Merge pull request #33 from hazcod/dev

hazcod · web-flow · commit dbe74a21dd50 · 2021-10-27T08:04:25.000+02:00
Feature: Falcon ExprtAI Severity filtering
diff --git a/README.md b/README.md
@@ -49,6 +49,8 @@ falcon:
   min_cve_base_score: 0
   # the CVEs you want to ignore
   skip_cves: ["CVE-2019-15315"]
+  # the minimum exprtAI severity you want to filter for
+  min_exprtai_severity: medium
 
 # vmware workspace one
 ws1:
diff --git a/config/config.go b/config/config.go
@@ -30,6 +30,7 @@ type Config struct {
 		SkipSeverities []string `yaml:"skip_severities" env:"FALCON_SKIP_SEVERITIES"`
 		MinCVEBaseScore int `yaml:"min_cve_base_score" env:"FALCON_MIN_CVE_BASE_SCORE"`
 		SkipCVEs []string `yaml:"skip_cves" env:"FALCON_SKIP_CVES"`
+		MinExprtAISeverity string `yaml:"min_exprtai_severity" env:"FALCON_MIN_EXPRTAI_SEVERITYs"`
 	} `yaml:"falcon"`
 
 	WS1 struct {
diff --git a/go.mod b/go.mod
@@ -3,7 +3,7 @@ module github.com/hazcod/crowdstrike-spotlight-slacker
 go 1.16
 
 require (
-	github.com/crowdstrike/gofalcon v0.2.11
+	github.com/crowdstrike/gofalcon v0.2.14-0.20211026142948-62733f384b4d
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.8.1
diff --git a/go.sum b/go.sum
@@ -56,8 +56,8 @@ github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMn
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/crowdstrike/gofalcon v0.2.11 h1:pF/sRRZQmsWwndktkT2X0BAIbYhMQRXIZDxkB5ssy3g=
-github.com/crowdstrike/gofalcon v0.2.11/go.mod h1:cnJxuFcSaHBJJRTASY+BRhsUXaJku2JOURUjihHxwLo=
+github.com/crowdstrike/gofalcon v0.2.14-0.20211026142948-62733f384b4d h1:7xkFSX7JX4v2LqGqzuTyrwoWCco2OrdMrcifVHmfRyM=
+github.com/crowdstrike/gofalcon v0.2.14-0.20211026142948-62733f384b4d/go.mod h1:cnJxuFcSaHBJJRTASY+BRhsUXaJku2JOURUjihHxwLo=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
diff --git a/pkg/falcon/extractor.go b/pkg/falcon/extractor.go
@@ -40,7 +40,7 @@ type UserDeviceFinding struct {
 	Mitigations		    []string
 }
 
-func getUniqueDeviceID(hostInfo models.DomainAPIVulnerabilityHostInfoV2) (string, error) {
+func getUniqueDeviceID(hostInfo models.DomainAPIVulnerabilityHostFacetV2) (string, error) {
 	b, err := json.Marshal(&hostInfo)
 	if err != nil {
 		return "", err
@@ -118,11 +118,21 @@ func appendUnique(main, adder []string) []string {
 	return main
 }
 
-func remove(a []string, i int) []string {
-	a[i] = a[len(a)-1] // Copy last element to index i.
-	a[len(a)-1] = ""   // Erase last element (write zero value).
-	a = a[:len(a)-1]   // Truncate slice.
-	return a
+func getSeverityScore(severity string) (int, error) {
+	switch strings.TrimSpace(strings.ToLower(severity)) {
+	case "":
+		return 0, nil
+	case "low":
+		return 0, nil
+	case "medium":
+		return 1, nil
+	case "high":
+		return 2, nil
+	case "critical":
+		return 3, nil
+	}
+
+	return -1, errors.New("unknown severity: " + severity)
 }
 
 func GetMessages(config *config.Config, ctx context.Context) (results map[string]FalconResult, err error) {
@@ -140,11 +150,12 @@ func GetMessages(config *config.Config, ctx context.Context) (results map[string
 		return nil, errors.Wrap(err, "could not initialize Falcon client")
 	}
 
