Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MARP-1294 Create a central monitoring reporting for security issues of axonivy marketplace #251

Open
wants to merge 13 commits into
base: develop
Choose a base branch
from
Open

MARP-1294 Create a central monitoring reporting for security issues of axonivy marketplace #251

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
0015c30
Implement
ndkhanh-axonivy Dec 4, 2024
bd5b0b0
Add tests and refactor code UI
ndkhanh-axonivy Dec 4, 2024
d5d107f
Implement Test for BE
ndkhanh-axonivy Dec 4, 2024
fb068b0
Handle feedbacks
ndkhanh-axonivy Dec 6, 2024
c03eb6e
Handle feedbacks
ndkhanh-axonivy Dec 6, 2024
d5a2306
Handle feedbacks
ndkhanh-axonivy Dec 10, 2024
6cab5cd
Handle feedbacks
ndkhanh-axonivy Dec 10, 2024
d37e64b
Update GitHubUtilsTest.java
ndkhanh-axonivy Dec 10, 2024
ff89fb9
Fix sonar issues
ndkhanh-axonivy Dec 10, 2024
97be794
Fix sonars
ndkhanh-axonivy Dec 10, 2024
8c61d56
Sonar fixes
ndkhanh-axonivy Dec 10, 2024
98cf424
Update security-monitor.component.ts
ndkhanh-axonivy Dec 10, 2024
b7e4f6f
Update test UI
ndkhanh-axonivy Dec 10, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 9 additions & 4 deletions marketplace-service/src/main/java/com/axonivy/market/constants/GitHubConstants.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,15 +19,20 @@ public static class Json {
public static final String CLIENT_ID = "client_id";
public static final String CLIENT_SECRET = "client_secret";
public static final String CODE = "code";
public static final String USER_ID = "id";
public static final String USER_NAME = "name";
public static final String USER_AVATAR_URL = "avatar_url";
public static final String USER_LOGIN_NAME = "login";
public static final String SEVERITY = "severity";
public static final String SEVERITY_ADVISORY = "security_advisory";
public static final String RULE = "rule";
}

@NoArgsConstructor(access = AccessLevel.PRIVATE)
public static class Url {
private static final String BASE_URL = "https://api.github.com";
public static final String USER = BASE_URL + "/user";
public static final String REPO_SECURITY_ADVISORIES = BASE_URL + "/repos/%s/%s/security-advisories?state=%s";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this constant is not used.

public static final String REPO_DEPENDABOT_ALERTS_OPEN = BASE_URL + "/repos/%s/%s/dependabot/alerts?state=open";
public static final String REPO_SECRET_SCANNING_ALERTS_OPEN =
BASE_URL + "/repos/%s/%s/secret-scanning/alerts?state=open";
public static final String REPO_CODE_SCANNING_ALERTS_OPEN =
BASE_URL + "/repos/%s/%s/code-scanning/alerts?state=open";
}
}
1 change: 1 addition & 0 deletions marketplace-service/src/main/java/com/axonivy/market/constants/RequestMappingConstants.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,4 +32,5 @@ public class RequestMappingConstants {
public static final String LATEST_ARTIFACT_DOWNLOAD_URL_BY_ID = "/{id}/artifact";
public static final String EXTERNAL_DOCUMENT = API + "/externaldocument";
public static final String PRODUCT_MARKETPLACE_DATA = API + "/product-marketplace-data";
public static final String SECURITY_MONITOR = API + "/security-monitor";
}
39 changes: 39 additions & 0 deletions ...tplace-service/src/main/java/com/axonivy/market/controller/SecurityMonitorController.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
package com.axonivy.market.controller;

import com.axonivy.market.constants.GitHubConstants;
import com.axonivy.market.github.service.GitHubService;
import com.axonivy.market.github.model.ProductSecurityInfo;
import com.axonivy.market.util.AuthorizationUtils;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import lombok.AllArgsConstructor;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import java.util.List;

import static com.axonivy.market.constants.RequestMappingConstants.SECURITY_MONITOR;
import static org.springframework.http.HttpHeaders.AUTHORIZATION;

@RestController
@RequestMapping(SECURITY_MONITOR)
@Tag(name = "Security Monitor Controllers", description = "API collection to get Github Marketplace security's detail.")
@AllArgsConstructor
public class SecurityMonitorController {
private final GitHubService gitHubService;

