266 lines
7.3 KiB
Go
266 lines
7.3 KiB
Go
|
package main
|
||
|
|
||
|
import (
|
||
|
"bytes"
|
||
|
"crypto/tls"
|
||
|
"encoding/json"
|
||
|
"errors"
|
||
|
"flag"
|
||
|
"fmt"
|
||
|
"github.com/fatih/color"
|
||
|
"io/ioutil"
|
||
|
"log"
|
||
|
"net/http"
|
||
|
"net/url"
|
||
|
"os"
|
||
|
"strings"
|
||
|
"time"
|
||
|
)
|
||
|
|
||
|
const oauth2Url = "https://cloudsso.cisco.com/as/token.oauth2"
|
||
|
|
||
|
type oauthToken struct {
|
||
|
AccessToken string `json:"access_token"`
|
||
|
TokenType string `json:"token_type"`
|
||
|
ExpiresIn int `json:"expires_in"`
|
||
|
}
|
||
|
|
||
|
type ciscoVulns struct {
|
||
|
Advisories []struct {
|
||
|
AdvisoryID string `json:"advisoryId"`
|
||
|
AdvisoryTitle string `json:"advisoryTitle"`
|
||
|
BugIDs []string `json:"bugIDs"`
|
||
|
IpsSignatures []string `json:"ipsSignatures"`
|
||
|
Cves []string `json:"cves"`
|
||
|
CvrfURL string `json:"cvrfUrl"`
|
||
|
OvalURL string `json:"ovalUrl"`
|
||
|
CvssBaseScore string `json:"cvssBaseScore"`
|
||
|
Cwe []string `json:"cwe"`
|
||
|
IosRelease []string `json:"iosRelease"`
|
||
|
FirstFixed []string `json:"firstFixed"`
|
||
|
FirstPublished string `json:"firstPublished"`
|
||
|
LastUpdated string `json:"lastUpdated"`
|
||
|
ProductNames []string `json:"productNames"`
|
||
|
PublicationURL string `json:"publicationUrl"`
|
||
|
Sir string `json:"sir"`
|
||
|
Summary string `json:"summary"`
|
||
|
} `json:"advisories"`
|
||
|
SirCriticalCount int
|
||
|
SirHighCount int
|
||
|
SirMediumCount int
|
||
|
SirLowCount int
|
||
|
}
|
||
|
|
||
|
var verboseFlag = flag.Bool("v", false, "be verbose")
|
||
|
var scriptFlag = flag.Bool("s", false, "scriptble output")
|
||
|
|
||
|
func main() {
|
||
|
var t oauthToken
|
||
|
var c ciscoVulns
|
||
|
|
||
|
var iosXeFlag = flag.String("iosxe", "", "fetch Security Advisories for IOS-XE version")
|
||
|
var iosFlag = flag.String("ios", "", "fetch Security Advisories for IOS version")
|
||
|
var productFlag = flag.String("product", "", "fetch Security Advisories Cisco Products, ex Cisco Adaptive Security Appliance")
|
||
|
|
||
|
flag.Parse()
|
||
|
|
||
|
if *iosXeFlag == "" && *iosFlag == "" && *productFlag == "" {
|
||
|
flag.PrintDefaults()
|
||
|
return
|
||
|
}
|
||
|
|
||
|
/* Colors */
|
||
|
redstr := color.New(color.FgRed).SprintFunc()
|
||
|
red := color.New(color.FgRed)
|
||
|
yellow := color.New(color.FgYellow).SprintFunc()
|
||
|
boldRed := red.Add(color.Bold).SprintFunc()
|
||
|
|
||
|
if *iosXeFlag != "" {
|
||
|
err := t.fetchToken()
|
||
|
if err != nil {
|
||
|
fmt.Println(err)
|
||
|
return
|
||
|
}
|
||
|
c.fetchVulnVersion(t, "iosxe", *iosXeFlag)
|
||
|
c.populateSirCount()
|
||
|
if *scriptFlag == true {
|
||
|
fmt.Printf("Summary Version: %s Critical: %d: High: %d Medium: %d Low: %d\n", *iosXeFlag, c.SirCriticalCount, c.SirHighCount, c.SirMediumCount, c.SirLowCount)
|
||
|
} else {
|
||
|
/* Clear terminal */
|
||
|
fmt.Printf("\033[H\033[2J")
|
||
|
