x: github-actions[bot]

github-actions[bot] commented 1 year ago

Hasura Semantic Diff

Hasura config files have changed. This comment shows which fields have changed ignoring formatting.

Click to expand! ``` (root level) + one list entry added: - "!include vulnerability_cisa_known_exploited.yaml" (root level) + two map entries added: table: name: cisa_known_exploited schema: vulnerability computed_fields: - name: vulnerability comment: "Vulnerability referenced by the known exploited vulnerability." definition: function: name: cisa_known_exploited_vulnerability schema: vulnerability table_argument: known_exploited (root level) + one map entry added: computed_fields: - name: cisa_known_exploited definition: function: name: vulnerability_cisa_known_exploited schema: vulnerability table_argument: vulnerability lunatrace-custom.permissions - three list entries removed: - role: user definition: schema: | scalar JSON scalar UUID type AuthenticatedRepoCloneUrlOutput { url: String } type Mutation { presignManifestUpload(project_id: UUID!): PresignedUrlResponse } type PresignedUrlResponse { bucket: String! headers: JSON! key: String! url: String! } type Query { authenticatedRepoCloneUrl(repoGithubId: Int!): AuthenticatedRepoCloneUrlOutput fakeQueryToHackHasuraBeingABuggyMess: String sbomUrl(buildId: UUID!): String } type SbomUploadUrlOutput { error: Boolean! uploadUrl: UploadUrl } type UploadUrl { headers: JSON! url: String! } - role: service definition: schema: | scalar JSON scalar UUID type AuthenticatedRepoCloneUrlOutput { url: String } type Mutation { presignManifestUpload(project_id: UUID!): PresignedUrlResponse } type PresignedUrlResponse { bucket: String! headers: JSON! key: String! url: String! } type Query { authenticatedRepoCloneUrl(repoGithubId: Int!): AuthenticatedRepoCloneUrlOutput fakeQueryToHackHasuraBeingABuggyMess: String presignSbomUpload(orgId: UUID!, buildId: UUID!): SbomUploadUrlOutput sbomUrl(buildId: UUID!): String } type SbomUploadUrlOutput { error: Boolean! uploadUrl: UploadUrl } type UploadUrl { headers: JSON! url: String! } input SbomUploadUrlInput { orgId: UUID! projectId: UUID! 
} - role: cli definition: schema: | scalar JSON scalar UUID type Query { presignSbomUpload(orgId: UUID!, buildId: UUID!): SbomUploadUrlOutput } type SbomUploadUrlOutput { error: Boolean! uploadUrl: UploadUrl } type UploadUrl { headers: JSON! url: String! } + three list entries added: - role: user definition: schema: | scalar JSON scalar UUID type AuthenticatedRepoCloneUrlOutput { url: String } type Mutation { presignManifestUpload(project_id: UUID!): PresignedUrlResponse } type PresignedUrlResponse { bucket: String! headers: JSON! key: String! url: String! } type Query { authenticatedRepoCloneUrl(repoGithubId: Int!): AuthenticatedRepoCloneUrlOutput fakeQueryToHackHasuraBeingABuggyMess: String sbomUrl(buildId: UUID!): String } type SbomUploadUrlOutput { error: Boolean! uploadUrl: UploadUrl } type UploadUrl { headers: JSON! url: String! } - role: service definition: schema: | scalar JSON scalar UUID type AuthenticatedRepoCloneUrlOutput { url: String } type Mutation { presignManifestUpload(project_id: UUID!): PresignedUrlResponse } type PresignedUrlResponse { bucket: String! headers: JSON! key: String! url: String! } type Query { authenticatedRepoCloneUrl(repoGithubId: Int!): AuthenticatedRepoCloneUrlOutput fakeQueryToHackHasuraBeingABuggyMess: String presignSbomUpload(orgId: UUID!, buildId: UUID!): SbomUploadUrlOutput sbomUrl(buildId: UUID!): String } type SbomUploadUrlOutput { error: Boolean! uploadUrl: UploadUrl } type UploadUrl { headers: JSON! url: String! } input SbomUploadUrlInput { orgId: UUID! projectId: UUID! } - role: cli definition: schema: | scalar JSON scalar UUID type Query { presignSbomUpload(orgId: UUID!, buildId: UUID!): SbomUploadUrlOutput } type SbomUploadUrlOutput { error: Boolean! uploadUrl: UploadUrl } type UploadUrl { headers: JSON! url: String! } 
diff --git a/lunatrace/bsl/hasura/migrations/lunatrace/1672788403469_add_cisa_known_exploited_vulnerabilities/down.sql b/lunatrace/bsl/hasura/migrations/lunatrace/1672788403469_add_cisa_known_exploited_vulnerabilities/down.sql new file mode 100644 index 00000000..5ce32bb1 --- /dev/null +++ b/lunatrace/bsl/hasura/migrations/lunatrace/1672788403469_add_cisa_known_exploited_vulnerabilities/down.sql @@ -0,0 +1,5 @@ + +DROP TABLE IF EXISTS vulnerability.cisa_known_exploited CASCADE; +DROP INDEX IF EXISTS vulnerability_equivalent_b_idx; +DROP FUNCTION vulnerability.cisa_known_exploited_vulnerability; +DROP FUNCTION vulnerability.vulnerability_cisa_known_exploited; diff --git a/lunatrace/bsl/hasura/migrations/lunatrace/1672788403469_add_cisa_known_exploited_vulnerabilities/up.sql b/lunatrace/bsl/hasura/migrations/lunatrace/1672788403469_add_cisa_known_exploited_vulnerabilities/up.sql new file mode 100644 index 00000000..83e8ffa4 --- /dev/null +++ b/lunatrace/bsl/hasura/migrations/lunatrace/1672788403469_add_cisa_known_exploited_vulnerabilities/up.sql 
@@ -0,0 +1,37 @@ +-- Indexes to speed up EPSS inserter +CREATE INDEX IF NOT EXISTS vulnerability_equivalent_b_idx ON vulnerability.equivalent (b); + +CREATE INDEX IF NOT EXISTS vulnerability_vulnerability_source_id_idx ON vulnerability.vulnerability (source_id); + +-- Table to hold the CISA Known Exploited vulnerabilities +CREATE TABLE IF NOT EXISTS vulnerability.cisa_known_exploited ( + "id" uuid NOT NULL DEFAULT gen_random_uuid(), + cve TEXT UNIQUE, + vendor_project text NOT NULL, + product text NOT NULL, + vulnerability_name text NOT NULL, + date_added date NOT NULL, + short_description text NOT NULL, + required_action text NOT NULL, + due_date date NOT NULL, + notes text NOT NULL, + PRIMARY KEY ("id"), + CHECK (cve LIKE 'CVE-%') +); + +CREATE OR REPLACE FUNCTION vulnerability.cisa_known_exploited_vulnerability(known_exploited vulnerability.cisa_known_exploited) + RETURNS SETOF vulnerability.vulnerability AS $$ + SELECT * + FROM vulnerability.vulnerability + WHERE source_id = known_exploited.cve +$$ LANGUAGE sql STABLE; + +CREATE OR REPLACE FUNCTION vulnerability.vulnerability_cisa_known_exploited(vulnerability vulnerability.vulnerability) + RETURNS SETOF vulnerability.cisa_known_exploited + LANGUAGE sql + STABLE +AS $function$ + SELECT * + FROM vulnerability.cisa_known_exploited + WHERE cve = vulnerability.source_id +$function$ ```
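Review bot: in the down.sql hunk, the two unguarded `DROP FUNCTION` statements run after `DROP TABLE IF EXISTS vulnerability.cisa_known_exploited CASCADE;`, and both functions take or return that table's row type, so the CASCADE already removes them and `DROP FUNCTION vulnerability.cisa_known_exploited_vulnerability;` then fails with "function does not exist" (it also fails on a database where the migration was never applied, since there is no IF EXISTS). Drop the functions before the table, or write `DROP FUNCTION IF EXISTS ...` for both. The index drop is also unqualified: `DROP INDEX IF EXISTS vulnerability_equivalent_b_idx;` only finds the index if the `vulnerability` schema is on the search_path, while up.sql creates it on `vulnerability.equivalent`, which puts it in that schema; use `DROP INDEX IF EXISTS vulnerability.vulnerability_equivalent_b_idx;`. Finally, down.sql never drops `vulnerability_vulnerability_source_id_idx`, which up.sql creates, so a rollback leaves that index behind.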
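Review bot: in the up.sql hunk, `cve TEXT UNIQUE` combined with `CHECK (cve LIKE 'CVE-%')` still admits NULL in `cve` (a NULL passes the CHECK and UNIQUE allows any number of NULL rows), yet both computed-field functions join on that column (`WHERE source_id = known_exploited.cve` and `WHERE cve = vulnerability.source_id`), so a row loaded without a CVE id would be accepted but never linked to any vulnerability; declare it `cve TEXT NOT NULL UNIQUE`. Minor style points: the second function ends at `$function$` with no terminating semicolon and uses a different `LANGUAGE sql STABLE AS $function$` layout from the first function's `$$ LANGUAGE sql STABLE;`, so pick one form for both; and the leading comment says the indexes speed up the EPSS inserter while the migration directory is named add_cisa_known_exploited_vulnerabilities, so a one-line comment on why the EPSS indexes travel with this migration would help the next reader.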