Add python vapm scanner#58
Merged
- New tools/python-vapm-scanner with two self-contained assessment modes:
  - endpoint-assessment: scans the local machine (stub)
  - centralized-assessment: assesses externally-collected inventory (stub)
- Each mode has its own copysdk.py (stages SDK client binaries + license into ./sdk via the sdkroot marker, like the helloworld/python samples), plus copies of sdk_wrapper.py and platform_utils.py, and a vapm_scanner.py stub + README.
- Remove the old tools/python-scanner (replaced by this).
- tools/README.md: point at python-vapm-scanner; .gitignore: ignore staged sdk/, output, __pycache__, and *.json per assessment mode.

Verified: copysdk.py stages the SDK and vapm_scanner.py runs the stub end-to-end.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- scan-ca-endpoint.py: endpoint product-inventory scan (stub)
- scan-ca-osdetails.py: OS details scan (stub)
- scan-ca-third-party.py: third-party application vuln/patch scan (stub)
- Document the three scripts in the centralized-assessment README

All three init the SDK and run the stub workflow end-to-end.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ent product Replace the stub with a working implementation: detect patch-management products (category 12), call GetMissingPatches (method 1013) for each, print the missing patches, and write ca_missing_patches.json. Products that don't support the call are reported gracefully (e.g. rc -11/-12). Does not call the destructive InstallMissingPatches (1014). Verified on Windows: Windows Update Agent returned a missing KB; other agents reported not-supported without error. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Replace the stub with a working implementation: detect installed products (method 0) and resolve each product's precise version via GetVersion (method 100, since the DetectProducts version field is often empty); print a table and write ca_third_party.json. Verified on Windows: 80 products detected with reliable versions. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Replace the stub with an orchestrator that runs scan-ca-osdetails.py and scan-ca-third-party.py in turn (as subprocesses, since the hyphenated filenames aren't importable), then prints a per-scan summary and exits non-zero if any fail. Verified on Windows: both sub-scans run and report ok. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
On Windows, filter the category-12 patch-management products to signature 1103 (Windows Update Agent) — the other detected agents (RMM, Intune, Dell) don't support GetMissingPatches. On Linux/macOS the logic is unchanged (assess every detected product). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…a-osdetails-result.json

- GetOSInfo (method 1): OS name/version/architecture
- GetInstalledPatches (method 1023) alongside the existing GetMissingPatches (1013), per patch-management product (Windows limited to Windows Update Agent / 1103)
- Write the full result set (os_info + per-product missing/installed) to scan-ca-osdetails-result.json (replaces ca_missing_patches.json)

Verified on Windows: OS info + 1 missing + 10 installed captured.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
… CVEs Uses the Analog offline catalog (vuln_system_associations.json + cves.json), following the Windows approach in the ruby sample get_system_vuln.rb. Reads scan-ca-osdetails-result.json, builds a kb-article -> CVE map for the endpoint's os_id, then lists each missing patch with the CVEs it remediates plus a consolidated CVE list (with CWE and fixing KB). Writes map-ca-osdetails-result.json. Verified on Windows: missing KB5094126 mapped to 106 CVEs for os_id 81. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…exposure) Map installed patches to CVEs the same way as missing patches, then remove those already-covered CVEs from the missing-patch results. Output now reports raw vs installed-covered vs net distinct CVEs, giving the most accurate exposure. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…log)

- scan-ca-third-party.py: also capture product_id/vendor_id and os_type; rename output to scan-ca-third-party-result.json (consistent naming + mapping inputs)
- map_ca_third_party.py: follow get_vuln.rb — match each product against vuln_associations by product_id + signature + version range (per os_type), collect CVEs, enrich from cves.json; write map-ca-third-party-result.json

Verified on Windows: 8 of 80 products vulnerable, 61 distinct CVEs — matches the live SDK vulnerability scan (Python 3.9: 28, Grafana: 17, VS: 11, .NET 9.0: 3...).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…oduct Resolve each product's latest available version from the Analog patch catalog (patch_associations -> patch_aggregation.latest_version, a simplified get_latest_installer.rb), compare to the detected version, and flag patch_missing. Output and console now include latest_version, patch_missing, and a total count. Verified on Windows: OneDrive (26.095 -> 26.098) and VC++ Redist (14.51.36231 -> 14.51.36247) flagged missing; current products flagged up-to-date. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Runs map_ca_osdetails.py and map_ca_third_party.py, then merges their JSON output into map-ca-result.json with a unified, de-duplicated CVE count across the OS and third-party assessments. Handles a missing assessment gracefully. Verified on Windows: OS (1 missing patch / 106 CVEs) + third-party (8 vulnerable, 4 patch-missing / 61 CVEs) = 167 total distinct CVEs. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
One-command centralized assessment: runs scan-ca-endpoint.py (gather), then map-ca.py (map + combine), then derives a final consolidated ca-result.json from map-ca-result.json (endpoint summary, missing OS patches, vulnerable/outdated products, and a unified CVE list tagged by source: os / third_party). Verified on Windows: Windows 11, 1 missing OS patch, 12 vulnerable/outdated products, 167 total distinct CVEs. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
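The merge step described in the two commits above (unified, de-duplicated CVE count across the OS and third-party assessments, CVEs tagged by source, missing assessment tolerated) as an added illustration; this is example code, not the project's map-ca.py or scan-ca.py, and the input dictionaries below are a constructed, assumed shape rather than the real scan/map JSON:

```python
"""Combine an OS assessment and a third-party assessment into one
product-centric result with a de-duplicated, source-tagged CVE list.
The input shapes are assumptions for this example, not the project's schema."""
from collections import defaultdict

# Constructed sample inputs (placeholder KB and CVE ids, not real scan output).
OS_ASSESSMENT = {
    "os_name": "Windows 11",
    "missing_patches": [
        {"kb": "KB-EXAMPLE-1", "cves": ["CVE-0000-0001", "CVE-0000-0002"]},
    ],
}
THIRD_PARTY_ASSESSMENT = {
    "products": [
        {"name": "ExampleApp", "version": "1.0", "latest_version": "1.2",
         "cves": ["CVE-0000-0002", "CVE-0000-0003"]},   # shares one CVE with the OS
        {"name": "UpToDateApp", "version": "3.1", "latest_version": "3.1", "cves": []},
    ],
}


def combine(os_result, third_party_result):
    """Merge the two assessments; either may be None if that step did not run."""
    by_cve = defaultdict(set)  # CVE id -> set of sources ("os" / "third_party")
    products = []
    if os_result:
        os_cves = set()
        for patch in os_result.get("missing_patches", []):
            os_cves.update(patch["cves"])
        for cve in os_cves:
            by_cve[cve].add("os")
        products.append({"name": os_result.get("os_name", "OS"), "source": "os",
                         "missing_patches": [p["kb"] for p in os_result.get("missing_patches", [])],
                         "cves": sorted(os_cves)})
    if third_party_result:
        for prod in third_party_result.get("products", []):
            for cve in prod["cves"]:
                by_cve[cve].add("third_party")
            latest = prod.get("latest_version")
            products.append({"name": prod["name"], "source": "third_party",
                             "version": prod["version"], "latest_version": latest,
                             # outdated only when a newer catalog version is known
                             "patch_missing": latest not in (None, prod["version"]),
                             "cves": sorted(prod["cves"])})
    cves = [{"id": c, "sources": sorted(s)} for c, s in sorted(by_cve.items())]
    return {"products": products,
            "vulnerable_or_outdated": sum(1 for p in products if p["cves"] or p.get("patch_missing")),
            "total_distinct_cves": len(cves),  # each CVE counted once across both sources
            "cves": cves}
```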
…JSON The full pipeline now writes its single deliverable to results/ca-result.json and removes the intermediate scan/map *.json files, so the output is unambiguous. .gitignore: ignore the per-assessment results/ folder. Verified: pipeline leaves no loose JSON; only results/ca-result.json remains (7 intermediates cleaned up). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…rd-party)

- scan-ea-osdetails.py: live OS assessment like os_vulnerability.py — GetOSInfo, load wuov2.dat/wiv-lite.dat, GetLatestInstaller (50300) for the OS patch, and GetProductVulnerability (50505) for OS CVEs. Output matches map-ca-osdetails-result.json.
- scan-ea-third-party.py: live third-party scan like vulnerability.py — load v2mod.dat, DetectProducts, GetVersion, GetProductVulnerability per product. Output matches map-ca-third-party-result.json.
- README: document both scripts and the endpoint-vs-centralized difference.

Verified on Windows: osdetails finds the latest OS cumulative installer (0 OS CVEs from wiv-lite); third-party finds 8/80 vulnerable, 61 CVEs (matches the live scan).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- scan-ea.py: full endpoint pipeline -> results/ea-result.json. Combines the OS (signature 1103) and third-party products into a single product list; enriches third-party latest_version from the offline patch catalog; cleans up intermediates.
- scan-ea-osdetails.py / scan-ea-third-party.py: capture CPEs per CVE/product.
- map_ca_third_party.py: collect CPEs per product (from vuln_associations.cpe).
- scan-ca.py: rebuild results/ca-result.json in the SAME product-centric schema: products[] with signature_id, product_id, name, version, latest_version, cves[], cpes[].
- READMEs updated.

Verified on Windows: both files produce identical product schema (81 products). Centralized 9 vulnerable / 167 CVEs (catalog finds 106 OS CVEs); endpoint 8 / 61 (wiv-lite finds 0 OS CVEs) — same schema, expected method difference.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…an-ca.py) The original combined stubs are no longer used now that scan-ea.py and scan-ca.py are the pipeline entry points and the gather/map steps are separate scripts. Remove the README references to them. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…s root result/diff JSON scan-all-workflows.py is a local-only test harness (runs both pipelines and diffs the results); it and its scan-ea-result.json / scan-ca-result.json / scan-all-diff.json outputs are not checked in. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Top-level README: explain the purpose — endpoint (traditional, database files on the endpoint, resolves all detail locally) vs centralized (minimal endpoint scan with no database files, mapping done on a cloud/on-prem server), and that both produce the same product-centric result so DB-size cost can shift to the server.
- endpoint-assessment README: framed as the traditional database-on-endpoint workflow.
- centralized-assessment README: split the scripts into Step 1 (endpoint scan, no catalog DB) and Step 2 (server mapping, uses the catalog DB), with a data-flow diagram; scan-ca.py runs both halves locally for the demo.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>