
Add python vapm scanner #58

Merged
cseileropswat merged 19 commits into main from add-python-vapm-scanner on Jun 17, 2026

Conversation

@cseileropswat (Contributor)
No description provided.

cseileropswat and others added 19 commits June 16, 2026 17:04
- New tools/python-vapm-scanner with two self-contained assessment modes:
  - endpoint-assessment: scans the local machine (stub)
  - centralized-assessment: assesses externally-collected inventory (stub)
- Each mode has its own copysdk.py (stages SDK client binaries + license into ./sdk
  via the sdkroot marker, like the helloworld/python samples), plus copies of
  sdk_wrapper.py and platform_utils.py, and a vapm_scanner.py stub + README.
- Remove the old tools/python-scanner (replaced by this).
- tools/README.md: point at python-vapm-scanner; .gitignore: ignore staged sdk/,
  output, __pycache__, and *.json per assessment mode.

Verified: copysdk.py stages the SDK and vapm_scanner.py runs the stub end-to-end.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- scan-ca-endpoint.py: endpoint product-inventory scan (stub)
- scan-ca-osdetails.py: OS details scan (stub)
- scan-ca-third-party.py: third-party application vuln/patch scan (stub)
- Document the three scripts in the centralized-assessment README

All three init the SDK and run the stub workflow end-to-end.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ent product

Replace the stub with a working implementation: detect patch-management products
(category 12), call GetMissingPatches (method 1013) for each, print the missing
patches, and write ca_missing_patches.json. Products that don't support the call
are reported gracefully (e.g. rc -11/-12). Does not call the destructive
InstallMissingPatches (1014).

Verified on Windows: Windows Update Agent returned a missing KB; other agents
reported not-supported without error.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Replace the stub with a working implementation: detect installed products
(method 0) and resolve each product's precise version via GetVersion (method 100,
since the DetectProducts version field is often empty); print a table and write
ca_third_party.json.

Verified on Windows: 80 products detected with reliable versions.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Replace the stub with an orchestrator that runs scan-ca-osdetails.py and
scan-ca-third-party.py in turn (as subprocesses, since the hyphenated filenames
aren't importable), then prints a per-scan summary and exits non-zero if any fail.

Verified on Windows: both sub-scans run and report ok.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
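The orchestration pattern the commit above describes (sub-scans run as subprocesses, a per-scan summary, non-zero exit if any fail), as an added example that is not the PR's scan-ca-endpoint.py. It assumes only that each sub-scan is a stand-alone Python script that signals failure through a non-zero exit status; the two scripts written by demo_scripts() are constructed stand-ins, not the PR's scan-ca-osdetails.py or scan-ca-third-party.py.

```python
"""Run the per-area scan scripts as subprocesses and fail if any of them fail.

Added example of the orchestration pattern described in the commit above; it
is not the PR's scan-ca-endpoint.py. It assumes only that each sub-scan is a
stand-alone Python script that reports failure through a non-zero exit status.
The two scripts written by demo_scripts() are constructed stand-ins.
"""
import subprocess
import sys
import tempfile
from pathlib import Path


def run_scan(script: Path, timeout: int = 600) -> dict:
    """Run one scan script with the current interpreter and report its outcome.

    sys.executable keeps the child on the same Python (and venv) as the parent;
    capture_output keeps the child's stderr for the summary instead of
    interleaving it with the orchestrator's own output.
    """
    try:
        proc = subprocess.run(
            [sys.executable, str(script)],
            capture_output=True, text=True, timeout=timeout, check=False,
        )
    except subprocess.TimeoutExpired:
        return {"script": script.name, "ok": False, "rc": None, "error": "timeout"}
    return {
        "script": script.name,
        "ok": proc.returncode == 0,
        "rc": proc.returncode,
        "error": proc.stderr.strip()[-200:],
    }


def run_all(scripts) -> tuple:
    """Run every script in order; return (per-script results, overall exit code)."""
    results = [run_scan(Path(s)) for s in scripts]
    for r in results:
        status = "ok" if r["ok"] else f"FAILED rc={r['rc']} {r['error']}"
        print(f"{r['script']:<28} {status}")
    return results, 0 if all(r["ok"] for r in results) else 1


def demo_scripts(directory: Path) -> list:
    """Write two constructed stand-in sub-scans: one succeeds, one exits 3."""
    ok = directory / "scan-ca-osdetails.py"
    ok.write_text("print('os details ok')\n")
    bad = directory / "scan-ca-third-party.py"
    bad.write_text("import sys\nprint('catalog not found', file=sys.stderr)\nsys.exit(3)\n")
    return [ok, bad]


def demo() -> tuple:
    """Run the stand-in scans from a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        return run_all(demo_scripts(Path(d)))


if __name__ == "__main__":
    sys.exit(demo()[1])
```

Running the block prints one line per sub-scan and exits 1 because the second stand-in fails; a timeout is reported like any other failure rather than hanging the pipeline.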
On Windows, filter the category-12 patch-management products to signature 1103
(Windows Update Agent) — the other detected agents (RMM, Intune, Dell) don't
support GetMissingPatches. On Linux/macOS the logic is unchanged (assess every
detected product).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…a-osdetails-result.json

- GetOSInfo (method 1): OS name/version/architecture
- GetInstalledPatches (method 1023) alongside the existing GetMissingPatches (1013),
  per patch-management product (Windows limited to Windows Update Agent / 1103)
- Write the full result set (os_info + per-product missing/installed) to
  scan-ca-osdetails-result.json (replaces ca_missing_patches.json)

Verified on Windows: OS info + 1 missing + 10 installed captured.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
… CVEs

Uses the Analog offline catalog (vuln_system_associations.json + cves.json),
following the Windows approach in the ruby sample get_system_vuln.rb. Reads
scan-ca-osdetails-result.json, builds a kb-article -> CVE map for the endpoint's
os_id, then lists each missing patch with the CVEs it remediates plus a
consolidated CVE list (with CWE and fixing KB). Writes map-ca-osdetails-result.json.

Verified on Windows: missing KB5094126 mapped to 106 CVEs for os_id 81.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…exposure)

Map installed patches to CVEs the same way as missing patches, then remove those
already-covered CVEs from the missing-patch results. Output now reports raw vs
installed-covered vs net distinct CVEs, giving the most accurate exposure.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…log)

- scan-ca-third-party.py: also capture product_id/vendor_id and os_type; rename
  output to scan-ca-third-party-result.json (consistent naming + mapping inputs)
- map_ca_third_party.py: follow get_vuln.rb — match each product against
  vuln_associations by product_id + signature + version range (per os_type),
  collect CVEs, enrich from cves.json; write map-ca-third-party-result.json

Verified on Windows: 8 of 80 products vulnerable, 61 distinct CVEs — matches the
live SDK vulnerability scan (Python 3.9: 28, Grafana: 17, VS: 11, .NET 9.0: 3...).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…oduct

Resolve each product's latest available version from the Analog patch catalog
(patch_associations -> patch_aggregation.latest_version, a simplified
get_latest_installer.rb), compare to the detected version, and flag patch_missing.
Output and console now include latest_version, patch_missing, and a total count.

Verified on Windows: OneDrive (26.095 -> 26.098) and VC++ Redist (14.51.36231 ->
14.51.36247) flagged missing; current products flagged up-to-date.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
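The two commits above describe matching each detected product against the offline catalog by product_id + signature + version range (per os_type) and then comparing the detected version against the catalog's latest_version to flag patch_missing. The following is an added example of both steps; it is not the PR's map_ca_third_party.py. The record layouts of vuln_associations, cves.json and patch_aggregation used here are assumptions, since the real Analog catalog files are not shown on the page, and all sample records are constructed.

```python
"""Match detected products against an offline catalog by product_id +
signature + version range, and flag products behind the catalog's latest
version.

Added example for the matching and latest_version / patch_missing commits
above; it is not the PR's code. The layouts of VULN_ASSOCIATIONS, CVES and
PATCH_AGGREGATION are assumptions; the real Analog catalog is not on the page.
"""
import re

# Constructed stand-in for vuln_associations: product_id + signature + os_type,
# a [min_version, max_version) range, and the CVEs that apply inside it.
VULN_ASSOCIATIONS = [
    {"product_id": 101, "signature": 2001, "os_type": "windows",
     "min_version": "3.9.0", "max_version": "3.9.20", "cves": ["CVE-2023-0001", "CVE-2023-0002"]},
    {"product_id": 101, "signature": 2001, "os_type": "windows",
     "min_version": "3.9.0", "max_version": "3.9.7", "cves": ["CVE-2022-0009"]},
    {"product_id": 202, "signature": 2002, "os_type": "windows",
     "min_version": "26.000", "max_version": "26.098", "cves": ["CVE-2024-0100"]},
    {"product_id": 202, "signature": 2002, "os_type": "mac",
     "min_version": "0", "max_version": "99", "cves": ["CVE-2024-0200"]},  # other OS: must not match
]
CVES = {  # constructed stand-in for cves.json
    "CVE-2023-0001": {"cwe": "CWE-787", "severity": "high"},
    "CVE-2023-0002": {"cwe": "CWE-20", "severity": "medium"},
    "CVE-2022-0009": {"cwe": "CWE-400", "severity": "medium"},
    "CVE-2024-0100": {"cwe": "CWE-269", "severity": "high"},
}
PATCH_AGGREGATION = {101: {"latest_version": "3.9.21"}, 202: {"latest_version": "26.098"}}
PRODUCTS = [  # constructed detected inventory (result-file shape assumed)
    {"name": "Python 3.9", "product_id": 101, "signature_id": 2001, "os_type": "windows", "version": "3.9.10"},
    {"name": "OneDrive", "product_id": 202, "signature_id": 2002, "os_type": "windows", "version": "26.095"},
    {"name": "OneDrive", "product_id": 202, "signature_id": 2002, "os_type": "windows", "version": "26.098"},
]


def version_key(version: str) -> list:
    """'14.51.36231' -> [14, 51, 36231]; a non-numeric piece counts as 0."""
    out = []
    for piece in re.split(r"[.\-]", version.strip()):
        m = re.match(r"\d+", piece)
        out.append(int(m.group()) if m else 0)
    return out


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1; shorter versions are zero-padded so '14.51' == '14.51.0'."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += [0] * (n - len(ka))
    kb += [0] * (n - len(kb))
    return (ka > kb) - (ka < kb)


def in_range(version: str, assoc: dict) -> bool:
    """Lower bound inclusive; upper bound exclusive unless max_inclusive is set."""
    lo, hi = assoc.get("min_version"), assoc.get("max_version")
    if lo and compare_versions(version, lo) < 0:
        return False
    if hi:
        c = compare_versions(version, hi)
        if c > 0 or (c == 0 and not assoc.get("max_inclusive", False)):
            return False
    return True


def match_cves(product: dict) -> list:
    """CVEs from every association whose ids, os_type and version range match."""
    hits = [a for a in VULN_ASSOCIATIONS
            if a["product_id"] == product["product_id"]
            and a["signature"] == product["signature_id"]
            and a["os_type"] == product["os_type"]
            and in_range(product["version"], a)]
    ids = sorted({cve for a in hits for cve in a["cves"]})
    return [{"cve": cve, **CVES.get(cve, {})} for cve in ids]


def assess(products: list) -> list:
    """Per product: matched CVEs, catalog latest_version and patch_missing flag."""
    results = []
    for p in products:
        latest = PATCH_AGGREGATION.get(p["product_id"], {}).get("latest_version")
        missing = latest is not None and compare_versions(p["version"], latest) < 0
        results.append({**p, "latest_version": latest, "patch_missing": missing,
                        "cves": match_cves(p)})
    return results


if __name__ == "__main__":
    for r in assess(PRODUCTS):
        print(f"{r['name']:<12} {r['version']:<10} latest={r['latest_version']:<10} "
              f"patch_missing={r['patch_missing']!s:<5} cves={[c['cve'] for c in r['cves']]}")
```

The third product shows why the upper bound's inclusivity matters: at exactly 26.098 it is outside the vulnerable range and up to date, while 26.095 both matches the range and is flagged patch_missing. Version comparison is numeric per segment rather than lexical, which is what makes 14.51.36231 sort before 14.51.36247.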
Runs map_ca_osdetails.py and map_ca_third_party.py, then merges their JSON output
into map-ca-result.json with a unified, de-duplicated CVE count across the OS and
third-party assessments. Handles a missing assessment gracefully.

Verified on Windows: OS (1 missing patch / 106 CVEs) + third-party (8 vulnerable,
4 patch-missing / 61 CVEs) = 167 total distinct CVEs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
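The "net exposure" commit (map installed patches to CVEs and subtract those from the missing-patch CVEs) and the merge commit above (de-duplicated CVE count across the OS and third-party assessments, tolerating a missing one) are both set operations over the kb-article -> CVE map. The block below is an added example of both; it is not the PR's map_ca_osdetails.py or map-ca.py. The row layout of vuln_system_associations.json, the cves.json entries and the scan result shapes are assumptions, and every record is constructed.

```python
"""Net OS exposure from missing vs installed patches, then a de-duplicated
merge with the third-party assessment.

Added example for the net-exposure and map-ca.py merge commits above; it is
not the PR's code. The row layout of SYSTEM_ASSOCIATIONS, the CVES entries
and the result shapes are assumptions; the real Analog catalog is not on the page.
"""
from collections import defaultdict

# Constructed stand-in for vuln_system_associations.json: one row per (os_id, KB).
SYSTEM_ASSOCIATIONS = [
    {"os_id": 81, "kb": "KB5000001", "cves": ["CVE-2025-1001", "CVE-2025-1002", "CVE-2025-1003"]},
    {"os_id": 81, "kb": "KB5000002", "cves": ["CVE-2025-1002", "CVE-2025-1004"]},
    {"os_id": 81, "kb": "KB5000003", "cves": ["CVE-2025-1005"]},
    {"os_id": 99, "kb": "KB5000001", "cves": ["CVE-2025-9999"]},  # another OS: must be ignored
]
CVES = {  # constructed stand-in for cves.json (CWE + fixing KB)
    "CVE-2025-1001": {"cwe": "CWE-787", "fixing_kb": "KB5000001"},
    "CVE-2025-1002": {"cwe": "CWE-416", "fixing_kb": "KB5000002"},
    "CVE-2025-1003": {"cwe": "CWE-20", "fixing_kb": "KB5000001"},
    "CVE-2025-2001": {"cwe": "CWE-79", "fixing_kb": None},
}
# Constructed OS scan result: KB5000002 is installed and also fixes
# CVE-2025-1002, so that CVE must not be counted against the missing KB.
OS_SCAN = {"os_id": 81, "missing_patches": ["KB5000001"], "installed_patches": ["KB5000002"]}
# Constructed third-party mapping output; CVE-2025-1003 overlaps the OS result.
THIRD_PARTY = {"cves": ["CVE-2025-1003", "CVE-2025-2001"]}


def kb_to_cve_map(associations: list, os_id: int) -> dict:
    """KB article -> set of CVEs, restricted to the endpoint's os_id."""
    kb_map = defaultdict(set)
    for row in associations:
        if row["os_id"] == os_id:
            kb_map[row["kb"]].update(row["cves"])
    return kb_map


def cves_for(kbs: list, kb_map: dict) -> set:
    """Union of the CVEs of the given KBs (empty set for unknown KBs or no KBs)."""
    return set().union(*(kb_map.get(kb, set()) for kb in kbs))


def os_exposure(scan: dict, associations: list) -> dict:
    """raw = CVEs of missing KBs; covered = those also fixed by an installed KB."""
    kb_map = kb_to_cve_map(associations, scan["os_id"])
    raw = cves_for(scan["missing_patches"], kb_map)
    covered = cves_for(scan["installed_patches"], kb_map) & raw
    net = raw - covered
    return {
        "os_id": scan["os_id"],
        "missing_patches": [{"kb": kb, "cves": sorted(kb_map.get(kb, set()) - covered)}
                            for kb in scan["missing_patches"]],
        "raw_cves": len(raw), "installed_covered_cves": len(covered), "net_cves": len(net),
        "cves": sorted(net),
    }


def merge(os_result, third_party_result, cves_db: dict) -> dict:
    """Unified CVE list tagged by source; either assessment may be absent (None)."""
    sources = defaultdict(set)
    for tag, result in (("os", os_result), ("third_party", third_party_result)):
        for cve in (result or {}).get("cves", []):
            sources[cve].add(tag)
    unified = [{"cve": cve, "sources": sorted(tags), **cves_db.get(cve, {})}
               for cve, tags in sorted(sources.items())]
    return {"total_distinct_cves": len(unified), "cves": unified}


def demo() -> dict:
    """Full chain on the constructed inputs: OS net exposure merged with third-party."""
    return merge(os_exposure(OS_SCAN, SYSTEM_ASSOCIATIONS), THIRD_PARTY, CVES)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

With these inputs the OS side reports 3 raw, 1 installed-covered and 2 net CVEs; the merge then yields 3 distinct CVEs, with CVE-2025-1003 tagged by both sources rather than counted twice, and passing None for an assessment simply drops its contribution.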
One-command centralized assessment: runs scan-ca-endpoint.py (gather), then
map-ca.py (map + combine), then derives a final consolidated ca-result.json from
map-ca-result.json (endpoint summary, missing OS patches, vulnerable/outdated
products, and a unified CVE list tagged by source: os / third_party).

Verified on Windows: Windows 11, 1 missing OS patch, 12 vulnerable/outdated
products, 167 total distinct CVEs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…JSON

The full pipeline now writes its single deliverable to results/ca-result.json and
removes the intermediate scan/map *.json files, so the output is unambiguous.
.gitignore: ignore the per-assessment results/ folder.

Verified: pipeline leaves no loose JSON; only results/ca-result.json remains
(7 intermediates cleaned up).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…rd-party)

- scan-ea-osdetails.py: live OS assessment like os_vulnerability.py — GetOSInfo,
  load wuov2.dat/wiv-lite.dat, GetLatestInstaller (50300) for the OS patch, and
  GetProductVulnerability (50505) for OS CVEs. Output matches map-ca-osdetails-result.json.
- scan-ea-third-party.py: live third-party scan like vulnerability.py — load
  v2mod.dat, DetectProducts, GetVersion, GetProductVulnerability per product.
  Output matches map-ca-third-party-result.json.
- README: document both scripts and the endpoint-vs-centralized difference.

Verified on Windows: osdetails finds the latest OS cumulative installer (0 OS CVEs
from wiv-lite); third-party finds 8/80 vulnerable, 61 CVEs (matches the live scan).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- scan-ea.py: full endpoint pipeline -> results/ea-result.json. Combines the OS
  (signature 1103) and third-party products into a single product list; enriches
  third-party latest_version from the offline patch catalog; cleans up intermediates.
- scan-ea-osdetails.py / scan-ea-third-party.py: capture CPEs per CVE/product.
- map_ca_third_party.py: collect CPEs per product (from vuln_associations.cpe).
- scan-ca.py: rebuild results/ca-result.json in the SAME product-centric schema:
  products[] with signature_id, product_id, name, version, latest_version, cves[], cpes[].
- READMEs updated.

Verified on Windows: both files produce identical product schema (81 products).
Centralized 9 vulnerable / 167 CVEs (catalog finds 106 OS CVEs); endpoint 8 / 61
(wiv-lite finds 0 OS CVEs) — same schema, expected method difference.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…an-ca.py)

The original combined stubs are no longer used now that scan-ea.py and scan-ca.py
are the pipeline entry points and the gather/map steps are separate scripts.
Remove the README references to them.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…s root result/diff JSON

scan-all-workflows.py is a local-only test harness (runs both pipelines and diffs
the results); it and its scan-ea-result.json / scan-ca-result.json / scan-all-diff.json
outputs are not checked in.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Top-level README: explain the purpose — endpoint (traditional, database files on
  the endpoint, resolves all detail locally) vs centralized (minimal endpoint scan
  with no database files, mapping done on a cloud/on-prem server), and that both
  produce the same product-centric result so DB-size cost can shift to the server.
- endpoint-assessment README: framed as the traditional database-on-endpoint workflow.
- centralized-assessment README: split the scripts into Step 1 (endpoint scan, no
  catalog DB) and Step 2 (server mapping, uses the catalog DB), with a data-flow
  diagram; scan-ca.py runs both halves locally for the demo.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
cseileropswat merged commit 6f5e039 into main on Jun 17, 2026