Enhance webhook integration to support SBOM and vulnerability events, refactor asset version service, and update related interfaces

Signed-off-by: Rafi <refaei.shikho@hotmail.com>

Author: refoo0

cmd/devguard/api/api.go

@@ -417,7 +417,7 @@ func BuildRouter(db core.DB) *echo.Echo {
 	componentProjectRepository := repositories.NewComponentProjectRepository(db)
 	componentService := component.NewComponentService(&depsDevService, componentProjectRepository, componentRepository)
 
-	assetVersionService := assetversion.NewService(assetVersionRepository, componentRepository, dependencyVulnRepository, firstPartyVulnRepository, dependencyVulnService, firstPartyVulnService, assetRepository, vulnEventRepository, &componentService)
+	assetVersionService := assetversion.NewService(assetVersionRepository, componentRepository, dependencyVulnRepository, firstPartyVulnRepository, dependencyVulnService, firstPartyVulnService, assetRepository, projectRepository, orgRepository, vulnEventRepository, &componentService, thirdPartyIntegration)
 	statisticsService := statistics.NewService(statisticsRepository, componentRepository, assetRiskAggregationRepository, dependencyVulnRepository, assetVersionRepository, projectRepository, repositories.NewProjectRiskHistoryRepository(db))
 	invitationRepository := repositories.NewInvitationRepository(db)
 

internal/core/assetversion/asset_version_service.go

@@ -18,6 +18,7 @@ import (
 	"github.com/l3montree-dev/devguard/internal/core"
 	"github.com/l3montree-dev/devguard/internal/core/normalize"
 	"github.com/l3montree-dev/devguard/internal/core/risk"
+	"github.com/l3montree-dev/devguard/internal/core/vuln"
 	"github.com/l3montree-dev/devguard/internal/database"
 	"github.com/openvex/go-vex/pkg/vex"
 
@@ -36,12 +37,15 @@ type service struct {
 	firstPartyVulnService    core.FirstPartyVulnService
 	assetVersionRepository   core.AssetVersionRepository
 	assetRepository          core.AssetRepository
+	projectRepository        core.ProjectRepository
+	orgRepository            core.OrganizationRepository
 	vulnEventRepository      core.VulnEventRepository
 	componentService         core.ComponentService
 	httpClient               *http.Client
+	thirdPartyIntegration    core.ThirdPartyIntegration
 }
 
-func NewService(assetVersionRepository core.AssetVersionRepository, componentRepository core.ComponentRepository, dependencyVulnRepository core.DependencyVulnRepository, firstPartyVulnRepository core.FirstPartyVulnRepository, dependencyVulnService core.DependencyVulnService, firstPartyVulnService core.FirstPartyVulnService, assetRepository core.AssetRepository, vulnEventRepository core.VulnEventRepository, componentService core.ComponentService) *service {
+func NewService(assetVersionRepository core.AssetVersionRepository, componentRepository core.ComponentRepository, dependencyVulnRepository core.DependencyVulnRepository, firstPartyVulnRepository core.FirstPartyVulnRepository, dependencyVulnService core.DependencyVulnService, firstPartyVulnService core.FirstPartyVulnService, assetRepository core.AssetRepository, projectRepository core.ProjectRepository, orgRepository core.OrganizationRepository, vulnEventRepository core.VulnEventRepository, componentService core.ComponentService, thirdPartyIntegration core.ThirdPartyIntegration) *service {
 	return &service{
 		assetVersionRepository:   assetVersionRepository,
 		componentRepository:      componentRepository,
@@ -53,6 +57,9 @@ func NewService(assetVersionRepository core.AssetVersionRepository, componentRep
 		componentService:         componentService,
 		assetRepository:          assetRepository,
 		httpClient:               &http.Client{},
+		thirdPartyIntegration:    thirdPartyIntegration,
+		projectRepository:        projectRepository,
+		orgRepository:            orgRepository,
 	}
 }
 
@@ -196,6 +203,29 @@ func (s *service) handleFirstPartyVulnResult(userID string, scannerID string, as
 		return vuln.State == models.VulnStateOpen
 	})
 
