implements: #37

Author: timbastin

internal/core/asset/asset_dto.go

@@ -43,6 +43,8 @@ type AssetDTO struct {
 	CVSSAutomaticTicketThreshold *float64 `json:"cvssAutomaticTicketThreshold"`
 	RiskAutomaticTicketThreshold *float64 `json:"riskAutomaticTicketThreshold"`
 
+	VulnAutoReopenAfterDays *int `json:"vulnAutoReopenAfterDays"`
+
 	BadgeSecret   *uuid.UUID `json:"badgeSecret"`
 	WebhookSecret *uuid.UUID `json:"webhookSecret"`
 
@@ -81,6 +83,8 @@ func toDTO(asset models.Asset) AssetDTO {
 		CVSSAutomaticTicketThreshold: asset.CVSSAutomaticTicketThreshold,
 		RiskAutomaticTicketThreshold: asset.RiskAutomaticTicketThreshold,
 
+		VulnAutoReopenAfterDays: asset.VulnAutoReopenAfterDays,
+
 		AssetVersions: asset.AssetVersions,
 
 		ExternalEntityProviderID: asset.ExternalEntityProviderID,
@@ -168,6 +172,8 @@ type PatchRequest struct {
 
 	ConfigFiles *map[string]any `json:"configFiles"`
 
+	VulnAutoReopenAfterDays *int `json:"vulnAutoReopenAfterDays"`
+
 	WebhookSecret *string `json:"webhookSecret"`
 	BadgeSecret   *string `json:"badgeSecret"`
 }
@@ -246,5 +252,10 @@ func (assetPatch *PatchRequest) applyToModel(asset *models.Asset) bool {
 		}
 	}
 
+	if assetPatch.VulnAutoReopenAfterDays != nil {
+		updated = true
+		asset.VulnAutoReopenAfterDays = assetPatch.VulnAutoReopenAfterDays
+	}
+
 	return updated
 }

internal/core/common_interfaces.go

@@ -23,6 +23,7 @@ import (
 	cdx "github.com/CycloneDX/cyclonedx-go"
 	"github.com/google/uuid"
 	"github.com/l3montree-dev/devguard/internal/common"
+
 	"github.com/l3montree-dev/devguard/internal/core/normalize"
 	"github.com/l3montree-dev/devguard/internal/database/models"
 	"github.com/labstack/echo/v4"
@@ -149,6 +150,7 @@ type DependencyVulnRepository interface {
 	GetDependencyVulnsByDefaultAssetVersion(tx DB, assetID uuid.UUID, scannerID string) ([]models.DependencyVuln, error)
 	ListUnfixedByAssetAndAssetVersionAndScannerID(assetVersionName string, assetID uuid.UUID, scannerID string) ([]models.DependencyVuln, error)
 	GetHintsInOrganizationForVuln(tx DB, orgID uuid.UUID, pURL string, cveID string) (common.DependencyVulnHints, error)
+	GetAllByAssetIDAndState(tx DB, assetID uuid.UUID, state models.VulnState, durationSinceStateChange time.Duration) ([]models.DependencyVuln, error)
 }
 
 type FirstPartyVulnRepository interface {

internal/core/daemon/auto_reopen.go

@@ -0,0 +1,66 @@
+// Copyright (C) 2025 l3montree GmbH
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as
+// published by the Free Software Foundation, either version 3 of the
+// License, or (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package daemon
+
+import (
+	"fmt"
+	"log/slog"
+	"time"
+
+	"github.com/l3montree-dev/devguard/internal/core"
+	"github.com/l3montree-dev/devguard/internal/database/models"
+	"github.com/l3montree-dev/devguard/internal/database/repositories"
+)
+
+func AutoReopenAcceptedVulnerabilities(db core.DB) error {
+
+	dependencyVulnRepository := repositories.NewDependencyVulnRepository(db)
+	assetRepository := repositories.NewAssetRepository(db)
+
+	assets, err := assetRepository.All()
+	if err != nil {
+		return err
+	}
+
+	for _, asset := range assets {
+		// check if the asset has auto-reopen enabled
+		if asset.VulnAutoReopenAfterDays == nil {
+			continue
+		}
+
+		// convert days to time.Duration
+		reopenAfterDuration := time.Duration(*asset.VulnAutoReopenAfterDays) * 24 * time.Hour
+
+		// get all closed/accepted vulnerabilities for the asset version
+		vulnerabilities, err := dependencyVulnRepository.GetAllByAssetIDAndState(nil, asset.ID, models.VulnStateAccepted, reopenAfterDuration)
+		if err != nil {
+			return err
+		}
+
+		// create a new vulnerability event for each vulnerability
+		events := make([]models.VulnEvent, 0, len(vulnerabilities))
+		for _, vuln := range vulnerabilities {
+			// create a new event for the vulnerability
+			event := models.NewReopenedEvent(vuln.ID, models.VulnTypeDependencyVuln, "system", fmt.Sprintf("Automatically reopened since the vulnerability was accepted more than %d days ago", *asset.VulnAutoReopenAfterDays))
+			events = append(events, event)
+
+			dependencyVulnRepository.ApplyAndSave(nil, &vuln, &event)
+			slog.Info("reopened vulnerability since it was accepted more than the configured time", "vulnerabilityID", vuln.ID, "assetID", asset.ID, "reopenAfterDays", *asset.VulnAutoReopenAfterDays)
+		}
+	}
+
+	return nil
+}

