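from pprint import pprint

# Root logger at DEBUG; the format tags every line with module and line number
# so client-library traffic is easy to attribute.
logging.basicConfig(
    level=logging.DEBUG,
    format="[%(asctime)s] {%(module)s:%(lineno)d} %(levelname)s - %(message)s"
)

parser = argparse.ArgumentParser("Get a specific component and list its vulnerabilities")
parser.add_argument("--base-url", required=True, help="Hub server URL e.g. https://your.blackduck.url")
parser.add_argument("--token-file", dest='token_file', required=True, help="containing access token")
parser.add_argument("--no-verify", dest='verify', action='store_false', help="disable TLS certificate verification")
# The component search string used to be hard-coded; it is now a flag whose
# default reproduces the original query, so existing invocations behave the same.
parser.add_argument(
    "--component",
    dest='component',
    default="maven:commons-beanutils:commons-beanutils:1.9.3",
    help="component search string passed as the 'q' parameter (default: %(default)s)",
)
args = parser.parse_args()

# Only the first line of the token file is used; trailing whitespace is dropped.
with open(args.token_file, 'r') as tf:
    access_token = tf.readline().strip()
if not access_token:
    # Fail here with a clear message instead of sending an empty bearer token.
    parser.error(f"no access token found in {args.token_file}")

if not args.verify:
    # The bearer token travels over an unverified TLS channel in this mode;
    # make the downgrade visible in the log rather than silent.
    logging.warning("TLS certificate verification is disabled (--no-verify)")

bd = Client(base_url=args.base_url, token=access_token, verify=args.verify)

params = {
    'q': [args.component]
}
search_results = bd.get_items("/api/components", params=params)

for result in search_results:
    pprint(result)
    print(f"{result['componentName']} {result['versionName']}")
    # Each hit carries a link to its component-version resource; that resource
    # is what exposes the 'vulnerabilities' sub-resource we list below.
    url = result['version']
    component_version = bd.get_json(url)
    for vulnerability in bd.get_resource('vulnerabilities', component_version):
        print(vulnerability['name'])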
bd = Client(base_url=args.base_url, token=access_token, verify=args.verify)

# WARNING:
# The in-use license listing below relies on an internal, un-supported API
# endpoint and therefore could break in future versions of Black Duck.
# This script was tested with BD v2021.8.2.
#
# An ER has been filed in Synopsys Jira ticket HUB-26144 to make an
# in-use filter part of a public endpoint for retrieving licenses.
INUSE_LICENSES_PATH = "/api/internal/composite/licenses?filter=inUse:true"
inuse_licenses_url = f"{bd.base_url}{INUSE_LICENSES_PATH}"

# The internal endpoint only answers to this vendor-specific media type.
headers = {'Accept': 'application/vnd.blackducksoftware.internal-1+json'}

# Index the in-use licenses by name. If two entries share a name the later one
# wins, which matches what a dict comprehension over the same items would do.
inuse_licenses_d = {}
for lic in bd.get_items(inuse_licenses_url, headers=headers):
    inuse_licenses_d[lic['name']] = lic

# Output column headings, in the order they are emitted.
columns = [
    'License Name',
    'License Family',
    'License Approval Status',
    'License Source',
    'License Ownership',
    'Components Using License',
    'Last Updated',
    'Last Status Update',
    'Status Updated By',
    'Created At',
    'Created By',
]
required=True, help="containing access token") parser.add_argument("--no-verify", dest='verify', action='store_false', help="disable TLS certificate verification") parser.add_argument( "cpe_id", help= "Provide a CPE (2.2 or 2.3 xml format) ID - e.g. \"cpe:2.3:a:apache:log4j:2.11.1:-:*:*:*:*:*:*\" To get a complete dictionary of CPE IDs go to the NIST site, https://nvd.nist.gov/products/cpe" ) args = parser.parse_args() logging.basicConfig(format='%(asctime)s:%(levelname)s:%(message)s', stream=sys.stderr, level=logging.DEBUG) logging.getLogger("requests").setLevel(logging.WARNING) logging.getLogger("urllib3").setLevel(logging.WARNING) logging.getLogger("blackduck").setLevel(logging.WARNING) with open(args.token_file, 'r') as tf: access_token = tf.readline().strip() bd = Client(base_url=args.base_url, token=access_token, verify=args.verify) cpes = [cpe for cpe in bd.get_items(f"/api/cpes?q={args.cpe_id}")] if cpes: for cpe in cpes: cpe['cpe-origins'] = [o for o in bd.get_resource("cpe-origins", cpe)] cpe['cpe-versions'] = [v for v in bd.get_resource("cpe-versions", cpe)] print(json.dumps(cpes))
} try: r = bd.session.post("/api/projects", json=project_data) r.raise_for_status() print(f"created project {r.links['project']['url']}") except requests.HTTPError as err: # more fine grained error handling here; otherwise: bd.http_error_handler(err) # GET params = { 'q': [f"name:{project_name}"] } project_url = None for project in bd.get_items("/api/projects", params=params): if project['name'] == project_name: project_url = bd.list_resources(project)['href'] print(f"project url: {project_url}") # PUT project_data = { 'name': project_name, 'description': "a different description" } try: r = bd.session.put(project_url, json=project_data) r.raise_for_status() print("updated project") except requests.HTTPError as err: