vulnerability-lookup/pyvariot
13
1
Fork 0
mirror of https://github.com/cve-search/pyvariot.git synced 2024-11-26 16:57:24 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

new: Initial commit

Browse source
This commit is contained in:
Raphaël Vinot 2024-06-07 15:54:49 +02:00
parent cc1d36fb8e
commit af60692c0c
12 changed files with 273 additions and 98 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
LICENSE
View file

@ -1,6 +1,8 @@
BSD 3-Clause License
Copyright (c) 2020, Lookyloo
Copyright (c) 2024, Raphaël Vinot
Copyright (c) 2024, CVE Search
Copyright (c) 2024, CIRCL - Computer Incident Response Center Luxembourg
All rights reserved.
Redistribution and use in source and binary forms, with or without

8
README.md
View file

@ -1,18 +1,18 @@
# Python client and module for Project Template
# Python client and module to query the VARIoT IoT vulnerabilities and exploits databases
This is a simple template used in all the web based APIs in this repository, and a few others.
This is a Python client and module to query the [VARIoT IoT vulnerabilities and exploits databases](https://www.variotdbs.pl/api/).
## Installation
```bash
pip install pyproject
pip install pyvariot
```
## Usage
### Command line
You can use the `client` command to do a thing:
You can use the `variot` command to query the database:
```bash
```

4
docs/source/api_reference.rst
View file

@ -4,11 +4,11 @@ API reference
.. toctree::
:maxdepth: 2
.. automodule:: pyproject
.. automodule:: pyvariot
:members:
PyProject
---------
.. autoclass:: PyProject
.. autoclass:: PyVARIoT
:members:

6
docs/source/conf.py
View file

@ -17,9 +17,9 @@
# -- Project information -----------------------------------------------------
project = 'PyProject'
copyright = '2021, Lookyloo team'
author = 'Lookyloo team'
project = 'PyVARIoT'
copyright = '2021, CVE Search'
author = 'CVE Search team'
# The full version, including alpha/beta/rc tags
release = 'v0.0.1'

17
docs/source/index.rst
View file

@ -1,12 +1,7 @@
.. PyLookyloo documentation master file, created by
sphinx-quickstart on Tue Mar 23 12:28:17 2021.
You can adapt this file completely to your liking, but it should at least
contain the root `toctree` directive.
Welcome to PyVARIoT's documentation!
====================================
Welcome to PyProject's documentation!
=============================================
This is the client API for `PyProject <https://github.com/Lookyloo/project_template>`_:
This is the client API for `PyVARIoT <https://github.com/cve-search/variot>`_:
foo
@ -16,15 +11,15 @@ Installation
The package is available on PyPi, so you can install it with::
pip install pyproject
pip install pyvariot
Usage
-----
You can use `client` as a python script::
You can use `variot` as a python script::
$ client -h
$ variot -h
Or as a library:

6
pyproject.toml
View file

@ -1,7 +1,7 @@
[tool.poetry]
name = "pyproject"
name = "pyvariot"
version = "0.0.1"
description = "Python CLI and module for project"
description = "Python CLI and module to query the VARIoT IoT vulnerabilities and exploits databases"
authors = ["Raphaël Vinot <raphael.vinot@circl.lu>"]
license = "BSD-3-Clause"
@ -24,7 +24,7 @@ classifiers = [
]
[tool.poetry.scripts]
client = 'pyproject:main'
pyvariot = 'pyvariot:main'
[tool.poetry.dependencies]
python = "^3.10"

26
pyproject/__init__.py
View file

@ -1,26 +0,0 @@
from __future__ import annotations
import argparse
import json
import sys
from .api import PyProject
__all__ = ['PyProject']
def main() -> None:
parser = argparse.ArgumentParser(description='Query a thing.')
parser.add_argument('--url', type=str, required=True, help='URL of the instance.')
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument('--redis_up', action='store_true', help='Check if redis is up.')
args = parser.parse_args()
client = PyProject(args.url)
if not client.is_up:
print(f'Unable to reach {client.root_url}. Is the server up?')
sys.exit(1)
if args.redis_up:
response = client.redis_up()
print(json.dumps(response, indent=2))

