added nats sdk

[vijeyash1]

No description provided.

[dryrunsecurity]

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Configured Codepaths Analyzer	✅	0 findings
Sensitive Files Analyzer	✅	0 findings
Authn/Authz Analyzer	❕	6 findings
AppSec Analyzer	✅	0 findings
Secrets Analyzer	✅	0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request focus on improving the security and reliability of the Kubviz application, a Kubernetes monitoring and observability tool. The changes primarily involve updating the NATS messaging system integration, enhancing error handling, and improving the testability of various plugins and components.

Key security-related improvements include:

1. Replacing the direct use of the github.com/nats-io/nats.go package with a custom NATS SDK (github.com/intelops/kubviz/pkg/nats/sdk) to provide a more secure and abstracted NATS client integration.
2. Improving error handling and logging throughout the codebase to ensure that errors are properly reported and do not expose sensitive information.
3. Introducing mocking and testing frameworks to improve the testability of security-sensitive components, such as the Trivy vulnerability scanner integration and the Rakkess resource access checker.
4. Enhancing the handling of Kubernetes resources, such as ensuring that all resources are properly discovered and that namespace-less resources are handled correctly.
5. Improving the security of the Trivy SBOM (Software Bill of Materials) generation and publication to the NATS messaging system.

Overall, the changes in this pull request demonstrate a strong focus on application security and reliability, which is essential for a Kubernetes monitoring and observability tool like Kubviz.

Files Changed:

1. agent/kubviz/plugins/ketall/ketall_test.go: Updates the ketall package tests to use the custom NATS SDK and introduces mock implementations for Kubernetes client interfaces.
2. agent/kubviz/k8smetrics_agent.go: Replaces the direct use of the nats.go package with the custom NATS SDK, removes unnecessary environment variables, and improves the handling of the OpenTelemetry tracer.
3. agent/kubviz/plugins/ketall/ketall.go: Updates the ketall package to use the custom NATS SDK and improves the handling of Kubernetes resource discovery.
4. agent/kubviz/plugins/events/event_metrics_utils.go: Replaces the use of the nats.go package with the custom NATS SDK for publishing Kubernetes event metrics.
5. agent/kubviz/plugins/kubepreupgrade/kubePreUpgrade.go: Implements the functionality to detect deprecated and deleted Kubernetes APIs and publish the results to the NATS messaging system.
6. agent/kubviz/plugins/kuberhealthy/kuberhealthy.go: Updates the Kuberhealthy plugin to use the custom NATS SDK and improves the handling of Kuberhealthy metrics publication.
7. agent/kubviz/plugins/kubescore/kube_score.go: Modifies the kube-score plugin to use the custom NATS SDK and improves the handling of command execution and NATS publishing.
8. agent/kubviz/plugins/outdated/outdated.go: Updates the outdated plugin to use the custom NATS SDK and introduces improvements to the handling of image name and tag truncation.
9. agent/kubviz/plugins/rakkess/rakees_agent.go: Replaces the use of the nats.go package with the custom NATS SDK in the Rakkess (Resource Access Checker) agent.
10. agent/kubviz/plugins/trivy/trivy.go and agent/kubviz/plugins/trivy/trivy_image.go: Updates the Trivy plugin to use the custom NATS SDK and enhances the handling of Trivy scans and SBOM (Software Bill of Materials) generation.
11. pkg/nats/sdk/client.go, pkg/nats/sdk/config.go, and pkg/nats/sdk/utils.go: Implements the custom NATS SDK, including secure connection configuration, authentication, and TLS certificate handling.

Powered by DryRun Security