fmt.Printf("--- Vulnerabilities for IOS-XE %s ---\n", *iosXeFlag)
|
||
|
fmt.Printf("Critical: %s High: %s Medium: %s Low: %d\n\n", boldRed(c.SirCriticalCount), redstr(c.SirHighCount), yellow(c.SirMediumCount), c.SirLowCount)
|
||
|
}
|
||
|
}
|
||
|
|
||
|
if *iosFlag != "" {
|
||
|
err := t.fetchToken()
|
||
|
if err != nil {
|
||
|
fmt.Println(err)
|
||
|
return
|
||
|
}
|
||
|
c.fetchVulnVersion(t, "ios", *iosFlag)
|
||
|
c.populateSirCount()
|
||
|
/* Clear terminal */
|
||
|
if *scriptFlag == true {
|
||
|
fmt.Printf("Summary Version: %s Critical: %d: High: %d Medium: %d Low: %d\n", *iosFlag, c.SirCriticalCount, c.SirHighCount, c.SirMediumCount, c.SirLowCount)
|
||
|
} else {
|
||
|
fmt.Printf("\033[H\033[2J")
|
||
|
fmt.Printf("--- Vulnerabilities for IOS %s ---\n", *iosFlag)
|
||
|
fmt.Printf("Critical: %s High: %s Medium: %s Low: %d\n\n", boldRed(c.SirCriticalCount), redstr(c.SirHighCount), yellow(c.SirMediumCount), c.SirLowCount)
|
||
|
}
|
||
|
}
|
||
|
|
||
|
if *productFlag != "" {
|
||
|
fmt.Println("Not yet implemented.")
|
||
|
}
|
||
|
|
||
|
if *scriptFlag == true {
|
||
|
for _, vuln := range c.Advisories {
|
||
|
fmt.Printf("%s:%s:%s:%s\n", vuln.AdvisoryTitle, vuln.CvssBaseScore, vuln.Sir, vuln.PublicationURL)
|
||
|
}
|
||
|
} else {
|
||
|
for _, vuln := range c.Advisories {
|
||
|
switch vuln.Sir {
|
||
|
case "Critical":
|
||
|
fmt.Printf("Title: %s\nCVE Score: %s\nSeverity: %s\nUrl: %s\n\n", vuln.AdvisoryTitle, vuln.CvssBaseScore, boldRed("!!! "+vuln.Sir+" !!!"), vuln.PublicationURL)
|
||
|
case "High":
|
||
|
fmt.Printf("Title: %s\nCVE Score: %s\nSeverity: %s\nUrl: %s\n\n", vuln.AdvisoryTitle, vuln.CvssBaseScore, redstr(vuln.Sir), vuln.PublicationURL)
|
||
|
case "Medium":
|
||
|
fmt.Printf("Title: %s\nCVE Score: %s\nSeverity: %s\nUrl: %s\n\n", vuln.AdvisoryTitle, vuln.CvssBaseScore, yellow(vuln.Sir), vuln.PublicationURL)
|
||
|
default:
|
||
|
fmt.Printf("Title: %s\nCVE Score: %s\nSeverity: %s\nUrl: %s\n\n", vuln.AdvisoryTitle, vuln.CvssBaseScore, vuln.Sir, vuln.PublicationURL)
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
func (c *ciscoVulns) populateSirCount() {
|
||
|
for _, vuln := range c.Advisories {
|
||
|
switch vuln.Sir {
|
||
|
case "Critical":
|
||
|
c.SirCriticalCount++
|
||
|
case "High":
|
||
|
c.SirHighCount++
|
||
|
case "Medium":
|
||
|
c.SirMediumCount++
|
||
|
case "Low":
|
||
|
c.SirLowCount++
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
func (c *ciscoVulns) fetchVulnVersion(token oauthToken, os string, version string) error {
|
||
|
transport := &http.Transport{
|
||
|
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
||
|
}
|
||
|
|
||
|
timeout := time.Duration(60 * time.Second)
|
||
|
client := &http.Client{
|
||
|
Timeout: timeout,
|
||
|
Transport: transport,
|
||
|
}
|
||
|
|
||
|
var urlStr bytes.Buffer
|
||
|
switch os {
|
||
|
case "iosxe":
|
||
|
urlStr.WriteString("https://api.cisco.com/security/advisories/iosxe?version=")
|
||
|
