FAI-12709: Refactor Vanta Source to pull generic vulns + remediations #1759
Conversation
…emediation records.
…uery for cicd vulns
matiaslcoulougian
requested review from
cjwooo,
ypc-faros and
willmarks
as code owners
|
| @@ -1,5 +1,5 @@ | |||
| query cicdArtifactQueryByCommitSha($commitShas: [String], $limit: Int) { | |||
| cicd_Artifact(where: {uid: {_in: $commitShas}}, limit: $limit, distinct_on: uid) { | |||
There was a problem hiding this comment.
isn't this more efficient instead of querying one by one?
| query vcsRepositoryQuery($vcsRepoNames: [String], $limit: Int) { | ||
| vcs_Repository(where: {name: {_in: $vcsRepoNames}}, limit: $limit, distinct_on: name) { | ||
| query vcsRepositoryQuery($vcsRepoName: String!) { | ||
| vcs_Repository(where: {name: {_eq: $vcsRepoName}}, distinct_on: name) { |
| export abstract class VulnerabilityRemediations extends Converter { | ||
| source = 'vanta'; | ||
| readonly destinationModels: ReadonlyArray<DestinationModel> = []; | ||
| severityMap: {[key: string]: number} = { |
There was a problem hiding this comment.
can we document where these category values are coming from?
| import {getQueryFromName} from './utils'; | ||
|
|
||
| export abstract class VulnerabilityRemediations extends Converter { | ||
| source = 'vanta'; |
| "$schema": "http://json-schema.org/draft-04/schema#", | ||
| "type": "object", | ||
| "properties": { | ||
| "data": {} |
| @@ -65,47 +110,180 @@ export class Vanta { | |||
| }; | |||
| try { | |||
| const packed_response: AxiosResponse = await this.getAxiosResponse( | |||
| this.apiUrl, | |||
| this.apiUrl + '/graphql', | |||
There was a problem hiding this comment.
unless we are using this.apiUrl for other things, let's remove it as class property and add baseUrl when we create the axiosInstance
| cursor: string | null, | ||
| slaDeadlineAfterDate: Date | ||
| ): Promise<any> { | ||
| const url = `${this.apiUrl}v1/vulnerabilities`; |
There was a problem hiding this comment.
see comment above to attach this.apiUrl as baseUrl of instance
| } | ||
|
|
||
| return assetMap; | ||
| } | ||
|
|
||
| async getAxiosResponse( |
There was a problem hiding this comment.
Don't think we need this function if we use the faros axiosInstance. It already has retry logic backed in and/or we can pass logic specific to this API.
Even if we need this function it will become cleaner
|
|
||
| for (const vulnerability of data) { | ||
| const asset = assetMap.get(vulnerability.targetId); | ||
| // Image tage scan won't be available if asset is a repository: https://developer.vanta.com/reference/listvulnerableassets#:~:text=has%20been%20scanned.-,imageScanTag,-string%20%7C%20null |
There was a problem hiding this comment.
some weird linting or line breaks
| if (relatedEntity.repository) { | ||
| return [ | ||
| { | ||
| model: 'vcs_RepositoryVulnerability__Update', |
There was a problem hiding this comment.
Do we really need to query the graph for this? Would a blanket update without relatedEntity.repository.name, work? Is there any real risk when we do that?
Description
Replace GraphQL Queries by integration with generic vulnerability endpoints. Add vulnerability update to resolved status.
TODO:
Type of change
Related issues
Migration notes
Extra info