There is a great start to the database we want to build, called vfeed. It is built in python, so we can access and modify it easily.

We can download some python code which can be used to access the vfeed database from [the vfeed project repository](https://github.com/toolswatch/vFeed)

In [1]:
!git clone https://github.com/toolswatch/vFeed.git

Cloning into 'vFeed'...
remote: Counting objects: 228, done.[K
remote: Total 228 (delta 0), reused 0 (delta 0), pack-reused 228[K
Receiving objects: 100% (228/228), 446.67 KiB | 518.00 KiB/s, done.
Resolving deltas: 100% (109/109), done.
Checking connectivity... done.


To acquire the database, we can use the built-in methods of the vfeed client. Here we're using the ipython built-in [run magic](https://ipython.org/ipython-doc/dev/interactive/magics.html#magic-run)

This might give us an error around the 'exit' condition. Thats ok.

In [2]:
%run -e vfeed/vfeedcli.py update

[info] checking for the latest vfeed.db 
[progress 100 %] receiving 49 out of 49 Bytes of update.dat 
[info] You have the latest vfeed.db vulnerability database
[info] Cleaning compressed database and update file


NameError: global name 'exit' is not defined

We now have the database loaded in our working directory, called `vfeed.db`:

In [5]:
!ls

Step 1 - Load existing Vfeed DB.ipynb vfeed.db
[34mvFeed[m[m


###Explore the existing vfeed database
The database is in [sqlite](https://www.sqlite.org/) format, meaning that we can treat it as a file for purposes of versioning and updating, but query it like a relational database

In [3]:
import sqlite3 
import vfeed.config as config
import pandas as pd

configData = config.database['primary'] 
vfeed_db  = configData['vfeed_db']
conn = sqlite3.connect(vfeed_db)

The database has a bunch of relational tables, the bulk of which map CVEs to various references to them.

In [7]:
pd.read_sql("SELECT * FROM sqlite_master WHERE type='table'", conn)

Unnamed: 0,type,name,tbl_name,rootpage,sql
0,table,nvd_db,nvd_db,2,"CREATE TABLE nvd_db (\ncveid text primary key,..."
1,table,cve_cwe,cve_cwe,4,"CREATE TABLE cve_cwe (\ncweid name,\ncveid te..."
2,table,cwe_db,cwe_db,5,"CREATE TABLE cwe_db (\ncweid name,\ncwetitle n..."
3,table,cwe_category,cwe_category,6,"CREATE TABLE cwe_category (\ncategoryid name,\..."
4,table,cwe_capec,cwe_capec,7,"CREATE TABLE cwe_capec (\ncapecid name,\ncweid..."
5,table,cve_cpe,cve_cpe,8,"CREATE TABLE cve_cpe (\ncpeid name,\ncveid te..."
6,table,cve_reference,cve_reference,9,"CREATE TABLE cve_reference (\nrefsource name,\..."
7,table,map_cve_aixapar,map_cve_aixapar,12,CREATE TABLE map_cve_aixapar (\naixaparid name...
8,table,map_cve_redhat,map_cve_redhat,13,"CREATE TABLE map_cve_redhat (\nredhatid name,\..."
9,table,map_redhat_bugzilla,map_redhat_bugzilla,14,CREATE TABLE map_redhat_bugzilla (\nadvisory_d...


The most basic table is that which lists CVE information from the national vulnerability database

In [8]:
pd.read_sql('SELECT * FROM nvd_db LIMIT 5', conn)

Unnamed: 0,cveid,date_published,date_modified,summary,cvss_base,cvss_impact,cvss_exploit,cvss_access_vector,cvss_access_complexity,cvss_authentication,cvss_confidentiality_impact,cvss_integrity_impact,cvss_availability_impact
0,CVE-2011-1180,2013-06-08T09:05:54.927-04:00,2013-06-10T09:43:42.513-04:00,Multiple stack-based buffer overflows in the i...,7.5,6.4,10.0,network,low,none,partial,partial,partial
1,CVE-2011-1585,2013-06-08T09:05:55.053-04:00,2013-06-10T00:00:00.000-04:00,The cifs_find_smb_ses function in fs/cifs/conn...,3.3,4.9,3.4,local,medium,none,partial,partial,none
2,CVE-2011-2482,2013-06-08T09:05:55.080-04:00,2013-12-30T23:08:15.367-05:00,A certain Red Hat patch to the sctp_sock_migra...,7.8,6.9,10.0,network,low,none,none,none,complete
3,CVE-2011-2693,2013-06-08T09:05:55.107-04:00,2013-06-10T00:00:00.000-04:00,The perf subsystem in the kernel package 2.6.3...,1.9,2.9,3.4,local,medium,none,none,none,partial
4,CVE-2011-2942,2013-06-08T09:05:55.130-04:00,2013-06-10T00:00:00.000-04:00,A certain Red Hat patch to the __br_deliver fu...,6.8,6.4,8.6,network,medium,none,partial,partial,partial


In [11]:
pd.read_sql('SELECT * FROM nvd_db LIMIT 1', conn).iloc[0]

cveid                                                              CVE-2011-1180
date_published                                     2013-06-08T09:05:54.927-04:00
date_modified                                      2013-06-10T09:43:42.513-04:00
summary                        Multiple stack-based buffer overflows in the i...
cvss_base                                                                    7.5
cvss_impact                                                                  6.4
cvss_exploit                                                                10.0
cvss_access_vector                                                       network
cvss_access_complexity                                                       low
cvss_authentication                                                         none
cvss_confidentiality_impact                                              partial
cvss_integrity_impact                                                    partial
cvss_availability_impact    

Another table that we'll make good use of maps CVE numbers to various references to that CVE around the web. If we want to look at all of the microsoft security buletins, for instance, we can filter this table for all of the entries with `refsource = MS`.

In [12]:
pd.read_sql('SELECT * FROM cve_reference LIMIT 10', conn)

Unnamed: 0,refsource,refname,cveid
0,CERT-VN,http://www.kb.cert.org/vuls/id/705004,CVE-2013-3611
1,XF,http://xforce.iss.net/xforce/xfdb/75789,CVE-2012-2951
2,BID,http://www.securityfocus.com/bid/53644,CVE-2012-2951
3,MISC,http://packetstormsecurity.org/files/112947/Pl...,CVE-2012-2951
4,DEBIAN,http://www.debian.org/security/2014/dsa-2895,CVE-2014-2750
5,CONFIRM,http://blog.prosody.im/prosody-0-9-4-released/,CVE-2014-2750
6,MISC,https://drupal.org/node/2076221,CVE-2013-4336
7,CONFIRM,https://drupal.org/node/2075287,CVE-2013-4336
8,MLIST,http://www.openwall.com/lists/oss-security/201...,CVE-2013-4336
9,MS,http://technet.microsoft.com/security/bulletin...,CVE-2014-0235
