adds functionality to test webhooks - disabled first party vulnerability webhooks for now

timbastin · timbastin · commit 6ff60663bd32 · 2025-08-04T11:34:39.000+02:00
diff --git a/cmd/devguard/api/api.go b/cmd/devguard/api/api.go
@@ -588,6 +588,8 @@ func BuildRouter(db core.DB) *echo.Echo {
 
 	organizationRouter.POST("/integrations/webhook/test-and-save/", webhookIntegration.Save, neededScope([]string{"manage"}), accessControlMiddleware(core.ObjectOrganization, core.ActionUpdate))
 
+	organizationRouter.POST("/integrations/webhook/test/", webhookIntegration.Test, neededScope([]string{"manage"}), accessControlMiddleware(core.ObjectOrganization, core.ActionRead))
+
 	organizationRouter.PUT("/integrations/webhook/:id/", webhookIntegration.Update, neededScope([]string{"manage"}), accessControlMiddleware(core.ObjectOrganization, core.ActionUpdate))
 
 	organizationRouter.DELETE("/integrations/webhook/:id/", webhookIntegration.Delete, neededScope([]string{"manage"}), accessControlMiddleware(core.ObjectOrganization, core.ActionUpdate))
@@ -611,6 +613,9 @@ func BuildRouter(db core.DB) *echo.Echo {
 	projectRouter.GET("/", projectController.Read)
 
 	projectRouter.POST("/integrations/webhook/test-and-save/", webhookIntegration.Save, neededScope([]string{"manage"}), projectScopedRBAC(core.ObjectProject, core.ActionUpdate))
+
+	projectRouter.POST("/integrations/webhook/test/", webhookIntegration.Test, neededScope([]string{"manage"}), projectScopedRBAC(core.ObjectProject, core.ActionRead))
+
 	projectRouter.PUT("/integrations/webhook/:id/", webhookIntegration.Update, neededScope([]string{"manage"}), projectScopedRBAC(core.ObjectProject, core.ActionUpdate))
 	projectRouter.DELETE("/integrations/webhook/:id/", webhookIntegration.Delete, neededScope([]string{"manage"}), projectScopedRBAC(core.ObjectProject, core.ActionUpdate))
 
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -10,7 +10,7 @@ services:
     # dockerfile: Dockerfile.postgres
     env_file: .env
     ports:
-    - "5432:5432"
+    - "5433:5432"
     volumes:
     - postgres:/var/lib/postgresql/data
     - ./initdb.sql:/docker-entrypoint-initdb.d/init.sql
diff --git a/internal/core/integrations/webhook/webhook_client.go b/internal/core/integrations/webhook/webhook_client.go
@@ -15,6 +15,7 @@ import (
 	cdx "github.com/CycloneDX/cyclonedx-go"
 	"github.com/l3montree-dev/devguard/internal/core"
 	"github.com/l3montree-dev/devguard/internal/core/vuln"
+	"github.com/l3montree-dev/devguard/internal/database/models"
 )
 
 type WebhookStruct struct {
@@ -32,6 +33,16 @@ const (
 	WebhookTypeSBOM                      WebhookType = "sbom"
 	WebhookTypeFirstPartyVulnerabilities WebhookType = "firstPartyVulnerabilities"
 	WebhookTypeDependencyVulnerabilities WebhookType = "dependencyVulnerabilities"
+	WebhookTypeTest                      WebhookType = "test"
+)
+
+type TestPayloadType string
+
+const (
+	TestPayloadTypeEmpty                 TestPayloadType = "empty"
+	TestPayloadTypeSampleSBOM            TestPayloadType = "sampleSbom"
+	TestPayloadTypeSampleDependencyVulns TestPayloadType = "sampleDependencyVulns"
+	TestPayloadTypeSampleFirstPartyVulns TestPayloadType = "sampleFirstPartyVulns"
 )
 
 type webhookClient struct {
@@ -96,8 +107,9 @@ func (c *webhookClient) SendSBOM(SBOM cdx.BOM, org core.OrgObject, project core.
 }
 
 func (c *webhookClient) SendFirstPartyVulnerabilities(vuln []vuln.FirstPartyVulnDTO, org core.OrgObject, project core.ProjectObject, asset core.AssetObject, assetVersion core.AssetVersionObject) error {
+	return nil
 
-	body := WebhookStruct{
+	/*body := WebhookStruct{
 		Organization: org,
 		Project:      project,
 		Asset:        asset,
@@ -121,7 +133,7 @@ func (c *webhookClient) SendFirstPartyVulnerabilities(vuln []vuln.FirstPartyVuln
 		return fmt.Errorf("failed to send vulnerability, status: %s,", resp.Status)
 	}
 
