Processing security bulletins with the HP Client Management Script Library

So just about now, you've settled in your favorite chair, latest HP Zombieload bulletin neatly printed on (of course) high quality HP paper, preparing to get medieval on that printout with your highlighter. But medieval is so 2018. How about something a little more modern?

If we study the bulletin, we notice that it is nothing more than a list of platforms and links to related downloads. Let's see if we can process this document automatically. We'll present a fully working script soon, but we'll start by looking at the individual parts.

To be clear, scripts shown in this blog are meant to illustrate concepts, and are not supported for production use by HP. Please feel free to use the concepts to create your own scripts, and always test your scripts on representative systems before going into production.

Building the script

First, we will extract all the downloads from the bulletin. They are really all we care about. We already know what platforms we are interested in.

We know the URL of the bulletin (it probably came in your email), and we can write a reasonable regular expression for the softpaq download URL:


    $url = "https://support.hp.com/us-en/document/$bulletin"
    $regex = 'https?:\/\/ftp\.hp\.com\/pub\/softpaq\/sp[0-9]{3,8}-[0-9]{3,8}\/sp([0-9]{3,8})\.exe'

Now we can extract all the softpaqs mentioned in the bulletin:

    $page = Invoke-WebRequest -UseBasicParsing -Uri $url
    $paqs = $page.Links |
        where { $_.href -and $_.href.ToLower() -match $regex } |
        select @{ Name = 'obj'; Expression = { [regex]::Match($_.href.ToLower(), $regex).Groups[1].Value } }
    $candidates = $paqs.obj | select -Unique

In this snippet, we retrieved the bulletin, searched for links that match our regex, extracted the softpaq number from the href element of the links, and then removed all duplicates from our list of softpaqs. We now have a collection of all softpaqs mentioned in the bulletin.

And finally, using the HP Client Management Script Library (1.2.1 or later), we check our platform of interest against the list of softpaqs in the bulletin. If you are unclear how to find your platform's system id, try the Get-HPDeviceProductID function, or simply look in the Win32_BaseBoard WMI class, field "Product" using (gwmi Win32_Baseboard).Product.

    $avail = Get-SoftpaqList -platform $platform 
    $avail | where  { $candidates -contains $_.Id.ToLower().Trim("sp") }

Here, we used the Get-SoftpaqList function to retrieve the latest softpaqs for this platform, and then filtered that list against the collection of softpaqs scraped from the bulletin. What we are left with is the softpaq in the bulletin that matches this platform.

The full script

Now for the full script (not really much more to it), here's GetSoftpaqsFromBulletin.ps1. You invoke it by specifying the bulletin number and the platform of interest, and it will return the softpaq specified in the bulletin.

    [CmdletBinding()]
    param(
        # HP bulletin document number, e.g. c06330149
        [ValidatePattern('^[cC][0-9]{3,12}$')]
        [Parameter(Position=0, Mandatory=$true)]
        [string]$bulletin,

        # Four-hex-digit platform (system) id; defaults to the local device
        [ValidatePattern('^[a-fA-F0-9]{4}$')]
        [Parameter(Position=1, Mandatory=$false)]
        [string]$platform = (Get-HPDeviceProductID)
    )

    $url = "https://support.hp.com/us-en/document/$bulletin"
    $regex = 'https?:\/\/ftp\.hp\.com\/pub\/softpaq\/sp[0-9]{3,8}-[0-9]{3,8}\/sp([0-9]{3,8})\.exe'

    # Fetch the bulletin and pull the softpaq number out of every matching link
    $page = Invoke-WebRequest -UseBasicParsing -Uri $url
    $paqs = $page.Links |
        where { $_.href -and $_.href.ToLower() -match $regex } |
        select @{ Name = 'obj'; Expression = { [regex]::Match($_.href.ToLower(), $regex).Groups[1].Value } }

    $candidates = $paqs.obj | select -Unique

    # Keep only the softpaqs for this platform that the bulletin mentions
    $avail = Get-SoftpaqList -platform $platform
    $avail | where { $candidates -contains $_.Id.ToLower().Trim("sp") }


And that is it!

Trying it out

A quick test, given 'c06330149' as the Zombieload bulletin:


    PS C:\> .\GetSoftpaqsFromBulletin -platform 8100 -bulletin c06330149 

    Id           : sp95991
    Name         : HP Notebook System BIOS Update (N78)
    Category     : BIOS
    Version      : 01.39
    Vendor       : HP Inc.
    ReleaseType  : Critical
    SSM          : true
    DPB          : false
    Url          : ftp.hp.com/pub/softpaq/sp95501-96000/sp95991.exe
    ReleaseNotes : ftp.hp.com/pub/softpaq/sp95501-96000/sp95991.html
    Metadata     : ftp.hp.com/pub/softpaq/sp95501-96000/sp95991.cva
    MD5          : fa5586c48d5b13f37bce6de2b41135ff
    Size         : 12716824
    ReleaseDate  : 2019-05-14

Or to download instead of just view:


    PS C:\> .\GetSoftpaqsFromBulletin -platform 8100 -bulletin c06330149 | foreach { Get-Softpaq -number $_.Id -friendlyName }

Where to next

We hope this was useful. This script is only a starting place. From here you can modify the platform parameter to accept a list of platforms, or to accept a list of platforms from a file, and then process the list in a loop. Or consider running this script on the client and using the '-action silentinstall' option of the Get-Softpaq function. Another option is to download everything to a network share and let SSM figure out what is needed for each particular client.
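One way to do the platform loop suggested above, as an added example that is not part of the original post or HP's code. It assumes the script above is saved as GetSoftpaqsFromBulletin.ps1 in the current directory; the variable names, the Status values and the platform id 0000 are constructed for illustration.

```powershell
# Added example: run the page's script for several platforms and report,
# per platform, whether the bulletin names a softpaq for it.
$bulletin  = 'c06330149'        # bulletin number used in the post
$platforms = @('8100', '0000')  # 8100 is from the post; 0000 is a constructed placeholder

# Helper (hypothetical name) that builds one uniform report row
function New-ReportRow($Platform, $Status, $Softpaq) {
    [pscustomobject]@{
        Platform = $Platform
        Status   = $Status
        Id       = $Softpaq.Id
        Name     = $Softpaq.Name
        Version  = $Softpaq.Version
    }
}

$report = foreach ($id in $platforms) {
    # Same constraint as the script's [ValidatePattern] on -platform,
    # checked here so one bad entry does not stop the whole run
    if ($id -notmatch '^[a-fA-F0-9]{4}$') {
        New-ReportRow $id 'InvalidId' $null
        continue
    }
    try {
        $hits = @(& .\GetSoftpaqsFromBulletin.ps1 -bulletin $bulletin -platform $id -ErrorAction Stop)
    }
    catch {
        # Record the failure (for example a lookup error) and move on
        New-ReportRow $id "Error: $($_.Exception.Message)" $null
        continue
    }
    if ($hits.Count -eq 0) {
        # The script ran, but none of the bulletin's softpaqs is in this
        # platform's list; this row needs a manual look at the bulletin
        New-ReportRow $id 'NoMatch' $null
        continue
    }
    foreach ($sp in $hits) {
        New-ReportRow $id 'Match' $sp
    }
}

$report | Format-Table -AutoSize
```

Rows with a Status other than Match are the ones to follow up on by hand, since an empty result from the script on its own does not say whether the platform is unaffected or the lookup failed.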

Summary image credit Gnist Design, Tromsø, Norway, via pexels.com

Author : txvalp