tenable / pyTenable

Python Library for interfacing into Tenable's platform APIs
https://pytenable.readthedocs.io
MIT License

Accepted Risk filter not working in sc.analysis.vuln #266

Closed armudgal closed 3 years ago

armudgal commented 3 years ago

Describe the bug: If I include acceptedRisk in filters, then pyTenable throws an error.

DEBUG:tenable.sc.TenableSC:{"body": {"query": {"startOffset": 0, "endOffset": 1000, "filters": [{"operator": "=", "value": "<pluginid>", "filterName": "pluginID"}, {"operator": "=", "value": "<port>", "filterName": "port"}, {"operator": "=", "value": "<acceptedflag>", "filterName": "acceptedRisk"}], "tool": "vulndetails", "type": "vuln"}, "sourceType": "cumulative", "type": "vuln"}, "params": {}, "url": "<url>/rest/analysis", "method": "POST"}
DEBUG:urllib3.connectionpool:Resetting dropped connection: tenablesc.akamai.com
DEBUG:urllib3.connectionpool:<url>:443 "POST /rest/analysis HTTP/1.1" 403 233
ERROR:tenable.errors.APIError:POST <url>/rest/analysis >> None:403 {"type":"regular","response":"","error_code":143,"error_msg":"Unable to process Vuln Query.\nAn error occurred when building the vuln query command.\nFilter \"acceptedRisk\" is not recognized\n","warnings":[],"timestamp":1612279528}

To Reproduce: Steps to reproduce the behavior:

>>> from tenable.sc import TenableSC
>>> sc = TenableSC(<url>)
>>> sc.login(<username>,<password>)
>>> filters = [('pluginID', '=', '<id>'), ('port', '=', '<port>'), ("acceptedRisk","=","1")]
>>> import logging
>>> logging.basicConfig(level=logging.DEBUG)
>>> 
>>> vulns = sc.analysis.vulns(*filters)
>>> next(vulns)


SteveMcGrath commented 3 years ago

Please refer to the query filters supported: https://docs.tenable.com/tenablesc/api/Query.htm

In your scenario, you would need to use acceptRiskStatus not acceptedRisk.

armudgal commented 3 years ago

You are absolutely right. acceptRiskStatus works as expected. The following error is badly worded, I guess, which threw me off:

"error_msg":"The filter 'acceptRisk' is invalid (valid filters: acceptedRisk, acceptRiskStatus, assetID, auditFileID, benchmarkName, cceID, cpe, cveID, baseCVSSScore, cvssVector, cvssV3BaseScore, cvssV3Vector, dataFormat, daysMitigated, daysToMitigated, dnsName, exploitAvailable, exploitFrameworks, familyID, firstSeen, iavmID, ip, lastMitigated, lastSeen, mitigatedStatus, msbulletinID, outputAssets, patchPublished, pluginModified, pluginPublished, pluginID, pluginName, pluginText, pluginType, policyID, port, protocol, recastRisk, recastRiskStatus, repositoryIDs, responsibleUserIDs, severity, stigSeverity, tcpport, udpport, vulnPublished, wasMitigated, xref, uuid, vprScore)

This includes acceptedRisk as a valid filter.

Thanks a lot for the quick reply.

prjpet commented 2 years ago

Reading the Query documentation of the Tenable API is very helpful, thanks for sharing @SteveMcGrath.
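
An added example, not code from pyTenable or from any commenter in this thread: it parses the two Tenable.sc error messages quoted above and shows that `acceptedRisk` is listed as valid by one message yet rejected by the vuln query builder. The function names and `KNOWN_RENAMES` are hypothetical, and `INVALID_MSG` is abbreviated from the message quoted in the thread.

```python
import json
import re

# Error body copied from the DEBUG log in the issue above.
REJECTED_BODY = r'''{"type":"regular","response":"","error_code":143,"error_msg":"Unable to process Vuln Query.\nAn error occurred when building the vuln query command.\nFilter \"acceptedRisk\" is not recognized\n","warnings":[],"timestamp":1612279528}'''

# Abbreviated from the validation message quoted in the thread (most names omitted).
INVALID_MSG = ("The filter 'acceptRisk' is invalid (valid filters: acceptedRisk, "
               "acceptRiskStatus, assetID, pluginID, port, severity)")

# Rename taken from the maintainer's reply in this thread; not a pyTenable API.
KNOWN_RENAMES = {"acceptedRisk": "acceptRiskStatus"}


def rejected_filter(body):
    """Return the filter name the query builder refused, or None."""
    msg = json.loads(body).get("error_msg", "")
    m = re.search(r'Filter "([^"]+)" is not recognized', msg)
    return m.group(1) if m else None


def advertised_filters(msg):
    """Return (invalid_name, names the validation message lists as valid)."""
    m = re.search(r"The filter '([^']+)' is invalid \(valid filters: ([^)]*)", msg)
    if not m:
        return None, set()
    return m.group(1), {n.strip() for n in m.group(2).split(",") if n.strip()}


def preflight(filters):
    """Flag (name, op, value) filter tuples whose name is known to be rejected."""
    return [(name, KNOWN_RENAMES[name]) for name, _op, _val in filters
            if name in KNOWN_RENAMES]


def triage(body, invalid_msg):
    """Combine both messages: was the rejected name advertised as valid?"""
    name = rejected_filter(body)
    _, listed = advertised_filters(invalid_msg)
    return {"rejected": name,
            "listed_as_valid": name in listed,
            "use_instead": KNOWN_RENAMES.get(name)}


if __name__ == "__main__":
    print(triage(REJECTED_BODY, INVALID_MSG))
```

Values accepted by `acceptRiskStatus` are not given in this thread; take them from the Query documentation linked above.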