-	return nil
+	return nil*/
 }
 
 func (c *webhookClient) SendDependencyVulnerabilities(vuln []vuln.DependencyVulnDTO, org core.OrgObject, project core.ProjectObject, asset core.AssetObject, assetVersion core.AssetVersionObject) error {
@@ -152,3 +164,183 @@ func (c *webhookClient) SendDependencyVulnerabilities(vuln []vuln.DependencyVuln
 
 	return nil
 }
+
+func (c *webhookClient) SendTest(org core.OrgObject, project core.ProjectObject, asset core.AssetObject, assetVersion core.AssetVersionObject, payloadType TestPayloadType) error {
+
+	var payload any
+	var webhookType WebhookType
+
+	switch payloadType {
+	case TestPayloadTypeEmpty:
+		payload = map[string]any{
+			"message":   "This is a test webhook from DevGuard",
+			"timestamp": time.Now().UTC().Format(time.RFC3339),
+		}
+		webhookType = WebhookTypeTest
+
+	case TestPayloadTypeSampleSBOM:
+		payload = createSampleSBOM()
+		webhookType = WebhookTypeSBOM
+
+	case TestPayloadTypeSampleDependencyVulns:
+		payload = createSampleDependencyVulns()
+		webhookType = WebhookTypeDependencyVulnerabilities
+
+	case TestPayloadTypeSampleFirstPartyVulns:
+		payload = createSampleFirstPartyVulns()
+		webhookType = WebhookTypeFirstPartyVulnerabilities
+
+	default:
+		payload = map[string]any{
+			"message":   "This is a test webhook from DevGuard",
+			"timestamp": time.Now().UTC().Format(time.RFC3339),
+		}
+		webhookType = WebhookTypeTest
+	}
+
+	body := WebhookStruct{
+		Organization: org,
+		Project:      project,
+		Asset:        asset,
+		AssetVersion: assetVersion,
+		Payload:      payload,
+		Type:         webhookType,
+	}
+
+	var buf bytes.Buffer
+	err := json.NewEncoder(&buf).Encode(body)
+	if err != nil {
+		return err
+	}
+
+	resp, err := c.CreateRequest("POST", c.URL, &buf)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("failed to send test webhook, status: %s", resp.Status)
+	}
+
+	return nil
+}
+
+func createSampleSBOM() cdx.BOM {
+	return cdx.BOM{
+		BOMFormat:    "CycloneDX",
+		SpecVersion:  cdx.SpecVersion1_4,
+		SerialNumber: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+		Version:      1,
+		Metadata: &cdx.Metadata{
+			Timestamp: time.Now().UTC().Format(time.RFC3339),
+			Component: &cdx.Component{
+				Type:       cdx.ComponentTypeApplication,
+				Name:       "example-web-app",
+				Version:    "1.2.3",
+				PackageURL: "pkg:docker/example/web-app@1.2.3",
+			},
+		},
+		Components: &[]cdx.Component{
+			{
+				Type:       cdx.ComponentTypeLibrary,
+				Name:       "express",
+				Version:    "4.18.2",
+				PackageURL: "pkg:npm/express@4.18.2",
+				Licenses: &cdx.Licenses{
+					{License: &cdx.License{ID: "MIT"}},
+				},
+			},
+			{
+				Type:       cdx.ComponentTypeLibrary,
+				Name:       "log4j-core",
+				Version:    "2.14.1",
+				PackageURL: "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
+				Licenses: &cdx.Licenses{
+					{License: &cdx.License{ID: "Apache-2.0"}},
+				},
+			},
+		},
+	}
+}
+
+func createSampleDependencyVulns() []vuln.DependencyVulnDTO {
+	cve := "CVE-2021-44228"
+	purl := "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
+	fixedVersion := "2.15.0"
+	depth := 2
+	risk := 95
+	rawRisk := 9.8
+	priority := 1
+	effort := 4
+
+	cveData := &models.CVE{
+		CVE:                   "CVE-2021-44228",
+		Description:           "Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.",
+		CVSS:                  10.0,
+		Severity:              models.SeverityCritical,
+		AttackVector:          "Network",
+		AttackComplexity:      "Low",
+		PrivilegesRequired:    "None",
+		UserInteraction:       "None",
+		Scope:                 "Changed",
+		ConfidentialityImpact: "High",
+		IntegrityImpact:       "High",
+		AvailabilityImpact:    "High",
+		Vector:                "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+	}
+
+	return []vuln.DependencyVulnDTO{
+		{
+			ID:                    "dep-vuln-001",
+			ScannerIDs:            "trivy",
+			AssetVersionName:      "v1.2.3",
+			AssetID:               "asset-12345",
+			State:                 models.VulnStateOpen,
+			CVEID:                 &cve,
+			CVE:                   cveData,
+			ComponentPurl:         &purl,
+			ComponentDepth:        &depth,
+			ComponentFixedVersion: &fixedVersion,
+			Effort:                &effort,
+			RiskAssessment:        &risk,
+			RawRiskAssessment:     &rawRisk,
+			Priority:              &priority,
+			LastDetected:          time.Now(),
+			CreatedAt:             time.Now().Add(-24 * time.Hour),
+			RiskRecalculatedAt:    time.Now(),
+		},
+	}
+}
+
+func createSampleFirstPartyVulns() []vuln.FirstPartyVulnDTO {
+	message := "SQL injection vulnerability detected"
+
+	return []vuln.FirstPartyVulnDTO{
+		{
+			ID:               "fpv-001",
+			ScannerIDs:       "semgrep",
+			Message:          &message,
+			AssetVersionName: "v1.2.3",
+			AssetID:          "asset-12345",
+			State:            models.VulnStateOpen,
+			RuleID:           "javascript.lang.security.audit.sqli",
+			URI:              "src/auth/login.js",
+			SnippetContents: []models.SnippetContent{
+				{
+					StartLine: 42,
+					EndLine:   45,
+					Snippet:   `const query = "SELECT * FROM users WHERE username = '" + username + "'";`,
+				},
+			},
+			CreatedAt:       time.Now(),
+			Commit:          "abc123",
+			Author:          "Developer",
+			RuleName:        "SQL Injection Detection",
+			RuleDescription: "Detects SQL injection vulnerabilities",
+			RuleProperties: map[string]any{
+				"severity": "HIGH",
+				"cwe":      "CWE-89",
+			},
+		},
+	}
+}
diff --git a/internal/core/integrations/webhook/webhook_integration.go b/internal/core/integrations/webhook/webhook_integration.go
@@ -5,6 +5,7 @@ package webhook
 
