chef
diff --git a/‎.github/actions/notify-new-cves/README.md‎
Lines changed: 137 additions & 0 deletions b/‎.github/actions/notify-new-cves/README.md‎
Lines changed: 137 additions & 0 deletions
diff --git a/‎.github/actions/notify-new-cves/SETUP.md‎
Lines changed: 255 additions & 0 deletions b/‎.github/actions/notify-new-cves/SETUP.md‎
Lines changed: 255 additions & 0 deletions
@@ -0,0 +1,137 @@
+# notify-new-cves Action
+
+Queries the Chef vulnerability analytics database for CVEs first observed within the last 25 hours, enriches each finding with full Grype match details from `chef-vuln-scan-data`, and dispatches notifications to configured channels.
+
+## How It Works
+
+### 1. Detection
+Runs a SQL query against `native_cve_details`:
+```sql
+SELECT * FROM native_cve_details d
+LEFT JOIN native_scan_results r ON ...
+WHERE d.severity = ANY(severities)
+  AND d.first_observed_at >= NOW() - INTERVAL '25 hours'
+  AND d.last_seen_at >= NOW() - INTERVAL '25 hours'
+```
+
+The dual filter on `first_observed_at` and `last_seen_at` ensures only truly new CVEs are notified (appeared recently AND still present in the latest scan).
+
+The 25-hour window provides resilience for workflows that run slightly late.
+
+### 2. Enrichment
+For each CVE found in the database, the script:
+- Globs `chef-vuln-scan-data/{scan_mode}/{product}/{channel}/{download_site}/**/scanners/grype.latest.json`
+- Finds the match where `vulnerability.id`, `artifact.name`, and `artifact.version` match the DB row
+- Extracts the full `vulnerability`, `relatedVulnerabilities`, `matchDetails`, and `artifact` objects
+- Reads `metadata.json` from the same directory for scan provenance (timestamp, Grype version, DB version)
+
+### 3. Notification
+Each CVE is formatted as a Microsoft Teams Adaptive Card with:
+- **Header**: CVE ID, severity, product, version
+- **Details**: CVSS score, EPSS percentile, fix state, affected package
+- **Description**: Truncated to 500 characters
+- **Additional info**: CWEs, install paths, PURL, reference URLs
+- **Footer**: Scan timestamp, Grype version, DB version
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `database-url` | Yes | - | PostgreSQL connection string (DSN) |
+| `data-repo-path` | Yes | `chef-vuln-scan-data` | Path to checked-out chef-vuln-scan-data repo |
+| `severities` | No | `Critical` | Comma-separated severity levels (Critical, High, Medium, Low) |
+| `teams-webhook-url` | No | - | Microsoft Teams incoming webhook URL |
+| `dry-run` | No | `false` | If `true`, print payloads without sending |
+
+## Usage
+
+### In a workflow
+```yaml
+- name: Checkout chef-vuln-scan-data
+  uses: actions/checkout@v4
+  with:
+    repository: chef/chef-vuln-scan-data
+    token: ${{ secrets.DATA_REPO_TOKEN }}
+    path: chef-vuln-scan-data
+
+- name: Notify new CVEs
+  uses: ./.github/actions/notify-new-cves
+  with:
+    database-url: ${{ secrets.DATABASE_URL_RO }}
+    data-repo-path: chef-vuln-scan-data
+    severities: Critical,High
+    teams-webhook-url: ${{ secrets.TEAMS_WEBHOOK_URL }}
+    dry-run: false
+```
+
+### Dry run for testing
+Set `dry-run: true` to print the notification payloads to the Actions log without sending them to Teams. Useful for:
+- Verifying query results
+- Testing card formatting
+- Validating enrichment logic
+
+## Secrets Required
+
+| Secret | Description | Scope |
+|--------|-------------|-------|
+| `DATABASE_URL_RO` | Postgres connection string (read-only user; only performs SELECT queries) | Org or repo |
+| `TEAMS_WEBHOOK_URL` | Teams incoming webhook URL (get from Teams channel connectors) | Org or repo |
+| `DATA_REPO_TOKEN` | PAT for checking out chef-vuln-scan-data (already exists) | Org or repo |
+
+## Dispatcher Pattern
+
+The notification logic is architected as a dispatcher so new channels can be added without changing the detection/enrichment logic:
+
+```python
+def dispatch_notifications(notifications, teams_webhook=None, email_config=None, jira_config=None):
+    if teams_webhook:
+        send_teams_notification(notifications, teams_webhook)
+    if email_config:
+        send_email_notification(notifications, email_config)  # Future
+    if jira_config:
+        create_jira_issues(notifications, jira_config)        # Future
+```
+
+To add a new channel, implement a new `send_*` function and add it to the dispatcher.
