Deepfence communication

Makefile

@@ -18,7 +18,7 @@ export IMAGE_REPOSITORY?=quay.io/deepfenceio
 export DF_IMG_TAG?=latest
 export STEAMPIPE_IMG_TAG?=0.23.x
 export IS_DEV_BUILD?=false
-export VERSION?=v2.5.2
+export VERSION?=v2.5.3
 export AGENT_BINARY_BUILD=$(DEEPFENCE_FARGATE_DIR)/build
 export AGENT_BINARY_BUILD_RELATIVE=deepfence_agent/agent-binary/build
 export AGENT_BINARY_DIST=$(DEEPFENCE_FARGATE_DIR)/dist

README.md

@@ -12,6 +12,9 @@
 
 # ThreatMapper - Runtime Threat Management and Attack Path Enumeration for Cloud Native
 
+> [!IMPORTANT]
+> [Upcoming Changes to ThreatMapper Threat Intel Feeds](https://www.deepfence.io/blog/upcoming-changes-to-threatmapper-threat-intel-feeds-what-you-need-to-know)
+
 Deepfence ThreatMapper hunts for threats in your production platforms, and ranks these threats based on their risk-of-exploit. It uncovers vulnerable software components, exposed secrets and deviations from good security practice. ThreatMapper uses a combination of agent-based inspection and agent-less monitoring to provide the widest possible coverage to detect threats.
 
