def create_workspace(app_info): app_id = app_info['guid'] app_name = app_info['profile']['name'] app_teams = app_info['profile']['teams'] workspace_name = get_workspace_name(app_name) log.info('Application name "{}" will have workspace name "{}" due to workspace naming requirements'.format(app_name,workspace_name)) #check to see if workspace already exists existing_workspace = vapi().get_workspace_by_name(workspace_name) if ((existing_workspace != []) and (existing_workspace[0].get('id','') != '')): warning = "There is already a workspace named {} for application guid {}".\ format(workspace_name, app_id) log.warning(warning) print(warning) return 0 #create the workspace with the SCA API workspace_guid = vapi().create_workspace(workspace_name) #assign the teams with the SCA API if app_teams != []: for team in app_teams: team_id = team['team_id'] vapi().add_workspace_team(workspace_guid,team_id) success = "Created workspace named {} with {} teams".format(workspace_name, len(app_teams)) log.info(success)
def update_user(userinfo,role): userguid = userinfo["user_id"] # API users don't have Security Labs access, and don't try to assign to users who already have the role if check_for_api_user(userinfo): print("Skipping API user",userguid) return 0 if check_for_role(userinfo, role): print("Skipping user",userguid,"as role is already present") return 0 ignoreteamrestrictions = 0 if check_for_teams(userinfo) == 0: #check to see if we have an Ignores Team Restrictions bit if ((check_for_role(userinfo, "extseclead") == None) or (check_for_role(userinfo,"extexecutive") == None)) or (check_for_role(userinfo,"extadmin") == None): ignoreteamrestrictions = 1 if ignoreteamrestrictions == 0: print("Cannot assign role to user",userguid,"as user has no assigned teams") return 0 roles = construct_user_roles(userinfo,role) vapi().update_user(userguid,roles) print("Updated user",userguid) return 1
def get_findings(app_info, cwes: List[int], categories: List[int]): log.info('Getting findings for application {} (guid {})'.format( app_info['profile']['name'], app_info['guid'])) all_findings = [] if cwes != None: for cwe in cwes: params = {'cwe': cwe} these_findings = vapi().get_findings(app_info['guid'], scantype='DYNAMIC', annot='FALSE', request_params=params) all_findings.extend(these_findings) elif categories != None: for cat in categories: params = {'finding_category': cat} these_findings = vapi().get_findings(app_info['guid'], scantype='DYNAMIC', annot='FALSE', request_params=params) all_findings.extend(these_findings) else: these_findings = vapi().get_findings(app_info['guid'], scantype='DYNAMIC', annot='FALSE') all_findings.extend(these_findings) return all_findings
def get_incomplete_sandbox_scans(this_app_guid, this_app_id): sandboxes = vapi().get_app_sandboxes(this_app_guid) sandboxscancount = 0 for sandbox in sandboxes: log.debug( "Checking sandboxes for application guid {}".format(this_app_guid)) #check sandbox scan list, need to fall back to XML APIs for this part sandboxscancount = 0 sandboxid = sandbox.get('id') data = vapi().get_build_info( app_id=this_app_id, sandbox_id=sandboxid) #returns most recent build for sandbox builds = etree.fromstring(data) buildid = builds[0].get('build_id') log.debug("Checking application guid {}, sandbox {}, build {}".format( this_app_guid, sandboxid, buildid)) status = builds[0].get('results_ready') if status == 'false': log.info( "Status for sandbox scan {} in sandbox id {} for application {} was {}" .format(buildid, sandboxid, this_app_guid, status)) sandboxscancount += 1 return sandboxscancount
def delete_workspace(workspace): projects = get_project_count(workspace) if projects == 0: log.info("Deleting workspace {} (ID {})".format(workspace['name'],workspace['id'])) vapi().delete_workspace(workspace['id']) return 1 else: log.info("Skipping workspace {} (ID {}) with {} projects".format(workspace['name'],\ workspace['id'],projects)) return 0
