Gitiles
Code Review Sign In
gerrit.avm99963.com / gomodules / vulnzybot / e99c92a71870de8548d7ee6aa0da9a0f10c92dc4
commite99c92a71870de8548d7ee6aa0da9a0f10c92dc4[log] [tgz]
authorAdrià Vilanova Martínez <me@avm99963.com>Tue Apr 04 02:55:34 2023 +0200
committerAdrià Vilanova Martínez <me@avm99963.com>Tue Apr 04 03:09:20 2023 +0200
treeb7f67a743cb0f5f001d99fd8a8928c966cc440ec
parent6318eabf951e5c60cfec904bb949cc739fd9dbb9 [diff]
Add ability to tweet published reports

When a report is automatically published, if a Twitter access token is
set, a Tweet will be published with the title of the report and a link
to the full report.

Change-Id: Ife68d49c4d04a40b1a41a964225fd47dd514d819
8 files changed
tree: b7f67a743cb0f5f001d99fd8a8928c966cc440ec
  1. .env.sample
  2. .gitignore
  3. .gitreview
  4. crontab
  5. dateUtils.go
  6. docker-compose.yml
  7. Dockerfile
  8. go.mod
  9. go.sum
  10. Makefile
  11. README.md
  12. stringUtils.go
  13. vulnzybot.go
README.md

Vulnzy Bot

A bot which is responsible for managing the vulnerability reports published at https://iavm.xyz/b/vulnz.

Tasks

The bot performs the following tasks:

Automatically publish vulnerability reports after the deadline

The bot will search private (restricted) vulnerability reports and will do the following:

  • If the report has the "DoNotPublish" label, don't automatically publish it.
  • If the report was marked with status "Fixed" or "Verified" more than 30 days ago, publish it.
  • If the report isn't marked as "Fixed"/"Verified" and the "Reported" value is previous to the current time subtracting the number of days set in the "Deadline" field, publish it.

In all the calculations above, a grace period of 1 day is added (so in reality it's 31 days instead of 30, and Deadline + 1 day instead of Deadline).

Add a disclosure alert 5 days before it is automatically disclosed

The bot will add a comment to a vulnerability report 5 days before it is automatically disclosed as explained in the previous section.

Set up

  1. Set up Git Watcher:
    • Create a service account in your Google Cloud project.
    • Give it permission to use the Monorail API.
    • Give it appropiate permissions in each Monorail project.
    • Create subdirectory //secret/ and download the service accounts credentials JSON file to //secret/credentials.json.
    • Copy the .env.sample file to .env and edit it to your liking.
    • Run make docker-prod and docker-compose up -d.