+	go func() {
+		pro, err := s.projectRepository.GetProjectByAssetID(asset.ID)
+		if err != nil {
+			slog.Error("could not get project by asset ID", "err", err)
+			return
+		}
+		org, err := s.orgRepository.Read(pro.OrganizationID)
+		if err != nil {
+			slog.Error("could not get organization by ID", "err", err)
+			return
+		}
+
+		if err = s.thirdPartyIntegration.HandleEvent(core.FirstPartyVulnsDetectedEvent{
+			AssetVersion: core.ToAssetVersionObject(*assetVersion),
+			Asset:        core.ToAssetObject(asset),
+			Project:      core.ToProjectObject(pro),
+			Org:          core.ToOrgObject(org),
+			Vulns:        utils.Map(newVulns, vuln.FirstPartyVulnToDto),
+		}); err != nil {
+			slog.Error("could not handle first party vulnerabilities detected event", "err", err)
+		}
+	}()
+
 	return len(newVulns), len(fixedVulns), append(newVulns, comparison.InBoth...), nil
 }
 
@@ -254,6 +284,32 @@ func (s *service) HandleScanResult(asset models.Asset, assetVersion *models.Asse
 
 	assetVersion.Metadata[scannerID] = models.ScannerInformation{LastScan: utils.Ptr(time.Now())}
 
+	go func() {
+		pro, err := s.projectRepository.GetProjectByAssetID(asset.ID)
+		if err != nil {
+			slog.Error("could not get project by asset ID", "err", err)
+			return
+		}
+
+		org, err := s.orgRepository.Read(pro.OrganizationID)
+		if err != nil {
+			slog.Error("could not get organization by ID", "err", err)
+			return
+		}
+
+		if err = s.thirdPartyIntegration.HandleEvent(core.DependencyVulnsDetectedEvent{
+			AssetVersion: core.ToAssetVersionObject(*assetVersion),
+			Asset:        core.ToAssetObject(asset),
+			Project:      core.ToProjectObject(pro),
+			Org:          core.ToOrgObject(org),
+
+			Vulns: utils.Map(opened, vuln.DependencyVulnToDto),
+		}); err != nil {
+			slog.Error("could not handle dependency vulnerabilities detected event", "err", err)
+		}
+
+	}()
+
 	return opened, closed, newState, nil
 }
 
@@ -419,14 +475,14 @@ func buildBomRefMap(bom normalize.SBOM) map[string]cdx.Component {
 	return res
 }
 
-func (s *service) UpdateSBOM(assetVersion models.AssetVersion, scannerID string, sbom normalize.SBOM) (bool, error) {
+func (s *service) UpdateSBOM(assetVersion models.AssetVersion, scannerID string, sbom normalize.SBOM) error {
 
 	sbomUpdated := false
 
 	// load the asset components
 	assetComponents, err := s.componentRepository.LoadComponents(nil, assetVersion.Name, assetVersion.AssetID, "")
 	if err != nil {
-		return sbomUpdated, errors.Wrap(err, "could not load asset components")
+		return errors.Wrap(err, "could not load asset components")
 	}
 
 	existingComponentPurls := make(map[string]bool)
@@ -516,12 +572,12 @@ func (s *service) UpdateSBOM(assetVersion models.AssetVersion, scannerID string,
 
 	// make sure, that the components exist
 	if err := s.componentRepository.CreateBatch(nil, componentsSlice); err != nil {
-		return sbomUpdated, err
+		return err
 	}
 
 	sbomUpdated, err = s.componentRepository.HandleStateDiff(nil, assetVersion.Name, assetVersion.AssetID, assetComponents, dependencies, scannerID)
 	if err != nil {
-		return sbomUpdated, err
+		return err
 	}
 
 	// update the license information in the background
@@ -536,7 +592,43 @@ func (s *service) UpdateSBOM(assetVersion models.AssetVersion, scannerID string,
 		}
 	}()
 
-	return sbomUpdated, nil
+	go func(sbomUpdated bool) {
+
+		if sbomUpdated {
+			asset, err := s.assetRepository.Read(assetVersion.AssetID)
+			if err != nil {
+				slog.Error("could not read asset", "assetID", assetVersion.AssetID, "err", err)
+				return
+			}
+
+			pro, err := s.projectRepository.GetProjectByAssetID(asset.ID)
+			if err != nil {
+				slog.Error("could not get project by asset ID", "err", err)
+				return
+			}
+
+			org, err := s.orgRepository.Read(pro.OrganizationID)
+			if err != nil {
+				slog.Error("could not get organization by ID", "err", err)
+				return
+			}
+
+			if err = s.thirdPartyIntegration.HandleEvent(core.SBOMCreatedEvent{
+				AssetVersion: core.ToAssetVersionObject(assetVersion),
+				Asset:        core.ToAssetObject(asset),
+				Project:      core.ToProjectObject(pro),
+				Org:          core.ToOrgObject(org),
+				SBOM:         sbom.GetCdxBom(),
+			}); err != nil {
+				slog.Error("could not handle SBOM updated event", "err", err)
+			} else {
+				slog.Info("handled SBOM updated event", "assetVersion", assetVersion.Name, "assetID", assetVersion.AssetID)
+			}
+		}
+
+	}(sbomUpdated)
+
+	return nil
 }
 
