
An application that monitors newly announced CVEs for the dependencies being tracked and sends notifications via Slack Webhook message to a specific channel.


brayanhenao/cve-notifications-app


CVEs notification app

Introduction

It is an application that monitors new CVEs that are announced for the dependencies that are being tracked.

The notifications are sent via Slack Webhook message to a specific channel.

It is built with:

  • Golang.
  • GitHub Actions as CI.
  • Memongo for in-memory database testing.
  • Afero, a filesystem framework.

This application uses the NIST NVD API to obtain the CVEs, searching by the CPE (Common Platform Enumeration) of each dependency.

Core functionalities

Fill DB

This application uses a database (MongoDB) that stores the information of all currently known CVEs for the tracked dependencies. The ID, Vendor, Product, Severity, and Description are stored.

Find new CVEs

A scheduled cron job (every 2 hours) searches for new CVEs that are not in the database. If a new CVE is found, a notification is sent via a Slack Webhook to the channel provided by environment variable.
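The new-CVE check and Slack notification described above, as an added Go example that is not taken from this repository: the `CVE` type, the function names and the message format are assumptions, and the sample record is constructed. It skips IDs already known, escapes Slack control characters in the third-party feed text, and keeps the secret webhook URL out of returned errors.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

type CVE struct{ ID, Vendor, Product, Severity, Description string } // fields the README lists as stored

// NewCVEs returns fetched entries whose ID is not in known, without repeats.
func NewCVEs(known map[string]bool, fetched []CVE) (out []CVE) {
	seen := map[string]bool{}
	for _, c := range fetched {
		if c.ID != "" && !known[c.ID] && !seen[c.ID] {
			seen[c.ID], out = true, append(out, c)
		}
	}
	return out
}

// SlackPayload builds the webhook body, escaping Slack control characters in the untrusted feed text.
func SlackPayload(c CVE) string {
	esc := strings.NewReplacer("&", "&amp;", "<", "&lt;", ">", "&gt;")
	text := fmt.Sprintf("New CVE %s [%s] %s/%s: %s", c.ID, c.Severity, c.Vendor, c.Product, c.Description)
	b, _ := json.Marshal(map[string]string{"text": esc.Replace(text)}) // a string map always marshals
	return string(b)
}

// Notify posts one CVE; the webhook URL is a secret, so it is kept out of returned errors.
func Notify(hc *http.Client, webhook string, c CVE) error {
	resp, err := hc.Post(webhook, "application/json", strings.NewReader(SlackPayload(c)))
	if ue, ok := err.(*url.Error); ok {
		err = ue.Err // ue.URL would put the webhook URL into logs
	}
	if err != nil {
		return fmt.Errorf("slack webhook: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("slack webhook: status %d", resp.StatusCode)
	}
	return nil
}

func main() { // constructed sample, printed rather than posted so the block runs offline
	fmt.Println(SlackPayload(CVE{"CVE-0000-0002", "acme", "widget", "HIGH", "constructed <!channel> text"}))
}
```

Record an ID in the database only after `Notify` returns nil, so a failed delivery is retried on the next scheduled run.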


Update tracked dependencies

All the dependencies that this app monitors are stored in a CSV file called dependencies.csv. This workflow runs every time the file is modified, whether a new dependency is added (to add the new CVEs) or the file is deleted (to remove the CVEs from the database).

Setup

Slack App

This application requires a Slack App with the corresponding write permissions to the channel that you want to inform about new CVEs.

Once the application is created, go to Incoming Webhooks and add a new webhook to your workspace. It generates a link that will be used in the next step.

Environment Variables

This application requires 2 environment variables to be configured:

  • DB_URI : The MongoDB database connection URI.
  • SLACK_WEBHOOK_URL : The Slack Webhook URL generated in the previous step.
