-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
90 changed files
with
2,758 additions
and
7,367 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,6 @@ | ||
REDIS_PORT=6379 | ||
REDIS_INSIGHT_PORT=8001 | ||
ES_HOSTS=http://localhost:9200 | ||
ES_PORT=9200 | ||
ES_PASSOWRD=changeme | ||
PORT=8000 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
# base | ||
FROM python:3.11-slim-bookworm as base | ||
|
||
RUN apt-get update \ | ||
&& apt-get install --no-install-recommends -y build-essential | ||
|
||
COPY requirements.txt ./ | ||
|
||
RUN pip install --no-cache-dir -r requirements.txt | ||
|
||
COPY pyproject.toml poetry.lock ./ | ||
|
||
RUN poetry config virtualenvs.create false && \ | ||
poetry install --without dev | ||
|
||
# main | ||
FROM python:3.11-slim-bookworm | ||
|
||
WORKDIR /usr/src/app | ||
|
||
COPY --from=base /usr/local/bin /usr/local/bin | ||
COPY --from=base /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages | ||
|
||
RUN apt-get update \ | ||
&& apt-get install --no-install-recommends -y git | ||
|
||
COPY mihama ./mihama | ||
COPY pyproject.toml gunicorn.conf.py ./ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,26 +1,39 @@ | ||
# mihama | ||
|
||
[osv.dev](https://osv.dev/) API clone for on-premise usage with extra features. | ||
An [osv.dev](https://osv.dev/) clone for on-premise usage. | ||
|
||
## Why? | ||
|
||
osv.dev is an OSS project. ([google/osv.dev](https://github.com/google/osv.dev)) | ||
[google/osv.dev](https://github.com/google/osv.dev) is an OSS project. But it's tightly coupled with GCP. This makes it difficult for a non-GCP user is difficult to deploy their own osv.dev in their premise. | ||
|
||
But it is highly coupled with GCP. So it's difficult to deploy osv.dev on premise. (ref. [Deploy osv.dev on-premise #546](https://github.com/google/osv.dev/issues/546)) | ||
## Overview | ||
|
||
## Supported Sources | ||
```mermaid | ||
flowchart LR | ||
FastAPI --> Elasticsearch[(Elasticsearch)] | ||
ARQ --> Elasticsearch | ||
ARQ --> Redis | ||
ARQ --> OSV-data-sources[(OSV data sources)] | ||
``` | ||
|
||
- [google/osv.dev](https://github.com/google/osv.dev) | ||
- [ossf/malicious-packages](https://github.com/ossf/malicious-packages) | ||
- Elasticsearch as a database | ||
- FastAPI as an backend API | ||
- ARQ as a job queue (for periodic OSV data updates) | ||
- Redis is required to run ARQ. | ||
- OSV data sources: | ||
- [google/osv.dev](https://github.com/google/osv.dev) | ||
- [ossf/malicious-packages](https://github.com/ossf/malicious-packages) | ||
|
||
## Extra features | ||
## Extra Features | ||
|
||
- Query by [CycloneDX](https://cyclonedx.org/) SBOM | ||
- Query by [SPDX](https://spdx.dev/) SBOM | ||
|
||
## Known Limitations | ||
|
||
- Query by `commit` is not supported. | ||
|
||
## Docs | ||
|
||
- [Installation](https://github.com/ninoseki/mihama/wiki/Installation) | ||
- [Configuration](https://github.com/ninoseki/mihama/wiki/Configuration) | ||
- [Known Limitations](https://github.com/ninoseki/mihama/wiki/Known-Limitations) | ||
- [CLI](https://github.com/ninoseki/mihama/wiki/CLI) |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,44 +1,117 @@ | ||
version: "3" | ||
services: | ||
es: | ||
image: docker.elastic.co/elasticsearch/elasticsearch:8.13.0 | ||
container_name: elasticsearch | ||
restart: always | ||
environment: | ||
- bootstrap.memory_lock=true | ||
- discovery.type=single-node | ||
- "ES_JAVA_OPTS=-Xms1024m -Xmx1024m" | ||
- xpack.security.enabled=true | ||
- ELASTIC_PASSWORD=${ELASTIC_PASSWORD:-changeme} | ||
volumes: | ||
- es-data:/usr/share/elasticsearch/data | ||
ports: | ||
- ${ES_PORT:-9200}:9200 | ||
healthcheck: | ||
test: | ||
[ | ||
"CMD-SHELL", | ||
"curl --silent --fail -u elastic:${ELASTIC_PASSWORD:-changeme} localhost:9200/_cluster/health || exit 1", | ||
] | ||
interval: 30s | ||
timeout: 30s | ||
retries: 3 | ||
|
||
setup: | ||
image: docker.elastic.co/elasticsearch/elasticsearch:8.13.0 | ||
environment: | ||
