[26. January 2025] - Version 0.12.0

Author: xaitax

CHANGELOG.md

@@ -1,5 +1,31 @@
 # 📆 Changelog
 
+## [26. January 2025] - Version 0.12.0
+
+- **CVSS Parsing Enhancements**  
+  Updated the `extract_cvss_info()` function to handle a broader range of CVSS fields: checks for CVSSv4.0, v3.1, v3.0, and v3 in that order, and then falls back to ADP entries if necessary.
+
+- **Date Parsing Unification**  
+  Introduced a new `parse_iso_date()` helper. Replaced direct `datetime.fromisoformat()` calls throughout the code with this function for consistent date formatting, including error handling for trailing Z characters.
+
+- **VulnCheck Key Handling**  
+  Improved error handling for the VulnCheck API key check—now returns a clearer error message if no VulnCheck key is configured.
+
+- **HTML Report Template Overhaul**  
+  Updated and reformatted the HTML export template for improved readability and consistency. Enhanced the layout for displaying references, exploit details, and the AI-powered risk assessment. Moved to a more standardized code style.
+
+- **Refined Public Exploits Display**  
+  Enhanced how exploit PoCs are sorted and displayed.
+
+- **Dependency Upgrades**  
+  Updated `requests` (2.32.2 → 2.32.3), `jinja2` (3.1.4 → 3.1.5), and `openai` (1.30.2 → 1.60.1) in `requirements.txt`.
+
+
+- **General Code Cleanup**  
+  - Organized imports and method parameters for clarity (e.g., specifying `params=` in all relevant requests).  
+  - Tweaked debug output for loading the configuration file, making it more verbose and consistent.  
+  - Adjusted logic for selecting public exploits to be clearer and more maintainable.
+
 ## [05. September 2024] - Version 0.11.0
 
 - **Method Selection Added**: Introduced a new `-m` argument to allow users to selectively run specific methods (e.g., `cisa`, `epss`, `hackerone`, `ai`, `prio`, `references`). This enables more granular control over which data sources and assessments are retrieved for each CVE.

README.md

@@ -73,7 +73,7 @@ pip install -r requirements.txt
 pip install --user sploitscan
 ```
 
-### Kali/Ubuntu/Debian
+### Kali/Ubuntu/Debian (might not the latest version)
 
 ```shell
 apt install sploitscan
@@ -86,18 +86,21 @@ apt install sploitscan
 
 ### Configuration File
 
-Note: The OpenAI and VulnCheck API keys are optional. The OpenAI API key is used for AI-powered risk assessment, and the VulnCheck API key is used for VulnCheck data retrieval. If you do not intend to use these features, you can omit the configuration file or leave the API key fields blank.
+SploitScan searches for a `config.json` in multiple locations by default. It will load the first valid file it finds, in this order:
 
-Create a `config.json` file in one of the following locations with your API keys:
+1. **Custom path passed via `--config` or `-c`**  
+2. **Environment variable**: `SPLOITSCAN_CONFIG_PATH`  
+3. **Local and standard config-file locations**:  
+   - Current working directory  
+   - `~/.sploitscan/config.json`  
+   - `~/.config/sploitscan/config.json`  
+   - `~/Library/Application Support/sploitscan/config.json` (macOS)  
+   - `%APPDATA%/sploitscan/config.json` (Windows)  
+   - `/etc/sploitscan/config.json`
 
-- Current directory
-- `~/.sploitscan/`
-- `~/.config/sploitscan/`
-- `/etc/sploitscan/`
-- `~/Library/Application Support/sploitscan/` (macOS)
-- `%APPDATA%/sploitscan/` (Windows)
+> **Note**: Only one file is loaded — the first one found in the above sequence. You can place your `config.json` in any of these paths.
 
-You can also specify a custom configuration file path using the `--config` or `-c` command-line argument.
+A typical `config.json` might look like this:
 
 ```json
 {
@@ -117,7 +120,7 @@ $ sploitscan.py -h
 ╚════██║██╔═══╝ ██║     ██║   ██║██║   ██║   ╚════██║██║     ██╔══██║██║╚██╗██║
 ███████║██║     ███████╗╚██████╔╝██║   ██║   ███████║╚██████╗██║  ██║██║ ╚████║
 ╚══════╝╚═╝     ╚══════╝ ╚═════╝ ╚═╝   ╚═╝   ╚══════╝ ╚═════╝╚═╝  ╚═╝╚═╝  ╚═══╝
-v0.11.0 / Alexander Hagenah / @xaitax / [email protected]
+v0.12.0 / Alexander Hagenah / @xaitax / [email protected]
 
 usage: sploitscan.py [-h] [-e {json,JSON,csv,CSV,html,HTML}] [-t {nessus,nexpose,openvas,docker}] [-m METHODS] [-i IMPORT_FILE] [-c CONFIG] [-d] [cve_ids ...]
 
@@ -136,7 +139,8 @@ options:
   -m METHODS, --methods METHODS
                         Specify which methods to run, separated by commas. Options: 'cisa', 'epss', 'hackerone', 'ai', 'prio', 'references', etc.
   -i IMPORT_FILE, --import-file IMPORT_FILE
-                        Path to an import file from a vulnerability scanner. If used, CVE IDs can be omitted from the command line arguments.
+                        Path to an import file. If used, CVE IDs can be omitted from the command line arguments. Expected file type is a plain text file with one CVE per line. Vulnerability scanner
+                        files can be imported also with the --type argument to specify the correct type
   -c CONFIG, --config CONFIG
                         Path to a custom config file.
   -d, --debug           Enable debug output.

docs/sploitscan.1

@@ -1,4 +1,4 @@
-.TH SploitScan 1 "Version 0.11.0" "SploitScan user manual"
+.TH SploitScan 1 "Version 0.12.0" "SploitScan user manual"
 .SH NAME
 \fBSploitScan\fP - A tool to fetch and display vulnerability information and public exploits for given CVE IDs.
 .PP

requirements.txt

@@ -1,3 +1,3 @@
-requests==2.32.2
-jinja2==3.1.4
-openai==1.30.2
+requests==2.32.3
+jinja2==3.1.5
+openai==1.60.1