Implement webhook integration and enhance SBOM update functionality

Signed-off-by: Rafi <refaei.shikho@hotmail.com>

Author: refoo0

internal/core/assetversion/asset_version_service.go

@@ -419,11 +419,14 @@ func buildBomRefMap(bom normalize.SBOM) map[string]cdx.Component {
 	return res
 }
 
-func (s *service) UpdateSBOM(assetVersion models.AssetVersion, scannerID string, sbom normalize.SBOM) error {
+func (s *service) UpdateSBOM(assetVersion models.AssetVersion, scannerID string, sbom normalize.SBOM) (bool, error) {
+
+	sbomUpdated := false
+
 	// load the asset components
 	assetComponents, err := s.componentRepository.LoadComponents(nil, assetVersion.Name, assetVersion.AssetID, "")
 	if err != nil {
-		return errors.Wrap(err, "could not load asset components")
+		return sbomUpdated, errors.Wrap(err, "could not load asset components")
 	}
 
 	existingComponentPurls := make(map[string]bool)
@@ -513,11 +516,12 @@ func (s *service) UpdateSBOM(assetVersion models.AssetVersion, scannerID string,
 
 	// make sure, that the components exist
 	if err := s.componentRepository.CreateBatch(nil, componentsSlice); err != nil {
-		return err
+		return sbomUpdated, err
 	}
 
-	if err = s.componentRepository.HandleStateDiff(nil, assetVersion.Name, assetVersion.AssetID, assetComponents, dependencies, scannerID); err != nil {
-		return err
+	sbomUpdated, err = s.componentRepository.HandleStateDiff(nil, assetVersion.Name, assetVersion.AssetID, assetComponents, dependencies, scannerID)
+	if err != nil {
+		return sbomUpdated, err
 	}
 
 	// update the license information in the background
@@ -532,7 +536,7 @@ func (s *service) UpdateSBOM(assetVersion models.AssetVersion, scannerID string,
 		}
 	}()
 
-	return nil
+	return sbomUpdated, nil
 }
 
 func (s *service) BuildSBOM(assetVersion models.AssetVersion, version string, organizationName string, components []models.ComponentDependency) *cdx.BOM {

internal/core/common_interfaces.go

@@ -127,7 +127,7 @@ type ComponentRepository interface {
 	LoadPathToComponent(tx DB, assetVersionName string, assetID uuid.UUID, pURL string, scannerID string) ([]models.ComponentDependency, error)
 	SaveBatch(tx DB, components []models.Component) error
 	FindByPurl(tx DB, purl string) (models.Component, error)
-	HandleStateDiff(tx DB, assetVersionName string, assetID uuid.UUID, oldState []models.ComponentDependency, newState []models.ComponentDependency, scannerID string) error
+	HandleStateDiff(tx DB, assetVersionName string, assetID uuid.UUID, oldState []models.ComponentDependency, newState []models.ComponentDependency, scannerID string) (bool, error)
 	GetDependencyCountPerScanner(assetVersionName string, assetID uuid.UUID) (map[string]int, error)
 	GetLicenseDistribution(tx DB, assetVersionName string, assetID uuid.UUID, scannerID string) (map[string]int, error)
 }
@@ -252,7 +252,7 @@ type AssetVersionService interface {
 	BuildVeX(asset models.Asset, assetVersion models.AssetVersion, orgName string, dependencyVulns []models.DependencyVuln) *cdx.BOM
 	GetAssetVersionsByAssetID(assetID uuid.UUID) ([]models.AssetVersion, error)
 	HandleFirstPartyVulnResult(asset models.Asset, assetVersion *models.AssetVersion, sarifScan common.SarifResult, scannerID string, userID string) (int, int, []models.FirstPartyVuln, error)
-	UpdateSBOM(assetVersion models.AssetVersion, scannerID string, sbom normalize.SBOM) error
+	UpdateSBOM(assetVersion models.AssetVersion, scannerID string, sbom normalize.SBOM) (bool, error)
 	HandleScanResult(asset models.Asset, assetVersion *models.AssetVersion, vulns []models.VulnInPackage, scannerID string, userID string) (opened []models.DependencyVuln, closed []models.DependencyVuln, newState []models.DependencyVuln, err error)
 	BuildOpenVeX(asset models.Asset, assetVersion models.AssetVersion, organizationSlug string, dependencyVulns []models.DependencyVuln) vex.VEX
 }
@@ -328,7 +328,7 @@ type JiraIntegrationRepository interface {
 type WebhookIntegrationRepository interface {
 	Save(tx DB, model *models.WebhookIntegration) error
 	Read(id uuid.UUID) (models.WebhookIntegration, error)
-	FindByOrganizationID(orgID uuid.UUID) ([]models.WebhookIntegration, error)
+	FindByOrgIDAndProjectID(orgID uuid.UUID, projectID uuid.UUID) ([]models.WebhookIntegration, error)
 	Delete(tx DB, id uuid.UUID) error
 	GetClientByIntegrationID(integrationID uuid.UUID) (models.WebhookIntegration, error)
 }