45
pyproject/api.py
View file

@ -1,45 +0,0 @@
#!/usr/bin/env python3
from __future__ import annotations
from importlib.metadata import version
from typing import Any
from urllib.parse import urljoin, urlparse
import requests
class PyProject():
def __init__(self, root_url: str, useragent: str | None=None,
*, proxies: dict[str, str] | None=None):
'''Query a specific instance.
:param root_url: URL of the instance to query.
:param useragent: The User Agent used by requests to run the HTTP requests against the instance.
:param proxies: The proxies to use to connect to theinstance - More details: https://requests.readthedocs.io/en/latest/user/advanced/#proxies
'''
self.root_url = root_url
if not urlparse(self.root_url).scheme:
self.root_url = 'http://' + self.root_url
if not self.root_url.endswith('/'):
self.root_url += '/'
self.session = requests.session()
self.session.headers['user-agent'] = useragent if useragent else f'PyProject / {version("pyproject")}'
if proxies:
self.session.proxies.update(proxies)
@property
def is_up(self) -> bool:
'''Test if the given instance is accessible'''
try:
r = self.session.head(self.root_url)
except requests.exceptions.ConnectionError:
return False
return r.status_code == 200
def redis_up(self) -> dict[str, Any]:
'''Check if redis is up and running'''
r = self.session.get(urljoin(self.root_url, 'redis_up'))
return r.json()

39
pyvariot/__init__.py Normal file
View file

@ -0,0 +1,39 @@
from __future__ import annotations
import argparse
import json
import sys
from .api import PyVARIoT
__all__ = ['PyVARIoT']
def main() -> None:
parser = argparse.ArgumentParser(description='Get a vulnerability or an exploit by ID.')
parser.add_argument('--url', type=str, help='URL of the instance.')
parser.add_argument('--apikey', type=str, help='Your personal API key.')
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument('--vulnerability_id', type=str, help='ID of the vulnerability.')
group.add_argument('--exploit_id', type=str, help='ID of the exploit.')
args = parser.parse_args()
if args.url:
client = PyVARIoT(args.url)
else:
client = PyVARIoT()
if args.apikey:
client.apikey = args.apikey
if not client.is_up:
print(f'Unable to reach {client.root_url}. Is the server up?')
sys.exit(1)
if args.vulnerability_id:
vulnerability = client.get_vulnerability(args.vulnerability_id)
print(json.dumps(vulnerability, indent=2))
if args.exploit_id:
exploit = client.get_exploit(args.exploit_id)
print(json.dumps(exploit, indent=2))