 With ThreatMapper's **ThreatGraph** visualization, you can then identify the issues that present the greatest risk to the security of your applications, and prioritize these for planned protection or remediation.
@@ -93,10 +96,10 @@ docker run -dit \
     -e http_proxy="" \
     -e https_proxy="" \
     -e no_proxy="" \
-    quay.io/deepfenceio/deepfence_agent_ce:2.5.2
+    quay.io/deepfenceio/deepfence_agent_ce:2.5.3
 ```
 
-Note: Image tag `quay.io/deepfenceio/deepfence_agent_ce:2.5.2-multiarch` is supported in amd64 and arm64/v8 architectures.
+Note: Image tag `quay.io/deepfenceio/deepfence_agent_ce:2.5.3-multiarch` is supported in amd64 and arm64/v8 architectures.
 
 On a Kubernetes platform, the sensors are installed using [helm chart](https://community.deepfence.io/threatmapper/docs/v2.5/sensors/kubernetes/)
 

deepfence_server/apiDocs/operation.go

@@ -895,6 +895,13 @@ func (d *OpenAPIDocs) AddSettingsOperations() {
 	d.AddOperation("getAgentBinaryDownloadURL", http.MethodGet, "/deepfence/agent-deployment/binary/download-url",
 		"Get agent binary download url", "Get agent binary download url",
 		http.StatusOK, []string{tagSettings}, bearerToken, nil, new(GetAgentBinaryDownloadURLResponse))
+
+	d.AddOperation("getDeepfenceCommunicationMessages", http.MethodGet, "/deepfence/deepfence-communication/message",
+		"Get Deepfence communication messages", "Get Deepfence communication messages",
+		http.StatusOK, []string{tagSettings}, bearerToken, nil, new([]DeepfenceCommunication))
+	d.AddOperation("markDeepfenceCommunicationRead", http.MethodPut, "/deepfence/deepfence-communication/message/{id}/read",
+		"Mark Deepfence communication message read", "Mark Deepfence communication message read",
+		http.StatusNoContent, []string{tagSettings}, bearerToken, new(DeepfenceCommunicationID), nil)
 }
 
 func (d *OpenAPIDocs) AddLicenseOperations() {

deepfence_server/handler/deepfence_communication.go

@@ -0,0 +1,81 @@
+package handler
+
+import (
+	"net/http"
+	"strconv"
+
+	"github.com/deepfence/ThreatMapper/deepfence_server/model"
+	"github.com/deepfence/ThreatMapper/deepfence_utils/directory"
+	"github.com/deepfence/ThreatMapper/deepfence_utils/log"
+	"github.com/go-chi/chi/v5"
+	httpext "github.com/go-playground/pkg/v5/net/http"
+)
+
+func (h *Handler) GetDeepfenceCommunication(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	pgClient, err := directory.PostgresClient(ctx)
+	if err != nil {
+		log.Error().Msgf("%v", err)
+		h.respondError(&InternalServerError{err}, w)
+		return
+	}
+
+	messages := []model.DeepfenceCommunication{}
+	deepfenceCommunication, err := pgClient.GetUnreadDeepfenceCommunication(ctx)
+	if err != nil {
+		log.Error().Msgf("%v", err)
+		h.respondError(&InternalServerError{err}, w)
+		return
+	}
+	for _, m := range deepfenceCommunication {
+		messages = append(messages, model.DeepfenceCommunication{
+			ID:            m.ID,
+			Title:         m.Title,
+			Content:       m.Content,
+			Link:          m.Link,
+			LinkTitle:     m.LinkTitle,
+			ButtonContent: m.ButtonContent,
+			Read:          m.Read,
+			CreatedAt:     m.CreatedAt,
+			UpdatedAt:     m.UpdatedAt,
+		})
+	}
+	err = httpext.JSON(w, http.StatusOK, messages)
+	if err != nil {
+		log.Error().Msgf("%v", err)
+	}
+}
+
+func (h *Handler) MarkDeepfenceCommunicationAsRead(w http.ResponseWriter, r *http.Request) {
+	defer r.Body.Close()
+	messageID, err := strconv.ParseInt(chi.URLParam(r, "id"), 10, 64)
+	if err != nil {
+		log.Error().Msgf("%v", err)
+		h.respondError(&BadDecoding{err}, w)
+		return
+	}
+	req := model.DeepfenceCommunicationID{
+		ID: messageID,
+	}
+	err = h.Validator.Struct(req)
+	if err != nil {
+		log.Error().Msgf("%v", err)
+		h.respondError(&ValidatorError{err: err}, w)
+		return
+	}
+
+	ctx := r.Context()
+	pgClient, err := directory.PostgresClient(ctx)
+	if err != nil {
+		log.Error().Msgf("%v", err)
+		h.respondError(&InternalServerError{err}, w)
+		return
+	}
+	err = pgClient.MarkDeepfenceCommunicationRead(ctx, req.ID)
+	if err != nil {
+		log.Error().Msgf("%v", err)
+		h.respondError(err, w)
+		return
+	}
+	w.WriteHeader(http.StatusNoContent)
+}

deepfence_server/model/setting.go

@@ -1,5 +1,9 @@
 package model
 
+import (
+	"time"
+)
+
 const (
 	EmailConfigurationKey = "email_configuration"
 	EmailSettingSES       = "amazon_ses"
@@ -17,3 +21,19 @@ type GetAgentBinaryDownloadURLResponse struct {
 	StartAgentScriptDownloadURL     string `json:"start_agent_script_download_url"`
 	UninstallAgentScriptDownloadURL string `json:"uninstall_agent_script_download_url"`
 }
+
+type DeepfenceCommunicationID struct {
+	ID int64 `path:"id"`
+}
+
+type DeepfenceCommunication struct {
+	ID            int64     `json:"id"`
+	Title         string    `json:"title"`
+	Content       string    `json:"content"`
+	Link          string    `json:"link"`
+	LinkTitle     string    `json:"link_title"`
+	ButtonContent string    `json:"button_content"`
+	Read          bool      `json:"read"`
+	CreatedAt     time.Time `json:"created_at"`
+	UpdatedAt     time.Time `json:"updated_at"`
+}

deepfence_server/router/router.go

@@ -508,6 +508,11 @@ func SetupRoutes(r *chi.Mux, serverPort string, serveOpenapiDocs bool, ingestC c
 				})
 			})
 
+			r.Route("/deepfence-communication/message", func(r chi.Router) {
+				r.Get("/", dfHandler.AuthHandler(ResourceReport, PermissionRead, dfHandler.GetDeepfenceCommunication))
+				r.Put("/{id}/read", dfHandler.AuthHandler(ResourceReport, PermissionRead, dfHandler.MarkDeepfenceCommunicationAsRead))
+			})
+
 			r.Route("/diagnosis", func(r chi.Router) {
 				r.Get("/notification", dfHandler.AuthHandler(ResourceDiagnosis, PermissionRead, dfHandler.DiagnosticNotification))
 				r.Post("/console-logs", dfHandler.AuthHandler(ResourceDiagnosis, PermissionGenerate, dfHandler.GenerateConsoleDiagnosticLogs))

deepfence_utils/postgresql/migrate/0008_create_deepfence_communication_table.sql

@@ -0,0 +1,28 @@
+-- +goose Up
+
+-- +goose StatementBegin
+CREATE TABLE public.deepfence_communication
+(
+    id             bigint PRIMARY KEY,
+    title          text                                               NOT NULL,
+    content        text                                               NOT NULL,
+    link           text                                               NOT NULL,
+    link_title     text                                               NOT NULL,
+    button_content text                                               NOT NULL,
+    read           bool                     DEFAULT FALSE             NOT NULL,
+    created_at     timestamp with time zone DEFAULT CURRENT_TIMESTAMP NOT NULL,
+    updated_at     timestamp with time zone DEFAULT CURRENT_TIMESTAMP NOT NULL
+);
+
+CREATE TRIGGER deepfence_communication_updated_at
+    BEFORE UPDATE
+    ON deepfence_communication
+    FOR EACH ROW
+EXECUTE PROCEDURE update_modified_column();
+-- +goose StatementEnd
+
+-- +goose Down
+
+-- +goose StatementBegin
+DROP TABLE IF EXISTS deepfence_communication;
+-- +goose StatementEnd