Merge branch 'master' into mkumykov-multi-image

Author: Murat Kumykov

blackduck/Core.py

@@ -146,6 +146,17 @@ def execute_put(self, url, data, custom_headers={}):
     response = requests.put(url, headers=headers, data=json_data, verify = not self.config['insecure'])
     return response
 
+def execute_patch(self, url, data, custom_headers={}) -> requests.Response:
+    '''
+    Work-around to add missing execute_patch()
+    '''
+    json_data = self._validated_json_data(data)
+    headers = self.get_headers()
+    headers["Content-Type"] = "application/json"
+    headers.update(custom_headers)
+    response = requests.patch(url, headers=headers, data=json_data, verify=not self.config['insecure'])
+    return response
+
 def _create(self, url, json_body):
     response = self.execute_post(url, json_body)
     # v4+ returns the newly created location in the response headers

blackduck/HubRestApi.py

@@ -68,7 +68,7 @@ class HubInstance(object):
         _create,_get_hub_rest_api_version_info,_get_major_version,_get_parameter_string,_validated_json_data,
         execute_delete,execute_get,execute_post,execute_put,get_api_version,get_apibase,get_auth_token,get_headers,
         get_limit_paramstring,get_link,get_matched_components,get_tags_url,get_urlbase,read_config,write_config,
-        _check_version_compatibility
+        _check_version_compatibility,execute_patch
     )
     from .Roles import (
         _get_role_url, assign_role_given_role_url, assign_role_to_user_or_group, 

blackduck/Reporting.py

@@ -25,7 +25,7 @@ def create_version_reports(self, version, report_list, format="CSV"):
     return self.execute_post(version_reports_url, post_data)
 
 valid_notices_formats = ["TEXT", "JSON"]
-def create_version_notices_report(self, version, format="TEXT", include_copyright_info=True):
+def create_version_notices_report(self, version, format="TEXT", include_copyright_info=True, include_license_info=True):
     assert format in valid_notices_formats, "Format must be one of {}".format(valid_notices_formats)
 
     post_data = {
@@ -35,6 +35,8 @@ def create_version_notices_report(self, version, format="TEXT", include_copyrigh
     }
     if include_copyright_info:
         post_data.update({'categories': ["COPYRIGHT_TEXT"] })
+        if include_license_info:
+            post_data.update({'categories': ["COPYRIGHT_TEXT","LICENSE_DATA","LICENSE_TEXT"] })
 
     notices_report_url = self.get_link(version, 'licenseReports')
     return self.execute_post(notices_report_url, post_data)

examples/client/batch_generate_sbom.py

@@ -262,7 +262,7 @@ def sanitize_filename(filename):
 
 def parse_command_args():
 
-    parser = argparse.ArgumentParser("Generate and download reports for projets in a spreadsheet")
+    parser = argparse.ArgumentParser("Generate and download reports for projects in a spreadsheet")
     parser.add_argument("-u", "--base-url",     required=True, help="Hub server URL e.g. https://your.blackduck.url")
     parser.add_argument("-t", "--token-file",   required=True, help="File containing access token")
     parser.add_argument("-i", "--input-file",   required=True, help="Project Name")

examples/client/generate_sbom.py

@@ -116,6 +116,7 @@ def download_report(bd_client, location, filename, retries=args.retries):
 	logging.debug("Authorization Error - Please ensure the token you are using has write permissions!")
 r.raise_for_status()
 location = r.headers.get('Location')
+print(f"location {location}")
 assert location, "Hmm, this does not make sense. If we successfully created a report then there needs to be a location where we can get it from"
 
 logging.debug(f"Created SBOM report of type {args.type} for project {args.project_name}, version {args.version_name} at location {location}")