168
pyvariot/api.py Normal file
View file

@ -0,0 +1,168 @@
#!/usr/bin/env python3
from __future__ import annotations
from datetime import datetime
from importlib.metadata import version
from typing import Any, Generator
from urllib.parse import urljoin, urlparse, parse_qsl
from pathlib import PurePosixPath
import requests
class PyVARIoT():
def __init__(self, root_url: str='https://www.variotdbs.pl/', useragent: str | None=None,
*, proxies: dict[str, str] | None=None):
'''Query a specific instance.
:param root_url: URL of the instance to query.
:param useragent: The User Agent used by requests to run the HTTP requests against the instance.
:param proxies: The proxies to use to connect to theinstance - More details: https://requests.readthedocs.io/en/latest/user/advanced/#proxies
'''
self.root_url = root_url
if not urlparse(self.root_url).scheme:
self.root_url = 'http://' + self.root_url
if not self.root_url.endswith('/'):
self.root_url += '/'
self.session = requests.session()
self.session.headers['user-agent'] = useragent if useragent else f'PyVARIoT / {version("pyvariot")}'
if proxies:
self.session.proxies.update(proxies)
self._apikey: str | None = None
@property
def apikey(self) -> str | None:
return self._apikey
@apikey.setter
def apikey(self, apikey: str) -> None:
'''Set the API key to use for the requests.
:params apikey: The API key to use for the requests.
'''
self._apikey = apikey
self.session.headers['Authorization'] = f'Token {self._apikey}'
@property
def is_up(self) -> bool:
'''Test if the given instance is accessible'''
try:
r = self.session.head(self.root_url)
except requests.exceptions.ConnectionError:
return False
return r.status_code == 200
def get_vulnerability(self, vulnerability_id: str, /, *, jsonld: bool=False) -> dict[str, Any]:
'''Get a vulnerability by its ID.
:param vulnerability_id: The ID of the vulnerability to get.
:param jsonld: Whether to return the JSON-LD representation of the vulnerability.
'''
r = self.session.get(urljoin(self.root_url, str(PurePosixPath('api', 'vuln', vulnerability_id))),
params={'jsonld': jsonld})
return r.json()
def get_exploit(self, exploit_id: str, /, *, jsonld: bool=False) -> dict[str, Any]:
'''Get an exploit by its ID.
:param exploit_id: The ID of the exploit to get.
:param jsonld: Whether to return the JSON-LD representation of the exploit.
'''
r = self.session.get(urljoin(self.root_url, str(PurePosixPath('api', 'exploit', exploit_id))),
params={'jsonld': jsonld})
return r.json()
def __prepare_params(self, jsonld: bool=False, since: datetime | None=None, before: datetime | None=None,
limit: int | None=None, offset: int | None=None) -> dict[str, bool | str | int]:
'''Prepare the parameters for the requests.'''
params: dict[str, bool | str | int] = {'jsonld': jsonld}
if since:
params['since'] = since.isoformat()
if before:
params['before'] = before.isoformat()
if limit:
params['limit'] = limit
if offset:
params['offset'] = offset
return params
def get_vulnerabilities(self, /, *, jsonld: bool=False,
since: datetime | None=None, before: datetime | None,
limit: int | None=None, offset: int | None=None) -> dict[str, Any]:
'''Get vulnerabilities on an interval.
:param jsonld: Whether to return the JSON-LD representation of the vulnerabilities.
:param since: The date from which to get the vulnerabilities.
:param before: The date until which to get the vulnerabilities.
:param limit: The maximum number of vulnerabilities to get in one call.
:param offset: The offset to start getting the vulnerabilities.
'''
params = self.__prepare_params(jsonld, since, before, limit, offset)
r = self.session.get(urljoin(self.root_url, str(PurePosixPath('api', 'vulns'))),
params=params)
return r.json()
def get_vulnerabilities_iter(self, /, *, jsonld: bool=False,
since: datetime | None=None, before: datetime | None,
limit: int | None=None, offset: int | None=None) -> Generator[dict[str, Any], None, None]:
'''Get vulnerabilities on an interval, automatically iterates over all the matching vulerabilities.
:param jsonld: Whether to return the JSON-LD representation of the vulnerabilities.
:param since: The date from which to get the vulnerabilities.
:param before: The date until which to get the vulnerabilities.
:param limit: The maximum number of vulnerabilities to get in one call.
:param offset: The offset to start getting the vulnerabilities.
'''
while True:
r = self.get_vulnerabilities(jsonld=jsonld, since=since, before=before, limit=limit, offset=offset)
if not r:
break
for vuln in r['results']:
yield vuln
if not r['next']:
break
next_params = dict(parse_qsl(urlparse(r['next']).query))
since = datetime.fromisoformat(next_params['since'])
before = datetime.fromisoformat(next_params['before'])
limit = int(next_params['limit'])
offset = int(next_params['offset'])
jsonld = False if next_params['offset'] == 'False' else True
def get_exploits(self, /, *, jsonld: bool=False,
since: datetime | None=None, before: datetime | None,
limit: int | None=None, offset: int | None=None) -> dict[str, Any]:
'''Get exploits on an interval.
:param jsonld: Whether to return the JSON-LD representation of the exploits.
:param since: The date from which to get the exploits.
:param before: The date until which to get the exploits.
:param limit: The maximum number of exploits to get in one call.
:param offset: The offset to start getting the exploits.
'''
params = self.__prepare_params(jsonld, since, before, limit, offset)
r = self.session.get(urljoin(self.root_url, str(PurePosixPath('api', 'exploits'))),
params=params)
return r.json()
def get_exploits_iter(self, /, *, jsonld: bool=False,
since: datetime | None=None, before: datetime | None,
limit: int | None=None, offset: int | None=None) -> Generator[dict[str, Any], None, None]:
'''Get exploits on an interval, automatically iterates over all the matching exploits.
:param jsonld: Whether to return the JSON-LD representation of the exploits.
:param since: The date from which to get the exploits.
:param before: The date until which to get the exploits.
:param limit: The maximum number of exploits to get in one call.
:param offset: The offset to start getting the exploits.
'''
while True:
r = self.get_exploits(jsonld=jsonld, since=since, before=before, limit=limit, offset=offset)
if not r:
break
for exploit in r['results']:
yield exploit
if not r['next']:
break
next_params = dict(parse_qsl(urlparse(r['next']).query))
since = datetime.fromisoformat(next_params['since'])
before = datetime.fromisoformat(next_params['before'])
limit = int(next_params['limit'])
offset = int(next_params['offset'])
jsonld = False if next_params['offset'] == 'False' else True

