<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: zynovex-support</title>
    <description>The latest articles on DEV Community by zynovex-support (@zynovex).</description>
    <link>https://dev.to/zynovex</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3988072%2Fc39c1cbb-8483-4eb9-ac7e-d20b33725e87.png</url>
      <title>DEV Community: zynovex-support</title>
      <link>https://dev.to/zynovex</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/zynovex"/>
    <language>en</language>
    <item>
      <title>vrp-ir 0.9.0: a line-cited security audit for Huawei VRP/USG configs</title>
      <dc:creator>zynovex-support</dc:creator>
      <pubDate>Thu, 25 Jun 2026 15:17:55 +0000</pubDate>
      <link>https://dev.to/zynovex/vrp-ir-090-a-line-cited-security-audit-for-huawei-vrpusg-configs-1o1c</link>
      <guid>https://dev.to/zynovex/vrp-ir-090-a-line-cited-security-audit-for-huawei-vrpusg-configs-1o1c</guid>
      <description>&lt;p&gt;If you do acceptance or audit work on Huawei gear, you've hit this wall:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Batfish&lt;/strong&gt; explicitly marks Huawei &lt;strong&gt;VRP as unsupported&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;ntc-templates&lt;/strong&gt; parses &lt;code&gt;display&lt;/code&gt; show-commands, not config files.&lt;/li&gt;
&lt;li&gt;So you're back to &lt;code&gt;grep&lt;/code&gt; + screenshots over &lt;code&gt;display current-configuration&lt;/code&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://github.com/zynovexllc/vrp-ir" rel="noopener noreferrer"&gt;&lt;code&gt;vrp-ir&lt;/code&gt;&lt;/a&gt; fills exactly that gap, and &lt;strong&gt;0.9.0&lt;/strong&gt; is out.&lt;/p&gt;

&lt;h2&gt;
  
  
  What it does
&lt;/h2&gt;

&lt;p&gt;It parses an &lt;strong&gt;offline&lt;/strong&gt; Huawei VRP/USG config into a typed model where &lt;strong&gt;every value carries a &lt;code&gt;SourceRef&lt;/code&gt; back to its exact &lt;code&gt;file:line&lt;/code&gt;&lt;/strong&gt; — then turns that into a &lt;strong&gt;security acceptance audit&lt;/strong&gt; where every finding cites the line it's based on.&lt;/p&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;pip install vrp-ir&lt;br&gt;
vrp-ir audit firewall.cfg            # Markdown report, every finding line-cited&lt;br&gt;
vrp-ir audit firewall.cfg --strict   # exit 1 on FAIL -&amp;gt; drop it in CI&lt;br&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;
&lt;h2&gt;
&lt;br&gt;
  &lt;br&gt;
  &lt;br&gt;
  New in 0.9.0&lt;br&gt;
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;SARIF + JUnit output&lt;/strong&gt; — pipe the audit into GitHub/GitLab code scanning or a CI gate. A permit-any rule or cleartext Telnet now fails the build &lt;em&gt;with the line&lt;/em&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;SNMPv3 checks&lt;/strong&gt; (+ 16 others: cleartext mgmt, weak SSH ciphers, missing NTP, default-deny, permit-scope, address-set-resolves-to-any…). &lt;strong&gt;17 checks&lt;/strong&gt; total.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;GB18030 / Chinese configs&lt;/strong&gt; parse cleanly — real-world configs, not just ASCII.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Evidence policy&lt;/strong&gt; — "no source, no claim": a finding never asserts PASS/FAIL without a cited line; coverage gaps are surfaced, not hidden.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Advisory standards mapping&lt;/strong&gt; to common control domains (incl. China's MLPS Level 3/4) — &lt;em&gt;advisory, not a certification&lt;/em&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Zero runtime dependencies. Apache-2.0.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why provenance matters
&lt;/h2&gt;

&lt;p&gt;An audit tool's worst failure is a &lt;strong&gt;wrong&lt;/strong&gt; finding that &lt;em&gt;looks&lt;/em&gt; authoritative. So vrp-ir's rule is the opposite of most linters: if it can't trace a fact to a source line, it says so (&lt;code&gt;UNCHECKED&lt;/code&gt;) rather than bluffing a pass.&lt;/p&gt;

&lt;p&gt;It's the open core of &lt;strong&gt;AegisTwin&lt;/strong&gt; (acceptance at scale). The single most useful contribution is a real, &lt;strong&gt;de-identified&lt;/strong&gt; config we parse wrong — that's the best possible issue.&lt;/p&gt;

&lt;p&gt;→ &lt;a href="https://github.com/zynovexllc/vrp-ir" rel="noopener noreferrer"&gt;https://github.com/zynovexllc/vrp-ir&lt;/a&gt;&lt;/p&gt;

</description>
      <category>networking</category>
      <category>security</category>
      <category>python</category>
      <category>opensource</category>
    </item>
    <item>
      <title>Batfish marks Huawei VRP as unsupported — so I built a source-traceable IR for it</title>
      <dc:creator>zynovex-support</dc:creator>
      <pubDate>Wed, 17 Jun 2026 01:06:47 +0000</pubDate>
      <link>https://dev.to/zynovex/batfish-marks-huawei-vrp-as-unsupported-so-i-built-a-source-traceable-ir-for-it-fh0</link>
      <guid>https://dev.to/zynovex/batfish-marks-huawei-vrp-as-unsupported-so-i-built-a-source-traceable-ir-for-it-fh0</guid>
      <description>&lt;p&gt;If you do network automation, you reach for &lt;a href="https://github.com/batfish/batfish" rel="noopener noreferrer"&gt;Batfish&lt;/a&gt;. And if you've ever pointed it at a Huawei box, you've hit the wall: Batfish's own source marks Huawei &lt;strong&gt;VRP&lt;/strong&gt; as &lt;code&gt;UNSUPPORTED&lt;/code&gt;. &lt;code&gt;ntc-templates&lt;/code&gt; helps, but only for &lt;code&gt;display&lt;/code&gt; &lt;em&gt;show-command&lt;/em&gt; output — there's no open parser for the saved &lt;code&gt;display current-configuration&lt;/code&gt; file. And &lt;code&gt;ciscoconfparse2&lt;/code&gt; is Cisco-shaped and only gives you an integer line number, not field-level provenance.&lt;/p&gt;

