Merge pull request #40 from Yamato-Security/fix-vt-lookup-error

fix: `JsonParsingError` when `vt-lookup` failed with invalid api key

CHANGELOG-Japanese.md

@@ -11,6 +11,7 @@
 **バグ修正*:**
 
 - Hayabusa 2.8.0以上の結果で`timeline-suspicious-processes`を実行した際のクラッシュを修正した。 (#35) (@fukusuket)
+- 無効なAPIキーが指定された場合に、VirusTotalの検索でJSONパースエラーが発生する問題を修正した。(@fukusuket)
 
 ## 2.0.0 [2022/08/03] - [SANS DFIR Summit 2023 Release](https://www.sans.org/cyber-security-training-events/digital-forensics-summit-2023/)
 

CHANGELOG.md

@@ -11,6 +11,7 @@
 **Bug Fixes*:**
 
 - `timeline-suspicious-processes` would crash when Hayabusa results from version 2.8.0+ was used. (#35) (@fukusuket)
+- Fixed a JSON parsing error in VirusTotal lookups when an invalid API key was specified. (@fukusuket)
 
 ## 2.0.0 [2022/08/03] - [SANS DFIR Summit 2023 Release](https://www.sans.org/cyber-security-training-events/digital-forensics-summit-2023/)
 

src/takajopkg/vtDomainLookup.nim

@@ -7,12 +7,13 @@ var vtAPIDomainChannel: Channel[VirusTotalResult] # channel for receiving parall
 
 proc queryDomainAPI(domain:string, headers: httpheaders.HttpHeaders) {.thread.} =
     let response = get("https://www.virustotal.com/api/v3/domains/" & encodeUrl(domain), headers)
-    let jsonResponse = parseJson(response.body)
+    var jsonResponse = %* {}
     var singleResultTable = newTable[string, string]()
     var malicious = false
     singleResultTable["Domain"] = domain
     singleResultTable["Link"] = "https://www.virustotal.com/gui/domain/" & domain
     if response.code == 200:
+        jsonResponse = parseJson(response.body)
         singleResultTable["Response"] = "200"
         # Parse values that need epoch time to human readable time
         singleResultTable["CreationDate"] = getJsonDate(jsonResponse, @["data", "attributes", "creation_date"])

src/takajopkg/vtHashLookup.nim

@@ -1,18 +1,18 @@
-# Todo: add more info useful for triage, trusted_verdict, signature info, sandbox results etc...
+# TODO: add more info useful for triage, trusted_verdict, signature info, sandbox results etc...
 # https://blog.virustotal.com/2021/08/introducing-known-distributors.html
-# TODO:
 # Add output not found to txt file
 
 var vtAPIHashChannel: Channel[VirusTotalResult] # channel for receiving parallel query results
 
 proc queryHashAPI(hash:string, headers: httpheaders.HttpHeaders) {.thread.} =
     let response = get("https://www.virustotal.com/api/v3/files/" & hash, headers)
-    let jsonResponse = parseJson(response.body)
+    var jsonResponse = %* {}
     var singleResultTable = newTable[string, string]()
     var malicious = false
     singleResultTable["Hash"] = hash
     singleResultTable["Link"] = "https://www.virustotal.com/gui/file/" & hash
     if response.code == 200:
+        jsonResponse = parseJson(response.body)
         singleResultTable["Response"] = "200"
 
         # Parse values that need epoch time to human readable time

src/takajopkg/vtIpLookup.nim

@@ -4,12 +4,13 @@ var vtIpAddressChannel: Channel[VirusTotalResult] # channel for receiving parall
 
 proc queryIpAPI(ipAddress:string, headers: httpheaders.HttpHeaders) {.thread.} =
     let response = get("https://www.virustotal.com/api/v3/ip_addresses/" & ipAddress, headers)
-    let jsonResponse = parseJson(response.body)
+    var jsonResponse = %* {}
     var singleResultTable = newTable[string, string]()
     var malicious = false
     singleResultTable["IP-Address"] = ipAddress
     singleResultTable["Link"] = "https://www.virustotal.com/gui/ip_addresses/" & ipAddress
     if response.code == 200:
+        jsonResponse = parseJson(response.body)
         singleResultTable["Response"] = "200"
 
         # Parse values that need epoch time to human readable time