internal/core/daemon/auto_reopen_integration_test.go

@@ -0,0 +1,230 @@
+package daemon_test
+
+import (
+	"fmt"
+	"testing"
+	"time"
+
+	integration_tests "github.com/l3montree-dev/devguard/integrationtestutil"
+	"github.com/l3montree-dev/devguard/internal/core"
+	"github.com/l3montree-dev/devguard/internal/core/daemon"
+	"github.com/l3montree-dev/devguard/internal/database/models"
+	"github.com/l3montree-dev/devguard/internal/database/repositories"
+	"github.com/l3montree-dev/devguard/internal/utils"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAutoReopenAcceptedVulnerabilities(t *testing.T) {
+	db, terminate := integration_tests.InitDatabaseContainer("../../../initdb.sql")
+	defer terminate()
+
+	err := db.AutoMigrate(
+		&models.Org{},
+		&models.Project{},
+		&models.AssetVersion{},
+		&models.Asset{},
+		&models.ComponentDependency{},
+		&models.Component{},
+		&models.CVE{},
+		&models.AffectedComponent{},
+		&models.DependencyVuln{},
+		&models.Exploit{},
+		&models.VulnEvent{},
+		&models.FirstPartyVuln{},
+	)
+	assert.NoError(t, err)
+
+	// Create test data
+	_, project, asset, assetVersion := integration_tests.CreateOrgProjectAndAssetAssetVersion(db)
+
+	// Set up repositories
+	assetRepo := repositories.NewAssetRepository(db)
+	dependencyVulnRepo := repositories.NewDependencyVulnRepository(db)
+
+	t.Run("should not reopen vulnerabilities if auto-reopen is not configured", func(t *testing.T) {
+		// Ensure asset has no auto-reopen configuration
+		asset.VulnAutoReopenAfterDays = nil
+		err := assetRepo.Update(db, &asset)
+		assert.NoError(t, err)
+
+		// Create a vulnerability that was accepted 2 hours ago
+		vulnerability := createTestVulnerability(t, db, asset, assetVersion, 2*time.Hour)
+		acceptVulnerability(t, db, &vulnerability, 2*time.Hour)
+
+		// Run auto-reopen
+		err = daemon.AutoReopenAcceptedVulnerabilities(db)
+		assert.NoError(t, err)
+
+		// Verify vulnerability is still accepted
+		updatedVuln, err := dependencyVulnRepo.Read(vulnerability.ID)
+		assert.NoError(t, err)
+		assert.Equal(t, models.VulnStateAccepted, updatedVuln.State)
+	})
+
+	t.Run("should not reopen vulnerabilities that are within the time threshold", func(t *testing.T) {
+		// Configure asset for auto-reopen after 1 day
+		autoReopenAfterDays := 1
+		asset.VulnAutoReopenAfterDays = &autoReopenAfterDays
+		err := assetRepo.Update(db, &asset)
+		assert.NoError(t, err)
+
+		// Create a vulnerability that was accepted 1 hour ago (within threshold)
+		vulnerability := createTestVulnerability(t, db, asset, assetVersion, 1*time.Hour)
+		acceptVulnerability(t, db, &vulnerability, 1*time.Hour)
+
+		// Run auto-reopen
+		err = daemon.AutoReopenAcceptedVulnerabilities(db)
+		assert.NoError(t, err)
+
+		// Verify vulnerability is still accepted
+		updatedVuln, err := dependencyVulnRepo.Read(vulnerability.ID)
+		assert.NoError(t, err)
+		assert.Equal(t, models.VulnStateAccepted, updatedVuln.State)
+	})
+
+	t.Run("should reopen vulnerabilities that exceed the time threshold", func(t *testing.T) {
+		// Configure asset for auto-reopen after 1 day
+		autoReopenAfterDays := 1
+		asset.VulnAutoReopenAfterDays = &autoReopenAfterDays
+		err := assetRepo.Update(db, &asset)
+		assert.NoError(t, err)
+
+		// Create a vulnerability that was accepted 2 days ago (exceeds threshold)
+		vulnerability := createTestVulnerability(t, db, asset, assetVersion, 48*time.Hour)
+		acceptVulnerability(t, db, &vulnerability, 48*time.Hour)
+
+		// Run auto-reopen
+		err = daemon.AutoReopenAcceptedVulnerabilities(db)
+		assert.NoError(t, err)
+
+		// Verify vulnerability has been reopened
+		updatedVuln, err := dependencyVulnRepo.Read(vulnerability.ID)
+		assert.NoError(t, err)
+		assert.Equal(t, models.VulnStateOpen, updatedVuln.State)
+
+		// Verify a reopen event was created
+		events := updatedVuln.Events
+		assert.NotEmpty(t, events)
+
+		// Find the reopen event
+		var reopenEvent *models.VulnEvent
+		for _, event := range events {
+			if event.Type == models.EventTypeReopened {
+				reopenEvent = &event
+				break
+			}
+		}
+
+		assert.NotNil(t, reopenEvent, "Expected to find a reopen event")
+		assert.Equal(t, "system", reopenEvent.UserID)