case "ios":
|
||
|
urlStr.WriteString("https://api.cisco.com/security/advisories/ios?version=")
|
||
|
}
|
||
|
|
||
|
urlStr.WriteString(version)
|
||
|
|
||
|
url, err := url.Parse(urlStr.String())
|
||
|
|
||
|
request, err := http.NewRequest("GET", url.String(), nil)
|
||
|
if err != nil {
|
||
|
log.Println(err)
|
||
|
}
|
||
|
request.Header.Add("Accept", "application/json")
|
||
|
request.Header.Add("Authorization", "Bearer "+token.AccessToken)
|
||
|
|
||
|
if *verboseFlag == true {
|
||
|
fmt.Printf("Connecting to api.cisco.com\n")
|
||
|
}
|
||
|
response, err := client.Do(request)
|
||
|
if err != nil {
|
||
|
log.Println(err)
|
||
|
return err
|
||
|
}
|
||
|
if response.StatusCode == http.StatusUnauthorized {
|
||
|
log.Println("Invalid credentials")
|
||
|
return errors.New("Invalid credentials")
|
||
|
}
|
||
|
if *verboseFlag == true {
|
||
|
fmt.Printf("Authentication ok.\nReading response\n")
|
||
|
}
|
||
|
data, err := ioutil.ReadAll(response.Body)
|
||
|
if err != nil {
|
||
|
log.Println(err)
|
||
|
return err
|
||
|
}
|
||
|
err = json.Unmarshal(data, &c)
|
||
|
if err != nil {
|
||
|
return err
|
||
|
}
|
||
|
return nil
|
||
|
}
|
||
|
|
||
|
func (t *oauthToken) fetchToken() error {
|
||
|
clientId := os.Getenv("CLIENT_ID")
|
||
|
clientSecret := os.Getenv("CLIENT_SECRET")
|
||
|
|
||
|
if clientId == "" || clientSecret == "" {
|
||
|
return errors.New("You have not set correct environment variables (CLIENT_ID or CLIENT_SECRET).\n\n$ export CLIENT_ID=\"kajsdkljadslkj\"\n$ export CLIENT_SECRET=\"kljadslksjdlj\"")
|
||
|
}
|
||
|
|
||
|
transport := &http.Transport{
|
||
|
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
||
|
}
|
||
|
|
||
|
timeout := time.Duration(60 * time.Second)
|
||
|
client := &http.Client{
|
||
|
Timeout: timeout,
|
||
|
Transport: transport,
|
||
|
}
|
||
|
|
||
|
form := url.Values{}
|
||
|
form.Add("client_id", clientId)
|
||
|
form.Add("client_secret", clientSecret)
|
||
|
form.Add("grant_type", "client_credentials")
|
||
|
|
||
|
request, err := http.NewRequest("POST", oauth2Url, strings.NewReader(form.Encode()))
|
||
|
if err != nil {
|
||
|
return err
|
||
|
}
|
||
|
|
||
|
request.Header.Add("Content-Type", "application/x-www-form-urlencoded")
|
||
|
if *verboseFlag == true {
|
||
|
fmt.Printf("Connecting to cloudsso.cisco.com.\n")
|
||
|
}
|
||
|
response, err := client.Do(request)
|
||
|
if err != nil {
|
||
|
return err
|
||
|
}
|
||
|
if response.StatusCode == http.StatusUnauthorized {
|
||
|
log.Println("Authentication failed: " + oauth2Url)
|
||
|
return errors.New("Authentication failed: " + oauth2Url)
|
||
|
}
|
||
|
if *verboseFlag == true {
|
||
|
fmt.Printf("Authenticated ok.\nAcquiring token.\n")
|
||
|
}
|
||
|
|
||
|
data, err := ioutil.ReadAll(response.Body)
|
||
|
if err != nil {
|
||
|
return err
|
||
|
}
|
||
|
|
||
|
err = json.Unmarshal(data, &t)
|
||
|
if err != nil {
|
||
|
return err
|
||
|
}
|
||
|
|
||
|
return nil
|
||
|
}
|