- KIBANA_PASSWORD=${KIBANA_PASSWORD:-changeme} | ||
- ELASTIC_PASSWORD=${ELASTIC_PASSWORD:-changeme} | ||
command: > | ||
bash -c ' | ||
echo "Waiting for Elasticsearch availability";j | ||
until curl -s http://es:9200 | grep -q "missing authentication credentials"; do sleep 30; done; | ||
echo "Setting kibana_system password"; | ||
until curl -s -X POST -u "elastic:${ELASTIC_PASSWORD:-changeme}" -H "Content-Type: application/json" http://es:9200/_security/user/kibana_system/_password -d "{\"password\":\"${KIBANA_PASSWORD:-changeme}\"}" | grep -q "^{}"; do sleep 10; done; | ||
echo "All done!"; | ||
' | ||
depends_on: | ||
es: | ||
condition: service_healthy | ||
|
||
kibana: | ||
image: docker.elastic.co/kibana/kibana:8.13.0 | ||
restart: always | ||
ports: | ||
- ${KIBANA_PORT:-5601}:5601 | ||
environment: | ||
- ELASTICSEARCH_HOSTS=http://es:9200 | ||
- ELASTICSEARCH_USERNAME=kibana_system | ||
- ELASTICSEARCH_PASSWORD=${ELASTIC_PASSWORD:-changeme} | ||
- KIBANA_PASSWORD=${KIBANA_PASSWORD:-changeme} | ||
healthcheck: | ||
test: | ||
[ | ||
"CMD-SHELL", | ||
"curl --silent --fail -u elastic:${ELASTIC_PASSWORD:-changeme} http://localhost:5601/", | ||
] | ||
interval: 30s | ||
timeout: 10s | ||
retries: 5 | ||
depends_on: | ||
es: | ||
condition: service_healthy | ||
setup: | ||
condition: service_completed_successfully | ||
|
||
redis: | ||
image: "redis/redis-stack:6.2.6-v7" | ||
restart: always | ||
ports: | ||
- ${REDIS_PORT:-6379}:6379 | ||
- ${REDIS_INSIGHT_PORT:-8001}:8001 | ||
healthcheck: | ||
test: ["CMD", "redis-cli", "ping"] | ||
interval: 30s | ||
timeout: 10s | ||
retries: 3 | ||
volumes: | ||
- redis-data:/data | ||
|
||
worker: | ||
build: | ||
context: ./ | ||
dockerfile: default.Dockerfile | ||
command: poetry run arq mihama.arq.worker.ArqWorkerSettings | ||
dockerfile: Dockerfile | ||
command: arq mihama.arq.worker.ArqWorkerSettings | ||
environment: | ||
- TESTING=${TESTING:-False} | ||
- DEBUG=${DEBUG:-False} | ||
- REDIS_OM_URL=redis://redis:${REDIS_PORT:-6379} | ||
- ARQ_REDIS_URL=redis://redis:${REDIS_PORT:-6379} | ||
- REDIS_URL=redis://redis:${REDIS_PORT:-6379} | ||
- ES_HOSTS=http://es:9200 | ||
- ES_PASSOWRD=${ES_PASSOWRD:-changeme} | ||
restart: always | ||
depends_on: | ||
- redis | ||
es: | ||
condition: service_healthy | ||
redis: | ||
condition: service_healthy | ||
|
||
api: | ||
build: | ||
context: ./ | ||
dockerfile: default.Dockerfile | ||
command: poetry run gunicorn -k uvicorn.workers.UvicornWorker mihama.main:app | ||
dockerfile: Dockerfile | ||
command: gunicorn -k uvicorn.workers.UvicornWorker mihama.main:app | ||
ports: | ||
- ${PORT:-8000}:${PORT:-8000} | ||
environment: | ||
- TESTING=${TESTING:-False} | ||
- DEBUG=${DEBUG:-False} | ||
- PORT=${PORT:-8000} | ||
- REDIS_OM_URL=redis://redis:${REDIS_PORT:-6379} | ||
- REDIS_ARQ_URL=redis://redis:${REDIS_PORT:-6379} | ||
- REDIS_URL=redis://redis:${REDIS_PORT:-6379} | ||
- ES_HOSTS=http://es:9200 | ||
- ES_PASSOWRD=${ES_PASSOWRD:-changeme} | ||
restart: always | ||
depends_on: | ||
- redis | ||
es: | ||
condition: service_healthy | ||
|
||
volumes: | ||
redis-data: | ||
es-data: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,17 +1,16 @@ | ||
from fastapi import APIRouter | ||
|
||
from mihama import schemas | ||
from mihama.api.v1.query import batch_query | ||
from mihama import crud, deps, schemas | ||
|
||
router = APIRouter() | ||
|
||
|
||
@router.post( | ||
"/querybatch", | ||
response_model=schemas.BatchResponse, | ||
response_model_exclude_none=True, | ||
description="Query vulnerabilities by CycloneDX SBOM. (Components inside should have package URL to work)", | ||
) | ||
async def querybatch(bom: schemas.CycloneDX) -> schemas.BatchResponse: | ||
queries = bom.to_batch_query() | ||
return await batch_query(queries=queries) | ||
async def querybatch( | ||
bom: schemas.CycloneDX, *, es: deps.Elasticsearch | ||
) -> schemas.BatchResponse: | ||
return await crud.vulnerability.querybatch(es, queries=bom.to_queries()) |
Oops, something went wrong.