Merge branch 'dev'

infobyte · Feb 8, 2024 · 73a7cec · 73a7cec
2 parents bb3abe0 + e491093
commit 73a7cec
Show file tree

Hide file tree

Showing 11 changed files with 132 additions and 18 deletions.
diff --git a/.gitlab/ci/build_ci/.build-gitlab-ci.yml b/.gitlab/ci/build_ci/.build-gitlab-ci.yml
@@ -18,16 +18,16 @@
 #    - !reference [.devel-branch-manual, rules]
 #    - when: never
 #
-#docker-build-main:
-#  extends: .docker-build-base
-#  variables:
-#    IMAGE_TAG: "faraday-agent-dispatcher"
-#    BASE_IMAGE_TAG: "base"
-#  rules:
-#    - !reference [.dev-staging-master-manual, rules]
-#    - !reference [.daily-control, rules]
-#    - when: never
-#
+docker-build-main:
+  extends: .docker-build-base
+  variables:
+    IMAGE_TAG: "latest"
+    BASE_IMAGE_TAG: "base-tag"
+  rules:
+    - !reference [.dev-staging-master-manual, rules]
+    - !reference [.daily-control, rules]
+    - when: never
+
 #docker-build-tag:
 #  extends: .docker-build-base
 #  variables:

diff --git a/CHANGELOG/3.2.0/206.md b/CHANGELOG/3.2.0/206.md
@@ -0,0 +1 @@
+[ADD] Add dependabot agent. #206
diff --git a/CHANGELOG/3.2.0/date.md b/CHANGELOG/3.2.0/date.md
@@ -0,0 +1 @@
+Feb 8th, 2024
diff --git a/RELEASE.md b/RELEASE.md
@@ -1,3 +1,7 @@
+3.2.0 [Feb 8th, 2024]:
+---
+ * [ADD] Add dependabot agent. #206
+
 3.0.1 [Dec 22th, 2023]:
 ---
  * [FIX] Fix on_diconnect method and limit python-socketio to 5.8.0 #199

diff --git a/faraday_agent_dispatcher/__init__.py b/faraday_agent_dispatcher/__init__.py
@@ -20,4 +20,4 @@
 
 __author__ = """Faraday Development Team"""
 __email__ = "[email protected]"
-__version__ = "3.0.1"
+__version__ = "3.2.0"
diff --git a/faraday_agent_dispatcher/cli/wizard.py b/faraday_agent_dispatcher/cli/wizard.py
@@ -154,7 +154,6 @@ async def get_base_repo(self) -> dict:
             for executor in os.listdir(executor_folder())
             if re.match("(.*_manifest.json|__pycache__)", executor) is None
         ]
-
         executors_names = list(
             map(
                 lambda x: re.search(r"(^[a-zA-Z0-9_-]+)(?:\..*)*$", x).group(1),

diff --git a/faraday_agent_dispatcher/dispatcher.py b/faraday_agent_dispatcher/dispatcher.py
@@ -537,7 +537,7 @@ async def create_process(executor: Executor, args: dict, plugin_args: dict):
             stdout=asyncio.subprocess.PIPE,
             stderr=asyncio.subprocess.PIPE,
             env=env,
-            limit=executor.max_size
+            limit=executor.max_size,
             # If the config is not set, use async.io default
         )
         return process

diff --git a/faraday_agent_dispatcher/dispatcher_io.py b/faraday_agent_dispatcher/dispatcher_io.py
@@ -525,7 +525,7 @@ async def create_process(executor: Executor, args: dict, plugin_args: dict):
             stdout=asyncio.subprocess.PIPE,
             stderr=asyncio.subprocess.PIPE,
             env=env,
-            limit=executor.max_size
+            limit=executor.max_size,
             # If the config is not set, use async.io default
         )
         return process

