INT-4151 - Add Property Fields to Hackerone Findings #60
base: main
Commits 76eb4b5 to 54a168e
@eXtremeX a few comments, but overall looks good!
src/client.ts (outdated)
handleError: (err, context) => { | ||
const rateLimitType = err.response.headers.get('X-RateLimit-Type'); | ||
// only retry on 429 && per second limit | ||
if (!(err.status === 429 && rateLimitType === 'QPS')) { |
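Review bot: `err.response.headers.get('X-RateLimit-Type')` on the first line of this hunk assumes every error carries a `response`; network failures and timeouts usually have none, so the handler itself would throw before reaching the retry decision. Guard the access, e.g. `const rateLimitType = err.response?.headers?.get('X-RateLimit-Type');`, so that errors without a response fall through the `if` and are not retried.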
Could we expand the comment to mention why we are only retrying this type of rate limit?
Great catch - this was incorrect, a mistake while we were referencing a different graph project for the boilerplate-y parts. It has been fixed now.
PROGRAM_ASSET: { | ||
resourceName: 'Program Asset', | ||
_type: 'hackerone_program_asset', | ||
_class: ['Entity'], // TBD: A better fitting class |
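Review bot: the `// TBD: A better fitting class` marker on `_class: ['Entity']` should not land on main as-is; either settle the class before merge and drop the comment, or record the open question in the PR description so it is tracked rather than left in the entity metadata.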
Do we need to provide additional data modeling details?
Yep, we weren't sure about what class to use here. Here are examples of the Program Assets (known as structuredScopes in the HackerOne API docs):

```
structuredScope {
  id: '274636',
  type: 'structured-scope',
  attributes: {
    asset_type: 'URL',
    asset_identifier: 'blog.jupiterone.com',
    eligible_for_bounty: false,
    eligible_for_submission: false,
    instruction: null,
    max_severity: 'none',
    created_at: '2022-12-06T06:48:25.623Z',
    updated_at: '2022-12-06T06:48:25.623Z',
    reference: null
  }
}
structuredScope {
  id: '274637',
  type: 'structured-scope',
  attributes: {
    asset_type: 'OTHER',
    asset_identifier: 'Other assets',
    eligible_for_bounty: false,
    eligible_for_submission: true,
    instruction: 'If you have found a vulnerability in a JupiterOne demo site or app not contained within this list, you can still submit, and JupiterOne demo will triage the report. These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.',
    max_severity: 'critical',
    created_at: '2022-12-06T06:48:25.842Z',
    updated_at: '2022-12-06T06:48:25.842Z',
    reference: null
  }
}
structuredScope {
  id: '274635',
  type: 'structured-scope',
  attributes: {
    asset_type: 'APPLE_STORE_APP_ID',
    asset_identifier: 'com.jupiterone_demo.ios',
    eligible_for_bounty: true,
    eligible_for_submission: true,
    instruction: 'JupiterOne demo for iOS and iPadOS, available on the [App Store](http://www.apple.com/)',
    max_severity: 'critical',
    created_at: '2022-12-06T06:48:25.589Z',
    updated_at: '2022-12-06T06:48:25.589Z',
    reference: null
  }
}
```
Perhaps "Resource"?
@@ -73,14 +157,14 @@ export const MappedRelationships: Record< | |||
StepMappedRelationshipMetadata | |||
> = { | |||
FINDING_EXPLOITS_WEAKNESS: { | |||
_type: 'hackerone_finding_exploits_weakness', | |||
_type: 'hackerone_report_exploits_weakness', |
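Review bot: renaming the mapped relationship `_type` from `hackerone_finding_exploits_weakness` to `hackerone_report_exploits_weakness` changes the key under which these relationships are persisted, so any saved queries, alert rules or documentation that reference the old type will stop matching after the next sync. Call the rename out in the changelog and wherever the integration documents its relationship types, and confirm no other step or test still refers to the old `_type` string.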
Is this fixing undeclared types?
There are no undeclared types currently, even if that line is left unchanged. The reason behind that change was that the hackerone report entity has a type of `hackerone_report`, so the `hackerone_finding` felt like a typo, unless it was intentional?
src/steps/program-asset/converter.ts (outdated)
maxSeverity: data.attributes.max_severity, | ||
createdOn: parseTimePropertyValue(data.attributes.created_at), | ||
updatedOn: parseTimePropertyValue(data.attributes.updated_at), | ||
reference: data.attributes.reference, |
I think we should name this property `references`. If I recall correctly, that's what it gets called in the data-model.
Added `recommendation`, `reference`, `description`, and `impact` fields to `hackerone_report`