+		assert.NotNil(t, reopenEvent.Justification, "Expected justification to not be nil")
+		assert.Contains(t, *reopenEvent.Justification, "Automatically reopened")
+	})
+
+	t.Run("should handle multiple assets with different configurations", func(t *testing.T) {
+		// Create another asset with different auto-reopen configuration
+		asset2 := models.Asset{
+			Name:        "test-asset-2",
+			Slug:        "test-asset-2",
+			ProjectID:   project.ID,
+			Type:        models.AssetTypeApplication,
+			Description: "Test asset 2",
+		}
+		autoReopenAfter2Days := 2
+		asset2.VulnAutoReopenAfterDays = &autoReopenAfter2Days
+		err := assetRepo.Create(db, &asset2)
+		assert.NoError(t, err)
+
+		assetVersion2 := models.AssetVersion{
+			AssetID:       asset2.ID,
+			Name:          "main",
+			DefaultBranch: true,
+		}
+		assetVersionRepo := repositories.NewAssetVersionRepository(db)
+		err = assetVersionRepo.Create(db, &assetVersion2)
+		assert.NoError(t, err)
+
+		// Set different auto-reopen thresholds
+		autoReopenAfter1Days := 1
+		asset.VulnAutoReopenAfterDays = &autoReopenAfter1Days
+		err = assetRepo.Update(db, &asset)
+		assert.NoError(t, err)
+
+		// Create vulnerabilities for both assets
+		vuln1 := createTestVulnerability(t, db, asset, assetVersion, 1*time.Hour)
+		acceptVulnerability(t, db, &vuln1, 36*time.Hour) // Accepted 1.5 days ago
+
+		vuln2 := createTestVulnerability(t, db, asset2, assetVersion2, 2*time.Hour)
+		acceptVulnerability(t, db, &vuln2, 72*time.Hour) // Accepted 3 days ago
+
+		// Run auto-reopen
+		err = daemon.AutoReopenAcceptedVulnerabilities(db)
+		assert.NoError(t, err)
+
+		// Verify both vulnerabilities are reopened
+		updatedVuln1, err := dependencyVulnRepo.Read(vuln1.ID)
+		assert.NoError(t, err)
+		assert.Equal(t, models.VulnStateOpen, updatedVuln1.State)
+
+		updatedVuln2, err := dependencyVulnRepo.Read(vuln2.ID)
+		assert.NoError(t, err)
+		assert.Equal(t, models.VulnStateOpen, updatedVuln2.State)
+	})
+}
+
+// createTestVulnerability creates a test dependency vulnerability
+func createTestVulnerability(t *testing.T, db core.DB, asset models.Asset, assetVersion models.AssetVersion, timeAgo time.Duration) models.DependencyVuln {
+	// Create a unique CVE ID for each test case
+	cveID := fmt.Sprintf("CVE-2025-TEST-%d", time.Now().UnixNano())
+
+	// Create a test CVE
+	cve := models.CVE{
+		CVE:                 cveID,
+		DatePublished:       time.Now().Add(-24 * time.Hour),
+		DateLastModified:    time.Now().Add(-12 * time.Hour),
+		Description:         "Test vulnerability for auto-reopen testing",
+		CVSS:                7.5,
+		Severity:            models.SeverityHigh,
+		ExploitabilityScore: 3.9,
+		ImpactScore:         3.6,
+	}
+	err := db.Create(&cve).Error
+	assert.NoError(t, err)
+
+	// Create the vulnerability - ID will be auto-generated by BeforeSave hook
+	vulnerability := models.DependencyVuln{
+		Vulnerability: models.Vulnerability{
+			AssetVersionName: assetVersion.Name,
+			AssetID:          asset.ID,
+			State:            models.VulnStateOpen,
+			ScannerIDs:       "test-scanner",
+			LastDetected:     time.Now().Add(-timeAgo),
+		},
+		CVEID:          utils.Ptr(cveID),
+		ComponentPurl:  utils.Ptr("pkg:npm/test-package@1.0.0"),
+		ComponentDepth: utils.Ptr(0),
+	}
+	err = db.Create(&vulnerability).Error
+	assert.NoError(t, err)
+
+	return vulnerability
+}
+
+// acceptVulnerability creates an accepted event for a vulnerability
+func acceptVulnerability(t *testing.T, db core.DB, vulnerability *models.DependencyVuln, timeAgo time.Duration) {
+	// Create an accepted event using the model constructor
+	acceptEvent := models.NewAcceptedEvent(vulnerability.CalculateHash(), models.VulnTypeDependencyVuln, "test-user", "Accepted for testing")
+
+	// Manually set the creation time for testing
+	acceptEvent.CreatedAt = time.Now().Add(-timeAgo)
+	acceptEvent.UpdatedAt = time.Now().Add(-timeAgo)
+
+	err := db.Create(&acceptEvent).Error
+	assert.NoError(t, err)
+
+	// Update vulnerability state
+	vulnerability.State = models.VulnStateAccepted
+	vulnerability.LastDetected = time.Now().Add(-timeAgo)
+	err = db.Save(vulnerability).Error
+	assert.NoError(t, err)
+}

