Re: Use OpenVulnQueryClient to query for advisory given CDET/defect ID

jorgrive · ‎01-02-2020

Hello All,

When navigating to Security Advisory page, I'm able to go to Vulnerabilities tab and perform a quick search. When using a CDET ID, i see that a request is being sent with parameter "keyword=CSCun25241"

Request URL:https://tools.cisco.com/security/center/publicationService.x?criteria=exact&cves=&keyword=CSCun25241&last_published_date=&limit=20&offset=0&publicationTypeIDs=1,3&securityImpactRatings=&sort=-day_sir&title=

Request method:GET

In hopes of mimicking this behavior via python script, I've been reviewing PSIRT API documentation:

API reference: https://developer.cisco.com/docs/psirt/#!api-reference/api-reference
OpenVulnQueryClient code: https://github.com/CiscoPSIRT/openVulnAPI/blob/master/openVulnQuery/openVulnQuery/_library/query_client.py

I dont see any function call that suggest I can query advisories using same quick-search functionality. I'm writing to see if anyone else has had success being able to query PSIRT API like this...more specifically is it possible to query for Security Advisories given CDET ID or list of CDET Ids ?

LanDownUnda · ‎01-02-2020

Hi Jorgrive,

I agree with you that there doesn't seem to be a "quick search" feature within the API Reference Material. After looking into the API Reference some more there does appear to be the "Querying by Advisory ID" URL which looks to be the closest thing.

One question I have is what sort of result are you wanting to achieve by a quick search feature? In the past when I haven't had the luxury of a well written API I've ended up having to pull data from different API calls and sort of stitch them together to achieve a data sample that I couldn't call only using 1 URL.

*** Rate All Helpful Responses ***

jorgrive · ‎01-03-2020

I'm currently writing an automation script to detect customer impacted by PSIRT defects (CDETS-side). Once I identify the defect, which contains references to 1 or more CVEs, then I'd like to query the PSIRT-API to find the corresponding security advisory. This would allow me to easily map a PSIRT-cdet to it's proper security advisory.

As it stands now, it appears that I'll have to instead parse out any CVEs listed within the CDET release-notes and then query the API by CVE. However, this method requires more work because

some CVEs in release-note list are not mapped to any security advisory
CVEs in release-note list might map to different security advisories

In the case a CVE from release-note list doesnt map to any security advisory, this isnt too big a deal in that, so far I've found that there is always at least 1 security advisory that is found, which is good thing,

In the event that multiple security advisories are found, I would then have to review all the defects associated with returned security advisory so I can make sure the advisory contains the defect ID to which I was trying to map a security advisory.

For example

I would always start with a given CDET: CSCun25241
Get CVEs listed in Cdet Release-Note: CVE-2008-6505 CVE-2010-1870 CVE-2011-3923 CVE-2012-0391 CVE-2012-0394 CVE-2013-1966 CVE-2013-2134 CVE-2013-2248 CVE-2013-2251 CVE-2013-4310 CVE-2013-4316 CVE-2014-0094 CVE-2014-0112 CVE-2014-0113 CVE-2014-0116
CVE-2010-1870 returns a security advisory
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140709-struts2
- NOTE: this is the actual security advisory that has this defect ID in its cdet list
CVE-2013-2251 returns another security advisory which does NOT have CSCun25241 in it's cdet list
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2

As you can see, searching by CVEs from release-notes isn't as clean as doing an advanced-search or quick-search using defect-ID. My goal was to be able to directly find the correct security advisory with one simple query. Without it, I'll have to take this more circular approach.