Chandan edited this page Jul 22, 2019 · 2 revisions

Making the world safer one CVE ID at a time, since 2017.

Introduction

Vulnogram is a tool for creating and editing CVE information in CVE JSON format, and for generating advisories.

The name Vulnogram is inspired by the Greek-origin suffix '-gram', which denotes something written or recorded in a particular way. Vulnerability information recorded in a standard format can be aggregated, curated, disseminated, analysed and remediated more easily, which enables automation and efficiency in response activities.

The Vulnogram project aims to make it easier for vendors and security researchers to accurately record vulnerability information for inclusion in the CVE List.

Architecture

Vulnogram can be deployed in two modes:

  1. standalone (stateless, serverless) mode that consists of static webpages and scripts. This is how it is deployed at https://vulnogram.github.io/
  2. NodeJS server mode, where it acts as a full-fledged JSON schema based issue tracker. Vulnogram can be customized with plugins to track and manage simple workflows for almost anything that can be described by a JSON schema. There are example plugins for tracking contacts, products, emails and incident tickets at Vulnogram plugins.

Vulnogram Architecture

Key features:

  • JSON Schema is the model (as in MVC)
    • GUI editor is generated from a JSON schema
    • JSON schema is used for validation
    • JSON schema is used for autocomplete, suggestions, tips
  • Provides JSON level change tracking (vs text diffs on git)
  • Search, query and commenting capabilities
  • JSON Schemas are highly configurable and extensible
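The two ideas behind the feature list above are that one JSON schema drives both validation and editor suggestions, and that changes are tracked at the JSON level rather than as text diffs. The following is an added example written for this page; it is not Vulnogram's own code. It implements only the subset of JSON Schema the demo needs (type, required, properties, enum, pattern, items, minItems); a real deployment should use a full validator such as Ajv. The schema, the records and the CVE ID in them are constructed placeholders, not the official CVE JSON schema or real CVE entries.

```javascript
// Added example, not Vulnogram's code: one schema used as the model for
// validation, editor autocomplete and JSON-level change tracking.
// Implements only a JSON Schema subset (type, required, properties, enum,
// pattern, items, minItems). Schema and records are constructed placeholders.

const cveSchema = {
  type: "object",
  required: ["data_type", "data_version", "CVE_data_meta", "description"],
  properties: {
    data_type: { type: "string", enum: ["CVE"] },
    data_version: { type: "string", enum: ["4.0"] },
    CVE_data_meta: {
      type: "object", required: ["ID", "ASSIGNER"],
      properties: {
        ID: { type: "string", pattern: "^CVE-[0-9]{4}-[0-9]{4,}$" },
        ASSIGNER: { type: "string", pattern: "^[^@]+@[^@]+$" },
        STATE: { type: "string", enum: ["PUBLIC", "RESERVED", "REJECT"] },
      },
    },
    description: {
      type: "object", required: ["description_data"],
      properties: {
        description_data: {
          type: "array", minItems: 1,
          items: {
            type: "object", required: ["lang", "value"],
            properties: { lang: { type: "string", enum: ["eng"] }, value: { type: "string" } },
          },
        },
      },
    },
  },
};

// Walk a value against a schema node, collecting "path: problem" strings.
function validate(schema, value, path = "$", errors = []) {
  const actual = Array.isArray(value) ? "array" : value === null ? "null" : typeof value;
  if (schema.type && actual !== schema.type) {
    errors.push(`${path}: expected ${schema.type}, got ${actual}`);
    return errors; // do not descend into a value of the wrong type
  }
  if (schema.enum && !schema.enum.includes(value)) {
    errors.push(`${path}: must be one of ${JSON.stringify(schema.enum)}`);
  }
  if (schema.pattern && !new RegExp(schema.pattern).test(value)) {
    errors.push(`${path}: does not match /${schema.pattern}/`);
  }
  if (actual === "object") {
    for (const key of schema.required || []) {
      if (!(key in value)) errors.push(`${path}.${key}: required property missing`);
    }
    for (const [key, sub] of Object.entries(schema.properties || {})) {
      if (key in value) validate(sub, value[key], `${path}.${key}`, errors);
    }
  } else if (actual === "array") {
    if (schema.minItems !== undefined && value.length < schema.minItems) {
      errors.push(`${path}: needs at least ${schema.minItems} item(s)`);
    }
    (schema.items ? value : []).forEach((v, i) => validate(schema.items, v, `${path}[${i}]`, errors));
  }
  return errors;
}

// Resolve a dotted path ("CVE_data_meta.STATE") to its schema node and return
// what an editor could offer there: allowed enum values, or child property names.
function suggest(schema, dottedPath) {
  let node = schema;
  for (const part of dottedPath ? dottedPath.split(".") : []) {
    node = ((node.items || node).properties || {})[part]; // arrays: look inside items
    if (!node) return [];
  }
  return node.enum ? [...node.enum] : Object.keys(node.properties || {});
}

// JSON-level change tracking: report which dotted paths were added, removed
// or changed between two revisions, instead of a line-oriented text diff.
function jsonDiff(before, after, path = "", out = { added: [], removed: [], changed: [] }) {
  const isObj = (v) => v !== null && typeof v === "object";
  if (!isObj(before) || !isObj(after)) {
    if (JSON.stringify(before) !== JSON.stringify(after)) out.changed.push(path);
    return out;
  }
  for (const key of new Set([...Object.keys(before), ...Object.keys(after)])) {
    const p = path ? `${path}.${key}` : key;
    if (!(key in before)) out.added.push(p);
    else if (!(key in after)) out.removed.push(p);
    else jsonDiff(before[key], after[key], p, out);
  }
  return out;
}

// Constructed sample records; the CVE ID is a format placeholder, not a real entry.
const draft = {
  data_type: "CVE", data_version: "4.0",
  CVE_data_meta: { ID: "CVE-2019-0000", ASSIGNER: "cve@example.org", STATE: "RESERVED" },
  description: { description_data: [{ lang: "eng", value: "Reserved." }] },
};
const broken = {
  data_type: "CVE", data_version: "4.0",
  CVE_data_meta: { ID: "CVE-19-1", ASSIGNER: "cve@example.org", STATE: "DRAFT" },
  description: { description_data: [] },
};
const published = JSON.parse(JSON.stringify(draft)); // a later revision of draft
published.CVE_data_meta.STATE = "PUBLIC";
published.description.description_data[0].value = "Example description of the issue.";
published.references = { reference_data: [{ url: "https://example.org/advisory" }] };
```

`validate(cveSchema, draft)` returns no errors, while `validate(cveSchema, broken)` reports the malformed ID, the STATE value outside the enum, and the empty `description_data` array, each with the JSON path at which the editor could highlight the field. `suggest(cveSchema, "CVE_data_meta.STATE")` yields the three allowed states, which is all an autocomplete widget needs from the same schema. `jsonDiff(draft, published)` reports `CVE_data_meta.STATE` and `description.description_data.0.value` as changed and `references` as added, which is the kind of field-level history a reviewer wants when a CVE record moves from RESERVED to PUBLIC.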

What is missing?

Vulnogram currently does not have:

  • RBAC – Role Based Access Control (currently all users have read/write access to every tracked object)
  • LDAP authentication (or Google or Facebook based auth). It currently uses locally created application-level accounts, handled by the Passport.js Node library, which could be configured to support LDAP or any other authentication provider.
  • MongoDB level JSON schema validation
  • JSON field level ACL (access control lists)
  • Object locking for editing
  • Realtime collaborative editing (seeing edits made by others in real time, as in Google Docs).