Merge pull request #1078 from lunasec-io/environmental-cvss-backend

Environmental cvss backend

.github/workflows/lunatrace-deploy-prod.yaml

@@ -2,6 +2,14 @@ name: LunaTrace Deploy Production
 
 on:
   workflow_dispatch:
+    inputs:
+      migrate:
+        type: choice
+        description: Run migrations as part of the job? (keep an eye on it if you do)
+        options:
+          - no
+          - yes
+        default: no
 
 concurrency: production
 
@@ -31,6 +39,10 @@ jobs:
         env:
           IS_LUNASEC_CI: true
         run: yarn install --immutable --inline-builds
+      - name: migrate
+        if: inputs.migrate == 'yes'
+        working-directory: lunatrace/bsl/hasura
+        run: HASURA_GRAPHQL_ENDPOINT=https://lunatrace.lunasec.io/api/hasura HASURA_GRAPHQL_ADMIN_SECRET="$(aws secretsmanager get-secret-value --secret-id lunatrace-HasuraAdminSecret | jq -r .SecretString)" hasura migrate apply
       - name: deploy
         run: |-
           set -euox pipefail

lunatrace/bsl/backend/package.json

@@ -67,6 +67,7 @@
     "concurrently": "^7.0.0",
     "config": "^3.3.6",
     "cors": "^2.8.5",
+    "cvss": "~1.0.5",
     "deepmerge": "^4.2.2",
     "dotenv": "^10.0.0",
     "eventsource": "^2.0.0",
@@ -82,6 +83,7 @@
     "jwks-rsa": "^2.0.5",
     "jwt-decode": "^3.1.2",
     "markdown-table": "2.0.0",
+    "minimatch": "~5.1.2",
     "murmurhash-native": "^3.5.0",
     "node-fetch": "2",
     "nodemon": "^2.0.15",
@@ -99,6 +101,7 @@
     "tslog": "^3.3.3",
     "uuid": "^8.3.2",
     "validator": "^13.7.0",
+    "vuln-vects": "~1.1.0",
     "zod": "~3.20.2"
   },
   "devDependencies": {
@@ -113,6 +116,7 @@
     "@types/axios": "^0.14.0",
     "@types/config": "^0.0.41",
     "@types/cors": "^2.8.12",
+    "@types/cvss": "~1.0.0",
     "@types/deepmerge": "^2.2.0",
     "@types/eventsource": "^1.1.8",
     "@types/express": "^4.17.13",
@@ -122,6 +126,7 @@
     "@types/jsonwebtoken": "~8.5.8",
     "@types/jwk-to-pem": "~2.0.1",
     "@types/markdown-table": "2.0.0",
+    "@types/minimatch": "~5.1.2",
     "@types/node": "^14.0.0",
     "@types/semver": "^7.3.9",
     "@types/tar": "~6.1.3",

lunatrace/bsl/backend/src/config/load-environment-vars.ts

@@ -52,15 +52,15 @@ function checkEnvVar<E extends EnvVar<z.Schema>>(varConf: E): z.infer<E['castTo'
 
 type VarName = keyof typeof commonEnvVarKeys;
 type EnvVars = {
-  [name in VarName]: z.infer<typeof commonEnvVarKeys[name]['castTo']>;
+  [name in VarName]: z.infer<(typeof commonEnvVarKeys)[name]['castTo']>;
 };
 
 // Build the env vars and store them in the require cache as an export of this file
 const partialEnvironmentVars: Partial<EnvVars> = {};
 
 Object.keys(commonEnvVarKeys).forEach((keyName) => {
   const varName = keyName as VarName;
-  const varConf: EnvVar<typeof commonEnvVarKeys[typeof varName]['castTo']> = commonEnvVarKeys[varName];
+  const varConf: EnvVar<(typeof commonEnvVarKeys)[typeof varName]['castTo']> = commonEnvVarKeys[varName];
   // I can't figure out why this ignore is needed, but so be it
   // eslint-disable-next-line @typescript-eslint/ban-ts-comment
   // @ts-ignore

lunatrace/bsl/backend/src/graphql-yoga/resolvers/vulnerable-releases-from-build.ts

@@ -14,7 +14,7 @@
 import { GraphQLYogaError } from '@graphql-yoga/node';
 import { SeverityNamesOsv, severityOrderOsv } from '@lunatrace/lunatrace-common';
 
-import { vulnerabilityTreeFromHasura } from '../../models/vulnerability-dependency-tree/vulnerability-tree-from-hasura';
+import { loadTree } from '../../models/vulnerability-dependency-tree/load-tree';
 import { log } from '../../utils/log';
 import { QueryResolvers } from '../generated-resolver-types';
 import { checkBuildsAreAuthorized, throwIfUnauthenticated } from '../helpers/auth-helpers';
@@ -38,9 +38,7 @@ export const vulnerableReleasesFromBuildResolver: BuildVulnerabilitiesResolver =
     );
   }
 
-  const previewChains = args.previewChains !== null ? args.previewChains : false;
-
-  const depTree = await vulnerabilityTreeFromHasura(logger, buildId, minimumSeverity);
+  const depTree = await loadTree(logger, buildId, minimumSeverity);
   if (depTree.error) {
     logger.error('unable to build dependency tree', {
       error: depTree.msg,
@@ -50,7 +48,7 @@ export const vulnerableReleasesFromBuildResolver: BuildVulnerabilitiesResolver =
 
   logger.info('building vulnerable releases');
 
-  const vulnerableReleases = depTree.res.getVulnerableReleases(previewChains);
+  const vulnerableReleases = depTree.res.getVulnerableReleases();
 
   logger.info('finished processing tree');
   return vulnerableReleases;

lunatrace/bsl/backend/src/graphql-yoga/schema.graphql

@@ -15,7 +15,7 @@ type Query {
     ): AuthenticatedRepoCloneUrlOutput
     fakeQueryToHackHasuraBeingABuggyMess: String
     availableOrgsWithRepos: [OrgWithRepos!]
-    vulnerableReleasesFromBuild(buildId: uuid!, minimumSeverity: String, previewChains: Boolean): [BuildData_VulnerableRelease!]
+    vulnerableReleasesFromBuild(buildId: uuid!, minimumSeverity: String): [BuildData_VulnerableRelease!]
 }
 
 type Mutation {
@@ -95,11 +95,19 @@ type BuildData_VulnerableRelease {
     guides: [BuildData_Guide!]!
     fix_versions: [String!]!
     paths: [String!]!
+    adjustment: BuildData_Adjustment #optional
 }
 
+type BuildData_Adjustment {
+    adjusted_from_cvss_score: Float
+    adjusted_from_severity_name: String
+    path_matched: String!
+    adjustments_applied: [String!]!
+}
+
+
 type BuildData_IgnoredVulnerability {
     note: String!
-    locations: [String!]!
 }
 
 type BuildData_AffectedByVulnerability {
@@ -111,6 +119,7 @@ type BuildData_AffectedByVulnerability {
     trivially_updatable_to: String
     fix_versions: [String!]!
     path: String!
+    adjustment: BuildData_Adjustment #optional
 }
 
 type BuildData_Location {