def GetBuildsData(app_id, sandbox_id): buildlist = [] for i in range(3): try: response = requests.get( api_base + "/getbuildlist.do?app_id=%s&sandbox_id=%s" % (app_id, sandbox_id), auth=RequestsAuthPluginVeracodeHMAC(), headers=veracode_headers) break except Exception as e: print(str(e) + ": Error caused for getbuildlist.do API") buidlist = ElementTree.fromstring(response.content) for i in reversed(buidlist): for j in range(3): try: response = requests.get( api_base + "/getbuildinfo.do?app_id=%s&build_id=%s&sandbox_id=%s" % (app_id, i.attrib['build_id'], sandbox_id), auth=RequestsAuthPluginVeracodeHMAC(), headers=veracode_headers) break except Exception as e: print(str(e) + ": Error caused for getbuildinfo.do API") buildinfo = ElementTree.fromstring(response.content) for k in buildinfo: if k.attrib['results_ready'] == 'true': buildlist.append(i.attrib['build_id']) print("Total builds: %d" % len(buildlist)) return buildlist
def _rest_request(self, url, method, params=None): # base request method for a REST request if method not in ["GET", "POST"]: raise VeracodeAPIError("Unsupported HTTP method") try: session = requests.Session() session.mount(self.base_rest_url, HTTPAdapter(max_retries=3)) request = requests.Request(method, self.base_rest_url + url, params=params, auth=RequestsAuthPluginVeracodeHMAC(), headers={"User-Agent": "api.py"}) prepared_request = request.prepare() r = session.send(prepared_request, proxies=self.proxies) if r.status_code == 500 or r.status_code == 504: time.sleep(1) r = requests.Request(method, url, params=params, auth=RequestsAuthPluginVeracodeHMAC()) if not r.ok: print("Error retrieving data. HTTP status code: {}".format( r.status_code)) if r.status_code == 401: print( "Check that your Veracode API account credentials are correct." ) raise requests.exceptions.RequestException() else: return r.json() except requests.exceptions.RequestException as e: logging.exception("Connection error") raise VeracodeAPIError(e)
def get_findings(guid, app, found_after, modified_after): all_findings = [] app_base_uri = base_uri + "/{}" uri = app_base_uri.format(guid) response = requests.get(uri, auth=RequestsAuthPluginVeracodeHMAC()) if not response.ok: print("Error retrieving application data. HTTP status code: {}".format( response.status_code)) raise requests.exceptions.RequestException() page_data = response.json() findings_uri = page_data.get('_links', {}).get('findings', {}).get('href') if found_after: findings_uri = "{}&found_after={}".format(findings_uri, found_after) if modified_after: findings_uri = "{}&modified_after={}".format(findings_uri, modified_after) page = 0 more_pages = True print("Retrieving findings for application: {}".format(app)) uri = findings_uri while more_pages: response = requests.get(uri, auth=RequestsAuthPluginVeracodeHMAC()) if not response.ok: if response.status_code == 401: print( "Check that your Veracode API account credentials are correct." ) if response.status_code != 404: print("API Failure: URI {} Response Code {} Response Info {}". format(uri, response.status_code, response.content)) raise requests.exceptions.RequestException() page_data = response.json() total_pages = page_data.get('page', {}).get('total_pages', 0) findings_page = page_data.get('_embedded', {}).get('findings', []) all_findings += findings_page page += 1 more_pages = page < total_pages if "&page=" not in findings_uri: findings_uri = findings_uri + "&page={}" uri = findings_uri.format(page) return all_findings
def scan_now(self, scan_name): # Get Scan metadata and the current schedule details log.info("Updating scan named '%s' to scan ASAP", scan_name) (analysis_summary, scan_details, analysis_details, latest_occurrence, audit_data) = self.get_analysis(scan_name, export=False, recurse=True) scan_id = scan_details["_embedded"]["scans"][0]["scan_id"] current_schedule = analysis_details["schedule"] log.debug("Current Scan Schedule: %s", json.dumps(current_schedule)) url = analysis_details["_links"]["self"]["href"] # Build schedule structure schedule_data = {"schedule": {"now": True, "duration": { "length": 3, "unit": "DAY" }}} log.debug("New schedule data: %s", schedule_data) # Send scan config update REST call parm = "?method=PATCH" url = url + parm log.info("Updating scan by sending a PUT request to %s", url) log.debug("PUT Body: " + json.dumps(schedule_data, sort_keys=True, indent=4)) response = requests.put(url, auth=RequestsAuthPluginVeracodeHMAC(), headers=self.headers, json=schedule_data, verify=verifyCert) if response.ok: log.info("Successful response: %s", str(response)) return response else: log.error("Request to update scan schedule failed with %s code: %s", response.status_code, response.text) sys.exit(1)