&lt;p&gt;So for anyone doing Huawei &lt;strong&gt;acceptance / audit&lt;/strong&gt; work, a basic capability was just missing: turn a saved config into a structured model you can reason about, where you can always trace a value back to the exact line it came from.&lt;/p&gt;

&lt;p&gt;That's the gap &lt;a href="https://github.com/zynovexllc/vrp-ir" rel="noopener noreferrer"&gt;&lt;code&gt;vrp-ir&lt;/code&gt;&lt;/a&gt; fills.&lt;/p&gt;

&lt;h2&gt;
  
  
  Provenance is the whole point
&lt;/h2&gt;

&lt;p&gt;&lt;code&gt;vrp-ir&lt;/code&gt; parses a Huawei VRP/USG config into a typed model where &lt;strong&gt;every parsed value carries a &lt;code&gt;SourceRef&lt;/code&gt; back to its &lt;code&gt;file:line&lt;/code&gt;&lt;/strong&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;vrp_ir&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;parse_file&lt;/span&gt;

&lt;span class="n"&gt;cfg&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;parse_file&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;edge-fw.cfg&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="n"&gt;ip&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;cfg&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;interfaces&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;].&lt;/span&gt;&lt;span class="n"&gt;ipv4&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;
&lt;span class="nf"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ip&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;address&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;value&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;ip&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;prefix_length&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;value&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;  &lt;span class="c1"&gt;# 10.10.10.1 24
&lt;/span&gt;&lt;span class="nf"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ip&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;address&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;source&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;                          &lt;span class="c1"&gt;# edge-fw.cfg:11  &amp;lt;- provenance
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;When a value looks wrong, you jump straight to the line — you don't grep the raw config. That sounds small until you're reviewing a 4,000-line firewall dump and every claim in your report needs to be defensible.&lt;/p&gt;

&lt;h2&gt;
  
  
  From IR to a line-cited security audit
&lt;/h2&gt;

&lt;p&gt;Provenance pays off the moment you turn the IR into findings. &lt;code&gt;vrp-ir audit&lt;/code&gt; runs 13 security acceptance checks, and &lt;strong&gt;every finding cites the exact config line&lt;/strong&gt; it's based on:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ vrp-ir audit edge-fw.cfg
### FW-DEFAULT-DENY [CRITICAL] — default action denies unmatched traffic
Default action is 'permit': all traffic matching no rule is allowed.
Evidence:
- edge-fw.cfg:14 — default action permit
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;The checks cover the boring-but-deadly stuff: permit-any rules, a non-default permit default action, cleartext management (Telnet/HTTP), VTY accepting Telnet or missing an inbound ACL, weak SSH ciphers (CBC/3DES/DES), local AAA users with Telnet, address-sets that resolve to &lt;code&gt;0.0.0.0/0&lt;/code&gt;, and HRP consistency.&lt;/p&gt;

&lt;p&gt;And because &lt;code&gt;--strict&lt;/code&gt; exits non-zero on any failure, it drops straight into CI as an acceptance gate:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ vrp-ir audit edge-fw.cfg --strict || echo "acceptance failed"
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;No more "the report says it's fine" with nothing to point at — each line of the report points at a line of the config.&lt;/p&gt;

&lt;h2&gt;
  
  
  Design choices
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Zero-dependency core&lt;/strong&gt;, Python 3.9+, &lt;code&gt;pip install vrp-ir&lt;/code&gt;. Easy to embed.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Reuse, don't reinvent.&lt;/strong&gt; It complements &lt;code&gt;ntc-templates&lt;/code&gt; (show-command parsing), &lt;code&gt;napalm&lt;/code&gt; (live collection) and Batfish (multi-vendor analysis) — it doesn't try to replace them.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;No garbage facts.&lt;/strong&gt; If a value can't be parsed cleanly, it's skipped rather than surfaced wrong. Provenance or nothing.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Where it's going — and how to help
&lt;/h2&gt;

&lt;p&gt;It's &lt;code&gt;v0.6&lt;/code&gt; / alpha and moving fast. Next up: SNMP communities, NTP/Syslog presence, &lt;code&gt;vsys&lt;/code&gt;, and a wider real-world test corpus. The best contributions are &lt;strong&gt;real, de-identified configs it parses wrong&lt;/strong&gt; — those become the best issues. There are a handful of &lt;code&gt;good first issue&lt;/code&gt;s open right now (parsing SNMP/NTP/syslog with provenance) if you want a gentle on-ramp.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;vrp-ir&lt;/code&gt; is Apache-2.0 and stays that way. It's the open core of AegisTwin, a Huawei security-acceptance workbench I'm building — but the parser and the audit are useful on their own today.&lt;/p&gt;

&lt;p&gt;→ Repo + 30-second demo: &lt;a href="https://github.com/zynovexllc/vrp-ir" rel="noopener noreferrer"&gt;https://github.com/zynovexllc/vrp-ir&lt;/a&gt;&lt;/p&gt;

</description>
      <category>networking</category>
      <category>python</category>
      <category>security</category>
      <category>opensource</category>
    </item>
  </channel>
</rss>
