feat: added scheduled fetching of latest CVE data

Signed-off-by: VedRatan <[email protected]>
5GSEC · Sep 4, 2024 · 232a1b1 · 232a1b1
1 parent 0230bed
commit 232a1b1
Show file tree

Hide file tree

Showing 6 changed files with 51 additions and 20 deletions.
diff --git a/pkg/adapter/nimbus-kyverno/go.mod b/pkg/adapter/nimbus-kyverno/go.mod
@@ -195,6 +195,7 @@ require (
 	github.com/puzpuzpuz/xsync/v2 v2.5.1 // indirect
 	github.com/r3labs/diff v1.1.0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
+	github.com/robfig/cron/v3 v3.0.1
 	github.com/sagikazarmark/locafero v0.3.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect

diff --git a/pkg/adapter/nimbus-kyverno/go.sum b/pkg/adapter/nimbus-kyverno/go.sum
@@ -1225,6 +1225,9 @@ github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5X
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/richardartoul/molecule v1.0.1-0.20221107223329-32cfee06a052 h1:Qp27Idfgi6ACvFQat5+VJvlYToylpM/hcyLBI3WaKPA=
 github.com/richardartoul/molecule v1.0.1-0.20221107223329-32cfee06a052/go.mod h1:uvX/8buq8uVeiZiFht+0lqSLBHF+uGV8BrTv8W/SIwk=
+github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ=
+github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
+github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=

diff --git a/pkg/adapter/nimbus-kyverno/processor/kpbuilder.go b/pkg/adapter/nimbus-kyverno/processor/kpbuilder.go
@@ -14,10 +14,10 @@ import (
 	"github.com/5GSEC/nimbus/pkg/adapter/idpool"
 	"github.com/5GSEC/nimbus/pkg/adapter/k8s"
 	"github.com/5GSEC/nimbus/pkg/adapter/nimbus-kyverno/utils"
+	"github.com/robfig/cron/v3"
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	"go.uber.org/multierr"
-	"gopkg.in/yaml.v2"
 	v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -89,10 +89,45 @@ func buildKpFor(id string, np *v1alpha1.NimbusPolicy) ([]kyvernov1.Policy, error
 			return kps, err
 		}
 		kps = append(kps, kpols...)
+		watchCVES(np)
 	}
 	return kps, nil
 }
 
+func watchCVES(np *v1alpha1.NimbusPolicy) {
+	rule := np.Spec.NimbusRules[0].Rule
+	schedule := "0 0 * * *"
+	if rule.Params["schedule"] != nil {
+		schedule = rule.Params["schedule"][0]
+	}
+    // Schedule the deletion of the Nimbus policy
+    c := cron.New()
+    _, err := c.AddFunc(schedule, func() {
+        fmt.Println("Checking for CVE updates and updation of policies")
+        err := deleteNimbusPolicy(np)
+        if err != nil {
+            fmt.Println(err)
+        }
+    })
+    if err != nil {
+        panic(err)
+    }
+    c.Start()
+
+}
+
+
+
+func deleteNimbusPolicy(np *v1alpha1.NimbusPolicy) error {
+    nimbusPolicyGVR := schema.GroupVersionResource{Group: "intent.security.nimbus.com", Version: "v1alpha1", Resource: "nimbuspolicies"}
+	err := client.Resource(nimbusPolicyGVR).Namespace(np.Namespace).Delete(context.TODO(), np.Name,metav1.DeleteOptions{})
+	if err != nil {
+		return fmt.Errorf("failed to delete Nimbus Policy: %s", err.Error())
+	}
+	fmt.Println("Nimbus policy deleted successfully")
+    return nil
+}
+
 func escapeToHost(np *v1alpha1.NimbusPolicy) kyvernov1.Policy {
 	rule := np.Spec.NimbusRules[0].Rule
 	var psa_level api.Level = api.LevelBaseline
@@ -319,20 +354,17 @@ func virtualPatch(np *v1alpha1.NimbusPolicy) ([]kyvernov1.Policy, error) {
 	//  tbd
 	// schedule := rule.Params["schedule"][0]
 	var kps []kyvernov1.Policy
-	resp, err := utils.GetVirtualPatchData[[]map[string]any]()
+	resp, err := utils.FetchVirtualPatchData[[]map[string]any]()
 	if err != nil {
-		return nil, fmt.Errorf("failed to fetch the response from knoxguard: %s", err.Error())
+		return kps, err
 	}
 	for _, currObj := range resp {
 		image := currObj["image"].(string)
-		fmt.Println(image)
-		fmt.Println("------------------------------------------------------------------")
 		cves := currObj["cves"].([]any)
 		for _, obj := range cves {
 			cveData := obj.(map[string]any)
 			cve := cveData["cve"].(string)
 			if utils.Contains(requiredCVES, cve) {
-				fmt.Println(cveData["virtual_patch"])
 				// create generate kyverno policies which will generate the native virtual patch policies based on the CVE's
 				karmorPolCount := 1
 				kyvPolCount := 1
@@ -372,12 +404,6 @@ func generatePol(polengine string, cve string, image string, np *v1alpha1.Nimbus
 	labels := np.Spec.Selector.MatchLabels
 	cve = strings.ToLower(cve)
 	uid := np.ObjectMeta.GetUID()
-	// Marshal the data into YAML
-	yamlData, err := yaml.Marshal(&policyData)
-	if err != nil {
-		fmt.Println("unable to parse the response to YAML: ", err.Error())
-		return pol
-	}
 	ownerShipList := []any{
 		map[string]any{
 			"apiVersion":         "intent.security.nimbus.com/v1alpha1",
@@ -521,8 +547,6 @@ func generatePol(polengine string, cve string, image string, np *v1alpha1.Nimbus
 		delete(rule, "match")
 		rule["match"] = newMatchMap
 