+
+## Scheduled Workflow
+
+The workflow that calls this action lives in [chef/chef-vuln-scan-orchestrator](https://github.com/chef/chef-vuln-scan-orchestrator):
+- Path: `.github/workflows/notify-new-cves.yml`
+- Schedule: 10:00 UTC daily (after nightly scans complete around 07:00 UTC)
+- Advantage: Uses existing `DATA_REPO_TOKEN` secret already configured in the orchestrator
+
+## Verification Steps
+
+### 1. Dry run
+Trigger `cd-notify-new-cves.yml` manually with `dry-run: true` — confirm formatted card payload appears in the Actions log.
+
+### 2. Inject test row
+Manually insert a test CVE into `native_cve_details`:
+```sql
+INSERT INTO native_cve_details (
+    scan_mode, product, channel, download_site,
+    cve_id, severity, package_name, package_version,
+    fix_available, fix_version,
+    first_observed_at, last_seen_at
+) VALUES (
+    'native', 'test-product', 'stable', 'commercial',
+    'CVE-2025-99999', 'Critical', 'test-package', '1.0.0',
+    false, NULL,
+    NOW(), NOW()
+);
+```
+
+Trigger dry run and confirm the test CVE is detected and enriched.
+
+### 3. End-to-end
+Remove `dry-run: true` and trigger the workflow — confirm a Teams message arrives in the configured channel.
+
+### 4. No false positives
+Re-run the workflow the next day when no new CVEs exist — confirm no messages are sent.
+
+## Limitations
+
+- **Scope**: Only native/modern products (habitat and container scans not yet supported)
+- **Deduplication**: A CVE appearing in multiple OS/arch platforms will send multiple notifications (one per unique product × CVE × package combination)
+- **Rate limiting**: Teams webhooks have rate limits (check Microsoft docs); may need throttling for large batches
@@ -0,0 +1,255 @@
+# CVE Notifier Setup Guide
+
+## Quick Start
+
+The CVE notification system has been implemented in three components:
+
+1. **notify.py** - Python script that queries the database, enriches with Grype data, and sends Teams notifications
+2. **action.yml** - GitHub Action wrapper around notify.py
+3. **cd-notify-new-cves.yml** - Scheduled workflow that runs daily at 10:00 UTC (in another repo).
+
+## Files Created
+
+```
+common-github-actions/
+├── .github/
+│   ├── actions/
+│   │   └── notify-new-cves/
+│   │       ├── action.yml         # Action definition
+│   │       ├── notify.py          # Core notification script
+│   │       └── README.md          # Detailed documentation
+│   └── workflows/
+│       └── cd-notify-new-cves.yml # Daily scheduled workflow
+```
+
+## Prerequisites
+
+### 1. Create GitHub Secrets
+
+Add these secrets to the `chef/chef-vuln-scan-orchestrator` repository (or at org level):
+
+| Secret Name | Description | How to Get It |
+|------------|-------------|---------------|
+| `DATABASE_URL_RO` | Postgres connection string (read-only user) | From your RDS instance or infrastructure team |
+| `TEAMS_WEBHOOK_URL` | Teams incoming webhook URL | Create in Teams: Channel → Connectors → Incoming Webhook |
+| `DATA_REPO_TOKEN` | PAT for chef-vuln-scan-data | Should already exist (used by scan workflows) |
+
+**Note**: The notification workflow only performs `SELECT` queries on `scan_runs`, `native_cve_details`, and `native_scan_results`. No write operations are performed—you can use a dedicated read-only database user for security.
