✨ New vulnmgmt resources

Signed-off-by: Christian Zunker <[email protected]>
mondoohq · Nov 27, 2023 · 31170b9 · 31170b9
1 parent 2249856
commit 31170b9
Show file tree

Hide file tree

Showing 18 changed files with 1,153 additions and 13 deletions.
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -44,9 +44,10 @@
       "cwd": "${workspaceRoot}/",
       "args": [
         "run",
-        // "local",
         "-c",
-        "asset.eol"
+        "vulnmgmt.advisories",
+        "--config",
+        "/home/christian/demo.agent.credentials.json"
       ],
     },
     {

diff --git a/Makefile b/Makefile
@@ -74,6 +74,8 @@ prep/tools: prep/tools/protolint
 
 cnquery/generate: clean/proto llx/generate shared/generate providers explorer/generate sbom/generate
 
+cnquery/generate/core: clean/proto llx/generate shared/generate providers/proto providers/build/mock providers/build/core explorer/generate
+
 define buildProvider
 	$(eval $@_HOME = $(1))
 	$(eval $@_NAME = $(shell basename ${$@_HOME}))

diff --git a/go.mod b/go.mod
@@ -141,6 +141,7 @@ require (
 	github.com/sagikazarmark/locafero v0.3.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/sergi/go-diff v1.3.1 // indirect
+	github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466 // indirect
 	github.com/skeema/knownhosts v1.2.1 // indirect
 	github.com/smarty/assertions v1.15.1 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
@@ -224,7 +225,7 @@ require (
 	github.com/fzipp/gocyclo v0.6.0 // indirect
 	github.com/getsentry/sentry-go v0.25.0 // indirect
 	github.com/go-critic/go-critic v0.9.0 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.1 // indirect
 	github.com/go-logr/logr v1.3.0 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
@@ -367,6 +368,7 @@ require (
 	github.com/yeya24/promlinter v0.2.0 // indirect
 	github.com/ykadowak/zerologlint v0.1.3 // indirect
 	gitlab.com/bosi/decorder v0.4.1 // indirect
+	go.mondoo.com/mondoo-go v0.0.0-20231115081401-e27ff48607b6
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/otel/trace v1.21.0 // indirect
 	go.tmz.dev/musttag v0.7.2 // indirect
@@ -375,7 +377,7 @@ require (
 	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
 	golang.org/x/exp/typeparams v0.0.0-20231006140011-7918f672742d // indirect
 	golang.org/x/mod v0.14.0
-	golang.org/x/oauth2 v0.13.0 // indirect
+	golang.org/x/oauth2 v0.14.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	google.golang.org/api v0.149.0 // indirect
@@ -398,3 +400,5 @@ require (
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect
 )
+
+replace go.mondoo.com/mondoo-go => /home/christian/workspace/mondoo/github.com/mondoo-go
diff --git a/go.sum b/go.sum
@@ -390,8 +390,8 @@ github.com/go-git/go-git/v5 v5.10.0/go.mod h1:1FOZ/pQnqw24ghP2n7cunVl0ON55BsjPYv
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo=
-github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
+github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA=
+github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
@@ -985,6 +985,8 @@ github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c h1:W65qqJCIOVP4jpqP
 github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c/go.mod h1:/PevMnwAxekIXwN8qQyfc5gl2NlkB3CQlkizAbOkeBs=
 github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk=
 github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ=
+github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466 h1:17JxqqJY66GmZVHkmAsGEkcIu0oCe3AM420QDgGwZx0=
+github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466/go.mod h1:9dIRpgIY7hVhoqfe0/FcYp0bpInZaT7dc3BYOprrIUE=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
@@ -1291,8 +1293,8 @@ golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY=
-golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0=
+golang.org/x/oauth2 v0.14.0 h1:P0Vrf/2538nmC0H+pEQ3MNFRRnVR7RlqyVw+bvm26z0=
+golang.org/x/oauth2 v0.14.0/go.mod h1:lAtNWgaWfL4cm7j2OV8TxGi9Qb7ECORx8DktCY74OwM=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