def set_scanner_variable(verbose, key, value): """Creates a new scanner variable with the passed reference key and value. Note that this example uses a POST - use a PUT on /scanner_variables/{id} if you wish to maintain the id. This example only creates a variable with a specified reference key, but it is optional - if not passed selenium scripts will need to reference the value by id, for example ${5868c121991c64a90ef97f8709649086}.""" if not value: # obligatory XKCD reference: https://xkcd.com/936/ value = "correct horse battery staple" if not key: key = "PASSWORD" print(f"Setting scanner variable {key}") request_body = { "description": "Example variable", "reference_key": key, "value": value } if verbose: print(f"Sending {json.dumps(request_body)}") response = requests.post(api_base + "/scanner_variables", auth=RequestsAuthPluginVeracodeHMAC(), headers=headers, json=request_body) if verbose and response.ok: data = response.json() print(data) if not response.ok: print(f"Error setting scanner variable: {str(response)}") data = response.json() print(data)
def _request(self, url, method, params=None): # base request method for XML APIs, handles what little error handling there is around these APIs if method not in ["GET", "POST"]: raise VeracodeAPIError("Unsupported HTTP method") try: session = requests.Session() session.mount(self.baseurl, HTTPAdapter(max_retries=3)) request = requests.Request(method, url, params=params, auth=RequestsAuthPluginVeracodeHMAC(), headers={"User-Agent": "api.py"}) prepared_request = request.prepare() r = session.send(prepared_request, proxies=self.proxies) if 200 >= r.status_code <= 299: if r.content is None: logging.debug( "HTTP response body empty:\r\n{}\r\n{}\r\n{}\r\n\r\n{}\r\n{}\r\n{}\r\n" .format(r.request.url, r.request.headers, r.request.body, r.status_code, r.headers, r.content)) raise VeracodeAPIError("HTTP response body is empty") else: return r.content else: logging.debug( "HTTP error for request:\r\n{}\r\n{}\r\n{}\r\n\r\n{}\r\n{}\r\n{}\r\n" .format(r.request.url, r.request.headers, r.request.body, r.status_code, r.headers, r.content)) raise VeracodeAPIError("HTTP error: {}".format(r.status_code)) except requests.exceptions.RequestException as e: logging.exception("Connection error") raise VeracodeAPIError(e)
def get_findings(guid, app): # For now, findings do not show compliance against the policy. Need a new API link to view results against policy all_findings = [] base_findings_uri = base_uri + "/{}/findings?page={}" page = 0 more_pages = True print("Retrieving findings for application: {}".format(app)) while more_pages: uri = base_findings_uri.format(guid, page) response = requests.get(uri, auth=RequestsAuthPluginVeracodeHMAC()) if not response.ok: print( "Error retrieving findings for application GUID {}. HTTP status code: {}" .format(guid, response.status_code)) if response.status_code == 401: print( "Check that your Veracode API account credentials are correct." ) raise requests.exceptions.RequestException() page_data = response.json() total_pages = page_data.get('page', {}).get('total_pages', 0) findings_page = page_data.get('_embedded', {}).get('findings', []) all_findings += findings_page page += 1 more_pages = page < total_pages - 1 return all_findings
