Exemplo n.º 1
from pprint import pprint

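# Log everything at DEBUG; the format carries module:line so requests issued
# by the client library can be traced back to the calling statement.
logging.basicConfig(
    level=logging.DEBUG,
    format="[%(asctime)s] {%(module)s:%(lineno)d} %(levelname)s - %(message)s"
)

# Command-line interface.
# NOTE: ArgumentParser's first positional parameter is `prog`, not
# `description`; passing the summary positionally made it replace the program
# name in the usage line, so it is passed as description= instead.
parser = argparse.ArgumentParser(
    description="Get a specific component and list its vulnerabilities"
)
parser.add_argument("--base-url", required=True, help="Hub server URL e.g. https://your.blackduck.url")
# The bearer token is read from a file rather than taken as a flag value, so it
# does not end up in shell history or the process list.
parser.add_argument("--token-file", dest='token_file', required=True, help="containing access token")
# verify=False skips TLS peer authentication: anyone on the network path can
# then read the bearer token sent with every request. Prefer trusting the
# server's CA certificate over disabling verification.
parser.add_argument("--no-verify", dest='verify', action='store_false', help="disable TLS certificate verification")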
# Parse the command line, load the bearer token and build the API client.
args = parser.parse_args()

# Only the first line of the token file is used, with the trailing newline and
# any surrounding whitespace removed.
with open(args.token_file) as token_fh:
    access_token = token_fh.readline().strip()

bd = Client(
    base_url=args.base_url,
    token=access_token,
    verify=args.verify,  # False only when --no-verify was given
)

# Look up a component by external id (the query string here is a Maven
# coordinate) and print the vulnerabilities recorded for the matching version.
params = {
    'q': ["maven:commons-beanutils:commons-beanutils:1.9.3"]
}
for hit in bd.get_items("/api/components", params=params):
    pprint(hit)
    print(f"{hit['componentName']} {hit['versionName']}")
    # 'version' holds the URL of the component-version resource.
    version_url = hit['version']
    version_json = bd.get_json(version_url)

    # Walk the version's 'vulnerabilities' sub-resource and print each name.
    for vuln in bd.get_resource('vulnerabilities', version_json):
        print(vuln['name'])
Exemplo n.º 2
bd = Client(base_url=args.base_url, token=access_token, verify=args.verify)

# WARNING:
#   This uses an internal, un-supported API endpoint (see below)
#   and therefore could break in future versions of Black Duck.
#   This script was tested with BD v2021.8.2.
#
# An ER has been filed in Synopsys Jira ticket HUB-26144 to make a
# in-use filter part of a public endpoint for retrieving licenses

# Licenses currently in use, keyed by license name. `headers` carries the
# Accept media type the internal endpoint is requested with.
inuse_licenses_url = f"{bd.base_url}/api/internal/composite/licenses?filter=inUse:true"
headers = {'Accept': 'application/vnd.blackducksoftware.internal-1+json'}
inuse_licenses_d = {lic['name']: lic for lic in bd.get_items(inuse_licenses_url, headers=headers)}

# Report column headings, in output order.
columns = [
    'License Name', 'License Family', 'License Approval Status',
    'License Source', 'License Ownership', 'Components Using License',
    'Last Updated', 'Last Status Update', 'Status Updated By',
    'Created At', 'Created By',
]
                    required=True,
                    help="containing access token")
# TLS verification stays on unless --no-verify is given (args.verify -> False).
# Disabling it sends the bearer token to a peer that has not been authenticated.
parser.add_argument(
    "--no-verify", dest='verify', action='store_false',
    help="disable TLS certificate verification",
)
# Required positional: the CPE id used as the /api/cpes search term.
parser.add_argument(
    "cpe_id",
    help="Provide a CPE (2.2 or 2.3 xml format) ID - e.g. \"cpe:2.3:a:apache:log4j:2.11.1:-:*:*:*:*:*:*\" To get a complete dictionary of CPE IDs go to the NIST site, https://nvd.nist.gov/products/cpe",
)
args = parser.parse_args()

# Verbose logging to stderr for this script; the HTTP and client libraries are
# throttled to WARNING so their per-request chatter does not drown it out.
logging.basicConfig(
    format='%(asctime)s:%(levelname)s:%(message)s',
    stream=sys.stderr,
    level=logging.DEBUG,
)
for noisy_logger in ("requests", "urllib3", "blackduck"):
    logging.getLogger(noisy_logger).setLevel(logging.WARNING)

# The bearer token comes from a file (first line, stripped) so it never appears
# on the command line.
with open(args.token_file) as token_fh:
    access_token = token_fh.readline().strip()

bd = Client(base_url=args.base_url, token=access_token, verify=args.verify)

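# Search the CPE dictionary for the requested id. The id is handed to the
# client as a query parameter (as the other examples do for 'q') instead of
# being interpolated into the URL string: CPE ids contain ':' and '*', and a
# value holding '&', '#' or whitespace would otherwise change the request.
cpes = list(bd.get_items("/api/cpes", params={'q': [args.cpe_id]}))
for cpe in cpes:
    # Attach each CPE's 'cpe-origins' and 'cpe-versions' sub-resources inline.
    cpe['cpe-origins'] = list(bd.get_resource("cpe-origins", cpe))
    cpe['cpe-versions'] = list(bd.get_resource("cpe-versions", cpe))
print(json.dumps(cpes))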
Exemplo n.º 4
}

# POST the project representation; a non-2xx reply is routed through the
# client's HTTP error handler, otherwise the new project's URL is printed.
try:
    r = bd.session.post("/api/projects", json=project_data)
    r.raise_for_status()
except requests.HTTPError as err:
    # more fine grained error handling here; otherwise:
    bd.http_error_handler(err)
else:
    print(f"created project {r.links['project']['url']}")

# GET
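# Find the project by name. The server-side q filter may return more than an
# exact match, so the loop compares the name itself before accepting a hit.
params = {
    'q': [f"name:{project_name}"]
}
project_url = None
for project in bd.get_items("/api/projects", params=params):
    if project['name'] == project_name:
        project_url = bd.list_resources(project)['href']
        print(f"project url: {project_url}")
# Fail here with a clear message rather than later with a request to a None
# URL: the PUT below reuses project_url.
if project_url is None:
    raise SystemExit(f"no project named {project_name!r} found")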

# PUT
# Representation sent with the PUT below; only the description changes.
project_data = dict(name=project_name, description="a different description")

try:
    r = bd.session.put(project_url, json=project_data)
    r.raise_for_status()
    print("updated project")
except requests.HTTPError as err: