Only send vulnerability events if the minimum priority is gte to that specified
Fixes #770
This commit is contained in:
Joseph Schorr
parent
5926501e08
commit
ca7d736db2
13 changed files with 175 additions and 156 deletions
|
|
@ -1,51 +0,0 @@
|
|||
import features
|
||||
import logging
|
||||
import requests
|
||||
import json
|
||||
|
||||
from urlparse import urljoin
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
class SecEndpoint(object):
|
||||
""" Helper class for talking to the Sec API. """
|
||||
def __init__(self, app, config_provider):
|
||||
self.app = app
|
||||
self.config_provider = config_provider
|
||||
|
||||
if not features.SECURITY_SCANNER:
|
||||
return
|
||||
|
||||
self.security_config = app.config['SECURITY_SCANNER']
|
||||
|
||||
self.certificate = self._getfilepath('CA_CERTIFICATE_FILENAME') or False
|
||||
self.public_key = self._getfilepath('PUBLIC_KEY_FILENAME')
|
||||
self.private_key = self._getfilepath('PRIVATE_KEY_FILENAME')
|
||||
|
||||
if self.public_key and self.private_key:
|
||||
self.keys = (self.public_key, self.private_key)
|
||||
else:
|
||||
self.keys = None
|
||||
|
||||
def _getfilepath(self, config_key):
|
||||
security_config = self.security_config
|
||||
|
||||
if config_key in security_config:
|
||||
with self.config_provider.get_volume_file(security_config[config_key]) as f:
|
||||
return f.name
|
||||
|
||||
return None
|
||||
|
||||
def call_api(self, relative_url, *args, **kwargs):
|
||||
""" Issues an HTTP call to the sec API at the given relative URL. """
|
||||
security_config = self.security_config
|
||||
api_url = urljoin(security_config['ENDPOINT'], '/' + security_config['API_VERSION']) + '/'
|
||||
url = urljoin(api_url, relative_url % args)
|
||||
|
||||
client = self.app.config['HTTPCLIENT']
|
||||
timeout = security_config.get('API_CALL_TIMEOUT', 1)
|
||||
logger.debug('Looking up sec information: %s', url)
|
||||
|
||||
return client.get(url, params=kwargs, timeout=timeout, cert=self.keys,
|
||||
verify=self.certificate)
|
||||
|
||||
|
|
@ -2,12 +2,103 @@ import features
|
|||
import logging
|
||||
import requests
|
||||
|
||||
from app import app
|
||||
from database import CloseForLongOperation
|
||||
from data.database import CloseForLongOperation
|
||||
from urlparse import urljoin
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
# NOTE: This objects are used directly in the external-notification-data and vulnerability-service
|
||||
# on the frontend, so be careful with changing their existing keys.
|
||||
PRIORITY_LEVELS = {
|
||||
'Unknown': {
|
||||
'title': 'Unknown',
|
||||
'index': '6',
|
||||
'level': 'info',
|
||||
|
||||
'description': 'Unknown is either a security problem that has not been assigned ' +
|
||||
'to a priority yet or a priority that our system did not recognize',
|
||||
'banner_required': False
|
||||
},
|
||||
|
||||
'Negligible': {
|
||||
'title': 'Negligible',
|
||||
'index': '5',
|
||||
'level': 'info',
|
||||
|
||||
'description': 'Negligible is technically a security problem, but is only theoretical ' +
|
||||
'in nature, requires a very special situation, has almost no install base, ' +
|
||||
'or does no real damage.',
|
||||
'banner_required': False
|
||||
},
|
||||
|
||||
'Low': {
|
||||
'title': 'Low',
|
||||
'index': '4',
|
||||
'level': 'warning',
|
||||
|
||||
'description': 'Low is a security problem, but is hard to exploit due to environment, ' +
|
||||
'requires a user-assisted attack, a small install base, or does very ' +
|
||||
'little damage.',
|
||||
'banner_required': False
|
||||
},
|
||||
|
||||
'Medium': {
|
||||
'title': 'Medium',
|
||||
'value': 'Medium',
|
||||
'index': '3',
|
||||
'level': 'warning',
|
||||
|
||||
'description': 'Medium is a real security problem, and is exploitable for many people. ' +
|
||||
'Includes network daemon denial of service attacks, cross-site scripting, ' +
|
||||
'and gaining user privileges.',
|
||||
'banner_required': False
|
||||
},
|
||||
|
||||
'High': {
|
||||
'title': 'High',
|
||||
'value': 'High',
|
||||
'index': '2',
|
||||
'level': 'warning',
|
||||
|
||||
'description': 'High is a real problem, exploitable for many people in a default installation. ' +
|
||||
'Includes serious remote denial of services, local root privilege escalations, ' +
|
||||
'or data loss.',
|
||||
'banner_required': False
|
||||
},
|
||||
|
||||
'Critical': {
|
||||
'title': 'Critical',
|
||||
'value': 'Critical',
|
||||
'index': '1',
|
||||
'level': 'error',
|
||||
|
||||
'description': 'Critical is a world-burning problem, exploitable for nearly all people in ' +
|
||||
'a installation of the package. Includes remote root privilege escalations, ' +
|
||||
'or massive data loss.',
|
||||
'banner_required': True
|
||||
},
|
||||
|
||||
'Defcon1': {
|
||||
'title': 'Defcon 1',
|
||||
'value': 'Defcon1',
|
||||
'index': '0',
|
||||
'level': 'error',
|
||||
|
||||
'description': 'Defcon1 is a Critical problem which has been manually highlighted ' +
|
||||
'by the Quay team. It requires immediate attention.',
|
||||
'banner_required': True
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
def get_priority_for_index(index):
|
||||
for priority in PRIORITY_LEVELS:
|
||||
if PRIORITY_LEVELS[priority]['index'] == index:
|
||||
return priority
|
||||
|
||||
return 'Unknown'
|
||||
|
||||
|
||||
class SecurityScannerAPI(object):
|
||||
""" Helper class for talking to the Security Scan service (Clair). """
|
||||
def __init__(self, app, config_provider):
|
||||
|
|
@ -76,7 +167,7 @@ class SecurityScannerAPI(object):
|
|||
timeout = security_config.get('API_TIMEOUT_SECONDS', 1)
|
||||
logger.debug('Looking up sec information: %s', url)
|
||||
|
||||
with CloseForLongOperation(app.config):
|
||||
with CloseForLongOperation(self.app.config):
|
||||
if body is not None:
|
||||
return client.post(url, json=body, params=kwargs, timeout=timeout, cert=self.keys,
|
||||
verify=self.certificate)
|
||||
|
|
|
|||
Reference in a new issue