adjust tools

2020-10-29 00:14:31 -05:00 · 2020-10-29 00:14:31 -05:00 · 335831687c
commit 335831687c
parent 04ce52f2cf
9 changed files with 1311718 additions and 0 deletions
--- a/security_tools/redhat_tools/redhat_oval_definition_parser/oval_stream_data_parser.rb
+++ b/security_tools/redhat_tools/redhat_oval_definition_parser/oval_stream_data_parser.rb
@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'rest-client'
+
+class OvalStreamDataParser
+  attr_accessor :index_data, :api_url
+
+  def initialize
+    @api_url = 'https://access.redhat.com/hydra/rest/securitydata/oval'
+    @index_data = refresh_index
+  end
+
+  def refresh_index
+    response = RestClient::Request.execute(
+      method: :get,
+      url: "#{api_url}/ovalstreams.json",
+      content_type: 'application/json'
+    )
+    if response.code == 200
+      parse_index(response)
+    else
+      puts "Error: HTTP Response code #{response.code} received."
+    end
+  end
+
+  def parse_index(response)
+    JSON.parse(response.body)
+  end
+
+  def list_stream_names
+    index_data.map do |entry|
+      entry['stream']
+    end.sort
+  end
+
+  def list_stream_urls
+    index_data.map do |entry|
+      entry['resourceUrl']
+    end.sort
+  end
+
+  def list_stream_labels
+    index_data.map do |entry|
+      entry['label']
+    end.sort
+  end
+
+  def select_stream_by_label(label)
+    index_data.select { |json| json['label'] == label }
+  end
+
+  def verify_shasum
+    # method that will check the sha256sum of a downloaded file from resourceUrl and ensure they match
+    # step 1:
+    # get original shasum
+    # step 2:
+    # download file
+    # step 3:
+    # run sha256sum against file download
+    # step 4:
+    # run == logic against both sums and return true/false
+  end
+end
--- a/security_tools/redhat_tools/redhat_oval_definition_parser/ovalstreams.json
+++ b/security_tools/redhat_tools/redhat_oval_definition_parser/ovalstreams.json
--- a/security_tools/redhat_tools/redhat_oval_definition_parser/refresh_data_xml.sh
+++ b/security_tools/redhat_tools/redhat_oval_definition_parser/refresh_data_xml.sh
@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+# do a fresh pull of the data
+# the class should also do this when initialized but if you want a seperate script to run quick just to pull you can use this 
+
+wget https://access.redhat.com/hydra/rest/securitydata/oval/ovalstreams.json
--- a/security_tools/redhat_tools/rhel_rpm_to_cve.rb
+++ b/security_tools/redhat_tools/rhel_rpm_to_cve.rb
@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require 'ox'
+require 'json'
+require 'rest-client'
+
+class RhelRpmToCve
+  # filepath == /path/to/rpm-to-cve.xml
+  attr_accessor :filepath, :file, :xml
+
+  def initialize(filepath: nil)
+    @filepath = filepath
+    @file = File.read(filepath) if filepath
+    @xml = Ox.parse(file) if filepath
+    @sec_api_url = 'https://access.redhat.com/hydra/rest/securitydata'
+  end
+
+  def list_pkg_names
+    xml.rpms.locate('?/@rpm')
+  end
+
+  def refresh_rpm_to_cve_file(path)
+    r = RestClient::Request.execute(
+      method: :get,
+      url: "https://www.redhat.com/security/data/metrics/rpm-to-cve.xml"
+    )
+    if r.code == 200
+      File.write(path, r.body)
+    else
+      "Error. HTTP Status code: #{r.code}"
+    end
+  end
+
+  def pkg_exists?(pkg_name)
+    list_pkg_names.include? pkg_name
+  end
+
+  def cves_per_pkg_name(pkg_name)
+    if pkg_exists? pkg_name
+      results = find_pkg(pkg_name).locate('*/cve').map(&:text).compact
+
+      cves = results.map { |cve| cve }
+
+      {
+        rhel_package_name: pkg_name,
+        cves: cves,
+        cve_count: cves.count
+      }
+    else
+      'Package not found.'