def get_latest_build(guid): # Assumes last build is the one to mitigate. Need to check build status app = vapi().get_app(guid) legacy_id = app['id'] build_list = vapi().get_build_list(legacy_id) build_list_root = etree.fromstring(build_list) builds = [] for build in build_list_root: builds.append(build.get('build_id')) #builds.sort() #we can actually have builds out of order if they are created in a different order than published return builds[len(builds) - 1]
def create_team(teamname, businessunit=""): # we will check to see if we already have a team with this name and just return it, if so existingteam = find_team_named(teamname) if len(existingteam) > 0: teamguid = existingteam[0]["team_id"] log.info("Found team named {} with guid {}".format(teamname, teamguid)) return teamguid if businessunit == "": r = vapi().create_team(team_name=teamname) else: r = vapi().create_team(team_name=teamname, business_unit=businessunit) return r["team_id"]
def main(): parser = argparse.ArgumentParser( description='This script adds the specified User role for existing users. It can operate on one user ' 'or all users in the account.') parser.add_argument('-u', '--user_id', required=False, help='User ID (GUID) to update. Ignored if --all is specified.') parser.add_argument('-l', '--all', required=False, help='Set to TRUE to update all users.', default="true") parser.add_argument('-r', '--role', required=False, help='One of SECLAB (default), IDESCAN, ELEARN.', default='SECLAB') args = parser.parse_args() target_user = args.user_id all_users = args.all role = args.role if args.role == 'SECLAB': role = 'securityLabsUser' elif args.role == 'IDESCAN': role = 'greenlightideuser' elif args.role == 'ELEARN': role = 'extelearn' else: print("Role", role, "is not supported. Role must be one of SECLAB, IDESCAN, ELEARN.") return 0 # CHECK FOR CREDENTIALS EXPIRATION creds_expire_days_warning() count=0 if all_users.lower() == "true": data = vapi().get_users() print("Reviewing",len(data),"total users...") for user in data: userguid = user["user_id"] # skip deleted users if user["deleted"] == "true": print("Skipping deleted user",userguid) return 0 data2 = vapi().get_user(userguid) count += update_user(data2,role) next elif target_user is None: print("You must specify a --user_id (guid) if --all is not specified.") exit else: user = vapi().get_user(target_user) count += update_user(user,role) print("Added role to",count,"users")
def generate(period, from_date, to_date, scan_type): params = {} # parse args if period == 'last-day': period = 'yesterday' elif period == 'last-week': period = 'last_week' elif period == 'last-month': period = 'last_month' elif period == 'all-time': period = None if period == 'range': period = None if not (from_date == None): params['from_date'] = from_date if not (to_date == None): params['to_date'] = to_date if not (period == None): params['period'] = period if not (scan_type == None): params['scan_type'] = scan_type if params == {}: paramsobject = None else: paramsobject = params # Initiate the Archer report generation job with provided parameters, returns a token requestdata = vapi().generate_archer(payload=paramsobject) return gettoken(requestdata)
def main(): parser = argparse.ArgumentParser( description= 'This script sets any expiring sandboxes in the scope to auto-recreate. It can operate on one application ' 'or all applications in the account.') parser.add_argument( '-a', '--app_id', required=True, help='App ID to update. Ignored if --all is specified.') parser.add_argument('-l', '--all', action='store_true', help='Set to TRUE to update all applications.') args = parser.parse_args() target_app = args.app_id all_apps = args.all # CHECK FOR CREDENTIALS EXPIRATION creds_expire_days_warning() if all_apps: data = vapi().get_apps() print('Evaluating {} applications for update'.format(len(data))) for app in data: iterations = process_app(app["id"]) if iterations > 0: print("==>Updated {} sandboxes".format(iterations)) else: print("Evaluating application id {} for update".format(target_app)) iterations = process_app(target_app) print("==>Updated {} sandboxes".format(iterations))
