Added UI for configuring the NVD and GitHub actions.

stevespringett · stevespringett · commit c28a139d68e4 · 2022-01-26T17:14:38.000-06:00
#1153 #1225
diff --git a/src/i18n/locales/en.json b/src/i18n/locales/en.json
@@ -287,6 +287,10 @@
     "npm_audit": "NPM Audit",
     "oss_index": "Sonatype OSS Index",
     "vulndb": "VulnDB",
+    "vuln_sources": "Vulnerability Sources",
+    "nvd": "NVD",
+    "national_vulnerability_database": "National Vulnerability Database",
+    "github_advisories": "GitHub Advisories",
     "repositories": "Repositories",
     "cargo": "Cargo",
     "composer": "Composer",
@@ -345,6 +349,11 @@
     "analyzer_ossindex_desc": "OSS Index is a service provided by Sonatype which identifies vulnerabilities in third-party components. Dependency-Track integrates natively with the OSS Index service to provide highly accurate results. Use of this analyzer requires a valid PackageURL for the components being analyzed.",
     "analyzer_vulndb_enable": "Enable VulnDB analyzer",
     "analyzer_vulndb_desc": "VulnDB is a commercial service from Risk Based Security which identifies vulnerabilities in third-party components. Dependency-Track integrates natively with the VulnDB service to provide highly accurate results. Use of this analyzer requires a valid CPE for the components being analyzed.",
+    "vulnsource_nvd_enable": "Enable National Vulnerability Database mirroring",
+    "vulnsource_nvd_desc": "The National Vulnerability Database (NVD) is the largest publicly available source of vulnerability intelligence. It is maintained by a group within the National Institute of Standards and Technology (NIST) and builds upon the work of MITRE and others. Vulnerabilities in the NVD are called Common Vulnerabilities and Exposures (CVE). There are over 100,000 CVEs documented in the NVD spanning from the 1990’s to the present.",
+    "vulnsource_nvd_feeds_url": "NVD Feeds URL",
+    "vulnsource_github_advisories_enable": "Enable GitHub Advisory mirroring",
+    "vulnsource_github_advisories_desc": "GitHub Advisories is a centralized source of vulnerability intelligence specific to GitHub projects. GitHub advisories may \nor may not be documented in the National Vulnerability Database.",
     "registered_email_address": "Registered email address",
     "api_token": "API token",
     "consumer_key": "Consumer key",
diff --git a/src/views/administration/AdminMenu.vue b/src/views/administration/AdminMenu.vue
@@ -88,6 +88,23 @@
               }
             ]
           },
+          {
+            name: this.$t('admin.vuln_sources'),
+            id: "vulnSourceMenu",
+            permission: SYSTEM_CONFIGURATION,
+            children: [
+              {
+                component: "VulnSourceNvd",
+                name: this.$t('admin.national_vulnerability_database'),
+                href: "#vulnsourceNvdTab"
+              },
+              {
+                component: "VulnSourceGitHubAdvisories",
+                name: this.$t('admin.github_advisories'),
+                href: "#vulnsourceGitHubAdvisoriesTab"
+              }
+            ]
+          },
           {
             name: this.$t('admin.repositories'),
             id: "repositoriesMenu",
diff --git a/src/views/administration/Administration.vue b/src/views/administration/Administration.vue
@@ -28,6 +28,9 @@
   import NpmAuditAnalyzer from "./analyzers/NpmAuditAnalyzer";
   import OssIndexAnalyzer from "./analyzers/OssIndexAnalyzer";
   import VulnDbAnalyzer from "./analyzers/VulnDbAnalyzer";
+  // Vulnerability sources
+  import VulnSourceNvd from "./vuln-sources/VulnSourceNvd";
+  import VulnSourceGitHubAdvisories from "./vuln-sources/VulnSourceGitHubAdvisories";
   // Repositories
   import Cargo from "./repositories/Cargo";
   import Composer from "./repositories/Composer";
@@ -60,6 +63,7 @@
       AdminMenu,
       General, BomFormats, Email, InternalComponents,
       InternalAnalyzer, NpmAuditAnalyzer, OssIndexAnalyzer, VulnDbAnalyzer,
+      VulnSourceNvd, VulnSourceGitHubAdvisories,
       Cargo, Composer, Gem, GoModules, Hex, Maven, Npm, Nuget, Python,
       Alerts, Templates,
       FortifySsc, DefectDojo, KennaSecurity,
diff --git a/src/views/administration/vuln-sources/VulnSourceGitHubAdvisories.vue b/src/views/administration/vuln-sources/VulnSourceGitHubAdvisories.vue
@@ -0,0 +1,71 @@
+<template>
+  <b-card no-body :header="header">
+    <b-card-body>
+      <c-switch id="vulnsourceEnabled" color="primary" v-model="vulnsourceEnabled" label v-bind="labelIcon" />{{$t('admin.vulnsource_github_advisories_enable')}}
+      <b-validated-input-group-form-input
+        id="github-advisories-apitoken"
+        :label="$t('admin.api_token')"
+        input-group-size="mb-3"
+        rules="required"
+        type="password"
+        v-model="apitoken"
+        lazy="true"
+      />
+      <hr/>
+      {{ $t('admin.vulnsource_github_advisories_desc') }}
+    </b-card-body>
+    <b-card-footer>
+      <b-button variant="outline-primary" class="px-4" @click="saveChanges">{{ $t('message.update') }}</b-button>
+    </b-card-footer>
+  </b-card>
+</template>
+
+<script>
+import { Switch as cSwitch } from '@coreui/vue';
+import BValidatedInputGroupFormInput from '../../../forms/BValidatedInputGroupFormInput';
+import common from "../../../shared/common";
+import configPropertyMixin from "../mixins/configPropertyMixin";
+
+export default {
+  mixins: [configPropertyMixin],
+  props: {
+    header: String
+  },
+  components: {
+    cSwitch,
+    BValidatedInputGroupFormInput
+  },
+  data() {
+    return {
+      vulnsourceEnabled: false,
+      apitoken: '',
+      labelIcon: {
+        dataOn: '\u2713',
+        dataOff: '\u2715'
+      },
+    }
+  },
+  methods: {
+    saveChanges: function() {
+      this.updateConfigProperties([
+        {groupName: 'vuln-source', propertyName: 'github.advisories.enabled', propertyValue: this.vulnsourceEnabled},
+        {groupName: 'vuln-source', propertyName: 'github.advisories.access.token', propertyValue: this.apitoken}
+      ]);
+    }
+  },
+  created () {
+    this.axios.get(this.configUrl).then((response) => {
+      let configItems = response.data.filter(function (item) { return item.groupName === "vuln-source" });
+      for (let i=0; i<configItems.length; i++) {
+        let item = configItems[i];
+        switch (item.propertyName) {
+          case "github.advisories.enabled":
+            this.vulnsourceEnabled = common.toBoolean(item.propertyValue); break;
+          case "github.advisories.access.token":
+            this.apitoken = item.propertyValue; break;
+        }
+      }
+    });
+  }
+}
+</script>
diff --git a/src/views/administration/vuln-sources/VulnSourceNvd.vue b/src/views/administration/vuln-sources/VulnSourceNvd.vue
@@ -0,0 +1,71 @@
+<template>
+  <b-card no-body :header="header">
+    <b-card-body>
+      <c-switch id="vulnsourceEnabled" color="primary" v-model="vulnsourceEnabled" label v-bind="labelIcon" />{{$t('admin.vulnsource_nvd_enable')}}
+      <b-validated-input-group-form-input
+        id="nvd-feeds-url"
+        :label="$t('admin.vulnsource_nvd_feeds_url')"
+        input-group-size="mb-3"
+        rules="required"
+        type="text"
+        v-model="nvdFeedsUrl"
+        lazy="true"
+      />
+      <hr/>
+      {{ $t('admin.vulnsource_nvd_desc') }}
+    </b-card-body>
+    <b-card-footer>
+      <b-button variant="outline-primary" class="px-4" @click="saveChanges">{{ $t('message.update') }}</b-button>
+    </b-card-footer>
+  </b-card>
+</template>
+
+<script>
+import { Switch as cSwitch } from '@coreui/vue';
+import BValidatedInputGroupFormInput from '../../../forms/BValidatedInputGroupFormInput';
+import common from "../../../shared/common";
+import configPropertyMixin from "../mixins/configPropertyMixin";
+
+export default {
+  mixins: [configPropertyMixin],
+  props: {
+    header: String
+  },
+  components: {
+    cSwitch,
+    BValidatedInputGroupFormInput
+  },
+  data() {
+    return {
+      vulnsourceEnabled: false,
+      nvdFeedsUrl: '',
+      labelIcon: {
+        dataOn: '\u2713',
+        dataOff: '\u2715'
+      },
+    }
+  },
+  methods: {
+    saveChanges: function() {
+      this.updateConfigProperties([
+        {groupName: 'vuln-source', propertyName: 'nvd.enabled', propertyValue: this.scannerEnabled},
+        {groupName: 'vuln-source', propertyName: 'nvd.feeds.url', propertyValue: this.username}
+      ]);
+    }
+  },
+  created () {
+    this.axios.get(this.configUrl).then((response) => {
+      let configItems = response.data.filter(function (item) { return item.groupName === "vuln-source" });
+      for (let i=0; i<configItems.length; i++) {
+        let item = configItems[i];
+        switch (item.propertyName) {
+          case "nvd.enabled":
+            this.vulnsourceEnabled = common.toBoolean(item.propertyValue); break;
+          case "nvd.feeds.url":
+            this.nvdFeedsUrl = item.propertyValue; break;
+        }
+      }
+    });
+  }
+}
+</script>