+    end
+  end
+
+  def find_pkg(pkg_name)
+    xml.rpms.locate("rpm[@rpm=#{pkg_name}]").first
+  end
+
+  def convert_to_json
+    pkgs = list_pkg_names
+    pkgs_and_cves = pkgs.map do |pkg_name|
+      cves_per_pkg_name(pkg_name)
+    end
+    pkgs_and_cves.to_json
+  end
+end
--- a/security_tools/redhat_tools/rhel_security_api_client.rb
+++ b/security_tools/redhat_tools/rhel_security_api_client.rb
@ -0,0 +1,44 @@
+# Documentation link:
+# https://access.redhat.com/documentation/en-us/red_hat_security_data_api/1.0/html/red_hat_security_data_api/overview
+
+# frozen_string_literal: true
+
+require 'rest-client'
+require 'json'
+
+class RhelSecurityApiClient
+  attr_accessor :base_url
+
+  def initialize
+    @base_url = 'https://access.redhat.com/hydra/rest/securitydata'
+  end
+
+  # params is a hash that looks like
+  # {:params => {:key => value}}
+  def request(path, params)
+    r = RestClient::Request.execute(
+      method: :get,
+      url: "#{base_url}#{path}",
+      headers: params
+    )
+    if r.code == 200
+      parse_response(r)
+    else
+      "Error HTTP Code: #{r.code}"
+    end
+  end
+
+  def parse_response(response)
+    JSON.parse(response.body)
+  end
+
+  def cve_pkg_adv(array_of_json_cves)
+    array_of_json_cves.map do |json|
+      {
+        cve_id: json['CVE'],
+        advisories: json['advisories'],
+        affected_packages: json['affected_packages']
+      }
+    end
+  end
+end
--- a/security_tools/redhat_tools/rpm-to-cve.xml
+++ b/security_tools/redhat_tools/rpm-to-cve.xml
--- a/security_tools/redhat_tools/rpm_pkg_audit.rb
+++ b/security_tools/redhat_tools/rpm_pkg_audit.rb
@ -0,0 +1,54 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'optparse'
+require 'json'
+require './rhel_rpm_to_cve'
+require './rhel_security_api_client'
+
+ARGV << '-h' if ARGV.empty?
+
+data_file = './rpm-to-cve.xml'
+
+options = {}
+
+parser = OptionParser.new do |parser|
+  parser.banner = 'Usage: rpm_pkg_audit.rb [options]'
+  parser.on('-p', '--pkg PKGNAME', 'Takes a base pkg name and returns cves from redhats security API.') do |pkg|
+    options[:pkg] = pkg
+  end
+  parser.on('-l', '--list', 'List packages in the XML datafile.') do |list|
+    options[:list] = list
+  end
+  parser.on('-x', '--xmlpkg PKGNAME', 'The pkg name you want to audit from xml file rpm-to-cve.xml') do |xmlpkg|
+    options[:xmlpkg] = xmlpkg
+  end
+  parser.on('-r', '--refresh', 'Refresh rpm-to-cve.xml file with latest pkgs and cves') do |_refresh|
+    options[:refresh] = true
+  end
+end
+
+parser.parse!
+
+if options[:pkg]
+  pkg_name = options[:pkg]
+elsif options[:xmlpkg]
+  xmlpkg_name = options[:xmlpkg]
+end
+
+rpm_auditer = RhelRpmToCve.new(filepath: data_file)
+rhel_api_client = RhelSecurityApiClient.new
+
+if xmlpkg_name
+  json = rpm_auditer.cves_per_pkg_name(pkg_name).to_json
+  puts JSON.pretty_generate(JSON.parse(json))
+elsif pkg_name
+  params = { params: { package: pkg_name } }
+  json_response = rhel_api_client.request('/cve.json', params)
+  cve_pkgs_and_adv = rhel_api_client.cve_pkg_adv(json_response)
+  puts JSON.pretty_generate(cve_pkgs_and_adv)
+elsif options[:refresh]
+  rpm_auditer.refresh_rpm_to_cve_file('./rpm-to-cve.xml')
+else options.key?(:list)
+  puts rpm_auditer.list_pkg_names.sort
+end
--- a/security_tools/redhat_tools/sax_parser.rb
+++ b/security_tools/redhat_tools/sax_parser.rb
@ -0,0 +1,36 @@
+#!/usr/bin/env ruby
+
+require 'ox'
+
+class SaxParser < Ox::Sax
+
+  def initialize
+    @elements = []
+  end
+
+  def start_element(name)
+    #puts "start: #{name}"
+  end
+
+  def current_element
+    @elements.last
+  end
+
+  def end_element(name)
+    #puts "end: #{name}"
+  end
+
+  def attr(name, value)
+    #puts "  #{name} => #{value}"
+  end
+
+  def text(value)
+    #puts "text: #{value}"
+  end
+
+end
+
+file = File.read('./rpm-to-cve.xml')
+handler = SaxParser.new()
+
+Ox.sax_parse(handler, file)
--- a/security_tools/redhat_tools/update_rpms_to_cve_xml.sh
+++ b/security_tools/redhat_tools/update_rpms_to_cve_xml.sh
@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+# refresh the latest rpm to cve xml mapping file from redhat security page
+
+wget -O rpm-to-cve.xml https://www.redhat.com/security/data/metrics/rpm-to-cve.xml