From b6458d8ed6b077880f633e1648c74d97fba04dc6 Mon Sep 17 00:00:00 2001
From: Ronald Arias
Date: Wed, 25 Oct 2023 14:40:34 -0500
Subject: [PATCH] INT-9372 - change secretScanningAlerts to be Finding (#278)
Co-authored-by: Ronald Arias
---
 docs/jupiterone.md | 110 ++++++++++++++++--------------
 src/config.ts | 1 +
 src/constants.ts | 10 +-
 src/steps/secretScanningAlerts.ts | 4 +-
 src/sync/converters.ts | 6 +-
 5 files changed, 70 insertions(+), 61 deletions(-)
diff --git a/docs/jupiterone.md b/docs/jupiterone.md
index 32e84b03..8a67b4d0 100644
--- a/docs/jupiterone.md
+++ b/docs/jupiterone.md
@@ -32,6 +32,10 @@ execution_. This is an accumulative process resulting in existing `issues` and `pull requests` which have been ingested, but are not changing, remain in the graph.
+### **Note on `secret scanning findings`:**
+
+Secret scanning findings are by default assigned a critical severity
+
 ## Requirements
 - JupiterOne requires the JupiterOne GitHub app with read-only permissions be 
@@ -151,64 +155,64 @@ https://github.com/JupiterOne/sdk/blob/main/docs/integrations/development.md The following entities are created:
-| Resources | Entity `_type` | Entity `_class` |
-| ----------------------------- | ------------------------------- | --------------- |
-| Account | `github_account` | `Account` |
-| GitHub Code Scanning Alerts | `github_code_scanning_finding` | `Finding` |
-| GitHub Env Secret | `github_env_secret` | `Secret` |
-| GitHub Secret Scanning Alert | `github_secret_scanning_alert` | `Alert` |
-| GitHub Vulnerability Alert | `github_finding` | `Finding` |
-| Github App | `github_app` | `Application` |
-| Github Branch Protection Rule | `github_branch_protection_rule` | `Rule` |
-| Github Environment | `github_environment` | `Configuration` |
-| Github Issue | `github_issue` | `Issue` |
-| Github Org Secret | `github_org_secret` | `Secret` |
-| Github Pull Request | `github_pullrequest` | `PR` |
-| Github Repo | `github_repo` | `CodeRepo` |
-| Github Repo Secret | `github_repo_secret` | `Secret` |
-| Github Team | `github_team` | `UserGroup` |
-| Github User | `github_user` | `User` |
+| Resources | Entity `_type` | Entity `_class` |
+| ----------------------------- | -------------------------------- | --------------- |
+| Account | `github_account` | `Account` |
+| GitHub Code Scanning Alerts | `github_code_scanning_finding` | `Finding` |
+| GitHub Env Secret | `github_env_secret` | `Secret` |
+| GitHub Secret Scanning Alert | `github_secret_scanning_finding` | `Finding` |
+| GitHub Vulnerability Alert | `github_finding` | `Finding` |
+| Github App | `github_app` | `Application` |
+| Github Branch Protection Rule | `github_branch_protection_rule` | `Rule` |
+| Github Environment | `github_environment` | `Configuration` |
+| Github Issue | `github_issue` | `Issue` |
+| Github Org Secret | `github_org_secret` | `Secret` |
+| Github Pull Request | `github_pullrequest` | `PR` |
+| Github Repo | `github_repo` | `CodeRepo` |
+| Github Repo 
Secret | `github_repo_secret` | `Secret` |
+| Github Team | `github_team` | `UserGroup` |
+| Github User | `github_user` | `User` |
 ### Relationships
 The following relationships are created:
-| Source Entity `_type` | Relationship `_class` | Target Entity `_type` |
-| --------------------- | --------------------- | ------------------------------- |
-| `github_account` | **INSTALLED** | `github_app` |
-| `github_account` | **HAS** | `github_org_secret` |
-| `github_account` | **OWNS** | `github_repo` |
-| `github_account` | **HAS** | `github_team` |
-| `github_account` | **HAS** | `github_user` |
-| `github_app` | **OVERRIDES** | `github_branch_protection_rule` |
-| `github_env_secret` | **OVERRIDES** | `github_org_secret` |
-| `github_env_secret` | **OVERRIDES** | `github_repo_secret` |
-| `github_environment` | **HAS** | `github_env_secret` |
-| `github_pullrequest` | **CONTAINS** | `github_pullrequest` |
-| `github_repo` | **HAS** | `github_branch_protection_rule` |
-| `github_repo` | **HAS** | `github_code_scanning_finding` |
-| `github_repo` | **USES** | `github_env_secret` |
-| `github_repo` | **HAS** | `github_environment` |
-| `github_repo` | **HAS** | `github_finding` |
-| `github_repo` | **HAS** | `github_issue` |
-| `github_repo` | **USES** | `github_org_secret` |
-| `github_repo` | **HAS** | `github_pullrequest` |
-| `github_repo` | **HAS** | `github_repo_secret` |
-| `github_repo` | **USES** | `github_repo_secret` |
-| `github_repo` | **HAS** | `github_secret_scanning_alert` |
-| `github_repo` | **ALLOWS** | `github_team` |
-| `github_repo` | **ALLOWS** | `github_user` |
-| `github_repo_secret` | **OVERRIDES** | `github_org_secret` |
-| `github_team` | **OVERRIDES** | `github_branch_protection_rule` |
-| `github_team` | **HAS** | `github_user` |
-| `github_user` | **MANAGES** | `github_account` |
-| `github_user` | **OVERRIDES** | `github_branch_protection_rule` |
-| `github_user` | **ASSIGNED** | `github_issue` |
-| `github_user` | **CREATED** | 
`github_issue` |
-| `github_user` | **APPROVED** | `github_pullrequest` |
-| `github_user` | **OPENED** | `github_pullrequest` |
-| `github_user` | **REVIEWED** | `github_pullrequest` |
-| `github_user` | **MANAGES** | `github_team` |
+| Source Entity `_type` | Relationship `_class` | Target Entity `_type` |
+| --------------------- | --------------------- | -------------------------------- |
+| `github_account` | **INSTALLED** | `github_app` |
+| `github_account` | **HAS** | `github_org_secret` |
+| `github_account` | **OWNS** | `github_repo` |
+| `github_account` | **HAS** | `github_team` |
+| `github_account` | **HAS** | `github_user` |
+| `github_app` | **OVERRIDES** | `github_branch_protection_rule` |
+| `github_env_secret` | **OVERRIDES** | `github_org_secret` |
+| `github_env_secret` | **OVERRIDES** | `github_repo_secret` |
+| `github_environment` | **HAS** | `github_env_secret` |
+| `github_pullrequest` | **CONTAINS** | `github_pullrequest` |
+| `github_repo` | **HAS** | `github_branch_protection_rule` |
+| `github_repo` | **HAS** | `github_code_scanning_finding` |
+| `github_repo` | **USES** | `github_env_secret` |
+| `github_repo` | **HAS** | `github_environment` |
+| `github_repo` | **HAS** | `github_finding` |
+| `github_repo` | **HAS** | `github_issue` |
+| `github_repo` | **USES** | `github_org_secret` |
+| `github_repo` | **HAS** | `github_pullrequest` |
+| `github_repo` | **HAS** | `github_repo_secret` |
+| `github_repo` | **USES** | `github_repo_secret` |
+| `github_repo` | **HAS** | `github_secret_scanning_finding` |
+| `github_repo` | **ALLOWS** | `github_team` |
+| `github_repo` | **ALLOWS** | `github_user` |
+| `github_repo_secret` | **OVERRIDES** | `github_org_secret` |
+| `github_team` | **OVERRIDES** | `github_branch_protection_rule` |
+| `github_team` | **HAS** | `github_user` |
+| `github_user` | **MANAGES** | `github_account` |
+| `github_user` | **OVERRIDES** | `github_branch_protection_rule` |
+| `github_user` | **ASSIGNED** | 
`github_issue` |
+| `github_user` | **CREATED** | `github_issue` |
+| `github_user` | **APPROVED** | `github_pullrequest` |
+| `github_user` | **OPENED** | `github_pullrequest` |
+| `github_user` | **REVIEWED** | `github_pullrequest` |
+| `github_user` | **MANAGES** | `github_team` |
 ### Mapped Relationships
diff --git a/src/config.ts b/src/config.ts
index eb293614..c8340237 100644
--- a/src/config.ts
+++ b/src/config.ts
@@ -286,5 +286,6 @@ export const ingestionConfig: IntegrationIngestionConfigFieldMap = {
 title: 'GitHub Secret Scanning Alerts',
 description: 'Alerts for potential leaks of known secrets in public repositories',
+ defaultsToDisabled: true,
 },
 };
diff --git a/src/constants.ts b/src/constants.ts
index b17bb021..6ad67110 100644
--- a/src/constants.ts
+++ b/src/constants.ts
@@ -384,8 +384,8 @@ export const GithubEntities: Record<
 },
 GITHUB_SECRET_SCANNING_ALERT: {
 resourceName: 'GitHub Secret Scanning Alert',
- _type: 'github_secret_scanning_alert',
- _class: ['Alert'],
+ _type: 'github_secret_scanning_finding',
+ _class: ['Finding'],
 },
 CVE: {
 resourceName: 'CVE',
@@ -455,7 +455,7 @@ export const Relationships: Record<
 | 'REPO_USES_ORG_SECRET'
 | 'ACCOUNT_HAS_ORG_SECRET'
 | 'REPO_USES_ORG_SECRET'
- | 'REPO_HAS_SECRET_SCANNING_ALERT',
+ | 'REPO_HAS_SECRET_SCANNING_FINDING',
 StepRelationshipMetadata
 > = {
 TEAM_HAS_USER: {
@@ -663,8 +663,8 @@ export const Relationships: Record<
 _class: RelationshipClass.USES,
 targetType: GithubEntities.GITHUB_ORG_SECRET._type,
 },
- REPO_HAS_SECRET_SCANNING_ALERT: {
- _type: 'github_repo_has_secret_scanning_alert',
+ REPO_HAS_SECRET_SCANNING_FINDING: {
+ _type: 'github_repo_has_secret_scanning_finding',
 sourceType: GithubEntities.GITHUB_REPO._type,
 _class: RelationshipClass.HAS,
 targetType: GithubEntities.GITHUB_SECRET_SCANNING_ALERT._type,
diff --git a/src/steps/secretScanningAlerts.ts b/src/steps/secretScanningAlerts.ts
index 92f58dfb..19eb24cb 100644
--- a/src/steps/secretScanningAlerts.ts 
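Review bot: `defaultsToDisabled: true` turns the secret scanning ingestion source off by default for every install, but neither the hunk nor the docs note this same commit adds (which only mentions the CRITICAL severity) records why, so an operator reading `ingestionConfig` cannot tell whether this is a licensing constraint, a noise concern, or a migration safeguard for the `_type` rename in constants.ts. Please put the reason next to the flag, for example `// Off by default: every finding is emitted as CRITICAL (see converters.ts) — opt in per install`, adjusted to the real motivation, and mention the off-by-default state in docs/jupiterone.md alongside the severity note. The `SECRET_SCANNING_ALERTS` entry and the `ingestionConfig` object both begin above the hunk.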
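Review bot: Renaming `_type` from `github_secret_scanning_alert` to `github_secret_scanning_finding` (and the relationship `_type` in the later hunk of this file) changes the keys of every entity this step emits, and nothing in the diff handles entities of the old type that earlier syncs already wrote; presumably the SDK only reconciles the types a step currently declares, so the old `github_secret_scanning_alert` entities and `github_repo_has_secret_scanning_alert` edges would linger until deleted out of band — please confirm against the sync behaviour and note the migration in the commit description or a comment. The record key `GITHUB_SECRET_SCANNING_ALERT` and `resourceName: 'GitHub Secret Scanning Alert'` also now disagree with the `Finding` type and class; either rename them in the same change or leave a one-line comment such as `// key/resourceName kept as "Alert" (GitHub's term); _type/_class follow the J1 Finding model` so the mismatch reads as deliberate. The `GithubEntities` record starts and ends outside this hunk.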
+++ b/src/steps/secretScanningAlerts.ts
@@ -53,9 +53,9 @@ export async function fetchSecretScanningAlerts({
 export const secretScanningAlertsSteps: IntegrationStep[] = [
 {
 id: Steps.FETCH_SECRET_SCANNING_ALERTS,
- name: 'Fetch Secret Scanning Alerts',
+ name: 'Fetch Secret Scanning Findings',
 entities: [GithubEntities.GITHUB_SECRET_SCANNING_ALERT],
- relationships: [Relationships.REPO_HAS_SECRET_SCANNING_ALERT],
+ relationships: [Relationships.REPO_HAS_SECRET_SCANNING_FINDING],
 dependsOn: [Steps.FETCH_REPOS],
 ingestionSourceId: IngestionSources.SECRET_SCANNING_ALERTS,
 executionHandler: fetchSecretScanningAlerts,
diff --git a/src/sync/converters.ts b/src/sync/converters.ts
index 3e8f9698..63ea3e88 100755
--- a/src/sync/converters.ts
+++ b/src/sync/converters.ts
@@ -192,7 +192,7 @@ export function createCodeScanningFindingEntity(
 }
 export function getSecretScanningAlertKey(id: string) {
- return `github_secret_scanning_alert:${id}`;
+ return `github_secret_scanning_finding:${id}`;
 }
 export function createSecretScanningAlertEntity(
@@ -207,9 +207,13 @@ export function createSecretScanningAlertEntity(
 _key: getSecretScanningAlertKey(String(data.number)),
 displayName: data.secret_type_display_name,
 name: data.secret_type_display_name,
+ severity: 'CRITICAL',
+ numericSeverity: 10,
+ category: 'application',
 number: data.number,
 url: data.html_url,
 state: data.state,
+ open: data.state === 'open',
 resolution: data.resolution,
 secretType: data.secret_type,
 secretTypeDisplayName: data.secret_type_display_name,
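Review bot: `severity: 'CRITICAL'` and `numericSeverity: 10` are assigned unconditionally, so an alert whose `state` is not `'open'` (the hunk shows `resolution` being copied and `open: data.state === 'open'` derived from the same field) is still emitted as a critical finding; consumers that key on severity rather than `open` will keep paging on alerts GitHub has already resolved. If that is intended, say so where the constants are set, since the converter derives no severity from `data` and a reader will otherwise assume a value was dropped: `// Fixed severity: no per-alert rating is taken from the payload; any leaked credential is treated as CRITICAL, and `open`/`resolution` carry the lifecycle state (see docs/jupiterone.md)`. Otherwise consider downgrading when `data.resolution` is set. `createSecretScanningAlertEntity` opens before this hunk and its returned object continues past it.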