internal/core/daemon/daemon.go

@@ -131,6 +131,19 @@ func Start(db core.DB) {
 			slog.Info("scan updated", "duration", time.Since(start))
 		}
 
+		if shouldMirror(configService, "vulndb.autoReopen") {
+			start = time.Now()
+			// update the auto reopen
+			if err := AutoReopenAcceptedVulnerabilities(db); err != nil {
+				slog.Error("could not update auto reopen", "err", err)
+				return nil
+			}
+			if err := markMirrored(configService, "vulndb.autoReopen"); err != nil {
+				slog.Error("could not mark vulndb.autoReopen as mirrored", "err", err)
+			}
+			slog.Info("auto reopen updated", "duration", time.Since(start))
+		}
+
 		// after we have a fresh vulndb we can update the dependencyVulns.
 		// we save data inside the dependency_vulns table: ComponentDepth and ComponentFixedVersion
 		// those need to be updated before recalculating the risk

internal/core/integrations/gitlabint/gitlab_integration.go

@@ -252,14 +252,14 @@ func (g *GitlabIntegration) checkIfTokenIsValid(ctx core.Context, token models.G
 	}
 
 	// check if the token is valid by fetching the user
-	user, resp, err := gitlabClient.ListGroups(ctx.Request().Context(), &gitlab.ListGroupsOptions{
+	user, _, err := gitlabClient.ListGroups(ctx.Request().Context(), &gitlab.ListGroupsOptions{
 		MinAccessLevel: utils.Ptr(gitlab.ReporterPermissions), // only list groups where the user has at least reporter permissions
 		ListOptions:    gitlab.ListOptions{PerPage: 1},        // we only need to check if the request is successful, so we can limit the number of results
 	})
 
 	_ = user
 	if err != nil {
-		slog.Error("failed to get user", "err", err, "tokenHash", utils.HashString(token.AccessToken), "statusCode", resp.StatusCode)
+		slog.Error("failed to get user", "err", err, "tokenHash", utils.HashString(token.AccessToken))
 		return false
 	}