mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 17:05:18 +00:00
181 lines
5.5 KiB
Go
181 lines
5.5 KiB
Go
package service
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/fleetdm/fleet/v4/server/authz"
|
|
"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
|
|
"github.com/fleetdm/fleet/v4/server/fleet"
|
|
)
|
|
|
|
var freeValidVulnSortColumns = []string{
|
|
"cve",
|
|
"hosts_count",
|
|
"host_count_updated_at",
|
|
"created_at",
|
|
}
|
|
|
|
type listVulnerabilitiesRequest struct {
|
|
fleet.VulnListOptions
|
|
}
|
|
|
|
type listVulnerabilitiesResponse struct {
|
|
Vulnerabilities []fleet.VulnerabilityWithMetadata `json:"vulnerabilities"`
|
|
Count uint `json:"count"`
|
|
Meta *fleet.PaginationMetadata `json:"meta,omitempty"`
|
|
Err error `json:"error,omitempty"`
|
|
}
|
|
|
|
func (r listVulnerabilitiesResponse) error() error { return r.Err }
|
|
|
|
func listVulnerabilitiesEndpoint(ctx context.Context, req interface{}, svc fleet.Service) (errorer, error) {
|
|
request := req.(*listVulnerabilitiesRequest)
|
|
vulns, meta, err := svc.ListVulnerabilities(ctx, request.VulnListOptions)
|
|
if err != nil {
|
|
return listVulnerabilitiesResponse{Err: err}, nil
|
|
}
|
|
|
|
count, err := svc.CountVulnerabilities(ctx, request.VulnListOptions)
|
|
if err != nil {
|
|
return listVulnerabilitiesResponse{Err: err}, nil
|
|
}
|
|
|
|
return listVulnerabilitiesResponse{
|
|
Vulnerabilities: vulns,
|
|
Meta: meta,
|
|
Count: count,
|
|
}, nil
|
|
}
|
|
|
|
func (svc *Service) ListVulnerabilities(ctx context.Context, opt fleet.VulnListOptions) ([]fleet.VulnerabilityWithMetadata, *fleet.PaginationMetadata, error) {
|
|
if err := svc.authz.Authorize(ctx, &fleet.AuthzSoftwareInventory{
|
|
TeamID: &opt.TeamID,
|
|
}, fleet.ActionRead); err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
if len(opt.ValidSortColumns) == 0 {
|
|
opt.ValidSortColumns = freeValidVulnSortColumns
|
|
}
|
|
|
|
if !opt.HasValidSortColumn() {
|
|
return nil, nil, badRequest("invalid order key")
|
|
}
|
|
|
|
if opt.KnownExploit && !opt.IsEE {
|
|
return nil, nil, fleet.ErrMissingLicense
|
|
}
|
|
|
|
vulns, meta, err := svc.ds.ListVulnerabilities(ctx, opt)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
for i, vuln := range vulns {
|
|
if vuln.Source == fleet.MSRCSource {
|
|
vulns[i].DetailsLink = fmt.Sprintf("https://msrc.microsoft.com/update-guide/en-US/vulnerability/%s", vuln.CVE.CVE)
|
|
} else {
|
|
vulns[i].DetailsLink = fmt.Sprintf("https://nvd.nist.gov/vuln/detail/%s", vuln.CVE.CVE)
|
|
}
|
|
}
|
|
|
|
return vulns, meta, nil
|
|
}
|
|
|
|
func (svc *Service) CountVulnerabilities(ctx context.Context, opts fleet.VulnListOptions) (uint, error) {
|
|
if err := svc.authz.Authorize(ctx, &fleet.AuthzSoftwareInventory{
|
|
TeamID: &opts.TeamID,
|
|
}, fleet.ActionRead); err != nil {
|
|
return 0, err
|
|
}
|
|
|
|
return svc.ds.CountVulnerabilities(ctx, opts)
|
|
}
|
|
|
|
type getVulnerabilityRequest struct {
|
|
CVE string `url:"cve"`
|
|
TeamID *uint `query:"team_id,optional"`