examples/client/generate_vuln_status_report.py

@@ -0,0 +1,181 @@
+#!/usr/bin/env python
+
+'''
+Copyright (C) 2021 Synopsys, Inc.
+http://www.blackducksoftware.com/
+
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+ 
+'''
+import argparse
+from datetime import datetime
+import json
+import logging
+import requests
+import sys
+import time
+import csv
+
+from blackduck import Client
+
+DEFAULT_OUTPUT_FILE="vuln_status_report.csv"
+
+parser = argparse.ArgumentParser("Generate a vulnerability status report")
+parser.add_argument("--base-url", help="Hub server URL e.g. https://your.blackduck.url")
+parser.add_argument("--token-file", help="containing access token")
+parser.add_argument("--projects", nargs="+", help="The list of projects to include in the report")
+parser.add_argument('-t', '--tries', default=10, type=int, help="How many times to retry downloading the report, i.e. wait for the report to be generated")
+parser.add_argument("-o", "--output-file-name", 
+    dest="file_name", 
+    default=DEFAULT_OUTPUT_FILE, 
+    help=f"Name of the output file (default: {DEFAULT_OUTPUT_FILE})")
+parser.add_argument("--no-verify", 
+    dest='verify', 
+    action='store_false', 
+    help="disable TLS certificate verification")
+args = parser.parse_args()
+
+
+logging.basicConfig(format='%(asctime)s:%(levelname)s:%(message)s', stream=sys.stdout, level=logging.DEBUG)
+logging.getLogger("requests").setLevel(logging.WARNING)
+logging.getLogger("urllib3").setLevel(logging.WARNING)
+logging.getLogger("blackduck").setLevel(logging.WARNING)
+
+class FailedReportDownload(Exception):
+    pass
+
+def download_vuln_report(bd_client, location, filename, report_format, retries=args.tries):
+    if retries:
+        report_status = bd_client.session.get(location).json()
+        if report_status['status'] == 'COMPLETED':
+            download_url = bd_client.list_resources(report_status)['download']
+            contents_url = download_url + "/contents"
+            report_contents = bd_client.session.get(contents_url).json()
+            if report_format == 'JSON':
+                with open(filename, 'w') as f:
+                    json.dump(report_contents, f, indent=3)
+                    logging.info(f"Wrote vulnerability status report contents to {filename}")
+            elif report_format == 'CSV':
+                csv_data = report_contents['reportContent'][0]['fileContent']
+                with open(filename, 'w') as f:
+                    f.write(csv_data)
+                    logging.info(f"Wrote vulnerability status report contents to {filename}")
+            else:
+                logging.error(f"Unrecognized format ({report_format}) given. Exiting")
+
+        else:
+            sleep_time = 25
+            retries -= 1
+            logging.debug(f"Report is not ready to download yet, waiting {sleep_time} seconds and then retrying {retries} more times")
+            time.sleep(sleep_time)
+            download_vuln_report(bd_client, location, filename, report_format, retries)
+    else:
+        raise FailedReportDownload(f"Failed to retrieve report from {location} after {retries} attempts")
+
+
+def get_projects(client, project_names):
+    print (project_names)
+    '''Given a list of project names return a list of the corresponding project URLs'''
+    project_urls = list()
+    for project in client.get_items("/api/projects"):
+        if project['name'] in project_names:
+            project_urls.append(project['_meta']['href'])
+    return project_urls
+
+def augment_filename(filename):
+    if filename.endswith('.csv'):
+        index = filename.index('.csv')
+        return filename[:index] + '_augmented' + filename[index:]
+    else:
+        return filename + '_augmented.csv'
+
+def correct_vuln_ids(bd, filename, new_filename):
+    logging.debug(f"Generating file with augmented vuln ids as {new_filename}")
+    input = open(filename, 'r')
+    reader = csv.DictReader(input)
+    fieldnames = reader.fieldnames
+    rowcount = 0
+    with open(new_filename, 'w') as output:
+        writer = csv.DictWriter(output, fieldnames=fieldnames)
+        writer.writeheader()
+        for row in reader:
+            vuln_id = row['Vulnerability id']
+            related_vuln_id = get_related_vuln_id(bd, vuln_id)
+            if related_vuln_id:
+                correct_vuln_id = f"{vuln_id} ({related_vuln_id})"
+            else:
+                correct_vuln_id = vuln_id
+            row['Vulnerability id'] = correct_vuln_id
+            writer.writerow(row)
+            rowcount+=1
+            if rowcount % 100 == 0:
+                logging.debug(f"{rowcount:15} rows written into {new_filename}")
+        logging.debug(f"Total of {rowcount} rows written into {new_filename}")
+    logging.info(f"Wrote vulnerability status report contents to {filename}")
+
+def get_related_vuln_id(bd, vuln_id):
+    related_id = None
+    if vuln_id.startswith('BDSA') and 'CVE' not in vuln_id:
+        vuln_data = bd.get_json(f"/api/vulnerabilities/{vuln_id}")
+        vuln_resources = bd.list_resources(vuln_data)
+        related_url = vuln_resources.get('related-vulnerability', None)
+        if related_url:
+            related_id = related_url.split('/')[-1:][0]
+    return related_id
+
+with open(args.token_file, 'r') as tf:
+    access_token = tf.readline().strip()
+
+bd = Client(
+    base_url=args.base_url,
+    token=access_token,
+    verify=args.verify
+)
+
+project_urls = get_projects(bd, args.projects)
+logging.debug(f"Generating vulnerability status report for the following projects: {args.projects}")
+logging.debug(f"Project list resulted in following project URLs {project_urls}")
+post_data = {
+    'reportFormat': 'CSV',
+    'projects': project_urls,
+    'locale': 'en_US'
+}
+
+try:
+    r = bd.session.post("/api/vulnerability-status-reports", json=post_data)
+    r.raise_for_status()
+    report_url = r.headers['Location']
+    logging.debug(f"created vulnerability status report {report_url}")
+except requests.HTTPError as err:
+    # more fine grained error handling here; otherwise:
+    bd.http_error_handler(err)
+    logging.error("Failed to generate the report")
+    sys.exit(1)
+
+download_vuln_report(bd, report_url, args.file_name, 'CSV', retries=args.tries)
+
+correct_vuln_ids(bd, args.file_name, augment_filename(args.file_name))
+
+
+
+
+
+
+
+
+

