RubyGems - fluent-plugin-jfrog-siem - Versions diffs - 0.1.7 → 2.0.0 - Mend

fluent-plugin-jfrog-siem 0.1.7 → 2.0.0

Files changed (19) hide show

checksums.yaml +4 -4
data/.rspec +1 -0
data/CHANGELOG.md +36 -0
data/Gemfile.lock +90 -0
data/README.md +10 -3
data/Rakefile +1 -1
data/fluent-plugin-jfrog-siem.gemspec +8 -3
data/lib/fluent/plugin/in_jfrog_siem.rb +41 -215
data/lib/fluent/plugin/position_file.rb +32 -0
data/lib/fluent/plugin/violations.json +380 -0
data/lib/fluent/plugin/xray.rb +164 -0
data/spec/position_file_spec.rb +56 -0
data/spec/spec_helper.rb +111 -0
data/spec/xray_spec.rb +135 -0
data/test/helper.rb +1 -0
data/test/plugin/test_in_jfrog_siem.rb +31 -5
metadata +76 -10
data/elastic.conf +0 -18
data/splunk.conf +0 -18

data/lib/fluent/plugin/position_file.rb ADDED Viewed

@@ -0,0 +1,32 @@
+class PositionFile
+  def initialize(pos_file_path)
+    @pos_file_path = pos_file_path
+  end
+  def processed?(violation)
+    File.exist?(pos_file_name(violation)) && found?(violation)
+  end
+  def write(violation)
+    File.open(pos_file_name(violation), 'a') do |f|
+      f << violation_entry(violation)
+      f << "\n"
+    end
+  end
+  private
+  def found?(violation)
+    return File.open(pos_file_name(violation)) { |f| f.find { |line| line.include? violation_entry(violation) } }
+  end
+  def violation_entry(violation)
+    created_date = DateTime.parse(violation['created']).strftime("%Y-%m-%dT%H:%M:%SZ")
+    [created_date, violation['watch_name'], violation['issue_id']].join(',')
+  end
+  def pos_file_name(violation)
+    pos_file_date = DateTime.parse(violation['created']).strftime("%Y-%m-%d")
+    @pos_file_path + "jfrog_siem_log_#{pos_file_date}.siem.pos"
+  end
+end

data/lib/fluent/plugin/violations.json ADDED Viewed

@@ -0,0 +1,380 @@
+{
+  "total_violations":54,
+  "violations":[
+    {
+      "description":"Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check.",
+      "severity":"High",
+      "type":"Security",
+      "infected_components":[
+        "gav://struts:struts:1.1"
+      ],
+      "created":"2021-06-16T21:22:18Z",
+      "watch_name":"maven-watch1",
+      "issue_id":"XRAY-55418",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=ff9cf61f42a095cd97ea0ec0&issue_id=XRAY-55418&comp_id=gav:%2F%2Fstruts:struts:1.1",
+      "impacted_artifacts":[
+        "default/maven-repo-1/struts/struts/1.1/struts-1.1.jar"
+      ]
+    },
+    {
+      "description":"The Apache Software License, Version 1.1",
+      "severity":"High",
+      "type":"License",
+      "infected_components":[
+        "gav://struts:struts:1.1"
+      ],
+      "created":"2021-06-16T21:22:18Z",
+      "watch_name":"license-watch",
+      "issue_id":"Apache-1.1",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=b241c1986818d68993093e35&issue_id=Apache-1.1&comp_id=gav:%2F%2Fstruts:struts:1.1",
+      "impacted_artifacts":[
+        "default/maven-repo-1/struts/struts/1.1/struts-1.1.jar"
+      ]
+    },
+    {
+      "description":"The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.",
+      "severity":"High",
+      "type":"Security",
+      "infected_components":[
+        "gav://struts:struts:1.1"
+      ],
+      "created":"2021-06-16T21:22:18Z",
+      "watch_name":"maven-watch1",
+      "issue_id":"XRAY-55648",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=ff9cf61f42a095cd97ea0ec0&issue_id=XRAY-55648&comp_id=gav:%2F%2Fstruts:struts:1.1",
+      "impacted_artifacts":[
+        "default/maven-repo-1/struts/struts/1.1/struts-1.1.jar"
+      ]
+    },
+    {
+      "description":"Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to \"insufficient quoting of parameters.\"",
+      "severity":"Medium",
+      "type":"Security",
+      "infected_components":[
+        "gav://struts:struts:1.1"
+      ],
+      "created":"2021-06-16T21:22:18Z",
+      "watch_name":"maven-watch1",
+      "issue_id":"XRAY-55444",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=ff9cf61f42a095cd97ea0ec0&issue_id=XRAY-55444&comp_id=gav:%2F%2Fstruts:struts:1.1",
