├── README.md ├── python3 ├── README.md └── export-library-details.py ├── powershell ├── README.md └── export-library-details.ps1 └── LICENSE /README.md: -------------------------------------------------------------------------------- 1 | # CVE-2021-44228 2 | Professional Service scripts to aid in the identification of affected Java applications in TeamServer 3 | -------------------------------------------------------------------------------- /python3/README.md: -------------------------------------------------------------------------------- 1 | # CVE-2021-44228 Guidance 2 | 3 | Remediation guidance for affected applications can be found here: 4 | [0-DAY DETECTION OF LOG4J2 VULNERABILITY](https://www.contrastsecurity.com/security-influencers/0-day-detection-of-log4j2-vulnerability) 5 | 6 | ## Notes: 7 | 8 | This script only identifies log4j2 versions. If you are using an older version of log4j 9 | the recommended guidance is the same - update to 2.15.x. For details see the following Github comment: [Restrict LDAP access via JNDI 10 | ](https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126) 11 | 12 | ## CSV Output Format: 13 | 14 | [parent app name (if a child app), library name, version, class usage, users] 15 | 16 | -------------------------------------------------------------------------------- /powershell/README.md: -------------------------------------------------------------------------------- 1 | # CVE-2021-44228 Guidance 2 | 3 | Remediation guidance for affected applications can be found here: 4 | [0-DAY DETECTION OF LOG4J2 VULNERABILITY](https://www.contrastsecurity.com/security-influencers/0-day-detection-of-log4j2-vulnerability) 5 | 6 | ## Notes: 7 | 8 | This script only identifies log4j2 versions. If you are using an older version of log4j 9 | the recommended guidance is the same - update to 2.15.x. 
For details see the following Github comment: [Restrict LDAP access via JNDI 10 | ](https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126) 11 | 12 | ## CSV Output Format: 13 | 14 | [Library Name, Version, CVE-2021-44228, Vulnerabilities, Application, Class Usage, Servers, GroupName, Users] 15 | 16 | -------------------------------------------------------------------------------- /python3/export-library-details.py: -------------------------------------------------------------------------------- 1 | ###################################################################### 2 | # Copyright [2021] Contrast Security, Inc. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at: 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | # 16 | # DESCRIPTION: 17 | # 18 | # A script to aid in the identification of affected Java applications 19 | # in TeamServer impacted by CVE-2021-44228 (log4j RCE vulnerability) 20 | # 21 | # This script collects a list of apps which have references to libs with 22 | # a specified prefix in their name while going iterating through the users 23 | # and gathering applications they are authorized to access. 
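#
# The output is a file written out to $CWD/vulnerableApps.csv and contains
# tuples of:
# {(parent) app name, lib name, lib version, use count, and user id list}
#
# PREREQUISITE:
#
# Requires a TeamServer user with view access to all applications and
# a valid API key and AUTH token
#
# USAGE:
#
# The script requires the following environment variables to be set:
#
# CONTRAST__AUTHORIZATION
# CONTRAST__API_KEY
# CONTRAST__ORG
# CONTRAST__URL :example - https://app.contrastsecurity.com/
#
# Optional:
#
# CONTRAST__VERIFY_CERT :set to "false" only for a TeamServer whose TLS
#                        certificate cannot be verified; default "true"
#
# @author: ching-chiang.van@contrastsecurity.com
#
#####################################################################

# -*- coding: utf-8 -*-
import requests
import csv
import json
import io
import os
import re
import sys

CONTRAST_AUTHORIZATION = os.getenv('CONTRAST__AUTHORIZATION', '<>')
CONTRAST_API_KEY = os.getenv('CONTRAST__API_KEY', '<>')
CONTRAST_ORG = os.getenv('CONTRAST__ORG', '<>')
CONTRAST_URL = os.getenv('CONTRAST__URL', "https://app.contrastsecurity.com/")

# tolerate CONTRAST__URL given with or without its trailing slash
BASEURL = CONTRAST_URL.rstrip('/') + "/Contrast/api/ng/%s" % CONTRAST_ORG
# The API key and authorization token travel in every request header, so TLS
# certificate verification stays on unless it is explicitly switched off.
VERIFY_CERT = os.getenv('CONTRAST__VERIFY_CERT', 'true').strip().lower() not in ('0', 'false', 'no')
# requests has no default timeout; without one a stalled connection hangs the export forever
REQUEST_TIMEOUT = 60
LIBPREFIX = 'log4j'
# highest log4j 2.x version still reported as affected (inclusive); the README
# gives 2.15.x as the fixed line, so raise this tuple if guidance changes
MAX_AFFECTED_VERSION = (2, 14, 1)
headers = {"Accept": "application/json", "Content-Type": "application/json", "API-Key": CONTRAST_API_KEY,
           "Authorization": CONTRAST_AUTHORIZATION}

grpdict = {}
appdict = {}
appusersdict = {}


def _api_call(method, path, body=None):
    """Issue one TeamServer API request and return its decoded JSON body.

    Args:
        method: HTTP method, 'GET' or 'POST'.
        path: endpoint path relative to BASEURL, starting with '/'.
        body: optional dict sent as the JSON request body (POST only).

    Exits the process with status 1 on any non-2xx response, so a bad or
    expired credential is reported once up front instead of surfacing later
    as a KeyError on a field missing from an error payload. Every request
    carries the shared ``headers``, honours VERIFY_CERT and is bounded by
    REQUEST_TIMEOUT.
    """
    rc = requests.request(method, BASEURL + path, headers=headers, json=body,
                          verify=VERIFY_CERT, timeout=REQUEST_TIMEOUT)
    if not rc.ok:
        print('*** API call failed (HTTP %s on %s). Check authorization credential?'
              % (rc.status_code, path))
        sys.exit(1)
    return rc.json()


def _parse_version(version):
    """Return the leading (major, minor, patch) numbers of *version*, or None.

    Only the numeric prefix is read, so '2.14.1-rc1' parses as (2, 14, 1);
    missing components default to 0. Returns None when the string does not
    start with a number at all.
    """
    match = re.match(r'\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?', str(version))
    if match is None:
        return None
    return tuple(int(part) if part is not None else 0 for part in match.groups())


def _is_affected_version(version, max_affected=MAX_AFFECTED_VERSION):
    """Return True when a log4j *version* string should be reported.

    Rules: 1.x is out of scope (see README), 2.x up to and including
    *max_affected* is reported, anything newer is not. A version that cannot
    be parsed is reported rather than silently dropped, so an odd version
    string produces a row to look at instead of a missed application.
    """
    parsed = _parse_version(version)
    if parsed is None:
        return True
    if parsed[0] != 2:
        return False
    return parsed <= max_affected


def _library_page_path(limit, offset):
    """Path of one page of the library filter.

    Every page uses the same expand list and sort order; paging with a
    different sort per page can reorder results between requests and skip
    or duplicate libraries.
    """
    return ("/libraries/filter?expand=skip_links,apps,vulns,usage_counts"
            "&limit=%s&offset=%s&sort=score" % (limit, offset))


def _parent_app_name(appid):
    """Return the name of *appid*'s parent application, or '' when it has none."""
    adata = _api_call('GET', '/applications/%s?expand=skip_links,license' % appid)
    pappid = adata['application'].get('parentApplicationId')
    if not pappid:
        return ''
    bdata = _api_call('GET', '/applications/%s?expand=skip_links,license' % pappid)
    return bdata['application']['name']


def _record_library(alib, pName):
    """Add every application using library *alib* to ``appdict`` if it is affected.

    Keying on app id means only the first affected library (and first version)
    seen for an application is recorded; switch to a compound key of app id,
    library name and version if every combination has to be reported.
    """
    libname = alib['file_name']
    # match the library name against the whole prefix, whatever its length
    if not libname.startswith(pName):
        return
    libversion = alib['version']
    if not _is_affected_version(libversion):
        return
    libhash = alib['hash']
    liblang = alib['app_language']
    libclassesusedcount = alib['classes_used']
    for app in alib.get('apps') or []:
        appid = app['app_id']
        if appid in appdict:
            continue
        appdict[appid] = [app['name'], _parent_app_name(appid), libname, libhash,
                          libversion, liblang, libclassesusedcount]


def getLibsForOrg(pName, pIncr):
    """Collect the applications bundling an affected library named *pName*.

    Args:
        pName: library file-name prefix to search for (e.g. 'log4j').
        pIncr: page size used for the /libraries/filter endpoint.

    Returns:
        the module-level ``appdict`` (app id -> [app name, parent app name,
        lib name, lib hash, lib version, language, classes-used count]),
        which is also updated in place.
    """
    # sent as a dict so a prefix containing a quote cannot break the JSON body
    filter_body = {"quickFilter": "ALL", "q": pName}
    offset = 0
    total = None
    while total is None or offset < total:
        data = _api_call('POST', _library_page_path(pIncr, offset), filter_body)
        total = data.get('count', 0)
        for alib in data.get('libraries') or []:
            _record_library(alib, pName)
        offset += pIncr
    return appdict


# def getGroupsForOrg():
#     urlgrp = (BASEURL) + "/groups?expand=applications,skip_links&sort=name"
#     rc = requests.get(urlgrp, headers=headers)
#     data = rc.json()
#     adict = {}
#     for agrp in data['custom_groups']['groups']:
#         if ('applications' in agrp):
#             for app in agrp['applications']:
#                 appname = app['application']['name']
#                 appid = app['application']['app_id']
#                 adict = {agrp['group_id']: [agrp['name'], appid, appname]}
#                 grpdict.update(adict)
#     return grpdict

def getUsersForOrg():
    """Map every application to the user ids authorized to access it.

    Returns:
        the module-level ``appusersdict`` (app id -> list of user uids),
        which is also updated in place. Only Java applications are recorded;
        an access entry without a ``language`` field is kept.

    NOTE(review): /users is fetched in a single request with no offset; if
    the endpoint pages its results, users beyond the first page are missed —
    confirm against the API.
    """
    data = _api_call('GET', '/users?expand=skip_links&sort=name')
    for auser in data.get('users') or []:
        uid = auser['user_uid']
        adata = _api_call('GET', '/users/%s/access?expand=applications,skip_links' % uid)
        for app in adata.get('applications') or []:
            if app.get('language', 'Java') != 'Java':
                continue
            appusersdict.setdefault(app['application']['app_id'], []).append(uid)
    return appusersdict


def _check_config():
    """Abort with a clear message when a required environment variable is unset.

    Without this the placeholder '<>' is sent as the credential and the
    failure only shows up as an authorization error on the first API call.
    """
    missing = [name for name, value in (('CONTRAST__AUTHORIZATION', CONTRAST_AUTHORIZATION),
                                        ('CONTRAST__API_KEY', CONTRAST_API_KEY),
                                        ('CONTRAST__ORG', CONTRAST_ORG)) if value == '<>']
    if missing:
        print('*** Missing environment variable(s): ' + ', '.join(missing))
        sys.exit(1)


def main():
    """Run the export: affected libraries, then user access, then the CSV file."""
    _check_config()
    # getGroupsForOrg()
    getLibsForOrg(LIBPREFIX, 50)
    getUsersForOrg()

    # newline='' lets the csv module control line endings itself
    with open('vulnerableApps.csv', 'w', newline='', encoding='utf-8') as vf:
        writer = csv.writer(vf)
        for appid, llist in appdict.items():
            ulist = appusersdict.get(appid)

            # row: {app name, library name, version, use count, users}; the
            # parent app name stands in for the app name of a child application
            appname = llist[1] if llist[1] != '' else llist[0]
            row = [appname, llist[2], llist[4], str(llist[6])]
            if ulist is not None:
                # user ids stay comma-joined as before; csv.writer quotes the
                # field so they no longer spill into extra columns
                row.append(','.join(ulist))
            writer.writerow(row)


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Apache License
2 | Version 2.0, January 2004
3 | http://www.apache.org/licenses/
4 |
5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6 |
7 | 1. Definitions.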
8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. 
For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /powershell/export-library-details.ps1: -------------------------------------------------------------------------------- 1 | ###################################################################### 2 | # Copyright [2021] Contrast Security, Inc. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at: 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
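#
# DESCRIPTION:
#
# A script to aid in the identification of affected Java applications
# in TeamServer impacted by CVE-2021-44228 (log4j RCE vulnerability)
#
# PREREQUISITE:
#
# Requires a TeamServer user with view access to all applications and
# a valid API key and AUTH token
#
# @author prashant.mishra@contrastsecurity.com
#
#####################################################################

# ===================================================================
# Variables. Edit for your Connection Details as per TS.
# ===================================================================

<#

.SYNOPSIS
This script exports library details from Contrast Team Server

.DESCRIPTION
This script exports library details from Contrast Team Server. It expects a user with view access to the applications and writes a CSV file of the matching libraries to the reports directory next to the script. Connectivity values can be passed as parameters or through the environment variables of the same name.

.PARAMETER CONTRAST_API_URL
Contrast API URL up to api/ng, e.g. https://app.contrastsecurity.com/Contrast/api/ng (environment variable CONTRAST_API_URL)

.PARAMETER CONTRAST_AUTH_TOKEN
Contrast user authentication token (environment variable CONTRAST_AUTH_TOKEN)

.PARAMETER CONTRAST_API_KEY
Contrast API key (environment variable CONTRAST_API_KEY)

.PARAMETER CONTRAST_ORG_ID
Contrast organization ID (environment variable CONTRAST_ORG_ID)

.PARAMETER LIBRARY_NAME
Library name, or part of the name, to search for; when omitted every library is exported

.EXAMPLE
./export-library-details.ps1

.EXAMPLE
./export-library-details.ps1 -LIBRARY_NAME log4j

#>

Param
(
    $CONTRAST_API_URL = $ENV:CONTRAST_API_URL,
    $CONTRAST_AUTH_TOKEN = $env:CONTRAST_AUTH_TOKEN,
    $CONTRAST_API_KEY = $env:CONTRAST_API_KEY,
    $CONTRAST_ORG_ID = $env:CONTRAST_ORG_ID,
    $LIBRARY_NAME = $null
)

# Writes a timestamped line to $FILE (replacing it when $APPEND is "Create",
# appending otherwise) and echoes it to the console. The log is plain text
# next to the script, so callers must never put a token or key in $MESSAGE.
function Add-Log( $MESSAGE, $FILE, $APPEND ) {
    $TIMESTAMP = "[{0:MM/dd/yy} {0:HH:mm:ss}]" -f (Get-Date)
    $LINE = "$TIMESTAMP $MESSAGE"
    if ( $APPEND -eq "Create" ) {
        $LINE | Out-File $FILE
    } else {
        $LINE | Out-File $FILE -Append
    }
    Write-Host $LINE
}

# Creates $DIR (and parents) when missing; New-Item's output is discarded so
# the DirectoryInfo object does not leak into the caller's pipeline.
function New-Dir-If-Not-Exist ( $DIR ) {
    if ( !(Test-Path -Path $DIR) ) {
        New-Item -ItemType Directory -Force -Path $DIR | Out-Null
    }
}

# Returns today's date as yyyyMMdd. Month and day are zero-padded so report
# file names sort correctly and stay unambiguous (2021111 could be Jan 11 or Nov 1).
function Get-Current-Time( ) {
    return (Get-Date).ToString("yyyyMMdd")
}


# Returns every library in the organization matching $LIB_NAME, $LIMIT per
# request starting at $INDEX. Pages are fetched in a loop rather than by
# recursion, so a large organization no longer grows the call stack by one
# frame per page; a page whose response reports success=false is logged and
# the libraries collected so far are returned.
function Get-LibraryForOrg($CONTRAST_API_URL, $CONTRAST_ORG_ID, $CONTRAST_AUTH_TOKEN, $CONTRAST_API_KEY, $INDEX, $LIMIT, $LIB_NAME) {
    $LIBS = @()
    $REQUEST_BODY = @{
        quickFilter = "ALL"
        q = "$LIB_NAME"
    } | ConvertTo-Json
    $HEADERS = @{ "Authorization" = "$CONTRAST_AUTH_TOKEN"; "API-Key" = "$CONTRAST_API_KEY" }
    $OFFSET = $INDEX
    do {
        $URL = "$CONTRAST_API_URL/$CONTRAST_ORG_ID/libraries/filter?offset=$OFFSET&limit=$LIMIT&sort=score&expand=skip_links,apps,server,vulns,manifest,status,usage_counts"
        $RESPONSE_LIB_LIST = Invoke-RestMethod $URL -Method POST -ContentType "application/json" -Headers $HEADERS -Body $REQUEST_BODY
        if ( -not $RESPONSE_LIB_LIST.success ) {
            Add-Log " Organization libs details could not be fetched at offset $OFFSET; keeping the $($LIBS.Count) collected so far." $LOG_FILE
            break
        }
        Add-Log " Organization libs details fetched successfully from $OFFSET (page size $LIMIT)." $LOG_FILE
        if ( $null -ne $RESPONSE_LIB_LIST.libraries ) {
            $LIBS += $RESPONSE_LIB_LIST.libraries
        }
        $OFFSET += $LIMIT
    } while ( $OFFSET -lt $RESPONSE_LIB_LIST.count )
    return $LIBS
}


# Returns every custom group of the organization (with users and applications
# expanded), paged the same way as Get-LibraryForOrg.
function Get-Groups-For-Org($CONTRAST_API_URL, $CONTRAST_ORG_ID, $CONTRAST_AUTH_TOKEN, $CONTRAST_API_KEY, $INDEX, $LIMIT) {
    $GROUPS = @()
    $HEADERS = @{ "Authorization" = "$CONTRAST_AUTH_TOKEN"; "API-Key" = "$CONTRAST_API_KEY" }
    $OFFSET = $INDEX
    do {
        $URL = "$CONTRAST_API_URL/$CONTRAST_ORG_ID/groups?expand=users,applications,skip_links&sort=name&offset=$OFFSET&limit=$LIMIT"
        $RESPONSE_GROUP_LIST = Invoke-RestMethod $URL -Method GET -ContentType "application/json" -Headers $HEADERS
        if ( -not $RESPONSE_GROUP_LIST.success ) {
            Add-Log " Organization groups details could not be fetched at offset $OFFSET; keeping the $($GROUPS.Count) collected so far." $LOG_FILE
            break
        }
        Add-Log " Organization groups details fetched successfully from $OFFSET (page size $LIMIT)." $LOG_FILE
        if ( $null -ne $RESPONSE_GROUP_LIST.custom_groups.groups ) {
            $GROUPS += $RESPONSE_GROUP_LIST.custom_groups.groups
        }
        $OFFSET += $LIMIT
    } while ( $OFFSET -lt $RESPONSE_GROUP_LIST.custom_groups.count )
    return $GROUPS
}

# Builds application name -> @{ group name -> array of user uids } from the
# groups returned by Get-Groups-For-Org. A group with no users still gets an
# entry (with an empty user list) on every application it grants access to,
# also when the application was already seen through another group.
function Get-AppGroupUserMap($CONTRAST_API_URL, $CONTRAST_ORG_ID, $CONTRAST_AUTH_TOKEN, $CONTRAST_API_KEY, $GROUPS) {
    $APP_GROUP_USER_MAP = @{}
    $HEADERS = @{ "Authorization" = "$CONTRAST_AUTH_TOKEN"; "API-Key" = "$CONTRAST_API_KEY" }
    foreach ( $GROUP in $GROUPS ) {
        $GROUP_NAME = $GROUP.name
        $USERS = $null
        if ( $GROUP.total_users -ne 0 ) {
            $GROUP_ID = $GROUP.group_id
            $RESPONSE_USER_LIST = Invoke-RestMethod "$CONTRAST_API_URL/$CONTRAST_ORG_ID/groups/$GROUP_ID/users" -Method GET -ContentType "application/json" -Headers $HEADERS
            if ( $RESPONSE_USER_LIST.success ) {
                Add-Log "Groups $GROUP_NAME users details fetched successfully." $LOG_FILE
                $USERS = @($RESPONSE_USER_LIST.group.users | Select-Object -ExpandProperty uid)
            } else {
                Add-Log "Groups $GROUP_NAME users details could not be fetched." $LOG_FILE
            }
        }
        # -contains is an exact property-name test; -match was a regex on the name list
        if ( $GROUP.PSObject.Properties.Name -contains "applications" ) {
            foreach ( $APP in $GROUP.applications ) {
                $APP_NAME = $APP.application.name
                if ( -not $APP_GROUP_USER_MAP.ContainsKey($APP_NAME) ) {
                    $APP_GROUP_USER_MAP[$APP_NAME] = @{}
                }
                if ( -not $APP_GROUP_USER_MAP[$APP_NAME].ContainsKey($GROUP_NAME) ) {
                    $APP_GROUP_USER_MAP[$APP_NAME][$GROUP_NAME] = @()
                }
                if ( $null -ne $USERS ) {
                    $APP_GROUP_USER_MAP[$APP_NAME][$GROUP_NAME] += $USERS
                }
            }
        }
    }

    return $APP_GROUP_USER_MAP
}

# Returns the server names a library is deployed on. Not called by the export
# below (the servers column carries a UI link instead); kept for reference.
function Get-LibAppsServers($CONTRAST_API_URL, $CONTRAST_ORG_ID, $CONTRAST_AUTH_TOKEN, $CONTRAST_API_KEY, $LIB) {
    $LIB_SERVERS = @()
    $LIB_HASH = $LIB.hash
    $LANGUAGE = "$($LIB.app_language)".ToLower()
    $LIB_NAME = $LIB.file_name
    $URL = "$CONTRAST_API_URL/$CONTRAST_ORG_ID/libraries/$LANGUAGE/$LIB_HASH`?expand=apps,skip_links"
    $RESPONSE_LIB_DETAILS = Invoke-RestMethod $URL -Method GET -ContentType "application/json" -Headers @{ "Authorization" = "$CONTRAST_AUTH_TOKEN"; "API-Key" = "$CONTRAST_API_KEY" }

    if ( $RESPONSE_LIB_DETAILS.success ) {
        Add-Log "LIB details $LIB_NAME fetched successfully." $LOG_FILE
        $LIB_SERVERS = @($RESPONSE_LIB_DETAILS.library.servers | Select-Object -ExpandProperty name)
    }
    return $LIB_SERVERS
}

# NOTE(review): -SkipHeaderValidation exists on PowerShell 6 and later only;
# presumably it is needed so the raw token values are accepted as header
# values — confirm the minimum supported PowerShell version before removing it.
$PSDefaultParameterValues['Invoke-RestMethod:SkipHeaderValidation'] = $true


$COMMAND_NAME = $MyInvocation.MyCommand.Name
$scriptPath = Split-Path -Parent $MyInvocation.MyCommand.Definition
$LOG_DIR = "$scriptPath/logs"
$REPORT_DIR = "$scriptPath/reports"
New-Dir-If-Not-Exist $LOG_DIR
New-Dir-If-Not-Exist $REPORT_DIR
if ( $null -eq $CONTRAST_API_URL -or $null -eq $CONTRAST_AUTH_TOKEN -or $null -eq $CONTRAST_API_KEY -or $null -eq $CONTRAST_ORG_ID ) {
    Write-Output "You must have forgotten to set the following environment variables or update the script with default values"
    Write-Output " - `$ENV:CONTRAST_API_URL=`"Default Contrast API URL is https://app.contrastsecurity.com/Contrast/api/ng`""
    Write-Output " - `$ENV:CONTRAST_AUTH_TOKEN=`"Contrast user authentication token`""
    Write-Output " - `$ENV:CONTRAST_API_KEY=`"Contrast API Key`""
    Write-Output " - `$ENV:CONTRAST_ORG_ID=`"Contrast Organization ID`""
    # non-zero so a scheduled run reports the misconfiguration as a failure
    exit 1
}

$LOG_FILE = "$LOG_DIR/$COMMAND_NAME.log"
$CURRENT_TIME = Get-Current-Time
$REPORT_FILE = "$REPORT_DIR/library_details_$CURRENT_TIME.csv"

# only the command name is logged; the credential parameters must stay out of the log
Add-Log "Running $COMMAND_NAME" $LOG_FILE "Create"

Add-Log "Fetching library list from Contrast Team Server matching $LIBRARY_NAME..." $LOG_FILE

Add-Log " Fetching application access groups from Contrast Team Server..." $LOG_FILE
$GROUPS = Get-Groups-For-Org $CONTRAST_API_URL $CONTRAST_ORG_ID $CONTRAST_AUTH_TOKEN $CONTRAST_API_KEY 0 25

$APP_GROUP_USER_MAP = Get-AppGroupUserMap $CONTRAST_API_URL $CONTRAST_ORG_ID $CONTRAST_AUTH_TOKEN $CONTRAST_API_KEY $GROUPS

$LIBS = Get-LibraryForOrg $CONTRAST_API_URL $CONTRAST_ORG_ID $CONTRAST_AUTH_TOKEN $CONTRAST_API_KEY 0 25 $LIBRARY_NAME

# the UI base URL is the API URL without its /api/ng suffix; computed once, not per library
$BASE_URL = $CONTRAST_API_URL -replace "/api/ng"
$ROWS = @()
foreach ( $LIB in $LIBS ) {
    $LIB_NAME = $LIB.file_name
    $VERSION = $LIB.version
    # -join works on Windows PowerShell 5.1 too, unlike Join-String
    $VULNS = @($LIB.vulns | Select-Object -ExpandProperty name) -join "; "
    $CVE_2021_44228 = if ( $VULNS -match "CVE-2021-44228" ) { "Yes" } else { "No" }
    $CLASS_COUNT = $LIB.class_count
    # $SERVERS = Get-LibAppsServers $CONTRAST_API_URL $CONTRAST_ORG_ID $CONTRAST_AUTH_TOKEN $CONTRAST_API_KEY $LIB
    # $SERVER_NAMES = $SERVERS -join ";"
    foreach ( $APP in $LIB.apps ) {
        $APP_NAME = $APP.name
        $APP_ID = $APP.app_id
        $CLASS_USED = $LIB.library_class_usage_counts | Where-Object -FilterScript { $_.appId -eq $APP_ID } | Select-Object -ExpandProperty usageCount
        $SERVER_LINK = "$BASE_URL/static/ng/index.html#/$CONTRAST_ORG_ID/servers?applications=$APP_ID"
        $GROUP = $APP_GROUP_USER_MAP[$APP_NAME]
        $GROUP_NAMES = ""
        $USERS = ""
        if ( $null -ne $GROUP ) {
            $GROUP_NAMES = @($GROUP.Keys) -join "; "
            # each value is an array of uids; ForEach-Object flattens them before the join
            $USERS = @($GROUP.Values | ForEach-Object { $_ }) -join "; "
        }
        $ROWS += [PSCustomObject]@{
            "Library Name"   = $LIB_NAME
            "Version"        = $VERSION
            "CVE-2021-44228" = $CVE_2021_44228
            "Vulnerabilities" = $VULNS
            "Application"    = $APP_NAME
            "Class Usage"    = "$CLASS_USED/$CLASS_COUNT"
            "Servers"        = $SERVER_LINK
            "GroupName"      = $GROUP_NAMES
            "Users"          = $USERS
        }
    }
}
# Export-Csv quotes every field, so application or vulnerability names that
# contain commas no longer shift the column layout; with no rows only the
# header line is written, as before.
if ( $ROWS.Count -gt 0 ) {
    $ROWS | Export-Csv -Path $REPORT_FILE -NoTypeInformation
} else {
    '"Library Name","Version","CVE-2021-44228","Vulnerabilities","Application","Class Usage","Servers","GroupName","Users"' | Out-File $REPORT_FILE
}
Write-Output "Library details exported in $REPORT_FILE"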