internal/core/integrations/webhook/webhook_client.go

@@ -0,0 +1,66 @@
+// Copyright 2025 l3montree GmbH.
+// SPDX-License-Identifier: 	AGPL-3.0-or-later
+
+package webhook
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"time"
+
+	cdx "github.com/CycloneDX/cyclonedx-go"
+)
+
+type webhookClient struct {
+	URL    string
+	Secret *string
+}
+
+func NewWebhookClient(url string, secret *string) *webhookClient {
+	return &webhookClient{
+		URL:    url,
+		Secret: secret,
+	}
+}
+
+func (c *webhookClient) CreateRequest(method, url string, body io.Reader) (*http.Response, error) {
+
+	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
+	defer cancel()
+
+	req, err := http.NewRequestWithContext(ctx, method, url, body)
+	if err != nil {
+		return nil, err
+	}
+
+	if c.Secret != nil {
+		req.Header.Set("X-DevGuard-Token", *c.Secret)
+	}
+
+	req.Header.Set("Content-Type", "application/json")
+
+	return http.DefaultClient.Do(req)
+}
+
+func (c *webhookClient) SendSBOM(SBOM cdx.BOM) error {
+	var buf bytes.Buffer
+	err := cdx.NewBOMEncoder(&buf, cdx.BOMFileFormatJSON).Encode(&SBOM)
+	if err != nil {
+		return err
+	}
+
+	resp, err := c.CreateRequest("POST", c.URL, &buf)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		return fmt.Errorf("failed to send SBOM, status: %s, body: %s", resp.Status, body)
+	}
+
+	return nil
+}

internal/core/integrations/webhook/webhook_integration.go

@@ -12,6 +12,7 @@ import (
 	"github.com/l3montree-dev/devguard/internal/core"
 	"github.com/l3montree-dev/devguard/internal/database/models"
 	"github.com/l3montree-dev/devguard/internal/database/repositories"
+	"github.com/labstack/echo/v4"
 )
 
 type WebhookIntegration struct {
@@ -103,6 +104,7 @@ func (w *WebhookIntegration) TestAndSave(ctx core.Context) error {
 		Secret      string `json:"secret"`
 		SbomEnabled bool   `json:"sbomEnabled"`
 		VulnEnabled bool   `json:"vulnEnabled"`
+		ProjectID   string `json:"projectId"` // Optional, can be empty if not associated with a project
 	}
 
 	if err := ctx.Bind(&data); err != nil {
@@ -112,11 +114,14 @@ func (w *WebhookIntegration) TestAndSave(ctx core.Context) error {
 		return ctx.JSON(400, "url is required")
 	}
 
-	/* 	projectID := uuid.Nil
-	   	if ok := core.HasProject(ctx); ok {
-	   		project := core.GetProject(ctx)
-	   		projectID = project.ID
-	   	} */
+	var projectID *uuid.UUID
+	if data.ProjectID != "" {
+		parsedProjectID, err := uuid.Parse(data.ProjectID)
+		if err != nil {
+			return ctx.JSON(400, "invalid project ID format")
+		}
+		projectID = &parsedProjectID
+	}
 
 	webhookIntegration := &models.WebhookIntegration{
 		Name:        &data.Name,
@@ -126,7 +131,7 @@ func (w *WebhookIntegration) TestAndSave(ctx core.Context) error {
 		SbomEnabled: data.SbomEnabled,
 		VulnEnabled: data.VulnEnabled,
 		OrgID:       core.GetOrg(ctx).GetID(),
-		/* 	ProjectID:   &projectID, */
+		ProjectID:   projectID, // Set project ID if available
 	}
 
 	if err := w.webhookRepository.Save(nil, webhookIntegration); err != nil {
@@ -144,7 +149,43 @@ func (w *WebhookIntegration) TestAndSave(ctx core.Context) error {
 	})
 }
 
