diff --git a/docs/user/lib_mapper/nist.md b/docs/user/lib_mapper/nist.md index 1af6fa7a..044a7193 100644 --- a/docs/user/lib_mapper/nist.md +++ b/docs/user/lib_mapper/nist.md @@ -1,9 +1,11 @@ | NIST | | NORMALIZED | | ---------- | -- | ------ | | adaptive_security_appliance_software | → | cisco_asa | +| arubaos | → | aruba_os | | eos | → | arista_eos | | ios | → | cisco_ios | | ios_xe | → | cisco_xe | | ios_xr | → | cisco_xr | | junos | → | juniper_junos | -| nx-os | → | cisco_nxos | \ No newline at end of file +| nx-os | → | cisco_nxos | +| pan-os | → | paloalto_panos | \ No newline at end of file diff --git a/docs/user/lib_mapper/nist_reverse.md b/docs/user/lib_mapper/nist_reverse.md index 1619f1df..cef1480c 100644 --- a/docs/user/lib_mapper/nist_reverse.md +++ b/docs/user/lib_mapper/nist_reverse.md @@ -1,9 +1,11 @@ | NORMALIZED | | NIST | | ---------- | -- | ------ | | arista_eos | → | eos | +| aruba_os | → | arubaos | | cisco_asa | → | adaptive_security_appliance_software | | cisco_ios | → | ios | | cisco_nxos | → | nx-os | | cisco_xe | → | ios_xe | | cisco_xr | → | ios_xr | -| juniper_junos | → | junos | \ No newline at end of file +| juniper_junos | → | junos | +| paloalto_panos | → | pan-os | \ No newline at end of file diff --git a/netutils/lib_mapper.py b/netutils/lib_mapper.py index 30c5f76b..e32f68bd 100644 --- a/netutils/lib_mapper.py +++ b/netutils/lib_mapper.py @@ -451,12 +451,14 @@ # NIST | Normalized NIST_LIB_MAPPER = { "adaptive_security_appliance_software": "cisco_asa", - "nx-os": "cisco_nxos", - "ios_xr": "cisco_xr", - "ios_xe": "cisco_xe", + "arubaos": "aruba_os", "eos": "arista_eos", "ios": "cisco_ios", + "ios_xe": "cisco_xe", + "ios_xr": "cisco_xr", + "nx-os": "cisco_nxos", "junos": "juniper_junos", + "pan-os": "paloalto_panos", } # Normalized | NAPALM 
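Review bot: In the reordered `NIST_LIB_MAPPER`, `"nx-os"` is placed before `"junos"`, so the dict is alphabetical except for that one pair, while the docs tables earlier in this commit list `junos` before `nx-os`. Moving `"junos": "juniper_junos",` above `"nx-os": "cisco_nxos",` keeps the source in the same order as the rendered table and makes a missing or duplicated key easier to spot in review.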
@@ -616,15 +618,29 @@ # Normalized | NIST NIST_LIB_MAPPER_REVERSE = { + "arista_eos": "eos", + "aruba_os": "arubaos", "cisco_asa": "adaptive_security_appliance_software", + "cisco_ios": "ios", "cisco_nxos": "nx-os", - "cisco_xr": "ios_xr", "cisco_xe": "ios_xe", - "arista_eos": "eos", - "cisco_ios": "ios", + "cisco_xr": "ios_xr", "juniper_junos": "junos", + "paloalto_panos": "pan-os", } +# Normalized | NIST reverse dictionary parser for NIST URL generation. +NIST_TO_VENDOR = { + "arista_eos": {"vendor": "arista", "os_name": "eos"}, + "aruba_os": {"vendor": "arubanetworks", "os_name": "arubaos"}, + "cisco_asa": {"vendor": "cisco", "os_name": "asa"}, + "cisco_ios": {"vendor": "cisco", "os_name": "ios"}, + "cisco_nxos": {"vendor": "cisco", "os_name": "nx-os"}, + "cisco_xe": {"vendor": "cisco", "os_name": "xe"}, + "cisco_xr": {"vendor": "cisco", "os_name": "xr"}, + "juniper_junos": {"vendor": "juniper", "os_name": "junos"}, + "paloalto_panos": {"vendor": "paloaltonetworks", "os_name": "pan-os"}, +} # Deep copy the reverse, where there is no actual translation happening with special # consideration for OS's not in netmiko. diff --git a/netutils/nist.py b/netutils/nist.py index eba7ed6c..1dd8adff 100644 --- a/netutils/nist.py +++ b/netutils/nist.py @@ -5,6 +5,7 @@ import re import typing as t +from netutils.lib_mapper import NIST_TO_VENDOR from netutils.os_version import version_metadata # Setting up the dataclass values for specific parsers @@ -69,7 +70,7 @@ def _get_nist_urls_juniper_junos(os_platform_data: t.Dict[str, t.Any]) -> t.List List of NIST CPE URLs that may contain platform data. """ nist_urls = [] - base_url = f'{"https://services.nvd.nist.gov/rest/json/cves/2.0?virtualMatchString=cpe:2.3:o:juniper:junos"}' + base_url = f'{"https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:o:juniper:junos"}' # BASE _main = os_platform_data.get("main") 
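Review bot: The `os_name` values in the new `NIST_TO_VENDOR` table disagree with `NIST_LIB_MAPPER_REVERSE` directly above it for three drivers: `cisco_asa` is `adaptive_security_appliance_software` there but `asa` here, `cisco_xe` is `ios_xe` but `xe`, and `cisco_xr` is `ios_xr` but `xr`. If `os_name` is used as the CPE product field (the tests in this commit suggest it is, e.g. `cisco:ios`), a lookup for `cisco:xe` would presumably miss NVD entries filed under `ios_xe`, and an empty result reads as "no known CVEs". Unless another part of `nist.py` translates these short names, take the product from the reverse map, e.g. `"cisco_xe": {"vendor": "cisco", "os_name": NIST_LIB_MAPPER_REVERSE["cisco_xe"]},`. The table also changes `cisco_nxos` from `nxos` (in the dict removed from `get_nist_urls`) to `nx-os`, a behaviour change that should be named in the commit description. The keys are normalized driver names, so a comment such as `# Normalized | NIST CPE vendor and product, used for NVD URL generation` would describe the table better than the current one.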
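Review bot: `base_url` in `_get_nist_urls_juniper_junos` is still an f-string whose only content is a quoted literal, `f'{"https://…"}'`, which evaluates to the plain string and buries the one token this commit changes. The same pattern is repeated in `_get_nist_urls_default` (the `-168` hunk), so the endpoint and query parameter are maintained in two places. Defining it once, e.g. `NVD_CVE_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:o:"` at module level and `base_url = f"{NVD_CVE_URL}juniper:junos"` here, would make a parameter switch like this a single-line edit. The function body continues outside the hunk.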
@@ -168,7 +169,7 @@ def _get_nist_urls_default(os_platform_data: t.Dict[str, t.Any]) -> t.List[str]: """ nist_urls = [] escape_list = [r"\(", r"\)"] - base_url = f'{"https://services.nvd.nist.gov/rest/json/cves/2.0?virtualMatchString=cpe:2.3:o:"}' + base_url = f'{"https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:o:"}' os_platform_data = {"base_url": base_url, **os_platform_data} os_platform_data["version_string"] = os_platform_data.get("version_string").replace("-", ":") # type: ignore @@ -200,7 +201,7 @@ def _os_platform_object_builder(vendor: str, platform: str, version: str) -> obj Examples: >>> jp = _os_platform_object_builder("juniper", "junos", "12.1R3-S4.1") >>> jp.get_nist_urls() - ['https://services.nvd.nist.gov/rest/json/cves/2.0?virtualMatchString=cpe:2.3:o:juniper:junos:12.1r3:s4.1:*:*:*:*:*:*', 'https://services.nvd.nist.gov/rest/json/cves/2.0?virtualMatchString=cpe:2.3:o:juniper:junos:12.1r3-s4.1:*:*:*:*:*:*:*'] + ['https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:o:juniper:junos:12.1r3:s4.1:*:*:*:*:*:*', 'https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:o:juniper:junos:12.1r3-s4.1:*:*:*:*:*:*:*'] """ platform = platform.lower() vendor = vendor.lower() @@ -265,15 +266,7 @@ def get_nist_urls(network_driver: str, version: str) -> t.List[str]: t.List[str]: NIST URLs to search for possible CVE matches """ # DICTIONARY FOR VENDOR/PLATFORM TO NETWORK_DRIVER; UPDATE AS NEEDED - network_driver_mappings = { - "arista_eos": {"vendor": "arista", "os_name": "eos"}, - "cisco_ios": {"vendor": "cisco", "os_name": "ios"}, - "cisco_nxos": {"vendor": "cisco", "os_name": "nxos"}, - "cisco_xe": {"vendor": "cisco", "os_name": "xe"}, - "cisco_xr": {"vendor": "cisco", "os_name": "xr"}, - "cisco_asa": {"vendor": "cisco", "os_name": "asa"}, - "juniper_junos": {"vendor": "juniper", "os_name": "junos"}, - } + network_driver_mappings = NIST_TO_VENDOR vendor_os = network_driver_mappings[network_driver] 
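Review bot: Switching the default builder to `cpeName` looks unsafe for the short CPE strings it produces: the expected values in `tests/unit/test_nist.py` end at `cpe:2.3:o:cisco:ios:15.5:*`, seven fields rather than the thirteen of a full CPE 2.3 name. As I read the NVD CVE API 2.0 documentation, `cpeName` expects a complete CPE name while `virtualMatchString` accepts partial match strings, so these URLs may be rejected or return nothing, which downstream is indistinguishable from a device with no known CVEs. The Juniper URLs are already padded to thirteen fields; either pad the default ones the same way or keep `virtualMatchString` in this function, and confirm against the live API because the unit tests only compare strings. `_get_nist_urls_default` continues outside the hunk, so the final URL shape is inferred from the tests.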
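Review bot: In `get_nist_urls`, `network_driver_mappings[network_driver]` still raises a bare `KeyError` for any driver missing from `NIST_TO_VENDOR`, and the local name is now only an alias for a shared module-level dict under a stale comment ("UPDATE AS NEEDED" no longer applies at this site). Consider dropping the alias and the comment and using `vendor_os = NIST_TO_VENDOR.get(network_driver)` followed by `if vendor_os is None: raise KeyError(f"Unsupported network_driver for NIST lookup: {network_driver}")`, which keeps the exception type but tells the caller that no CVE query was built. Because the inner dicts are now shared module state, any in-place change to `vendor_os` later in the function would leak into every subsequent call; the rest of the function is outside the hunk, so check that it only reads from it.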
diff --git a/pyproject.toml b/pyproject.toml
index 96f13749..1e2b9da7 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "netutils"
-version = "1.13.0"
+version = "1.14.0"
 description = "Common helper functions useful in network automation."
 authors = ["Network to Code, LLC "]
 license = "Apache-2.0"
diff --git a/tests/unit/test_nist.py b/tests/unit/test_nist.py
index b381b1e0..8e63e720 100644
--- a/tests/unit/test_nist.py
+++ b/tests/unit/test_nist.py
@@ -7,27 +7,25 @@
 platform_nist_urls = [
 {
 "sent": {"network_driver": "cisco_ios", "version": "15.5"},
- "received": ["https://services.nvd.nist.gov/rest/json/cves/2.0?virtualMatchString=cpe:2.3:o:cisco:ios:15.5:*"],
+ "received": ["https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:o:cisco:ios:15.5:*"],
 },
 {
 "sent": {"network_driver": "arista_eos", "version": "4.15.3f"},
- "received": [
- "https://services.nvd.nist.gov/rest/json/cves/2.0?virtualMatchString=cpe:2.3:o:arista:eos:4.15.3f:*"
- ],
+ "received": ["https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:o:arista:eos:4.15.3f:*"],
 },
 # Juniper platforms receive multiple URLs to try as they are not very standardized and some return info on both
 {
 "sent": {"network_driver": "juniper_junos", "version": "12.3R12-S15"},
 "received": [
- "https://services.nvd.nist.gov/rest/json/cves/2.0?virtualMatchString=cpe:2.3:o:juniper:junos:12.3r12:s15:*:*:*:*:*:*",
- "https://services.nvd.nist.gov/rest/json/cves/2.0?virtualMatchString=cpe:2.3:o:juniper:junos:12.3r12-s15:*:*:*:*:*:*:*",
+ "https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:o:juniper:junos:12.3r12:s15:*:*:*:*:*:*",
+ "https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:o:juniper:junos:12.3r12-s15:*:*:*:*:*:*:*",
 ],
 },
 {
 "sent": {"network_driver": "juniper_junos", "version": "12.3x48:d25"},
 "received": [
- "https://services.nvd.nist.gov/rest/json/cves/2.0?virtualMatchString=cpe:2.3:o:juniper:junos:12.3x48:d25:*:*:*:*:*:*",
- "https://services.nvd.nist.gov/rest/json/cves/2.0?virtualMatchString=cpe:2.3:o:juniper:junos:12.3x48-d25:*:*:*:*:*:*:*",
+ "https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:o:juniper:junos:12.3x48:d25:*:*:*:*:*:*",
+ "https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:o:juniper:junos:12.3x48-d25:*:*:*:*:*:*:*",
 ],
 },
 ]
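Review bot: The cases in `platform_nist_urls` cover only `cisco_ios`, `arista_eos` and `juniper_junos`, so nothing exercises the drivers this commit adds (`aruba_os`, `paloalto_panos`) or the `cisco_nxos` product change from `nxos` to `nx-os`. Adding one `sent`/`received` pair per new or changed driver would pin the vendor and product strings that end up in the CPE, for instance a `paloalto_panos` case whose expected URL is expected to contain `cpe:2.3:o:paloaltonetworks:pan-os:`. These cases compare strings only, so a recorded NVD response or a documented manual check is still needed to show that the `cpeName` form of each URL actually returns results.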