Merge pull request #954 from l3montree-dev/add-basic-risk-handling-information-sharing-inside-org

Added hints about other instances of the same vuln in other parts of organization

Author: timbastin

cmd/devguard/api/api.go

@@ -729,6 +729,7 @@ func BuildRouter(db core.DB) *echo.Echo {
 	dependencyVulnRouter.POST("/:dependencyVulnID/", dependencyVulnController.CreateEvent, neededScope([]string{"manage"}), projectScopedRBAC(core.ObjectAsset, core.ActionUpdate))
 	dependencyVulnRouter.POST("/:dependencyVulnID/mitigate/", dependencyVulnController.Mitigate, neededScope([]string{"manage"}), projectScopedRBAC(core.ObjectAsset, core.ActionUpdate))
 	dependencyVulnRouter.GET("/:dependencyVulnID/events/", vulnEventController.ReadAssetEventsByVulnID)
+	dependencyVulnRouter.GET("/:dependencyVulnID/hints/", dependencyVulnController.Hints)
 
 	firstPartyVulnRouter := assetVersionRouter.Group("/first-party-vulns")
 	firstPartyVulnRouter.GET("/", firstPartyVulnController.ListPaged)

internal/common/cve_obj.go

@@ -66,3 +66,12 @@ func (r RiskCalculationReport) String() string {
 	}
 	return string(str)
 }
+
+// used to return information about other instances of a dependency vuln in other parts of an organization
+type DependencyVulnHints struct {
+	AmountOpen              int `json:"amountOpen"`
+	AmountFixed             int `json:"amountFixed"`
+	AmountAccepted          int `json:"amountAccepted"`
+	AmountFalsePositive     int `json:"amountFalsePositive"`
+	AmountMarkedForTransfer int `json:"amountMarkedForTransfer"`
+}

internal/core/common_interfaces.go

@@ -148,6 +148,7 @@ type DependencyVulnRepository interface {
 	ApplyAndSave(tx DB, dependencyVuln *models.DependencyVuln, vulnEvent *models.VulnEvent) error
 	GetDependencyVulnsByDefaultAssetVersion(tx DB, assetID uuid.UUID, scannerID string) ([]models.DependencyVuln, error)
 	ListUnfixedByAssetAndAssetVersionAndScannerID(assetVersionName string, assetID uuid.UUID, scannerID string) ([]models.DependencyVuln, error)
+	GetHintsInOrganizationForVuln(tx DB, orgID uuid.UUID, pURL string, cveID string) (common.DependencyVulnHints, error)
 }
 
 type FirstPartyVulnRepository interface {

internal/core/org/org_dto.go

@@ -78,9 +78,10 @@ type patchRequest struct {
 	Grundschutz            *bool   `json:"grundschutz"`
 	Description            *string `json:"description"`
 
-	IsPublic    *bool           `json:"isPublic"`
-	ConfigFiles *map[string]any `json:"configFiles"`
-	Language    *string         `json:"language"`
+	ShareVulnInformation *bool           `json:"shareVulnInformation"`
+	IsPublic             *bool           `json:"isPublic"`
+	ConfigFiles          *map[string]any `json:"configFiles"`
+	Language             *string         `json:"language"`
 }
 
 func (p patchRequest) applyToModel(org *models.Org) bool {
@@ -137,6 +138,11 @@ func (p patchRequest) applyToModel(org *models.Org) bool {
 		org.Description = *p.Description
 	}
 
+	if p.ShareVulnInformation != nil {
+		updated = true
+		org.SharesVulnInformation = *p.ShareVulnInformation
+	}
+
 	if p.IsPublic != nil {
 		updated = true
 		org.IsPublic = *p.IsPublic
@@ -177,9 +183,9 @@ type OrgDTO struct {
 
 	JiraIntegrations []common.JiraIntegrationDTO `json:"jiraIntegrations" gorm:"foreignKey:OrgID;"`
 
