Peter at progress/notify new cves #53
Closed
peter-at-progress wants to merge 8 commits into main from
Conversation
The hab pkg install command defaults to the 'base' channel when no --channel flag is specified. However, the code was skipping the --channel flag when HAB_CHANNEL='stable', causing failures for packages that only exist in the 'stable' channel (not 'base').

Changes:
- Always include --channel flag when hab_channel is set (including 'stable')
- Add hab version logging for debugging channel behavior changes
- Add comment clarifying hab's default channel behavior

This fixes habitat package installation failures like: 'No releases of chef-platform/shell-interpreter exist in the base channel'
Signed-off-by: Peter Arsenault <parsenau@progress.com>
Implements automated CVE notification system that queries the vulnerability analytics database for newly discovered CVEs and sends enriched notifications to Microsoft Teams (with dispatcher pattern for future email/Jira channels).

Key features:
- Queries native_cve_details for CVEs first observed in last 25 hours
- Enriches findings with full Grype match objects from chef-vuln-scan-data
- Formats notifications as Teams Adaptive Cards with CVSS, EPSS, fix info
- Supports dry-run mode for testing without sending notifications
- Configurable severity threshold (Critical, High, Medium, Low)

Components:
- notify.py: Core detection, enrichment, and notification dispatcher
- action.yml: GitHub Action wrapper with input definitions
- README.md: Technical documentation and usage examples
- SETUP.md: Deployment guide with testing instructions

Designed for use with chef-vuln-scan-orchestrator workflow that runs daily at 10:00 UTC after nightly scans complete.

Signed-off-by: peter-at-progress <parsenau@progress.com>
Signed-off-by: Peter Arsenault <parsenau@progress.com>
Clarifies that the notification workflow uses a read-only database connection by renaming the secret from DATABASE_URL to DATABASE_URL_RO.

Changes:
- Updated action.yml description to emphasize read-only access
- Updated README.md and SETUP.md secret tables and references
- Changed workflow example to use DATABASE_URL_RO

The action only performs SELECT queries on scan_runs, native_cve_details, and native_scan_results tables. No write permissions required.

Signed-off-by: peter-at-progress <parsenau@progress.com>
Signed-off-by: Peter Arsenault <parsenau@progress.com>
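The two commit messages above describe the detection loop (a 25-hour look-back over native_cve_details, a severity threshold, a dispatcher with a dry-run mode) and the fact that the action needs only SELECT access. The block below is an added example written for this page, not the project's notify.py. It stands an in-memory SQLite table in for native_cve_details; the column names (cve_id, severity, product, channel, first_seen), the sample rows and the helper names are assumptions, not the real schema or API. It shows the look-back cut-off bound as a query parameter rather than formatted into SQL, the threshold filter, and the dry-run dispatcher producing the "CVE in product/channel" log line format the later commit mentions.

```python
"""Added example (not the project's code): CVE detection loop over an assumed
native_cve_details schema, with severity threshold and dry-run dispatcher."""
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

# Ordering used for the configurable threshold (names as listed in the commit).
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class Finding:
    cve_id: str
    severity: str
    product: str
    channel: str


def new_findings(conn: sqlite3.Connection, now: datetime,
                 lookback_hours: int = 25, min_severity: str = "High") -> List[Finding]:
    """Findings first observed inside the look-back window, at or above the threshold.

    Only a SELECT is issued, so a read-only database role suffices; the cut-off
    is passed as a bound parameter, never interpolated into the SQL text.
    """
    cutoff = (now - timedelta(hours=lookback_hours)).isoformat()
    rows = conn.execute(
        "SELECT cve_id, severity, product, channel FROM native_cve_details "
        "WHERE first_seen >= ? ORDER BY first_seen",
        (cutoff,),
    ).fetchall()
    threshold = SEVERITY_RANK[min_severity]
    return [Finding(*row) for row in rows if SEVERITY_RANK.get(row[1], 0) >= threshold]


def dispatch(findings: List[Finding], senders: Dict[str, Callable[[Finding], None]],
             dry_run: bool = True) -> List[str]:
    """Fan each finding out to every configured channel; dry-run only logs."""
    log = []
    for finding in findings:
        target = f"{finding.cve_id} in {finding.product}/{finding.channel}"
        for name, send in senders.items():
            if dry_run:
                log.append(f"[DRY RUN] Would send {name} notification for {target}")
            else:
                send(finding)
                log.append(f"Sent {name} notification for {target}")
    return log


def build_sample_db(now: datetime) -> sqlite3.Connection:
    """Constructed sample data: two recent rows and one outside the 25h window."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE native_cve_details "
        "(cve_id TEXT, severity TEXT, product TEXT, channel TEXT, first_seen TEXT)"
    )
    rows = [
        ("CVE-2025-0001", "Critical", "chef", "stable", (now - timedelta(hours=3)).isoformat()),
        ("CVE-2025-0002", "Low", "chef", "stable", (now - timedelta(hours=2)).isoformat()),
        ("CVE-2025-0003", "High", "inspec", "current", (now - timedelta(hours=30)).isoformat()),
    ]
    conn.executemany("INSERT INTO native_cve_details VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def run(now: datetime = None, dry_run: bool = True) -> List[str]:
    """Wire the pieces together; a Teams sender is stubbed as a no-op callable."""
    now = now or datetime.now(timezone.utc)
    conn = build_sample_db(now)
    findings = new_findings(conn, now)
    return dispatch(findings, {"Teams": lambda f: None}, dry_run=dry_run)


if __name__ == "__main__":
    for line in run():
        print(line)
```

The threshold defaults to High here only so the sample shows a Low finding being filtered; pick the value that matches the action input. In production the connection string would be the read-only secret the commit introduces, since nothing in this path writes.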
Grype returns CWEs as a list of dicts with structure {"id": "CWE-79"},
not as plain strings. Updated get_cwes() to handle both formats.
Fixes TypeError: sequence item 0: expected str instance, dict found
Signed-off-by: peter-at-progress <parsenau@progress.com>
Signed-off-by: Peter Arsenault <parsenau@progress.com>
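The commit above fixes a TypeError from joining a list whose items are dicts like {"id": "CWE-79"} rather than strings. The block below is an added example for this page, not the project's get_cwes(); it accepts both item shapes, drops blanks and unknown types, and de-duplicates while keeping order. The key path (match["vulnerability"]["cwes"] plus relatedVulnerabilities) and the sample match objects are assumptions made here, not taken from Grype's documented schema.

```python
"""Added example (not the project's code): tolerant CWE extraction for Grype
match objects whose cwes list may hold dicts ({"id": "CWE-79"}) or strings."""
from typing import Any, Dict, Iterable, List, Optional


def _cwe_id(item: Any) -> Optional[str]:
    """Return the CWE identifier for one list element, or None if unusable."""
    if isinstance(item, str):
        value = item.strip()
    elif isinstance(item, dict):
        value = str(item.get("id", "")).strip()
    else:
        return None
    return value or None


def get_cwes(match: Dict[str, Any]) -> List[str]:
    """Collect CWE ids from a match, accepting both dict and string items.

    Key locations are an assumption for this example: the primary
    vulnerability's "cwes" list and each related vulnerability's "cwes" list.
    """
    sources: List[Iterable[Any]] = []
    vuln = match.get("vulnerability") or {}
    sources.append(vuln.get("cwes") or [])
    for related in match.get("relatedVulnerabilities") or []:
        sources.append(related.get("cwes") or [])

    seen = set()
    result: List[str] = []
    for source in sources:
        if not isinstance(source, list):
            continue  # tolerate a malformed scalar instead of iterating characters
        for item in source:
            cwe = _cwe_id(item)
            if cwe and cwe not in seen:
                seen.add(cwe)
                result.append(cwe)
    return result


def format_cwes(match: Dict[str, Any]) -> str:
    """Display string for a card or summary; empty lists render as n/a."""
    return ", ".join(get_cwes(match)) or "n/a"


def naive_join_raises(match: Dict[str, Any]) -> bool:
    """Reproduce the pre-fix behaviour: joining raw dict items raises TypeError."""
    try:
        ", ".join(match["vulnerability"]["cwes"])
    except TypeError:
        return True
    return False


# Constructed sample matches: dict-style items (current Grype) and string items.
GRYPE_STYLE_MATCH = {
    "vulnerability": {"id": "CVE-2025-0001", "cwes": [{"id": "CWE-79"}, {"id": "CWE-20"}]},
    "relatedVulnerabilities": [{"id": "GHSA-xxxx", "cwes": [{"id": "CWE-79"}]}],
}
STRING_STYLE_MATCH = {
    "vulnerability": {"id": "CVE-2025-0002", "cwes": ["CWE-89", "", "CWE-89"]},
}

if __name__ == "__main__":
    print(format_cwes(GRYPE_STYLE_MATCH))
    print(format_cwes(STRING_STYLE_MATCH))
    print("naive join raises TypeError:", naive_join_raises(GRYPE_STYLE_MATCH))
```

The error text in the commit, "sequence item 0: expected str instance, dict found", is exactly what str.join produces on the dict-style list, so naive_join_raises() is a faithful regression check to keep next to the fixed helper.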
Adds formatted markdown summary output to workflow Summary tab showing:
- CVE ID with severity badge emoji (🔴🟠🟡🟢)
- Product, version, channel, download site details
- Affected package and CVSS/EPSS metrics
- Description preview, CWEs, install paths, PURL
- Reference URLs and collapsible scan metadata

Also improves notification log messages to include product/channel context:
- Before: "[DRY RUN] Would send Teams notification for CVE-2025-1234"
- After: "[DRY RUN] Would send Teams notification for CVE-2025-1234 in chef/stable"

This helps differentiate multiple CVEs in workflow logs and provides stakeholders with a clear preview of notification content.

Signed-off-by: peter-at-progress <parsenau@progress.com>
Signed-off-by: Peter Arsenault <parsenau@progress.com>
Configure token in /hab/etc/cli.toml so it persists for all Habitat processes including those spawned by systemd during chef-automate deploy. Previously the token was only passed as an environment variable to the docker exec command, but systemd services don't inherit these variables.

Signed-off-by: Peter Arsenault <parsenau@progress.com>
…ction

Remove literal postgresql:// URL examples and replace with component-based format documentation to prevent security scanner false positives while maintaining clarity for users.

Signed-off-by: Peter Arsenault <parsenau@progress.com>
980c4e1 to 8e0396b
Description
Related Issue
Types of changes
Checklist:
Gemfile.lock has changed, I have used --conservative to do it and included the full output in the Description above.