-		fmt.Println("rule after modification: ", rule["match"])
-
 		// appending the image matching precondition to the existing preconditions
 		preCndMap := rule["preconditions"].(map[string]any)
 		conditionsList, ok := preCndMap["any"].([]any)
@@ -632,8 +656,5 @@ func generatePol(polengine string, cve string, image string, np *v1alpha1.Nimbus
 		}
 	}
 
-
-	// Print the YAML data
-	fmt.Println(string(yamlData))
 	return pol
 }
diff --git a/pkg/adapter/nimbus-kyverno/utils/utils.go b/pkg/adapter/nimbus-kyverno/utils/utils.go
@@ -9,13 +9,17 @@ import (
 	"os"
 	"reflect"
 	"strings"
+	"sync"
 
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	"golang.org/x/text/cases"
 	"golang.org/x/text/language"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+var VirtualPatchData []map[string]any
+var mu sync.RWMutex
+
 func GetGVK(kind string) string {
 	// Map to store the mappings of kinds to their corresponding API versions
 	kindToAPIVersion := map[string]string{
@@ -125,7 +129,7 @@ func Title(input string) string {
     return toTitle.String(input)
 }
 
-func GetVirtualPatchData[T any]()(T, error) {
+func FetchVirtualPatchData[T any]()(T, error) {
 	var out T
 	// Open the JSON file
 	file, err := os.Open("../../../vp.json")
@@ -167,4 +171,4 @@ func ParseImageString(imageString string) (string, string) {
     }
 
     return repository, tag
-}
+}
diff --git a/pkg/adapter/nimbus-kyverno/watcher/kpwatcher.go b/pkg/adapter/nimbus-kyverno/watcher/kpwatcher.go
@@ -11,6 +11,7 @@ import (
 	"github.com/5GSEC/nimbus/pkg/adapter/common"
 	"github.com/5GSEC/nimbus/pkg/adapter/k8s"
 	"github.com/5GSEC/nimbus/pkg/adapter/nimbus-kyverno/utils"
+
 	adapterutil "github.com/5GSEC/nimbus/pkg/adapter/util"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"

diff --git a/vp.json b/vp.json
@@ -99,7 +99,8 @@
                 "spec": {
                     "podSelector": {
                         "matchLabels": {
-                            "role": "db"
+                            "role": "db",
+                            "app": "dsfsdf"
                         }
                     },
                     "policyTypes": [