def _upload_request(self, url, filename, params=None): try: files = {'file': open(filename, 'rb')} r = requests.post(url, auth=RequestsAuthPluginVeracodeHMAC( self.api_key_id, self.api_key_secret), files=files, params=params, proxies=self.proxies) if 200 >= r.status_code <= 299: if r.content is None: logging.debug( "HTTP response body empty:\r\n{}\r\n{}\r\n{}\r\n\r\n{}\r\n{}\r\n{}\r\n" .format(r.request.url, r.request.headers, r.request.body, r.status_code, r.headers, r.content)) raise VeracodeAPIError("HTTP response body is empty") else: return r.content else: logging.debug( "HTTP error for request:\r\n{}\r\n{}\r\n{}\r\n\r\n{}\r\n{}\r\n{}\r\n" .format(r.request.url, r.request.headers, r.request.body, r.status_code, r.headers, r.content)) raise VeracodeAPIError("HTTP error: {}".format(r.status_code)) except requests.exceptions.RequestException as e: logging.exception("Connection error") raise VeracodeAPIError(e)
def _get_request(self, url, params=None): try: r = requests.get(url, params=params, auth=RequestsAuthPluginVeracodeHMAC(), proxies=self.proxies) if 200 >= r.status_code <= 299: if r.content is None: logging.debug( "HTTP response body empty:\r\n{}\r\n{}\r\n{}\r\n\r\n{}\r\n{}\r\n{}\r\n" .format(r.request.url, r.request.headers, r.request.body, r.status_code, r.headers, r.content)) raise VeracodeAPIError("HTTP response body is empty") else: return r.content else: logging.debug( "HTTP error for request:\r\n{}\r\n{}\r\n{}\r\n\r\n{}\r\n{}\r\n{}\r\n" .format(r.request.url, r.request.headers, r.request.body, r.status_code, r.headers, r.content)) raise VeracodeAPIError("HTTP error: {}".format(r.status_code)) except requests.exceptions.RequestException as e: logging.exception("Connection error") raise VeracodeAPIError(e)
def export(self, data_dir): page_num = 0 total_pages = 0 done = False apps = [] while (not done): data = self.get_paged_app_data(RequestsAuthPluginVeracodeHMAC(), page_num) JsonExport.saveFormatted(data, data_dir + "Data"+str(page_num)) try: total_pages = data["page"]["total_pages"] log.info("Got page %d of %d", page_num+1, total_pages) for app in data["_embedded"]["applications"]: log.debug("Got app data for profile %s", app["profile"]["name"]) apps.append(app) page_num = page_num + 1 if (page_num >= total_pages): done = True except KeyError as e: # TODO: Handle Key Error exception properly log.debug("KeyError exception: %s", e) done = True self.to_string(apps[0], f"App 1 of {len(apps)}") json_file_base = data_dir + "Apps" JsonExport.saveFormatted(apps, json_file_base) log.info("Saved %d Veracode App Profiles to %s.json", len(apps), json_file_base)
def get(self, context, **options): """ Return get response """ url = self.quote(self.createPath(self.host, context)) headers = self.headers headers['Content-Type'] = options.get('contentType', None) headers['Accept'] = options.get('contentType', None) try: logging.debug('[get] url = "%s"' % url) response = requests.get(url, auth=RequestsAuthPluginVeracodeHMAC( api_key_id=self.api_key_id, api_key_secret=self.api_key_secret), headers=headers) logging.debug('[get] response...') logging.debug(response) except requests.RequestException as e: logging.error('[get] url = "%s" request failed' % url) logging.error(e) raise e return response.status_code, response.content
def get_apps(): all_apps = [] apps_base_uri = base_uri + "?page={}" page = 0 more_pages = True print("Retrieving applications list") while more_pages: uri = apps_base_uri.format(page) response = requests.get(uri, auth=RequestsAuthPluginVeracodeHMAC()) if not response.ok: print("Error retrieving application data. HTTP status code: {}". format(response.status_code)) if response.status_code == 401: print( "Check that your Veracode API account credentials are correct." ) raise requests.exceptions.RequestException() page_data = response.json() total_pages = page_data.get('page', {}).get('total_pages', 0) apps_page = page_data.get('_embedded', {}).get('applications', []) all_apps += apps_page page += 1 more_pages = page < total_pages - 1 return all_apps
def make_api_call(url): try: return requests.get(url, auth=RequestsAuthPluginVeracodeHMAC(), headers=headers) except requests.RequestException as e: print("Whoops!") print(e) sys.exit(1)
def http_get(uri): if cmdsettings.verbose: print(f"URI: {uri}") response = requests.get(uri, auth=RequestsAuthPluginVeracodeHMAC(), headers=headers) # Error handling if response.status_code == 200: print("successfully request.") return response
