adjust tools

2020-10-29 00:14:31 -05:00 · 2020-10-29 00:14:31 -05:00 · 335831687c
commit 335831687c
parent 04ce52f2cf
9 changed files with 1311718 additions and 0 deletions
--- a/security_tools/redhat_tools/redhat_oval_definition_parser/oval_stream_data_parser.rb
+++ b/security_tools/redhat_tools/redhat_oval_definition_parser/oval_stream_data_parser.rb
@ -0,0 +1,64 @@
 # frozen_string_literal: true
 require 'json'
 require 'rest-client'
 class OvalStreamDataParser
  attr_accessor :index_data, :api_url
  def initialize
    @api_url = 'https://access.redhat.com/hydra/rest/securitydata/oval'
    @index_data = refresh_index
  end
  def refresh_index
    response = RestClient::Request.execute(
      method: :get,
      url: "#{api_url}/ovalstreams.json",
      content_type: 'application/json'
    )
    if response.code == 200
      parse_index(response)
    else
      puts "Error: HTTP Response code #{response.code} received."
    end
  end
  def parse_index(response)
    JSON.parse(response.body)
  end
  def list_stream_names
    index_data.map do |entry|
      entry['stream']
    end.sort
  end
  def list_stream_urls
    index_data.map do |entry|
      entry['resourceUrl']
    end.sort
  end
  def list_stream_labels
    index_data.map do |entry|
      entry['label']
    end.sort
  end
  def select_stream_by_label(label)
    index_data.select { |json| json['label'] == label }
  end
  def verify_shasum
    # method that will check the sha256sum of a downloaded file from resourceUrl and ensure they match
    # step 1:
    # get original shasum
    # step 2:
    # download file
    # step 3:
    # run sha256sum against file download
    # step 4:
    # run == logic against both sums and return true/false
  end
 end
--- a/security_tools/redhat_tools/redhat_oval_definition_parser/ovalstreams.json
+++ b/security_tools/redhat_tools/redhat_oval_definition_parser/ovalstreams.json
--- a/security_tools/redhat_tools/redhat_oval_definition_parser/refresh_data_xml.sh
+++ b/security_tools/redhat_tools/redhat_oval_definition_parser/refresh_data_xml.sh
@ -0,0 +1,5 @@
 #!/usr/bin/env bash
 # do a fresh pull of the data
 # the class should also do this when initialized but if you want a seperate script to run quick just to pull you can use this 
 wget https://access.redhat.com/hydra/rest/securitydata/oval/ovalstreams.json
--- a/security_tools/redhat_tools/rhel_rpm_to_cve.rb
+++ b/security_tools/redhat_tools/rhel_rpm_to_cve.rb
@ -0,0 +1,65 @@
 # frozen_string_literal: true
 require 'ox'
 require 'json'
 require 'rest-client'
 class RhelRpmToCve
  # filepath == /path/to/rpm-to-cve.xml
  attr_accessor :filepath, :file, :xml
  def initialize(filepath: nil)
    @filepath = filepath
    @file = File.read(filepath) if filepath
    @xml = Ox.parse(file) if filepath
    @sec_api_url = 'https://access.redhat.com/hydra/rest/securitydata'
  end
  def list_pkg_names
    xml.rpms.locate('?/@rpm')
  end
  def refresh_rpm_to_cve_file(path)
    r = RestClient::Request.execute(
      method: :get,
      url: "https://www.redhat.com/security/data/metrics/rpm-to-cve.xml"
    )
    if r.code == 200
      File.write(path, r.body)
    else
      "Error. HTTP Status code: #{r.code}"
    end
  end
  def pkg_exists?(pkg_name)
    list_pkg_names.include? pkg_name
  end
  def cves_per_pkg_name(pkg_name)
    if pkg_exists? pkg_name
      results = find_pkg(pkg_name).locate('*/cve').map(&:text).compact
      cves = results.map { |cve| cve }
      {
        rhel_package_name: pkg_name,
        cves: cves,
        cve_count: cves.count
      }
    else
      'Package not found.'
