Slack works like Discord with threads and details

Author: northdpole

components/reporters/slack/README.md

@@ -1,7 +1,7 @@
 # slack
 
 This component implements a [reporter](https://github.com/smithy-security/smithy/blob/main/sdk/component/component.go)
-that sends a summary of results to slack.
+that sends a summary of results to slack and optionally creates detailed vulnerability threads.
 
 ## Environment variables
 
@@ -13,4 +13,55 @@ as well as the following:
 
 | Environment Variable       | Type   | Required | Default | Description                                                             |
 |----------------------------|--------|----------|---------|-------------------------------------------------------------------------|
-| SLACK\_WEBHOOK     | string | yes      | -       | The slack webhook to POST results to|
+| SLACK\_TOKEN       | string | no       | -       | The slack bot token (required for thread creation mode)|
+| SLACK\_CHANNEL     | string | no       | -       | The slack channel ID (required for thread creation mode)|
+| SLACK\_DEBUG       | bool   | no       | false   | Whether to enable debug logging for the slack client|
+
+## Operation
+
+* Uses `SLACK_TOKEN` and `SLACK_CHANNEL` for Web API access
+* Creates threads with detailed vulnerability information
+* Requires bot setup with appropriate permissions -- read on for details
+* Sends both summary and detailed findings
+
+## Bot Setup for Thread Creation
+
+To use thread creation mode, you need to:
+
+1. Create a Slack app in your workspace
+2. Add the following bot token scopes:
+   * `chat:write` - Send messages to channels
+   * `channels:read` - Read channel information
+3. Install the app to your workspace
+4. Invite the bot to the target channel
+5. Use the bot token as `SLACK_TOKEN`
+6. Use the channel ID as `SLACK_CHANNEL`
+
+## Example Configuration
+
+```yaml
+parameters:
+  - name: "slack_token"
+    type: "string"
+    value: "xoxb-your-bot-token"
+  - name: "slack_channel"
+    type: "string"
+    value: "C1234567890"
+  - name: "create_threads"
+    type: "bool"
+    value: "true"
+```
+
+## FAQ
+
+* Why do I need a bot token?
+  * The bot token is required for thread creation and sending messages to channels. It allows the app to interact with Slack's Web API.
+* Why do I need a channel ID?
+  * The channel ID is required to specify which channel the bot will send messages to. It ensures that the messages are delivered to the correct location.
+  * You can find the channel ID by right-clicking on the channel name in Slack and selecting "Copy Link". The ID is the part after `/archives/` in the URL.
+  * If you are using the Slack APP, the channel ID is located at the very bottom in the channel details pane.
+* Help, I created a token but it doesn't work!
+  * Make sure you have invited the bot to the channel you want to post in. The bot needs to be a member of the channel to send messages.
+  * Ensure that the bot has the necessary permissions (scopes) to send messages and create threads.
+  * Check that you are using the correct token and channel ID in your configuration.
+  * If you didn't add the correct permissions when creating the bot then you need to recreate the bot token and re-invite the bot to the channel. Slack docs do not mention this at the time of writing.

components/reporters/slack/cmd/main.go

@@ -3,13 +3,16 @@ package main
 import (
 	"context"
 	"log"
-	"net/http"
 	"time"
 
 	"github.com/go-errors/errors"
+	"github.com/smithy-security/pkg/retry"
 	"github.com/smithy-security/smithy/sdk/component"
 
