#### GitHub GraphQL API
Credit: https://gist.github.com/gbaman/b3137e18c739e0cf98539bf4ec4366ad

In [107]:
import requests
import json
import time
from dateutil.parser import parse
import pandas as pd

headers = {"Authorization": "bearer 84e5886b54c8d2f6040bd90227494ee619cc5b88"}  # Your token here

In [17]:
def run_query(query): # A simple function to use requests.post to make the API call. Note the json=section.
    request = requests.post('https://api.github.com/graphql', json={'query': query}, headers=headers)
    if request.status_code == 200:
        return request.json()
    else:
        raise Exception("Query failed to run by returning code of {}. {}".format(request.status_code, query))

In [18]:
# The GraphQL query (with a few aditional bits included) itself defined as a multi-line string.       
query = """
{
  viewer {
    login
  }
  rateLimit {
    limit
    cost
    remaining
    resetAt
  }
}
"""

result = run_query(query) # Execute the query
remaining_rate_limit = result["data"]["rateLimit"]["remaining"] # Drill down the dictionary
print("Remaining rate limit - {}".format(remaining_rate_limit))

Remaining rate limit - 4993


For each vulnerability: Description, severity, CVE, published date, affected libraries, affected versions

In [46]:
def gen_query(last_cursor=None):
    insertion = f"after:\"{last_cursor}\"" if last_cursor else ""
    return """
    {
      securityVulnerabilities(ecosystem: MAVEN, orderBy: {field: UPDATED_AT, direction: ASC}, first: 100
    """ + insertion + """
      ) {
        totalCount
        edges {
          node {
            advisory {
              identifiers {
                type
                value
              }
              description
              severity
              summary
              publishedAt
            }
            firstPatchedVersion {
              identifier
            }
            package {
              name
            }
            severity
            updatedAt
            vulnerableVersionRange
          }
          cursor
        }
      }
    }
    """

In [47]:
gen_query()

'\n    {\n      securityVulnerabilities(ecosystem: MAVEN, orderBy: {field: UPDATED_AT, direction: ASC}, first: 100\n    \n      ) {\n        totalCount\n        edges {\n          node {\n            advisory {\n              identifiers {\n                type\n                value\n              }\n              description\n              severity\n              summary\n              publishedAt\n            }\n            firstPatchedVersion {\n              identifier\n            }\n            package {\n              name\n            }\n            severity\n            updatedAt\n            vulnerableVersionRange\n          }\n          cursor\n        }\n      }\n    }\n    '

In [55]:
result_raw = run_query(gen_query())
result = result_raw['data']['securityVulnerabilities']['edges']

{'data': {'securityVulnerabilities': {'totalCount': 974,
   'edges': [{'node': {'advisory': {'identifiers': [{'type': 'GHSA',
         'value': 'GHSA-89gc-6cw6-4vch'},
        {'type': 'CVE', 'value': 'CVE-2016-9177'}],
       'description': 'Directory traversal vulnerability in Spark 2.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI.',
       'severity': 'MODERATE',
       'summary': 'Moderate severity vulnerability that affects com.sparkjava:spark-core',
       'publishedAt': '2018-10-04T19:53:35Z'},
      'firstPatchedVersion': {'identifier': '2.5.2'},
      'package': {'name': 'com.sparkjava:spark-core'},
      'severity': 'MODERATE',
      'updatedAt': '2018-10-04T19:53:22Z',
      'vulnerableVersionRange': '< 2.5.2'},
     'cursor': 'Y3Vyc29yOnYyOpK5MjAxOC0xMC0wNVQwMzo1MzoyMiswODowMM0EWw=='},
    {'node': {'advisory': {'identifiers': [{'type': 'GHSA',
         'value': 'GHSA-2m8h-fgr8-2q9w'},
        {'type': 'CVE', 'value': 'CVE-2016-9878'}],
    

In [62]:
last_cursor = result['data']['securityVulnerabilities']['edges'][-1]['cursor']
gen_query(last_cursor)

'\n    {\n      securityVulnerabilities(ecosystem: MAVEN, orderBy: {field: UPDATED_AT, direction: ASC}, first: 100\n    after:"Y3Vyc29yOnYyOpK5MjAxOC0xMC0xOFQwMDoyNDowOCswODowMM0FJA=="\n      ) {\n        totalCount\n        edges {\n          node {\n            advisory {\n              identifiers {\n                type\n                value\n              }\n              description\n              severity\n              summary\n              publishedAt\n            }\n            firstPatchedVersion {\n              identifier\n            }\n            package {\n              name\n            }\n            severity\n            updatedAt\n            vulnerableVersionRange\n          }\n          cursor\n        }\n      }\n    }\n    '

In [69]:
res_all = []
query = gen_query()
while True:
    res_raw = run_query(query)
    res_curr = res_raw['data']['securityVulnerabilities']['edges']
    if len (res_curr) is 0:
        break
    res_all += res_curr
    last_cursor = res_curr[-1]['cursor']
    print(last_cursor)
    query = gen_query(last_cursor)
    time.sleep(5)

