Lightweight tool for re-prioritizing vulnerability findings
Repository layout: benchmark, examples, src-exec, src, test, .dockerignore, .gitignore, .travis.yml, Dockerfile, Dockerfile.test, LICENSE, README.md, Setup.hs, avus.cabal


AVUS tool


AVUS re-evaluates a list of vulnerability findings. It provides the basic infrastructure for

  1. reading a report (in CSV format, produced by other tools; see below),
  2. re-evaluating the severity score of each finding by calling out to user-provided functions that may modify the parameters of the rating (CVSS v2), and
  3. outputting the resulting list.

               +---+
               | ? |
               +-+-+
                 |
                 v
+-----+      +-------+     +-----+
| CSV | -->  | AVUS  | --> | CSV |
+-----+      +-------+     +-----+

The point is that anything can fill the place of the question mark, i.e. decide how findings are evaluated. A basic, static example is given in examples/avus.hs, where the parameters of both the base and environmental CVSS scoring are derived from a simple security concept.

The plug-in mechanism behind this is Config.Dyre (see src/Avus.hs), which rebuilds the executable against the user's configuration module, so the evaluation functions are ordinary Haskell code rather than a configuration file.

AVUS also ships a static mapping from CWE IDs (as read from the findings CSV) to partial/complete CVSS impacts (src/Avus/CWE.hs; TODO: autogenerate it).
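The pipeline above (CSV in, a user-supplied evaluation in the question-mark box, CSV out), as an added example in Python rather than the project's own Haskell: CVSS v2 base and environmental scoring with the weights from the CVSS v2.0 specification, a CWE-to-impact table, and a pluggable evaluation function that derives the rating parameters from a small asset register. The CWE table, the asset register, the CSV columns and the function names are constructed for this example and are not those of AVUS, ThreadFix or src/Avus/CWE.hs.

```python
"""Added example (not AVUS's own code): CSV -> user-supplied evaluation -> CSV,
with CVSS v2 base and environmental scoring. All tables below except the CVSS
weights are constructed for illustration."""
import csv
import io
import math

# CVSS v2 metric weights, as given in the CVSS v2.0 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}           # access vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}            # access complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}           # authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}          # conf / integ / avail impact
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}  # CR / IR / AR

# Constructed CWE -> (C, I, A) impact mapping; illustrative, not src/Avus/CWE.hs.
CWE_IMPACTS = {"89": ("P", "P", "P"), "79": ("P", "P", "N"),
               "22": ("P", "N", "N"), "400": ("N", "N", "P")}

# Constructed "security concept": where each asset sits and what it needs protected.
ASSETS = {
    "payment-api":   {"av": "N", "au": "S", "cdp": "MH", "cr": "H", "ir": "H", "ar": "M"},
    "intranet-wiki": {"av": "A", "au": "S", "cdp": "L",  "cr": "M", "ir": "L", "ar": "L"},
}


def round1(x):
    """CVSS v2 rounds half up to one decimal; Python's round() is banker's rounding."""
    return math.floor(x * 10 + 0.5 + 1e-9) / 10


def impact(c, i, a, cr=1.0, ir=1.0, ar=1.0):
    """Impact sub-score; with requirement weights this is the environmental AdjustedImpact."""
    return min(10.0, 10.41 * (1 - (1 - CIA[c] * cr) * (1 - CIA[i] * ir) * (1 - CIA[a] * ar)))


def base_score(av, ac, au, c, i, a, imp=None):
    """CVSS v2 base score (AdjustedBase when an adjusted impact is passed in)."""
    imp = impact(c, i, a) if imp is None else imp
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    f = 0.0 if imp == 0 else 1.176
    return round1((0.6 * imp + 0.4 * exploitability - 1.5) * f)


def environmental_score(av, ac, au, c, i, a, cdp, td, cr, ir, ar):
    """Environmental score; temporal metrics are left at ND (factor 1.0)."""
    adjusted = base_score(av, ac, au, c, i, a,
                          imp=impact(c, i, a, REQ[cr], REQ[ir], REQ[ar]))
    return round1((adjusted + (10 - adjusted) * CDP[cdp]) * TD[td])


def simple_concept(row, cia):
    """The user-provided '?' function: decides every rating parameter for one finding."""
    asset = ASSETS[row["component"]]
    c, i, a = cia                      # a policy may also override the CWE-derived impacts
    return {"av": asset["av"], "ac": "L", "au": asset["au"], "c": c, "i": i, "a": a,
            "cdp": asset["cdp"], "td": "H", "cr": asset["cr"], "ir": asset["ir"], "ar": asset["ar"]}


def reprioritize(csv_text, evaluate, cwe_impacts=CWE_IMPACTS):
    """Read a findings CSV, rescore every row with a mapped CWE, return (rows, csv_out)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        cia = cwe_impacts.get(row["cwe"])
        if cia is None:                # no CWE id (or one we cannot map): pass through unchanged
            row["base_score"] = row["env_score"] = ""
            continue
        p = evaluate(row, cia)
        row["base_score"] = f"{base_score(p['av'], p['ac'], p['au'], p['c'], p['i'], p['a']):.1f}"
        row["env_score"] = f"{environmental_score(p['av'], p['ac'], p['au'], p['c'], p['i'], p['a'], p['cdp'], p['td'], p['cr'], p['ir'], p['ar']):.1f}"
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0]) if rows else [])
    writer.writeheader()
    writer.writerows(rows)
    return rows, out.getvalue()


# Constructed input; the columns do not follow the ThreadFix export layout.
SAMPLE_CSV = """id,cwe,component,severity
1,89,payment-api,Medium
2,79,intranet-wiki,High
3,,payment-api,Low
"""

if __name__ == "__main__":
    print(reprioritize(SAMPLE_CSV, simple_concept)[1])
```

With the constructed register, the SQL injection the scanner rated "Medium" lands at an environmental score of 8.5 on the Internet-facing payment API, while the "High" cross-site scripting on the intranet wiki drops to 4.1; the finding without a CWE keeps its original columns and gets no score, as the README describes. Swapping `simple_concept` for another function is the whole customisation surface, which is the role the question-mark box plays in AVUS.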

Usage

Usage: avus [OPTION...] [FILE]
  -V        --version     show version information
  -o[FILE]  --out[=FILE]  output to FILE (defaults to stdout)

Supported report types

As of now, only CSV input created with the ThreadFix CLI importer is supported, and the file must be preprocessed first (see examples/prep.awk). The rare entries without a CWE ID are passed through unchanged.

Concepts and rationale of AVUS are documented in the following publication:

S. Renatus, C. Bartelheimer, and J. Eichler. Improving prioritization of software weaknesses using security models with AVUS, Source Code Analysis and Manipulation (SCAM 2015), to be published.

AVUS is copyright © 2015 Fraunhofer AISEC, and released to the public under the terms of the MIT license.