+	componentlogger "github.com/smithy-security/smithy/sdk/logger"
+
 	"github.com/smithy-security/smithy/components/reporters/slack/internal/reporter"
+	"github.com/smithy-security/smithy/components/reporters/slack/internal/reporter/slack"
 )
 
 func main() {
@@ -25,16 +28,30 @@ func Main(ctx context.Context, opts ...component.RunnerOption) error {
 	opts = append(opts, component.RunnerWithComponentName("slack"))
 	config, err := reporter.NewConf(nil)
 	if err != nil {
-		return err
+		return errors.Errorf("failed to get config: %w", err)
+	}
+
+	config.SlackClientConfig.BaseClient, err = retry.NewClient(
+		retry.Config{
+			Logger: componentlogger.LoggerFromContext(ctx),
+		},
+	)
+	if err != nil {
+		return errors.Errorf("failed to create retry client: %w", err)
 	}
-	c := http.Client{}
-	slackLogger, err := reporter.NewSlackLogger(config, &c)
+
+	sl, err := slack.NewClient(ctx, config.SlackClientConfig)
+	if err != nil {
+		return errors.Errorf("failed to create slack client: %w", err)
+	}
+	slackReporter, err := reporter.NewSlackReporter(config, sl)
 	if err != nil {
-		return err
+		return errors.Errorf("failed to create slack reporter: %w", err)
 	}
+
 	if err := component.RunReporter(
 		ctx,
-		slackLogger,
+		slackReporter,
 		opts...,
 	); err != nil {
 		return errors.Errorf("could not run reporter: %w", err)

components/reporters/slack/component.yaml

@@ -5,9 +5,21 @@ parameters:
   - name: "slack_webhook"
     type: "string"
     value: ""
+  - name: "slack_token"
+    type: "string"
+    value: ""
+  - name: "slack_channel"
+    type: "string"
+    value: ""
+  - name: "debug"
+    type: "string"
+    value: "false"
 steps:
   - name: "slack"
     image: "components/reporters/slack"
     executable: "/bin/app"
     env_vars:
       SLACK_WEBHOOK: "{{ .parameters.slack_webhook }}"
+      SLACK_TOKEN: "{{ .parameters.slack_token }}"
+      SLACK_CHANNEL: "{{ .parameters.slack_channel }}"
+      SLACK_DEBUG: "{{ .parameters.debug }}"

components/reporters/slack/internal/reporter/issue.go

@@ -0,0 +1,212 @@
+package reporter
+
+import (
+	"bytes"
+	_ "embed"
+	"strings"
+	"text/template"
+
+	"github.com/go-errors/errors"
+	vf "github.com/smithy-security/smithy/sdk/component/vulnerability-finding"
+	ocsffindinginfo "github.com/smithy-security/smithy/sdk/gen/ocsf_ext/finding_info/v1"
+	ocsf "github.com/smithy-security/smithy/sdk/gen/ocsf_schema/v1"
+	"google.golang.org/protobuf/encoding/protojson"
+
+	"github.com/smithy-security/smithy/components/reporters/slack/internal/reporter/util"
+)
+
+//go:embed issue.tpl
+var issueTpl string
+
+const (
+	unknownValue = "unknown"
+	unsetValue   = "-"
+)
+
+// IssueData holds all the information needed to create a Slack issue message from a VulnerabilityFinding and Vulnerability instance.
+// It is designed to be used with text/template to generate formatted messages.
+type IssueData struct {
+	Description      string
+	Title            string
+	FindingID        uint64
+	FindingLink      string
+	TargetName       string
+	TargetLink       string
+	IsRepository     bool
+	IsPurl           bool
+	Confidence       string
+	Priority         string
+	CWE              string
+	CWELink          string
+	CVE              string
+	Tool             string
+	RunName          string
+	RunLink          string
+	FindingPath      string
+	FindingStartLine uint32
+	FindingEndLine   uint32
+	Reference        string
+}
+
+// NewIssueData creates a new IssueData struct from a VulnerabilityFinding and configuration.
+// It sets default values for most of the IssueData fields, and extracts relevant information for elements that are common across vulns from a single scan (e.g. time started or runID)
+func NewIssueData(finding *vf.VulnerabilityFinding, conf *Conf) (*IssueData, error) {
+	if finding == nil || finding.Finding == nil {
+		return nil, errors.New("finding or finding.Finding is nil")
+	}
+
+	if conf == nil {
+		return nil, errors.New("configuration is nil")
+	}
+
+	var (
+		findingPath, targetLink, reference, confidence, severity, title, description = unknownValue, unknownValue, unknownValue, unknownValue, unknownValue, unsetValue, unsetValue
+		findingStartLine, findingEndLine                                             uint32
+		isRepository, isPurl                                                         bool
+		findingLink                                                                  = util.MakeFindingLink(conf.SmithyDashURL.Host, finding.ID)
+		runLink                                                                      = util.MakeRunLink(conf.SmithyDashURL.Host, conf.SmithyInstanceID)
+	)
+
+	if len(finding.Finding.GetFindingInfo().DataSources) > 0 {
+		var dataSource ocsffindinginfo.DataSource
+		if err := protojson.Unmarshal([]byte(finding.Finding.GetFindingInfo().DataSources[0]), &dataSource); err != nil {
+			return nil, errors.Errorf("could not unmarshal finding data source from finding info: %w", err)
+		}
+
+		if dataSource.GetTargetType() == ocsffindinginfo.DataSource_TARGET_TYPE_REPOSITORY {
+			reference = dataSource.GetSourceCodeMetadata().GetReference()
+
+			switch dataSource.GetUri().GetUriSchema() {
+			case ocsffindinginfo.DataSource_URI_SCHEMA_FILE:
+				isRepository = true
+				findingStartLine = dataSource.GetFileFindingLocationData().GetStartLine()
+				findingEndLine = dataSource.GetFileFindingLocationData().GetEndLine()
+				findingPath = dataSource.GetUri().GetPath()
+				var err error
+				targetLink, err = util.MakeRepositoryLink(&dataSource)
+				if err != nil {
+					return nil, errors.Errorf("could not get repo target link: %w", err)
+				}
+			case ocsffindinginfo.DataSource_URI_SCHEMA_PURL:
+				isPurl = true
+				targetLink = dataSource.GetPurlFindingLocationData().String()
+				findingPath = dataSource.GetPurlFindingLocationData().String()
+			default:
+				return nil, errors.Errorf("unsupported data source uri schema: %s", dataSource.GetUri().GetUriSchema().String())
+			}
+
+		}
+	}
+
+	issueData := &IssueData{
+		FindingID:        finding.ID,
+		FindingLink:      findingLink,
+		TargetLink:       targetLink,
+		TargetName:       strings.TrimPrefix(targetLink, "https://"),
+		IsRepository:     isRepository,
+		IsPurl:           isPurl,