def delete_scanner_variable(verbose, scanner_variable_id): """Deletes the specified scanner variable by id (example '5868c121991c64a90ef97f8709649086'""" print(f"Deleting scanner variable {scanner_variable_id}") path = api_base + "/scanner_variables/" + scanner_variable_id response = requests.delete(path, auth=RequestsAuthPluginVeracodeHMAC(), headers=headers) if verbose and response.ok: print(f"Status code: {response.status_code}") if not response.ok: print(f"Error deleting scanner variable: {str(response)}") data = response.json() print(data)
def GetAppId(application_name="APPLICATION NAME"): for i in range(3): try: response = requests.get(api_base + "/getapplist.do", auth=RequestsAuthPluginVeracodeHMAC(), headers=veracode_headers) break except Exception as e: print(str(e) + ": Error caused for getapplist.do API") application_list = ElementTree.fromstring(response.content) for list in application_list: if list.attrib['app_name'] == application_name: return list.attrib['app_id'] print("Could not find Application id exiting the program") sys.exit(1)
def GetSandboxId(app_id, sandboxname): for i in range(3): try: response = requests.get(api_base + "/getsandboxlist.do?app_id=%s" % app_id, auth=RequestsAuthPluginVeracodeHMAC(), headers=veracode_headers) break except Exception as e: print(str(e) + ": Error caused for getsandboxlist.do API") sandbox_list = ElementTree.fromstring(response.content) for list in sandbox_list: if list.attrib['sandbox_name'] == sandboxname: return list.attrib['sandbox_id'] print("Could not find sandbox id exiting the program") sys.exit(1)
def __prepared_request(self, method, query, file=None): logger.debug('{}, {}, STARTED'.format(self.__end_point, query)) session = requests.Session() session.mount(self.__server, HTTPAdapter(max_retries=3)) request = requests.Request(method, self.__server, params=query, files=file, auth=RequestsAuthPluginVeracodeHMAC()) prepared_request = request.prepare() res = session.send(prepared_request) logger.debug('{}, {}, COMPLETED'.format(self.__end_point, query)) logger.info('request URL: {}'.format(res.request.path_url)) return res
def list_scanner_variables(verbose): """Lists the scanner variables that are defined at the organization level. """ print("Account-scoped scanner variables:") path = api_base + "/scanner_variables" response = requests.get(path, auth=RequestsAuthPluginVeracodeHMAC(), headers=headers) data = response.json() if verbose: print(data) if len(data["_embedded"]["scanner_variables"]) == 0: print("No variables defined.") for variable in data["_embedded"]["scanner_variables"]: print( f"{variable['reference_key']} = {variable['value']} [id = {variable['scanner_variable_id']}]" )
def __prepared_request(self, method, query, file=None): logger.debug('{}, {}, STARTED'.format(self.__end_point, query)) session = requests.Session() session.mount(self.__server, HTTPAdapter(max_retries=3)) request = requests.Request(method, self.__server, params=query, files=file, auth=RequestsAuthPluginVeracodeHMAC()) prepared_request = request.prepare() # Merge environment settings into session # This allows things like, REQUESTS_CA_BUNDLE, to be used settings = session.merge_environment_settings( prepared_request.url, {}, None, None, None) res = session.send(prepared_request, **settings) logger.debug('{}, {}, COMPLETED'.format(self.__end_point, query)) logger.info('request URL: {}'.format(res.request.path_url)) return res
def get_da_analyses(): if cmdsettings.verbose: print(f"get_da_analyses") content = None path = api_base + f"analyses" response = requests.get(path, auth=RequestsAuthPluginVeracodeHMAC(), headers=headers) if response.status_code == 200: content = response.json() if cmdsettings.verbose: print(f"status code {response.status_code}") result = response.text if result is not None: print(json.dumps(result, indent=4, sort_keys=True)) return content
