jamesnetherton commented on code in PR #8730: URL: https://github.com/apache/camel-quarkus/pull/8730#discussion_r3356314116
########## extensions/ocsf/deployment/src/main/java/org/apache/camel/quarkus/component/ocsf/deployment/OcsfProcessor.java: ########## 
@@ -0,0 +1,69 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.camel.quarkus.component.ocsf.deployment;
+
+import io.quarkus.deployment.annotations.BuildProducer;
+import io.quarkus.deployment.annotations.BuildStep;
+import io.quarkus.deployment.builditem.CombinedIndexBuildItem;
+import io.quarkus.deployment.builditem.FeatureBuildItem;
+import io.quarkus.deployment.builditem.IndexDependencyBuildItem;
+import io.quarkus.deployment.builditem.nativeimage.ReflectiveClassBuildItem;
+import org.jboss.jandex.IndexView;
+
+class OcsfProcessor {
+
+ private static final String FEATURE = "camel-ocsf";
+
+ @BuildStep
+ FeatureBuildItem feature() {
+ return new FeatureBuildItem(FEATURE);
+ }
+
+ @BuildStep
+ IndexDependencyBuildItem registerDependencyForIndex() {
+ return new IndexDependencyBuildItem("org.apache.camel", "camel-ocsf");
+ }
+
+ @BuildStep
+ void registerForReflection(CombinedIndexBuildItem combinedIndex,
+ BuildProducer<ReflectiveClassBuildItem> reflectiveClass) {
+ IndexView index = combinedIndex.getIndex();
+
+ // Register all OCSF model classes for reflection (generated from JSON schemas)
+ String[] modelClasses = index.getKnownClasses().stream()
+ .map(ci -> ci.name().toString())
+ .filter(n -> n.startsWith("org.apache.camel.dataformat.ocsf.model"))
+ .sorted()
+ .toArray(String[]::new);
+
+ reflectiveClass.produce(ReflectiveClassBuildItem.builder(modelClasses)
+ .methods()
+ .fields()
+ .build());
+
+ // Register the OCSF DataFormat class
+ reflectiveClass.produce(ReflectiveClassBuildItem.builder("org.apache.camel.dataformat.ocsf.OcsfDataFormat")
+ .build());
Review Comment: Should not be needed.
########## extensions/ocsf/deployment/src/main/java/org/apache/camel/quarkus/component/ocsf/deployment/OcsfProcessor.java: ##########
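Review bot: The prefix filter `.filter(n -> n.startsWith("org.apache.camel.dataformat.ocsf.model"))` in `registerForReflection` has no trailing dot, so it matches any indexed class whose fully-qualified name merely begins with that string (a sibling package such as `...ocsf.modelx` would be swept in), and everything it matches is registered with all methods and fields for reflection in the native image. Anchoring the prefix to the package, `.filter(n -> n.startsWith("org.apache.camel.dataformat.ocsf.model."))`, keeps the reflection surface to the generated model package; if the Jandex version in use offers `index.getClassesInPackage(...)`, that is a more precise replacement for a string scan. It is also worth failing loudly when the scan returns nothing, e.g. `if (modelClasses.length == 0) throw new IllegalStateException("No OCSF model classes found in the Jandex index");`, since an unindexed `camel-ocsf` jar would otherwise yield a silent empty registration and, presumably, a native image whose OCSF unmarshalling only fails at runtime. `registerForReflection`'s body continues past the quoted hunk.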
@@ -0,0 +1,69 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.camel.quarkus.component.ocsf.deployment;
+
+import io.quarkus.deployment.annotations.BuildProducer;
+import io.quarkus.deployment.annotations.BuildStep;
+import io.quarkus.deployment.builditem.CombinedIndexBuildItem;
+import io.quarkus.deployment.builditem.FeatureBuildItem;
+import io.quarkus.deployment.builditem.IndexDependencyBuildItem;
+import io.quarkus.deployment.builditem.nativeimage.ReflectiveClassBuildItem;
+import org.jboss.jandex.IndexView;
+
+class OcsfProcessor {
+
+ private static final String FEATURE = "camel-ocsf";
+
+ @BuildStep
+ FeatureBuildItem feature() {
+ return new FeatureBuildItem(FEATURE);
+ }
+
+ @BuildStep
+ IndexDependencyBuildItem registerDependencyForIndex() {
+ return new IndexDependencyBuildItem("org.apache.camel", "camel-ocsf");
+ }
+
+ @BuildStep
+ void registerForReflection(CombinedIndexBuildItem combinedIndex,
+ BuildProducer<ReflectiveClassBuildItem> reflectiveClass) {
+ IndexView index = combinedIndex.getIndex();
+
+ // Register all OCSF model classes for reflection (generated from JSON schemas)
+ String[] modelClasses = index.getKnownClasses().stream()
+ .map(ci -> ci.name().toString())
+ .filter(n -> n.startsWith("org.apache.camel.dataformat.ocsf.model"))
+ .sorted()
+ .toArray(String[]::new);
+
+ reflectiveClass.produce(ReflectiveClassBuildItem.builder(modelClasses)
+ .methods()
+ .fields()
+ .build());
+
+ // Register the OCSF DataFormat class
+ reflectiveClass.produce(ReflectiveClassBuildItem.builder("org.apache.camel.dataformat.ocsf.OcsfDataFormat")
+ .build());
+
+ // Register Jackson classes needed for OCSF
+ reflectiveClass.produce(ReflectiveClassBuildItem.builder("com.fasterxml.jackson.databind.JsonNode")
+ .build());
+ reflectiveClass.produce(
+ ReflectiveClassBuildItem.builder("com.fasterxml.jackson.datatype.jsr310.JavaTimeModule")
+ .build());
Review Comment: If you add a dependency on `quarkus-jackson`, this code can probably be removed.
########## extensions/ocsf/deployment/src/main/java/org/apache/camel/quarkus/component/ocsf/deployment/OcsfProcessor.java: ##########
@@ -0,0 +1,69 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.camel.quarkus.component.ocsf.deployment;
+
+import io.quarkus.deployment.annotations.BuildProducer;
+import io.quarkus.deployment.annotations.BuildStep;
+import io.quarkus.deployment.builditem.CombinedIndexBuildItem;
+import io.quarkus.deployment.builditem.FeatureBuildItem;
+import io.quarkus.deployment.builditem.IndexDependencyBuildItem;
+import io.quarkus.deployment.builditem.nativeimage.ReflectiveClassBuildItem;
+import org.jboss.jandex.IndexView;
+
+class OcsfProcessor {
+
+ private static final String FEATURE = "camel-ocsf";
+
+ @BuildStep
+ FeatureBuildItem feature() {
+ return new FeatureBuildItem(FEATURE);
+ }
+
+ @BuildStep
+ IndexDependencyBuildItem registerDependencyForIndex() {
+ return new IndexDependencyBuildItem("org.apache.camel", "camel-ocsf");
+ }
Review Comment: Not needed as all Camel component dependencies have a Jandex index.
########## extensions/ocsf/runtime/src/main/doc/configuration.adoc: ##########
@@ -0,0 +1,3 @@
+Beyond the standard Camel OCSF DataFormat options, the Quarkus extension does not add any additional configuration options.
+
+Refer to the xref:{cq-camel-components}:dataformats:ocsf-dataformat.adoc[Camel OCSF DataFormat documentation] for all available options.
Review Comment: Might be best to remove this file. Doesn't really add any value.
########## extensions/ocsf/runtime/src/main/doc/usage.adoc: ##########
@@ -0,0 +1,86 @@
+The OCSF (Open Cybersecurity Schema Framework) extension provides support for marshalling and unmarshalling security events following the OCSF specification.
+
+== Basic Usage
+
+=== Marshalling OCSF Events
+
+[source,java]
+----
+from("direct:start")
+ .marshal().ocsf()
+ .to("kafka:security-events");
+----
+
+=== Unmarshalling OCSF Events
+
+[source,java]
+----
+from("kafka:security-events")
+ .unmarshal().ocsf()
+ .to("direct:process");
+----
+
+=== Unmarshalling to a Specific Event Class
+
+[source,java]
+----
+from("kafka:security-events")
+ .unmarshal().ocsf(DetectionFinding.class)
+ .to("direct:process");
+----
+
+== Supported OCSF Event Classes
+
+This extension includes support for 34 OCSF event classes including:
+
+* *Findings*: `DetectionFinding`, `SecurityFinding`, `VulnerabilityFinding`, `ComplianceFinding`
+* *System Activity*: `FileActivity`, `ProcessActivity`, `KernelActivity`, `MemoryActivity`
+* *Network Activity*: `NetworkActivity`, `HttpActivity`, `DnsActivity`, `SshActivity`
+* *IAM*: `Authentication`, `AuthorizeSession`, `AccountChange`, `GroupManagement`
+* *Application Activity*: `ApiActivity`, `DatastoreActivity`, `WebResourcesActivity`
+
+All event classes extend `OcsfEvent` which provides common attributes like `time`, `severity_id`, `class_uid`, and `metadata`.
+
+== Example: Creating a Detection Finding
+
+[source,java]
+----
+import org.apache.camel.dataformat.ocsf.model.DetectionFinding;
+import org.apache.camel.dataformat.ocsf.model.FindingInfo;
+import org.apache.camel.dataformat.ocsf.OcsfConstants;
+
+DetectionFinding finding = new DetectionFinding();
+finding.setActivityId(OcsfConstants.ACTIVITY_CREATE);
+finding.setSeverityId(OcsfConstants.SEVERITY_HIGH);
+finding.setTime(System.currentTimeMillis());
+finding.setIsAlert(true);
+
+FindingInfo info = new FindingInfo();
+info.setTitle("Malware Detection");
+info.setDesc("Potential malware detected on endpoint");
+finding.setFindingInfo(info);
+
+from("direct:start")
+ .setBody(constant(finding))
+ .marshal().ocsf()
+ .to("splunk-hec:...");
+----
+
+== Native Mode Support
+
+The OCSF extension fully supports native mode compilation. All OCSF model classes are automatically registered for reflection during the build process.
+
+== Using with AWS Security Hub
Review Comment: We should probably remove this section as aws-securityhub is not yet supported.
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
