Merge pull request #69 from hatstand/add-security-advisory
Add github security advisory event
This commit is contained in:
Dean Karn
GitHub
@@ -60,6 +60,7 @@ const (
|
|||||||
PushEvent Event = "push"
|
PushEvent Event = "push"
|
||||||
ReleaseEvent Event = "release"
|
ReleaseEvent Event = "release"
|
||||||
RepositoryEvent Event = "repository"
|
RepositoryEvent Event = "repository"
|
||||||
|
SecurityAdvisoryEvent Event = "security_advisory"
|
||||||
StatusEvent Event = "status"
|
StatusEvent Event = "status"
|
||||||
TeamEvent Event = "team"
|
TeamEvent Event = "team"
|
||||||
TeamAddEvent Event = "team_add"
|
TeamAddEvent Event = "team_add"
|
||||||
@@ -288,6 +289,10 @@ func (hook Webhook) Parse(r *http.Request, events ...Event) (interface{}, error)
|
|||||||
var pl RepositoryPayload
|
var pl RepositoryPayload
|
||||||
err = json.Unmarshal([]byte(payload), &pl)
|
err = json.Unmarshal([]byte(payload), &pl)
|
||||||
return pl, err
|
return pl, err
|
||||||
|
case SecurityAdvisoryEvent:
|
||||||
|
var pl SecurityAdvisoryPayload
|
||||||
|
err = json.Unmarshal([]byte(payload), &pl)
|
||||||
|
return pl, err
|
||||||
case StatusEvent:
|
case StatusEvent:
|
||||||
var pl StatusPayload
|
var pl StatusPayload
|
||||||
err = json.Unmarshal([]byte(payload), &pl)
|
err = json.Unmarshal([]byte(payload), &pl)
|
||||||
|
|||||||
@@ -453,6 +453,16 @@ func TestWebhooks(t *testing.T) {
|
|||||||
"X-Hub-Signature": []string{"sha1=df442a8af41edd2d42ccdd997938d1d111b0f94e"},
|
"X-Hub-Signature": []string{"sha1=df442a8af41edd2d42ccdd997938d1d111b0f94e"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "SecurityAdvisoryEvent",
|
||||||
|
event: SecurityAdvisoryEvent,
|
||||||
|
typ: SecurityAdvisoryPayload{},
|
||||||
|
filename: "../testdata/github/security-advisory.json",
|
||||||
|
headers: http.Header{
|
||||||
|
"X-Github-Event": []string{"security_advisory"},
|
||||||
|
"X-Hub-Signature": []string{"sha1=6a71f24fa69f55469843a91dc3a5c3e29714a565"},
|
||||||
|
},
|
||||||
|
},
|
||||||
{
|
{
|
||||||
name: "StatusEvent",
|
name: "StatusEvent",
|
||||||
event: StatusEvent,
|
event: StatusEvent,
|
||||||
|
|||||||
@@ -5077,6 +5077,38 @@ type RepositoryPayload struct {
|
|||||||
} `json:"sender"`
|
} `json:"sender"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// SecurityAdvisoryPayload contains the information for GitHub's security_advisory hook event.
|
||||||
|
type SecurityAdvisoryPayload struct {
|
||||||
|
Action string `json:"action"`
|
||||||
|
SecurityAdvisory struct {
|
||||||
|
GHSAID string `json:"ghsa_id"`
|
||||||
|
Summary string `json:"summary"`
|
||||||
|
Description string `json:"description"`
|
||||||
|
Severity string `json:"string"`
|
||||||
|
Identifiers []struct {
|
||||||
|
Value string `json:"value"`
|
||||||
|
Type string `json:"type"`
|
||||||
|
} `json:"identifiers"`
|
||||||
|
References []struct {
|
||||||
|
URL string `json:"url"`
|
||||||
|
} `json:"references"`
|
||||||
|
PublishedAt time.Time `json:"published_at"`
|
||||||
|
UpdatedAt time.Time `json:"updated_at"`
|
||||||
|
WithdrawnAt *time.Time `json:"withdrawn_at"`
|
||||||
|
Vulnerabilities []struct {
|
||||||
|
Package struct {
|
||||||
|
Ecosystem string `json:"ecosystem"`
|
||||||
|
Name string `json:"name"`
|
||||||
|
}
|
||||||
|
Severity string `json:"severity"`
|
||||||
|
VulnerableVersionRange string `json:"vulnerable_version_range"`
|
||||||
|
FirstPatchedVersion *struct {
|
||||||
|
Identifier string `json:"identifier"`
|
||||||
|
} `json:"first_patched_version"`
|
||||||
|
} `json:"vulnerabilities"`
|
||||||
|
} `json:"security_advisory"`
|
||||||
|
}
|
||||||
|
|
||||||
// StatusPayload contains the information for GitHub's status hook event
|
// StatusPayload contains the information for GitHub's status hook event
|
||||||
type StatusPayload struct {
|
type StatusPayload struct {
|
||||||
ID int64 `json:"id"`
|
ID int64 `json:"id"`
|
||||||
|
|||||||
+51
@@ -0,0 +1,51 @@
|
|||||||
|
{
|
||||||
|
"action": "published",
|
||||||
|
"security_advisory": {
|
||||||
|
"ghsa_id": "GHSA-rf4j-j272-fj86",
|
||||||
|
"summary": "Moderate severity vulnerability that affects django",
|
||||||
|
"description": "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.",
|
||||||
|
"severity": "moderate",
|
||||||
|
"identifiers": [
|
||||||
|
{
|
||||||
|
"value": "GHSA-rf4j-j272-fj86",
|
||||||
|
"type": "GHSA"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"value": "CVE-2018-6188",
|
||||||
|
"type": "CVE"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"references": [
|
||||||
|
{
|
||||||
|
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6188"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"published_at": "2018-10-03T21:13:54Z",
|
||||||
|
"updated_at": "2018-10-03T21:13:54Z",
|
||||||
|
"withdrawn_at": null,
|
||||||
|
"vulnerabilities": [
|
||||||
|
{
|
||||||
|
"package": {
|
||||||
|
"ecosystem": "pip",
|
||||||
|
"name": "django"
|
||||||
|
},
|
||||||
|
"severity": "moderate",
|
||||||
|
"vulnerable_version_range": ">= 2.0.0, < 2.0.2",
|
||||||
|
"first_patched_version": {
|
||||||
|
"identifier": "2.0.2"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"package": {
|
||||||
|
"ecosystem": "pip",
|
||||||
|
"name": "django"
|
||||||
|
},
|
||||||
|
"severity": "moderate",
|
||||||
|
"vulnerable_version_range": ">= 1.11.8, < 1.11.10",
|
||||||
|
"first_patched_version": {
|
||||||
|
"identifier": "1.11.10"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
Reference in New Issue
Block a user