+      "impacted_artifacts":[
+        "default/maven-repo-1/struts/struts/1.1/struts-1.1.jar"
+      ]
+    },
+    {
+      "description":"Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting error message.",
+      "severity":"Medium",
+      "type":"Security",
+      "infected_components":[
+        "gav://struts:struts:1.1"
+      ],
+      "created":"2021-06-16T21:22:18Z",
+      "watch_name":"maven-watch1",
+      "issue_id":"XRAY-55420",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=ff9cf61f42a095cd97ea0ec0&issue_id=XRAY-55420&comp_id=gav:%2F%2Fstruts:struts:1.1",
+      "impacted_artifacts":[
+        "default/maven-repo-1/struts/struts/1.1/struts-1.1.jar"
+      ]
+    },
+    {
+      "description":"ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.",
+      "severity":"High",
+      "type":"Security",
+      "infected_components":[
+        "gav://struts:struts:1.1"
+      ],
+      "created":"2021-06-16T21:22:18Z",
+      "watch_name":"maven-watch1",
+      "issue_id":"XRAY-55419",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=ff9cf61f42a095cd97ea0ec0&issue_id=XRAY-55419&comp_id=gav:%2F%2Fstruts:struts:1.1",
+      "impacted_artifacts":[
+        "default/maven-repo-1/struts/struts/1.1/struts-1.1.jar"
+      ]
+    },
+    {
+      "description":"The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.",
+      "severity":"High",
+      "type":"Security",
+      "infected_components":[
+        "gav://struts:struts:1.2.4"
+      ],
+      "created":"2021-06-16T21:22:27Z",
+      "watch_name":"maven-watch-2",
+      "issue_id":"XRAY-55648",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=2a3ee020bf1a86b84d122c0c&issue_id=XRAY-55648&comp_id=gav:%2F%2Fstruts:struts:1.2.4",
+      "impacted_artifacts":[
+        "default/maven-repo-2/struts/struts/1.2.4/struts-1.2.4.jar"
+      ]
+    },
+    {
+      "description":"ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.",
+      "severity":"High",
+      "type":"Security",
+      "infected_components":[
+        "gav://struts:struts:1.2.4"
+      ],
+      "created":"2021-06-16T21:22:27Z",
+      "watch_name":"maven-watch-2",
+      "issue_id":"XRAY-55419",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=2a3ee020bf1a86b84d122c0c&issue_id=XRAY-55419&comp_id=gav:%2F%2Fstruts:struts:1.2.4",
+      "impacted_artifacts":[
+        "default/maven-repo-2/struts/struts/1.2.4/struts-1.2.4.jar"
+      ]
+    },
+    {
+      "description":"Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting error message.",
+      "severity":"Medium",
+      "type":"Security",
+      "infected_components":[
+        "gav://struts:struts:1.2.4"
+      ],
+      "created":"2021-06-16T21:22:27Z",
+      "watch_name":"maven-watch-2",
+      "issue_id":"XRAY-55420",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=2a3ee020bf1a86b84d122c0c&issue_id=XRAY-55420&comp_id=gav:%2F%2Fstruts:struts:1.2.4",
+      "impacted_artifacts":[
+        "default/maven-repo-2/struts/struts/1.2.4/struts-1.2.4.jar"
+      ]
+    },
+    {
+      "description":"The Apache Software License, Version 2.0",
+      "severity":"High",
+      "type":"License",
+      "infected_components":[
+        "gav://struts:struts:1.2.4"
+      ],
+      "created":"2021-06-16T21:22:27Z",
+      "watch_name":"license-watch",
+      "issue_id":"Apache-2.0",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=b241c1986818d68993093e35&issue_id=Apache-2.0&comp_id=gav:%2F%2Fstruts:struts:1.2.4",
+      "impacted_artifacts":[
+        "default/maven-repo-2/struts/struts/1.2.4/struts-1.2.4.jar"
+      ]
+    },
+    {
+      "description":"Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to \"insufficient quoting of parameters.\"",
+      "severity":"Medium",
+      "type":"Security",
+      "infected_components":[
+        "gav://struts:struts:1.2.4"
+      ],
+      "created":"2021-06-16T21:22:27Z",
+      "watch_name":"maven-watch-2",
