Skip to content

openshift-assisted/cve-automation

BranchesTags
 
 

Repository files navigation

CVE Automation

A system that scans Go repositories for known vulnerabilities and generates patches to fix them. The tool identifies vulnerable Go dependencies in your codebase and automatically creates pull requests with the necessary updates.

What It Does

This system performs two main functions:

  1. Vulnerability Scanning: Examines Go repositories to identify dependencies with known CVEs (Common Vulnerabilities and Exposures). The scanner checks all configured branches and produces a report of vulnerable packages, their versions, and available fixes.

  2. Automated Patching: Takes the vulnerability report and attempts to fix each CVE by updating the affected dependencies. The system tries multiple update strategies to find a working solution, then creates pull requests with the fixes.

Prerequisites

  • Python 3.13.2 or higher
  • Trivy vulnerability scanner
  • Jujutsu (jj) for Git operations
  • GitHub CLI (gh) for PR operations

Installation

Using uv

# Install uv if not already installed
curl -LsSf https://astral.sh/uv/install.sh | sh

# Install dependencies
uv pip install -r requirements.txt

Using Docker

# Build the Docker image
docker build -t cve-automation .

# Run with required environment variables
docker run -e JIRA_API_TOKEN=your_token -e GH_TOKEN=your_token cve-automation

Configuration

Environment Variables

export JIRA_API_TOKEN=your_jira_api_token  # Required for JIRA queries
export GH_TOKEN=your_github_token          # Required for GitHub operations

targets.yaml

Configure repositories to scan:

targets:
  - origin_repo_url: "https://github.com/your-org/your-fork.git"
    upstream_repo_url: "https://github.com/original/repo.git"
    names: 
      - "component-name"
    jira_projects: 
      - "PROJECT"
    branches:
      - name: main
        jira_name: "main"
      - name: release-1.0
        jira_name: "1.0"

Usage

Scanning for Vulnerabilities

# Scan all configured targets
python cve_fetcher.py

# Scan with custom targets file
python cve_fetcher.py --targets custom-targets.yaml --cves output.yaml

# Adjust parallel workers
python cve_fetcher.py --max-workers 16

Creating Patches

# Process CVEs and create patches
python cve_patcher.py

# Use custom CVE file
python cve_patcher.py --cves custom-cves.yaml

# Adjust parallel workers
python cve_patcher.py --max-workers 8

Architecture

The system follows a clean architecture pattern with clear separation between data models, business logic, and external integrations. The core workflow involves scanning repositories for vulnerabilities, analyzing the results, and applying appropriate fix strategies.

Go Update Strategies

When a vulnerable dependency is found, the system attempts to fix it using these strategies in order:

  1. Simple Direct Update: For direct dependencies that need minor or patch version updates. Updates the dependency to a fixed version using standard Go commands.

  2. Direct Major Version Update: For direct dependencies requiring major version changes (e.g., v1 to v2). Handles the module path changes and import statement updates required by Go's semantic versioning.

  3. Introducer Update: For indirect (transitive) dependencies. Identifies which direct dependencies are bringing in the vulnerable package and updates them to versions that use a fixed version of the vulnerable dependency.

  4. Indirect Dependency Update: Converts an indirect dependency to a direct one, allowing explicit version control when the introducer cannot be updated.

  5. Replace Directive: Uses Go's replace directive to force a specific version of a dependency when other strategies fail. This is a last resort as it can cause compatibility issues.

Project Structure

cve-automation-python/
├── core/
│   ├── models/          # Pydantic data models
│   ├── services/        # Business logic
│   │   └── go_strategies/  # Go update strategies
│   ├── repositories/    # Data persistence
│   ├── client/         # Execution environments
│   └── utils/          # Utilities and helpers
├── test/               # Comprehensive test suite
├── cve_fetcher.py      # Main scanning entry point
├── cve_patcher.py      # Main patching entry point
├── targets.yaml        # Repository configuration
└── requirements.txt    # Python dependencies

Development

Running Tests

# Run all tests
pytest

# Run with coverage
pytest --cov=core

# Run specific test
pytest -k "test_name"

Code Quality

# Linting
ruff check .

# Formatting
ruff format .

# Type checking
basedpyright

Docker Support

Building

docker build -t cve-automation .

Running

# Scanning
docker run -e JIRA_API_TOKEN=$JIRA_API_TOKEN \
           -e GH_TOKEN=$GH_TOKEN \
           -v $(pwd)/targets.yaml:/app/targets.yaml \
           cve-automation python cve_fetcher.py

# Patching
docker run -e JIRA_API_TOKEN=$JIRA_API_TOKEN \
           -e GH_TOKEN=$GH_TOKEN \
           -v $(pwd)/cves.yaml:/app/cves.yaml \
           cve-automation python cve_patcher.py

# With persistent cache
docker run -v $(pwd)/.cache:/app/.cache \
           -e JIRA_API_TOKEN=$JIRA_API_TOKEN \
           -e GH_TOKEN=$GH_TOKEN \
           cve-automation

Key Dependencies

  • Jujutsu (jj): Git-compatible VCS that allows concurrent repository operations
  • Trivy: Vulnerability scanner for detecting CVEs in dependencies
  • uv: Python package installer
  • asdf: Tool version manager for handling multiple Go versions
  • Pydantic: Data validation using Python type annotations

Configuration Files

  • targets.yaml: Define repositories and branches to scan
  • cves.yaml: Output file from scanning, input for patching
  • pyproject.toml: Python project configuration

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

1 star

Watchers

0 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 99.7%
  • Dockerfile 0.3%