voidaccess 1.3.0__py3-none-any.whl

cli/commands/enrich.py

@@ -0,0 +1,154 @@
+"""
+cli/commands/enrich.py — re-run enrichment over a stored investigation.
+
+Useful after weeks/months: IP feeds shift, emails appear in new breaches,
+domains move. This refreshes:
+    - IP reputation (Feodo, AbuseIPDB, GreyNoise)
+    - Domain reputation (URLScan, SecurityTrails — when keys present)
+    - Hash reputation (VirusTotal, Hybrid Analysis)
+    - Email reputation (HIBP, EmailRep)
+"""
+
+from __future__ import annotations
+
+import asyncio
+import uuid
+from pathlib import Path
+from typing import Optional
+
+import typer
+from rich.console import Console
+
+console = Console()
+
+
+def run(
+    target: str = typer.Argument(..., help="Investigation id or .json file"),
+    skip_ips: bool = typer.Option(False, "--skip-ips"),
+    skip_domains: bool = typer.Option(False, "--skip-domains"),
+    skip_hashes: bool = typer.Option(False, "--skip-hashes"),
+    skip_emails: bool = typer.Option(False, "--skip-emails"),
+) -> None:
+    """Re-enrich entities for an existing investigation."""
+    from cli import config as cli_config
+    cli_config.apply_env()
+
+    inv_id = _resolve_investigation_id(target)
+    if inv_id is None:
+        console.print(f"[red]Cannot resolve investigation:[/red] {target}")
+        raise typer.Exit(code=1)
+
+    asyncio.run(_run(inv_id, skip_ips, skip_domains, skip_hashes, skip_emails))
+
+
+def _resolve_investigation_id(target: str) -> Optional[str]:
+    import json as _json
+    p = Path(target).expanduser()
+    if p.exists() and p.suffix == ".json":
+        try:
+            data = _json.loads(p.read_text(encoding="utf-8"))
+        except Exception:
+            return None
+        return data.get("investigation", {}).get("id") or data.get("id")
+    from cli.adapters import sqlite as sqlite_adapter
+    sqlite_adapter.init_db()
+    resolved = sqlite_adapter.resolve_investigation_id(target) or target
+    row = sqlite_adapter.get_investigation(resolved)
+    return row["id"] if row else None
+
+
+class _FakeEntity:
+    """Minimal stand-in shaped like extractor.normalizer.NormalizedEntity."""
+    __slots__ = ("entity_type", "value", "confidence", "canonical_value")
+
+    def __init__(self, entity_type: str, value: str, confidence: float,
+                 canonical_value: str | None = None):
+        self.entity_type = entity_type
+        self.value = value
+        self.confidence = confidence
+        self.canonical_value = canonical_value or value
+
+
+class _FakeResult:
+    """Shape: ExtractionResult — only .entities is used by reputation enrichers."""
+    __slots__ = ("entities",)
+
+    def __init__(self, entities: list):
+        self.entities = entities
+
+
+_TYPE_MAP = {
+    "ip_address":       "IP_ADDRESS",
+    "domain":           "DOMAIN",
+    "email":            "EMAIL_ADDRESS",
+    "file_hash_md5":    "FILE_HASH_MD5",
+    "file_hash_sha1":   "FILE_HASH_SHA1",
+    "file_hash_sha256": "FILE_HASH_SHA256",
+}
+
+
+def _load_extraction_results(investigation_id: str) -> list:
+    """Reconstruct ExtractionResult-shaped objects from the DB."""