+      "issue_id":"XRAY-55444",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=2a3ee020bf1a86b84d122c0c&issue_id=XRAY-55444&comp_id=gav:%2F%2Fstruts:struts:1.2.4",
+      "impacted_artifacts":[
+        "default/maven-repo-2/struts/struts/1.2.4/struts-1.2.4.jar"
+      ]
+    },
+    {
+      "description":"Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check.",
+      "severity":"High",
+      "type":"Security",
+      "infected_components":[
+        "gav://struts:struts:1.2.4"
+      ],
+      "created":"2021-06-16T21:22:27Z",
+      "watch_name":"maven-watch-2",
+      "issue_id":"XRAY-55418",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=2a3ee020bf1a86b84d122c0c&issue_id=XRAY-55418&comp_id=gav:%2F%2Fstruts:struts:1.2.4",
+      "impacted_artifacts":[
+        "default/maven-repo-2/struts/struts/1.2.4/struts-1.2.4.jar"
+      ]
+    },
+    {
+      "description":"Unicode Terms of Use",
+      "severity":"High",
+      "type":"License",
+      "infected_components":[
+        "gav://org.apache.struts:struts2-core:2.0.9"
+      ],
+      "created":"2021-06-16T21:22:37Z",
+      "watch_name":"license-watch",
+      "issue_id":"Unicode-TOU",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=b241c1986818d68993093e35&issue_id=Unicode-TOU&comp_id=gav:%2F%2Forg.apache.struts:struts2-core:2.0.9",
+      "impacted_artifacts":[
+        "default/maven-repo-3/org/apache/struts/struts2-core/2.0.9/struts2-core-2.0.9.jar"
+      ]
+    },
+    {
+      "description":"BSD 3-Clause \"New\" or \"Revised\" License",
+      "severity":"High",
+      "type":"License",
+      "infected_components":[
+        "gav://org.apache.struts:struts2-core:2.0.9"
+      ],
+      "created":"2021-06-16T21:22:37Z",
+      "watch_name":"license-watch",
+      "issue_id":"BSD-3-Clause",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=b241c1986818d68993093e35&issue_id=BSD-3-Clause&comp_id=gav:%2F%2Forg.apache.struts:struts2-core:2.0.9",
+      "impacted_artifacts":[
+        "default/maven-repo-3/org/apache/struts/struts2-core/2.0.9/struts2-core-2.0.9.jar"
+      ]
+    },
+    {
+      "description":"The Apache Software License, Version 2.0",
+      "severity":"High",
+      "type":"License",
+      "infected_components":[
+        "gav://org.apache.struts:struts2-core:2.0.9"
+      ],
+      "created":"2021-06-16T21:22:37Z",
+      "watch_name":"license-watch",
+      "issue_id":"Apache-2.0",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=b241c1986818d68993093e35&issue_id=Apache-2.0&comp_id=gav:%2F%2Forg.apache.struts:struts2-core:2.0.9",
+      "impacted_artifacts":[
+        "default/maven-repo-3/org/apache/struts/struts2-core/2.0.9/struts2-core-2.0.9.jar"
+      ]
+    },
+    {
+      "description":"The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the \"#\" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.",
+      "severity":"Medium",
+      "type":"Security",
+      "infected_components":[
+        "gav://org.apache.struts:struts2-core:2.0.9"
+      ],
+      "created":"2021-06-16T21:22:37Z",
+      "watch_name":"maven-watch-3",
+      "issue_id":"XRAY-55471",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=2c5ecab8172f24086f4b3bf4&issue_id=XRAY-55471&comp_id=gav:%2F%2Forg.apache.struts:struts2-core:2.0.9",
+      "impacted_artifacts":[
+        "default/maven-repo-3/org/apache/struts/struts2-core/2.0.9/struts2-core-2.0.9.jar"
+      ]
+    },
+    {
+      "description":"Academic Free License v2.1",
+      "severity":"High",
+      "type":"License",
+      "infected_components":[
+        "gav://org.apache.struts:struts2-core:2.0.9"
+      ],
+      "created":"2021-06-16T21:22:37Z",
+      "watch_name":"license-watch",
+      "issue_id":"AFL-2.1",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=b241c1986818d68993093e35&issue_id=AFL-2.1&comp_id=gav:%2F%2Forg.apache.struts:struts2-core:2.0.9",
+      "impacted_artifacts":[
+        "default/maven-repo-3/org/apache/struts/struts2-core/2.0.9/struts2-core-2.0.9.jar"
+      ]
+    },
+    {
