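from urllib.parse import quote

# Root logger at DEBUG so the Client's HTTP traffic is visible while
# developing against the hub. NOTE(review): confirm the client does not echo
# the access token / Authorization header at this level before sharing logs.
logging.basicConfig(
    level=logging.DEBUG,
    format="[%(asctime)s] {%(module)s:%(lineno)d} %(levelname)s - %(message)s",
)

# ArgumentParser's first positional parameter is ``prog`` (the program name
# printed in the usage line); the one-line summary belongs in ``description``.
parser = argparse.ArgumentParser(
    description="Get a single vulnerability by id")
parser.add_argument("--base-url", required=True,
                    help="Hub server URL e.g. https://your.blackduck.url")
parser.add_argument("--token-file", dest='token_file', required=True,
                    help="containing access token")
# Opt-out switch: stores False into ``args.verify``; the default (True) keeps
# TLS certificate verification enabled for the hub connection.
parser.add_argument("--no-verify", dest='verify', action='store_false',
                    help="disable TLS certificate verification")
parser.add_argument("--vulnerability",
                    help="vulnerability id e.g. CVE-2016-4009 or BDSA-2014-0129")
args = parser.parse_args()
if not args.vulnerability:
    # Without an id the request path would literally end in "/None".
    parser.error("--vulnerability is required")

# Only the first line is read, so a trailing newline in the token file is
# harmless; an empty file would otherwise hand Client an empty token.
with open(args.token_file, 'r') as tf:
    access_token = tf.readline().strip()
if not access_token:
    parser.error(f"token file {args.token_file} is empty")

bd = Client(base_url=args.base_url, token=access_token, verify=args.verify)

# The id comes from the command line; percent-encode it so it can only ever
# name one path segment. Ids such as CVE-2016-4009 are unchanged by quote().
vulnerability = bd.get_json(
    f"/api/vulnerabilities/{quote(args.vulnerability, safe='')}")
print(f"Details about {vulnerability['name']}")
pprint(vulnerability)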
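from pprint import pprint

# Root logger at DEBUG so the Client's HTTP traffic is visible while
# developing against the hub. NOTE(review): confirm the client does not echo
# the access token / Authorization header at this level before sharing logs.
logging.basicConfig(
    level=logging.DEBUG,
    format="[%(asctime)s] {%(module)s:%(lineno)d} %(levelname)s - %(message)s",
)

# ArgumentParser's first positional parameter is ``prog`` (the program name
# printed in the usage line); the one-line summary belongs in ``description``.
parser = argparse.ArgumentParser(
    description="Get a specific component and list its vulnerabilities")
parser.add_argument("--base-url", required=True,
                    help="Hub server URL e.g. https://your.blackduck.url")
parser.add_argument("--token-file", dest='token_file', required=True,
                    help="containing access token")
# Opt-out switch: stores False into ``args.verify``; the default (True) keeps
# TLS certificate verification enabled for the hub connection.
parser.add_argument("--no-verify", dest='verify', action='store_false',
                    help="disable TLS certificate verification")
# The search term used to be hard-coded; it is now a parameter with the
# former value as its default, so existing invocations behave the same.
parser.add_argument("--component",
                    default="maven:commons-beanutils:commons-beanutils:1.9.3",
                    help="search term sent as the components 'q' parameter, "
                         "default: maven:commons-beanutils:commons-beanutils:1.9.3")
args = parser.parse_args()

# Only the first line is read, so a trailing newline in the token file is
# harmless; an empty file would otherwise hand Client an empty token.
with open(args.token_file, 'r') as tf:
    access_token = tf.readline().strip()
if not access_token:
    parser.error(f"token file {args.token_file} is empty")

bd = Client(base_url=args.base_url, token=access_token, verify=args.verify)

# 'q' is passed as a one-element list, the same shape the original used.
params = {'q': [args.component]}
search_results = bd.get_items("/api/components", params=params)
for result in search_results:
    pprint(result)
    print(f"{result['componentName']} {result['versionName']}")
    # 'version' is a link returned by the hub; get_json is called with it
    # directly rather than with a path relative to base_url.
    url = result['version']
    component_version = bd.get_json(url)
    for vulnerability in bd.get_resource('vulnerabilities', component_version):
        print(vulnerability['name'])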
if v['versionName'] == args.version_name ] assert len( versions ) == 1, f"There should be one, and only one version named {args.version_name}. We found {len(versions)}" version = versions[0] logging.debug(f"Found {project['name']}:{version['versionName']}") all_bom_component_vulns = [] for bom_component_vuln in bd.get_resource('vulnerable-components', version): vuln_name = bom_component_vuln['vulnerabilityWithRemediation'][ 'vulnerabilityName'] vuln_source = bom_component_vuln['vulnerabilityWithRemediation']['source'] upgrade_guidance = bd.get_json( f"{bom_component_vuln['componentVersion']}/upgrade-guidance") bom_component_vuln['upgrade_guidance'] = upgrade_guidance vuln_details = bd.get_json(f"/api/vulnerabilities/{vuln_name}") bom_component_vuln['vulnerability_details'] = vuln_details if 'related-vulnerability' in bd.list_resources(vuln_details): related_vuln = bd.get_resource("related-vulnerability", vuln_details, items=False) else: related_vuln = None bom_component_vuln['related_vulnerability'] = related_vuln all_bom_component_vulns.append(bom_component_vuln) if args.csv_file:
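version = versions[0]
logging.debug("Found %s:%s", project['name'], version['versionName'])

# Keyed by "componentName:componentVersionName" (or just componentName when
# the BOM entry carries no version). A later entry with the same key replaces
# an earlier one, exactly as the original dict.update() did.
all_bom_components_lic_info = {}
for bom_component in bd.get_resource('components', version):
    if 'componentVersionName' in bom_component:
        bom_component_name = f"{bom_component['componentName']}:{bom_component['componentVersionName']}"
    else:
        # version unknown, so we default to the component name
        bom_component_name = f"{bom_component['componentName']}"

    license_info = bom_component.get('licenses', [])
    # ``lic_entry`` rather than ``license`` so the builtin is not shadowed.
    # An entry is either a single license (has a 'license' link) or a group
    # (has a 'licenses' list whose members carry their own 'license' links).
    for lic_entry in license_info:
        license_details = []
        if 'license' in lic_entry:
            # Fetch through the client's get_json, as the nested branch below
            # already does, instead of a raw bd.session.get(...).json(); every
            # license link then goes through the same request/decoding path.
            license_details.append(bd.get_json(lic_entry['license']))
        elif 'licenses' in lic_entry:
            for lic in lic_entry['licenses']:
                if 'license' in lic:
                    license_details.append(bd.get_json(lic['license']))
                else:
                    # Same message as the original; it names the enclosing
                    # group entry, not the nested member that lacked the link.
                    logging.warning("License %s had no 'license' key (aka link)",
                                    lic_entry.get('licenseDisplay', 'Unknown'))
        else:
            logging.warning("License %s had no 'license' key (aka link)",
                            lic_entry.get('licenseDisplay', 'Unknown'))
        # The fetched records are attached to the BOM license entry in place,
        # so they appear under 'license_details' in the JSON printed below.
        lic_entry['license_details'] = license_details
    all_bom_components_lic_info[bom_component_name] = license_info

print(json.dumps(all_bom_components_lic_info))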