CVE Reporting Tool

In version 6.9.8 of the ipfabric Python SDK, a new ipf_cve_report CLI tool was added that creates an Excel report of CVEs and EoL for devices in IP Fabric. The cve-report project will no longer be maintained, as all functionality has been migrated into the SDK.

Definitions

  • NIST: The National Institute of Standards and Technology (NIST) is a non-regulatory agency that develops technology, metrics, and standards to drive innovation and economic competitiveness at U.S.-based organizations in the science and technology industry.
  • CPE: Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. Based on the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name.
  • CVE: Common Vulnerabilities and Exposures (CVE) is a list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities. CVE Entries are used in numerous cybersecurity products and services from around the world, including the U.S. National Vulnerability Database (NVD).

Data Collection

The previous cve-report project was found to be missing some CVE data, which prompted the migration to the new process defined below:

  1. Query NIST's API for CPEs that match the device's vendor, family, and version.
  2. Iterate through the CPEs and query NIST's API for CVEs that match each CPE.
  3. Create the report, which may contain duplicate CVEs if multiple CPEs are found. A new column in the report shows the matching CPE.

Since the number of calls to the NIST API has now doubled, the time to generate the report has increased compared to previous versions.

Important Caveats

Please note the following:

  • The IP Fabric team cannot guarantee the accuracy of the data and this is provided as best effort. Please ensure you are subscribed to security alerts from your vendors and other sources.
  • At this time we are unable to report on CVEs that are not associated with an exact CPE match. Examples include:
    • A CVE defined with “affected versions” instead of being associated with a CPE (before|prior to X.X.X or between X.X.X and Y.Y.Y).
    • CVE of an underlying component that is not directly associated with the device (e.g. NTP, OpenSSL, etc). Vendors will send notifications about these but will not always associate their CPE to the CVE.
  • Our team is unable to determine if a vulnerability is applicable to a device based on the CVE alone. This requires a manual review of the CVE, vendor’s documentation, and the device’s configuration.
  • Not all vendors and families are supported. If our team was unable to determine how to query for the CPEs for a vendor or family then it will not be included in the report.

If any bugs are found or you have any feature requests please open an issue in GitLab or report it to your Solution Architect.

Requirements

The required environment variables (IPF_URL and either IPF_TOKEN or IPF_USERNAME & IPF_PASSWORD) must be exported or set in a .env file located in the current working directory or your home directory.

Requires:

  • pandas and openpyxl
    • pip install pandas openpyxl or pip install ipfabric[cli]
  • NVD_API_KEY from NIST
    • Can be exported as an environment variable NVD_API_KEY or passed as an argument.

Documentation

IPF CVE Report Help
# ipf_cve_report -h
usage: ipf_cve_report [-h] [-s SNAPSHOT] [-b BASE_URL] [-t TOKEN] [-u USERNAME] [-p PASSWORD] [-n NVD_API_KEY] [-f FILENAME] [-to TIMEOUT] [-l SITE_NAME] [-j]

Creates an Excel report of CVEs and EoL for devices in IP Fabric; requires:
Python Packages: 'pandas' and 'openpyxl' (`pip install ipfabric[cve]` or `pip install pandas openpyxl`)
NVD_API_KEY: See https://nvd.nist.gov/developers/request-an-api-key

optional arguments:
  -h, --help            show this help message and exit
  -s SNAPSHOT, --snapshot SNAPSHOT
                        Snapshot to use which can be a UUID or one of ['last', 'prev', 'lastLocked']with or without `$` for *nix compatability.
  -b BASE_URL, --base-url BASE_URL
                        Base URL for IPFabric API or IPF_URL env variable.
  -t TOKEN, --token TOKEN
                        IP Fabric API Token or IPF_TOKEN env variable.
  -u USERNAME, --username USERNAME
                        IP Fabric username (requires --password) or IPF_USERNAME env variable.
  -p PASSWORD, --password PASSWORD
                        IP Fabric password or IPF_PASSWORD env variable.
  -n NVD_API_KEY, --nvd-api-key NVD_API_KEY
                        NVD_API_KEY from https://nvd.nist.gov/developers/request-an-api-key
  -f FILENAME, --filename FILENAME
                        Filename to save, defaults to CVE_report.(xlsx|json). Extension will always be corrected to either '.xlsx' or '.json'.
  -to TIMEOUT, --timeout TIMEOUT
                        Timeout for NIST API (Int, Float, or None); default 60 seconds.
  -l SITE_NAME, --site-name SITE_NAME
                        Filter on a specific site name (location); case-insensitive equals search.
  -j, --json            Save as JSON output instead of Excel; default is Excel output.

Usage

Excel

IPF CVE Report Example
# ipf_cve_report -n NVD_API_KEY -s last -f CVE_report.xlsx
# ls
CVE_report.xlsx

End of Life Report


CVE Report


CVE Errors Report


JSON

IPF CVE Report JSON Example
# ipf_cve_report -n NVD_API_KEY -s last -f CVE_report.json -j -l hwlab
# ls
CVE_report.json

JSON Output

{
  "CVE": [
    {
      "device": "HWLAB",
      "site": "HWLAB",
      "serial": "3RK4-20R2",
      "ip": "10.64.128.1/32",
      "vendor": "mikrotik",
      "family": "routeros",
      "version": "6.45.3",
      "cpe_name": "cpe:2.3:o:mikrotik:routeros:6.45.3:*:*:*:*:*:*:*",
      "cve_id": "CVE-2019-15055",
      "cve_base_score": 6.5,
      "cve_description": "MikroTik RouterOS through 6.44.5 and 6.45.x through 6.45.3 improperly handles the disk name...",
      "cve_url": "https://fortiguard.com/zeroday/FG-VD-19-108"
    }
  ],
  "No CVE": [],
  "CVE Error": [
    {
      "device": "HWLAB-SGE300",
      "site": "HWLAB",
      "serial": "PSZ21111F8D",
      "ip": "10.64.128.16/32",
      "vendor": "cisco",
      "family": "sg",
      "version": "1.4.8.6",
      "cpe_name": null,
      "error": "Unsupported"
    }
  ],
  "EoL": [
    {
      "hostname": "HWLAB-SGE300",
      "siteName": "HWLAB",
      "deviceSn": "PSZ21111F8D",
      "vendor": "cisco",
      "pid": "SG300-10PP-K9",
      "replacement": "SG350-10P-K9-AU",
      "sn": "PSZ21111F8D",
      "endSale": "2018-05-10T00:00:00.000",
      "endMaintenance": null,
      "endSupport": "2023-05-31T00:00:00.000",
      "url": "https://www.cisco.com/c/en/us/products/collateral/switches/small-business-300-series-managed-switches/eos-eol-notice-c51-739973.html",
      "dscr": "SG300-10PP 10-port Gigabit PoE+ Managed Switch"
    }
  ]
}
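
Triage sketch for the JSON output above, added here as an example and not part of the IP Fabric SDK: it merges the duplicate CVE rows that step 3 of Data Collection can produce (one row per matching CPE) and lists "CVE Error" devices separately, since those were never assessed. The function names, the second CPE string, the LAB-EDGE device and the CVE-0000-0000 id are constructed placeholders, and handling a null cve_base_score is an assumption.

```python
import json

# Constructed sample in the report's JSON layout. The second CPE string, the
# "LAB-EDGE" device and the "CVE-0000-0000" id are placeholders, not real data.
SAMPLE_REPORT = {
    "CVE": [
        {"device": "HWLAB", "cve_id": "CVE-2019-15055", "cve_base_score": 6.5,
         "cpe_name": "cpe:2.3:o:mikrotik:routeros:6.45.3:*:*:*:*:*:*:*"},
        {"device": "HWLAB", "cve_id": "CVE-2019-15055", "cve_base_score": 6.5,
         "cpe_name": "cpe:2.3:o:mikrotik:routeros:6.45.3:-:*:*:*:*:*:*"},
        {"device": "LAB-EDGE", "cve_id": "CVE-0000-0000", "cve_base_score": 9.8,
         "cpe_name": "cpe:2.3:o:mikrotik:routeros:6.45.3:*:*:*:*:*:*:*"},
    ],
    "No CVE": [],
    "CVE Error": [{"device": "HWLAB-SGE300", "cpe_name": None, "error": "Unsupported"}],
    "EoL": [],
}

def load_report(path):
    """Read a file written by `ipf_cve_report -j`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def dedupe_cves(report):
    """Collapse rows repeating one CVE on one device, keeping every matching CPE."""
    merged = {}
    for row in report.get("CVE", []):
        entry = merged.setdefault((row["device"], row["cve_id"]), {**row, "cpe_names": []})
        entry.pop("cpe_name", None)
        if row.get("cpe_name") not in entry["cpe_names"]:
            entry["cpe_names"].append(row.get("cpe_name"))
    return list(merged.values())

def triage(report, min_score=7.0):
    """Return scored findings plus devices that were never assessed for CVEs."""
    score = lambda r: r.get("cve_base_score") or 0.0  # null score handling: assumption
    findings = [r for r in dedupe_cves(report) if score(r) >= min_score]
    findings.sort(key=lambda r: (-score(r), r["device"], r["cve_id"]))
    # "CVE Error" rows (e.g. "Unsupported") produced no CVE data: treat them as a
    # coverage gap to review by hand, never as "no vulnerabilities".
    unassessed = sorted({(r["device"], r.get("error") or "") for r in report.get("CVE Error", [])})
    return {"findings": findings, "unassessed": unassessed}

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT, min_score=6.0)  # or triage(load_report("CVE_report.json"))
    for f in result["findings"]:
        print(f["device"], f["cve_id"], f["cve_base_score"], f["cpe_names"])
    for device, error in result["unassessed"]:
        print("NOT ASSESSED:", device, error)
```

A device absent from the findings is only cleared to the extent the caveats above allow; the unassessed list and the exact-CPE-match limitation still require manual review.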