Here are my quick notes from the BruCON 2015 conference. All the slides can be found here.
cve-search: free software to collect, search and analyze common vulnerabilities and exposures in software
Some of the goals of the tool:
- do vulnerability searches off-line, against a local copy of the data.
- fast lookup of vulnerabilities on different criteria.
- allow localized classification of vulnerabilities; localization geographically or from the business perspective.
- build new tools based on a local database of software and hardware vulnerabilities.
Some of the components/features of the tool:
- db_updater.py
  - the goal of the script is to fetch vulnerabilities from different data sources.
  - the data sources used are: NIST NVD, D2SEC, Microsoft Bulletin, vFeed.
  - the script can easily be extended to fetch other sources.
- MongoDB
  - is the DB used to store the info.
- search.py
  - used to search for vulnerabilities in the DB.
- web interface
  - you can view and search vulnerabilities
  - color scheme for vulnerabilities
- you can use your own tagging system to weight the critical software/vendors in your constituency.
- you can compute statistics using external tools/languages like R
  ex: search.py -p oracle.....| jq -r '.cvss' | Rscript .........
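The local weighting and statistics steps above, as an added Python example that is not from the talk or the cve-search project. The sample records, CVE ids and vendor weights are constructed, and the `id` and `vulnerable_configuration` field names are assumptions about the JSON output.

```python
import json
import statistics

# Constructed sample records in JSON-lines form, carrying the 'cvss' field used in
# the pipeline above; 'id' and 'vulnerable_configuration' are assumed field names.
SAMPLE = """\
{"id": "CVE-0000-0001", "cvss": 7.5, "vulnerable_configuration": ["cpe:/a:oracle:mysql:5.5"]}
{"id": "CVE-0000-0002", "cvss": 4.3, "vulnerable_configuration": ["cpe:/a:examplevendor:widget:1.0"]}
{"id": "CVE-0000-0003", "cvss": null, "vulnerable_configuration": ["cpe:/o:oracle:solaris:11"]}
{"id": "CVE-0000-0004", "cvss": "10.0", "vulnerable_configuration": ["cpe:2.3:a:examplevendor:widget:2.0:*:*:*:*:*:*:*"]}
"""

# Hypothetical local weights: how critical each vendor is in your constituency.
VENDOR_WEIGHTS = {"oracle": 2.0}
DEFAULT_WEIGHT = 1.0

def cpe_vendor(cpe):
    """Vendor field of a CPE 2.2 URI or CPE 2.3 string (escaped colons not handled)."""
    parts = cpe.split(":")
    if cpe.startswith("cpe:2.3:"):
        return parts[3] if len(parts) > 3 else None
    if cpe.startswith("cpe:/"):
        return parts[2] if len(parts) > 2 else None
    return None  # vendor did not follow the CPE naming convention

def load(lines):
    """Parse JSON lines and drop records that carry no CVSS score."""
    recs = (json.loads(l) for l in lines.splitlines() if l.strip())
    return [r for r in recs if r.get("cvss") is not None]

def rank(lines, weights=VENDOR_WEIGHTS):
    """Order CVEs by CVSS multiplied by the highest weight among affected vendors."""
    ranked = []
    for rec in load(lines):
        vendors = {cpe_vendor(c) for c in rec.get("vulnerable_configuration", [])}
        weight = max((weights.get(v, DEFAULT_WEIGHT) for v in vendors), default=DEFAULT_WEIGHT)
        ranked.append((round(float(rec["cvss"]) * weight, 2), rec["id"]))
    return sorted(ranked, reverse=True)

def cvss_summary(lines):
    """Basic statistics over the scored records."""
    scores = [float(r["cvss"]) for r in load(lines)]
    if not scores:
        return {"count": 0}
    return {"count": len(scores), "mean": round(statistics.mean(scores), 2), "max": max(scores)}

if __name__ == "__main__":
    for score, cve in rank(SAMPLE):
        print(f"{score:6.2f}  {cve}")
    print(cvss_summary(SAMPLE))
```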
Problems facing the application:
- some vendors do not publish vulnerability information in a parsable way.
- some vendors do not support the CPE naming convention.
Software using cve-search:
- CVE-Portal
- CVE-Scan
- NorthernSec Vulnerability-Management (still under development)
Roadmap and future:
- add vulnerabilities data sources from software and hardware vendors
- expand cve-search to include vulnerabilities without CVE assignment.