feat(report): GitHub security alerts integration (#775)

feat(report): integrate to GitHub security alerts

report/report.go

@@ -33,6 +33,7 @@ import (
 	"github.com/future-architect/vuls/contrib/owasp-dependency-check/parser"
 	"github.com/future-architect/vuls/cwe"
 	"github.com/future-architect/vuls/exploit"
+	"github.com/future-architect/vuls/github"
 	"github.com/future-architect/vuls/gost"
 	"github.com/future-architect/vuls/models"
 	"github.com/future-architect/vuls/oval"
@@ -144,7 +145,7 @@ func FillCveInfos(dbclient DBClient, rs []models.ScanResult, dir string) ([]mode
 }
 
 // FillCveInfo fill scanResult with cve info.
-func FillCveInfo(dbclient DBClient, r *models.ScanResult, cpeURIs []string) error {
+func FillCveInfo(dbclient DBClient, r *models.ScanResult, cpeURIs []string, integrations ...c.IntegrationConf) error {
 	util.Log.Debugf("need to refresh")
 
 	nCVEs, err := FillWithOval(dbclient.OvalDB, r)
@@ -169,6 +170,17 @@ func FillCveInfo(dbclient DBClient, r *models.ScanResult, cpeURIs []string) erro
 	}
 	util.Log.Infof("%s: %d CVEs are detected with CPE", r.FormatServerName(), nCVEs)
 
+	if len(integrations) != 0 {
+		for k, v := range integrations[0].GitHubConf {
+			c.Conf.Servers[r.ServerName].GitHubRepos[k] = v
+		}
+	}
+	nCVEs, err = fillGitHubSecurityAlerts(r)
+	if err != nil {
+		return fmt.Errorf("Failed to access GitHub Security Alerts: %s", err)
+	}
+	util.Log.Infof("%s: %d CVEs are detected with GitHub Security Alerts", r.FormatServerName(), nCVEs)
+
 	nCVEs, err = FillWithGost(dbclient.GostDB, r)
 	if err != nil {
 		return fmt.Errorf("Failed to fill with gost: %s", err)
@@ -344,6 +356,21 @@ func fillVulnByCpeURIs(driver cvedb.DB, r *models.ScanResult, cpeURIs []string)
 	return nCVEs, nil
 }
 
+// https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/
+func fillGitHubSecurityAlerts(r *models.ScanResult) (nCVEs int, err error) {
+	repos := c.Conf.Servers[r.ServerName].GitHubRepos
+	for ownerRepo, setting := range repos {
+		ss := strings.Split(ownerRepo, "/")
+		owner, repo := ss[0], ss[1]
+		n, err := github.FillGitHubSecurityAlerts(r, owner, repo, setting.Token)
+		if err != nil {
+			return 0, err
+		}
+		nCVEs += n
+	}
+	return nCVEs, nil
+}
+
 func fillCweDict(r *models.ScanResult) {
 	uniqCweIDMap := map[string]bool{}
 	for _, vinfo := range r.ScannedCves {

report/slack.go

@@ -207,6 +207,9 @@ func toSlackAttachments(r models.ScanResult) (attaches []slack.Attachment) {
 		for _, n := range vinfo.CpeURIs {
 			curent = append(curent, n)
 		}
+		for _, n := range vinfo.GitHubSecurityAlerts {
+			curent = append(curent, n.PackageName)
+		}
 
 		new := []string{}
 		for _, affected := range vinfo.AffectedPackages {
@@ -223,6 +226,9 @@ func toSlackAttachments(r models.ScanResult) (attaches []slack.Attachment) {
 		for range vinfo.CpeURIs {
 			new = append(new, "?")
 		}
+		for range vinfo.GitHubSecurityAlerts {
+			new = append(new, "?")
+		}
 
 		a := slack.Attachment{
 			Title:      vinfo.CveID,

report/tui.go

@@ -636,6 +636,7 @@ func summaryLines(r models.ScanResult) string {
 
 		packname := vinfo.AffectedPackages.FormatTuiSummary()
 		packname += strings.Join(vinfo.CpeURIs, ", ")
+		packname += vinfo.GitHubSecurityAlerts.String()
 
 		alert := "  "
 		if vinfo.AlertDict.HasAlert() {
@@ -742,6 +743,10 @@ func setChangelogLayout(g *gocui.Gui) error {
 			lines = append(lines, "* "+uri)
 		}
 
+		for _, alert := range vinfo.GitHubSecurityAlerts {
+			lines = append(lines, "* "+alert.PackageName)
+		}
+
 		for _, adv := range vinfo.DistroAdvisories {
 			lines = append(lines, "\n",
 				"Advisories",

report/util.go

@@ -239,6 +239,10 @@ No CVE-IDs are found in updatable packages.
 			data = append(data, []string{"CPE", name})
 		}
 
+		for _, alert := range vuln.GitHubSecurityAlerts {
+			data = append(data, []string{"GitHub", alert.PackageName})
+		}
+
 		for _, confidence := range vuln.Confidences {
 			data = append(data, []string{"Confidence", confidence.String()})
 		}