commit	6b1b2c7787a0fde7093c588c65f15d464adbf6de	[log] [tgz]
author	Adrià Vilanova Martínez <me@avm99963.com>	Wed Apr 05 01:48:30 2023 +0200
committer	Adrià Vilanova Martínez <me@avm99963.com>	Wed Apr 05 01:48:30 2023 +0200
tree	76ee1a619299db3748b8f7785c7a00c1812b5f28
parent	e99c92a71870de8548d7ee6aa0da9a0f10c92dc4 [diff]

tree: 76ee1a619299db3748b8f7785c7a00c1812b5f28

README.md

Vulnzy Bot

A bot which is responsible for managing the vulnerability reports published at https://iavm.xyz/b/vulnz.

Tasks

The bot performs the following tasks:

Automatically publish vulnerability reports after the deadline

The bot will search private (restricted) vulnerability reports and will do the following:

If the report has the "DoNotPublish" label, don't automatically publish it.
If the report was marked with status "Fixed" or "Verified" more than 30 days ago, publish it.
If the report isn't marked as "Fixed"/"Verified" and the "Reported" value is previous to the current time subtracting the number of days set in the "Deadline" field, publish it.

In all the calculations above, a grace period of 1 day is added (so in reality it's 31 days instead of 30, and Deadline + 1 day instead of Deadline).

Add a disclosure alert 5 days before it is automatically disclosed

The bot will add a comment to a vulnerability report 5 days before it is automatically disclosed as explained in the previous section.

Set up

Set up Git Watcher:
- Create a service account in your Google Cloud project.
- Give it permission to use the Monorail API.
- Give it appropiate permissions in each Monorail project.
- Create subdirectory //secret/ and download the service accounts credentials JSON file to //secret/credentials.json.
- Copy the .env.sample file to .env and edit it to your liking.
- Run make docker-prod and docker-compose up -d.