This tool re-evaluates a list of vulnerability findings. It does that by providing the basic infrastructure for
- reading a report (in CSV format, as produced by other tools, see below),
- re-evaluating each finding's severity score by calling out to user-provided functions that can modify the parameters of the rating (using CVSS v2), and
- outputting the resulting list.
              +---+
              | ? |
              +-+-+
                |
                v
+-----+     +-------+     +-----+
| CSV | --> | AVUS  | --> | CSV |
+-----+     +-------+     +-----+
The knack is that anything can fill the place of the question mark, i.e., anything can change how findings are evaluated. A basic, static example is given in examples/avus.hs, where the parameters of both the base and the environmental CVSS scoring are determined using a simple security concept. The mechanism used for this feature is provided by Config.Dyre (see src/Avus.hs). Furthermore, AVUS includes a static mapping of CWE IDs (as read from the findings CSV) to partial/complete impacts (in src/Avus/CWE.hs, TODO: autogenerate).
Usage: avus [OPTION...] [FILE]
-V --version show version information
-o[FILE] --out[=FILE] output to FILE (defaults to stdout)
As of now, only the CSV input created by ThreadFix's CLI importer is supported. Furthermore, the CSV file needs to be preprocessed (see examples/prep.awk).
The rare entries without a CWE ID are passed through unchanged.
Concepts and rationale of AVUS are documented in the following publication:
S. Renatus, C. Bartelheimer, and J. Eichler. Improving prioritization of software weaknesses using security models with AVUS, Source Code Analysis and Manipulation (SCAM 2015), to be published.
AVUS is copyright © 2015 Fraunhofer AISEC, and released to the public under the terms of the MIT license.