-	Webhooks []common.WebhookIntegrationDTO `json:"webhooks" gorm:"foreignKey:OrgID;"`
-
-	IsPublic bool `json:"isPublic" gorm:"default:false;"`
+	SharesVulnInformation bool                           `json:"sharesVulnInformation"`
+	IsPublic              bool                           `json:"isPublic" gorm:"default:false;"`
+	Webhooks              []common.WebhookIntegrationDTO `json:"webhooks" gorm:"foreignKey:OrgID;"`
 
 	ConfigFiles map[string]any `json:"configFiles"`
 
@@ -231,6 +237,7 @@ func fromModel(org models.Org) OrgDTO {
 		Grundschutz:            org.Grundschutz,
 		Slug:                   org.Slug,
 		Description:            org.Description,
+		SharesVulnInformation:  org.SharesVulnInformation,
 		IsPublic:               org.IsPublic,
 
 		Projects:                 org.Projects,

internal/core/vuln/dependency_vuln_controller.go

@@ -46,14 +46,14 @@ func NewHTTPController(dependencyVulnRepository core.DependencyVulnRepository, d
 	}
 }
 
-func (c dependencyVulnHTTPController) ListByOrgPaged(ctx core.Context) error {
+func (controller dependencyVulnHTTPController) ListByOrgPaged(ctx core.Context) error {
 
-	userAllowedProjectIds, err := c.projectService.ListAllowedProjects(ctx)
+	userAllowedProjectIds, err := controller.projectService.ListAllowedProjects(ctx)
 	if err != nil {
 		return echo.NewHTTPError(500, "could not get projects").WithInternal(err)
 	}
 
-	pagedResp, err := c.dependencyVulnRepository.GetDefaultDependencyVulnsByOrgIDPaged(
+	pagedResp, err := controller.dependencyVulnRepository.GetDefaultDependencyVulnsByOrgIDPaged(
 		nil,
 
 		utils.Map(userAllowedProjectIds, func(p models.Project) string {
@@ -73,10 +73,10 @@ func (c dependencyVulnHTTPController) ListByOrgPaged(ctx core.Context) error {
 	}))
 }
 
-func (c dependencyVulnHTTPController) ListByProjectPaged(ctx core.Context) error {
+func (controller dependencyVulnHTTPController) ListByProjectPaged(ctx core.Context) error {
 	project := core.GetProject(ctx)
 
-	pagedResp, err := c.dependencyVulnRepository.GetDefaultDependencyVulnsByProjectIDPaged(
+	pagedResp, err := controller.dependencyVulnRepository.GetDefaultDependencyVulnsByProjectIDPaged(
 		nil,
 		project.ID,
 
@@ -95,13 +95,13 @@ func (c dependencyVulnHTTPController) ListByProjectPaged(ctx core.Context) error
 	}))
 }
 
-func (c dependencyVulnHTTPController) ListPaged(ctx core.Context) error {
+func (controller dependencyVulnHTTPController) ListPaged(ctx core.Context) error {
 	// get the asset
 	assetVersion := core.GetAssetVersion(ctx)
 
 	// check if we should list flat - this means not grouped by package
 	if ctx.QueryParam("flat") == "true" {
-		dependencyVulns, err := c.dependencyVulnRepository.GetDependencyVulnsByAssetVersionPagedAndFlat(nil, assetVersion.Name, assetVersion.AssetID, core.GetPageInfo(ctx), ctx.QueryParam("search"), core.GetFilterQuery(ctx), core.GetSortQuery(ctx))
+		dependencyVulns, err := controller.dependencyVulnRepository.GetDependencyVulnsByAssetVersionPagedAndFlat(nil, assetVersion.Name, assetVersion.AssetID, core.GetPageInfo(ctx), ctx.QueryParam("search"), core.GetFilterQuery(ctx), core.GetSortQuery(ctx))
 		if err != nil {
 			return echo.NewHTTPError(500, "could not get dependencyVulns").WithInternal(err)
 		}
@@ -111,7 +111,7 @@ func (c dependencyVulnHTTPController) ListPaged(ctx core.Context) error {
 		}))
 	}
 