+		Confidence:       confidence,
+		RunName:          conf.SmithyInstanceName,
+		RunLink:          runLink,
+		FindingPath:      findingPath,
+		FindingStartLine: findingStartLine,
+		FindingEndLine:   findingEndLine,
+		Reference:        reference,
+		Priority:         severity,
+		Title:            title,
+		Description:      description,
+	}
+
+	if finding.Finding.GetConfidence() != "" {
+		issueData.Confidence = issueData.getConfidence(finding.Finding.GetConfidenceId())
+	}
+
+	// Set default, overridable values for Priority and Description
+	if finding.Finding.GetSeverity() != "" {
+		issueData.Priority = issueData.getPriority(finding.Finding.GetSeverity())
+	}
+
+	if finding.Finding.GetMessage() != "" {
+		issueData.Description = finding.Finding.GetMessage()
+	}
+
+	return issueData, nil
+}
+
+// NewVulnerability enriches the current IssueData with a new Vulnerability instance from the IssueData.
+// It sets default values for Tool, CWE, CWELink, and CVE, and extracts relevant information from the Vulnerability instance to populate the IssueData fields.
+// It overrides Title, Description, and Priority fields if the Vulnerability instance provides values for them.
+func (i IssueData) EnrichWithNewVulnerability(vulnerability *ocsf.Vulnerability) (*IssueData, error) {
+
+	i.Tool, i.CWE, i.CWELink, i.CVE = unknownValue, unsetValue, unsetValue, unsetValue
+
+	if vulnerability.GetVendorName() != "" {
+		i.Tool = vulnerability.GetVendorName()
+	}
+
+	if vulnerability.GetCwe().GetCaption() != "" {
+		i.CWE = vulnerability.GetCwe().GetCaption()
+	}
+
+	if vulnerability.GetCwe().GetSrcUrl() != "" {
+		i.CWELink = vulnerability.GetCwe().GetSrcUrl()
+	}
+
+	if vulnerability.GetCve().GetUid() != "" {
+		i.CVE = vulnerability.GetCve().GetUid()
+	}
+
+	// Override Title, Description, and Priority if the vulnerability provides them
+	if vulnerability.GetSeverity() != "" {
+		i.Priority = i.getPriority(vulnerability.GetSeverity())
+	}
+
+	if vulnerability.GetDesc() != "" {
+		i.Description = vulnerability.GetDesc()
+	}
+
+	if vulnerability.GetTitle() != "" {
+		i.Title = vulnerability.GetTitle()
+	}
+
+	return &i, nil
+}
+
+// String executes the provided template with the IssueData and returns the resulting string.
+func (i IssueData) String(tpl *template.Template) (string, error) {
+	var buf bytes.Buffer
+	if err := tpl.Execute(&buf, i); err != nil {
+		return "", errors.Errorf("could not execute issue description template: %w", err)
+	}
+	return buf.String(), nil
+}
+
+func (i IssueData) getPriority(severity string) string {
+	switch severity {
+	case ocsf.VulnerabilityFinding_SEVERITY_ID_LOW.String(),
+		ocsf.VulnerabilityFinding_SEVERITY_ID_INFORMATIONAL.String(),
+		ocsf.VulnerabilityFinding_SEVERITY_ID_OTHER.String():
+		return "Low"
+	case ocsf.VulnerabilityFinding_SEVERITY_ID_MEDIUM.String():
+		return "Medium"
+	case ocsf.VulnerabilityFinding_SEVERITY_ID_HIGH.String():
+		return "High"
+	case ocsf.VulnerabilityFinding_SEVERITY_ID_FATAL.String(),
+		ocsf.VulnerabilityFinding_SEVERITY_ID_CRITICAL.String():
+		return "Highest"
+	}
+	return severity
+}
+
+func (i IssueData) getConfidence(confidence ocsf.VulnerabilityFinding_ConfidenceId) string {
+	switch confidence {
+	case ocsf.VulnerabilityFinding_CONFIDENCE_ID_LOW,
+		ocsf.VulnerabilityFinding_CONFIDENCE_ID_OTHER:
+		return "Low"
+	case ocsf.VulnerabilityFinding_CONFIDENCE_ID_MEDIUM:
+		return "Medium"
+	case ocsf.VulnerabilityFinding_CONFIDENCE_ID_HIGH:
+		return "High"
+	}
+	return "Unknown"
+}

components/reporters/slack/internal/reporter/issue.tpl

@@ -0,0 +1,18 @@
+Smithy detected a vulnerability in *[{{ .TargetName }}]({{ .TargetLink }})*.
+
+{{ if ne .Title "" }}*{{ .Title }}:*{{ end }}
+{{ if ne .Description "" }}{{ .Description }}.{{ end }}
+
+{{ if .IsRepository }}
+*Location:* *{{ .FindingPath }}* between line {{ .FindingStartLine }} and {{ .FindingEndLine }} on branch *{{ .Reference }}*.
+{{ else if .IsPurl }}
+*Location:* *{{ .FindingPath }}*.
+{{ end }}
+
+*Finding info:*
+- *ID:* [{{ .FindingID }}]({{ .FindingLink }})
+- *Confidence:* {{ .Confidence }}
+- *CWE:* [{{ .CWE }}]({{ .CWELink }})
+- *CVE:* {{ .CVE }}
+- *Reporting Tool:* {{ .Tool }}
+- *Detected by Run:* [{{ .RunName }}]({{ .RunLink }})