diff --git a/faraday_agent_dispatcher/static/executors/official/dependabot.py b/faraday_agent_dispatcher/static/executors/official/dependabot.py
@@ -0,0 +1,109 @@
+import http
+import json
+
+import requests
+import os
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+def main():
+    DEPENDABOT_OWNER = os.getenv("EXECUTOR_CONFIG_DEPENDABOT_OWNER")
+    DEPENDABOT_REPOSITORY = os.getenv("EXECUTOR_CONFIG_DEPENDABOT_REPOSITORY")
+    DEPENDABOT_TOKEN = os.getenv("DEPENDABOT_TOKEN")
+
+    vuln_tag = os.getenv("AGENT_CONFIG_VULN_TAG", [])
+    if vuln_tag:
+        vuln_tag = vuln_tag.split(",")
+    host_tag = os.getenv("AGENT_CONFIG_HOSTNAME_TAG", [])
+    if host_tag:
+        host_tag = host_tag.split(",")
+
+    # TODO: should validate config?
+    dependabot_url = f"https://api.github.com/repos/{DEPENDABOT_OWNER}/{DEPENDABOT_REPOSITORY}/dependabot/alerts"
+    dependabot_auth = {"Authorization": f"Bearer {DEPENDABOT_TOKEN}"}
+    repo_url = f"https://github.com/{DEPENDABOT_OWNER}/{DEPENDABOT_REPOSITORY}"
+
+    CVSS_3_PREFIX = "CVSS:3"
+
+    response = requests.get(dependabot_url, headers=dependabot_auth)
+
+    if response.status_code == http.HTTPStatus.OK:
+        security_events = response.json()
+        hosts_ips = list({security_event["dependency"]["manifest_path"] for security_event in security_events})
+        hosts = []
+
+        for ip in hosts_ips:
+            host_vulns = []
+            for security_event in security_events:
+                if security_event["dependency"]["manifest_path"] == ip:
+                    vulnerability_data = security_event["security_advisory"]
+
+                    if security_event["state"] != "open":
+                        logger.warning(f"Vulnerability {security_event['number']} already closed...")
+                        continue
+
+                    security_vulnerability = security_event.get("security_vulnerability")
+
+                    extended_description = ""
+                    if security_vulnerability:
+                        first_patched_version = security_vulnerability.get("first_patched_version", "N/A")
+                        first_patched_version_identifier = first_patched_version.get("identifier")
+                        package = security_vulnerability.get("package", None)
+                        ecosystem = package.get("ecosystem", "N/A")
+                        name = package.get("name", "N/A")
+                        vulnerable_version_range = security_vulnerability.get("vulnerable_version_range", "N/A")
+                        extended_description = (
+                            f"URL: [{security_event['html_url']}]({security_event['html_url']})\n"
+                            f"```\n"
+                            f"Package: {name} ({ecosystem})\n"
+                            f"Affected versions: {vulnerable_version_range} \n"
+                            f"Patched version: {first_patched_version_identifier}\n"
+                            f"```"
+                        )
+                    vulnerability = {
+                        "name": f"{vulnerability_data['summary']}",
+                        "desc": f"{extended_description}\n{vulnerability_data['description']}\n",
+                        "severity": f"{vulnerability_data['severity']}",
+                        "type": "Vulnerability",
+                        "impact": {
+                            "accountability": False,
+                            "availability": False,
+                        },
+                        "cwe": [cwe["cwe_id"] for cwe in vulnerability_data["cwes"]],
+                        "cve": [cve["value"] for cve in vulnerability_data["identifiers"] if cve["type"] == "CVE"],
+                        "refs": [
+                            {"name": reference["url"], "type": "other"}
+                            for reference in vulnerability_data["references"]
+                        ],
+                        "status": "open" if security_event["state"] == "open" else "closed",
+                        "tags": vuln_tag,
+                    }
+
+                    cvss_vector_string = vulnerability_data["cvss"]["vector_string"]
+
+                    if cvss_vector_string:
+                        if cvss_vector_string.startswith(CVSS_3_PREFIX):
+                            vulnerability.update({"cvss3": {"vector_string": cvss_vector_string}})
+                        else:
+                            vulnerability.update({"cvss2": {"vector_string": cvss_vector_string.strip("CVSS:")[-1]}})
+
+                    host_vulns.append(vulnerability)
+
+            hosts.append(
+                {
+                    "ip": f"{DEPENDABOT_OWNER}/{DEPENDABOT_REPOSITORY}/{ip}",
+                    "description": f"Dependabot recommendations on file {ip}\n\nRepository: {repo_url}",
+                    "hostnames": [],
+                    "vulnerabilities": host_vulns,
+                    "tags": host_tag,
+                }
+            )
+
+        data = {"hosts": hosts}
+        print(json.dumps(data))
+
+
+if __name__ == "__main__":
+    main()
diff --git a/setup.py b/setup.py
@@ -41,7 +41,7 @@
     "faraday-plugins>=1.15.1",
     "python-owasp-zap-v2.4",
     "python-gvm",
-    "faraday_agent_parameters_types>=1.3.1",
+    "faraday_agent_parameters_types>=1.4.0",
     "pyyaml",
     "psutil",
     "pytenable",

diff --git a/tests/unittests/test_agent_dispatcher.py b/tests/unittests/test_agent_dispatcher.py
@@ -273,9 +273,9 @@ async def test_run_once(
 
         if "varenvs" in executor_options:
             for varenv in executor_options["varenvs"]:
-                configuration[Sections.AGENT][Sections.EXECUTORS][ex][Sections.EXECUTOR_VARENVS][
-                    varenv
-                ] = executor_options["varenvs"][varenv]
+                configuration[Sections.AGENT][Sections.EXECUTORS][ex][Sections.EXECUTOR_VARENVS][varenv] = (
+                    executor_options["varenvs"][varenv]
+                )
 
         max_size = str(64 * 1024) if "max_size" not in executor_options else executor_options["max_size"]
         configuration[Sections.AGENT][Sections.EXECUTORS][ex]["max_size"] = max_size