-	queryResult, err := client.SpotlightVulnerabilities.QueryVulnerabilities(
-		&spotlight_vulnerabilities.QueryVulnerabilitiesParams{
+	queryResult, err := client.SpotlightVulnerabilities.CombinedQueryVulnerabilities(
+		&spotlight_vulnerabilities.CombinedQueryVulnerabilitiesParams{
 			Context: ctx,
 			Filter:  "status:'open'",
 			Limit:   &falconAPIMaxRecords,
+			Facet: []string{"host_info", "cve", "remediation"},
 		},
 	)
 	if err != nil {
@@ -155,137 +166,148 @@ func GetMessages(config *config.Config, ctx context.Context) (results map[string
 		return nil, errors.New("QueryVulnerabilities result was nil")
 	}
 
-	var vulnIDs []string
-	vulnIDs = append(vulnIDs, queryResult.GetPayload().Resources...)
-
-	if len(vulnIDs) == 0 {
-		return results, nil
-	}
-
-	logrus.WithField("vulns", len(vulnIDs)).Info("found vulnerabilities")
-
-	getResult, err := client.SpotlightVulnerabilities.GetVulnerabilities(
-		&spotlight_vulnerabilities.GetVulnerabilitiesParams{
-			Ids:     vulnIDs,
-			Context: context.Background(),
-		},
-	)
-	if err != nil || getResult == nil {
-		return nil, errors.Wrap(err, "could not get Falcon vulnerabilities")
-	}
-
-	if len(getResult.GetPayload().Resources) != len(vulnIDs) {
-		logrus.Warn("result payload not as large as vuln list")
-	}
-
 	var hostTags []string
 	devices := map[string]UserDevice{}
 
-	var mitigationIDs []string
-
-	for _, vuln := range getResult.GetPayload().Resources {
+	minExpertAIScore := 0
+	if newScore, err := getSeverityScore(config.Falcon.MinExprtAISeverity); err != nil {
+		return nil, errors.Wrap(err, "unknown minimum exprtai severity specified")
+	} else { minExpertAIScore = newScore }
 
-		if len(vuln.Remediation.Ids) == 0 && config.Falcon.SkipNoMitigation {
-			logrus.WithField("app", *vuln.App.ProductNameVersion).
-				Debug("skipping vulnerability without remediation")
+	for _, vuln := range queryResult.GetPayload().Resources {
 
+		if vuln.Apps == nil {
 			continue
 		}
 
-		if *vuln.Cve.ID != "" && len(config.Falcon.SkipCVEs) > 0 {
-			vulnIgnore := false
+		for _, vulnApp := range vuln.Apps {
 
-			for _, cve := range config.Falcon.SkipCVEs {
-				if strings.EqualFold(cve, *vuln.Cve.ID) {
-					vulnIgnore = true
-					break
-				}
-			}
+			if (vulnApp.Remediation == nil || len(vulnApp.Remediation.Ids) == 0) && config.Falcon.SkipNoMitigation {
+				logrus.WithField("rem", fmt.Sprintf("%+v", vulnApp.Remediation)).Debug("rem")
+
+				logrus.WithField("app", vulnApp.ProductNameVersion).
+					Debug("skipping vulnerability without remediation")
 
-			if vulnIgnore {
-				logrus.WithField("cve", *vuln.Cve.ID).WithField("host", *vuln.HostInfo.Hostname).
-					Warn("skipping CVE")
 				continue
 			}
-		}
 
-		mitigationIDs = appendUnique(mitigationIDs, vuln.Remediation.Ids)
+			if *vuln.Cve.ID != "" && len(config.Falcon.SkipCVEs) > 0 {
+				vulnIgnore := false
 
-		uniqueDeviceID, err := getUniqueDeviceID(*vuln.HostInfo)
-		if err != nil {
-			logrus.WithError(err).Error("could not calculate unique device id")
+				for _, cve := range config.Falcon.SkipCVEs {
+					if strings.EqualFold(cve, *vuln.Cve.ID) {
+						vulnIgnore = true
+						break
+					}
+				}
 