+    from cli.adapters import sqlite as sqlite_adapter
+    rows = sqlite_adapter.get_entities(investigation_id)
+    fakes = []
+    for r in rows:
+        canonical = _TYPE_MAP.get(r["entity_type"], r["entity_type"].upper())
+        fakes.append(
+            _FakeEntity(
+                entity_type=canonical,
+                value=r["value"],
+                confidence=r.get("confidence") or 1.0,
+                canonical_value=r.get("canonical_value"),
+            )
+        )
+    return [_FakeResult(fakes)]
+
+
+async def _run(
+    investigation_id: str,
+    skip_ips: bool,
+    skip_domains: bool,
+    skip_hashes: bool,
+    skip_emails: bool,
+) -> None:
+    inv_uuid = uuid.UUID(investigation_id)
+    extraction_results = _load_extraction_results(investigation_id)
+
+    if not skip_ips:
+        try:
+            from sources.ip_reputation import enrich_ip_entities
+            console.print("• IP reputation…")
+            await enrich_ip_entities(extraction_results, inv_uuid)
+            console.print("  [green]done[/green]")
+        except Exception as exc:
+            console.print(f"  [red]failed:[/red] {exc}")
+
+    if not skip_domains:
+        try:
+            from sources.domain_reputation import enrich_domain_entities
+            console.print("• Domain reputation…")
+            await enrich_domain_entities(extraction_results, inv_uuid)
+            console.print("  [green]done[/green]")
+        except Exception as exc:
+            console.print(f"  [red]failed:[/red] {exc}")
+
+    if not skip_hashes:
+        try:
+            from sources.hash_reputation import enrich_hash_entities
+            console.print("• Hash reputation…")
+            await enrich_hash_entities(extraction_results, inv_uuid)
+            console.print("  [green]done[/green]")
+        except Exception as exc:
+            console.print(f"  [red]failed:[/red] {exc}")
+
+    if not skip_emails:
+        try:
+            from sources.email_reputation import enrich_email_entities
+            console.print("• Email reputation…")
+            await enrich_email_entities(extraction_results, inv_uuid)
+            console.print("  [green]done[/green]")
+        except Exception as exc:
+            console.print(f"  [red]failed:[/red] {exc}")
+
+    console.print("\n[green]Re-enrichment complete.[/green]")

cli/commands/export.py

@@ -0,0 +1,158 @@
+"""
+cli/commands/export.py — convert a saved investigation to a sharable format.
+
+    voidaccess export <id_or_json_file> --format stix|misp|sigma|csv|md|json
+"""
+
+from __future__ import annotations
+
+import csv
+import io
+import json
+import uuid
+from pathlib import Path
+from typing import Optional
+
+import typer
+from rich.console import Console
+
+console = Console()
+
+
+def run(
+    target: str = typer.Argument(..., help="Investigation id or .json file"),
+    fmt: str = typer.Option("json", "--format", help="stix|misp|sigma|csv|md|json"),
+    output: Optional[Path] = typer.Option(None, "--output", help="Output file"),
+) -> None:
+    """Export an investigation."""
+    from cli import config as cli_config
+    cli_config.apply_env()
+
+    fmt = fmt.lower()
+    if fmt not in ("stix", "misp", "sigma", "csv", "md", "json"):
+        console.print(f"[red]Unsupported format:[/red] {fmt}")
+        raise typer.Exit(code=2)
+
+    inv_id, data = _load_target(target)
+    if not data:
+        console.print(f"[red]Could not load investigation:[/red] {target}")
+        raise typer.Exit(code=1)
+
+    payload, suffix = _render(fmt, inv_id, data)
+    out_path = output or _default_out_path(target, suffix)
+    out_path = Path(out_path).expanduser()
+    out_path.parent.mkdir(parents=True, exist_ok=True)
+    if isinstance(payload, bytes):
+        out_path.write_bytes(payload)
+    else:
+        out_path.write_text(payload, encoding="utf-8")
+    console.print(f"[green]Wrote[/green] {out_path}")
+
+
+def _load_target(target: str) -> tuple[Optional[str], Optional[dict]]:
+    p = Path(target).expanduser()
+    if p.exists() and p.suffix == ".json":
+        try:
+            data = json.loads(p.read_text(encoding="utf-8"))
+        except Exception:
+            return None, None
+        inv_id = data.get("investigation", {}).get("id") or data.get("id")
+        return inv_id, data
+    from cli.adapters import sqlite as sqlite_adapter
+    sqlite_adapter.init_db()
+    resolved = sqlite_adapter.resolve_investigation_id(target) or target
+    data = sqlite_adapter.investigation_to_export_dict(resolved)
+    if not data or not data.get("investigation"):
+        return None, None
+    return resolved, data
+
+
+def _render(fmt: str, inv_id: Optional[str], data: dict) -> tuple[str | bytes, str]:
+    if fmt == "json":
+        return json.dumps(data, indent=2, default=str), ".json"
+
+    if fmt == "csv":
+        return _csv_from_data(data), ".csv"
+
+    if fmt == "md":
+        from cli.commands.investigate import _render_markdown  # reuse renderer
+        # Adapt shape: _render_markdown expects flat payload
+        flat = _flatten_for_md(data)
+        return _render_markdown(flat), ".md"
+
+    # STIX/MISP/Sigma need investigation_id (UUID) and load from DB
+    if inv_id is None:
+        raise typer.BadParameter(
+            "STIX, MISP, and Sigma export require an investigation id in the database "
+            "(not a bare JSON file)."
+        )
+    try:
+        inv_uuid = uuid.UUID(inv_id)
+    except (ValueError, TypeError) as exc:
+        raise typer.BadParameter(f"Invalid investigation id: {inv_id} ({exc})") from exc
+
+    if fmt == "stix":
+        from export import investigation_to_stix_bundle, bundle_to_json
+        bundle = investigation_to_stix_bundle(inv_uuid)
+        return bundle_to_json(bundle), ".json"
+
+    if fmt == "misp":
+        from export import investigation_to_misp_event, misp_event_to_json
+        event = investigation_to_misp_event(inv_uuid)
+        return misp_event_to_json(event), ".json"
+
+    if fmt == "sigma":
+        from export import export_sigma_rules
+        rules_yaml = export_sigma_rules(inv_uuid)
+        return rules_yaml if isinstance(rules_yaml, str) else "\n---\n".join(rules_yaml), ".yml"
+
+    raise typer.BadParameter(f"Unknown format: {fmt}")
+
+
+def _csv_from_data(data: dict) -> str:
+    entities = data.get("entities", [])
+    if not entities and isinstance(data.get("investigation"), dict):
+        entities = data.get("entities", [])
+    buf = io.StringIO()
+    writer = csv.writer(buf)
+    writer.writerow(
+        ["entity_type", "value", "canonical_value", "confidence",
+         "extraction_method", "corroborating_sources", "context_snippet"]
+    )
+    for e in entities:
+        writer.writerow(
+            [
+                e.get("entity_type", ""),
+                e.get("value", ""),
+                e.get("canonical_value", ""),
+                e.get("confidence", ""),
+                e.get("extraction_method", ""),
+                e.get("corroborating_sources", ""),
+                (e.get("context_snippet") or "").replace("\n", " ")[:500],
+            ]
+        )
+    return buf.getvalue()
+
+
+def _flatten_for_md(data: dict) -> dict:
+    if "investigation" in data:
+        inv = data["investigation"]
+        return {
+            "query": inv.get("query", ""),
+            "refined_query": inv.get("refined_query"),
+            "model_used": inv.get("model_used"),
+            "created_at": inv.get("created_at", ""),
+            "summary": inv.get("summary"),
+            "entities": data.get("entities", []),
+            "relationships": data.get("relationships", []),
+            "sources_used": data.get("sources_used", {}),
+        }
+    return data
+
+
+def _default_out_path(target: str, suffix: str) -> Path:
+    p = Path(target).expanduser()
+    if p.exists():
+        return p.with_suffix(suffix)
+    from cli import config as cli_config
+    return cli_config.get_output_dir() / f"{target}{suffix}"