|
|
}
|
|
|
|
type getVulnerabilityResponse struct {
|
|
Vulnerability *fleet.VulnerabilityWithMetadata `json:"vulnerability"`
|
|
OSVersions []*fleet.VulnerableOS `json:"os_versions"`
|
|
Software []*fleet.VulnerableSoftware `json:"software"`
|
|
Err error `json:"error,omitempty"`
|
|
}
|
|
|
|
func (r getVulnerabilityResponse) error() error { return r.Err }
|
|
|
|
func getVulnerabilityEndpoint(ctx context.Context, req interface{}, svc fleet.Service) (errorer, error) {
|
|
request := req.(*getVulnerabilityRequest)
|
|
|
|
vuln, err := svc.Vulnerability(ctx, request.CVE, request.TeamID, false)
|
|
if err != nil {
|
|
return getVulnerabilityResponse{Err: err}, nil
|
|
}
|
|
|
|
if vuln.Source == fleet.MSRCSource {
|
|
vuln.DetailsLink = fmt.Sprintf("https://msrc.microsoft.com/update-guide/en-US/vulnerability/%s", vuln.CVE.CVE)
|
|
} else {
|
|
vuln.DetailsLink = fmt.Sprintf("https://nvd.nist.gov/vuln/detail/%s", vuln.CVE.CVE)
|
|
}
|
|
|
|
osVersions, _, err := svc.ListOSVersionsByCVE(ctx, vuln.CVE.CVE, request.TeamID)
|
|
if err != nil {
|
|
return getVulnerabilityResponse{Err: err}, nil
|
|
}
|
|
|
|
software, _, err := svc.ListSoftwareByCVE(ctx, vuln.CVE.CVE, request.TeamID)
|
|
if err != nil {
|
|
return getVulnerabilityResponse{Err: err}, nil
|
|
}
|
|
|
|
return getVulnerabilityResponse{
|
|
Vulnerability: vuln,
|
|
OSVersions: osVersions,
|
|
Software: software,
|
|
}, nil
|
|
}
|
|
|
|
func (svc *Service) Vulnerability(ctx context.Context, cve string, teamID *uint, useCVSScores bool) (*fleet.VulnerabilityWithMetadata, error) {
|
|
if err := svc.authz.Authorize(ctx, &fleet.AuthzSoftwareInventory{TeamID: teamID}, fleet.ActionRead); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if err := svc.authz.Authorize(ctx, &fleet.Host{TeamID: teamID}, fleet.ActionRead); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if teamID != nil {
|
|
exists, err := svc.ds.TeamExists(ctx, *teamID)
|
|
if err != nil {
|
|
return nil, ctxerr.Wrap(ctx, err, "checking if team exists")
|
|
} else if !exists {
|
|
return nil, authz.ForbiddenWithInternal("team does not exist", nil, nil, nil)
|
|
}
|
|
}
|
|
|
|
vuln, err := svc.ds.Vulnerability(ctx, cve, teamID, useCVSScores)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return vuln, nil
|
|
}
|
|
|
|
func (svc *Service) ListOSVersionsByCVE(ctx context.Context, cve string, teamID *uint) (result []*fleet.VulnerableOS, updatedAt time.Time, err error) {
|
|
if err := svc.authz.Authorize(ctx, &fleet.Host{TeamID: teamID}, fleet.ActionRead); err != nil {
|
|
return nil, updatedAt, err
|
|
}
|
|
return svc.ds.OSVersionsByCVE(ctx, cve, teamID)
|
|
}
|
|
|
|
func (svc *Service) ListSoftwareByCVE(ctx context.Context, cve string, teamID *uint) (result []*fleet.VulnerableSoftware, updatedAt time.Time, err error) {
|
|
if err := svc.authz.Authorize(ctx, &fleet.AuthzSoftwareInventory{TeamID: teamID}, fleet.ActionRead); err != nil {
|
|
return nil, updatedAt, err
|
|
}
|
|
return svc.ds.SoftwareByCVE(ctx, cve, teamID)
|
|
}
|