vuln_batch_remediation.py: Allow to overwrite existing remediations.

manni83 · manni83 · commit 32f922cfa3e4 · 2023-07-12T11:56:16.000+02:00
This allows to bulk update many of the existing ones via CSV files.
diff --git a/examples/vuln_batch_remediation.py b/examples/vuln_batch_remediation.py
@@ -97,7 +97,7 @@ def remediation_is_valid(vuln, remediation_data):
     
     if vulnerability_name in remediation_data.keys():
         remediation = remediation_data[vulnerability_name]
-        if (remediation_status == remediation[0] and remediation_comment == remediation[1]):
+        if (remediation_status == remediation[0] and remediation_comment == remediation[1].replace('\\n','\n')):
             return None
         return remediation_data[vulnerability_name]
     else:
@@ -133,7 +133,7 @@ def set_vulnerablity_remediation(hub, vuln, remediation_status, remediation_comm
     response = hub.execute_put(url, data=update)
     return response
 
-def process_vulnerabilities(hub, vulnerable_components, remediation_data=None, exclusion_data=None, dry_run=False):
+def process_vulnerabilities(hub, vulnerable_components, remediation_data=None, exclusion_data=None, dry_run=False, overwrite_existing=False):
 
     if (dry_run):
         print(f"Opening dry run output file: {dry_run}")
@@ -144,8 +144,8 @@ def process_vulnerabilities(hub, vulnerable_components, remediation_data=None, e
     print('"Component Name","Component Version","CVE","Reason","Remeidation Status","HTTP response code"')
 
     for vuln in vulnerable_components['items']:
-        if vuln['vulnerabilityWithRemediation']['remediationStatus'] == "NEW":
-            remediation_action = None 
+        if overwrite_existing or vuln['vulnerabilityWithRemediation']['remediationStatus'] == "NEW":
+            remediation_action = None
             exclusion_action = None
 
             if (remediation_data):
@@ -166,8 +166,7 @@ def process_vulnerabilities(hub, vulnerable_components, remediation_data=None, e
 
             if (remediation_action):
                 if (dry_run):
-                    remediation_action.insert(0, vuln['vulnerabilityWithRemediation']['vulnerabilityName'])
-                    csv_writer.writerow(remediation_action)
+                    csv_writer.writerow([vuln['vulnerabilityWithRemediation']['vulnerabilityName']] + remediation_action)
                 else:
                     resp = set_vulnerablity_remediation(hub, vuln, remediation_action[0],remediation_action[1])
                     count += 1
@@ -220,6 +219,7 @@ def main(argv=None): # IGNORE:C0111
         parser.add_argument("--cve-remediation-list-custom-field-label", default='CVE Remediation List', help='Label of Custom Field on Black Duck that contains remeidation list file name')
         parser.add_argument("--origin-exclusion-list-custom-field-label", default='Origin Exclusion List', help='Label of Custom Field on Black Duck that containts origin exclusion list file name')
         parser.add_argument('-V', '--version', action='version', version=program_version_message)
+        parser.add_argument("--overwrite-existing", dest='overwrite_existing', action="store_true", help='By default only NEW vulnerabilities are remediated. Enabling this flag will update all vulnerabilities.')
 
         # Process arguments
         args = parser.parse_args()
@@ -233,6 +233,7 @@ def main(argv=None): # IGNORE:C0111
         #dry_run = args.dry_run
         #dry_run_output = args.dry_run_output
         dry_run = args.dry_run
+        overwrite_existing = args.overwrite_existing
         print(args.dry_run)
 
         message = f"{program_version_message}\n\n Project: {projectname}\n Version: {projectversion}\n Process origin exclusion list: {process_origin_exclulsion}\n Process CVE remediation list: {process_cve_remediation}"
@@ -276,8 +277,9 @@ def main(argv=None): # IGNORE:C0111
 
         # Retrieve the vulnerabiltites for the project version. Newer API versions only allow 1000 items at most.
         vulnerable_components = hub.get_vulnerable_bom_components(version, 1000)
-        process_vulnerabilities(hub, vulnerable_components, remediation_data, exclusion_data, dry_run)
-        
+
+        process_vulnerabilities(hub, vulnerable_components, remediation_data, exclusion_data, dry_run, overwrite_existing)
+
         return 0
     except Exception:
         ### handle keyboard interrupt ###
