Slack works like Discord with threads and details

Author: northdpole

components/reporters/slack/README.md

@@ -1,7 +1,7 @@
 # slack
 
 This component implements a [reporter](https://github.com/smithy-security/smithy/blob/main/sdk/component/component.go)
-that sends a summary of results to slack.
+that sends a summary of results to slack and optionally creates detailed vulnerability threads.
 
 ## Environment variables
 
@@ -13,4 +13,55 @@ as well as the following:
 
 | Environment Variable       | Type   | Required | Default | Description                                                             |
 |----------------------------|--------|----------|---------|-------------------------------------------------------------------------|
-| SLACK\_WEBHOOK     | string | yes      | -       | The slack webhook to POST results to|
+| SLACK\_TOKEN       | string | no       | -       | The slack bot token (required for thread creation mode)|
+| SLACK\_CHANNEL     | string | no       | -       | The slack channel ID (required for thread creation mode)|
+| SLACK\_DEBUG       | bool   | no       | false   | Whether to enable debug logging for the slack client|
+
+## Operation
+
+* Uses `SLACK_TOKEN` and `SLACK_CHANNEL` for Web API access
+* Creates threads with detailed vulnerability information
+* Requires bot setup with appropriate permissions -- read on for details
+* Sends both summary and detailed findings
+
+## Bot Setup for Thread Creation
+
+To use thread creation mode, you need to:
+
+1. Create a Slack app in your workspace
+2. Add the following bot token scopes:
+   * `chat:write` - Send messages to channels
+   * `channels:read` - Read channel information
+3. Install the app to your workspace
+4. Invite the bot to the target channel
+5. Use the bot token as `SLACK_TOKEN`
+6. Use the channel ID as `SLACK_CHANNEL`
+
+## Example Configuration
+
+```yaml
+parameters:
+  - name: "slack_token"
+    type: "string"
+    value: "xoxb-your-bot-token"
+  - name: "slack_channel"
+    type: "string"
+    value: "C1234567890"
+  - name: "create_threads"
+    type: "bool"
+    value: "true"
+```
+
+## FAQ
+
+* Why do I need a bot token?
+  * The bot token is required for thread creation and sending messages to channels. It allows the app to interact with Slack's Web API.
+* Why do I need a channel ID?
+  * The channel ID is required to specify which channel the bot will send messages to. It ensures that the messages are delivered to the correct location.
+  * You can find the channel ID by right-clicking on the channel name in Slack and selecting "Copy Link". The ID is the part after `/archives/` in the URL.
+  * If you are using the Slack APP, the channel ID is located at the very bottom in the channel details pane.
+* Help, I created a token but it doesn't work!
+  * Make sure you have invited the bot to the channel you want to post in. The bot needs to be a member of the channel to send messages.
+  * Ensure that the bot has the necessary permissions (scopes) to send messages and create threads.
+  * Check that you are using the correct token and channel ID in your configuration.
+  * If you didn't add the correct permissions when creating the bot then you need to recreate the bot token and re-invite the bot to the channel. Slack docs do not mention this at the time of writing.

components/reporters/slack/cmd/main.go

@@ -3,13 +3,16 @@ package main
 import (
 	"context"
 	"log"
-	"net/http"
 	"time"
 
 	"github.com/go-errors/errors"
+	"github.com/smithy-security/pkg/retry"
 	"github.com/smithy-security/smithy/sdk/component"
 
+	componentlogger "github.com/smithy-security/smithy/sdk/logger"
+
 	"github.com/smithy-security/smithy/components/reporters/slack/internal/reporter"
+	"github.com/smithy-security/smithy/components/reporters/slack/internal/reporter/slack"
 )
 
 func main() {
@@ -25,16 +28,30 @@ func Main(ctx context.Context, opts ...component.RunnerOption) error {
 	opts = append(opts, component.RunnerWithComponentName("slack"))
 	config, err := reporter.NewConf(nil)
 	if err != nil {
-		return err
+		return errors.Errorf("failed to get config: %w", err)
+	}
+
+	config.SlackClientConfig.BaseClient, err = retry.NewClient(
+		retry.Config{
+			Logger: componentlogger.LoggerFromContext(ctx),
+		},
+	)
+	if err != nil {
+		return errors.Errorf("failed to create retry client: %w", err)
 	}
-	c := http.Client{}
-	slackLogger, err := reporter.NewSlackLogger(config, &c)
+
+	sl, err := slack.NewClient(config.SlackClientConfig)
+	if err != nil {
+		return errors.Errorf("failed to create slack client: %w", err)
+	}
+	slackReporter, err := reporter.NewSlackReporter(config, sl)
 	if err != nil {
-		return err
+		return errors.Errorf("failed to create slack reporter: %w", err)
 	}
+
 	if err := component.RunReporter(
 		ctx,
-		slackLogger,
+		slackReporter,
 		opts...,
 	); err != nil {
 		return errors.Errorf("could not run reporter: %w", err)

