diff --git a/README.md b/README.md
index 1a1c0fc..58c6671 100644
--- a/README.md
+++ b/README.md
@@ -58,52 +58,39 @@ For more information about how v2.0.0 differs from v1.0.10, see the CVEScan provides a number of options. See `cvescan -h` for more details. ``` -$> cvescan -h +usage: cvescan [-h] [--version] [-v] [-p {critical,high,medium,all}] + [--db UBUNTU_DB_FILE] [-m MANIFEST_FILE] [--csv] [--json] + [--syslog HOST:PORT] [--syslog-light HOST:PORT] [--show-links] + [--unresolved] [-x] [-n] [-c CVE-IDENTIFIER] [-s] -usage: cvescan [-h] [-c CVE-IDENTIFIER] [-p {critical,high,medium,all}] [-s] - [-u UCT_FILE] [-m MANIFEST_FILE] [-n] [--show-links] - [--unresolved] [-v] [-x] - -Scan an Ubuntu system for known vulnerabilities. +Scan an Ubuntu system for known vulnerabilities optional arguments: -h, --help show this help message and exit + --version Show CVEScan's version number and exit + -v, --verbose enable verbose messages -p {critical,high,medium,all}, --priority {critical,high,medium,all} - 'critical' = show only critical CVEs. - 'high' = show critical and high CVEs (default) - 'medium' = show critical and high and medium CVEs - 'all' = show all CVES (no filtering based on priority) - -s, --silent Enable script/Silent mode: To be used with '-c '. - Do not print text output; exit 0 if not vulnerable, exit 1 if vulnerable. - --db UBUNTU_DB_FILE Specify an Ubuntu vulnerability datbase file to use instead of downloading the - latest from people.canonical.com. + filter output by CVE priority + --db UBUNTU_DB_FILE Specify an Ubuntu vulnerability datbase file to use instead + of downloading the latest from people.canonical.com. -m MANIFEST_FILE, --manifest MANIFEST_FILE - Enable manifest mode. Do not scan the localhost. Instead, run a scan against the - specified package manifest file. - Note: Package manifest files can be generated by running - `dpkg-query -W > manifest.txt` on the host you wish to scan. - --csv Format output as CSV. 
+ scan a package manifest file instead of the local system + --csv format output as CSV + --json format output as JSON + --syslog HOST:PORT send JSON formatted output to a syslog server specified by + : + --syslog-light HOST:PORT + send a simple log message to a syslog server specified by + : + --show-links include links to the Ubuntu CVE Tracker in the output + --unresolved include CVEs that have not yet been resolved in the output + -x, --experimental for users of Ubuntu Advantage, include eXperimental (also + called "alpha") in the output + -n, --nagios format output for use with Nagios NRPE -c CVE-IDENTIFIER, --cve CVE-IDENTIFIER - Report if this system is vulnerable to a specific CVE. - --json Format output as JSON. - -n, --nagios Enable Nagios mode for use with NRPE. - Typical nagios-style "OK|WARNING|CRITICAL|UNKNOWN" messages - and exit codes of 0, 1, 2, or 3. - 0/OK = not vulnerable to any known and patchable CVEs of the - specified priority or higher. - 1/WARNING = vulnerable to at least one known CVE of the specified - priority or higher for which there is no available update. - 2/CRITICAL = vulnerable to at least one known and patchable CVE of - the specified priority or higher. - 3/UNKNOWN = something went wrong with the script, or oscap. - --show-links Provide links to the Ubuntu CVE Tracker for each CVE. - --unresolved Show CVEs that have not yet been resolved. - -v, --verbose Enable verbose messages. - --version Show CVEScan's version number and exit - -x, --experimental Enable eXperimental mode. Use experimental (also called "alpha") data - from the Ubuntu CVE tracker. The alpha UCT files include information about - package updates available for users of Ubuntu Advantage running systems - with ESM Apps and ESM Infra enabled. + report whether or not this system is vulnerable to a + specific CVE. + -s, --silent do not print any output (only used with --cve) ``` ### Return Codes 
diff --git a/cvescan/__main__.py b/cvescan/__main__.py index fbcb566..80b24d4 100755 --- a/cvescan/__main__.py +++ b/cvescan/__main__.py @@ -67,8 +67,15 @@ def error_exit(msg, code=const.ERROR_RETURN_CODE): def parse_args(): - cvescan_ap = ap.ArgumentParser( - description=const.CVESCAN_DESCRIPTION, formatter_class=ap.RawTextHelpFormatter + cvescan_ap = ap.ArgumentParser(description=const.CVESCAN_DESCRIPTION) + cvescan_ap.add_argument( + "--version", + action="version", + version="CVEScan, v" + get_version(), + help=const.VERSION_HELP, + ) + cvescan_ap.add_argument( + "-v", "--verbose", action="store_true", default=False, help=const.VERBOSE_HELP ) cvescan_ap.add_argument( "-p", @@ -77,21 +84,12 @@ def parse_args(): choices=[const.CRITICAL, const.HIGH, const.MEDIUM, const.ALL], default=None, ) - cvescan_ap.add_argument( - "-s", "--silent", action="store_true", default=False, help=const.SILENT_HELP - ) cvescan_ap.add_argument("--db", metavar="UBUNTU_DB_FILE", help=const.DB_FILE_HELP) cvescan_ap.add_argument( "-m", "--manifest", metavar="MANIFEST_FILE", help=const.MANIFEST_HELP ) cvescan_ap.add_argument("--csv", action="store_true", help=const.CSV_HELP) - cvescan_ap.add_argument( - "-c", "--cve", metavar="CVE-IDENTIFIER", help=const.CVE_HELP - ) cvescan_ap.add_argument("--json", action="store_true", help=const.JSON_HELP) - cvescan_ap.add_argument( - "-n", "--nagios", action="store_true", default=False, help=const.NAGIOS_HELP - ) cvescan_ap.add_argument("--syslog", metavar="HOST:PORT", help=const.SYSLOG_HELP) cvescan_ap.add_argument( "--syslog-light", metavar="HOST:PORT", help=const.SYSLOG_LIGHT_HELP 
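Review bot: The re-added `-v/--verbose` line in the first `parse_args` hunk carries `default=False` on an `action="store_true"` argument, which is already that action's default; `--csv` and `--json` a few lines below omit it, so the parser definition is inconsistent with itself — `"-v", "--verbose", action="store_true", help=const.VERBOSE_HELP` is enough. The same redundancy is re-introduced for `-n` and `-s` in the last hunk of this file (and pre-exists on `--unresolved` and `-x` in the context lines). Dropping `formatter_class=ap.RawTextHelpFormatter` is the right companion to the single-line help strings in constants.py, since argparse's default formatter reflows help text and collapses embedded newlines; any future multi-line help will need the raw formatter back. The body of `parse_args` continues past this hunk.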
@@ -102,15 +100,6 @@ def parse_args(): cvescan_ap.add_argument( "--unresolved", action="store_true", default=False, help=const.UNRESOLVED_HELP ) - cvescan_ap.add_argument( - "-v", "--verbose", action="store_true", default=False, help=const.VERBOSE_HELP - ) - cvescan_ap.add_argument( - "--version", - action="version", - version="CVEScan, v" + get_version(), - help=const.VERSION_HELP, - ) cvescan_ap.add_argument( "-x", "--experimental", @@ -118,6 +107,15 @@ def parse_args(): default=False, help=const.EXPERIMENTAL_HELP, ) + cvescan_ap.add_argument( + "-n", "--nagios", action="store_true", default=False, help=const.NAGIOS_HELP + ) + cvescan_ap.add_argument( + "-c", "--cve", metavar="CVE-IDENTIFIER", help=const.CVE_HELP + ) + cvescan_ap.add_argument( + "-s", "--silent", action="store_true", default=False, help=const.SILENT_HELP + ) return cvescan_ap.parse_args() diff --git a/cvescan/constants.py b/cvescan/constants.py index b625c9d..d637186 100644 --- a/cvescan/constants.py +++ b/cvescan/constants.py 
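Review bot: `-s/--silent` is documented as `only used with --cve` (SILENT_HELP), but nothing in `parse_args` enforces that, so `cvescan -s` without `-c` is accepted and the flag is presumably ignored; unless a later check handles it, replacing the final line with `args = cvescan_ap.parse_args()` / `if args.silent and not args.cve: cvescan_ap.error("--silent requires --cve")` / `return args` turns the misuse into an explicit usage error. The old SILENT_HELP and NAGIOS_HELP also spelled out the exit codes (0/1 for silent, 0–3 for Nagios) that callers script against; that text no longer reaches `--help`, which is fine only if the README "Return Codes" section still carries it. The `-n` and `-s` entries added here also repeat the redundant `default=False` on `action="store_true"`.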
@@ -1,74 +1,45 @@ -CVESCAN_DESCRIPTION = "Scan an Ubuntu system for known vulnerabilities." +CVESCAN_DESCRIPTION = "Scan an Ubuntu system for known vulnerabilities" -CVE_HELP = "Report if this system is vulnerable to a specific CVE." +VERSION_HELP = "Show CVEScan's version number and exit" -PRIORITY_HELP = ( - "'critical' = show only critical CVEs.\n'high' = show " - "critical and high CVEs (default)\n'medium' = show critical and " - "high and medium CVEs\n'all' = show all CVES (no filtering " - "based on priority)" -) +VERBOSE_HELP = "enable verbose messages" -SILENT_HELP = ( - "Enable script/Silent mode: To be used with " - "'-c '.\nDo not print text output; exit 0 if not " - "vulnerable, exit 1 if vulnerable." -) -MANIFEST_HELP = ( - "Enable manifest mode. Do not scan the localhost. Instead, run a scan against the\n" - "specified package manifest file.\n" - "Note: Package manifest files can be generated by running \n" - " `dpkg-query -W > manifest.txt` on the host you wish to scan." -) - -FILE_HELP = ( - "Used with '-m' option to override the default behavior. Specify\n " - "a manifest file to scan instead of downloading an OCI manifest.\n " - "The file needs to be readable under snap confinement.\n User's home " - "will likely work, /tmp will likely not work." -) +PRIORITY_HELP = "filter output by CVE priority" DB_FILE_HELP = ( - "Specify an Ubuntu vulnerability datbase file to use instead of downloading the \n" - "latest from people.canonical.com." + "Specify an Ubuntu vulnerability datbase file to use instead of downloading the" + " latest from people.canonical.com." 
) -NAGIOS_HELP = ( - "Enable Nagios mode for use with NRPE.\nTypical nagios-style " - '"OK|WARNING|CRITICAL|UNKNOWN" messages\n and exit codes of 0, 1, ' - "2, or 3.\n0/OK = not vulnerable to any known and patchable CVEs of " - "the\n specified priority or higher.\n1/WARNING = vulnerable to at " - "least one known CVE of the specified\n priority or higher for which " - "there is no available update.\n2/CRITICAL = vulnerable to at least " - "one known and patchable CVE of\n the specified priority or higher.\n" - "3/UNKNOWN = something went wrong with the script, or oscap." -) +MANIFEST_HELP = "scan a package manifest file instead of the local system" -SYSLOG_HELP = "Send JSON formatted output to a syslog server specified by HOST:PORT." -SYSLOG_LIGHT_HELP = ( - "Send a short log message stating how many vulnerabilities are fixable to a \n" - "syslog server specified by HOST:PORT." -) +CSV_HELP = "format output as CSV" + +JSON_HELP = "format output as JSON" -UCT_LINKS_HELP = "Provide links to the Ubuntu CVE Tracker for each CVE." -UNRESOLVED_HELP = "Show CVEs that have not yet been resolved." +SYSLOG_HELP = "send JSON formatted output to a syslog server specified by :" -VERBOSE_HELP = "Enable verbose messages." +SYSLOG_LIGHT_HELP = ( + "send a simple log message to a syslog server specified by :" +) -VERSION_HELP = "Show CVEScan's version number and exit." +UCT_LINKS_HELP = "include links to the Ubuntu CVE Tracker in the output" + +UNRESOLVED_HELP = "include CVEs that have not yet been resolved in the output" EXPERIMENTAL_HELP = ( - 'Enable eXperimental mode. Use experimental (also called "alpha") data \n' - "from the Ubuntu CVE tracker. The alpha UCT files include information about\n" - "package updates available for users of Ubuntu Advantage running systems \n" - "with ESM Apps and ESM Infra enabled." + 'for users of Ubuntu Advantage, include eXperimental (also called "alpha")' + " in the output" ) -JSON_HELP = "Format output as JSON." 
+NAGIOS_HELP = "format output for use with Nagios NRPE" + +CVE_HELP = "report whether or not this system is vulnerable to a specific CVE." + +SILENT_HELP = "do not print any output (only used with --cve)" -CSV_HELP = "Format output as CSV." DEBUG_LOG = "debug.log" LSB_RELEASE_FILE = "/etc/lsb-release"
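Review bot: `SYSLOG_HELP` and `SYSLOG_LIGHT_HELP` now end in `specified by :` with no host/port placeholder, so `--help` would print a dangling colon; if the file really contains only `:` (rather than angle-bracketed placeholders lost in rendering), the strings should read `... specified by HOST:PORT` to match the metavar used in `__main__.py`. The pre-existing typo `datbase` in `DB_FILE_HELP` survives the rewrite and this is the natural moment to fix it. `PRIORITY_HELP` is reduced to `filter output by CVE priority`, losing the old text's statement that each level includes the higher ones and that `high` is the default; something like `show CVEs of this priority or higher (default: high)` keeps that, assuming the default is still applied elsewhere since `-p` has `default=None`. `CVE_HELP` is the only new string keeping a trailing period — drop it for consistency with the rest. The README usage block in this same commit mirrors these strings, so any wording fix here needs to be regenerated there too.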