+      "description":"ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \\u0023 representation for the # character.",
+      "severity":"Medium",
+      "type":"Security",
+      "infected_components":[
+        "gav://org.apache.struts:struts2-core:2.0.9"
+      ],
+      "created":"2021-06-16T21:22:38Z",
+      "watch_name":"maven-watch-3",
+      "issue_id":"XRAY-55446",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=2c5ecab8172f24086f4b3bf4&issue_id=XRAY-55446&comp_id=gav:%2F%2Forg.apache.struts:struts2-core:2.0.9",
+      "impacted_artifacts":[
+        "default/maven-repo-3/org/apache/struts/struts2-core/2.0.9/struts2-core-2.0.9.jar"
+      ]
+    },
+    {
+      "description":"Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via vectors associated with improper handling of (1) \" (double quote) characters in the href attribute of an s:a tag and (2) parameters in the action attribute of an s:url tag.",
+      "severity":"Medium",
+      "type":"Security",
+      "infected_components":[
+        "gav://org.apache.struts:struts2-core:2.0.9"
+      ],
+      "created":"2021-06-16T21:22:38Z",
+      "watch_name":"maven-watch-3",
+      "issue_id":"XRAY-55448",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=2c5ecab8172f24086f4b3bf4&issue_id=XRAY-55448&comp_id=gav:%2F%2Forg.apache.struts:struts2-core:2.0.9",
+      "impacted_artifacts":[
+        "default/maven-repo-3/org/apache/struts/struts2-core/2.0.9/struts2-core-2.0.9.jar"
+      ]
+    },
+    {
+      "description":"Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.",
+      "severity":"Critical",
+      "type":"Security",
+      "infected_components":[
+        "gav://org.apache.struts:struts2-core:2.0.9"
+      ],
+      "created":"2021-06-16T21:22:38Z",
+      "watch_name":"maven-watch-3",
+      "issue_id":"XRAY-129844",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=2c5ecab8172f24086f4b3bf4&issue_id=XRAY-129844&comp_id=gav:%2F%2Forg.apache.struts:struts2-core:2.0.9",
+      "impacted_artifacts":[
+        "default/maven-repo-3/org/apache/struts/struts2-core/2.0.9/struts2-core-2.0.9.jar"
+      ]
+    },
+    {
+      "description":"The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.",
+      "severity":"High",
+      "type":"Security",
+      "infected_components":[
+        "gav://org.apache.struts:struts2-core:2.0.9"
+      ],
+      "created":"2021-06-16T21:22:38Z",
+      "watch_name":"maven-watch-3",
+      "issue_id":"XRAY-55522",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=2c5ecab8172f24086f4b3bf4&issue_id=XRAY-55522&comp_id=gav:%2F%2Forg.apache.struts:struts2-core:2.0.9",
+      "impacted_artifacts":[
+        "default/maven-repo-3/org/apache/struts/struts2-core/2.0.9/struts2-core-2.0.9.jar"
+      ]
+    },
+    {
+      "description":"Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both \"${}\" and \"%{}\" sequences, which causes the OGNL code to be evaluated twice.",
+      "severity":"High",
+      "type":"Security",
+      "infected_components":[
+        "gav://org.apache.struts:struts2-core:2.0.9"
+      ],
+      "created":"2021-06-16T21:22:38Z",
+      "watch_name":"maven-watch-3",
+      "issue_id":"XRAY-55575",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=2c5ecab8172f24086f4b3bf4&issue_id=XRAY-55575&comp_id=gav:%2F%2Forg.apache.struts:struts2-core:2.0.9",
+      "impacted_artifacts":[
+        "default/maven-repo-3/org/apache/struts/struts2-core/2.0.9/struts2-core-2.0.9.jar"
+      ]
+    },
+    {
+      "description":"Apache Struts JSP Page Handling Unspecified XSS",
+      "severity":"Medium",
+      "type":"Security",
+      "infected_components":[
+        "gav://org.apache.struts:struts2-core:2.0.9"
+      ],
+      "created":"2021-06-16T21:22:38Z",
+      "watch_name":"maven-watch-3",
+      "issue_id":"XRAY-81164",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=2c5ecab8172f24086f4b3bf4&issue_id=XRAY-81164&comp_id=gav:%2F%2Forg.apache.struts:struts2-core:2.0.9",
+      "impacted_artifacts":[