def main(): parser = argparse.ArgumentParser( description='This script sets up a new workspace in Veracode SCA for the application profile(s) \ specified in the arguments, and assigns teams based on the application profile settings.') parser.add_argument('-a', '--app_id', help='App GUID for which to set up a workspace. Ignored if -l is provided.') parser.add_argument('--all', action="store_true", help='If specified, set up workspaces for all applications.') parser.add_argument('--cleanup', action="store_true", help='If specified, delete all workspaces with no projects.') args = parser.parse_args() # CHECK FOR CREDENTIALS EXPIRATION creds_expire_days_warning() # set up args app_id = args.app_id app_all = args.all cleanup = args.cleanup if app_all: apps = vapi().get_apps() print("Evaluating {} applications for workspace creation".format(len(apps))) for app_info in apps: create_workspace(app_info) elif cleanup: delete_workspaces() else: if app_id == None: print('You must provide an app_id or set --all or --cleanup to "TRUE".') return 0 app_info = get_app_info(app_id) create_workspace(app_info)
def main(): # CHECK FOR CREDENTIALS EXPIRATION creds_expire_days_warning() data = vapi().get_users() for user in data: data2 = vapi().get_user(user["user_id"]) if "api_credentials" in data2: date_time_str = parse(data2["api_credentials"]["expiration_ts"]) date = date_time_str.date() time = date_time_str.time() print("User {} API Credentials expiration date is {} {}".format( user["user_name"], str(date), str(time))) else: print("User {} has no API credentials".format(user["user_name"]))
def process_app(the_app_id): log.info("Getting sandbox info for application {}".format(the_app_id)) data2 = vapi().get_sandbox_list(the_app_id) if len(data2) == 0: return 0 sandbox_list = etree.fromstring(data2) sandbox_count = len(sandbox_list) if sandbox_count == 1: count_noun = "sandbox" else: count_noun = "sandboxes" log.info("app_id {} has {} {}".format(the_app_id, sandbox_count, count_noun)) if sandbox_count == 0: return 0 iteration = 0 for sandbox in sandbox_list: sandbox_name = sandbox.get('sandbox_name') auto_recreate = sandbox.get('auto_recreate') expires = sandbox.get('expires') sandbox_id = sandbox.get('sandbox_id') if expires == None: continue #can't set auto_recreate on a non-expiring sandbox if auto_recreate == 'true': continue #don't set auto_recreate again log.info("Updating auto_recreate for sandbox {}, sandbox id {}".format( sandbox_name, sandbox_id)) updated = vapi().update_sandbox(sandbox_id, "autorecreate", True) if updated == None: return 0 #something went wrong updated_xml = etree.fromstring(updated) log.info('==>Sandbox {} auto_recreate = {}'.format( sandbox_name, updated_xml.get('auto_recreate'))) iteration += 1 return iteration
def creds_expire_days_warning(): creds = vapi().get_creds() exp = datetime.datetime.strptime(creds['expiration_ts'], "%Y-%m-%dT%H:%M:%S.%f%z") delta = exp - datetime.datetime.now().astimezone( ) #we get a datetime with timezone... if (delta.days < 7): print('These API credentials expire ', creds['expiration_ts'])
def find_app_named(appname): apps = vapi().get_app_by_name(appname) if len(apps) == 0: return [] for app in apps: if app["profile"]["name"] == appname: return [app]
def create_app(appname, teamguid, businesscriticality="HIGH", businessunit=""): if len(find_app_named(appname)) > 0: errormsg = "There is already an application named {}".format(appname) log.warning(errormsg) print(errormsg) return 0 if businessunit == "": r = vapi().create_app(app_name=appname, business_criticality=businesscriticality, teams=[teamguid]) else: r = vapi().create_app(app_name=appname, business_criticality=businesscriticality, teams=[teamguid], business_unit=businessunit) return r["guid"]
