feat: remove NVD dependency (#87)
Signed-off-by: Ruben Romero Montes <[email protected]>
ruromero authored Jun 18, 2024
1 parent 1caa7a5 commit 316e111
Showing 41 changed files with 153 additions and 2,429 deletions.
23 changes: 7 additions & 16 deletions README.md
@@ -1,6 +1,6 @@
# ONGuard

The ONGuard (OSV - NVD Guard) service integrates OSV and NVD in order to retrieve CVE vulnerabilities from
The ONGuard (OSV Guard) service integrates OSV in order to retrieve CVE vulnerabilities from
the given set of package urls (purls).

Upon receiving a collection of `purls`:
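Review bot: the rewritten first sentence still promises "CVE vulnerabilities", but the OSV data described further down in this README identifies findings by OSV vulnerability ID with the CVE only among the aliases; consider "vulnerabilities (with their CVE aliases where available)" so readers do not assume every result maps to a CVE.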
Expand Down Expand Up @@ -42,17 +42,15 @@ the OSV Service will return with a collection of vulnerabilities.
```

We need to expand each of these vulnerability IDs and for that the service will call retrieve the OSV data
that contains useful remediation information, aliases (including the CVE), summary and title but we also need to
retrieve the CVSS metrics and this data is retrieved from the NVD service.
that contains useful remediation information, aliases (including the CVE), summary, title and metrics.

That means the service has to perform 2 requests:
- OSV /vulns/{vulnId}
- NVD /rest/json/cves/2.0?cveId={cveId}

As you can imagine. That implies (2 * number of vulnerabilities) + 1 requests for each request. Where in a normal-sized
Java project with 150 dependencies (direct and transitive) will be 201 HTTP requests.
As you can imagine. That implies (number of vulnerabilities) + 1 requests for each request. Where in a normal-sized
Java project with 150 dependencies (direct and transitive) will be 101 HTTP requests.

For that we have added a Redis cache in order to save the aggregated data and also to cache the requests to OSV.
For that we have added a Redis cache in order to cache the individual requests to OSV.

The final result of the aggregated data will look like this:

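Review bot: the unchanged list under "That means the service has to perform 2 requests" is now contradicted by this hunk: the bullet `NVD /rest/json/cves/2.0?cveId={cveId}` is still there while the prose just above says metrics now come from OSV and the count below drops to (number of vulnerabilities) + 1. Drop the NVD bullet and change "2 requests" to a single `OSV /vulns/{vulnId}` call per vulnerability. Minor: "As you can imagine. That implies" is a sentence fragment; join it as "As you can imagine, that implies".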
Expand Down Expand Up @@ -111,13 +109,6 @@ The OpenAPI Schema can be retrieved in the management endpoint at http://localho

## Running the application

### Required parameters

The NVD database has a rate limit that is more permissive when using an api Key. You can get one by filling in [this form](https://nvd.nist.gov/developers/request-an-api-key)

Once you apply and receive it you can configure it with the following configuration parameter: `api.nvd.key=<your_api_key>`


### Running the application locally

The application depends on Redis and uses the JSON capability. You can either connect to an existing instance or use the `TestContainers` framework to spin up one for you.
Expand All @@ -127,7 +118,7 @@ The application depends on Redis and uses the JSON capability. You can either co
In this case, as it is the default configuration, you only need to provide the apiKey.

```shell script
./mvnw compile quarkus:dev -Dapi.nvd.key=<your_key>
./mvnw compile quarkus:dev
```

* Note: If you're having issues with Podman and TestContainers you can check the [Quarkus Blog](https://quarkus.io/blog/quarkus-devservices-testcontainers-podman/) and the [Quarkus Podman guide](https://quarkus.io/guides/podman)
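Review bot: the context line "In this case, as it is the default configuration, you only need to provide the apiKey." is stale now that `-Dapi.nvd.key=<your_key>` has been removed from the command below it; reword it to say that no parameters are needed because TestContainers starts Redis for you.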
Expand All @@ -143,7 +134,7 @@ podman run -d --rm -p 6379:6379 -p 8001:8001 --name redis-stack redis/redis-stac
You can run your application in dev mode that enables live coding using:

```shell script
./mvnw compile quarkus:dev -Dapi.nvd.key=<your_key> -Dquarkus.redis.hosts=redis://localhost:6379/
./mvnw compile quarkus:dev -Dquarkus.redis.hosts=redis://localhost:6379/
```

## Packaging and running the application
83 changes: 0 additions & 83 deletions deploy/onguard.yaml
Expand Up @@ -30,11 +30,6 @@ spec:
memory: "128Mi"
cpu: "500m"
env:
- name: API_NVD_APIKEY
valueFrom:
secretKeyRef:
name: exhort-onguard-secret
key: api-nvd-apikey
- name: DB_REDIS_HOST
valueFrom:
secretKeyRef:
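Review bot: removing the `API_NVD_APIKEY` env entry leaves the `api-nvd-apikey` key of `exhort-onguard-secret` unreferenced; remove that key from the secret definition as well so a stale credential does not linger in the cluster after the deployment stops reading it.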
Expand Down Expand Up @@ -75,81 +70,3 @@ spec:
targetPort: 9000
selector:
app: onguard
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: onguard-ingester
labels:
app: onguard-ingester
spec:
replicas: 1
selector:
matchLabels:
app: onguard-ingester
template:
metadata:
labels:
app: onguard-ingester
spec:
containers:
- name: onguard-ingester
image: onguard:latest
imagePullPolicy: IfNotPresent
ports:
- name: management
containerPort: 9000
protocol: TCP
resources:
limits:
memory: "128Mi"
cpu: "500m"
env:
- name: DB_REDIS_HOST
valueFrom:
secretKeyRef:
name: exhort-onguard-secret
key: db.host
- name: DB_REDIS_PORT
valueFrom:
secretKeyRef:
name: exhort-onguard-secret
key: db.port
- name: API_NVD_APIKEY
valueFrom:
secretKeyRef:
name: exhort-onguard-secret
key: api-nvd-apikey
- name: QUARKUS_PROFILE
value: ingester,prod
- name: ONGUARD_PASSWORD
valueFrom:
secretKeyRef:
name: exhort-onguard-secret
key: admin.pwd
livenessProbe:
httpGet:
path: /q/health/live
port: 9000
initialDelaySeconds: 1
readinessProbe:
httpGet:
path: /q/health/ready
port: 9000
initialDelaySeconds: 5
periodSeconds: 20
---
apiVersion: v1
kind: Service
metadata:
name: onguard-ingester
labels:
app: onguard-ingester
spec:
ports:
- name: management
port: 9000
protocol: TCP
targetPort: 9000
selector:
app: onguard-ingester
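Review bot: this hunk deletes the entire `onguard-ingester` Deployment and Service, which goes beyond what the commit title ("remove NVD dependency") announces; please say in the commit message that the ingester workload is being retired. As a follow-on, the `admin.pwd` key of `exhort-onguard-secret` that only `ONGUARD_PASSWORD` consumed is now unused too and can be dropped from the secret.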
140 changes: 0 additions & 140 deletions deploy/openshift/template.yaml
Expand Up @@ -87,124 +87,6 @@ objects:
containerPort: '${{MANAGEMENT_PORT}}'
protocol: TCP
env:
- name: API_NVD_APIKEY
valueFrom:
secretKeyRef:
name: exhort-secret
key: api-nvd-apikey
- name: DB_REDIS_HOST
valueFrom:
secretKeyRef:
name: '${ELASTICACHE_SECRET}'
key: db.endpoint
- name: DB_REDIS_PORT
valueFrom:
secretKeyRef:
name: '${ELASTICACHE_SECRET}'
key: db.port
- name: QUARKUS_HTTP_PORT
value: '8080'
- name: QUARKUS_MANAGEMENT_PORT
value: '9000'
- name: QUARKUS_REDIS_MAX_POOL_SIZE
value: '20'
- name: QUARKUS_REDIS_MAX_POOL_WAITING
value: '100'
securityContext:
runAsNonRoot: true
resources:
limits:
cpu: ${CPU_LIMIT}
memory: ${MEMORY_LIMIT}
requests:
cpu: ${CPU_REQUEST}
memory: ${MEMORY_REQUEST}
imagePullPolicy: Always
restartPolicy: Always
serviceAccountName: '${SERVICE_ACCOUNT_NAME}'
- kind: Service
apiVersion: v1
metadata:
name: '${ING_SERVICE_NAME}'
labels:
app-name: '${ING_APP_NAME}'
spec:
ports:
- name: http
protocol: TCP
appProtocol: http
port: '${{SERVICE_PORT}}'
targetPort: http
- name: management
protocol: TCP
appProtocol: http
port: '${{MANAGEMENT_PORT}}'
targetPort: management
selector:
app: '${ING_APP_NAME}'
- kind: Deployment
apiVersion: apps/v1
metadata:
name: '${ING_APP_NAME}'
spec:
replicas: '${{ING_REPLICAS}}'
selector:
matchLabels:
app: '${ING_APP_NAME}'
template:
metadata:
labels:
app: '${ING_APP_NAME}'
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- '${ING_APP_NAME}'
topologyKey: kubernetes.io/hostname
weight: 90
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- '${ING_APP_NAME}'
topologyKey: topology.kubernetes.io/zone
weight: 100
containers:
- name: app
image: '${IMAGE}:${IMAGE_TAG}'
livenessProbe:
httpGet:
path: /q/health/live
port: '${{MANAGEMENT_PORT}}'
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
httpGet:
path: /q/health/ready
port: '${{MANAGEMENT_PORT}}'
initialDelaySeconds: 5
periodSeconds: 10
ports:
- name: http
containerPort: '${{SERVICE_PORT}}'
protocol: TCP
- name: management
containerPort: '${{MANAGEMENT_PORT}}'
protocol: TCP
env:
- name: API_NVD_APIKEY
valueFrom:
secretKeyRef:
name: exhort-secret
key: api-nvd-apikey
- name: DB_REDIS_HOST
valueFrom:
secretKeyRef:
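Review bot: same concern as in deploy/onguard.yaml: the OpenShift template loses the `${ING_SERVICE_NAME}` Service and `${ING_APP_NAME}` Deployment together with the `API_NVD_APIKEY` entries, so the `api-nvd-apikey` key of `exhort-secret` is no longer read and should be cleaned out of the secret. Because the rendered diff does not distinguish deleted from context lines in this region, please double-check that the remaining application Deployment still carries the `securityContext: runAsNonRoot: true` block and the CPU/memory limits and requests shown here.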
Expand All @@ -219,13 +101,6 @@ objects:
value: '8080'
- name: QUARKUS_MANAGEMENT_PORT
value: '9000'
- name: QUARKUS_PROFILE
value: ingester,prod
- name: ONGUARD_PASSWORD
valueFrom:
secretKeyRef:
name: exhort-secret
key: admin.pwd
- name: QUARKUS_REDIS_MAX_POOL_SIZE
value: '20'
- name: QUARKUS_REDIS_MAX_POOL_WAITING
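Review bot: removing `ONGUARD_PASSWORD` from the deployment is only safe if the application no longer declares that property as required outside the `ingester` profile; otherwise the pod fails at startup with a missing-configuration error. Please confirm the Java side drops the property in the same commit (the full changed-file list is not visible here).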
Expand All @@ -248,21 +123,11 @@ parameters:
description: Application name
value: onguard
required: true
- name: ING_APP_NAME
displayName: Ingester Application name
description: Ingester Application name
value: onguard-ingester
required: true
- name: REPLICAS
displayName: Replicas
description: Number of desired pods
value: '1'
required: true
- name: ING_REPLICAS
displayName: Ingester Replicas
description: Number of desired pods for the ingester service
value: '1'
required: true
- name: IMAGE
displayName: Container image name
description: Container image name
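Review bot: with `ING_APP_NAME` and `ING_REPLICAS` gone from `parameters`, grep the template for any leftover `${ING_APP_NAME}` or `${{ING_REPLICAS}}` reference; an undeclared parameter would either be left as a literal in the processed objects or be rejected, and both are easy to miss until deploy time.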
Expand All @@ -287,11 +152,6 @@ parameters:
description: Service name
value: onguard
required: true
- name: ING_SERVICE_NAME
displayName: Ingester Service Name
description: Ingester Service Name
value: onguard-ingester
required: true
- name: SERVICE_PORT
displayName: Service port
description: Service port
3 changes: 1 addition & 2 deletions devfile.yaml
Expand Up @@ -6,13 +6,12 @@ metadata:
supportUrl: https://github.com/RHEcosystemAppEng/onguard/issues
website: https://github.com/RHEcosystemAppEng/onguard
displayName: ONGUard
description: ONGuard Service that aggregates data from OSV and NVD
description: ONGuard Service that aggregates data from OSV
tags:
- Exhort
- RHTPA
- Java
- Quarkus
- NVD
- OSV
projectType: Quarkus
language: Java
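Review bot: the unchanged `displayName: ONGUard` just above the edited description has a casing typo (the project is spelled ONGuard everywhere else in this diff); worth fixing while this block is being touched.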
12 changes: 7 additions & 5 deletions pom.xml
@@ -1,5 +1,7 @@
<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.redhat.ecosystemappeng.onguard</groupId>
<artifactId>onguard</artifactId>
Expand Down Expand Up @@ -90,8 +92,8 @@
<artifactId>quarkus-smallrye-health</artifactId>
</dependency>
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-micrometer-registry-prometheus</artifactId>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-micrometer-registry-prometheus</artifactId>
</dependency>
<dependency>
<groupId>io.quarkus</groupId>
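Review bot: this hunk and the following one are indentation-only changes in `pom.xml` with no functional effect; mixing them into a commit titled "remove NVD dependency" makes it harder to audit which dependency actually went away. Consider a separate formatting commit, and if an NVD client artifact was previously declared in this file, its removal should be visible in this file's diff rather than hidden among whitespace changes.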
Expand Down Expand Up @@ -139,9 +141,9 @@
<dependency>
<groupId>org.wiremock</groupId>
<artifactId>wiremock-standalone</artifactId>
<version>${wiremock.version}</version>
<version>${wiremock.version}</version>
<scope>test</scope>
</dependency>
</dependency>
</dependencies>
<build>
<pluginManagement>
2 changes: 1 addition & 1 deletion src/main/docker/Dockerfile.multi-stage
Expand Up @@ -19,7 +19,7 @@ LABEL io.k8s.description="Red Hat Trusted Profile Analyzer - ONGuard Service"
LABEL io.k8s.display-name="RHTPA ONGuard service"
LABEL io.openshift.tags="rhtpa exhort onguard"
LABEL summary="The RHTPA ONGuard Service exposes an API for retrieving vulnerability data \
from OSV and NVD databases"
from OSV database"

WORKDIR /work/
COPY --from=build /code/target/*-runner /work/application
0 comments on commit 316e111