diff --git a/sql/README.md b/sql/README.md index ced784508..dfa7052d9 100644 --- a/sql/README.md +++ b/sql/README.md @@ -1,6 +1,8 @@ # SQL Queries for GitHub Enterprise Server -:warning: Run these directly against your GitHub Enterprise Server database at your own risk. A safer method to run these is outlined [here](USAGE.md). +:warning: While these are all read-only queries and do not write to the database, run these directly against your GitHub Enterprise Server database at your own risk. A safer method to run these is outlined [here](USAGE.md). + +Each query has a comment at the top of the file elaborating what it does, etc. ## Audit queries @@ -20,6 +22,10 @@ The `audit` folder has queries that are all around auditing credentials, webhook The `security` folder has queries that are all around dependency alerts and any other security features. +- `active-repo-report.sql` - A list of all detected HIGH and CRITICAL vulnerabilities from repos pushed to in the past 90 days. It also returns who owns it and further details on the exact vulnerability. The threshold of time and severity to return is adjustable. +- `vuln-critical-count.sql` - A count of repositories affected by each CRITICAL vulnerability. +- `vuln-report.sql` - A report of all detected vulnerabilities in every single repo in GHES, who owns it, when it was last pushed to, the platform of the vulnerability, and the GHSA/MITRE/WhiteSource info on it. This can be a very large report. + ## Usage queries The `usage` folder has queries that are all around usage of various features in GitHub Enterprise Server. diff --git a/sql/security/active-repo-report.sql b/sql/security/active-repo-report.sql new file mode 100644 index 000000000..e0452ce1c --- /dev/null +++ b/sql/security/active-repo-report.sql @@ -0,0 +1,34 @@ +/* + * This pulls a list of all detected HIGH and CRITICAL vulnerabilities from + * repositories pushed to in the past 90 days. It also returns who owns it and + * further details on the exact vulnerability. + * + * If you comment line 34, it will both root and fork repositories. As is, + * it will only report root repos. + */ +SELECT + r.name AS repo_name, + u.login AS repo_owner, + u.type AS owner_type, + pushed_at AS last_update, + platform, + severity, + cve_id, + ghsa_id, + white_source_id, + external_reference +FROM + github_enterprise.repository_vulnerability_alerts z +JOIN github_enterprise.vulnerabilities v ON + z.vulnerability_id = v.id +JOIN github_enterprise.repositories r ON + z.repository_id = r.id +JOIN github_enterprise.users u ON + r.owner_id = u.id +WHERE + (v.severity = "critical" + OR v.severity = "high") + AND DATEDIFF(NOW(), r.pushed_at) < 91 + AND r.parent_id IS NULL +ORDER BY + last_update DESC; \ No newline at end of file diff --git a/sql/security/vuln-critical-count.sql b/sql/security/vuln-critical-count.sql new file mode 100644 index 000000000..64ed4ba31 --- /dev/null +++ b/sql/security/vuln-critical-count.sql @@ -0,0 +1,22 @@ +/* + * This pulls a count of repos affected by each _critical_ vulnerability. + */ +SELECT + v.id, + v.cve_id, + v.ghsa_id, + v.white_source_id, + v.published_at as published, + v.external_reference, + v.platform as ecosystem, + COUNT(z.vulnerability_id) as repo_count +FROM + github_enterprise.repository_vulnerability_alerts z +JOIN github_enterprise.vulnerabilities v ON + z.vulnerability_id = v.id +WHERE + v.severity = 'critical' +GROUP BY + v.id +ORDER BY + COUNT(z.vulnerability_id) DESC; \ No newline at end of file diff --git a/sql/security/vuln-report.sql b/sql/security/vuln-report.sql new file mode 100644 index 000000000..c00ec846c --- /dev/null +++ b/sql/security/vuln-report.sql @@ -0,0 +1,26 @@ +/* + * This pulls a list of all detected vulnerabilities, what it is, who owns the + * associated repo, and when the repo was last updated. This can be a very + * large report! + */ +SELECT + r.name as repo_name, + u.login as repo_owner, + u.type as owner_type, + pushed_at as last_update, + platform, + severity, + cve_id, + ghsa_id, + white_source_id, + external_reference +FROM + github_enterprise.repository_vulnerability_alerts z +JOIN github_enterprise.vulnerabilities v ON + z.vulnerability_id = v.id +JOIN github_enterprise.repositories r ON + z.repository_id = r.id +JOIN github_enterprise.users u ON + r.owner_id = u.id +ORDER BY + last_update DESC; \ No newline at end of file