Fetch epss scores (#1087)

**STOP**: Is this a **security vulnerability**? If so, follow
Responsible Disclosure and email us at [email protected]
instead of opening a public PR.

Co-authored-by: Free Wortley <[email protected]>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Author: 3 people

.gitignore

@@ -12,6 +12,7 @@ node_modules
 docker-compose.*.yaml
 .env.docker
 outputs/
+out/
 .log*
 
 .yarn/*

lunatrace/bsl/hasura/metadata/databases/lunatrace/tables/tables.yaml

@@ -45,6 +45,7 @@
 - "!include vulnerability_affected.yaml"
 - "!include vulnerability_affected_range_event.yaml"
 - "!include vulnerability_affected_version.yaml"
+- "!include vulnerability_cisa_known_exploited.yaml"
 - "!include vulnerability_credit.yaml"
 - "!include vulnerability_cwe.yaml"
 - "!include vulnerability_equivalent.yaml"

lunatrace/bsl/hasura/metadata/databases/lunatrace/tables/vulnerability_cisa_known_exploited.yaml

@@ -0,0 +1,11 @@
+table:
+  name: cisa_known_exploited
+  schema: vulnerability
+computed_fields:
+  - name: vulnerability
+    definition:
+      function:
+        name: cisa_known_exploited_vulnerability
+        schema: vulnerability
+      table_argument: known_exploited
+    comment: Vulnerability referenced by the known exploited vulnerability.

lunatrace/bsl/hasura/metadata/databases/lunatrace/tables/vulnerability_vulnerability.yaml

@@ -70,6 +70,13 @@ array_relationships:
         table:
           name: severity
           schema: vulnerability
+computed_fields:
+  - name: cisa_known_exploited
+    definition:
+      function:
+        name: vulnerability_cisa_known_exploited
+        schema: vulnerability
+      table_argument: vulnerability
 insert_permissions:
   - role: service
     permission:

lunatrace/bsl/hasura/metadata/remote_schemas.yaml

@@ -16,60 +16,60 @@
           scalar JSON
           scalar UUID
           type AuthenticatedRepoCloneUrlOutput {
-          	url: String
+            url: String
           }
           type Mutation {
-          	presignManifestUpload(project_id: UUID!): PresignedUrlResponse
+            presignManifestUpload(project_id: UUID!): PresignedUrlResponse
           }
           type PresignedUrlResponse {
-          	bucket: String!
-          	headers: JSON!
-          	key: String!
-          	url: String!
+            bucket: String!
+            headers: JSON!
+            key: String!
+            url: String!
           }
           type Query {
-          	authenticatedRepoCloneUrl(repoGithubId: Int!): AuthenticatedRepoCloneUrlOutput
-          	fakeQueryToHackHasuraBeingABuggyMess: String
-          	sbomUrl(buildId: UUID!): String
+            authenticatedRepoCloneUrl(repoGithubId: Int!): AuthenticatedRepoCloneUrlOutput
+            fakeQueryToHackHasuraBeingABuggyMess: String
+            sbomUrl(buildId: UUID!): String
           }
           type SbomUploadUrlOutput {
-          	error: Boolean!
-          	uploadUrl: UploadUrl
+            error: Boolean!
+            uploadUrl: UploadUrl
           }
           type UploadUrl {
-          	headers: JSON!
-          	url: String!
+            headers: JSON!
+            url: String!
           }
     - role: service
       definition:
         schema: |
           scalar JSON
           scalar UUID
           type AuthenticatedRepoCloneUrlOutput {
-          	url: String
+            url: String
           }
           type Mutation {
-          	presignManifestUpload(project_id: UUID!): PresignedUrlResponse
+            presignManifestUpload(project_id: UUID!): PresignedUrlResponse
           }
           type PresignedUrlResponse {
-          	bucket: String!
-          	headers: JSON!
-          	key: String!
-          	url: String!
+            bucket: String!
+            headers: JSON!
+            key: String!
+            url: String!
           }
           type Query {
-          	authenticatedRepoCloneUrl(repoGithubId: Int!): AuthenticatedRepoCloneUrlOutput
-          	fakeQueryToHackHasuraBeingABuggyMess: String
-          	presignSbomUpload(orgId: UUID!, buildId: UUID!): SbomUploadUrlOutput
-          	sbomUrl(buildId: UUID!): String
+            authenticatedRepoCloneUrl(repoGithubId: Int!): AuthenticatedRepoCloneUrlOutput
+            fakeQueryToHackHasuraBeingABuggyMess: String
+            presignSbomUpload(orgId: UUID!, buildId: UUID!): SbomUploadUrlOutput
+            sbomUrl(buildId: UUID!): String
           }
           type SbomUploadUrlOutput {
-          	error: Boolean!
-          	uploadUrl: UploadUrl
+            error: Boolean!
+            uploadUrl: UploadUrl
           }
           type UploadUrl {
-          	headers: JSON!
-          	url: String!
+            headers: JSON!
+            url: String!
           }
           input SbomUploadUrlInput {
             orgId: UUID!
@@ -81,13 +81,13 @@
           scalar JSON
           scalar UUID
           type Query {
-          	presignSbomUpload(orgId: UUID!, buildId: UUID!): SbomUploadUrlOutput
+            presignSbomUpload(orgId: UUID!, buildId: UUID!): SbomUploadUrlOutput
           }
           type SbomUploadUrlOutput {
-          	error: Boolean!
-          	uploadUrl: UploadUrl
+            error: Boolean!
+            uploadUrl: UploadUrl
           }
           type UploadUrl {
-          	headers: JSON!
-          	url: String!
+            headers: JSON!
+            url: String!
           }

lunatrace/bsl/hasura/migrations/lunatrace/1672788403469_add_cisa_known_exploited_vulnerabilities/down.sql