-	pagedResp, packageNameIndexMap, err := c.dependencyVulnRepository.GetByAssetVersionPaged(
+	pagedResp, packageNameIndexMap, err := controller.dependencyVulnRepository.GetByAssetVersionPaged(
 		nil,
 		assetVersion.Name,
 		assetVersion.AssetID,
@@ -191,7 +191,7 @@ func (c dependencyVulnHTTPController) ListPaged(ctx core.Context) error {
 	return ctx.JSON(200, core.NewPaged(core.GetPageInfo(ctx), pagedResp.Total, values))
 }
 
-func (c dependencyVulnHTTPController) Mitigate(ctx core.Context) error {
+func (controller dependencyVulnHTTPController) Mitigate(ctx core.Context) error {
 	type justification struct {
 		Comment string `json:"comment"`
 	}
@@ -218,23 +218,23 @@ func (c dependencyVulnHTTPController) Mitigate(ctx core.Context) error {
 	}
 
 	// fetch the dependencyVuln again from the database. We do not know anything what might have changed. The third party integrations might have changed the state of the dependency_vuln.
-	dependencyVuln, err := c.dependencyVulnRepository.Read(dependencyVulnID)
+	dependencyVuln, err := controller.dependencyVulnRepository.Read(dependencyVulnID)
 	if err != nil {
 		return echo.NewHTTPError(404, "could not find dependencyVuln")
 	}
 
 	return ctx.JSON(200, convertToDetailedDTO(dependencyVuln))
 }
 
-func (c dependencyVulnHTTPController) Read(ctx core.Context) error {
+func (controller dependencyVulnHTTPController) Read(ctx core.Context) error {
 
 	dependencyVulnID, _, err := core.GetVulnID(ctx)
 	if err != nil {
 		return echo.NewHTTPError(400, "invalid dependencyVuln id")
 	}
 	asset := core.GetAsset(ctx)
 
-	dependencyVuln, err := c.dependencyVulnRepository.Read(dependencyVulnID)
+	dependencyVuln, err := controller.dependencyVulnRepository.Read(dependencyVulnID)
 	if err != nil {
 		return echo.NewHTTPError(404, "could not find dependencyVuln")
 	}
@@ -246,7 +246,28 @@ func (c dependencyVulnHTTPController) Read(ctx core.Context) error {
 	return ctx.JSON(200, convertToDetailedDTO(dependencyVuln))
 }
 
-func (c dependencyVulnHTTPController) CreateEvent(ctx core.Context) error {
+func (controller dependencyVulnHTTPController) Hints(ctx core.Context) error {
+	//if enabled in org settings we also want to send hints
+	org := core.GetOrg(ctx)
+
+	dependencyVulnID, _, err := core.GetVulnID(ctx)
+	if err != nil {
+		return echo.NewHTTPError(400, "invalid dependencyVuln id")
+	}
+
+	dependencyVuln, err := controller.dependencyVulnRepository.Read(dependencyVulnID)
+	if err != nil {
+		return echo.NewHTTPError(404, "could not find dependencyVuln")
+	}
+
+	hints, err := controller.dependencyVulnRepository.GetHintsInOrganizationForVuln(nil, org.ID, *dependencyVuln.ComponentPurl, *dependencyVuln.CVEID)
+	if err != nil {
+		return err
+	}
+	return ctx.JSON(200, hints)
+}
+
+func (controller dependencyVulnHTTPController) CreateEvent(ctx core.Context) error {
 	asset := core.GetAsset(ctx)
 	assetVersion := core.GetAssetVersion(ctx)
 	thirdPartyIntegration := core.GetThirdPartyIntegration(ctx)
@@ -255,7 +276,7 @@ func (c dependencyVulnHTTPController) CreateEvent(ctx core.Context) error {
 		return echo.NewHTTPError(400, "invalid dependencyVuln id")
 	}
 