+        "default/maven-repo-3/org/apache/struts/struts2-core/2.0.9/struts2-core-2.0.9.jar"
+      ]
+    },
+    {
+      "description":"Apache Struts <s:textfield> Tag <s:include> Handling XSS",
+      "severity":"Medium",
+      "type":"Security",
+      "infected_components":[
+        "gav://org.apache.struts:struts2-core:2.0.9"
+      ],
+      "created":"2021-06-16T21:22:38Z",
+      "watch_name":"maven-watch-3",
+      "issue_id":"XRAY-81187",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=2c5ecab8172f24086f4b3bf4&issue_id=XRAY-81187&comp_id=gav:%2F%2Forg.apache.struts:struts2-core:2.0.9",
+      "impacted_artifacts":[
+        "default/maven-repo-3/org/apache/struts/struts2-core/2.0.9/struts2-core-2.0.9.jar"
+      ]
+    },
+    {
+      "description":"Apache Struts EL / OGNL Interpretation Unspecified Remote Code Execution",
+      "severity":"High",
+      "type":"Security",
+      "infected_components":[
+        "gav://org.apache.struts:struts2-core:2.0.9"
+      ],
+      "created":"2021-06-16T21:22:38Z",
+      "watch_name":"maven-watch-3",
+      "issue_id":"XRAY-87424",
+      "violation_details_url":"http://localhost:8046/xray/api/v1/violations?watch_id=2c5ecab8172f24086f4b3bf4&issue_id=XRAY-87424&comp_id=gav:%2F%2Forg.apache.struts:struts2-core:2.0.9",
+      "impacted_artifacts":[
+        "default/maven-repo-3/org/apache/struts/struts2-core/2.0.9/struts2-core-2.0.9.jar"
+      ]
+    }
+  ]
+}

data/lib/fluent/plugin/xray.rb ADDED Viewed

@@ -0,0 +1,164 @@
+require 'concurrent'
+require 'concurrent-edge'
+require 'json'
+require "fluent/plugin/position_file"
+class Xray
+  def initialize(jpd_url, username, api_key, wait_interval, batch_size, pos_file_path, router, tag)
+    @jpd_url = jpd_url
+    @username = username
+    @api_key = api_key
+    @wait_interval = wait_interval
+    @batch_size = batch_size
+    @pos_file_path = pos_file_path
+    @router = router
+    @tag = tag
+  end
+  def violations(date_since)
+    violations_channel = Concurrent::Channel.new(capacity: @batch_size)
+    page_number = 1
+    timer_task = Concurrent::TimerTask.new(execution_interval: @wait_interval, timeout_interval: 30) do
+      xray_json = {"filters": { "created_from": date_since }, "pagination": {"order_by": "created","limit": @batch_size ,"offset": page_number } }
+      resp = get_violations(xray_json)
+      page_violation_count = resp['violations'].length
+      puts "Total violations count is #{resp['total_violations']}"
+      if resp['total_violations'] > 0
+        puts "Number of Violations in page #{page_number} are #{page_violation_count}"
+        resp['violations'].each {|v| violations_channel = process(v, violations_channel) }
+        page_number += 1 if next_page?(page_violation_count)
+      end
+    end
+    timer_task.execute
+    violations_channel
+  end
+  def violation_details(violations_channel)
+    violations_channel.each do |v|
+      Concurrent::Promises.future(v) do |v|
+        pull_violation_details(v['violation_details_url'])
+        pos_file = PositionFile.new(@pos_file_path)
+        pos_file.write(v)
+      end
+    end
+  end
+  def pull_violation_details(xray_violation_detail_url)
+    begin
+      detailResp_json = data_normalization(get_violations_detail(xray_violation_detail_url))
+      time = Fluent::Engine.now
+      @router.emit(@tag, time, detailResp_json)
+    rescue => e
+      puts "error: #{e}"
+      raise Fluent::ConfigError, "Error pulling violation details url #{xray_violation_detail_url}: #{e}"
+    end
+  end
+  def get_violations_detail(xray_violation_detail_url)
+    response = RestClient::Request.new(
+        :method => :get,
+        :url => xray_violation_detail_url,
+        :user => @username,
+        :password => @api_key
+    ).execute do |response, request, result|
+      case response.code
+      when 200
+        return JSON.parse(response.to_s)
+      else
+        puts "error: #{response.to_json}"
+        raise Fluent::ConfigError, "Cannot reach Artifactory URL to pull Xray SIEM violations."
