https://github.com/brayanhenao/cve-notifications-app

It is an application that monitors new CVEs that are announced for the dependencies that are being tracked and notify them via Slack Webhook message to a specific channel.
https://github.com/brayanhenao/cve-notifications-app

cve go slack

Last synced: about 2 months ago
JSON representation

It is an application that monitors new CVEs that are announced for the dependencies that are being tracked and notify them via Slack Webhook message to a specific channel.

• Host: GitHub
• URL: https://github.com/brayanhenao/cve-notifications-app
• Owner: brayanhenao
• Created: 2021-08-23T21:46:35.000Z (almost 5 years ago)
• Default Branch: main
• Last Pushed: 2023-02-25T02:40:43.000Z (over 3 years ago)
• Last Synced: 2025-05-26T15:04:46.381Z (about 1 year ago)
• Topics: cve, go, slack
• Language: Go
• Homepage:
• Size: 40 KB
• Stars: 1
• Watchers: 2
• Forks: 1
• Open Issues: 1
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

          
# CVEs notification app

## Introduction

It is an application that monitors new CVEs that are announced for the dependencies that are being tracked.

The notifications are sent via Slack Webhook message to a specific channel.

It is built with:

* Golang.

* GithubActions as CI.

* [Memongo](https://github.com/tryvium-travels/memongo) for in-memory database testing.

* [Afero](https://github.com/spf13/afero), a filesystem framework.

This application will use

the [NVD Nist API](https://csrc.nist.gov/CSRC/media/Projects/National-Vulnerability-Database/documents/web%20service%20documentation/Automation%20Support%20for%20CVE%20Retrieval.pdf)

to obtain the CVEs, performing a search using the CPE (Common Platform Enumeration) of each dependency.

## Core functionalities

#### Fill DB

This application uses a database (MongoDB) in which the information of all the CVEs of the dependencies that are known

at the moment are stored. The ID, Vendor, Product, Severity, and Description are stored.

#### Find new CVEs

Through a scheduled [Cron (Every 2 hours)](.github/workflows/find-new-cves.yml), it will search for new CVEs that are

not in the database. If a new CVE is found, it is notified via a slack Webhook in the channel provided by environment

variable.

![Screen Shot 2021-08-12 at 10 20 03 AM](https://user-images.githubusercontent.com/17348387/129213392-f9c14e4f-6fca-430d-b979-0555fb8360e4.png)

#### Update tracked dependencies

All the dependencies that this app will be monitoring will be stored in a CSV file called

`dependencies.csv`. This Workflow will run every time the file is modified, either a new dependency is added (to add the

new CVEs) or the file is deleted (to remove the CVEs from the database).

## Setup

#### Slack App

This application requires a Slack App with the corresponding _**write**_ permissions to the channel that you want to

inform about new CVEs.

Once the application is created, go to `Incoming Webhooks` and add a new webhook to your workspace. It generates a link

that will be used in the next step.

### Environment Variables

This application requires 2 environment variables to be configured:

* **DB_URI**  : The MongoDB database connection URI.

* **SLACK_WEBHOOK_URL**  : Previously generated Slack Webhook URL.