-	dependencyVuln, err := c.dependencyVulnRepository.Read(dependencyVulnID)
+	dependencyVuln, err := controller.dependencyVulnRepository.Read(dependencyVulnID)
 	if err != nil {
 		return echo.NewHTTPError(404, "could not find dependencyVuln")
 	}
@@ -275,7 +296,7 @@ func (c dependencyVulnHTTPController) CreateEvent(ctx core.Context) error {
 	justification := status.Justification
 	mechanicalJustification := status.MechanicalJustification
 
-	ev, err := c.dependencyVulnService.UpdateDependencyVulnState(nil, asset.ID, userID, &dependencyVuln, statusType, justification, mechanicalJustification, assetVersion.Name)
+	ev, err := controller.dependencyVulnService.UpdateDependencyVulnState(nil, asset.ID, userID, &dependencyVuln, statusType, justification, mechanicalJustification, assetVersion.Name)
 	if err != nil {
 		return err
 	}

internal/database/models/org_model.go

@@ -23,7 +23,8 @@ type Org struct {
 
 	JiraIntegrations []JiraIntegration `json:"jiraIntegrations" gorm:"foreignKey:OrgID;"`
 
-	Webhooks []WebhookIntegration `json:"webhooks" gorm:"foreignKey:OrgID;"`
+	SharesVulnInformation bool                 `json:"sharesVulnInformation" gorm:"default:false"`
+	Webhooks              []WebhookIntegration `json:"webhooks" gorm:"foreignKey:OrgID;"`
 
 	IsPublic bool `json:"isPublic" gorm:"default:false;"`
 

internal/database/repositories/dependency_vuln_repository.go

@@ -1,7 +1,11 @@
 package repositories
 
 import (
+	"fmt"
+	"log/slog"
+
 	"github.com/google/uuid"
+	"github.com/l3montree-dev/devguard/internal/common"
 	"github.com/l3montree-dev/devguard/internal/core"
 	"github.com/l3montree-dev/devguard/internal/utils"
 
@@ -282,3 +286,41 @@ func (repository *dependencyVulnRepository) FindByTicketID(tx core.DB, ticketID
 	}
 	return vuln, nil
 }
+
+func (repository *dependencyVulnRepository) GetHintsInOrganizationForVuln(tx core.DB, orgID uuid.UUID, pURL string, cveID string) (common.DependencyVulnHints, error) {
+	type stateCount struct {
+		State string `json:"state"`
+		Count int    `json:"count"`
+	}
+	var hints common.DependencyVulnHints
+	stateCounts := make([]stateCount, 0, 7)
+
+	err := repository.GetDB(tx).Debug().Raw(`SELECT d.state as "state", COUNT(d.state) as "count" FROM dependency_vulns d WHERE asset_id IN (
+		SELECT id from assets WHERE project_id IN (
+		  SELECT id from projects WHERE organization_id = ?
+	  )
+	) AND d.cve_id = ? AND d.component_purl = ? GROUP BY d.state`, orgID, cveID, pURL).Scan(&stateCounts).Error
+	if err != nil {
+		return hints, err
+	}
+	// convert information from query to hints struct
+	for _, state := range stateCounts {
+		//maybe use VulnStates for this, needs conversion then
+		switch state.State {
+		case "open":
+			hints.AmountOpen += state.Count
+		case "fixed":
+			hints.AmountFixed += state.Count
+		case "accepted":
+			hints.AmountAccepted += state.Count
+		case "falsePositive":
+			hints.AmountFalsePositive += state.Count
+		case "markedForTransfer":
+			hints.AmountMarkedForTransfer += state.Count
+		default:
+			slog.Error("invalid state", "state", state.State) //debug for now, can be removed later
+			return hints, fmt.Errorf("invalid state")
+		}
+	}
+	return hints, nil
+}