-			continue
-		}
+				if vulnIgnore {
+					logrus.WithField("cve", *vuln.Cve.ID).
+						WithField("host", *vuln.HostInfo.Hostname).
+						Warn("skipping CVE")
+					continue
+				}
+			}
+
+			uniqueDeviceID, err := getUniqueDeviceID(*vuln.HostInfo)
+			if err != nil {
+				logrus.WithError(err).Error("could not calculate unique device id")
 
-		if config.Falcon.MinCVEBaseScore > 0 {
-			if int(*vuln.Cve.BaseScore) < config.Falcon.MinCVEBaseScore {
-				logrus.WithField("cve_score", *vuln.Cve.BaseScore).Debug("skipping vulnerability")
 				continue
 			}
-		}
 
-		if len(config.Falcon.SkipSeverities) > 0 {
-			vulnSev := strings.ToLower(*vuln.Cve.Severity)
-			skip := false
+			if config.Falcon.MinCVEBaseScore > 0 {
+				if int(vuln.Cve.BaseScore) < config.Falcon.MinCVEBaseScore {
+					logrus.WithField("cve_score", vuln.Cve.BaseScore).Debug("skipping vulnerability")
+					continue
+				}
+			}
 
-			for _, sev := range config.Falcon.SkipSeverities {
-				if strings.EqualFold(sev, vulnSev) {
-					logrus.WithField("host", *vuln.HostInfo.Hostname).WithField("cve_score", *vuln.Cve.BaseScore).
-						WithField("severity", *vuln.Cve.Severity).WithField("cve", *vuln.Cve.ID).
-						Debug("skipping vulnerability")
-					skip = true
-					break
+			if config.Falcon.MinExprtAISeverity != "" {
+				vulnExpertAISevScore, err := getSeverityScore(config.Falcon.MinExprtAISeverity)
+				if err != nil {
+					logrus.WithField("exprtai_score", vuln.Cve.ExprtRating).WithError(err).
+						Error("unknown exprtai score")
+				} else {
+					if vulnExpertAISevScore < minExpertAIScore {
+						logrus.WithField("min_exprtai_severity", config.Falcon.MinExprtAISeverity).
+							WithField("exprtai_severity", vuln.Cve.ExprtRating).Debug("skipping vulnerability")
+						continue
+					}
 				}
 			}
 
-			if skip { continue }
-		}
+			if len(config.Falcon.SkipSeverities) > 0 {
+				vulnSev := strings.ToLower(vuln.Cve.Severity)
+				skip := false
+
+				for _, sev := range config.Falcon.SkipSeverities {
+					if strings.EqualFold(sev, vulnSev) {
+						logrus.WithField("host", *vuln.HostInfo.Hostname).WithField("cve_score", vuln.Cve.BaseScore).
+							WithField("severity", vuln.Cve.Severity).WithField("cve", *vuln.Cve.ID).
+							Debug("skipping vulnerability")
+						skip = true
+						break
+					}
+				}
+
+				if skip {
+					continue
+				}
+			}
 
-		logrus.WithField("host", *vuln.HostInfo.Hostname).WithField("cve_score", *vuln.Cve.BaseScore).
-			WithField("severity", *vuln.Cve.Severity).WithField("cve", *vuln.Cve.ID).
-			Debug("adding vulnerability")
+			logrus.WithField("host", *vuln.HostInfo.Hostname).WithField("cve_score", vuln.Cve.BaseScore).
+				WithField("severity", vuln.Cve.Severity).WithField("cve", *vuln.Cve.ID).
+				Debug("adding vulnerability")
 
-		deviceFinding := UserDeviceFinding{
-			ProductName:         *vuln.App.ProductNameVersion,
-			CveID:               *vuln.Cve.ID,
-			CveSeverity:         *vuln.Cve.Severity,
-			TimestampFound:      *vuln.CreatedTimestamp,
-			Mitigations:		 vuln.Remediation.Ids,
-		}
+			deviceFinding := UserDeviceFinding{
+				ProductName:    *vulnApp.ProductNameVersion,
+				CveID:          *vuln.Cve.ID,
+				CveSeverity:    vuln.Cve.Severity,
+				TimestampFound: *vuln.CreatedTimestamp,
+			}
 
