This application exposes several endpoints to retrieve and manage vulnerabilities from NIST's National Vulnerability Database (NVD) API.
For more information: https://nvd.nist.gov/developers/vulnerabilities
The database is MongoDB; it can run on a local machine or in any of several cloud services.
The application is written in Python using the FastAPI framework, and it can also be deployed in a Docker container.
Python 3: the language the app is written in.
MongoDB: the database chosen as the data platform; tested locally, containerized and in the cloud.
And all the pip libraries listed in the requirements.txt file:
pymongo
fastapi
requests
uvicorn
For Docker execution, only Docker Engine (and optionally the Docker Compose plugin) is needed; the remaining components are added automatically.
Run the following command to clone the repository:
git clone https://github.com/Qubo-FNSD/Mapl-App-NVDs.git
Navigate to the app directory, then create and activate a virtual environment:
cd Mapl-App-NVDs
python3 -m venv venv
source venv/bin/activate
Install all the libraries from requirements.txt with pip:
pip install -r requirements.txt
Then enable and start MongoDB. On Linux with systemd:
sudo systemctl enable --now mongod
# Or on Mac
brew services start mongodb-community
Finally, start the application:
python3 main.py
To run with Docker instead, install Docker Desktop. For Mac:
[https://docs.docker.com/desktop/install/mac-install/](https://docs.docker.com/desktop/install/mac-install/)
For Windows:
[https://docs.docker.com/desktop/install/windows-install/](https://docs.docker.com/desktop/install/windows-install/)
For Ubuntu:
[https://docs.docker.com/desktop/install/ubuntu/](https://docs.docker.com/desktop/install/ubuntu/)
and follow the instructions. Docker must be running before the scripts are started.
From the Mapl-App-NVDs folder, run the Docker build and Compose command:
docker-compose up -d
When the containers need to be stopped, use:
docker-compose down
Alternatively, without Compose, build the API image, create the bridge network and start the two containers by hand (the volume mount path for the API container depends on its Dockerfile; /data/db is MongoDB's data directory):
docker build -t mapl-api .
docker network create -d bridge mapl-net
docker run -d --network mapl-net -p 8000:8000 -v mapl-vol --name mapl-api --label mapl mapl-api
docker run -d --network mapl-net -p 27017:27017 -v mapl-vol:/data/db --name mongodb --label mapl mongo:latest
1.- Endpoint that returns the vulnerabilities matching the keyword, saves their degree of severity and stores them with an open status.
Endpoint: http://localhost:8000/getVulns
Parameters:
- myapikey
- keyword
- resultsperpage
2.- Endpoint that receives the IDs of fixed vulnerabilities. If a vulnerability is open, its status is updated to fixed.
Endpoint: http://localhost:8000/postFixedVulns
Parameters:
- In the body, as raw JSON, with the following schema:
{ "IDS": [ {"ID": "CVE-2020-13254"}, {"ID": "CVE-2020-13596"} ] }
3.- Endpoint that returns a list of the vulnerabilities pending correction (any status other than fixed).
Endpoint: http://localhost:8000/getOpenVulns
Parameters:
- Without parameters.
4.- Endpoint that returns the total number of open vulnerabilities per degree of severity.
Endpoint: http://localhost:8000/getTotalVulnsBySeverity
Parameters:
- Without parameters.
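The four endpoints above share one small piece of logic: pull CVEs from the NVD 2.0 API, record each one's CVSS base severity with an open status, move only open entries to fixed, and count what is still open. The following is an added example (not the project's own main.py) that models that logic against an in-memory dictionary in place of the Mongo collection; the NVD response shape and the `apiKey` request header follow the NVD 2.0 API documentation, and the sample response and the CVE-0000-00000 id are constructed placeholders.

```python
from collections import Counter

NVD_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"


def nvd_request(api_key, keyword, results_per_page):
    """Query string and headers for the NVD 2.0 call behind getVulns.
    The key travels in the apiKey header, never in the URL, so it does
    not end up in proxy or access logs."""
    return {"url": NVD_URL,
            "params": {"keywordSearch": keyword, "resultsPerPage": int(results_per_page)},
            "headers": {"apiKey": api_key}}


def severity_of(cve):
    """CVSS base severity of one NVD 2.0 CVE record, preferring v3.x over v2."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30"):
        if metrics.get(key):
            return metrics[key][0]["cvssData"]["baseSeverity"]
    if metrics.get("cvssMetricV2"):          # v2 keeps baseSeverity one level up
        return metrics["cvssMetricV2"][0]["baseSeverity"]
    return "UNKNOWN"                         # no CVSS data yet (e.g. freshly published)


class VulnStore:
    """Stand-in for the Mongo collection: cve id -> {severity, status}."""

    def __init__(self):
        self.docs = {}

    def ingest(self, nvd_response):           # getVulns
        for item in nvd_response["vulnerabilities"]:
            cve = item["cve"]
            # setdefault keeps an existing 'fixed' record from being reopened on re-fetch
            self.docs.setdefault(cve["id"], {"severity": severity_of(cve), "status": "open"})
        return len(self.docs)

    def mark_fixed(self, body):               # postFixedVulns
        updated, skipped = [], []
        for entry in body["IDS"]:
            doc = self.docs.get(entry["ID"])
            if doc and doc["status"] == "open":
                doc["status"] = "fixed"
                updated.append(entry["ID"])
            else:                             # unknown id or already fixed: report, don't fail
                skipped.append(entry["ID"])
        return {"updated": updated, "skipped": skipped}

    def open_vulns(self):                     # getOpenVulns
        return [cid for cid, d in self.docs.items() if d["status"] != "fixed"]

    def totals_by_severity(self):             # getTotalVulnsBySeverity
        return dict(Counter(d["severity"] for d in self.docs.values() if d["status"] == "open"))


SAMPLE_NVD = {"vulnerabilities": [           # constructed, shaped like an NVD 2.0 response
    {"cve": {"id": "CVE-2020-13254", "metrics": {"cvssMetricV31": [{"cvssData": {"baseSeverity": "HIGH"}}]}}},
    {"cve": {"id": "CVE-2020-13596", "metrics": {"cvssMetricV2": [{"baseSeverity": "MEDIUM"}]}}},
    {"cve": {"id": "CVE-0000-00000", "metrics": {}}},     # placeholder id, no CVSS yet
]}
```

Submitting the same id twice, or an id that was never ingested, lands in `skipped`, which is the check a real postFixedVulns handler needs before writing to Mongo.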
- Add more endpoints to manage the API.
- Test the API with Pytest.
- QA testing.
- And more...
https://join.slack.com/t/mapl-alp-2022/shared_invite/zt-1exbwmwps-zE7NC~bKRPWOozkr20RH4g
On discord: Luck547#7467