OVVL Server provides the OVVL Frontend with the required data and includes a product (CPE) and vulnerability (CVE) API which can be used for external use cases. OVVL is developed at the University of Applied Sciences Offenburg and is part of the BMBF KMU-Innovation Project "CloudProtect" (Förderkennzeichen 16KIS0850).
Threats were created with the "Elevation of Privilege Card Game" from Microsoft. The game is licensed under the Creative Commons Attribution 3.0 United States License.
Build the server using Gradle.
gradle clean build
Then run it:
You can also run the server using Docker, but make sure to set up a network bridge with your MongoDB.
docker build --build-arg mongoConnection=$MONGODB_CONNECTION --build-arg jwtSecret=$OVVL_JWT_SECRET --build-arg supportMail=$SUPPORT_MAIL_SENDER --build-arg supportMailPW=$SUPPORT_MAIL_SENDER_PW --build-arg supportMailReceiver=$SUPPORT_MAIL_RECEIVER -t ovvl-docker .
The following environment variables have to be set in order for the server to run correctly.
MONGODB_CONNECTION - The URI for the MongoDB connection. E.g. mongodb://ovvl-mongo:27017/ovvl-db
OVVL_JWT_SECRET - The secret for the JSON Web Token generation.
SUPPORT_MAIL_SENDER - The mail address used to send support mails.
SUPPORT_MAIL_SENDER_PW - The password of that mail address.
SUPPORT_MAIL_RECEIVER - The mail address receiving the support mails.
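A preflight check for the variables listed above, as an added example that is not part of the OVVL project. The function name check_ovvl_env, the --check switch and the 32-character minimum for the JWT secret are assumptions of this example.

```shell
#!/bin/sh
# Preflight check for the five variables the OVVL Server README lists.
# Constructed example; MIN_JWT_SECRET_LEN is this example's assumption
# (32 bytes = HMAC-SHA256 key size), not a value stated by the project.
MIN_JWT_SECRET_LEN=32

# Prints one line per problem to stderr; returns 0 if none, 1 otherwise.
check_ovvl_env() {
    problems=0
    fail() { echo "ovvl-env: $1" >&2; problems=$((problems + 1)); }

    for name in MONGODB_CONNECTION OVVL_JWT_SECRET SUPPORT_MAIL_SENDER \
                SUPPORT_MAIL_SENDER_PW SUPPORT_MAIL_RECEIVER; do
        eval "value=\${$name-}"
        [ -n "$value" ] || fail "$name is unset or empty"
    done

    # MongoDB connection strings use one of these two URI schemes.
    case "${MONGODB_CONNECTION-}" in
        ''|mongodb://?*|mongodb+srv://?*) ;;
        *) fail "MONGODB_CONNECTION is not a mongodb:// or mongodb+srv:// URI" ;;
    esac

    # Assuming HMAC-signed tokens, a short secret can be guessed offline.
    if [ -n "${OVVL_JWT_SECRET-}" ] &&
       [ "${#OVVL_JWT_SECRET}" -lt "$MIN_JWT_SECRET_LEN" ]; then
        fail "OVVL_JWT_SECRET is shorter than $MIN_JWT_SECRET_LEN characters"
    fi

    # Minimal shape check (local@domain.tld), not full address validation.
    for name in SUPPORT_MAIL_SENDER SUPPORT_MAIL_RECEIVER; do
        eval "value=\${$name-}"
        case "$value" in
            ''|?*@?*.?*) ;;
            *) fail "$name does not look like a mail address" ;;
        esac
    done

    [ "$problems" -eq 0 ]
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1-}" = "--check" ]; then
    check_ovvl_env && echo "ovvl-env: all variables look usable"
    exit $?
fi
```

Run it with --check, or source it and call check_ovvl_env, before the docker build above. Docker documents that --build-arg values can be read back with docker history, so treat the resulting ovvl-docker image as containing these secrets.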
MongoDB and CPE/CVE data
The server requires a MongoDB connection in order to work correctly. If you want to use the CPE and CVE lookup feature, you need to fill the database with the data provided by the NVD (CPE / CVE). Place the unpacked files under src/main/resources and specify the years of the downloaded CVE data in the CVEService under getNVDFileSpecifications(). Once you uncomment the fillDBWith...() function in ThreatServer.java, the files are parsed automatically and loaded into your MongoDB.
Swagger API generation
The API is specified in src/main/resources/swagger with the help of yamlinc. If you want to add to the existing API, specify your requirements following the existing structure and, after building the API documentation with yamlinc, run the gradle generateApi task. Code generated by this method is placed under
When running, the API documentation can be viewed at localhost:8080/swagger-ui.html.
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.