Initial version of VulnDB app.

.gitignore

@@ -1,3 +1,4 @@
 *.swo
 *.swp
 *test.py
+*.remote-sync.json

vulndb/1.0.0/Dockerfile

@@ -0,0 +1,26 @@
+# Base our app image off of the WALKOFF App SDK image
+FROM frikky/shuffle:app_sdk as base
+
+# We're going to stage away all of the bloat from the build tools so lets create a builder stage
+FROM base as builder
+
+# Install all alpine build tools needed for our pip installs
+RUN apk --no-cache add --update alpine-sdk libffi libffi-dev musl-dev openssl-dev
+
+# Install all of our pip packages in a single directory that we can copy to our base image later
+RUN mkdir /install
+WORKDIR /install
+COPY requirements.txt /requirements.txt
+RUN pip install --prefix="/install" -r /requirements.txt
+
+# Switch back to our base image and copy in all of our built packages and source code
+FROM base
+COPY --from=builder /install /usr/local
+COPY src /app
+
+# Install any binary dependencies needed in our final image
+# RUN apk --no-cache add --update my_binary_dependency
+
+# Finally, lets run our app!
+WORKDIR /app
+CMD python app.py --log-level DEBUG

vulndb/1.0.0/api.yaml

@@ -0,0 +1,35 @@
+app_version: 1.0.0
+name: VulnDB
+description: VulnDB vulnerability notifications (https://vulndb.cyberriskanalytics.com/)
+contact_info:
+  name: "@fritzbacke"
+  url: https://github.com/fritzbacke
+  email: fritzbacke@gmx.org
+tags:
+  - Testing
+  - Assets
+  - Vulnerabilities
+categories:
+  - Assets
+authentication:
+  required: true
+  parameters:
+    - name: ClientID
+      description: The client ID generated at VulnDB for this OAuth2 application
+      example: ""
+      required: true
+      schema:
+        type: string
+    - name: ClientSecret
+      description: The client secret generated at VulnDB for this OAuth2 application
+      example: "*****"
+      required: true
+      schema:
+        type: string
+actions:
+  - name: latest_20_vulns
+    description: Return the 20 most recent vulnerabilities as JSON object
+    returns:
+      schema:
+        type: string
+large_image: data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB3aWR0aD0iODYiIGhlaWdodD0iODciIHZpZXdCb3g9IjAgMCA4NiA4NyI+CiAgICA8ZGVmcz4KICAgICAgICA8cGF0aCBpZD0iYSIgZD0iTTAgLjI3NWg4NS43MjVWODZIMHoiLz4KICAgICAgICA8cGF0aCBpZD0iYyIgZD0iTS4zNjIuMjc1aDQyLjg2M1Y4NkguMzYyeiIvPgogICAgPC9kZWZzPgogICAgPGcgZmlsbD0ibm9uZSIgZmlsbC1ydWxlPSJldmVub2RkIj4KICAgICAgICA8ZyB0cmFuc2Zvcm09InRyYW5zbGF0ZSgwIC4yMjUpIj4KICAgICAgICAgICAgPG1hc2sgaWQ9ImIiIGZpbGw9IiNmZmYiPgogICAgICAgICAgICAgICAgPHVzZSB4bGluazpocmVmPSIjYSIvPgogICAgICAgICAgICA8L21hc2s+CiAgICAgICAgICAgIDxwYXRoIGZpbGw9IiNGOTY1MDAiIGQ9Ik02OS40NDUgNjkuNzJjLTcuMSA3LjEtMTYuNTQxIDExLjAxLTI2LjU4MyAxMS4wMS0xMC4wNDEgMC0xOS40ODMtMy45MS0yNi41ODMtMTEuMDFDOS4xNzggNjIuNjIgNS4yNjggNTMuMTggNS4yNjggNDMuMTM3YzAtMTAuMDQyIDMuOTEtMTkuNDgyIDExLjAxMS0yNi41ODMgNy4xLTcuMSAxNi41NDItMTEuMDEgMjYuNTgzLTExLjAxIDEwLjA0MSAwIDE5LjQ4MyAzLjkxIDI2LjU4MyAxMS4wMSA3LjEgNy4xMDEgMTEuMDEyIDE2LjU0MSAxMS4wMTIgMjYuNTgzIDAgMTAuMDQyLTMuOTExIDE5LjQ4My0xMS4wMTEgMjYuNTgzbTMuNzI1LTU2Ljg5QzY1LjA3NSA0LjczMyA1NC4zMS4yNzQgNDIuODYyLjI3NCAzMS40MTMuMjc1IDIwLjY1IDQuNzM0IDEyLjU1NCAxMi44MyA0LjQ1OSAyMC45MjUgMCAzMS42OSAwIDQzLjEzN2MwIDExLjQ1IDQuNDU4IDIyLjIxMyAxMi41NTUgMzAuMzA5QzIwLjY1IDgxLjU0MiAzMS40MTMgODYgNDIuODYxIDg2YzExLjQ0OSAwIDIyLjIxMy00LjQ1OCAzMC4zMDktMTIuNTU0IDguMDk1LTguMDk2IDEyLjU1NC0xOC44NiAxMi41NTQtMzAuMzA5IDAtMTEuNDQ4LTQuNDU5LTIyLjIxMi0xMi41NTQtMzAuMzA4IiBtYXNrPSJ1cmwoI2IpIi8+CiAgICAgICAgPC9nPgogICAgICAgIDxwYXRoIGZpbGw9IiNGOTY1MDAiIGQ9Ik00Mi44ODYgNDUuODg1aC0uMDQ4YTQzLjQ0OCA0My40NDggMCAwIDEtNi4yNTItLjMyNWMxLjYwNS00LjE3MyAzLjcxLTcuOTY1IDYuMjc2LTExLjMwMyAyLjU2NiAzLjMzOCA0LjY3MSA3LjEzIDYuMjc1IDExLjMwM2E0My40MyA0My40MyAwIDAgMS02LjI1LjMyNXptMjQuMDA3LTE1LjE5NGwtNC43OCAyLjc5OC4wNi4xNDhjMS4zMTggMy4yODggMS4yNDggNiAxLjA2OCA3LjQwMmE0MC40NDIgNDAuNDQyIDAgMCAxLTguNjEzIDMuNDRjLTEuOTUxLTUuMzU3LTQuNjY3LTEwLjIwMi04LjA4NC0xNC40M2E0MC45NDggNDAuOTQ4IDAgMCAxIDcuMTM2LTUuNTU4Yy40OTkuMjA5IDEuMTMzLjUxOCAxLjg0Ny45NjQgMS41ODQuOTg4IDIuOTk2IDIuMjk0IDQuMiAzLjg3OGwuMTM4LjE4MiA0Ljc2Ni0yLjc5MS0uMjg2LS4zODljLTQuNDg2LTYuMTIzLTEwLjEyNi03LjQ3Ny0xMC4zNjQtNy41M2wtMS4wNTItLjI0My0uOTM1LjU0YTQ2LjA4MiA0Ni4wODIgMCAwIDAtOS4xMzIgNi45MDMgNDYuMTAxIDQ2LjEwMSAwIDAgMC05LjEzLTYuOTAzbC0uOTM3LS41NC0xLjA1Mi4yNDJjLS4yMzguMDU0LTUuODc3IDEuNDEtMTAuMzY1IDcuNTMxbC0uMjg5LjM5NCA0Ljc2NiAyLjc5MS4xNDItLjE4N2MxLjIwNC0xLjU4NCAyLjYxNi0yLjg5IDQuMi0zLjg3OGExMi45NiAxMi45NiAwIDAgMSAxLjg0Ny0uOTY0IDQwLjk1OCA0MC45NTggMCAwIDEgNy4xMzYgNS41NTljLTMuNDE3IDQuMjI3LTYuMTMzIDkuMDcyLTguMDg0IDE0LjQyOGE0MC40NzQgNDAuNDc0IDAgMCAxLTguNjEzLTMuNDM5Yy0uMTgtMS40MDMtLjI1LTQuMTE0IDEuMDY4LTcuNDAybC4wNTctLjE0Mi00Ljc3OC0yLjc5OC0uMi40NzJjLTEuMTk5IDIuODI0LTEuNzggNS43MjQtMS43MyA4LjYyLjA0IDIuMjQ2LjQ2NSAzLjY4Mi41MTIgMy44MzZsLjMxNyAxLjAzMy45MzUuNTRhNDYuMTQ1IDQ2LjE0NSAwIDAgMCAxMC44MDYgNC41M2MtMS42NDkgNi4zOTctMS42NzMgMTEuMDc2LTEuNjc0IDExLjI4NGwtLjAwMSAxLjA4LjczNy43OTNjLjE2NC4xNzYgNC4xIDQuMzI4IDExLjU1IDUuMTkybC40OTguMDU4di01LjUzMmwtLjE5Mi0uMDI2Yy0xLjkyNi0uMjU5LTMuNzE2LS44MjQtNS4zMjMtMS42NzhhMTMuMDM3IDEzLjAzNyAwIDAgMS0xLjcxOC0xLjA4OGMuMTE4LTEuNjg2LjQ3LTQuOTM3IDEuNTI4LTguOTQgMi42LjM5IDUuMjgyLjU2NiA3Ljk4Ny41MjNhNDguNzU0IDQ4Ljc1NCAwIDAgMCA3Ljk4OC0uNTIzYzEuMDU3IDQuMDA0IDEuNDEgNy4yNTQgMS41MjcgOC45NC0uNDI0LjMyLS45OTYuNzA0LTEuNzE4IDEuMDg4LTEuNjA2Ljg1NC0zLjM5NyAxLjQyLTUuMzIzIDEuNjc4bC0uMTkuMDI2djUuNTMybC40OTYtLjA1OGM3LjQ1LS44NjQgMTEuMzg3LTUuMDE2IDExLjU1LTUuMTkybC43MzctLjc5Mi0uMDAxLTEuMDgyYzAtLjIwOC0uMDI2LTQuODkyLTEuNjc0LTExLjI4M2E0Ni4xODIgNDYuMTgyIDAgMCAwIDEwLjgwNi00LjUzbC45MzUtLjU0LjMxNy0xLjAzYy4wNDctLjE1OC40NzEtMS41OTUuNTExLTMuODQuMDUyLTIuODk1LS41My01Ljc5NS0xLjcyOC04LjYxOWwtLjIwMi0uNDc4eiIvPgogICAgICAgIDxnIHRyYW5zZm9ybT0idHJhbnNsYXRlKDQyLjUgLjIyNSkiPgogICAgICAgICAgICA8bWFzayBpZD0iZCIgZmlsbD0iI2ZmZiI+CiAgICAgICAgICAgICAgICA8dXNlIHhsaW5rOmhyZWY9IiNjIi8+CiAgICAgICAgICAgIDwvbWFzaz4KICAgICAgICAgICAgPHBhdGggZmlsbD0iI0ZGOTEwMCIgZD0iTTMwLjY3IDEyLjgzQzIyLjU3NiA0LjczNCAxMS44MTMuMjc1LjM2My4yNzV2NS4yNjljMTAuMDQyIDAgMTkuNDgzIDMuOTEgMjYuNTg0IDExLjAxIDcuMSA3LjEwMiAxMS4wMTEgMTYuNTQyIDExLjAxMSAyNi41ODQgMCAxMC4wNDItMy45MSAxOS40ODMtMTEuMDExIDI2LjU4My03LjEgNy4xLTE2LjU0MiAxMS4wMTEtMjYuNTg0IDExLjAxMVY4NmMxMS40NSAwIDIyLjIxMy00LjQ1OCAzMC4zMDktMTIuNTU0IDguMDk2LTguMDk1IDEyLjU1NC0xOC44NiAxMi41NTQtMzAuMzA4IDAtMTEuNDUtNC40NTgtMjIuMjEzLTEyLjU1NC0zMC4zMDgiIG1hc2s9InVybCgjZCkiLz4KICAgICAgICA8L2c+CiAgICAgICAgPHBhdGggZmlsbD0iI0ZGOTEwMCIgZD0iTTUwLjg1IDUwLjg3MWMxLjA1NyA0LjAwNCAxLjQxIDcuMjU1IDEuNTI4IDguOTQtLjQyNS4zMi0uOTk3LjcwNC0xLjcyIDEuMDg5LTEuNjA1Ljg1NC0zLjM5NiAxLjQxOC01LjMyIDEuNjc3bC0uMTkzLjAyNnY1LjUzMmwuNDk3LS4wNTdjNy40NS0uODY1IDExLjM4Ny01LjAxNyAxMS41NTEtNS4xOTNsLjczNi0uNzkydi0xLjA4MmMtLjAwMS0uMjA4LS4wMjctNC44OTItMS42NzQtMTEuMjg0YTQ2LjA1OSA0Ni4wNTkgMCAwIDAgMTAuODA1LTQuNTI5bC45MzYtLjU0LjMxNi0xLjAzYy4wNDgtLjE1Ny40NzItMS41OTUuNTEyLTMuODQuMDUtMi44OTUtLjUzLTUuNzk0LTEuNzMtOC42MThsLS4yMDEtLjQ3OS00Ljc4IDIuNzk5LjA2LjE0OGMxLjMxOCAzLjI4NiAxLjI0OSA1Ljk5OCAxLjA2OCA3LjQwMmE0MC40NyA0MC40NyAwIDAgMS04LjYxMiAzLjQzOGMtMS45NTMtNS4zNTYtNC42NjctMTAuMjAxLTguMDg0LTE0LjQyOGE0MS4wMTEgNDEuMDExIDAgMCAxIDcuMTM1LTUuNTZjLjQ5OC4yMSAxLjEzNC41MTkgMS44NDguOTY1IDEuNTgzLjk4OSAyLjk5NiAyLjI5MyA0LjIgMy44NzlsLjEzNy4xODEgNC43NjYtMi43OS0uMjg1LS4zOWMtNC40ODctNi4xMjMtMTAuMTI3LTcuNDc2LTEwLjM2NC03LjUzMWwtMS4wNTMtLjI0Mi0uOTM1LjU0YTQ2LjA5OCA0Ni4wOTggMCAwIDAtOS4xMzIgNi45MDN2OC4yNTJjMi41NjYgMy4zMzkgNC42NzEgNy4xMyA2LjI3NiAxMS4zMDNhNDMuMTUgNDMuMTUgMCAwIDEtNi4yNTIuMzI1aC0uMDI0djUuNTFhNDguODA3IDQ4LjgwNyAwIDAgMCA3Ljk4OC0uNTI0Ii8+CiAgICA8L2c+Cjwvc3ZnPgo=