def get_data_request(self, url, filename="JsonData", export=False): try: #scan_details_url = data["_embedded"]["analyses"][0]["_links"]["scans"]["href"] log.debug("Sending request to %s", url) response = requests.get(url, auth=RequestsAuthPluginVeracodeHMAC(), headers=self.headers, verify=verifyCert) if response.ok: if (export): json_file_base = data_dir + filename JsonExport.saveFormatted(response.json(), json_file_base) log.info("Saved data to %s.json", json_file_base) return response.json() else: log.error("Request for %s failed with %s code", filename, response.text) #sys.exit(1) except requests.RequestException as e: log.error("Request for %s failed.", filename) print(e)
def create_scan(self, scan_request_data): api_base="https://api.veracode.com/was/configservice/v1/analyses" try: param1 = "?run_verification=true" url= api_base + param1 log.info("Creating a new scan by sending a POST request to %s", url) log.debug("POST Body: " + json.dumps(scan_request_data, sort_keys=True, indent=4)) response = requests.post(url, auth=RequestsAuthPluginVeracodeHMAC(), headers=self.headers, json=scan_request_data, verify=verifyCert) if response.ok: log.info("Successful response: %s", str(response)) return response else: log.error("Request to create scan failed with %s code: %s", response.status_code, response.text) sys.exit(1) except requests.RequestException as e: log.error("Request for application list failed.") print(e) sys.exit(1)
def update_crawl_script(self, scan_name, crawl_script_filename): # Get Scan metadata and details log.info("Updating crawl script for scan named '%s' from %s", scan_name, crawl_script_filename) (analysis_summary, scan_details, analysis_details, latest_occurrence, audit_data) = self.get_analysis(scan_name, export=False, recurse=True) log.debug("Scan Details: %s", scan_details) scan_id = scan_details["_embedded"]["scans"][0]["scan_id"] url = scan_details["_embedded"]["scans"][0]["_links"]["scan_config"]["href"] #log.debug("Analysis Details: %s", analysis_details) # Get crawl script data log.debug("Reading crawl script data from %s", crawl_script_filename) f = open(crawl_script_filename, "r") crawl_script_data = f.read() # Build JSON body to send log.debug("New crawl script data: %s", crawl_script_data) scan_config = {} scan_config["crawl_configuration"] = \ { "scripts": [ \ { "crawl_script_data":{ \ "script_body": crawl_script_data, \ "script_type": "SELENIUM" \ }\ }], \ "disabled": False \ } # Send scan config update REST call parm = "&method=PATCH" # using "&" because url already has a parameter url = url + parm log.info("Updating scan %s by sending a PUT request to %s", scan_name, url) log.debug("PUT Body: " + json.dumps(scan_config, sort_keys=True, indent=4)) response = requests.put(url, auth=RequestsAuthPluginVeracodeHMAC(), headers=self.headers, json=scan_config, verify=verifyCert) if response.ok: log.info("Successful response: %s", str(response)) return response else: log.error("Request to update crawl script failed with %s code: %s", response.status_code, response.text) sys.exit(1)
def get_da_platform_applications(application_name): if cmdsettings.verbose: print(f"get_da_platform_applications(): {application_name}") content = None url = api_base + f"platform_applications" parameters = f"application_name={application_name}" response = requests.get(url, params=parameters, auth=RequestsAuthPluginVeracodeHMAC(), headers=headers) if response.status_code == 200: content = response.json() if cmdsettings.verbose: print(f"status code {response.status_code}") result = response.text if result is not None: print(json.dumps(result, indent=4, sort_keys=True)) return content
def main(): parser = argparse.ArgumentParser( description='This script deletes a Sandbox if you have appropriate permissions - Note: this is not undoable') parser.add_argument('-a', '--app', help='App name to delete sandbox in',required=True) parser.add_argument('-s', '--sandbox', default="", help='Sandbox name to delete',required=True) args = parser.parse_args() data = VeracodeAPI().get_app_list() results = etree.fromstring(data) found = False for app in results: if (app.attrib["app_name"] == args.app) and (args.sandbox != ""): sandbox_list=VeracodeAPI().get_sandbox_list(app.attrib["app_id"]) sandboxes = etree.fromstring(sandbox_list) for sandbox in sandboxes: if sandbox.attrib["sandbox_name"] == args.sandbox: found = True try: response = requests.get(api_target, auth=RequestsAuthPluginVeracodeHMAC(), headers={"User-Agent": "api.py"},params={'sandbox_id': sandbox.attrib["sandbox_id"]}) except requests.RequestException as e: print("Error occured") print(e) sys.exit(1) if response.ok: print("Sandbox deleted") exit(0) else: print(response.status_code) exit(1) else: print ('Sandbox: '+args.sandbox+' of app: '+args.app+' not found!') exit(1) if (not found): print ('App: '+args.app+' with sandbox: '+args.sandbox+' does not exist') exit(1)