+func (w *WebhookIntegration) getWebhooks(ctx echo.Context) ([]models.WebhookIntegration, error) {
+	orgID := core.GetOrg(ctx).GetID()
+	project := core.GetProject(ctx)
+
+	webhooks, err := w.webhookRepository.FindByOrgIDAndProjectID(orgID, project.ID)
+	if err != nil {
+		slog.Error("failed to find webhooks", "err", err)
+		return nil, err
+	}
+
+	return webhooks, nil
+}
+
 func (w *WebhookIntegration) HandleEvent(event any) error {
+
+	switch event := event.(type) {
+	case core.SBOMCreatedEvent:
+
+		webhooks, err := w.getWebhooks(event.Ctx)
+		if err != nil {
+			slog.Error("failed to find webhooks for SBOM created event", "err", err)
+			return err
+		}
+
+		for _, webhook := range webhooks {
+			client := NewWebhookClient(webhook.URL, webhook.Secret)
+			if webhook.SbomEnabled {
+				//send sbom
+				if err := client.SendSBOM(event.SBOM); err != nil {
+					slog.Error("failed to send SBOM to webhook", "webhookID", webhook.ID, "err", err)
+					return err
+				}
+				slog.Info("SBOM sent to webhook", "webhookID", webhook.ID)
+			}
+		}
+	}
+
 	return nil
 }
 

internal/core/thirdparty_integration_events.go

@@ -1,6 +1,7 @@
 package core
 
 import (
+	cdx "github.com/CycloneDX/cyclonedx-go"
 	"github.com/l3montree-dev/devguard/internal/database/models"
 )
 
@@ -13,3 +14,8 @@ type VulnEvent struct {
 	Ctx   Context
 	Event models.VulnEvent
 }
+
+type SBOMCreatedEvent struct {
+	Ctx  Context
+	SBOM cdx.BOM
+}

internal/core/vulndb/scan/scan_controller.go

@@ -77,7 +77,7 @@ type FirstPartyScanResponse struct {
 	FirstPartyVulns []vuln.FirstPartyVulnDTO `json:"firstPartyVulns"`
 }
 
-func (s *HTTPController) DependencyVulnScan(c core.Context, bom normalize.SBOM) (ScanResponse, error) {
+func (s *HTTPController) DependencyVulnScan(c core.Context, bom normalize.SBOM) (bool, ScanResponse, error) {
 	monitoring.DependencyVulnScanAmount.Inc()
 	startTime := time.Now()
 	defer func() {
@@ -103,21 +103,24 @@ func (s *HTTPController) DependencyVulnScan(c core.Context, bom normalize.SBOM)
 	assetVersion, err := s.assetVersionRepository.FindOrCreate(assetVersionName, asset.ID, tag == "1", utils.EmptyThenNil(defaultBranch))
 	if err != nil {
 		slog.Error("could not find or create asset version", "err", err)
-		return scanResults, err
+		return false, scanResults, err
 	}
 
 	scannerID := c.Request().Header.Get("X-Scanner")
 	if scannerID == "" {
 		slog.Error("no X-Scanner header found")
-		return scanResults, fmt.Errorf("no X-Scanner header found")
+		return false, scanResults, fmt.Errorf("no X-Scanner header found")
 	}
 
 	// update the sbom in the database in parallel
-	if err := s.assetVersionService.UpdateSBOM(assetVersion, scannerID, normalizedBom); err != nil {
+	sbomUpdated, err := s.assetVersionService.UpdateSBOM(assetVersion, scannerID, normalizedBom)
+	if err != nil {
 		slog.Error("could not update sbom", "err", err)
-		return scanResults, err
+		return false, scanResults, err
 	}
-	return s.ScanNormalizedSBOM(org, project, asset, assetVersion, normalizedBom, scannerID, userID)
+
+	scanResponse, scanErr := s.ScanNormalizedSBOM(org, project, asset, assetVersion, normalizedBom, scannerID, userID)
+	return sbomUpdated, scanResponse, scanErr
 }
 
 func (s *HTTPController) ScanNormalizedSBOM(org models.Org, project models.Project, asset models.Asset, assetVersion models.AssetVersion, normalizedBom normalize.SBOM, scannerID string, userID string) (ScanResponse, error) {
@@ -234,10 +237,20 @@ func (s *HTTPController) ScanDependencyVulnFromProject(c core.Context) error {
 		return err
 	}
 
-	scanResults, err := s.DependencyVulnScan(c, normalize.FromCdxBom(bom, true))
+	sbomUpdated, scanResults, err := s.DependencyVulnScan(c, normalize.FromCdxBom(bom, true))
 	if err != nil {
 		return err
 	}
+	if sbomUpdated {
+		thirdPartyIntegrations := core.GetThirdPartyIntegration(c)
+		if err = thirdPartyIntegrations.HandleEvent(core.SBOMCreatedEvent{
+			Ctx:  c,
+			SBOM: *bom,
+		}); err != nil {
+			slog.Error("could not handle manual mitigation event", "err", err)
+		}
+
+	}
 	return c.JSON(200, scanResults)
 }
 
@@ -261,10 +274,20 @@ func (s *HTTPController) ScanSbomFile(c core.Context) error {
 		return err
 	}
 