 func (s *service) BuildSBOM(assetVersion models.AssetVersion, version string, organizationName string, components []models.ComponentDependency) *cdx.BOM {

internal/core/common_interfaces.go

@@ -252,7 +252,7 @@ type AssetVersionService interface {
 	BuildVeX(asset models.Asset, assetVersion models.AssetVersion, orgName string, dependencyVulns []models.DependencyVuln) *cdx.BOM
 	GetAssetVersionsByAssetID(assetID uuid.UUID) ([]models.AssetVersion, error)
 	HandleFirstPartyVulnResult(asset models.Asset, assetVersion *models.AssetVersion, sarifScan common.SarifResult, scannerID string, userID string) (int, int, []models.FirstPartyVuln, error)
-	UpdateSBOM(assetVersion models.AssetVersion, scannerID string, sbom normalize.SBOM) (bool, error)
+	UpdateSBOM(assetVersion models.AssetVersion, scannerID string, sbom normalize.SBOM) error
 	HandleScanResult(asset models.Asset, assetVersion *models.AssetVersion, vulns []models.VulnInPackage, scannerID string, userID string) (opened []models.DependencyVuln, closed []models.DependencyVuln, newState []models.DependencyVuln, err error)
 	BuildOpenVeX(asset models.Asset, assetVersion models.AssetVersion, organizationSlug string, dependencyVulns []models.DependencyVuln) vex.VEX
 }

internal/core/daemon/scan_daemon.go

@@ -11,6 +11,8 @@ import (
 	"github.com/l3montree-dev/devguard/internal/core/integrations"
 	"github.com/l3montree-dev/devguard/internal/core/integrations/githubint"
 	"github.com/l3montree-dev/devguard/internal/core/integrations/gitlabint"
+	"github.com/l3montree-dev/devguard/internal/core/integrations/jiraint"
+	"github.com/l3montree-dev/devguard/internal/core/integrations/webhook"
 	"github.com/l3montree-dev/devguard/internal/core/normalize"
 	"github.com/l3montree-dev/devguard/internal/core/statistics"
 	"github.com/l3montree-dev/devguard/internal/core/vuln"
@@ -47,17 +49,20 @@ func ScanAssetVersions(db core.DB, rbacProvider core.RBACProvider) error {
 		gitlabOauth2Integrations,
 	)
 
+	webhookIntegration := webhook.NewWebhookIntegration(db)
+
+	jiraIntegration := jiraint.NewJiraIntegration(db)
 	gitlabIntegration := gitlabint.NewGitlabIntegration(db, gitlabOauth2Integrations, rbacProvider, gitlabClientFactory)
 
 	githubIntegration := githubint.NewGithubIntegration(db)
-	thirdPartyIntegration := integrations.NewThirdPartyIntegrations(githubIntegration, gitlabIntegration)
+	thirdPartyIntegration := integrations.NewThirdPartyIntegrations(githubIntegration, gitlabIntegration, jiraIntegration, webhookIntegration)
 
 	dependencyVulnService := vuln.NewService(dependencyVulnRepository, vulnEventRepository, assetRepository, cveRepository, orgRepository, projectRepository, thirdPartyIntegration, assetVersionRepository)
 	firstPartyVulnService := vuln.NewFirstPartyVulnService(firstPartyVulnerabilityRepository, vulnEventRepository, assetRepository)
 	depsDevService := vulndb.NewDepsDevService()
 	componentService := component.NewComponentService(&depsDevService, componentProjectRepository, componentRepository)
 
-	assetVersionService := assetversion.NewService(assetVersionRepository, componentRepository, dependencyVulnRepository, firstPartyVulnerabilityRepository, dependencyVulnService, firstPartyVulnService, assetRepository, vulnEventRepository, &componentService)
+	assetVersionService := assetversion.NewService(assetVersionRepository, componentRepository, dependencyVulnRepository, firstPartyVulnerabilityRepository, dependencyVulnService, firstPartyVulnService, assetRepository, projectRepository, orgRepository, vulnEventRepository, &componentService, thirdPartyIntegration)
 
 	statisticsService := statistics.NewService(statisticsRepository, componentRepository, assetRiskHistoryRepository, dependencyVulnRepository, assetVersionRepository, projectRepository, projectRiskHistoryRepository)
 

