oreoshake / hackerone-client Goto Github PK

👋 When a weakness references an external_id that starts with capec-, calling to_owasp will throw an error.

=> #<HackerOne::Client::Weakness:0x00007fb8503c9de8 @attributes={:name=>"Privilege Escalation", :description=>"An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.", :external_id=>"capec-233", :created_at=>"2017-01-05T01:51:19.000Z"}>

Calling weakness.to_owasp throws an error in weakeness.rb

/cc @rzhade3

state_change, add_comment, triage, add_report_reference are all specific to reports yet live in the hodge podge HackerOne::Client class.

This is fine when the library is tiny and with few developers, but it can get out of hand quickly.

There's probably a few opportunities to DRY up the code too.

See https://api.hackerone.com/docs/v1#/reports/assignee/update

Internal and external. See https://api.hackerone.com/docs/v1#/reports/comments/create

See https://api.hackerone.com/docs/v1#/reports/state_changes

Hi, I've need to be able to define more extensive filters on reports and also noticed that you don't do pagination, which yield in missing records. I've hacked something quickly in https://github.com/Showmax/hackerone-client/tree/reports-find . It should be considered WIP, for example abstracting pagination out of this methods and actually making it more robust (similarly to your parse_response method).

But I thought that you may be interested in the work.

We should consider adding Sorbet type checking.

In order to ensure all reports are assigned to a user, we should opportunistically assign issues upon any state change if the report is unassigned.

def triage(reference, assignee: nil)
def award_bounty(message:, amount:, bonus_amount: nil, assignee: nil)

etc. It seems like this would be a common use case and it's entirely optional anyways.

/cc @gregose @brentjo @esjee

We should add support for Report/ Program Custom fields: https://api.hackerone.com/customer-resources/#reports-manage-custom-field-values

The API doesn't like invalid state changes or even state changes to the current state. This can lead to confusing 400 errors.

For the case where you're doing a state change to the current state, we could raise an error in the client.

For the other cases, we'd probably need to map out the valid transitions and check this prior to making a call.

/cc @brentjo @gregose

Currently, we only support instantiation of the H1 credentials as Environment variables. This means that it is very difficult to use in an environment with multiple programs.

In order to fix this, we should allow instantiation of the H1-client with the creds passed in as variables, and allow callers to decide where the credentials originate from.

See https://api.hackerone.com/docs/v1#/programs/reporters

@esjee is working on adding support to pay bounties via the API. This includes:

• Paying bounties
• Suggesting bounties
• Awarding swag

Hey!

I am thinking of adding a pull request to get all reporters. So we need to set the page[size] =100 and increment page[number]= 1...2...3 etc. till we get zero array size.

I don't see those params for client.reporter am I missing something ?