Anthropic-Cybersecurity-Skills/skills/performing-endpoint-vulnerability-remediation/references/api-reference.md

# API Reference — Performing Endpoint Vulnerability Remediation

## Libraries Used

| Library | Purpose |
|---------|---------|
| `csv` | Parse vulnerability scan CSV exports (Nessus, Qualys, Rapid7) |
| `subprocess` | Check installed Windows patches via `wmic qfe` and PowerShell |
| `socket` | Validate port-based remediation via TCP connect |
| `json` | Read/write remediation plans and reports |
| `argparse` | CLI argument parsing for scan file and host parameters |
| `datetime` | Track patch dates and SLA deadlines |

## CLI Interface

```bash
python agent.py parse --scan-file scan.csv
python agent.py patches
python agent.py validate --host 10.0.0.1 --port 445
python agent.py report --scan-file scan.csv [--output plan.json]
```

## Core Functions

### `parse_scan_report(csv_file)` — Parse and prioritize vulnerabilities by severity
```python
def parse_scan_report(csv_file):
    """Parse Nessus/Qualys CSV export, group by host, sort by severity."""
    with open(csv_file, newline="") as f:
        reader = csv.DictReader(f)
        vulns = []
        for row in reader:
            vulns.append({
                "host": row.get("Host", row.get("IP")),
                "plugin_id": row.get("Plugin ID", row.get("QID")),
                "severity": row.get("Risk", row.get("Severity", "Info")),
                "name": row.get("Name", row.get("Title")),
                "cve": row.get("CVE", ""),
                "solution": row.get("Solution", row.get("Fix", "")),
            })
    severity_order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}
    return sorted(vulns, key=lambda v: severity_order.get(v["severity"], 5))
```

### `check_windows_patches()` — List installed Windows hotfixes via WMIC
```python
def check_windows_patches():
    """Query installed patches on a Windows endpoint."""
    result = subprocess.run(
        ["wmic", "qfe", "get", "HotFixID,InstalledOn,Description", "/format:csv"],
        capture_output=True, text=True, timeout=30,
    )
    patches = []
    for line in result.stdout.strip().split("\n")[1:]:
        parts = line.strip().split(",")
        if len(parts) >= 4:
            patches.append({
                "hotfix_id": parts[1],
                "description": parts[2],
                "installed_on": parts[3],
            })
    return patches
```

### `validate_remediation(host, port)` — TCP connect to verify port closure
```python
def validate_remediation(host, port):
    """Verify that a vulnerable port has been closed after remediation."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(5)
    try:
        result = sock.connect_ex((host, int(port)))
        return {
            "host": host,
            "port": port,
            "status": "open" if result == 0 else "closed",
            "remediated": result != 0,
        }
    finally:
        sock.close()
```

### `generate_remediation_report(scan_file, output)` — Group vulns by host for remediation
```python
def generate_remediation_report(scan_file, output=None):
    """Generate a prioritized remediation plan from scan results."""
    vulns = parse_scan_report(scan_file)
    by_host = {}
    for v in vulns:
        by_host.setdefault(v["host"], []).append(v)

    report = {
        "total_vulns": len(vulns),
        "hosts_affected": len(by_host),
        "by_severity": {},
        "remediation_plan": [],
    }
    for severity in ["Critical", "High", "Medium", "Low"]:
        count = sum(1 for v in vulns if v["severity"] == severity)
        report["by_severity"][severity] = count

    for host, host_vulns in sorted(by_host.items()):
        report["remediation_plan"].append({
            "host": host,
            "vuln_count": len(host_vulns),
            "critical": sum(1 for v in host_vulns if v["severity"] == "Critical"),
            "patches": [v["name"] for v in host_vulns[:10]],
        })

    if output:
        with open(output, "w") as f:
            json.dump(report, f, indent=2)
    return report
```

## Output Format

```json
{
  "total_vulns": 245,
  "hosts_affected": 42,
  "by_severity": {
    "Critical": 8,
    "High": 35,
    "Medium": 112,
    "Low": 90
  },
  "remediation_plan": [
    {
      "host": "10.0.0.50",
      "vuln_count": 12,
      "critical": 2,
      "patches": ["MS17-010: EternalBlue", "CVE-2024-21887: Ivanti RCE"]
    }
  ]
}
```

## Dependencies

No external packages — Python standard library only.