Passivetotal

Enhancements

- Significant improvements to the Attack Surface Intelligence (ASI) documentation. Added
class references for ASI, CTI and vulnerability intelligence to ensure the docs and links
generated properly. Introduced a new Sphinx module to help generate inline table-of-contents
for complex classes. Corrected typos in docstrings and ensured consistent type references
when methods returned RecordList-type objects.
- Implemented new config files for readthedocs to align with current documentation practices.
- New `whois_history` property of `Hostname` and `IPAddress` entities gives direct access
to historical Whois (ownership) records. Includes more consistent implementation of
RecordList functionality and better pandas dataframe support for both historical Whois and
field-level Whois searches.
- New `impacted_attack_surfaces` property of vulnerability articles (`VulnArticle`) filters
the list of third-party vendors to only those with at least one observation. The Illuminate
API returns all attack surfaces associated with an API key regardless of whether they are
impacted; the complete list is still available in the `attack_surfaces` property. Also updated
the `info` view of the Pandas dataframe on a vulnerability article so the `impacts` column
shows the count of impacted attack surfaces.


Bug Fixes

- Correctly sum insight and observation counts when accessing Attack Surface Insights
(ASIs) across multiple severity levels. Previously the `active_insight_count`,
`total_insight_count`, and `total_observations` properties of the `all_active_insights`
record list were only counting high-priority insights.
- Fixed issue that caused an exception when trying to generate a dictionary view of an
AttackSurfaceComponent (detection).
- Removed reference to non-existant field in `VulnArticle` that was causing an exception when
rendering a vulnerability article as a dictionary with the `as_dict` property.
- Handle vuln articles with no impacted assets without raising an exception.

Enhancements

- `certificates` property of `analyzer.Hostname` objects now returns same list of SSL
certificates as the UI, enabled by a CertificateField search with the field set to
`name`. This activates special-case functionality in the API that performs a
substring search for a hostname across both subjectAlternativeNames and subjectCommonName fields
The previous version only looked at the `subjectAlternativeNames` field. A more narrow
search across specific fields is still available by instantiating an
`analyzer.CertificateField` object directly.
- Docs now show current version number and link to this changelog hosted on GitHub.

Enhancements

- New example notebook explaining how to use projects, artifacts, and alerts.
- New filter for lists of substrings on all RecordList objects.
- New API library for Trackers to support recently-introduced endpoints that enable
pagination. Ensured pagination for `analyzer.Tracker` objects works correctly with new
API library. It is now possible to download hundreds of thousands of tracker search
results by accessing the `observations_by_ip` or `observations_by_hostname` property of
a Tracker.


Bug Fixes

- Add missing docstring for filter_date* functions on RecordList objects.
- Resolved issue that blocked filtering of project alerts with filter* functions.
- Fixed dataframe column names on vulnerability objects to match properties.

Bug fixes

- Fixed issue that broke Illuminate ASI and Vuln Intel analyzer modules in Python 3.7 and
earlier due to a missing param on the lru_cache decorator required in those versions.
- Fixed default end date behavior in analyzer to include a full day rather than stopping at
midnight "today". Was causing records with a last-seen date equal to the current date
to be excluded from analyzer record list objects (including pDNS, certificates, and
anything else that supported date-bounded queries).

Enhancements

- Support for new RiskIQ Illuminate Vulnerability Intelligence API endpoints in core API library.
- New `cves` property of AttackSurface objects finds vulnerabilities impacting assets within that
attack surface. Works identically for the primary (your own) attack surface and third-party
attack surfaces.
- New `AttackSurfaceCVEs` record list to contain a list of `AttackSurfaceCVE` objects, with properties
to access the vulnerability report, RiskIQ priority score, and list of impacted assets.
- New `VulnArticle` object to provide details on a CVE and discover the list of third-party vendors
with assets impacted by the vuln. Custom views in the article's `to_dataframe()` method render
dataframes focused on article references, component detections, and third-party impacts.
- New helper method `analyzer.AttackSurface()` to directly load an attack surface. Works without params to load
the main attack surface, with an ID to load a third-party vendor attack surface by ID, or with a string
to find an attack surface by vendor name.
- Re-organized Illuminate-specific code in the `analyzer` module into distinct files located under a
subpackage. Existing imports in client code should not be impacted.


Pull Requests

- Publishes pull request 38 "Remove ez_setup dependancy."

Enhancements

- Removed strict checking on tracker type to permit querying by arbitrary tracker types. Updated list
of common trackers. Added searchType param to docs to reflect API's capability of returning either
hostnames or addresses.
- New methods to search trackers in the `analyzer` module, including `tracker_references` property on
`Hostname` and `IPAddress` objects to find other sites referencing the focus host in their tracker
values.
- New `analyzer.Tracker` top-level entity with `observations_by_ip` and `observations_by_hostname`
properties to find other hosts with the same tracker type and value.
- New `filter_fn` method on all RecordList objects enables filtering a list by an arbitrary function.
Helps reduce code duplication and enables more advanced filtering.
- Monitoring API endpoint support in the core library, and new `alerts` property on
project artifacts to easily retrieve the list of new alerts for an artifact in a project.
Handles pagination automatically and returns results in new analyzer objects to enable
standard filtering and data representation (i.e. `as_dict` and `as_df`).
- Small change to the `get_object` method to tolerate passing it objects that are already
`analyzer.Hostname` or `analyzer.IPAddress` objects.
- New `is_ip` and `is_hostname` methods on both `Hostname` and `IPAddress` objects to simplify
code that operates against a list of hosts that may include objects of both types.
- New methods on Tracker search results and Hostpair results to exclude records with hostnames,
domains or tlds in a given list. This helps refine results to focus on "foreign" sites and enables direct
application of proven phishing site detection use cases.



Bug Fixes

- Fixed incorrect constant reference in trackers API (by removing strict checking on
tracker type).
- Fixed broken `age` property on Articles that was also causing `as_df` and `as_dict` to fail.
Likely caused by missing time zone info in dates returned from the API.