-	scanResults, err := s.DependencyVulnScan(c, normalize.FromCdxBom(bom, true))
+	sbomUpdated, scanResults, err := s.DependencyVulnScan(c, normalize.FromCdxBom(bom, true))
 	if err != nil {
 		return err
 	}
+	if sbomUpdated {
+		thirdPartyIntegrations := core.GetThirdPartyIntegration(c)
+		if err = thirdPartyIntegrations.HandleEvent(core.SBOMCreatedEvent{
+			Ctx:  c,
+			SBOM: *bom,
+		}); err != nil {
+			slog.Error("could not handle manual mitigation event", "err", err)
+		}
+
+	}
 	return c.JSON(200, scanResults)
 
 }

internal/database/models/project_model.go

@@ -39,6 +39,8 @@ type Project struct {
 
 	ExternalEntityID         *string `json:"externalEntityId" gorm:"uniqueIndex:unique_external_entity;"`
 	ExternalEntityProviderID *string `json:"externalEntityProviderId" gorm:"uniqueIndex:unique_external_entity;"`
+
+	Webhooks []WebhookIntegration `json:"webhooks" gorm:"foreignKey:ProjectID;"`
 }
 
 func (m Project) TableName() string {

internal/database/models/webhook_model.go

@@ -19,10 +19,8 @@ type WebhookIntegration struct {
 	Org   Org       `json:"org" gorm:"foreignKey:OrgID;constraint:OnDelete:CASCADE;"`
 	OrgID uuid.UUID `json:"orgId" gorm:"column:org_id"`
 
-	/*
-		 	ProjectID *uuid.UUID `json:"projectId" gorm:"column:project_id"`
-			Project   *Project   `json:"project" gorm:"foreignKey:ProjectID;constraint:OnDelete:CASCADE;"`
-	*/
+	ProjectID *uuid.UUID `json:"projectId" gorm:"column:project_id;nullable"`
+	Project   *Project   `json:"project" gorm:"foreignKey:ProjectID;constraint:OnDelete:CASCADE;"`
 }
 
 func (WebhookIntegration) TableName() string {

internal/database/repositories/component_repository.go

@@ -313,7 +313,10 @@ func (c *componentRepository) FindByPurl(tx core.DB, purl string) (models.Compon
 	return component, err
 }
 
-func (c *componentRepository) HandleStateDiff(tx core.DB, assetVersionName string, assetID uuid.UUID, oldState []models.ComponentDependency, newState []models.ComponentDependency, scannerID string) error {
+func (c *componentRepository) HandleStateDiff(tx core.DB, assetVersionName string, assetID uuid.UUID, oldState []models.ComponentDependency, newState []models.ComponentDependency, scannerID string) (bool, error) {
+
+	stateChanged := false
+
 	comparison := utils.CompareSlices(oldState, newState, func(dep models.ComponentDependency) string {
 		return utils.SafeDereference(dep.ComponentPurl) + "->" + dep.DependencyPurl
 	})
@@ -322,7 +325,11 @@ func (c *componentRepository) HandleStateDiff(tx core.DB, assetVersionName strin
 	added := comparison.OnlyInB
 	needToBeChanged := comparison.InBoth
 
-	return c.GetDB(tx).Transaction(func(tx *gorm.DB) error {
+	if len(removed) > 0 || len(added) > 0 || len(needToBeChanged) > 0 {
+		stateChanged = true
+	}
+
+	return stateChanged, c.GetDB(tx).Transaction(func(tx *gorm.DB) error {
 		//We remove the scanner id from all components in removed and if it was the only scanner id we remove the component
 		toDelete, toSave := diffComponents(tx, c, removed, scannerID)
 

internal/database/repositories/webhook_repository.go

@@ -24,13 +24,18 @@ func NewWebhookRepository(db core.DB) *webhookRepository {
 		Repository: newGormRepository[uuid.UUID, models.WebhookIntegration](db),
 	}
 }
-func (r *webhookRepository) FindByOrganizationID(orgID uuid.UUID) ([]models.WebhookIntegration, error) {
+func (r *webhookRepository) FindByOrgIDAndProjectID(orgID uuid.UUID, projectID uuid.UUID) ([]models.WebhookIntegration, error) {
 	var integrations []models.WebhookIntegration
-	if err := r.db.Find(&integrations, "org_id = ?", orgID).Error; err != nil {
+
+	query := r.db.Where("organization_id = ? AND project_id IS NULL", orgID).Or("organization_id = ? AND project_id = ?", orgID, projectID)
+
+	if err := query.Find(&integrations).Error; err != nil {
 		return nil, err
 	}
+
 	return integrations, nil
 }
+
 func (r *webhookRepository) GetClientByIntegrationID(integrationID uuid.UUID) (models.WebhookIntegration, error) {
 	var integration models.WebhookIntegration
 	if err := r.db.First(&integration, "id = ?", integrationID).Error; err != nil {