Skip to content

Faraday Application Architecture Documentation

This document provides an overview of the Faraday application architecture. It includes the general architecture, component interactions, queue names, and flow diagrams for basic operations.

General Architecture

%%{init: {'theme': 'forest', "flowchart" : { "curve" : "basis" } } }%% graph TD subgraph "Frontend" UI[Web UI] end subgraph "Backend Services" FS[Faraday Server] WS[WebSocket Service] CW[Celery Workers] CB[Celery Broker] end subgraph "Data Storage" PG[(PostgreSQL Database)] end UI -->|HTTP/REST API| FS UI -->|WebSocket| WS FS -->|Tasks| CB CB -->|Tasks| CW CW -->|Results| FS FS -->|Store/Retrieve Data| PG FS -->|Notifications| WS WS -->|Real-time Updates| UI

Queue Architecture

%%{init: {'theme': 'forest', "flowchart" : { "curve" : "basis" } } }%% graph LR subgraph "Message Queues" VQ[Vulnerability Queue] RQ[Reports Queue] WQ[WebSocket Queue] end subgraph "Producers" FS[Faraday Server] end subgraph "Consumers" VW[Vulnerability Worker] RW[Reports Worker] WS[WebSocket Service] end FS -->|Vulnerability Tasks| VQ FS -->|Report Generation Tasks| RQ FS -->|Notifications| WQ VQ -->|Process| VW RQ -->|Process| RW WQ -->|Broadcast| WS

Component Interactions

%%{init: {'theme': 'forest', "flowchart" : { "curve" : "basis" } } }%% sequenceDiagram participant Client as Client Browser participant FS as Faraday Server participant CB as Celery Broker participant CW as Celery Workers participant WS as WebSocket Service participant DB as PostgreSQL Database Client->>FS: HTTP Request FS->>DB: Query/Update Data FS->>CB: Enqueue Task CB->>CW: Process Task CW->>DB: Store Results CW->>FS: Task Completed FS->>WS: Send Notification WS->>Client: Real-time Update

Vulnerability Creation Flow

%%{init: {'theme': 'forest', "flowchart" : { "curve" : "basis" } } }%% sequenceDiagram participant Client as Client Browser participant FS as Faraday Server participant VQ as Vulnerability Queue participant VW as Vulnerability Worker participant DB as PostgreSQL Database participant WS as WebSocket Service Client->>FS: Create Vulnerability Request FS->>DB: Validate Request FS->>VQ: Enqueue Vulnerability Creation Task VQ->>VW: Process Vulnerability Creation VW->>DB: Store Vulnerability Data VW->>FS: Notify Task Completion FS->>WS: Send Notification WS->>Client: Update UI with New Vulnerability

Vulnerability Deletion Flow

%%{init: {'theme': 'forest', "flowchart" : { "curve" : "basis" } } }%% sequenceDiagram participant Client as Client Browser participant FS as Faraday Server participant DB as PostgreSQL Database participant WS as WebSocket Service Client->>FS: Delete Vulnerability Request FS->>DB: Check Permissions FS->>DB: Mark Vulnerability as Deleted FS->>WS: Send Deletion Notification WS->>Client: Update UI (Remove Vulnerability)

Executive Report Generation Flow

%%{init: {'theme': 'forest', "flowchart" : { "curve" : "basis" } } }%% sequenceDiagram participant Client as Client Browser participant FS as Faraday Server participant RQ as Reports Queue participant RW as Reports Worker participant DB as PostgreSQL Database participant WS as WebSocket Service Client->>FS: Request Executive Report FS->>RQ: Enqueue Report Generation Task RQ->>RW: Process Report Generation RW->>DB: Query Vulnerability Data RW->>FS: Store Generated Report FS->>WS: Send Report Ready Notification WS->>Client: Update UI with Report Link

Technology Stack

  • Frontend: Web-based UI (React.js)
  • Backend: Faraday Server (Python-based)
  • Message Broker: Celery with RabbitMQ/Redis
  • Workers: Celery Workers for asynchronous tasks
  • Real-time Communication: WebSocket service
  • Database: PostgreSQL

Queue Details

  1. Vulnerability Queue: Handles vulnerability creation, updates, and processing tasks
  2. Reports Queue: Manages executive report generation tasks
  3. WebSocket Queue: Handles real-time notifications and updates to clients

Key Processes

  1. Faraday Server: Central component that processes general operations and coordinates between different services
  2. Celery Broker: Manages task queues for asynchronous processing
  3. Celery Workers: Process vulnerability creation and other background tasks
  4. WebSocket Service: Provides real-time updates to the frontend

This architecture enables efficient handling of vulnerability management operations, with asynchronous processing for resource-intensive tasks and real-time updates for a responsive user experience.

Faraday CLI

Faraday CLI provides an interface for interacting with a terminal that allows the user to execute commands which results will be loaded inside Faraday Server. The CLI also allows the user to upload tool reports, create workspaces and configure your instance.

Faraday Agent

The Faraday Agents allows to automate the upload of different data to the server, such as integration with other applications or services; or execute some tools that the Faraday plugins can process. Moreover, the Agents can be executed on any remote computer and its Executors can be written in any language.

Burp / Zap Addons

Faraday has Burp/Zap Extensions that run inside the third party application. Using Faraday addons provides flexibility to ingress information inside Faraday Server from other applications.

Database schema

classDiagram %% Core Entities Workspace "1" -- "*" Host : contains Workspace "1" -- "*" Vulnerability : contains Workspace "1" -- "*" Service : contains Host "1" -- "*" Service : has Host "1" -- "*" Vulnerability : has Service "1" -- "*" Vulnerability : has Vulnerability <|-- VulnerabilityWeb : extends Vulnerability <|-- VulnerabilityCode : extends %% User and Permissions User "*" -- "*" Workspace : has access to User "1" -- "*" Command : executes User "1" -- "*" Comment : creates %% Metadata and References Vulnerability "*" -- "*" Reference : has Vulnerability "*" -- "*" CVE : associated with Vulnerability "*" -- "*" Tag : tagged with Host "*" -- "*" Tag : tagged with Service "*" -- "*" Tag : tagged with %% Agents and Commands Agent "1" -- "*" AgentExecution : runs Command "1" -- "*" CommandObject : creates %% Enrichment EnrichmentCve "*" -- "*" EnrichmentCwe : associated with EnrichmentOwasp "*" -- "*" EnrichmentCwe : contains %% Class definitions class Workspace { +int id +string name +string description +bool active +bool readonly +datetime create_date +datetime update_date } class Host { +int id +int workspace_id +string name +string os +string ip +string description +string owned +string creator +datetime create_date +datetime update_date } class Service { +int id +int host_id +string name +string description +int port +string protocol +string status +string version +datetime create_date +datetime update_date } class Vulnerability { +int id +int workspace_id +int host_id +int service_id +string name +string description +string severity +string status +string resolution +string cvss2_vector_string +string cvss3_vector_string +string cvss4_vector_string +float cvss2_base_score +float cvss3_base_score +float cvss4_base_score +bool confirmed +datetime create_date +datetime update_date } class VulnerabilityWeb { +string website +string path +string method +string parameter_name +string request +string response } class VulnerabilityCode { +int source_code_id +string file_name +int line_number +string function_name } class User { +int id +string username +string password +string email +bool active +bool is_ldap +datetime create_date +datetime update_date } class Command { +int id +int workspace_id +string command +string tool +string params +string user +datetime create_date +datetime update_date } class Agent { +int id +int workspace_id +string name +string active +datetime create_date +datetime update_date } class Tag { +int id +string name +string slug } class Reference { +int id +string name +string url } class CVE { +int id +string name } class EnrichmentCve { +int id +string name +string description +string cvss2_vector_string +string cvss3_vector_string +string cvss4_vector_string +float cvss2_base_score +float cvss3_base_score +float cvss4_base_score +float epss +bool trending } class EnrichmentCwe { +int id +string name +string description +int top_position } class EnrichmentOwasp { +int id +string name +string description +date release +bool latest }

Components

Component Link
Frontend Frontend
Faraday Server Faraday Server
FaradayCli Faraday Cli
Faraday Agent Dispatcher Faraday Dispatcher ( Agents )
Faraday Agent Parameter Types Faraday Parameter Types
API Docs API Docs
Plugins Faraday Plugins
Burp Add-on Faraday Burp
ZAP Add-on Faraday Zap