@GetMapping
@Operation(hidden = true)
public ResponseEntity<Object> getGitHubMarketplaceSecurity(
@RequestHeader(value = AUTHORIZATION) String authorizationHeader) {
String token = AuthorizationUtils.getBearerToken(authorizationHeader);
gitHubService.validateUserInOrganizationAndTeam(token, GitHubConstants.AXONIVY_MARKET_ORGANIZATION_NAME,
GitHubConstants.AXONIVY_MARKET_TEAM_NAME);
List<ProductSecurityInfo> securityInfoList = gitHubService.getSecurityDetailsForAllProducts(token,
GitHubConstants.AXONIVY_MARKET_ORGANIZATION_NAME);
return ResponseEntity.ok(securityInfoList);
}
}
10 changes: 10 additions & 0 deletions marketplace-service/src/main/java/com/axonivy/market/enums/AccessLevel.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
package com.axonivy.market.enums;

import lombok.AllArgsConstructor;
import lombok.Getter;

@Getter
@AllArgsConstructor
public enum AccessLevel {
NO_PERMISSION, ENABLED, DISABLED
}
16 changes: 16 additions & 0 deletions marketplace-service/src/main/java/com/axonivy/market/github/model/CodeScanning.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
package com.axonivy.market.github.model;

import com.axonivy.market.enums.AccessLevel;
import lombok.Getter;
import lombok.NoArgsConstructor;
import lombok.Setter;

import java.util.Map;

@Getter
@Setter
@NoArgsConstructor
public class CodeScanning {
private Map<String, Integer> alerts;
private AccessLevel status;
}
16 changes: 16 additions & 0 deletions marketplace-service/src/main/java/com/axonivy/market/github/model/Dependabot.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
package com.axonivy.market.github.model;

import com.axonivy.market.enums.AccessLevel;
import lombok.Getter;
import lombok.NoArgsConstructor;
import lombok.Setter;

import java.util.Map;

@Getter
@Setter
@NoArgsConstructor
public class Dependabot {
private Map<String, Integer> alerts;
private AccessLevel status;
}
25 changes: 25 additions & 0 deletions marketplace-service/src/main/java/com/axonivy/market/github/model/ProductSecurityInfo.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
package com.axonivy.market.github.model;

import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.NoArgsConstructor;
import lombok.Setter;

import java.util.Date;
import java.util.Map;

@Getter
@Setter
@NoArgsConstructor
@AllArgsConstructor
public class ProductSecurityInfo {
private String repoName;
private boolean isArchived;
private String visibility;
private boolean branchProtectionEnabled;
private Date lastCommitDate;
private String latestCommitSHA;
private Dependabot dependabot;
private SecretScanning secretsScanning;
private CodeScanning codeScanning;
}
14 changes: 14 additions & 0 deletions marketplace-service/src/main/java/com/axonivy/market/github/model/SecretScanning.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
package com.axonivy.market.github.model;

import com.axonivy.market.enums.AccessLevel;
import lombok.Getter;
import lombok.NoArgsConstructor;
import lombok.Setter;

@Getter
@Setter
@NoArgsConstructor
public class SecretScanning {
private Integer numberOfAlerts;
private AccessLevel status;
}
3 changes: 3 additions & 0 deletions marketplace-service/src/main/java/com/axonivy/market/github/service/GitHubService.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
import com.axonivy.market.exceptions.model.UnauthorizedException;
import com.axonivy.market.github.model.GitHubAccessTokenResponse;
import com.axonivy.market.github.model.GitHubProperty;
import com.axonivy.market.github.model.ProductSecurityInfo;
import org.kohsuke.github.GHContent;
import org.kohsuke.github.GHOrganization;
import org.kohsuke.github.GHRepository;
Expand Down Expand Up @@ -37,4 +38,6 @@ GitHubAccessTokenResponse getAccessToken(String code, GitHubProperty gitHubPrope
User getAndUpdateUser(String accessToken);

void validateUserInOrganizationAndTeam(String accessToken, String team, String org) throws UnauthorizedException;

List<ProductSecurityInfo> getSecurityDetailsForAllProducts(String accessToken, String orgName);
}
Loading
Loading