CVE Reporting Tool
In version 6.9.8 of the ipfabric Python SDK a new ipf_cve_report CLI tool was added which creates an Excel report of CVEs and EoL for devices in IP Fabric. The cve-report project will no longer be maintained as all functionality has been migrated into the SDK.
Definitions
- NIST: The National Institute of Standards and Technology (NIST) is a non-regulatory agency that develops technology, metrics, and standards to drive innovation and economic competitiveness at U.S.-based organizations in the science and technology industry.
- CPE: Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. Based on the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name.
- CVE: Common Vulnerabilities and Exposures (CVE) is a list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities. CVE Entries are used in numerous cybersecurity products and services from around the world, including the U.S. National Vulnerability Database (NVD).
Data Collection
It was determined in the previous cve-report project that some CVE data was missing, which has caused the migration to the new process as defined below:
- Query NIST's API for CPEs that match the device’s vendor, family, and version.
- Iterate through the CPEs and query NIST's API for CVEs that match the CPE.
- Create the report which may contain duplicate CVEs if multiple CPEs are found. A new column in the report shows the matching CPE.
Since the number of calls to the NIST API has now doubled, the time to generate the report has increased compared to the previous versions.
Important Caveats
Please note the following:
- The IP Fabric team cannot guarantee the accuracy of the data and this is provided as best effort. Please ensure you are subscribed to security alerts from your vendors and other sources.
- At this time we are unable to report on CVEs that are not associated with an exact CPE match. Examples include:
  - A CVE defined with “affected versions” instead of being associated with a CPE (before|prior to X.X.X or between X.X.X and Y.Y.Y).
  - CVE of an underlying component that is not directly associated with the device (e.g. NTP, OpenSSL, etc). Vendors will send notifications about these but will not always associate their CPE to the CVE.
- Our team is unable to determine if a vulnerability is applicable to a device based on the CVE alone. This requires a manual review of the CVE, vendor’s documentation, and the device’s configuration.
- Not all vendors and families are supported. If our team was unable to determine how to query for the CPEs for a vendor or family then it will not be included in the report.
If any bugs are found or you have any feature requests please open an issue in GitLab or report it to your Solution Architect.
Requirements
Required environment variables exported (IPF_URL and IPF_TOKEN or IPF_USERNAME & IPF_PASSWORD) or a .env file located in the current working directory or your home directory.
Requires:
- pandas and openpyxl
  - pip install pandas openpyxl or pip install ipfabric[cli]
- NVD_API_KEY from NIST
  - Can be exported as an environment variable NVD_API_KEY or passed as an argument.
Documentation
# ipf_cve_report -h
usage: ipf_cve_report.cmd [-h] [-s SNAPSHOT] [-n NVD_API_KEY] [-f FILENAME] [-t TIMEOUT] [-j]

Creates an Excel report of CVEs and EoL for devices in IP Fabric; requires:
Python Packages: 'pandas' and 'openpyxl' (`pip install ipfabric[cve]` or `pip install pandas openpyxl`)
NVD_API_KEY: See https://nvd.nist.gov/developers/request-an-api-key

optional arguments:
  -h, --help            show this help message and exit
  -s SNAPSHOT, --snapshot SNAPSHOT
                        Snapshot to use which can be a UUID or one of ['last', 'prev', 'lastLocked']with or without `$` for *nix compatability; default '$last'.
  -n NVD_API_KEY, --nvd-api-key NVD_API_KEY
                        NVD_API_KEY from https://nvd.nist.gov/developers/request-an-api-key
  -f FILENAME, --filename FILENAME
                        Filename to save, defaults to CVE_report.(xlsx|json). Extension will always be corrected to either '.xlsx' or '.json'.
  -t TIMEOUT, --timeout TIMEOUT
                        Timeout for NIST API (Int, Float, or None); default 60 seconds.
  -l SITE_NAME, --site-name SITE_NAME
                        Filter on a specific site name (location); case-insensitive equals search.
  -j, --json            Save as JSON output instead of Excel; default is Excel output.
Usage
Excel
# ipf_cve_report -n NVD_API_KEY -s last -f CVE_report.xlsx
# ls
CVE_report.xlsx
End of Life Report
CVE Report
CVE Errors Report
JSON
# ipf_cve_report -n NVD_API_KEY -s last -f CVE_report.json -j -l hwlab
# ls
CVE_report.json
JSON Output
{
  "CVE": [
    {
      "device": "HWLAB",
      "site": "HWLAB",
      "serial": "3RK4-20R2",
      "ip": "10.64.128.1/32",
      "vendor": "mikrotik",
      "family": "routeros",
      "version": "6.45.3",
      "cpe_name": "cpe:2.3:o:mikrotik:routeros:6.45.3:*:*:*:*:*:*:*",
      "cve_id": "CVE-2019-15055",
      "cve_base_score": 6.5,
      "cve_description": "MikroTik RouterOS through 6.44.5 and 6.45.x through 6.45.3 improperly handles the disk name...",
      "cve_url": "https://fortiguard.com/zeroday/FG-VD-19-108"
    }
  ],
  "No CVE": [],
  "CVE Error": [
    {
      "device": "HWLAB-SGE300",
      "site": "HWLAB",
      "serial": "PSZ21111F8D",
      "ip": "10.64.128.16/32",
      "vendor": "cisco",
      "family": "sg",
      "version": "1.4.8.6",
      "cpe_name": null,
      "error": "Unsupported"
    }
  ],
  "EoL": [
    {
      "hostname": "HWLAB-SGE300",
      "siteName": "HWLAB",
      "deviceSn": "PSZ21111F8D",
      "vendor": "cisco",
      "pid": "SG300-10PP-K9",
      "replacement": "SG350-10P-K9-AU",
      "sn": "PSZ21111F8D",
      "endSale": "2018-05-10T00:00:00.000",
      "endMaintenance": null,
      "endSupport": "2023-05-31T00:00:00.000",
      "url": "https://www.cisco.com/c/en/us/products/collateral/switches/small-business-300-series-managed-switches/eos-eol-notice-c51-739973.html",
      "dscr": "SG300-10PP 10-port Gigabit PoE+ Managed Switch"
    }
  ]
}
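One way to triage the JSON output, added here as an example and not part of the ipfabric SDK: it collapses CVE rows that repeat once per matching CPE (the duplicates described under Data Collection), lists the "CVE Error" devices so they are not read as free of CVEs, and flags EoL rows whose endSupport date has passed. The sample data is constructed in the shape of the output above, and the function names are hypothetical.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the report's JSON output (second CPE and PID-X are made up).
SAMPLE = json.loads("""
{"CVE": [
  {"device": "rtr1", "serial": "SN-A", "cve_id": "CVE-2019-15055", "cve_base_score": 6.5,
   "cpe_name": "cpe:2.3:o:mikrotik:routeros:6.45.3:*:*:*:*:*:*:*"},
  {"device": "rtr1", "serial": "SN-A", "cve_id": "CVE-2019-15055", "cve_base_score": 6.5,
   "cpe_name": "cpe:2.3:o:mikrotik:routeros:6.45.3:-:*:*:*:*:*:*"}],
 "No CVE": [],
 "CVE Error": [{"device": "sw1", "serial": "SN-B", "cpe_name": null, "error": "Unsupported"}],
 "EoL": [{"hostname": "sw1", "pid": "SG300-10PP-K9", "endSupport": "2023-05-31T00:00:00.000"},
         {"hostname": "rtr1", "pid": "PID-X", "endSupport": null}]}
""")


def unique_cves(report):
    """Collapse rows repeated once per matching CPE into one entry per device and CVE."""
    merged = defaultdict(dict)
    for row in report.get("CVE", []):
        item = merged[(row["device"], row["serial"])].setdefault(
            row["cve_id"], {"score": row.get("cve_base_score"), "cpes": []})
        if row["cpe_name"] not in item["cpes"]:
            item["cpes"].append(row["cpe_name"])  # keep every CPE that matched
    return dict(merged)


def unassessed(report):
    """Devices with no CPE lookup result: missing from the CVE list, not shown to be clean."""
    return sorted((r["device"], r["error"]) for r in report.get("CVE Error", []))


def past_support(report, today):
    """EoL rows whose endSupport date is before `today`; null dates are skipped."""
    out = []
    for row in report.get("EoL", []):
        end = row.get("endSupport")
        if end and datetime.fromisoformat(end) < today:
            out.append((row["hostname"], row["pid"], end[:10]))
    return sorted(out)


if __name__ == "__main__":
    print(unique_cves(SAMPLE))
    print(unassessed(SAMPLE))
    print(past_support(SAMPLE, datetime(2024, 1, 1)))
```
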