examples/client/get_bom_component_vuln_info.py

@@ -49,20 +49,23 @@
 all_bom_component_vulns = []
 
 for bom_component_vuln in bd.get_resource('vulnerable-components', version):
-    vuln_name = bom_component_vuln['vulnerabilityWithRemediation']['vulnerabilityName']
-    vuln_source = bom_component_vuln['vulnerabilityWithRemediation']['source']
+    vulnerabilities = bd.get_resource('vulnerabilities', bom_component_vuln)
     upgrade_guidance = bd.get_json(f"{bom_component_vuln['componentVersion']}/upgrade-guidance")
     bom_component_vuln['upgrade_guidance'] = upgrade_guidance
+    all_bom_component_vulns.append(bom_component_vuln)
+    #for vuln in vulnerabilities:
+        #pprint(vuln)
+        #vuln_name = vuln['name']
+        #vuln_source = vuln['source']
 
-    vuln_details = bd.get_json(f"/api/vulnerabilities/{vuln_name}")
-    bom_component_vuln['vulnerability_details'] = vuln_details
+        #vuln_details = bd.get_json(f"/api/vulnerabilities/{vuln_name}")
+        #bom_component_vuln['vulnerability_details'] = vuln_details
 
-    if 'related-vulnerability' in bd.list_resources(vuln_details):
-        related_vuln = bd.get_resource("related-vulnerability", vuln_details, items=False)
-    else:
-        related_vuln = None
-    bom_component_vuln['related_vulnerability'] = related_vuln
-    all_bom_component_vulns.append(bom_component_vuln)
+        #if 'related-vulnerability' in bd.list_resources(vuln_details):
+        #    related_vuln = bd.get_resource("related-vulnerability", vuln_details, items=False)
+        #else:
+        #    related_vuln = None
+        #bom_component_vuln['related_vulnerability'] = related_vuln
 
 if args.csv_file:
     '''Note: See the BD API doc and in particular .../api-doc/public.html#_bom_vulnerability_endpoints
@@ -73,28 +76,28 @@
     with open(args.csv_file, 'w') as csv_f:
         field_names = [
             'Vulnerability Name',
-            'Vulnerability Description',
+            #'Vulnerability Description',
             'Remediation Status',
             'Component',
             'Component Version',
-            'Exploit Available',
-            'Workaround Available',
-            'Solution Available',
+            #'Exploit Available',
+            #'Workaround Available',
+            #'Solution Available',
             'Upgrade Guidance - short term',
             'Upgrade Guidance - long term',
         ]
         writer = csv.DictWriter(csv_f, fieldnames = field_names)
         writer.writeheader()
         for comp_vuln in all_bom_component_vulns:
             row_data = {
-                'Vulnerability Name': comp_vuln['vulnerabilityWithRemediation']['vulnerabilityName'],
-                'Vulnerability Description': comp_vuln['vulnerabilityWithRemediation']['description'],
-                'Remediation Status': comp_vuln['vulnerabilityWithRemediation']['remediationStatus'],
+                'Vulnerability Name': comp_vuln['vulnerability']['vulnerabilityId'],
+                #'Vulnerability Description': comp_vuln['vulnerabilityWithRemediation']['description'],
+                'Remediation Status': comp_vuln['vulnerability']['remediationStatus'],
                 'Component': comp_vuln['componentName'],
                 'Component Version': comp_vuln['componentVersionName'],
-                'Exploit Available': comp_vuln['vulnerability_details'].get('exploitPublishDate', 'None available'),
-                'Workaround Available': comp_vuln['vulnerability_details'].get('workaround', 'None available'),
-                'Solution Available': comp_vuln['vulnerability_details'].get('solution', 'None available'),
+                #'Exploit Available': comp_vuln['vulnerability_details'].get('exploitPublishDate', 'None available'),
+                #'Workaround Available': comp_vuln['vulnerability_details'].get('workaround', 'None available'),
+                #'Solution Available': comp_vuln['vulnerability_details'].get('solution', 'None available'),
                 'Upgrade Guidance - short term': comp_vuln['upgrade_guidance'].get('shortTerm', 'None available'),
                 'Upgrade Guidance - long term': comp_vuln['upgrade_guidance'].get('longTerm', 'None available')
             }