DEPRECATED. patton-cli has been moved into a module of the new patton repository for better maintenance. THIS REPOSITORY WILL BE DELETED AS OF JULY 1
Patton-cli - The knife of the Admin & Security auditor
| Current version | 0.0.1 |
| Project site | https://github.com/bbva/patton-cli |
| Issues | https://github.com/bbva/patton-cli/issues/ |
| Python versions | 3.6 or above |
What's Patton cli?
Patton-cli (PC) born with the objective to be a knife for system admins and security auditors.
PC could be filled with many different sources and report in many formats, being great for scripting.
You can see a demo video running Patton-Server + Patton-CLI:
Installation
NOTE
Patton-cli need a Patton-server. Be sure that the server is running!
Using pip
Install Patton is easy:
> python3.6 -m pip install patton-cliUsing Docker
There is an included [Dockerfile](./Dockerfile). It can install patton-cli from either the pypi release, the github head, or from the current working directory. It accepts a build-arg for chose. Run one of:
docker build -t patton-cli . --build-arg source=cwd
docker build -t patton-cli . --build-arg source=github
docker build -t patton-cli . --build-arg source=pypiGetting started
Quick example
> patton django:1.9
+------------+-------------------------------------+---------------------+
| Name | CPEs | CVEs |
+------------+-------------------------------------+---------------------+
| django:1.9 | cpe:/a:djangoproject:django:1.9:rc2 | CVE-2017-7234 (5.8) |
| | | ------------------- |
| | | CVE-2017-7233 (5.8) |
| | | ------------------- |
| | | CVE-2017-7233 (5.8) |
| | | ------------------- |
| | | CVE-2017-7234 (5.8) |
| | ----------------------------------- | ------------------- |
| | cpe:/a:djangoproject:django:1.9:rc2 | CVE-2017-7234 (5.8) |
| | | ------------------- |
| | | CVE-2017-7233 (5.8) |
| | | ------------------- |
| | | CVE-2017-7233 (5.8) |
| | | ------------------- |
| | | CVE-2017-7234 (5.8) |
| | ----------------------------------- | ------------------- |
| | cpe:/a:djangoproject:django:1.9:rc2 | CVE-2017-7234 (5.8) |
| | | ------------------- |
| | | CVE-2017-7233 (5.8) |
| | | ------------------- |
| | | CVE-2017-7233 (5.8) |
| | | ------------------- |
| | | CVE-2017-7234 (5.8) |
| | ----------------------------------- | ------------------- |
| | cpe:/a:djangoproject:django:1.9:rc2 | CVE-2017-7234 (5.8) |
| | | ------------------- |
| | | CVE-2017-7233 (5.8) |
| | | ------------------- |
| | | CVE-2017-7233 (5.8) |
| | | ------------------- |
| | | CVE-2017-7234 (5.8) |
| | ----------------------------------- | ------------------- |
| | cpe:/a:djangoproject:django:1.9:rc1 | CVE-2017-7234 (5.8) |
| | | ------------------- |
| | | CVE-2017-7234 (5.8) |
| | | ------------------- |
| | | CVE-2017-7233 (5.8) |
| | | ------------------- |
| | | CVE-2017-7233 (5.8) |
| | ----------------------------------- | ------------------- |
| | cpe:/a:djangoproject:django:1.9:rc1 | CVE-2017-7234 (5.8) |
| | | ------------------- |
| | | CVE-2017-7234 (5.8) |
| | | ------------------- |
| | | CVE-2017-7233 (5.8) |
| | | ------------------- |
| | | CVE-2017-7233 (5.8) |
| | ----------------------------------- | ------------------- |
| | cpe:/a:djangoproject:django:1.9:rc1 | CVE-2017-7234 (5.8) |
| | | ------------------- |
| | | CVE-2017-7234 (5.8) |
| | | ------------------- |
| | | CVE-2017-7233 (5.8) |
| | | ------------------- |
| | | CVE-2017-7233 (5.8) |
| | ----------------------------------- | ------------------- |
| | cpe:/a:djangoproject:django:1.9:rc1 | CVE-2017-7234 (5.8) |
| | | ------------------- |
| | | CVE-2017-7234 (5.8) |
| | | ------------------- |
| | | CVE-2017-7233 (5.8) |
| | | ------------------- |
| | | CVE-2017-7233 (5.8) |
| | ----------------------------------- | ------------------- |
| | cpe:/a:djangoproject:django:1.9:b1 | CVE-2017-7234 (5.8) |
| | | ------------------- |
| | | CVE-2017-7233 (5.8) |
| | ----------------------------------- | ------------------- |
| | cpe:/a:djangoproject:django:1.9:b1 | CVE-2017-7234 (5.8) |
| | | ------------------- |
| | | CVE-2017-7233 (5.8) |
+------------+-------------------------------------+---------------------+Getting help
Patton-cli has self-explained doc:
> patton -h
usage: patton [-h] [-v] [--patton-host PATTON_HOST] [-F {table,json,csv}] [-q]
[-i FROM_FILE] [-o OUTPUT_FILE]
[-e {python,alpine,simple_parser,auto,nmap,dpkg}] [-s] [-D] [-B]
[-t {auto,nmap}] [-f]
[INPUT_LIST [INPUT_LIST ...]]
