Protection of API key

[raschi-de]

The API key essentially works like a password and I think it should be protected as such. Especially for interactive command line, it is not a good practice to store the API key as accessible as environment variables or type it in the command (and thus expose it in command history).

I suggest that at least in interactive mode it should be possible to ommit the -a option and the tool should then ask the user interactively to enter the password (ideally with obscured or no UI feedback). That is how for example openssh CLI handles the protection of the SSH key / user password.

[mprpic]

Specifying API tokens through environment variables is pretty standard as far as CLI tools go, see e.g.:

• https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
• https://developers.cloudflare.com/cloudflare-one/tutorials/cli#using-the-token-as-an-environment-variable
• https://cli.github.com/manual/gh_help_environment

We could certainly modify the behavior to prompt for the token if neither the env var is configured nor the -a option used, that should be an easy fix. Note though that you'll have to submit the token on every command since each request requires it and there is no caching or session support built into the library right now.

For a better solution, we could define a config file where you could specify the credentials or alternatively a command that fetches them, akin to AWS's cli: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html

That's a larger feature though and should probably be filed separately if desired.

[mprpic]

Implemented in f5db6fa

If neither the option or the env var is specified, you'll get a prompt with a hidden input, e.g.:

$ cve -u joe -o acme quota
API key: 
...

[raschi-de]

Thanks for picking up the suggestion - I agree that it is only relevant / useable for interactive command line use cases, as stated in the original request (and other tools like OpenSSH do exactly that).

[raschi-de]

Hi Martin, sorry for being stupid and for bothering you still - I seem to be running into an issue here. I must admit, I am not that familiar with Python on Windows, but when working for ABB, I have to use what I have. C:\Users\DEU216201>cve --version cvelib 0.5.0 C:\Users\DEU216201>cve -u ***@***.*** -o ABB quota Usage: cve [OPTIONS] COMMAND [ARGS]... Try 'cve -h' for help. Error: Missing option '-a' / '--api-key'. I even tried a fresh install on a personal laptop according to the instructions. Any suggestion? Cheers, Ragnar

[mprpic]

Hey @raschi-de, not a stupid question at all :-) I pushed the fix to this repo but have not published an updated package of cvelib to PyPI yet so the version available there (0.5.0 at the moment) does not contain this code change. I'll push out a new update some time today and then you can just run python3 -m pip install --upgrade. Look out for a new release to be available in either of these places:

• https://pypi.org/project/cvelib/#history
• https://github.com/RedHatProductSecurity/cvelib/releases

[raschi-de]

Hi, Thanks for bearing with me. I noticed that the version in GitHub was still unchanged, but figured such change may be too small to justify a new version. Of course this is not terribly urgent, I'll keep my eyes open (and myself busy with Log4Shell response.). Cheers, Ragnar