Y3Vyc29yOnYyOpK5MjAxOC0xMC0xOFQwMDoyNDowOCswODowMM0FJA==
Y3Vyc29yOnYyOpK5MjAxOC0xMC0xOFQwNDoyOToyOCswODowMM0FiQ==
Y3Vyc29yOnYyOpK5MjAxOC0xMC0yMFQwMDo0MjozNSswODowMM0F7g==
Y3Vyc29yOnYyOpK5MjAxOC0xMi0yMlQwMTo0NzoxOSswODowMM0Gsg==
Y3Vyc29yOnYyOpK5MjAxOS0wMy0xNFQyMzozNzo1NCswODowMM0IHA==
Y3Vyc29yOnYyOpK5MjAxOS0wNS0zMFQxMTozMDowOCswODowMM0I8A==
Y3Vyc29yOnYyOpK5MjAxOS0xMi0yN1QwMjoyMjowNCswODowMM0LZw==
Y3Vyc29yOnYyOpK5MjAyMC0wNC0xNlQwNDo1NjoxOSswODowMM0Mxg==
Y3Vyc29yOnYyOpK5MjAyMC0wNy0wOFQwMDo0NToxMCswODowMM0N4g==
Y3Vyc29yOnYyOpK5MjAyMS0wMS0yMVQwNToxODoxNCswODowMM0WMg==


In [94]:
len(res_all)

974

In [116]:
df = pd.DataFrame(columns=['CVE', 'package', 'severity', 'summary', 'description', 'publishedAt', 'vulnerableVersionRange', 'firstPatchedVersion'])

for index, vulnerability in enumerate(res_all):
    try:
        node = vulnerability['node']
        CVE = node['advisory']['identifiers'][-1]['value']
        package = node['package']['name']
        severity = node['severity']
        summary = node['advisory']['summary']
        description = node['advisory']['description']
#         publishedAt = parse(node['advisory']['publishedAt'])  # Oops, timezone not supported
        publishedAt = node['advisory']['publishedAt']
        vulnerableVersionRange = node['vulnerableVersionRange']
        firstPatchedVersion = node['firstPatchedVersion']['identifier'] if node['firstPatchedVersion'] else None
    except Exception as e:
        raise Exception(f"{e}:{node}")
    df.loc[index] = [CVE, package, severity, summary, description, publishedAt, vulnerableVersionRange, firstPatchedVersion]

In [117]:
df

Unnamed: 0,CVE,package,severity,summary,description,publishedAt,vulnerableVersionRange,firstPatchedVersion
0,CVE-2016-9177,com.sparkjava:spark-core,MODERATE,Moderate severity vulnerability that affects c...,Directory traversal vulnerability in Spark 2.5...,2018-10-04T19:53:35Z,< 2.5.2,2.5.2
1,CVE-2016-9878,org.springframework:spring-core,MODERATE,Moderate severity vulnerability that affects o...,An issue was discovered in Pivotal Spring Fram...,2018-10-04T20:29:55Z,< 3.2.18,3.2.18
2,CVE-2016-9878,org.springframework:spring-core,MODERATE,Moderate severity vulnerability that affects o...,An issue was discovered in Pivotal Spring Fram...,2018-10-04T20:29:55Z,">= 4.2.0, < 4.2.9",4.2.9
3,CVE-2016-9878,org.springframework:spring-core,MODERATE,Moderate severity vulnerability that affects o...,An issue was discovered in Pivotal Spring Fram...,2018-10-04T20:29:55Z,">= 4.3.0, < 4.3.5",4.3.5
4,CVE-2017-3159,org.apache.camel:camel-snakeyaml,HIGH,High severity vulnerability that affects org.a...,Apache Camel's camel-snakeyaml component is vu...,2018-10-16T17:21:42Z,< 2.17.5,2.17.5
...,...,...,...,...,...,...,...,...
969,CVE-2021-21234,eu.hinsch:spring-boot-actuator-logview,HIGH,Directory Traversal in spring-boot-actuator-lo...,### Impact\nThe nature of this library is to e...,2021-01-05T17:29:40Z,< 0.2.13,0.2.13
970,CVE-2020-17519,org.apache.flink:flink-runtime_2.11,MODERATE,Path Traversal in Apache Flink,A change introduced in Apache Flink 1.11.0 (an...,2021-01-06T20:01:34Z,< 1.11.3,1.11.3
971,CVE-2020-17519,org.apache.flink:flink-runtime_2.12,MODERATE,Path Traversal in Apache Flink,A change introduced in Apache Flink 1.11.0 (an...,2021-01-06T20:01:34Z,< 1.11.3,1.11.3
972,CVE-2019-17359,org.bouncycastle:bcprov-jdk14,MODERATE,Out-of-Memory Error in Bouncy Castle Crypto,The ASN.1 parser in Bouncy Castle Crypto (aka ...,2019-10-17T18:15:16Z,= 1.63,1.64


In [118]:
df.to_excel('data/vulnerabilities_github.xlsx')