This repository contains a Python script designed to enumerate and analyze CVSS scores from Black Duck data. The script fetches information about vulnerable components in a specified project and version from the Black Duck Server's APIs and outputs relevant details.
The script provides options to set or confirm project details and API configuration from a .env file.
- Fetch Vulnerabilities: Retrieves vulnerable components from a specified Black Duck project and version using the Black Duck Server's APIs.
- Detailed Output: Provides detailed output of vulnerabilities, including component name, version, and CVSS 2 and CVSS 3 scores.
- Export Results: Allows exporting the results to CSV or JSON format. At the end of execution the script asks whether to export the results (Yes/No) and, if so, in which format (csv/json).
- Python 3.x
- requests library
- python-dotenv library
You can install the required Python packages using pip or let the script install them for you:
pip install requests python-dotenv
Clone this repository:
git clone https://github.com/snps-steve/Enumerate-CVSS/
Navigate to the project directory:
cd enumerate-cvss
Set up your environment variables in a .env file or simply let the script prompt you for the required information.
Run the script:
python enum_cvss.py
When saved to CSV:
Component Name,Vulnerability ID,CVSS 2,CVSS 3
Apache Portable Runtime,BDSA-2021-2583,5.0,7.5
Apache Portable Runtime,BDSA-2023-0191,7.5,9.8
Apache Portable Runtime,CVE-2021-35940,3.6,7.1
Apache Portable Runtime,BDSA-2023-0190,7.5,9.8
Apache Portable Runtime,CVE-2009-2699,5.0,7.5
Apache Portable Runtime,BDSA-2023-0285,5.0,7.5
Apache Portable Runtime,CVE-2017-12618,1.9,4.7
The output can also be saved as a JSON file.
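Once the export exists, the next step is usually triage. The following is an added example (not part of the repository) that parses the CSV layout shown above, maps each finding to its CVSS v3 qualitative rating, lists the IDs at or above a threshold, and counts how many of those a filter on the CVSS 2 column alone would have dropped. The sample rows are the ones from this README; the handling of an empty score cell is an assumption about the export, not documented behaviour.

```python
import csv
import io
from collections import Counter

# Constructed sample input: the CSV export shown in this README.
SAMPLE_CSV = """Component Name,Vulnerability ID,CVSS 2,CVSS 3
Apache Portable Runtime,BDSA-2021-2583,5.0,7.5
Apache Portable Runtime,BDSA-2023-0191,7.5,9.8
Apache Portable Runtime,CVE-2021-35940,3.6,7.1
Apache Portable Runtime,BDSA-2023-0190,7.5,9.8
Apache Portable Runtime,CVE-2009-2699,5.0,7.5
Apache Portable Runtime,BDSA-2023-0285,5.0,7.5
Apache Portable Runtime,CVE-2017-12618,1.9,4.7
"""

def cvss3_severity(score):
    """Qualitative rating for a CVSS v3.x base score (FIRST v3.x scale)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

def parse_export(text):
    """Read the export; an empty score cell (assumed possible) becomes None."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"component": r["Component Name"],
                     "vuln_id": r["Vulnerability ID"],
                     "cvss2": float(r["CVSS 2"]) if r["CVSS 2"].strip() else None,
                     "cvss3": float(r["CVSS 3"]) if r["CVSS 3"].strip() else None})
    return rows

def effective_score(row):
    """Prefer CVSS 3; fall back to CVSS 2 when the v3 cell is empty."""
    return row["cvss3"] if row["cvss3"] is not None else row["cvss2"]

def summarize(rows, threshold=7.0):
    """Severity histogram, IDs at/above threshold (highest first), misses of a CVSS 2 only filter."""
    scored = [r for r in rows if effective_score(r) is not None]
    severity = Counter(cvss3_severity(effective_score(r)) for r in scored)
    actionable = sorted((r for r in scored if effective_score(r) >= threshold),
                        key=effective_score, reverse=True)
    missed = sum(1 for r in actionable if r["cvss2"] is None or r["cvss2"] < threshold)
    return {"severity": dict(severity),
            "actionable_ids": [r["vuln_id"] for r in actionable],
            "missed_by_cvss2_filter": missed}
```

On the sample rows, four of the six High/Critical findings score below 7.0 on CVSS 2, which is why the summary keys on the CVSS 3 column.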
During the first execution of the script, the user is prompted for the BASEURL, API_TOKEN, project, and project version. These values are then stored in a .env file in the project folder. If a .env file is detected, the script asks whether to use the existing BASEURL, API_TOKEN, project, and project version as defaults or to enter different information.
Example .env file:
BASEURL=https://blackduck.synopsys.com
API_TOKEN=[REDACTED]
project_name=testVMDK
version_name=1.0
This project is licensed under the MIT License.
If you would like to contribute to this project, please fork the repository and submit a pull request.
For any questions or issues, please contact Steve Smith ([email protected]).