Patton cli
positional arguments:
INPUT_LIST
optional arguments:
-h, --help show this help message and exit
-v log level
--patton-host PATTON_HOST
patton server host
-F {table,json,csv}, --display-format {table,json,csv}
display format options
-q, --quiet do not display any information in stdout
-i FROM_FILE, --from-file FROM_FILE
output file for results
-o OUTPUT_FILE, --output-file OUTPUT_FILE
results file. formats: csv, json, raw
-e {python,alpine,simple_parser,auto,nmap,dpkg}, --source-type {python,alpine,simple_parser,auto,nmap,dpkg}
use specific source parser
-s, --skip-on-fail doesn't abort execution on dependency check fail
Working modes:
-D, --dependency check libraries and versions (default)
-B, --banner check banners (currently experimental)
Specific option for banners:
-t {auto,nmap}, --banner-type {auto,nmap}
http, ftp, ...-
-f, --follow read from stdin and do a continuously check
Examples:
* Checking specific library and output as table:
> patton django:1.2 flask:1.1.0
* Checking Python installed dependencies and output as CSV:
> pip freeze | patton -F csv
or
> patton -F csv -i requirements.txt
* Checking ubuntu dependencies display as table and dump in json file:
> dpkg -l | patton -e dpkg -F table -o results.jsonUsage examples
Getting vulnerabilities from different sources
From Ubuntu
> dpkg -l | patton -e dpkgFrom Brew
> brew list --versions | pattonFrom Alpine
> apk version -v | patton -e alpineFrom python requirements
> pip freeze | patton -e pythonor
> cat requirements.txt | patton -e pythonor
> patton -i requirements.txt -e pythonFrom Golang requirements
> cat Gopkg.lock | patton -e golang- Currently Golang's package versioning is still somewhat green, but the biggest solution right now is https://github.com/golang/dep
Formatting the output
Patton-cli can display results in these formats:
- Table
- JSON
- CSV
> cat requirements.txt | patton -e python -F csv> cat requirements.txt | patton -e python -F json> cat requirements.txt | patton -e python -F tableExporting results
Patton-cli can export the results in format:
- Raw (table)
- JSON
- CSV
The format of file is determined by the extension:
> cat requirements.txt | patton -e python -o report.json> cat requirements.txt | patton -e python -o report.csv> cat requirements.txt | patton -e python -o report.rawQuiet mode
If you don't want that Patton-cli reports anything by the terminal, you can use -q option:
> cat requirements.txt | patton -e python -q -o report.csvSome funny examples
Listing dependencies and check te vulns:
> dpkg -l | tee patton -e dpkg -q -o reports.csvFinding critical vulnerabilities:
> dpkg -l | patton -e dpkg -F csv | grep "10\.0" > critial_vulns.txtContributing
Any collaboration is welcome!
There're many tasks to do.You can check the Issues and send us a Pull Request.
Also you can read the TODO file.
License
This project is distributed under Apache 2 license