diff --git a/providers-sdk/v1/upstream/gql/client.go b/providers-sdk/v1/upstream/gql/client.go
@@ -0,0 +1,35 @@
+package gql
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"go.mondoo.com/cnquery/v9/providers-sdk/v1/upstream"
+	mondoogql "go.mondoo.com/mondoo-go"
+	"go.mondoo.com/mondoo-go/option"
+)
+
+type MondooClient struct {
+	*mondoogql.Client
+}
+
+// NewClient creates a new GraphQL client for the Mondoo API
+// provide the http client used for rpc, to also pass in the proxy settings
+func NewClient(upstream upstream.UpstreamConfig, httpClient *http.Client) (*MondooClient, error) {
+	gqlEndpoint := upstream.ApiEndpoint + "/query"
+	creds, err := json.Marshal(upstream.Creds)
+	if err != nil {
+		return nil, err
+	}
+	// Initialize the client
+	mondooClient, err := mondoogql.NewClient(
+		option.WithEndpoint(gqlEndpoint),
+		option.WithHTTPClient(httpClient),
+		option.WithServiceAccount(creds),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MondooClient{mondooClient}, nil
+}
diff --git a/providers-sdk/v1/upstream/gql/vulnmgmt_gql.go b/providers-sdk/v1/upstream/gql/vulnmgmt_gql.go
@@ -0,0 +1,211 @@
+// FIXME: ??? should this file move to the resources inside the provider ???
+package gql
+
+import (
+	"context"
+
+	mondoogql "go.mondoo.com/mondoo-go"
+)
+
+// FIXME: move these to the provider
+
+// LastAssessment fetches the las update time of the packages query
+// This is also the lst time the vuln report was updated
+func (c *MondooClient) LastAssessment(mrn string) (string, error) {
+	var m struct {
+		AssetLastPackageUpdateTime struct {
+			LastUpdated string
+		} `graphql:"assetLastPackageUpdateTime(input: $input)"`
+	}
+	err := c.Query(context.Background(), &m, map[string]interface{}{"input": mondoogql.AssetLastPackageUpdateTimeInput{Mrn: mondoogql.String(mrn)}})
+	if err != nil {
+		return "", err
+	}
+	return m.AssetLastPackageUpdateTime.LastUpdated, nil
+}
+
+type VulnReport struct {
+	AssetMrn   string
+	Advisories []*Advisory
+	Cves       []*Cve
+	Packages   []*Package
+}
+
+type Cve struct {
+	Id     string
+	Source struct {
+		Id   string
+		Name string
+		Url  string
+	}
+	Title       string
+	Description string
+	Summary     string
+	PublishedAt string
+	ModifiedAt  string
+	Url         string
+	CvssScore   struct {
+		Id     string
+		Value  int
+		Type   int
+		Vector string
+		Source string
+	}
+	CvssScores []struct {
+		Id     string
+		Value  int
+		Type   int
+		Vector string
+		Source string
+	}
+	Cwe   string
+	State string
+}
+
+type Advisory struct {
+	Id     string
+	Source struct {
+		Id   string
+		Name string
+		Url  string
+	}
+	Title       string
+	Description string
+
+	Cves []struct {
+		Cve
+	}
+	CvssScore struct {
+		Id     string
+		Value  int
+		Type   int
+		Vector string
+		Source string
+	}
+	Vendorscore int
+	PublishedAt string
+	ModifiedAt  string
+}
+
+type Package struct {
+	Id      string
+	Name    string
+	Version string
+	Arch    string
+	Format  string
+
+	Namespace   string
+	Description string
+	Status      string
+	Available   string
+	Origin      string
+
+	Score struct {
+		Id     string
+		Value  int
+		Type   int
+		Vector string
+		Source string
+	}
+
+	Advisories []struct {
+		Advisory
+	}
+	Cves []struct {
+		Cve
+	}
+}
+
+// GetVulnReport fetches the vuln report for a given asset
+func (c *MondooClient) GetVulnReport(mrn string) (*VulnReport, error) {
+	var m struct {
+		AssetVulnerabilityReportResponse struct {
+			AssetVulnerabilityCompactReport struct {
+				AssetMrn   string
+				Advisories []struct {
+					Advisory
+				}
+				Cves []struct {
+					Cve
+				}
+				Packages []struct {
+					Package
+				}
+			} `graphql:"... on AssetVulnerabilityCompactReport"`
+		} `graphql:"assetVulnerabilityCompactReport(input: $input)"`
+	}
+	err := c.Query(context.Background(), &m, map[string]interface{}{"input": mondoogql.AssetVulnerabilityReportInput{AssetMrn: mondoogql.String(mrn)}})
+	if err != nil {
+		return nil, err
+	}
+
+	gqlVulnReport := &VulnReport{
+		AssetMrn:   m.AssetVulnerabilityReportResponse.AssetVulnerabilityCompactReport.AssetMrn,
+		Advisories: make([]*Advisory, len(m.AssetVulnerabilityReportResponse.AssetVulnerabilityCompactReport.Advisories)),
+		Cves:       make([]*Cve, len(m.AssetVulnerabilityReportResponse.AssetVulnerabilityCompactReport.Cves)),
+		Packages:   make([]*Package, len(m.AssetVulnerabilityReportResponse.AssetVulnerabilityCompactReport.Packages)),
+	}
+
+	for i, a := range m.AssetVulnerabilityReportResponse.AssetVulnerabilityCompactReport.Advisories {
+		gqlVulnReport.Advisories[i] = &a.Advisory
+	}
+
+	for i, c := range m.AssetVulnerabilityReportResponse.AssetVulnerabilityCompactReport.Cves {
+		gqlVulnReport.Cves[i] = &c.Cve
+	}
+
+	for i, p := range m.AssetVulnerabilityReportResponse.AssetVulnerabilityCompactReport.Packages {
+		gqlVulnReport.Packages[i] = &p.Package
+	}
+
+	return gqlVulnReport, nil
+}
+
+// GetIncognitoVulnReport fetches the vuln report for an anonymous asset
+// This is a special case were we don't have an MRN, like in cnspec shell
+func (c *MondooClient) GetIncognitoVulnReport(platform mondoogql.PlatformInput, pkgs []mondoogql.PackageInput) (*VulnReport, error) {
+	var m struct {
+		AssetVulnerabilityReportResponse struct {
+			AssetIncognitoVulnerabilityReport struct {
+				Advisories []struct {
+					Advisory
+				}
+				Cves []struct {
+					Cve
+				}
+				Packages []struct {
+					Package
+				}
+			} `graphql:"... on AssetIncognitoVulnerabilityReport"`
+		} `graphql:"analyseIncognitoAssetVulnerabilities(input: $input)"`
+	}
+	gqlInput := mondoogql.AnalyseIncognitoAssetInput{
+		Platform: platform,
+		Packages: pkgs,
+	}
+
+	err := c.Query(context.Background(), &m, map[string]interface{}{"input": gqlInput})
+	if err != nil {
+		return nil, err
+	}
+
+	gqlVulnReport := &VulnReport{
+		Advisories: make([]*Advisory, len(m.AssetVulnerabilityReportResponse.AssetIncognitoVulnerabilityReport.Advisories)),
+		Cves:       make([]*Cve, len(m.AssetVulnerabilityReportResponse.AssetIncognitoVulnerabilityReport.Cves)),
+		Packages:   make([]*Package, len(m.AssetVulnerabilityReportResponse.AssetIncognitoVulnerabilityReport.Packages)),
+	}
+
+	for i, a := range m.AssetVulnerabilityReportResponse.AssetIncognitoVulnerabilityReport.Advisories {
+		gqlVulnReport.Advisories[i] = &a.Advisory
+	}
+
+	for i, c := range m.AssetVulnerabilityReportResponse.AssetIncognitoVulnerabilityReport.Cves {
+		gqlVulnReport.Cves[i] = &c.Cve
+	}
+
+	for i, p := range m.AssetVulnerabilityReportResponse.AssetIncognitoVulnerabilityReport.Packages {
+		gqlVulnReport.Packages[i] = &p.Package
+	}
+
+	return gqlVulnReport, nil
+}
diff --git a/providers/atlassian/config/config.go b/providers/atlassian/config/config.go
@@ -10,7 +10,7 @@ import (
 