internal/core/integrations/webhook/webhook_client.go

@@ -6,12 +6,32 @@ package webhook
 import (
 	"bytes"
 	"context"
+	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"time"
 
 	cdx "github.com/CycloneDX/cyclonedx-go"
+	"github.com/l3montree-dev/devguard/internal/core"
+	"github.com/l3montree-dev/devguard/internal/core/vuln"
+)
+
+type WebhookStruct struct {
+	Organization core.OrgObject          `json:"organization"`
+	Project      core.ProjectObject      `json:"project"`
+	Asset        core.AssetObject        `json:"asset"`
+	AssetVersion core.AssetVersionObject `json:"assetVersion"`
+	Payload      any                     `json:"payload"`
+	Type         WebhookType             `json:"type"`
+}
+
+type WebhookType string
+
+const (
+	WebhookTypeSBOM                      WebhookType = "sbom"
+	WebhookTypeFirstPartyVulnerabilities WebhookType = "firstPartyVulnerabilities"
+	WebhookTypeDependencyVulnerabilities WebhookType = "dependencyVulnerabilities"
 )
 
 type webhookClient struct {
@@ -33,6 +53,7 @@ func (c *webhookClient) CreateRequest(method, url string, body io.Reader) (*http
 
 	req, err := http.NewRequestWithContext(ctx, method, url, body)
 	if err != nil {
+		fmt.Println("Error creating request:", err)
 		return nil, err
 	}
 
@@ -45,9 +66,77 @@ func (c *webhookClient) CreateRequest(method, url string, body io.Reader) (*http
 	return http.DefaultClient.Do(req)
 }
 
-func (c *webhookClient) SendSBOM(SBOM cdx.BOM) error {
+func (c *webhookClient) SendSBOM(SBOM cdx.BOM, org core.OrgObject, project core.ProjectObject, asset core.AssetObject, assetVersion core.AssetVersionObject) error {
+
+	body := WebhookStruct{
+		Organization: org,
+		Project:      project,
+		Asset:        asset,
+		AssetVersion: assetVersion,
+		Payload:      SBOM,
+		Type:         WebhookTypeSBOM,
+	}
+
+	var buf bytes.Buffer
+	err := json.NewEncoder(&buf).Encode(body)
+	if err != nil {
+		return err
+	}
+
+	resp, err := c.CreateRequest("POST", c.URL, &buf)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("failed to send SBOM, status: %s", resp.Status)
+	}
+
+	return nil
+}
+
+func (c *webhookClient) SendFirstPartyVulnerabilities(vuln []vuln.FirstPartyVulnDTO, org core.OrgObject, project core.ProjectObject, asset core.AssetObject, assetVersion core.AssetVersionObject) error {
+
+	body := WebhookStruct{
+		Organization: org,
+		Project:      project,
+		Asset:        asset,
+		AssetVersion: assetVersion,
+		Payload:      vuln,
+		Type:         WebhookTypeFirstPartyVulnerabilities,
+	}
+
+	var buf bytes.Buffer
+	err := json.NewEncoder(&buf).Encode(body)
+	if err != nil {
+		return err
+	}
+
+	resp, err := c.CreateRequest("POST", c.URL, &buf)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("failed to send vulnerability, status: %s,", resp.Status)
+	}
+
+	return nil
+}
+
+func (c *webhookClient) SendDependencyVulnerabilities(vuln []vuln.DependencyVulnDTO, org core.OrgObject, project core.ProjectObject, asset core.AssetObject, assetVersion core.AssetVersionObject) error {
+
+	body := WebhookStruct{
+		Organization: org,
+		Project:      project,
+		Asset:        asset,
+		AssetVersion: assetVersion,
+		Payload:      vuln,
+		Type:         WebhookTypeDependencyVulnerabilities,
+	}
+
 	var buf bytes.Buffer
-	err := cdx.NewBOMEncoder(&buf, cdx.BOMFileFormatJSON).Encode(&SBOM)
+	err := json.NewEncoder(&buf).Encode(body)
 	if err != nil {
 		return err
 	}
@@ -58,8 +147,7 @@ func (c *webhookClient) SendSBOM(SBOM cdx.BOM) error {
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusOK {
-		body, _ := io.ReadAll(resp.Body)
-		return fmt.Errorf("failed to send SBOM, status: %s, body: %s", resp.Status, body)
+		return fmt.Errorf("failed to send vulnerability, status: %s", resp.Status)
 	}
 
 	return nil