+      end
+    end
+  end
+  def data_normalization(detailResp_json)
+    cve = []
+    cvss_v2_list = []
+    cvss_v3_list = []
+    policy_list = []
+    rule_list = []
+    impacted_artifact_url_list = []
+    if detailResp_json.key?('properties')
+      properties = detailResp_json['properties']
+      for index in 0..properties.length-1 do
+        if properties[index].key?('cve')
+          cve.push(properties[index]['cve'])
+        end
+        if properties[index].key?('cvss_v2')
+          cvss_v2_list.push(properties[index]['cvss_v2'])
+        end
+        if properties[index].key?('cvss_v3')
+          cvss_v3_list.push(properties[index]['cvss_v3'])
+        end
+      end
+      detailResp_json["cve"] = cve.sort.reverse[0]
+      cvss_v2 = cvss_v2_list.sort.reverse[0]
+      cvss_v3 = cvss_v3_list.sort.reverse[0]
+      if !cvss_v3.nil?
+        cvss = cvss_v3
+      elsif !cvss_v2.nil?
+        cvss = cvss_v2
+      end
+      cvss_score = cvss[0..2]
+      cvss_version = cvss.split(':')[1][0..2]
+      detailResp_json["cvss_score"] = cvss_score
+      detailResp_json["cvss_version"] = cvss_version
+    end
+    if detailResp_json.key?('matched_policies')
+      matched_policies = detailResp_json['matched_policies']
+      for index in 0..matched_policies.length-1 do
+        if matched_policies[index].key?('policy')
+          policy_list.push(matched_policies[index]['policy'])
+        end
+        if matched_policies[index].key?('rule')
+          rule_list.push(matched_policies[index]['rule'])
+        end
+      end
+      detailResp_json['policies'] = policy_list
+      detailResp_json['rules'] = rule_list
+    end
+    detailResp_json['impacted_artifacts'].each do |impacted_artifact|
+      matchdata = impacted_artifact.match /default\/(?<repo_name>[^\/]*)\/(?<path>.*)/
+      impacted_artifact_url = matchdata['repo_name'] + ":" + matchdata['path'] + " "
+      impacted_artifact_url_list.append(impacted_artifact_url)
+    end
+    detailResp_json['impacted_artifacts_url'] = impacted_artifact_url_list
+    return detailResp_json
+  end
+  def process(violation, violations_channel)
+    pos_file = PositionFile.new(@pos_file_path)
+    violations_channel << violation unless pos_file.processed?(violation)
+    violations_channel
+  end
+  private
+  def get_violations(xray_json)
+    response = RestClient::Request.new(
+        :method => :post,
+        :url => @jpd_url + "/xray/api/v1/violations",
+        :payload => xray_json.to_json,
+        :user => @username,
+        :password => @api_key,
+        :headers => { :accept => :json, :content_type => :json }
+    ).execute do |response, request, result|
+      case response.code
+      when 200
+        return JSON.parse(response.to_str)
+      else
+        puts "error: #{response.to_json}"
+        raise Fluent::ConfigError, "Cannot reach Artifactory URL to pull Xray SIEM violations. #{response.to_json}"
+      end
+    end
+  end
+  def next_page?(count)
+    count == @batch_size
+  end
+end