arazzo: 1.0.1
info:
  title: Shodan InternetDB Vulnerability Triage
  summary: Pull an IP's free InternetDB record, then detail one of its known CVEs.
  description: >-
    A lightweight, keyless triage pattern. The workflow retrieves the free
    InternetDB record for an IP, which lists its open ports, CPEs, tags, and
    known CVEs, then pulls the full CVEDB record for a selected CVE to assess
    severity and exploitation likelihood. Both InternetDB and CVEDB are
    unauthenticated, so no API key is required. Every step spells out its
    request inline so the flow can be read and executed without opening the
    underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
  - name: shodanInternetdb
    url: ../openapi/shodan-internetdb-openapi.yml
    type: openapi
  - name: shodanCvedb
    url: ../openapi/shodan-cvedb-openapi.yml
    type: openapi
workflows:
  - workflowId: internetdb-vuln-triage
    summary: Triage an IP's exposure using free InternetDB and CVEDB lookups.
    description: >-
      Retrieves the InternetDB record for an IP and details a selected CVE
      from its known vulnerabilities using the CVEDB.
    inputs:
      type: object
      required:
        - ip
        - cveId
      properties:
        ip:
          type: string
          description: The IPv4 address to triage.
        cveId:
          type: string
          description: >-
            The CVE identifier to detail. InternetDB returns a list of known
            CVEs for the IP, so the chosen CVE id is carried forward through
            this input for the detail lookup.
    steps:
      - stepId: internetDbRecord
        description: >-
          Retrieve the open ports, CPEs, hostnames, tags, and known CVEs for
          the IP from the free InternetDB.
        operationId: getInternetDbHost
        parameters:
          - name: ip
            in: path
            value: $inputs.ip
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          ports: $response.body#/ports
          cpes: $response.body#/cpes
          tags: $response.body#/tags
          vulns: $response.body#/vulns
      - stepId: cveDetails
        description: >-
          Retrieve the full CVEDB record for the selected CVE, including CVSS,
          EPSS, and KEV status.
        operationId: getCve
        parameters:
          - name: cveId
            in: path
            value: $inputs.cveId
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          summary: $response.body#/summary
          cvss: $response.body#/cvss
          epss: $response.body#/epss
          kev: $response.body#/kev
    outputs:
      ports: $steps.internetDbRecord.outputs.ports
      vulns: $steps.internetDbRecord.outputs.vulns
      cvss: $steps.cveDetails.outputs.cvss
      kev: $steps.cveDetails.outputs.kev