def patch_update_analysis(analysis_id, json_payload): bReturn = False if cmdsettings.verbose: print("patch_update_analysis") print(json_payload) if cmdsettings.dry_run is False: scan_path = api_base + "analyses/" + analysis_id + "?method=PATCH" response = requests.put(scan_path, auth=RequestsAuthPluginVeracodeHMAC(), headers=headers, json=json.loads(json_payload)) if cmdsettings.verbose: print(f"status code: {response.status_code}") content = response.text if content is not None: print("content:" + content) if response.status_code == 204: bReturn = True return bReturn
import sys import json import requests from veracode_api_signing.plugin_requests import RequestsAuthPluginVeracodeHMAC api_base = "https://api.veracode.com/srcclr/v3" headers = {"User-Agent": "Create Workspace Example"} if __name__ == "__main__": try: response = requests.put( api_base + "/workspaces/87ede3a7-941d-4442-beee-2e122de58f1d/teams/84132", auth=RequestsAuthPluginVeracodeHMAC(), headers=headers) except requests.RequestException as e: print("Failed...") print(e) sys.exit(1) if response.ok: print(response.status_code) else: print(response.status_code) print(response.content)
import sys import requests from veracode_api_signing.plugin_requests import RequestsAuthPluginVeracodeHMAC api_base = "https://api.veracode.com/srcclr/v3" headers = {"User-Agent": "Get Workspaces Example"} if __name__ == "__main__": try: response = requests.get(api_base + "/workspaces", auth=RequestsAuthPluginVeracodeHMAC(), headers=headers) except requests.RequestException as e: print("Failed...") print(e) sys.exit(1) if response.ok: data = response.json() for ws in data["_embedded"]["workspaces"]: print (ws["name"] + " --- " + ws["id"]) else: print(response.status_code)
def http_request( # pylint: disable=too-many-statements *, verb: str, url: str, data: str = None, params: Dict = None, headers: Dict = None, ) -> InsecureElementTree.Element: """ Make API requests """ try: LOG.debug("Querying the %s endpoint with a %s", url, verb) if verb == "get": response = requests.get( url, params=params, headers=headers, auth=RequestsAuthPluginVeracodeHMAC(), ) if verb == "post": response = requests.post( url, data=data, params=params, headers=headers, auth=RequestsAuthPluginVeracodeHMAC(), ) LOG.debug("Received a status code of %s", response.status_code) LOG.debug("Received content of %s", response.content) if response.status_code != 200: LOG.error("Encountered an issue with the response status code") response.raise_for_status() except HTTPError as http_err: function_name = cast(types.FrameType, inspect.currentframe()).f_code.co_name LOG.error("%s encountered a HTTP error: %s", function_name, http_err) raise http_err except ConnectionError as conn_err: function_name = cast(types.FrameType, inspect.currentframe()).f_code.co_name LOG.error("%s encountered a connection error: %s", function_name, conn_err) raise conn_err except Timeout as time_err: function_name = cast(types.FrameType, inspect.currentframe()).f_code.co_name LOG.error("%s encountered a timeout error: %s", function_name, time_err) raise time_err except TooManyRedirects as redir_err: function_name = cast(types.FrameType, inspect.currentframe()).f_code.co_name LOG.error("%s encountered too many redirects: %s", function_name, redir_err) raise redir_err except RequestException as req_err: function_name = cast(types.FrameType, inspect.currentframe()).f_code.co_name LOG.error("%s encountered a request exception error: %s", function_name, req_err) raise req_err # Parse the XML response parsed_xml = parse_xml(content=response.content) return parsed_xml