-		if _, ok := devices[uniqueDeviceID]; !ok {
-			devices[uniqueDeviceID] = UserDevice{
-				MachineName: fmt.Sprintf(
-					"%s %s",
-					*vuln.HostInfo.OsVersion,
-					*vuln.HostInfo.Hostname,
-				),
-				Tags:     vuln.HostInfo.Tags,
-				Findings: []UserDeviceFinding{},
+			for _, mitigation := range vuln.Remediation.Entities {
+				if strings.HasPrefix(strings.ToLower(*mitigation.Action), "no fix available for ") {
+					continue
+				}
+
+				deviceFinding.Mitigations = appendUnique(deviceFinding.Mitigations, []string{*mitigation.Action})
+			}
+
+			if _, ok := devices[uniqueDeviceID]; !ok {
+				devices[uniqueDeviceID] = UserDevice{
+					MachineName: fmt.Sprintf(
+						"%s %s",
+						*vuln.HostInfo.OsVersion,
+						*vuln.HostInfo.Hostname,
+					),
+					Tags:     vuln.HostInfo.Tags,
+					Findings: []UserDeviceFinding{},
+				}
 			}
-		}
 
-		device := devices[uniqueDeviceID]
+			device := devices[uniqueDeviceID]
 
-		findingExists := false
+			findingExists := false
 
-		for _, finding := range device.Findings {
-			if strings.EqualFold(finding.ProductName, deviceFinding.ProductName) {
-				findingExists = true
-				break
+			for _, finding := range device.Findings {
+				if strings.EqualFold(finding.ProductName, deviceFinding.ProductName) {
+					findingExists = true
+					break
+				}
 			}
-		}
 
-		if !findingExists {
-			device.Findings = append(device.Findings, deviceFinding)
-		}
+			if !findingExists {
+				device.Findings = append(device.Findings, deviceFinding)
+			}
 
-		device.Tags = appendUnique(device.Tags, vuln.HostInfo.Tags)
+			device.Tags = appendUnique(device.Tags, vuln.HostInfo.Tags)
 
-		devices[uniqueDeviceID] = device
+			devices[uniqueDeviceID] = device
 
-		hostTags = append(hostTags, device.Tags...)
+			hostTags = append(hostTags, device.Tags...)
+		}
 	}
 
 	if len(devices) == 0 {
@@ -296,43 +318,6 @@ func GetMessages(config *config.Config, ctx context.Context) (results map[string
 		return nil, errors.New("no tags found on decices")
 	}
 
-	logrus.WithField("remediations", len(mitigationIDs)).Debug("retrieving remediations")
-
-	remResp, err := client.SpotlightVulnerabilities.GetRemediationsV2(&spotlight_vulnerabilities.GetRemediationsV2Params{
-		Ids:        mitigationIDs,
-		Context:    ctx,
-	})
-
-	if err != nil {
-		return nil, errors.Wrap(err, "could not retrieve remediations")
-	}
-
-	remediations := make(map[string]string)
-
-	for _, remRes := range remResp.GetPayload().Resources {
-		logrus.Tracef("%s -> %s", *remRes.ID, *remRes.Action)
-		remediations[*remRes.ID] = *remRes.Action
-	}
-
-	// remove useless mitigations that start with 'no fix available for'
-	for a, device := range devices {
-		for b, finding := range device.Findings {
-			for c, rem := range finding.Mitigations {
-				remText, remFound := remediations[rem]
-
-				if !remFound || strings.HasPrefix(strings.ToLower(remText), "no fix available for") {
-					logrus.WithField("rem", rem).WithField("rem_text", remText).WithField("device", device.MachineName).
-						Warn("skipping mitigation")
-
-					devices[a].Findings[b].Mitigations = remove(finding.Mitigations, c)
-					continue
-				}
-
-				finding.Mitigations[c] = remText
-			}
-		}
-	}
-
 	logrus.WithField("devices", len(devices)).Info("found vulnerable devices")
 
 	for _, device := range devices {
