Merge pull request #1 from ngcloudsec/feature/datesearch

Readme update

contrib/helm/README.md

@@ -3,5 +3,5 @@
 Install threat-db API server via helm charts
 
 ```
-helm install threat-db oci://ghcr.io/ngcloudsec/charts/threat-db --version 0.2.0
+helm install threat-db oci://ghcr.io/ngcloudsec/charts/threat-db --version 0.3.0
 ```

contrib/helm/threat-db/Chart.yaml

@@ -4,6 +4,6 @@ description: A graphql server for vulnerabilities powered by dgraph
 
 type: application
 
-version: 0.2.0
+version: 0.3.0
 
-appVersion: "0.2.0"
+appVersion: "0.3.0"

contrib/helm/threat-db/templates/statefulset.yaml

@@ -0,0 +1,104 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ include "threat-db.fullname" . }}
+  labels:
+    {{- include "threat-db.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "threat-db.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "threat-db.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "threat-db.serviceAccountName" . }}
+      securityContext:
+        fsGroup: {{ .Values.podSecurityContext.fsGroup }}
+        runAsUser: {{ .Values.podSecurityContext.runAsUser }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          env:
+          - name: DGRAPH_GRAPHQL_HOST
+            valueFrom:
+              configMapKeyRef:
+                name: config-map
+                key: DGRAPH_GRAPHQL_HOST
+          - name: DGRAPH_RPC_HOST
+            valueFrom:
+              configMapKeyRef:
+                name: config-map
+                key: DGRAPH_RPC_HOST
+          - name: JWT_SECRET_KEY
+            valueFrom:
+              secretKeyRef:
+                name: secret-map
+                key: JWT_SECRET_KEY
+          startupProbe:
+            {{- toYaml .Values.startupProbe | nindent 12 }}
+          livenessProbe:
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .Values.readinessProbe | nindent 12 }}
+          volumeMounts:
+          - name: tmpdir
+            mountPath: /tmp
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      volumes:
+      - name: tmpdir
+        persistentVolumeClaim:
+          claimName: tmpdir
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+
+  volumeClaimTemplates:
+    - metadata:
+        name: tmpdir
+        annotations:
+          volume.alpha.kubernetes.io/storage-class: anything
+      spec:
+        accessModes:
+        {{- range .Values.persistence.accessModes }}
+          - {{ . | quote }}
+        {{- end }}
+        resources:
+          requests:
+            storage: {{ .Values.persistence.size | quote }}
+        {{- if .Values.persistence.storageClass }}
+      {{- if (eq "-" .Values.persistence.storageClass) }}
+        storageClassName: ""
+      {{- else }}
+        storageClassName: {{ .Values.persistence.storageClass | quote }}
+      {{- end -}}
+      {{- end -}}

contrib/microk8s/INSTALL.md

@@ -200,7 +200,7 @@ dev-db-dgraph-zero             ClusterIP   10.152.183.112   <none>        5080/T
 
 ```
 # microk8s helm uninstall threat-db-api
-microk8s helm install threat-db-api oci://ghcr.io/ngcloudsec/charts/threat-db --version 0.2.0 --set persistence.storageClass="ssd-hostpath" --set persistence.size="1Gi"
+microk8s helm install threat-db-api oci://ghcr.io/ngcloudsec/charts/threat-db --version 0.3.0 --set persistence.storageClass="ssd-hostpath" --set persistence.size="1Gi"
 microk8s kubectl get pods
 ```
 

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "threat-db"
-version = "0.2.0"
+version = "0.3.0"
 description = "A graphql server for vulnerabilities powered by dgraph"
 authors = ["Team ngcloudsec <[email protected]>"]
 license = "Apache-2.0"

queries-graphql.md

@@ -335,3 +335,40 @@ query {
   }
 }
 ```
+
+Components with critical and high exploitable vulnerabilities
+
+```
+query {
+  queryComponent(first:10) @cascade {
+    name
+    group
+    version
+    purl
+    appearsIn {
+      serialNumber
+      metadata {
+        component {
+          purl
+          name
+        }
+      }
+    }
+    vulnerabilities(filter: {
+        has: properties,
+        and: {severity: {in: [critical, high]}}
+      }) {
+      id
+      severity
+      cvss_score
+      description
+      version
+      fix_version
+      analysis(filter: {state: {allofterms: "exploitable"}}) {
+        state
+        detail
+      }
+    }
+  }
+}
+```

skaffold.yaml

@@ -14,4 +14,4 @@ deploy:
       chartPath: contrib/helm/threat-db
       valuesFiles:
       - contrib/helm/threat-db/values.yaml
-      version: 0.2.0
+      version: 0.3.0

threat_db/api.py

@@ -10,9 +10,9 @@
     jwt_required,
 )
 from uwsgidecorators import filemon
+
 import threat_db.graphclient as graph_client
 import threat_db.loader as data_loader
-
 from threat_db.config import JWT_ACCESS_TOKEN_EXPIRES_HOURS
 from threat_db.logger import LOG
 
@@ -136,7 +136,12 @@ def proxy_graphql():
 
         @filemon(THREATDB_DATA_DIR)
         def data_drop(signum):
-            data_loader.start(client, THREATDB_DATA_DIR, remove_on_success=True)
+            try:
+                data_loader.start(client, THREATDB_DATA_DIR, remove_on_success=True)
+            except Exception:
+                LOG.debug(
+                    f"Error processing the files in {THREATDB_DATA_DIR}. This is usually due to duplicate invocations."
+                )
 
     else:
         LOG.warn(