+
+#### Database URL Format
+
+PostgreSQL connection string format:
+- Scheme: `postgresql`
+- Format: `<scheme>://<username>:<password>@<hostname>:<port>/<database>`
+- Default port: `5432`
+
+Replace the angle-bracketed placeholders with your actual connection details.
+
+#### Teams Webhook URL
+1. In Microsoft Teams, go to the channel where you want notifications
+2. Click the `...` menu → Connectors → Incoming Webhook
+3. Name: "Chef CVE Alerts" (or similar)
+4. Upload an icon (optional)
+5. Click "Create"
+6. Copy the webhook URL (starts with `https://progress.webhook.office.com/...`)
+7. Add as GitHub secret
+
+### 2. Verify Database Schema
+
+Ensure your database has the latest migrations applied:
+```bash
+cd chef-vuln-scan-db
+./scripts/migrate.sh
+```
+
+Required tables:
+- `scan_runs` (stores run metadata)
+- `native_cve_details` (stores individual CVE findings)
+- `native_scan_results` (stores scan result aggregates)
+
+### 3. Verify Data Repository Access
+
+The workflow checks out `chef/chef-vuln-scan-data` using `DATA_REPO_TOKEN`. Verify this secret has read access.
+
+## Testing
+
+### Dry Run (Recommended First Step)
+
+1. Go to the [chef-vuln-scan-orchestrator](https://github.com/chef/chef-vuln-scan-orchestrator) repo
+2. Navigate to Actions → Notify New CVEs
+3. Click "Run workflow"
+4. Set `dry-run` to `true`
+5. Set `severities` to `Critical` (or `Critical,High` for testing)
+6. Click "Run workflow"
+
+This will:
+- Query the database
+- Enrich findings with Grype data
+- Print the Teams card payload to the Actions log
+- **NOT** send any actual notifications
+
+Review the output to ensure:
+- CVEs are being detected correctly
+- Enrichment finds the Grype match data
+- Card formatting looks good
+
+### Test with Injected CVE
+
+If you want to test without waiting for a real CVE, inject a test row:
+
+```sql
+-- Connect to your database
+psql $DATABASE_URL
+
+-- Insert a test CVE
+INSERT INTO native_cve_details (
+    scan_mode, product, channel, download_site,
+    cve_id, severity, package_name, package_version,
+    fix_available, fix_version,
+    first_observed_at, last_seen_at
+) VALUES (
+    'native', 'chef', 'stable', 'commercial',
+    'CVE-2025-TEST', 'Critical', 'test-package', '1.0.0',
+    false, NULL,
+    NOW(), NOW()
+) ON CONFLICT DO NOTHING;
+
+-- Verify it was inserted
+SELECT * FROM native_cve_details WHERE cve_id = 'CVE-2025-TEST';
+```
+
+Then run a dry-run workflow. You should see the test CVE in the output.
+
+**Important**: Clean up the test row after testing:
+```sql
+DELETE FROM native_cve_details WHERE cve_id = 'CVE-2025-TEST';
+```
+
+### Live Test
+
+Once dry-run looks good:
+
+1. Run workflow again with `dry-run` set to `false`
+2. Check your Teams channel for the notification
+3. Verify the card displays correctly
+4. Click through the reference links to ensure they work
+
+### Verify No False Positives
+
+Run the workflow again immediately (or the next day when no new CVEs exist). It should:
+- Find 0 new CVEs
+- Print: "No new CVEs detected — no notifications to send"
+- **NOT** send any Teams messages
+
+## Production Schedule
+
+The workflow (located in `chef-vuln-scan-orchestrator/.github/workflows/notify-new-cves.yml`) can be enabled to run automatically daily at **10:00 UTC** by uncommenting the schedule:
+
+```yaml
+schedule:
+  - cron: '0 10 * * *'
+```
+
+This is 3 hours after the nightly scans complete (~07:00 UTC), providing buffer time.
