Skip to content

andsopwn/LXC-Threat-API-Mapping

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
python_ast_visualizer
python_ast_visualizer
 
 
search_source
search_source
 
 
threat-api-tracker
threat-api-tracker
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 

Repository files navigation

LXC‑Threat‑API‑Mapping Toolkit

End‑to‑end pipeline for discovering vulnerable API calls in your Python codebase and ranking them by real‑world exploitability.

SBOM / CVE list ─▶ nvd_api_extractor ─┐
                                     ▼
                           risk_db.json (EPSS · KEV · PoC links)
                                     │
                   (optional) ────────┤
                   │                  ▼
                   │        llm_api_enricher / vertex_api_enricher
                   ▼                  │  (fill missing `apis` via LLM)
          risk_enricher (EPSS/KEV)    │
                   ▼                  ▼
          risk_db_enriched.json  ─────────▶ threat_api_mapper
                                            ▲
                                            │  scans your source tree
                                            ▼
                                   threat_map.json

Requirements (minimum)

requests
nvdlib
pandas
openai            # ← if you’ll use llm_api_enricher.py
vertexai          # ← if you’ll use vertex_api_enricher.py
unidiff           # diff parsing for cve_api_extract.py

Store cloud creds as env vars:

  • OpenAI → OPENAI_API_KEY
  • Vertex AI → GOOGLE_CLOUD_PROJECT, GOOGLE_APPLICATION_CREDENTIALS, VERTEX_LOCATION

1 . Generate risk_db.json

# Option A – direct CVE list
python nvd_api_extractor.py \
       --cve CVE-2020-14343 CVE-2024-21591 \
       --out risk_db.json

# Option B – CycloneDX SBOM
python nvd_api_extractor.py --sbom bom.json --out risk_db.json

Fields populated:

  • cve, packages, apis (regex),
  • CVSS + severity,
  • epss, epssPercentile, kev, optional exploitDB.

2 . (Option) Fill missing apis via LLM

OpenAI

export OPENAI_API_KEY=sk-…
python llm_api_enricher.py risk_db.json --out risk_db_llm.json --model gpt-4o

Google Vertex AI

export GOOGLE_CLOUD_PROJECT="my‑proj"
export GOOGLE_APPLICATION_CREDENTIALS="/path/key.json"
pip install google-cloud-aiplatform google-generativeai
python vertex_api_enricher.py risk_db.json --out risk_db_vertex.json --model gemini-1.0-pro

3 . Map vulnerable API calls in source

python threat_api_mapper.py \
       --code ./src \                 # root of your codebase
       --risk risk_db_vertex.json \    # or risk_db_llm.json / risk_db.json
       --out threat_map.json \
       --min-epss 0.7      \          # filter (optional)
       --kev-only           \          # CISA KEV only (optional)
       --debug

Output threat_map.json example:

{
  "file": "app/server.py",
  "line": 42,
  "api": "yaml.load",
  "cve": ["CVE-2020-14343"],
  "severity": "CRITICAL",
  "epss": 0.70,
  "kev": true,
  "exploitDB": "https://www.exploit-db.com/exploits/50291",
  "snippet": "data = yaml.load(user_input, Loader=yaml.Loader)"
}

Use this JSON to build dashboards, generate CTI reports, or feed CI gates.

4 . Ad‑hoc utilities

Extract API names for a single CVE

python cve_api_extract.py CVE-2020-14343 --debug

Visualize call‑flow graph for a dangerous API

astvisualizer.py crawls your project, builds a call graph and highlights calls to a target function (default yaml.load). It renders a GraphViz PNG so you can see how tainted data reaches the vulnerable sink.

python astvisualizer.py ./src/ --target yaml.load -o callflow_yaml
# ⇒ callflow_yaml.png

Enrich existing DB with EPSS·KEV

python risk_enricher.py risk_db.json --out risk_db_enriched.json

About

Container Security

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

2 forks
Report repository

Contributors 2

  •  
  •  

Languages