 import (
 	"context"
+	"fmt"
 	"log/slog"
 
 	"github.com/google/uuid"
@@ -152,6 +153,106 @@ func (w *WebhookIntegration) Save(ctx core.Context) error {
 	})
 }
 
+func (w *WebhookIntegration) Test(ctx core.Context) error {
+	var data struct {
+		URL         string `json:"url"`
+		Secret      string `json:"secret"`
+		PayloadType string `json:"payloadType"`
+	}
+
+	if err := ctx.Bind(&data); err != nil {
+		return ctx.JSON(400, "invalid request data")
+	}
+	if data.URL == "" {
+		return ctx.JSON(400, "url is required")
+	}
+
+	// Default to empty payload if not specified
+	if data.PayloadType == "" {
+		data.PayloadType = "empty"
+	}
+
+	// Validate payload type
+	var payloadType TestPayloadType
+	switch data.PayloadType {
+	case "empty":
+		payloadType = TestPayloadTypeEmpty
+	case "sampleSbom":
+		payloadType = TestPayloadTypeSampleSBOM
+	case "sampleDependencyVulns":
+		payloadType = TestPayloadTypeSampleDependencyVulns
+	case "sampleFirstPartyVulns":
+		payloadType = TestPayloadTypeSampleFirstPartyVulns
+	default:
+		return ctx.JSON(400, map[string]string{
+			"error": "Invalid payload type. Supported types: empty, sampleSbom, sampleDependencyVulns, sampleFirstPartyVulns",
+		})
+	}
+
+	// Create example objects for testing
+	org := core.ToOrgObject(core.GetOrg(ctx))
+
+	// For assets and projects, we'll use example data if not available in context
+	var project core.ProjectObject
+	var asset core.AssetObject
+	var assetVersion core.AssetVersionObject
+
+	if core.HasProject(ctx) {
+		project = core.ToProjectObject(core.GetProject(ctx))
+	} else {
+		// Create example project data
+		project = core.ProjectObject{
+			ID:          uuid.New(),
+			Name:        "Example Project",
+			Slug:        "example-project",
+			Description: "Example project for webhook testing",
+			IsPublic:    false,
+			Type:        "application",
+		}
+	}
+
+	// Create example asset and asset version data for testing
+	asset = core.AssetObject{
+		ID:                         uuid.New(),
+		Name:                       "Example Asset",
+		Slug:                       "example-asset",
+		Description:                "Example asset for webhook testing",
+		ProjectID:                  project.ID,
+		AvailabilityRequirement:    "high",
+		IntegrityRequirement:       "high",
+		ConfidentialityRequirement: "high",
+		ReachableFromInternet:      false,
+	}
+
+	assetVersion = core.AssetVersionObject{
+		Name:          "example-version",
+		AssetID:       asset.ID,
+		Slug:          "example-version",
+		DefaultBranch: true,
+		Type:          "branch",
+	}
+
+	// Create webhook client and send test
+	var secret *string
+	if data.Secret != "" {
+		secret = &data.Secret
+	}
+
+	client := NewWebhookClient(data.URL, secret)
+
+	if err := client.SendTest(org, project, asset, assetVersion, payloadType); err != nil {
+		slog.Error("failed to send test webhook", "err", err)
+		return ctx.JSON(400, map[string]string{
+			"error": fmt.Sprintf("Webhook test failed: %s", err.Error()),
+		})
+	}
+
+	return ctx.JSON(200, map[string]string{
+		"message":     "Test webhook sent successfully",
+		"payloadType": data.PayloadType,
+	})
+}
+
 func (w *WebhookIntegration) HandleEvent(event any) error {
 
 	switch event := event.(type) {
@@ -162,10 +263,6 @@ func (w *WebhookIntegration) HandleEvent(event any) error {
 			slog.Error("failed to find webhooks", "err", err)
 			return err
 		}
-		if err != nil {
-			slog.Error("failed to find webhooks for SBOM created event", "err", err)
-			return err
-		}
 
 		for _, webhook := range webhooks {
 			client := NewWebhookClient(webhook.URL, webhook.Secret)