    end
  end
  def find_pkg(pkg_name)
    xml.rpms.locate("rpm[@rpm=#{pkg_name}]").first
  end
  def convert_to_json
    pkgs = list_pkg_names
    pkgs_and_cves = pkgs.map do |pkg_name|
      cves_per_pkg_name(pkg_name)
    end
    pkgs_and_cves.to_json
  end
 end
--- a/security_tools/redhat_tools/rhel_security_api_client.rb
+++ b/security_tools/redhat_tools/rhel_security_api_client.rb
@ -0,0 +1,44 @@
 # Documentation link:
 # https://access.redhat.com/documentation/en-us/red_hat_security_data_api/1.0/html/red_hat_security_data_api/overview
 # frozen_string_literal: true
 require 'rest-client'
 require 'json'
 class RhelSecurityApiClient
  attr_accessor :base_url
  def initialize
    @base_url = 'https://access.redhat.com/hydra/rest/securitydata'
  end
  # params is a hash that looks like
  # {:params => {:key => value}}
  def request(path, params)
    r = RestClient::Request.execute(
      method: :get,
      url: "#{base_url}#{path}",
      headers: params
    )
    if r.code == 200
      parse_response(r)
    else
      "Error HTTP Code: #{r.code}"
    end
  end
  def parse_response(response)
    JSON.parse(response.body)
  end
  def cve_pkg_adv(array_of_json_cves)
    array_of_json_cves.map do |json|
      {
        cve_id: json['CVE'],
        advisories: json['advisories'],
        affected_packages: json['affected_packages']
      }
    end
  end
 end
--- a/security_tools/redhat_tools/rpm-to-cve.xml
+++ b/security_tools/redhat_tools/rpm-to-cve.xml
--- a/security_tools/redhat_tools/rpm_pkg_audit.rb
+++ b/security_tools/redhat_tools/rpm_pkg_audit.rb
@ -0,0 +1,54 @@
 #!/usr/bin/env ruby
 # frozen_string_literal: true
 require 'optparse'
 require 'json'
 require './rhel_rpm_to_cve'
 require './rhel_security_api_client'
 ARGV << '-h' if ARGV.empty?
 data_file = './rpm-to-cve.xml'
 options = {}
 parser = OptionParser.new do |parser|
  parser.banner = 'Usage: rpm_pkg_audit.rb [options]'
  parser.on('-p', '--pkg PKGNAME', 'Takes a base pkg name and returns cves from redhats security API.') do |pkg|
    options[:pkg] = pkg
  end
  parser.on('-l', '--list', 'List packages in the XML datafile.') do |list|
    options[:list] = list
  end
  parser.on('-x', '--xmlpkg PKGNAME', 'The pkg name you want to audit from xml file rpm-to-cve.xml') do |xmlpkg|
    options[:xmlpkg] = xmlpkg
  end
  parser.on('-r', '--refresh', 'Refresh rpm-to-cve.xml file with latest pkgs and cves') do |_refresh|
    options[:refresh] = true
  end
 end
 parser.parse!
 if options[:pkg]
  pkg_name = options[:pkg]
 elsif options[:xmlpkg]
  xmlpkg_name = options[:xmlpkg]
 end
 rpm_auditer = RhelRpmToCve.new(filepath: data_file)
 rhel_api_client = RhelSecurityApiClient.new
 if xmlpkg_name
  json = rpm_auditer.cves_per_pkg_name(pkg_name).to_json
  puts JSON.pretty_generate(JSON.parse(json))
 elsif pkg_name
  params = { params: { package: pkg_name } }
  json_response = rhel_api_client.request('/cve.json', params)
  cve_pkgs_and_adv = rhel_api_client.cve_pkg_adv(json_response)
  puts JSON.pretty_generate(cve_pkgs_and_adv)
 elsif options[:refresh]
  rpm_auditer.refresh_rpm_to_cve_file('./rpm-to-cve.xml')
 else options.key?(:list)
  puts rpm_auditer.list_pkg_names.sort
 end
--- a/security_tools/redhat_tools/sax_parser.rb
+++ b/security_tools/redhat_tools/sax_parser.rb
@ -0,0 +1,36 @@
 #!/usr/bin/env ruby
 require 'ox'
 class SaxParser < Ox::Sax
  def initialize
    @elements = []
  end
  def start_element(name)
    #puts "start: #{name}"
  end
  def current_element
    @elements.last
  end
  def end_element(name)
    #puts "end: #{name}"
  end
  def attr(name, value)
    #puts "  #{name} => #{value}"
  end
  def text(value)
    #puts "text: #{value}"
  end
 end
 file = File.read('./rpm-to-cve.xml')
 handler = SaxParser.new()
 Ox.sax_parse(handler, file)
--- a/security_tools/redhat_tools/update_rpms_to_cve_xml.sh
+++ b/security_tools/redhat_tools/update_rpms_to_cve_xml.sh
@ -0,0 +1,4 @@
 #!/usr/bin/env bash
 # refresh the latest rpm to cve xml mapping file from redhat security page
 wget -O rpm-to-cve.xml https://www.redhat.com/security/data/metrics/rpm-to-cve.xml