@@ -0,0 +1,5 @@
+
+DROP TABLE IF EXISTS vulnerability.cisa_known_exploited CASCADE;
+DROP INDEX IF EXISTS vulnerability_equivalent_b_idx;
+DROP FUNCTION vulnerability.cisa_known_exploited_vulnerability;
+DROP FUNCTION vulnerability.vulnerability_cisa_known_exploited;

lunatrace/bsl/hasura/migrations/lunatrace/1672788403469_add_cisa_known_exploited_vulnerabilities/up.sql

@@ -0,0 +1,37 @@
+-- Indexes to speed up EPSS inserter
+CREATE INDEX IF NOT EXISTS vulnerability_equivalent_b_idx ON vulnerability.equivalent (b);
+
+CREATE INDEX IF NOT EXISTS vulnerability_vulnerability_source_id_idx ON vulnerability.vulnerability (source_id);
+
+-- Table to hold the CISA Known Exploited vulnerabilities
+CREATE TABLE IF NOT EXISTS vulnerability.cisa_known_exploited (
+    "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+    cve TEXT UNIQUE,
+    vendor_project text NOT NULL,
+    product text NOT NULL,
+    vulnerability_name text NOT NULL,
+    date_added date NOT NULL,
+    short_description text NOT NULL,
+    required_action text NOT NULL,
+    due_date date NOT NULL,
+    notes text NOT NULL,
+    PRIMARY KEY ("id"),
+    CHECK (cve LIKE 'CVE-%')
+);
+
+CREATE OR REPLACE FUNCTION vulnerability.cisa_known_exploited_vulnerability(known_exploited vulnerability.cisa_known_exploited)
+    RETURNS SETOF vulnerability.vulnerability AS $$
+    SELECT *
+    FROM vulnerability.vulnerability
+    WHERE source_id = known_exploited.cve
+$$ LANGUAGE sql STABLE;
+
+CREATE OR REPLACE FUNCTION vulnerability.vulnerability_cisa_known_exploited(vulnerability vulnerability.vulnerability)
+ RETURNS SETOF vulnerability.cisa_known_exploited
+ LANGUAGE sql
+ STABLE
+AS $function$
+    SELECT *
+    FROM vulnerability.cisa_known_exploited
+    WHERE cve = vulnerability.source_id
+$function$

lunatrace/bsl/ingest-worker/.gitignore

@@ -1,2 +1,3 @@
 bin/
 .lunatrace.yaml
+build/

lunatrace/bsl/ingest-worker/cmd/ingestworker/cisa/cisa.go

@@ -0,0 +1,51 @@
+// Copyright by LunaSec (owned by Refinery Labs, Inc)
+//
+// Licensed under the Business Source License v1.1
+// (the "License"); you may not use this file except in compliance with the
+// License. You may obtain a copy of the License at
+//
+// https://github.com/lunasec-io/lunasec/blob/master/licenses/BSL-LunaTrace.txt
+//
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package cisa
+
+import (
+	"github.com/ajvpot/clifx"
+	"github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/pkg/cisa"
+	"github.com/rs/zerolog/log"
+	"github.com/urfave/cli/v2"
+	"go.uber.org/fx"
+)
+
+type Params struct {
+	fx.In
+
+	Ingester cisa.CISAKnownVulnIngester
+}
+
+func NewCommand(p Params) clifx.CommandResult {
+	return clifx.CommandResult{
+		Command: &cli.Command{
+			Name: "cisa",
+			Subcommands: []*cli.Command{
+				{
+					Name:        "ingest",
+					Usage:       "[file or directory]",
+					Flags:       []cli.Flag{},
+					Subcommands: []*cli.Command{},
+					Action: func(ctx *cli.Context) error {
+						log.Info().
+							Msg("Updating CISA Known Vulnerabilities")
+						err := p.Ingester.Ingest(ctx.Context)
+						if err == nil {
+							log.Info().
+								Msg("Updated CISA Known Vulnerabilities")
+						}
+						return err
+					},
+				},
+			},
+		},
+	}
+}

lunatrace/bsl/ingest-worker/cmd/ingestworker/main.go

@@ -11,10 +11,12 @@
 package main
 
 import (
+	"github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/cmd/ingestworker/cisa"
 	"github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/cmd/ingestworker/cwe"
 	"github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/cmd/ingestworker/epss"
 	packageCommand "github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/cmd/ingestworker/package"
 	"github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/cmd/ingestworker/vulnerability"
+	cisa2 "github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/pkg/cisa"
 	"github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/pkg/config/ingestworker"
 	cwe2 "github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/pkg/cwe"
 	"github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/pkg/dbfx"
@@ -52,6 +54,7 @@ func main() {
 		fx.Provide(
 			cwe2.NewCWEIngester,
 			epss2.NewEPSSIngester,
+			cisa2.NewCISAKnownVulnIngester,
 		),
 
 		// todo make a module
@@ -78,6 +81,7 @@ func main() {
 			vulnerability.NewCommand,
 			cwe.NewCommand,
 			epss.NewCommand,
+			cisa.NewCommand,
 		),
 		fx.Provide(
 			packageCommand.NewCommand,