Update find_hosts_by_cve.py

Added -i --include option to only include output from specific columns. Added `seen` set in the `get_match_details` function to track unique entries based on "hostname" and "local_ip". Modified the loop to skip duplicate entries by checking the seen set. Added a `—deduplicate` (-d) option. When this argument is provided, the script will remove duplicates based on hostname and local_ip.
CrowdStrike · Jul 19, 2024 · 7e7ace8 · 7e7ace8
1 parent 90bd268
commit 7e7ace8
Showing 1 changed file with 39 additions and 6 deletions.
diff --git a/samples/spotlight/find_hosts_by_cve.py b/samples/spotlight/find_hosts_by_cve.py
@@ -1,5 +1,4 @@
-"""Retrieve hosts by CVE vulnerability.
-
+"""
  ______                         __ _______ __         __ __
 |      |.----.-----.--.--.--.--|  |     __|  |_.----.|__|  |--.-----.
 |   ---||   _|  _  |  |  |  |  _  |__     |   _|   _||  |    <|  -__|
@@ -23,6 +22,7 @@
 """
 from argparse import ArgumentParser, RawTextHelpFormatter
 import json
+import sys
 try:
     from tabulate import tabulate
 except ImportError as no_tabulate:
@@ -181,6 +181,15 @@ def parse_command_line() -> object:
         'hostname, local_ip, os_version, service_provider, remediation)',
         required=False
         )
+    parser.add_argument(
+        '-i',
+        '--include',
+        help='List of columns to include in the display, comma-separated.\n'
+        'If specified, only these columns will be displayed.\n'
+        '(cve, score, severity, cve_description, created_on, updated_on,\n'
+        'hostname, local_ip, os_version, service_provider, remediation)',
+        required=False
+        )
     parser.add_argument(
         '-f',
         '--format',
@@ -212,14 +221,21 @@ def parse_command_line() -> object:
         action="store_false",
         required=False
         )
+    parser.add_argument(
+        '-d',
+        '--deduplicate',
+        help='Remove duplicate entries based on hostname and local_ip.',
+        action="store_true",
+        required=False
+        )
 
     return parser.parse_args()
 
 
 def inform(msg: str):
     """Provide informational updates to the user as the program progresses."""
     if PROGRESS:
-        print("  %-80s" % msg, end="\r", flush=True)  # pylint: disable=C0209
+        print(f"\r{' ' * 80}\r{msg}", end='', flush=True)
 
 
 def get_spotlight_matches(cves: list) -> list:
@@ -237,6 +253,9 @@ def get_spotlight_matches(cves: list) -> list:
 
 def remove_exclusions(resultset: dict) -> dict:
     """Remove requested columns from the table display."""
+    if INCLUDE:
+        return [{key: result[key] for key in INCLUDE} for result in resultset]
+
     for result in resultset:
         for exclusion in EXCLUDE:
             del result[exclusion]
@@ -247,15 +266,23 @@ def remove_exclusions(resultset: dict) -> dict:
 def get_match_details(match_list: list) -> list:
     """Retrieve details for individual matches to the specified CVEs."""
     returned = []
+    seen = set()
     inform("[ Retrieve matches ]")
     match_results = spotlight.get_vulnerabilities(ids=match_list)
     if match_results["status_code"] >= 400:
         raise SystemExit(match_results["body"]["errors"][0]["message"])
 
     for result in match_results["body"]["resources"]:
         row = SpotlightCVEMatch(result).to_object()
-        inform(f"[ {row['cve']} ] Found {row['hostname']}/{row['local_ip']}")
-        returned.append(row)
+        if args.deduplicate:
+            unique_id = (row['hostname'], row['local_ip'])
+            if unique_id not in seen:
+                seen.add(unique_id)
+                inform(f"[ {row['cve']} ] Found {row['hostname']}/{row['local_ip']}")
+                returned.append(row)
+        else:
+            inform(f"[ {row['cve']} ] Found {row['hostname']}/{row['local_ip']}")
+            returned.append(row)
 
     reversing = False
     if SORT_REVERSE:
@@ -292,6 +319,10 @@ def get_match_details(match_list: list) -> list:
 if args.exclude:
     EXCLUDE = args.exclude.split(",")
 
+INCLUDE = []
+if args.include:
+    INCLUDE = args.include.split(",")
+
 TABLE_FORMAT = "fancy_grid"
 if args.format:
     table_format = args.format.strip().lower()
@@ -338,8 +369,10 @@ def get_match_details(match_list: list) -> list:
 inform("[ Process startup ]")
 details = get_match_details(get_spotlight_matches(CVE_LIST))
 
+# Clear the progress message
+print("\r" + " " * 80 + "\r", end='', flush=True)
+
 # Display results
-inform("[ Results display ]")
 print(
     tabulate(
         tabular_data=remove_exclusions(details),