Releases: zynovexllc/vrp-ir
Release list
v0.9.0
0.9.0 (2026-06-25)
Features
v0.8.0
v0.7.0
0.7.0 (2026-06-25)
Features
- audit: add NA and unchecked statuses (#57) (c103cb0)
- audit: flag missing NTP servers (#58) (414740b)
- audit: flag weak SNMP communities (#56) (ef7bad8)
- parser: parse info-center loghost (#55) (59a1cdf)
- parser: surface unparsed config lines (#54) (ff0df69)
Bug Fixes
Documentation
- add config de-identification workflow (#59) (48cb72a)
- add social-preview (OG) card + reproducible generator (#42) (1e784aa)
- add terminal demo GIF to README (parse provenance + line-cited audit) (#36) (356185d)
- document release and PyPI process (#60) (9adb311)
- open-source hygiene (CHANGELOG, SECURITY, CoC, issue/PR templates, README badges) (#31) (2460e55)
- refine commercial positioning (trivy-style open-core CTA + comparison page) (#35) (54e843e)
- vrp-ir is live on PyPI (pip install vrp-ir + PyPI badges) (#34) (4174aee)
v0.6.0 — management-plane access baseline
v0.6.0 — management-plane access baseline
This release was driven by a real-world config corpus: we ran vrp-ir over a
set of public Huawei lab/tutorial configs, measured which constructs it did not
yet recognise, and the data ranked management-plane access control as the top
gap. v0.6 closes it. Every parsed value still carries a SourceRef to its exact
file:line.
New parsing (with SourceRef)
user-interfacecon/vty blocks —protocol inbound(ssh/telnet/all),
acl <id> inbound,authentication-mode,user privilege levelssh server cipheralgorithm listaaalocal-users —local-user <name> service-type ...
Audit: 9 → 13 checks
- FW-MGMT-VTY-TELNET — a VTY line accepts Telnet (
protocol inbound telnet|all). - FW-MGMT-VTY-NO-ACL — a VTY line allows remote login but has no inbound source ACL.
- FW-SSH-WEAK-CIPHER — SSH server offers weak ciphers (CBC-mode / 3DES / DES).
- FW-AAA-LOCAL-USER-TELNET — a local AAA user is granted the Telnet service type.
These join the v0.5 set (default-deny, permit-scope with address-set dereference,
rule-logging, zone-iface-unique, address-set-any, HRP consistency, cleartext
Telnet/HTTP management). Every finding cites the exact config line; --strict
exits non-zero for CI gating.
Quality
- Zero runtime dependencies in the core.
- 147 stdlib
unittestcases; CI green (tests + regression + CodeQL).
vrp-ir is the open core of AegisTwin (Huawei security-integration acceptance workbench).
v0.5.0 — object-aware parsing + management-plane audit
v0.5.0 — object-aware parsing + management-plane audit
Builds on v0.4.0 (source-traceable IR + security acceptance audit). Every parsed
value still carries a SourceRef back to its exact file:line.
New parsing (with SourceRef)
nat-policyrules (zones / addresses / service / action)ip address-setandip service-setnamed objects (members, type, raw expressions)- Management-plane switches:
telnet server enable/http server enable(and theirundoforms)
Audit: 5 → 9 checks
- FW-PERMIT-SCOPE now dereferences
address-setreferences — a permit rule
whose only narrowing is an address-set that resolves to0.0.0.0/0is still flagged
(a permit-any hidden behind a named object). - FW-ADDRESS-SET-ANY — an
address-setmember equal to0.0.0.0/0(any). - FW-HRP-INCOMPLETE — HRP enabled but heartbeat interface / remote peer missing
(an HA pair that will not sync). - FW-MGMT-TELNET / FW-MGMT-HTTP — cleartext management protocols enabled.
Every finding cites the exact config line as evidence; --strict exits non-zero for CI gating.
Quality
- Zero runtime dependencies in the core.
- 80 stdlib
unittestcases; CI green (tests + regression + CodeQL).
vrp-ir is the open core of AegisTwin (Huawei security-integration acceptance workbench).
v0.4.0 — Huawei config parsing + security acceptance audit
Source-traceable IR for Huawei VRP/USG configs, plus vrp-ir audit — a bilingual (zh/en) security acceptance report where every finding cites the exact config line.
Highlights (v0.1 → v0.4)
- Routing/switching: VLANs (batch ranges), VRF (RD/RT), interfaces (link-type, trunk allow-pass, Eth-Trunk, dot1q sub-if, secondary IPv4, VRF binding), ACLs, static routes — all with field-level
SourceRefprovenance. - USG firewall:
firewall zone,security-policy(rule namewith zones / addresses / services / profiles / action / logging),nat server,hrp. - Security acceptance audit (
vrp-ir audit): permit-any (policy default action + rule scope), session logging, one-interface-per-zone, HRP — each finding line-cited. Markdown (zh/en) or JSON;--strictfor CI gating. - Zero runtime dependencies · 41 tests · CI on Python 3.9 & 3.12 · Apache-2.0.
The gap it fills
Batfish marks Huawei VRP as unsupported; ntc-templates only parses show-command output; ciscoconfparse exposes a line number but not field-level provenance. No open-source tool gives Huawei config → field-level file:line provenance + acceptance verdicts.
vrp-ir is the open core of AegisTwin (Huawei security-integration acceptance). Commercial / support: see the README.