Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
The Greenbone Vulnerability Management Tools gvm-tools
are a collection of
tools that help with remote controlling a Greenbone Enterprise Appliance and
Greenbone Community Edition installations. The tools aid in accessing the
communication protocols GMP (Greenbone Management Protocol) and OSP
(Open Scanner Protocol).
This module is comprised of interactive and non-interactive clients. The programming language Python is supported directly for interactive scripting. But it is also possible to issue remote GMP/OSP commands without programming in Python.
The documentation for gvm-tools
can be found at
https://greenbone.github.io/gvm-tools/.
Please refer to the documentation for more details as this README just
gives a short overview.
See the documentation for all supported installation options.
Python 3.9 and later is supported.
Please consider to always use the newest version of gvm-tools
and python-gvm
.
We frequently update this projects to add features and keep them free from bugs.
This is why installing gvm-tools
using pip is recommended.
To use gvm-tools
with an old GMP version (7, 8, 9) you must use a release version
that is <21.06
, combined with an python-gvm
version <21.05
.
In the 21.06
release the support of these older versions has been dropped.
There are several clients to communicate via GMP/OSP.
All clients have the ability to build a connection in various ways:
This tool sends plain GMP/OSP commands and prints the result to the standard output.
Return the current protocol version used by the server:
gvm-cli socket --xml "<get_version/>"
Return all tasks visible to the GMP user with the provided credentials:
gvm-cli --gmp-username foo --gmp-password bar socket --xml "<get_tasks/>"
Read a file with GMP commands and return the result:
gvm-cli --gmp-username foo --gmp-password bar socket myfile.xml
Note that gvm-cli
will by default print an error message and exit with a
non-zero exit code when a command is rejected by the server. If this kind of
error handling is not desired, the unparsed XML response can be requested using
the --raw
parameter:
gvm-cli socket --raw --xml "<authenticate/>"
This tool has a lot more features than the simple gvm-cli
client. You
have the possibility to create your own custom gmp or osp scripts with commands
from the python-gvm library and from
Python 3 itself.
# Retrieve current GMP version
version = gmp.get_version()
# Prints the XML in beautiful form
from gvmtools.helper import pretty_print
pretty_print(version)
# Retrieve all tasks
tasks = gmp.get_tasks()
# Get names of tasks
task_names = tasks.xpath('task/name/text()')
pretty_print(task_names)
There is a growing collection of gmp-scripts in the "scripts/" folder. Some of them might be exactly what you need and all of them help writing your own gmp scripts.
This tool is for running gmp or osp scripts interactively. It provides the same API as gvm-script using the python-gvm library.
Connect with given credentials via a unix domain socket and open an interactive shell:
gvm-pyshell --gmp-username user --gmp-password pass socket
Connect through SSH connection and open the interactive shell:
gvm-pyshell --hostname 127.0.0.1 ssh
For any question on the usage of gvm-tools
or gmp scripts please use the
Greenbone Community Portal. If you
found a problem with the software, please
create an issue on GitHub.
This project is maintained by Greenbone AG.
Your contributions are highly appreciated. Please create a pull request on GitHub. For bigger changes, please discuss it first in the issues.
For development you should use poetry to keep you python packages separated in different environments. First install poetry via pip
python3 -m pip install --user poetry
Afterwards run
poetry install
in the checkout directory of gvm-tools
(the directory containing the
pyproject.toml
file) to install all dependencies including the packages only
required for development.
Afterwards active the git hooks for auto-formatting and linting via autohooks.
poetry run autohooks activate --force
Copyright (C) 2017-2024 Greenbone AG
Licensed under the GNU General Public License v3.0 or later.
FAQs
Tools to control a GSM/GVM over GMP or OSP
We found that gvm-tools demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.