0
pyproject/py.typed → pyvariot/py.typed
View file

48
tests/test_web.py
View file

@ -2,14 +2,56 @@
import unittest
from pyproject import PyProject
from datetime import datetime, timezone
from pyvariot import PyVARIoT
class TestBasic(unittest.TestCase):
def setUp(self) -> None:
self.client = PyProject(root_url="http://127.0.0.1:9999")
self.client = PyVARIoT()
# self.client.apikey = ''
def test_up(self) -> None:
self.assertTrue(self.client.is_up)
self.assertTrue(self.client.redis_up())
def test_get_vulnerability(self) -> None:
vuln = self.client.get_vulnerability('VAR-202405-2633')
self.assertEqual(vuln['id'], 'VAR-202405-2633')
vuln = self.client.get_vulnerability('VAR-202405-2633', jsonld=True)
self.assertEqual(vuln['id'], 'VAR-202405-2633')
self.assertEqual(vuln['affected_products']['@context']['@vocab'], 'https://www.variotdbs.pl/ref/affected_products#')
def test_get_exploit(self) -> None:
exploit = self.client.get_exploit('VAR-E-202403-0059')
self.assertEqual(exploit['id'], 'VAR-E-202403-0059')
exploit = self.client.get_exploit('VAR-E-202403-0059', jsonld=True)
self.assertEqual(exploit['id'], 'VAR-E-202403-0059')
self.assertEqual(exploit['affected_products']['@context']['@vocab'], 'https://www.variotdbs.pl/ref/affected_products#')
def test_get_vulnerabilities(self) -> None:
since = datetime(2024, 6, 2, 22, tzinfo=timezone.utc)
before = datetime(2024, 6, 2, 23, tzinfo=timezone.utc)
limit = 1
offset = 0
vulns = self.client.get_vulnerabilities(since=since, before=before, limit=limit, offset=offset)
self.assertEqual(len(vulns['results']), 1)
def test_get_vulnerabilities_iter(self) -> None:
since = datetime(2024, 6, 2, 22, tzinfo=timezone.utc)
before = datetime(2024, 6, 2, 23, tzinfo=timezone.utc)
limit = 20
vulns_ids = []
for vuln in self.client.get_vulnerabilities_iter(since=since, before=before, limit=limit):
vulns_ids.append(vuln['id'])
self.assertEqual(len(vulns_ids), 29)
def test_get_exploits_iter(self) -> None:
since = datetime(2023, 12, 13, 13, tzinfo=timezone.utc)
before = datetime(2023, 12, 13, 14, tzinfo=timezone.utc)
limit = 5
exploits_ids = []
for exploit in self.client.get_exploits_iter(since=since, before=before, limit=limit):
exploits_ids.append(exploit['id'])
self.assertEqual(len(exploits_ids), 11)