 var Config = plugin.Provider{
 	Name:    "atlassian",
-	ID:      "go.mondoo.com/cnquery/providers/atlassian",
+	ID:      "go.mondoo.com/cnquery/v9/providers/atlassian",
 	Version: "9.1.4",
 	ConnectionTypes: []string{
 		provider.DefaultConnectionType,

diff --git a/providers/atlassian/go.mod b/providers/atlassian/go.mod
@@ -49,7 +49,7 @@ require (
 	github.com/dvsekhvalnov/jose2go v1.5.0 // indirect
 	github.com/fatih/color v1.16.0 // indirect
 	github.com/getsentry/sentry-go v0.25.0 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.1 // indirect
 	github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
 	github.com/gofrs/uuid v4.4.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
@@ -108,7 +108,7 @@ require (
 	go.opencensus.io v0.24.0 // indirect
 	golang.org/x/crypto v0.15.0 // indirect
 	golang.org/x/net v0.18.0 // indirect
-	golang.org/x/oauth2 v0.13.0 // indirect
+	golang.org/x/oauth2 v0.14.0 // indirect
 	golang.org/x/sync v0.5.0 // indirect
 	golang.org/x/sys v0.14.0 // indirect
 	golang.org/x/term v0.14.0 // indirect

diff --git a/providers/atlassian/go.sum b/providers/atlassian/go.sum
@@ -142,6 +142,8 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo=
 github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
+github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA=
+github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
 github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
 github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
@@ -505,6 +507,8 @@ golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY=
 golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0=
+golang.org/x/oauth2 v0.14.0 h1:P0Vrf/2538nmC0H+pEQ3MNFRRnVR7RlqyVw+bvm26z0=
+golang.org/x/oauth2 v0.14.0/go.mod h1:lAtNWgaWfL4cm7j2OV8TxGi9Qb7ECORx8DktCY74OwM=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

diff --git a/providers/core/resources/core.lr b/providers/core/resources/core.lr
@@ -58,6 +58,9 @@ asset.eol @defaults("date") {
   date time
 }
 
+// Vulnerability Information
+vulnmgmt {}
+
 // Date and time functions
 time {
   // The current time on the local system