+
+The schedule is commented out by default to allow testing with manual runs first.
+
+## Customization
+
+### Change Severity Threshold
+
+Edit the workflow file to notify on High severity as well:
+```yaml
+severities: Critical,High
+```
+
+Or run manually with custom severities via workflow_dispatch.
+
+### Add Email Notifications
+
+The dispatcher pattern makes this easy:
+
+1. Add email configuration as a secret (JSON with SMTP settings)
+2. Implement `send_email_notification()` in notify.py
+3. Add email logic to `dispatch_notifications()`
+4. Add input to action.yml and workflow
+
+### Add Jira Integration
+
+Similar pattern:
+
+1. Add Jira credentials as secrets
+2. Implement `create_jira_issues()` in notify.py
+3. Add to dispatcher
+4. Configure in action.yml/workflow
+
+## Monitoring
+
+### Check Workflow Runs
+
+- Go to [chef-vuln-scan-orchestrator Actions](https://github.com/chef/chef-vuln-scan-orchestrator/actions)
+- Select "Notify New CVEs" workflow
+- Review recent runs for failures
+- Check logs for warnings about missing Grype matches
+
+### Common Issues
+
+**No CVEs found but expecting some:**
+- Check database: `SELECT * FROM native_cve_details WHERE first_observed_at >= NOW() - INTERVAL '25 hours'`
+- Verify scan workflows are running and inserting data
+- Check `last_seen_at` values are recent
+
+**Grype match not found:**
+- Verify chef-vuln-scan-data repo has the grype.latest.json files
+- Check the file path pattern matches: `{scan_mode}/{product}/{channel}/{download_site}/**/scanners/grype.latest.json`
+- Look for warning in Actions log: "Could not find Grype match for..."
+
+**Teams notification not arriving:**
+- Verify webhook URL is correct
+- Check Teams webhook hasn't been deleted/disabled
+- Look for HTTP error in Actions log
+- Test webhook manually with curl
+
+**Database connection fails:**
+- Verify DATABASE_URL_RO secret is correct
+- Check database is accessible from GitHub Actions runners (security groups/firewalls)
+- Ensure the read-only user has SELECT permissions on the required tables
+
+## Architecture
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│  GitHub Actions: cd-notify-new-cves.yml                     │
+│  Schedule: Daily at 10:00 UTC                               │
+└─────────────────────────────────────────────────────────────┘
+                           │
+                           ▼
+┌─────────────────────────────────────────────────────────────┐
+│  Action: notify-new-cves                                     │
+│  ┌─────────────────────────────────────────────────────┐   │
+│  │  notify.py                                           │   │
+│  │  1. Query Postgres for new CVEs (first_observed_at) │   │
+│  │  2. Enrich with Grype match from chef-vuln-scan-data│   │
+│  │  3. Format as Teams Adaptive Card                    │   │
+│  │  4. Send to webhook (or dry-run)                     │   │
+│  └─────────────────────────────────────────────────────┘   │
+└─────────────────────────────────────────────────────────────┘
+                           │
+                           ▼
+                   ┌──────────────┐
+                   │ Microsoft    │
+                   │ Teams        │
+                   │ Channel      │
+                   └──────────────┘
+```
+
+## Next Steps
+
+1. ✅ Create GitHub secrets (DATABASE_URL_RO, TEAMS_WEBHOOK_URL)
+2. ✅ Run dry-run test
+3. ✅ Inject test CVE and verify detection
+4. ✅ Run live test (send one notification to Teams)
+5. ✅ Monitor first scheduled run at 10:00 UTC tomorrow
+6. ⏳ Consider adding High severity notifications
+7. ⏳ Extend to Habitat scans (requires habitat_cve_details query)
+8. ⏳ Add email/Jira channels as needed