cve-notification-app

module v0.0.0-...-a838a9a
Published: Jul 28, 2024 License: Apache-2.0

README

Buildpacks CVEs Notification App

Introduction

The Buildpacks CVEs Notification App v2 is a modernized application that monitors new CVEs (Common Vulnerabilities and Exposures) announced for the dependencies it tracks. It provides timely notifications and allows for easy management and integration with various tools and platforms.

Key Features

  • Monitors new CVEs for specified dependencies.
  • Notifies teams via Slack and other channels.
  • Stores CVE data in MongoDB for historical tracking and analysis.
  • Provides a CLI for integration with CI pipelines.
  • Exposes a REST API for interaction with other systems.
  • Includes a web-based UI for administrative tasks.

Technologies Used

  • Golang: Core application logic.
  • React + Vite: Web UI development.
  • GitHub Actions: Continuous Integration (CI) pipeline.
  • Memongo: In-memory MongoDB for testing.
  • Afero: Filesystem framework.
  • NIST NVD API: To retrieve CVE information.

Core Functionalities

Database Management
  • Fill DB: Populates MongoDB with CVE data, including ID, Vendor, Product, Severity, and Description.
  • Find New CVEs: Uses a scheduled Cron job (every 2 hours) to find and notify about new CVEs not present in the database.
Dependency Tracking
  • Update Tracked Dependencies: Manages dependencies through a dependencies.csv file. Updates are processed to add or remove CVEs from the database.
Notifications
  • Slack Notifications: Sends notifications to a specified Slack channel using a webhook.
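The Find New CVEs and Update Tracked Dependencies steps above, as an added Go example that is not the project's own code: it assumes a two-column vendor,product layout for dependencies.csv (the README does not document the file format) and uses constructed data in place of the NVD response and the MongoDB contents.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"sort"
	"strings"
)

// Dependency is a dependencies.csv row; the vendor,product layout is an assumption (the README does not document the columns).
type Dependency struct{ Vendor, Product string }
type CVE struct{ ID, Vendor, Product, Severity, Description string } // fields the README says are stored in MongoDB

// ParseDependencies reads vendor,product rows, skipping the header and malformed rows.
func ParseDependencies(csvText string) ([]Dependency, error) {
	rows, err := csv.NewReader(strings.NewReader(csvText)).ReadAll()
	if err != nil {
		return nil, err
	}
	var deps []Dependency
	for i, row := range rows {
		if i > 0 && len(row) >= 2 {
			deps = append(deps, Dependency{strings.TrimSpace(row[0]), strings.TrimSpace(row[1])})
		}
	}
	return deps, nil
}

// FindNewCVEs returns, sorted, the IDs of fetched CVEs that hit a tracked
// dependency and are not already known (the "not present in the database" check).
func FindNewCVEs(fetched []CVE, deps []Dependency, known map[string]bool) []string {
	tracked := map[string]bool{}
	for _, d := range deps {
		tracked[strings.ToLower(d.Vendor+"/"+d.Product)] = true
	}
	fresh := []string{}
	for _, c := range fetched {
		if tracked[strings.ToLower(c.Vendor+"/"+c.Product)] && !known[c.ID] {
			fresh = append(fresh, c.ID)
		}
	}
	sort.Strings(fresh)
	return fresh
}

func main() { // constructed data stands in for the CSV, the NVD response and MongoDB
	deps, _ := ParseDependencies("vendor,product\nGolang,go\n")
	fetched := []CVE{{ID: "CVE-0000-0001", Vendor: "golang", Product: "go"}, {ID: "CVE-0000-0002", Vendor: "golang", Product: "go"}, {ID: "CVE-0000-0003", Vendor: "other", Product: "lib"}}
	fmt.Println(FindNewCVEs(fetched, deps, map[string]bool{"CVE-0000-0001": true})) // [CVE-0000-0002]
}
```

Vendor and product are compared case-insensitively, so a CSV entry such as "Golang,go" still matches an NVD record reported as "golang/go".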

New Structure and Functionalities

Components
  • actions: Directory for action scripts.
  • api: REST API for interacting with other applications.
  • cli: Command Line Interface for integration with CI pipelines.
  • common: Common utility functions and helpers.
  • core: Central logic for CVE handling and database operations.
  • services: Services for interacting with external systems.
  • utils: Additional utility functions.
  • web: Web-based interface for administrative tasks.
New Features
  • REST API:

    • Public view for monitored dependencies.
    • Protected view for creating and managing CVE notification integrations.
    • Endpoints secured with advanced authentication and authorization.
  • Web UI:

    • User-friendly interface for managing dependencies and viewing CVE data.

Setup

This application requires the following environment variables to be configured:

  • DB_URI: The MongoDB database connection URI.
  • SLACK_WEBHOOK_URL: Slack App webhook URL for sending notifications.

Running the Application

Using the CLI
  1. Clone the repository:
     git clone <repository-url>
     cd <repository-name>/cve-notification-app/cli
  2. Build the application:
     go build -o app
     ./app
  3. Run the CLI commands:
     ./app <command>

Available commands:

  • fill-db: Populates the MongoDB database with CVE data.
  • find-new-cves: Finds and notifies about new CVEs not present in the database.
  • update-tracked-dependencies: Manages dependencies through a dependencies.csv file.
  • configure: Configures the application with MongoDB and Slack webhook URLs.
  • help: Displays help information.
Using the API
  1. Start the API server:
     cd <repository-name>/cve-notification-app/api/cmd
     go run main.go
  2. Access the API endpoints:

You can access the API documentation at the following URL:

Postman Document

Using the Web UI

This application requires the following environment variables to be configured:

  • VITE_API_URL: The base URL of the API server (this can be the application's own API server described above).
  1. Start the UI server:
     cd <repository-name>/cve-notification-app/web
     npm install
     npm run dev
  2. Access the Web UI:

You can access the Web UI at the following URL:

http://localhost:5173

Conclusion

The Buildpacks CVEs Notification App is a powerful tool for monitoring and managing CVEs for dependencies. It provides a comprehensive solution for tracking vulnerabilities, sending notifications, and integrating with other systems. With its modern architecture and advanced features, it is a valuable asset for any development team.

Directories

Path Synopsis
actions
api
cmd
cli
servicesfakes
Code generated by counterfeiter.
