Cisco PSIRT tool in bash
A bash script to query Cisco PSIRT OpenVuln API.
The code was updated to use the new Cisco API. The changes are already in the new release on GitHub.
Cisco provides an API to openVuln:
The Cisco Product Security Incident Response Team (PSIRT) openVuln API is a RESTful API that allows technical staff and programmers to build tools that help them do their job more effectively (in this case, to keep up with security vulnerability information).
My first instinct was to use Python to query the API and create some reports but today I tried a different approach using bash.
The script sends a request to the PSIRT API to get all the open CVEs for a specific platform and version. The current API supports:
- ios
- iosxe
- nxos
- aci
The script accepts two arguments, platform and version:
opencheck.sh <platform> <version>
To access the API we must provide valid credentials (get yours here).
The script gets the credentials via env vars:
export CISCO_API_KEY=<myCiscoApiKey>
export CISCO_CLIENT_SECRET=<myCiscoClientSecret>
or from a file named credentials.env in the same path.
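The argument check and credential lookup described above, as an added example that is not the code from the GitHub repository: it validates the platform against the list in the post and reads credentials.env as data rather than executing it. The function names, the permission warning and the constructed sample file are assumptions of this example.

```bash
# Added example, not the code from the GitHub repository.
# Function names and the sample file are assumptions of this example.

# Platforms supported by the API, from the list in the post.
valid_platform() {
    case "$1" in
        ios|iosxe|nxos|aci) return 0 ;;
        *) return 1 ;;
    esac
}

# Read KEY=value from FILE as data. The file is never sourced, so command
# substitutions or extra statements inside it are not executed.
read_cred() {   # usage: read_cred FILE KEY
    sed -n "s/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}$2=//p" "$1" |
        tail -n 1 | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Environment variables take precedence; the file is the fallback.
load_credentials() {   # usage: load_credentials [FILE]
    file="${1:-credentials.env}"
    if [ -z "${CISCO_API_KEY:-}" ] || [ -z "${CISCO_CLIENT_SECRET:-}" ]; then
        [ -r "$file" ] || { echo "no credentials in env or $file" >&2; return 1; }
        # Secrets should not be readable by group or others.
        perms=$(ls -ld "$file" | cut -c5-10)
        [ "$perms" = "------" ] || echo "warning: chmod 600 $file" >&2
        : "${CISCO_API_KEY:=$(read_cred "$file" CISCO_API_KEY)}"
        : "${CISCO_CLIENT_SECRET:=$(read_cred "$file" CISCO_CLIENT_SECRET)}"
    fi
    if [ -z "$CISCO_API_KEY" ] || [ -z "$CISCO_CLIENT_SECRET" ]; then
        echo "CISCO_API_KEY or CISCO_CLIENT_SECRET is missing" >&2; return 1
    fi
    export CISCO_API_KEY CISCO_CLIENT_SECRET
}

# Constructed sample: the second line would run `id` if the file were sourced.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'export CISCO_API_KEY="constructed-key"' \
                  'CISCO_CLIENT_SECRET=$(id)' > "$tmp"
    read_cred "$tmp" CISCO_CLIENT_SECRET   # prints the literal text $(id)
    rm -f "$tmp"
}
```

In a script, call `valid_platform "$1"` and `load_credentials` before any request is sent, and exit on a non-zero status.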
Bash and friends
The output of the API is in JSON format. To filter the JSON response I used jq.
To render the Jinja2 template I used j2cli.
This is the command pipeline:
echo "$output" | jq | j2 -f json openvuln.j2
jq is a lightweight and flexible command-line JSON processor
j2cli is a command-line tool for templating in shell-scripts, leveraging the Jinja2 library
The workflow
The workflow of the script is simple:
- authenticate and get the token
- query the API to get CVEs for the platform/version
- transform the result to json with jq
- use j2cli to render the j2 template using the json as input
I added some error checks for the most common issues, but it's far from being complete or production ready (use it at your own risk). Consider it just an exercise in bash scripting.
Open source
The code is available on GitHub and on DevNet Code Exchange.