vulndb/1.0.0/docs.md

@@ -0,0 +1,23 @@
+# VulnDB App
+
+The VulnDB app for accessing their API to get latest vulnerability notifications or metadata about vendors and products. A subscription is needed to access this service. For more details see their [webpage](https://vulndb.cyberriskanalytics.com/).
+
+Once logged in, the [API documentation](https://vulndb.cyberriskanalytics.com/documentation/api) is available this app is based upon.
+
+## Actions
+
+- **Latest 20 vulns**<br>Returns the 20 most recent vulnerabilities as a JSON
+object. Needs no parameters besides authentication parameters ClientID and
+ClientSecret.
+
+## Requirements
+
+- You need an account for accessing the VulnDB database.
+
+## Setup
+
+1. Go to the VulnDB [API overview page](https://vulndb.cyberriskanalytics.com/oauth_clients).
+1. Hit **Register new application** at the bottom of the page (under OAuth Client Applications).
+1. Enter a name and an URL (URL isn't used and doesn't matter).
+1. You will get a **Client ID** and a **Client Secret** which you need to give
+to the VulnDB app in Shuffle as parameters.

vulndb/1.0.0/requirements.txt

@@ -0,0 +1 @@
+requests

vulndb/1.0.0/src/app.py

@@ -0,0 +1,60 @@
+import requests
+import asyncio
+import json
+
+from walkoff_app_sdk.app_base import AppBase
+
+
+class VulnDB(AppBase):
+    __version__ = "1.0.0"
+    app_name = "VulnDB"  # this needs to match "name" in api.yaml
+    SITE_URL = "https://vulndb.cyberriskanalytics.com"
+    TOKEN_URL = SITE_URL + "/oauth/token"
+    API_URL = SITE_URL + "/api/v1"
+
+    def __init__(self, redis, logger, console_logger=None):
+        """
+        Each app should have this __init__ to set up Redis and logging.
+        :param redis:
+        :param logger:
+        :param console_logger:
+        """
+        super().__init__(redis, logger, console_logger)
+        self.headers = ""
+
+    def get_auth_headers(self, ClientID, ClientSecret):
+        authentication_data = {
+            'grant_type': 'client_credentials',
+            'client_id': ClientID,
+            'client_secret': ClientSecret
+            }
+
+        access_token_response = requests.post(self.TOKEN_URL,
+                                              data=authentication_data)
+
+        if access_token_response.status_code != 200:
+            raise Exception('VulnDB authentication error: HTTP status code ' +
+                            '{}'.format(access_token_response.status_code))
+        token = access_token_response.json()['access_token']
+        self.headers = {'Content-Type': 'application/json',
+                        'Authorization': f'Bearer {token}'}
+
+    async def latest_20_vulns(self, ClientID, ClientSecret):
+        if self.headers == "":
+            self.get_auth_headers(ClientID, ClientSecret)
+
+        url = self.API_URL + "/vulnerabilities"
+        response = requests.get(url, headers=self.headers)
+        if response.status_code != 200:
+            raise Exception('VulnDB latest_20_vulns error: HTTP ' +
+                            '{}'.format(response.status_code) +
+                            ' {}'.format(response.reason) +
+                            ' {} '.format(url))
+
+        vulnerabilities = response.json()['results']
+
+        return vulnerabilities
+
+
+if __name__ == "__main__":
+    asyncio.run(VulnDB.run(), debug=True)