A tiny IRC bot that announces new/updated CVEs
Make sure you have Composer installed. In the project directory, run php composer.phar install to fetch the required dependencies.
Then, copy config.example.ini to config.ini and make sure to edit and set everything in it before running the bot. To run the bot:
$ vendor/bin/phergie
- Why did you write this in PHP? Why not [other language]?
  - We already had great experience with the ProtoIRC framework for our Nagios bot, so continuing to use this framework was a natural choice.
- Why did you use FastFeed instead of [other library]?
  - Because it's very simple and it works effectively.
- Why did you not use [insert coding standard]?
  - Because this is a prototype/proof-of-concept. If you desperately want it to be PSR-4, by all means feel free to do so and submit a pull request.
- Currently the bot polls every half-hour by default for new CVEs, but apparently NIST updates their RSS feed once per day. Due to the throttling implemented, by default the bot will announce 3 CVEs and nothing else. If there are more CVEs, they are ignored. This should be changed so the bot adds them to a buffer that gets announced over time (e.g. one CVE per half-hour).
- The bot currently does not respond to user commands, but it would be useful if it could do so, such as giving some basic information about a CVE when asked (e.g. !cve CVE-2016-4012 will trigger the bot to look up that CVE and provide some basic details and a URL to the NIST page).
- General debugging and tweaking needs to be done to make the bot more robust (e.g. not exiting when it loses connectivity for a long enough time).
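One way the buffer proposed in the throttling item above could work, as an added example that is not the bot's own code. It assumes PHP 8; the class name CveAnnounceBuffer, its methods, the queue cap of 500 and the CVE-2099 ids are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical announce buffer (not part of the bot's code): new CVE ids are
// queued once and released a few per polling tick instead of being dropped.
final class CveAnnounceBuffer
{
    private array $pending = []; // ids waiting to be announced, oldest first
    private array $seen = [];    // ids already queued or announced

    public function __construct(
        private int $perTick = 1,      // announcements released per tick
        private int $maxPending = 500  // cap so a huge feed cannot grow memory unbounded
    ) {}

    /** Queue ids from one feed poll; returns how many were newly queued. */
    public function offer(array $ids): int
    {
        $added = 0;
        foreach ($ids as $id) {
            $id = strtoupper(trim((string) $id));
            // Feed content is untrusted: accept only well-formed, unseen CVE ids.
            if (!preg_match('/^CVE-\d{4}-\d{4,}$/', $id) || isset($this->seen[$id])) {
                continue;
            }
            if (count($this->pending) >= $this->maxPending) {
                break; // leave the rest unseen so a later poll can retry them
            }
            $this->seen[$id] = true;
            $this->pending[] = $id;
            $added++;
        }
        return $added;
    }

    /** Called once per tick: removes and returns the next ids to announce. */
    public function drain(): array
    {
        return array_splice($this->pending, 0, $this->perTick);
    }
}

// Constructed sample: one daily feed update with a duplicate and a malformed entry.
$buffer = new CveAnnounceBuffer(perTick: 1);
$buffer->offer(['CVE-2016-4012', 'CVE-2099-0001', 'CVE-2016-4012', 'bogus', 'CVE-2099-0002']);
for ($tick = 1; $ids = $buffer->drain(); $tick++) {
    echo "tick $tick: " . implode(', ', $ids) . PHP_EOL;
}
```

The seen set lives only in memory here, so a restart would re-announce the current feed unless it is persisted.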
- Version 1.1 - Rewrite using Phergie
- Version 1.0 - Initial release