
Support needed for Exploit IQ integration with TPA #1967

@carlosthe19916


Context

TPA-ExploitIQ integration.

Plan

  • The integration (first phase) will happen in the SBOM Details page (Vulnerabilities tab).
  • The vulnerability table will get a new action button, Create ExploitIQ report, on each row.
    • When the user clicks that button, Trustify (the backend) sends the SBOM together with the selected vulnerability to the ExploitIQ REST API.
    • ExploitIQ receives the request and generates a reportId that represents the output of the analysis of the SBOM in the context of the selected vulnerability. We need to save this reportId somewhere in the database so the UI can use that ID to redirect the user to the ExploitIQ report.

Technical details

  • The ExploitIQ REST API can only be reached using Authorization: Bearer ****
  • The ExploitIQ team will provide us with an offline token. This token needs to be injected into Trustify just like we inject any other property, such as the DB password or the OIDC URLs. The backend will use this token to communicate with ExploitIQ.

The whole interaction with ExploitIQ will only involve two things:

1. Create ExploitIQ Report

This will allow us to analyze a vulnerability in the context of an SBOM.
The flow will be:

  • The UI sends a POST request to the Trustify backend indicating the sbomId + VulnerabilityID.
  • The Trustify backend then sends a POST request to ExploitIQ. The POST to ExploitIQ should be:

POST https://exploitIQdomain.com/reports/new using Content-Type: application/json and Authorization: Bearer ***

{
  "vulnerabilities": [ "CVE-2024-0406" ],
  "sbom": {
    // the SBOM in JSON format
  },
  "sbom_info_type": "manual", // sbom_info_type should always be "manual"
  "metadata": { }
}

  • The previous request will generate a response like:

{
  "id": "68c00eae2ce57055b0734cb3",
  "reportId": "888037a451286b9c919c88d4c00c3f7a"
}

We need to save the previous response in the database. So far, I think we only need to save the id and not the reportId.

  • The Trustify backend needs to expose the ExploitIQ response through its REST API. This step is important, as the UI will need to know whether any particular vulnerability, in the context of an SBOM, has already been analyzed by ExploitIQ or not.

2. Report Status extraction

This will allow us to check the status of any analysis in ExploitIQ. Trustify would just be a bridge between Trustify clients and the ExploitIQ REST API.

The flow would be:

  • The Trustify UI user goes to the SBOM details page.
  • The UI fetches the IDs of all previously generated reports (last step of the previous section).
  • The UI wants to know the status of a report in ExploitIQ, so it sends a GET request to the Trustify backend.
  • The Trustify backend works as a bridge between the UI and the ExploitIQ REST API and does:

GET https://exploitIQdomain.com/reports/{id}

The Trustify backend must send that request with Authorization: Bearer ***.

Whatever ExploitIQ responds, the Trustify REST endpoint should expose it unchanged.
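To make the two calls above concrete, here is an added Python sketch of the bridge (example code, not Trustify's own, which is Rust). It covers both the create-report POST and the status GET; the base URL, the CVE format check, the alphanumeric check on the id before it goes into the upstream path, and the injectable transport are assumptions of this example.

```python
import json
import re
import urllib.error
import urllib.request

# Assumed: the base URL and the offline token arrive through the backend's
# configuration like any other property; the token is never logged or returned to the UI.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def urllib_transport(method, url, headers, body):
    """Real HTTP transport; tests replace it with a fake so nothing leaves the host."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def build_create_report_body(cve_id, sbom):
    """Request body for POST /reports/new; sbom_info_type is always "manual"."""
    if not CVE_RE.match(cve_id):
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return {"vulnerabilities": [cve_id], "sbom": sbom,
            "sbom_info_type": "manual", "metadata": {}}


def create_report(base_url, token, cve_id, sbom, transport=urllib_transport):
    """POST the SBOM + CVE to ExploitIQ and return the 'id' the backend persists."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    payload = json.dumps(build_create_report_body(cve_id, sbom)).encode()
    status, raw = transport("POST", f"{base_url}/reports/new", headers, payload)
    if not 200 <= status < 300:
        raise RuntimeError(f"ExploitIQ returned HTTP {status}")
    data = json.loads(raw)
    if not isinstance(data.get("id"), str):
        raise RuntimeError("ExploitIQ response has no 'id' field")
    return data["id"]


def get_report_status(base_url, token, report_id, transport=urllib_transport):
    """GET /reports/{id}; status code and body are passed through unchanged."""
    if not report_id.isalnum():  # the id is interpolated into the upstream path
        raise ValueError("report id must be alphanumeric")
    headers = {"Authorization": f"Bearer {token}"}
    return transport("GET", f"{base_url}/reports/{report_id}", headers, None)
```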