components/reporters/slack/component.yaml

@@ -5,9 +5,21 @@ parameters:
   - name: "slack_webhook"
     type: "string"
     value: ""
+  - name: "slack_token"
+    type: "string"
+    value: ""
+  - name: "slack_channel"
+    type: "string"
+    value: ""
+  - name: "debug"
+    type: "string"
+    value: "false"
 steps:
   - name: "slack"
     image: "components/reporters/slack"
     executable: "/bin/app"
     env_vars:
       SLACK_WEBHOOK: "{{ .parameters.slack_webhook }}"
+      SLACK_TOKEN: "{{ .parameters.slack_token }}"
+      SLACK_CHANNEL: "{{ .parameters.slack_channel }}"
+      SLACK_DEBUG: "{{ .parameters.debug }}"

components/reporters/slack/internal/reporter/issue.go

@@ -0,0 +1,190 @@
+package reporter
+
+import (
+	"bytes"
+	_ "embed"
+	"strings"
+	"text/template"
+
+	"github.com/go-errors/errors"
+	vf "github.com/smithy-security/smithy/sdk/component/vulnerability-finding"
+	ocsffindinginfo "github.com/smithy-security/smithy/sdk/gen/ocsf_ext/finding_info/v1"
+	ocsf "github.com/smithy-security/smithy/sdk/gen/ocsf_schema/v1"
+	"google.golang.org/protobuf/encoding/protojson"
+
+	"github.com/smithy-security/smithy/components/reporters/slack/internal/reporter/util"
+)
+
+//go:embed issue.tpl
+var issueTpl string
+
+type IssueData struct {
+	Description      string
+	Title            string
+	FindingID        uint64
+	FindingLink      string
+	TargetName       string
+	TargetLink       string
+	IsRepository     bool
+	IsPurl           bool
+	Confidence       string
+	CWE              string
+	CWELink          string
+	CVE              string
+	Tool             string
+	RunName          string
+	RunLink          string
+	FindingPath      string
+	FindingStartLine uint32
+	FindingEndLine   uint32
+	Reference        string
+}
+
+func (r slackReporter) getMsgs(findings []*vf.VulnerabilityFinding) ([]string, error) {
+	tpl, err := template.New("issue").Parse(issueTpl)
+	if err != nil {
+		return nil, errors.Errorf("could not parse thread template: %w", err)
+	}
+
+	const (
+		unknownValue = "unknown"
+		unsetValue   = "-"
+	)
+
+	var msgs []string
+	for _, finding := range findings {
+		var (
+			findingPath, targetName, targetLink, reference, confidence = unknownValue, unknownValue, unknownValue, unknownValue, unknownValue
+			findingStartLine, findingEndLine                           uint32
+			isRepository, isPurl                                       bool
+		)
+
+		if finding.Finding.GetConfidence() != "" {
+			confidence = r.getConfidence(finding.Finding.GetConfidenceId())
+		}
+
+		if len(finding.Finding.GetFindingInfo().DataSources) > 0 {
+			var dataSource ocsffindinginfo.DataSource
+			if err := protojson.Unmarshal([]byte(finding.Finding.GetFindingInfo().DataSources[0]), &dataSource); err != nil {
+				return nil, errors.Errorf("could not unmarshal finding data source from finding info: %w", err)
+			}
+
+			if dataSource.GetTargetType() == ocsffindinginfo.DataSource_TARGET_TYPE_REPOSITORY {
+				reference = dataSource.GetSourceCodeMetadata().GetReference()
+
+				switch dataSource.GetUri().GetUriSchema() {
+				case ocsffindinginfo.DataSource_URI_SCHEMA_FILE:
+					isRepository = true
+					findingStartLine = dataSource.GetFileFindingLocationData().GetStartLine()
+					findingEndLine = dataSource.GetFileFindingLocationData().GetEndLine()
+					findingPath = dataSource.GetUri().GetPath()
+					targetName = dataSource.GetSourceCodeMetadata().GetRepositoryUrl()
+					var err error
+					targetLink, err = util.MakeRepositoryLink(&dataSource)
+					if err != nil {
+						return nil, errors.Errorf("could not get repo target link: %w", err)
+					}
+				case ocsffindinginfo.DataSource_URI_SCHEMA_PURL:
+					isPurl = true
+					targetName = dataSource.GetPurlFindingLocationData().String()
+					targetLink = dataSource.GetPurlFindingLocationData().String()
+					findingPath = dataSource.GetPurlFindingLocationData().String()
+				}
+			}
+		}
+
+		targetName = strings.TrimPrefix(targetLink, "https://")
+
+		for _, f := range finding.Finding.GetVulnerabilities() {
+			var (
+				findingLink = util.MakeFindingLink(
+					r.conf.SmithyDashURL.Host,
+					finding.ID,
+				)
+				runLink = util.MakeRunLink(
+					r.conf.SmithyDashURL.Host,
+					r.conf.SmithyInstanceID,
+				)
+				tool, cwe, cweLink, cve = unknownValue, unsetValue, unsetValue, unsetValue
+			)
+
+			if f.GetVendorName() != "" {
+				tool = f.GetVendorName()
+			}
+
+			if f.GetCwe().GetCaption() != "" {
+				cwe = f.GetCwe().GetCaption()
+			}
+
+			if f.GetCwe().GetSrcUrl() != "" {
+				cweLink = f.GetCwe().GetSrcUrl()
+			}
+
+			if f.GetCve().GetUid() != "" {
+				cve = f.GetCve().GetUid()
+			}
+
+			var buf bytes.Buffer
+			if err := tpl.Execute(
+				&buf,
+				IssueData{
+					Title:            f.GetTitle(),
+					Description:      f.GetDesc(),
+					FindingID:        finding.ID,
+					FindingLink:      findingLink,
+					Tool:             tool,
+					TargetLink:       targetLink,
+					TargetName:       targetName,
+					IsRepository:     isRepository,
+					IsPurl:           isPurl,
+					Confidence:       confidence,
+					CWE:              cwe,
+					CWELink:          cweLink,
+					CVE:              cve,
+					RunName:          r.conf.SmithyInstanceName,
+					RunLink:          runLink,
+					FindingPath:      findingPath,
+					FindingStartLine: findingStartLine,
+					FindingEndLine:   findingEndLine,
+					Reference:        reference,
+				},
+			); err != nil {
+				return nil, errors.Errorf("could not execute issue description template: %w", err)
+			}
+
+			msgs = append(msgs, buf.String())
+		}
+	}
+
+	return msgs, nil
+}
+
+func (r slackReporter) getPriority(severity string) string {
+	switch severity {
+	case ocsf.VulnerabilityFinding_SEVERITY_ID_LOW.String(),
+		ocsf.VulnerabilityFinding_SEVERITY_ID_INFORMATIONAL.String(),
+		ocsf.VulnerabilityFinding_SEVERITY_ID_OTHER.String():
+		return "Low"
+	case ocsf.VulnerabilityFinding_SEVERITY_ID_MEDIUM.String():
+		return "Medium"
+	case ocsf.VulnerabilityFinding_SEVERITY_ID_HIGH.String():
+		return "High"
+	case ocsf.VulnerabilityFinding_SEVERITY_ID_FATAL.String(),
+		ocsf.VulnerabilityFinding_SEVERITY_ID_CRITICAL.String():
+		return "Highest"
+	}
+	return severity
+}
+
+func (r slackReporter) getConfidence(confidence ocsf.VulnerabilityFinding_ConfidenceId) string {
+	switch confidence {
+	case ocsf.VulnerabilityFinding_CONFIDENCE_ID_LOW,
+		ocsf.VulnerabilityFinding_CONFIDENCE_ID_OTHER:
+		return "Low"
+	case ocsf.VulnerabilityFinding_CONFIDENCE_ID_MEDIUM:
+		return "Medium"
+	case ocsf.VulnerabilityFinding_CONFIDENCE_ID_HIGH:
+		return "High"
+	}
+	return "Unknown"
+}

components/reporters/slack/internal/reporter/issue.tpl

@@ -0,0 +1,18 @@
+Smithy detected a vulnerability in *[{{ .TargetName }}]({{ .TargetLink }})*.
+
+{{ if ne .Title "" }}*{{ .Title }}:*{{ end }}
+{{ if ne .Description "" }}{{ .Description }}.{{ end }}
+
+{{ if .IsRepository }}
+*Location:* *{{ .FindingPath }}* between line {{ .FindingStartLine }} and {{ .FindingEndLine }} on branch *{{ .Reference }}*.
+{{ else if .IsPurl }}
+*Location:* *{{ .FindingPath }}*.
+{{ end }}
+
+*Finding info:*
+- *ID:* [{{ .FindingID }}]({{ .FindingLink }})
+- *Confidence:* {{ .Confidence }}
+- *CWE:* [{{ .CWE }}]({{ .CWELink }})
+- *CVE:* {{ .CVE }}
+- *Reporting Tool:* {{ .Tool }}
+- *Detected by Run:* [{{ .RunName }}]({{ .RunLink }})