def get_modules_from_summary(app_guid): log.info('Getting modules for {}'.format(app_guid)) summary_report = vapi().get_summary_report(app_guid) static_analysis = summary_report.get('static-analysis') if static_analysis != None: modules = static_analysis.get('modules').get('module') return [module['name'] for module in modules] else: return []
def downloadreport(token): # this will retry until the report is ready, with a 15 second wait between retries response = vapi().download_archer(token) # handle case where response is empty if (reportlength(response) == 0): return None return response
def update_mitigation_info(build_id, flaw_id_list, action, comment, results_to_app_id): r = vapi().set_mitigation_info(build_id, flaw_id_list, action, comment) if '<error' in r.decode("UTF-8"): logging.info( 'Error updating mitigation_info for {} in Build ID {}: {}'.format( str(flaw_id_list), str(build_id), r.decode('UTF-8'))) sys.exit( '[*] Error updating mitigation_info for {} in Build ID {}'.format( str(flaw_id_list), str(build_id))) logging.info( 'Updated mitigation information to {} for Flaw ID {} in {} in Build ID {}'.format(action,\ str(flaw_id_list), results_to_app_id, build_id))
def get_user_list(usernames): #get list of guids user_list = [] for name in usernames: userinfo = vapi().get_user_by_name( name) # note that this call always returns a list of 1, or 0 if len(userinfo) == 0: errorstring = "No user found with name {}".format(name) print(errorstring) log.warning(errorstring) #log continue userguid = userinfo[0]["user_id"] user_list.append(userguid) return user_list
def create_api_user(apiname, email, teamguid): existinguser = find_user_named(apiname) if len(existinguser) > 0: # return existing user rather than creating new one userguid = existinguser[0]["user_id"] log.info("Found a user named {} with guid {}".format( apiname, userguid)) return userguid r = vapi().create_user(email=email, firstname=apiname, lastname="API User", type="API", roles=[], teams=[teamguid], username=apiname) return r["user_id"]
def prompt_for_app(prompt_text): appguid = "" app_name_search = input(prompt_text) app_candidates = vapi().get_app_by_name(app_name_search) if len(app_candidates) == 0: print("No matches were found!") elif len(app_candidates) > 1: print("Please choose an application:") for idx, appitem in enumerate(app_candidates, start=1): print("{}) {}".format(idx, appitem["profile"]["name"])) i = input("Enter number: ") try: if 0 < int(i) <= len(app_candidates): appguid = app_candidates[int(i) - 1].get('guid') except ValueError: appguid = "" else: appguid = app_candidates[0].get('guid') return appguid
def get_request_response(findings_list): # build a list of dicts containing the detailed finding info and request/response log.info('Getting finding details...') finding_details_list = [] for finding in findings_list: log.info('Getting finding details for finding {})'.format( finding['issue_id'])) finding_details = {'finding': finding} try: finding_request_response = vapi().get_dynamic_flaw_info( finding['context_guid'], finding['issue_id']) finding_details['request_response'] = finding_request_response finding_details_list.append(finding_details) except reqexcept.RequestException: # this call may 404 if the request/response information is no longer available for an older finding status = "Findings details not available for finding {}, skipping".format( finding['issue_id']) log.exception(status) print(status) return finding_details_list
def get_app(app_guid): return vapi().get_app(app_guid)
def get_application_name(guid): app = vapi().get_app(guid) return app['profile']['name']
def findings_api(app_guid): return vapi().get_findings(app_guid, scantype='ALL', annot='TRUE')
def get_workspaces(): return vapi().get_workspaces()
def get_all_apps(): applist = vapi().get_apps() return applist
def get_app_info(guid): log.debug('Getting application info for guid {}'.format(guid)) app_info = vapi().get_app(guid) return app_info
def get_findings(app_guid): log.info('Getting findings for {}'.format(app_guid)) return vapi().get_findings(app_guid, scantype='STATIC', annot='FALSE')