"Seriously?" was my reaction, but my colleague @hiboma noticed it. Sure, it makes sense that you can query it from OpenSearch, but from the client side, having multiple endpoints is pretty annoying, and that feeling wins out.
In our case, we were using the vulnerability endpoint from quite a few repositories, so we quickly put together a conversion endpoint in Sinatra.
```ruby
# server.rb
require 'sinatra'
require 'faraday'
require 'oj'
require 'base64'

set :server, :puma

# Base URL and optional basic-auth credentials for the Wazuh indexer (OpenSearch).
# The original listing omitted them; they are read from the environment here.
OPENSEARCH_URL  = ENV.fetch('OPENSEARCH_URL', 'https://localhost:9200')
OPENSEARCH_USER = ENV['OPENSEARCH_USER']
OPENSEARCH_PASS = ENV['OPENSEARCH_PASSWORD']

# Function that sends a search request to OpenSearch
def search_vulnerabilities(agent_id, page, per_page)
  headers = { 'Content-Type' => 'application/json' }
  if OPENSEARCH_USER
    headers['Authorization'] = "Basic #{Base64.strict_encode64("#{OPENSEARCH_USER}:#{OPENSEARCH_PASS}")}"
  end
  connection = Faraday.new(url: OPENSEARCH_URL, headers: headers)

  from = page * per_page # Pagination offset (the `offset` query parameter is treated as a page index)
  body = {
    query: {
      bool: {
        must: [
          { match: { 'agent.id' => agent_id } }
        ]
      }
    },
    from: from,
    size: per_page
  }

  response = connection.post do |req|
    req.url '/wazuh-states-vulnerabilities-*/_search'
    req.body = Oj.dump(body, mode: :compat)
  end
  raise "OpenSearch returned HTTP #{response.status}" unless response.success?

  Oj.load(response.body)
end

get '/health' do
  status 200
  body ''
end

# Mimics the response shape of the Wazuh API's GET /vulnerability/{agent_id}
get '/vulnerability/:agent_id' do
  agent_id = params['agent_id']
  page     = (params['offset'] || 0).to_i
  per_page = (params['limit'] || 500).to_i

  result = search_vulnerabilities(agent_id, page, per_page)

  affected_items = result['hits']['hits'].map do |hit|
    {
      cve:          hit['_source']['vulnerability']['id'],
      architecture: hit['_source']['package']['architecture'],
      version:      hit['_source']['package']['version'],
      name:         hit['_source']['package']['name']
    }
  end

  response_body = {
    data: {
      affected_items:       affected_items,
      total_affected_items: result['hits']['total']['value'],
      total_failed_items:   0,
      failed_items:         []
    },
    message: 'All selected vulnerabilities were returned',
    error: 0
  }

  content_type :json
  Oj.dump(response_body, mode: :compat)
end
```
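As an added example (not the blog's code), the request and response translation of the shim pulled out into plain Ruby functions so it can be checked without Sinatra or OpenSearch: `offset`/`limit` mapped directly onto `from`/`size`, `hits.total` handled whether it arrives as an object or a bare integer, and documents missing their package fields reported in `failed_items` instead of raising. The agent id, CVE ids and sample document are constructed placeholders; the 10,000 `index.max_result_window` default and error code 2 for a partial failure are assumptions.

```ruby
require 'json'

# Wazuh API semantics: offset = first item to return, limit = max items; they map
# straight onto OpenSearch from/size. Assumed: index.max_result_window is the
# default 10,000, so a from/size pair past that is rejected up front.
def build_query(agent_id, offset: 0, limit: 500)
  from = [offset.to_i, 0].max
  raise ArgumentError, 'offset beyond index.max_result_window' if from >= 10_000
  size = limit.to_i.clamp(1, 10_000 - from)
  { query: { bool: { must: [{ match: { 'agent.id' => agent_id } }] } },
    from: from, size: size, track_total_hits: true }
end

# hits.total is {"value"=>N,"relation"=>"eq"} by default, but a bare integer
# when the request sets rest_total_hits_as_int=true.
def total_hits(result)
  total = result.dig('hits', 'total')
  total.is_a?(Hash) ? total['value'].to_i : total.to_i
end

# One _search hit -> one item of the old /vulnerability/{agent_id} shape, or nil
# when a field the old API promised is absent (an inline map would raise here).
def hit_to_item(hit)
  src = hit['_source'] || {}
  item = { cve: src.dig('vulnerability', 'id'),
           architecture: src.dig('package', 'architecture'),
           version: src.dig('package', 'version'),
           name: src.dig('package', 'name') }
  item.value?(nil) ? nil : item
end

# Incomplete documents are reported in failed_items instead of crashing the
# request; error 2 for a partial failure is assumed from Wazuh API conventions.
def to_wazuh_response(result)
  pairs = (result.dig('hits', 'hits') || []).map { |h| [h['_id'], hit_to_item(h)] }
  affected = pairs.map(&:last).compact
  failed = pairs.select { |_, i| i.nil? }
                .map { |id, _| { id: id, error: { code: 1, message: 'incomplete document' } } }
  { data: { affected_items: affected, total_affected_items: total_hits(result),
            total_failed_items: failed.size, failed_items: failed },
    message: 'All selected vulnerabilities were returned', error: failed.empty? ? 0 : 2 }
end

# Constructed sample of a wazuh-states-vulnerabilities-* _search response; the
# CVE ids are placeholders and the second document lacks its package fields.
SAMPLE = JSON.parse(<<~DOC)
  {"hits":{"total":{"value":2,"relation":"eq"},"hits":[
    {"_id":"a1","_source":{"agent":{"id":"001"},"vulnerability":{"id":"CVE-0000-0001"},
      "package":{"name":"openssl","version":"3.0.2","architecture":"amd64"}}},
    {"_id":"a2","_source":{"agent":{"id":"001"},"vulnerability":{"id":"CVE-0000-0002"}}}]}}
DOC
```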
For now I just dashed it off, since there is only the one endpoint to handle, but if more get added down the line I'd like to open-source it and tidy it up in various ways.