CVE feed synchronization to issue management system
blacklist Forgot extra import... Dec 28, 2014
main Blacklisting capability Dec 28, 2014
nvd Initial commit Dec 25, 2014
selinux Initial commit Dec 25, 2014
tracker RT's ticket/edit fails to react to Text, adding as updates as comments Dec 28, 2014
util RT's ticket/edit fails to react to Text, adding as updates as comments Dec 28, 2014
.gitignore
LICENSE Initial commit Dec 25, 2014
Makefile Blacklisting capability Dec 28, 2014
README.md Comment about Jira Automation Plugin Dec 28, 2014
blacklist.txt Blacklisting capability Dec 28, 2014
ca.crt Initial commit Dec 25, 2014
cvesync.sqlite Initial commit Dec 25, 2014
cwec_v2.8.xml Initial commit Dec 25, 2014
jira.json TLS support for both RT and Jira Dec 28, 2014
jira.png Initial commit Dec 25, 2014
jira.templ Initial commit Dec 25, 2014
rt.json TLS support for both RT and Jira Dec 28, 2014
rt.png Basic support for RT Dec 27, 2014
rt.templ Cleanups Dec 28, 2014
settings.json Blacklisting capability Dec 28, 2014

README.md

Cvesync

Introduction

Accidentally overlooking a known vulnerability or exposure can have serious consequences, yet tracking CVEs reliably takes a lot of work. Cvesync helps with that by synchronizing new CVEs into an issue management system, where the system's own workflow can then drive analysis, mitigation, and patching.

By default cvesync reads the Modified feed published by NVD and files the entries into either Jira or RT. The result looks something like the jira.png and rt.png screenshots in the repository.

Installation

The following prerequisites should be met:

  • Golang 1.3+
  • sqlite3
  • go-sqlite3 (github.com/mattn/go-sqlite3)
  • blackjack/syslog (github.com/blackjack/syslog)
  • Jira or RT

Cvesync can be built and installed with make:

go get github.com/mikkolehtisalo/cvesync
...
make
sudo make install

Configuration

The common options are in /opt/cvesync/etc/settings.json:

{
    "CAKeyFile": "/opt/cvesync/etc/ca.crt",
    "BlackList": "/opt/cvesync/etc/blacklist.txt",
    "FeedURL": "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz",
    "CWEfile": "/opt/cvesync/etc/cwec_v2.8.xml",
    "DBFile": "/opt/cvesync/var/cvesync.sqlite"
}

CAKeyFile points to the CA certificate chain used to validate the NVD server's TLS certificate (despite the name, the file holds certificates, not a key). Before running cvesync, verify that the chain actually issues the certificate presented by nvd.nist.gov and that the feed URL is still valid: NVD has since retired its XML 2.0 feeds, so the URL shown above will need to be replaced with a current feed.

Jira

Jira-specific options are in /opt/cvesync/etc/jira.json:

{
    "BaseURL": "http://dev.localdomain:8080",
    "CAFile": "/opt/cvesync/etc/ca.crt",
    "Username": "admin",
    "Password": "password",
    "Project": "10000",
    "Issuetype": "10000",
    "TemplateFile": "/opt/cvesync/etc/jira.templ", 
    "HighPriority": "2",
    "MediumPriority": "3",
    "LowPriority": "4"
}

It is recommended that you create a separate user, project, priorities, and issue type in Jira for cvesync. The user only needs rights to create and comment on issues in that project, and because its password is stored in cleartext in jira.json, keep that file readable only by the account cvesync runs as (the admin/password values above are placeholders). Also evaluate different workflows for the vulnerability issue type, and make sure the description field renderer is set to Wiki Style Renderer rather than Default Text Renderer.

If BaseURL starts with https, the server's certificate is checked against the CA certificates supplied in CAFile. With a plain http BaseURL, as in the example above, the username and password are sent in cleartext, so use https for anything beyond a local test instance.

RT

In order to synchronize to RT, you have to switch the tracker from Jira to RT by modifying main.go before building and installing the application:

func main() {
    // ...
    //ts := tracker.Jira{}
    ts := tracker.RT{}
}

RT-specific options are in /opt/cvesync/etc/rt.json:

{
    "BaseURL": "http://dev.localdomain",
    "CAFile": "/opt/cvesync/etc/ca.crt",
    "Username": "root",
    "Password": "password",
    "Queue": "3",
    "TemplateFile": "/opt/cvesync/etc/rt.templ",
    "HighPriority": "100",
    "MediumPriority": "50",
    "LowPriority": "10"
}

If BaseURL starts with https, the server's certificate is checked against the CA certificates supplied in CAFile. As with Jira, the root/password credentials in the example are placeholders: create a dedicated RT user whose rights are limited to the target queue, keep rt.json readable only by the account cvesync runs as, and use https so that the credentials are not sent in cleartext.

Blacklisting

To cut down on unwanted noise, CVEs can be blacklisted by product (CPE) string. Add the strings to /opt/cvesync/etc/blacklist.txt, one per line. For example, to suppress all CVEs affecting IBM's Java SDK:

:ibm:java_sdk:

That pattern would match, for example, "cpe:/a:ibm:java_sdk:6.0.11.0::~~technology~~", and the CVE would not be synchronized. Since the pattern is matched as a substring of the CPE string, keep the surrounding colons: "ibm:java_sdk" on its own would also suppress any product whose name merely begins with java_sdk.

For more information on product strings, see the Official Common Platform Enumeration (CPE) Dictionary.
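The following is an added example of the blacklist matching described above, written for this page and not taken from cvesync's own code. It reads a blacklist.txt-style list and checks a CVE's vulnerable-product CPE strings against it by substring match, which is how the README's example reads. The '#' comment syntax, the CVE labels and all CPE strings except the README's own are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// LoadBlacklist reads patterns from blacklist.txt-style input, one per
// line. Blank lines and lines starting with '#' are skipped; that comment
// syntax is an assumption of this example, not something the README promises.
func LoadBlacklist(r io.Reader) ([]string, error) {
	var patterns []string
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		patterns = append(patterns, line)
	}
	return patterns, sc.Err()
}

// Blacklisted reports whether any of a CVE's vulnerable-product CPE strings
// contains one of the patterns, and returns the first pattern that hit.
// Plain substring matching is used, which is why the colons around
// ":ibm:java_sdk:" matter: they stop the pattern from matching products
// whose name merely starts with java_sdk.
func Blacklisted(products, patterns []string) (bool, string) {
	for _, cpe := range products {
		for _, pat := range patterns {
			if strings.Contains(cpe, pat) {
				return true, pat
			}
		}
	}
	return false, ""
}

// sampleBlacklist is a constructed blacklist.txt for the example.
const sampleBlacklist = `# constructed example list
:ibm:java_sdk:

:example:legacy_product:
`

// Constructed CPE strings keyed by made-up labels; only the first CPE is the
// one quoted in the README.
var sampleCVEs = map[string][]string{
	"CVE-A": {"cpe:/a:ibm:java_sdk:6.0.11.0::~~technology~~"},
	"CVE-B": {"cpe:/a:ibm:java_sdk_hypothetical:1.0"}, // hypothetical product name
	"CVE-C": {"cpe:/a:ibm:java_sdk"},                  // version-less CPE: no trailing colon
	"CVE-D": {"cpe:/o:example:os:2.0", "cpe:/a:example:legacy_product:3"},
}

func main() {
	patterns, err := LoadBlacklist(strings.NewReader(sampleBlacklist))
	if err != nil {
		panic(err)
	}
	for _, id := range []string{"CVE-A", "CVE-B", "CVE-C", "CVE-D"} {
		hit, pat := Blacklisted(sampleCVEs[id], patterns)
		if hit {
			fmt.Printf("%s: suppressed by %q\n", id, pat)
		} else {
			fmt.Printf("%s: would be synchronized\n", id)
		}
	}
}
```

The CVE-C case is the caveat worth knowing: a CPE 2.2 URI may omit its version component entirely, and such a string has no trailing colon, so the colon-delimited pattern does not suppress it. If that is not what you want, add a second pattern without the trailing colon and accept the broader match, or switch to a matcher that splits the CPE on ':' and compares the vendor and product fields exactly.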

SELinux

A simple SELinux policy is included. To install it, use make:

sudo make selinux

Running

NVD's CVE feeds are updated at most once every two hours. Running cvesync once a day via cron is usually sufficient, for example:

0 5 * * * /opt/cvesync/bin/cvesync

Notes

  • NVD recommends classifying CVEs on a Low-Medium-High scale by CVSS v2 base score: 7.0-10.0 is High, 4.0-6.9 is Medium, and 0-3.9 is Low.
  • The CWE XML can be downloaded from http://cwe.mitre.org/data/index.html#downloads. It does not change very often.
  • There is an interface (Tracker) for implementing other issue management systems.
  • Logging goes to the syslog facility DAEMON. When an error cannot be meaningfully recovered from, the application panics.
  • If you need more complex logic for handling incoming CVEs, take a look at the JIRA Automation Plugin.
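As an added example (written for this page, not cvesync's own code), the following parses a feed in the NVD 2.0 XML layout and buckets each entry into the Low/Medium/High scale from the Notes above, mapping the bucket onto the HighPriority/MediumPriority/LowPriority values from jira.json. The embedded feed excerpt, its CVE IDs, scores and products are constructed; the element names follow the nvdcve-2.0 schema, and the decision to file an entry NVD has not scored yet at the High priority is this example's choice, not the project's.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"os"
	"strings"
)

// Entry holds the parts of an NVD 2.0 XML feed entry that a ticket needs.
// The struct tags give local element names only; Go's encoding/xml then
// matches the vuln:/cvss: prefixed elements in the feed without the
// namespace URIs having to be spelled out.
type Entry struct {
	ID       string   `xml:"id,attr"`
	Summary  string   `xml:"summary"`
	Products []string `xml:"vulnerable-software-list>product"`
	CWE      struct {
		ID string `xml:"id,attr"`
	} `xml:"cwe"`
	// Pointer so that an entry NVD has not scored yet (common in the
	// Modified feed) decodes as nil rather than as a score of 0.0.
	Score *float64 `xml:"cvss>base_metrics>score"`
}

// Feed is the document root of the 2.0 feed.
type Feed struct {
	XMLName xml.Name `xml:"nvd"`
	Entries []Entry  `xml:"entry"`
}

// ParseFeed decodes an uncompressed 2.0 feed. The published feed is
// gzipped, so wrap the reader with compress/gzip before calling this.
func ParseFeed(r io.Reader) (*Feed, error) {
	var f Feed
	if err := xml.NewDecoder(r).Decode(&f); err != nil {
		return nil, fmt.Errorf("decoding NVD feed: %w", err)
	}
	return &f, nil
}

// Severity buckets a CVSS v2 base score as the Notes describe:
// 7.0-10.0 High, 4.0-6.9 Medium, 0-3.9 Low. An unscored entry is
// reported as such instead of being silently filed as Low.
func Severity(score *float64) string {
	switch {
	case score == nil:
		return "Unscored"
	case *score >= 7.0:
		return "High"
	case *score >= 4.0:
		return "Medium"
	default:
		return "Low"
	}
}

// PriorityID picks the tracker priority ID configured for a severity.
// Unscored entries go to the High priority so that they get looked at
// rather than dropped; that is this example's choice, not cvesync's.
func PriorityID(sev, high, medium, low string) string {
	switch sev {
	case "High", "Unscored":
		return high
	case "Medium":
		return medium
	default:
		return low
	}
}

// sampleFeed is a constructed excerpt in the NVD 2.0 layout; the IDs,
// scores, products and summaries are made up for the example.
const sampleFeed = `<?xml version="1.0" encoding="UTF-8"?>
<nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
     xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4"
     xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2">
  <entry id="CVE-2014-0001">
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/a:example:webapp:1.0</vuln:product>
    </vuln:vulnerable-software-list>
    <vuln:cvss><cvss:base_metrics><cvss:score>7.5</cvss:score></cvss:base_metrics></vuln:cvss>
    <vuln:cwe id="CWE-79"/>
    <vuln:summary>Constructed: XSS in example webapp.</vuln:summary>
  </entry>
  <entry id="CVE-2014-0002">
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/a:ibm:java_sdk:6.0.11.0::~~technology~~</vuln:product>
    </vuln:vulnerable-software-list>
    <vuln:cvss><cvss:base_metrics><cvss:score>4.0</cvss:score></cvss:base_metrics></vuln:cvss>
    <vuln:summary>Constructed: medium issue.</vuln:summary>
  </entry>
  <entry id="CVE-2014-0003">
    <vuln:summary>Constructed: not yet scored by NVD.</vuln:summary>
  </entry>
</nvd>`

func main() {
	feed, err := ParseFeed(strings.NewReader(sampleFeed))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, e := range feed.Entries {
		sev := Severity(e.Score)
		// "2", "3", "4" are the HighPriority/MediumPriority/LowPriority values from jira.json.
		fmt.Printf("%s %-8s priority=%s cwe=%q products=%d\n",
			e.ID, sev, PriorityID(sev, "2", "3", "4"), e.CWE.ID, len(e.Products))
	}
}
```

Unscored entries are the edge case to watch in the Modified feed: an entry that appears before NVD has analysed it carries no cvss block at all, and a parser that decodes the score into a plain float64 sees 0.0 and files it as Low. Decoding into a pointer keeps that distinction visible so the ticketing policy for such entries is an explicit decision.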