Adding the new NIST CVE Tracking feature for 3.x release.
bminnix committed Aug 12, 2024
1 parent 2aed02c commit 1d7f8bd
Showing 18 changed files with 716 additions and 166 deletions.
Binary file added docs/images/lcm_cve_nist_job.png
Binary file added docs/images/lcm_cve_nist_job_log.png
34 changes: 32 additions & 2 deletions docs/user/cve_tracking.md
Expand Up @@ -22,19 +22,20 @@ When creating a CVE object, the following fields are available. Fields in **bold
| Fix | The software fix (if available) for the CVE |
| Comments | Any additional comments or details about the CVE |
| Tags | Arbitrary [tag objects](https://docs.nautobot.com/projects/core/en/stable/models/extras/tag/) that can be applied to this CVE |
| Last Modified Date | The date that the CVE record was last modified |

!!! note
In addition to these standard fields, you can also add one or more [Custom Fields](https://docs.nautobot.com/projects/core/en/stable/models/extras/customfield/) to the model.

### Software Association

As stated previously, you can associate a CVE to one or many [Software objects](./software_lifecycle.md#software-objects). These relationships will present themselves as breadcrumb links on each item's detail view.
As stated previously, you can associate a CVE to one or many [Software objects](./software_lifecycle.md#software-objects). These relationships will present themselves as breadcrumb links on the CVE item's detail view, and as the "Related CVEs" tab on the Software item's detail view.

Example of a breadcrumb link on a CVE item's view:

![](../images/lcm_cve_breadcrumb.png)

Example of a breadcrumb link on a Software item's view:
Example of the "Related CVEs" tab on a Software item's view:

![](../images/lcm_software_breadcrumb.png)

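Review bot: the screenshot under the renamed caption is still `![](../images/lcm_software_breadcrumb.png)` even though the caption changed from "breadcrumb link on a Software item's view" to "the 'Related CVEs' tab on a Software item's view"; if the image was replaced along with the text, rename it to match (the two screenshots added in this commit use the `lcm_cve_nist_*` naming), otherwise the page will show the old breadcrumb under the new caption. In the same hunk, the new `Last Modified Date` row in the field table does not say where the value comes from (typed in by hand, or written by the NIST job); one clause would tell readers whether they are expected to maintain it.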
Expand All @@ -60,3 +61,32 @@ After a Vulnerability object has been generated, the CVE, Software, Device and I
In addition to these standard fields, you can also add one or more [Custom Fields](https://docs.nautobot.com/projects/core/en/stable/models/extras/customfield/) to the model.

As was stated previously, running the ``Generate Vulnerabilities`` Job will not modify (or delete) any existing Vulnerability objects - **even if the associations that existed previously no longer exist**. You do have the ability to delete one or more Vulnerability objects via the GUI or API. In addition to manually removing a Vulnerability, if any CVE, Software, Device or Inventory Item objects are removed, any Vulnerability objects that reference the deleted items will also be removed automatically.

## Automated CVE Discovery via NIST API 2.0

### API Key
In order to utilize the NIST CVE DB for automatic software CVE discovery, you will need to obtain a NIST API Key [here]('https://nvd.nist.gov/developers/request-an-api-key').

Once received, this key will need to be added to your `creds.env`:
```
NIST_API_KEY=your-key-will-go-here
```

### Run Job
Automated discovery is used by running the ``NIST - Software CVE Search`` Job.

To run this job, use the "Jobs" menu dropdown and navigate to the **CVE Tracking** section. The jobs will appear here and all you will need to do is click the play button.[^1]

![](../images/lcm_cve_nist_job.png)

The job output should indicate the softwares checked and the amount of CVEs received for that software, as well as the amount of CVEs created. These will not always be the same. New CVE will be created for software with existing CVE, also software will share CVEs.

![](../images/lcm_cve_nist_job_log.png)

[^1] Warning: If play button is grayed out. You will need to enable the job by clicking on edit button in the row and navigate to "Job" portion and click on "Enable"


### Additional Notes:
Due to the way vendor platform entries vary in NIST, some platforms may work without issue, others may not work so well (false positives/negatives). Juniper JunOS is a great example and has a custom parser in netutils to handle this.

If the platform you are attempting to gather information from does not work, a custom parser will likely be needed to build a proper NIST search URL.
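Review bot: the API-key link `[here]('https://nvd.nist.gov/developers/request-an-api-key')` puts single quotes inside the Markdown link parentheses, so the rendered href includes the quotes and the link is broken; drop them. The footnote is also malformed: `[^1]` after "click the play button" and the `[^1] Warning:` line further down are not a valid reference/definition pair (the definition needs a colon, `[^1]: Warning: ...`), so it will render as literal brackets. Two gaps a reader will hit: the section says the key goes into `creds.env` but not what the job does when `NIST_API_KEY` is unset (fail, or query unauthenticated), and it does not say that `creds.env` holds a secret and must stay out of version control. The job-output sentence "New CVE will be created for software with existing CVE, also software will share CVEs" is hard to parse; if the intent is that a CVE already present is only linked to the additional software rather than created again, say that, since it explains why "received" and "created" differ. Finally, "Additional Notes" should name which platforms have a working parser: a false negative here means a vulnerable software version shows no CVE at all, which is worse than a noisy false positive, and readers need to know for which platforms they must keep checking vendor advisories by hand.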
1 change: 1 addition & 0 deletions nautobot_device_lifecycle_mgmt/api/serializers.py
@@ -1,4 +1,5 @@
"""API serializers implementation for the LifeCycle Management app."""

from nautobot.apps.api import NautobotModelSerializer, TaggedModelSerializerMixin

from nautobot_device_lifecycle_mgmt.models import (
5 changes: 5 additions & 0 deletions nautobot_device_lifecycle_mgmt/filters.py
Expand Up @@ -594,6 +594,10 @@ class CVELCMFilterSet(NautobotFilterSet, StatusModelFilterSetMixin): # , Custom
published_date__gte = django_filters.DateFilter(field_name="published_date", lookup_expr="gte")
published_date__lte = django_filters.DateFilter(field_name="published_date", lookup_expr="lte")

last_modified_date = django_filters.DateTimeFromToRangeFilter()
last_modified_date__gte = django_filters.DateFilter(field_name="last_modified_date", lookup_expr="gte")
last_modified_date__lte = django_filters.DateFilter(field_name="last_modified_date", lookup_expr="lte")

cvss__gte = django_filters.NumberFilter(field_name="cvss", lookup_expr="gte")
cvss__lte = django_filters.NumberFilter(field_name="cvss", lookup_expr="lte")

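Review bot: the three `last_modified_date` filters mix two kinds on one field: `last_modified_date = django_filters.DateTimeFromToRangeFilter()` is datetime-based, while `last_modified_date__gte` and `last_modified_date__lte` are `DateFilter`s. That mirrors the existing `published_date` lines, but it matters if the model field (not shown in this diff) is a `DateTimeField`: Django turns a bare date in `last_modified_date__lte=<date>` into midnight at the start of that day, so a record modified later the same day is excluded from what users will read as "modified on or before". Either use `DateTimeFilter` for the gte/lte pair or document that `__lte` is exclusive of the given day.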
Expand All @@ -612,6 +616,7 @@ class Meta:
fields = [
"name",
"published_date",
"last_modified_date",
"link",
"status",
"description",
8 changes: 8 additions & 0 deletions nautobot_device_lifecycle_mgmt/forms.py
Expand Up @@ -606,6 +606,7 @@ class CVELCMForm(NautobotModelForm):
"""CVE Lifecycle Management creation/edit form."""

published_date = forms.DateField(widget=DatePicker())
last_modified_date = forms.DateField(widget=DatePicker(), required=False)
severity = forms.ChoiceField(choices=CVESeverityChoices.CHOICES, label="Severity", required=False)
tags = DynamicModelMultipleChoiceField(queryset=Tag.objects.all(), required=False)
affected_softwares = DynamicModelMultipleChoiceField(queryset=SoftwareVersion.objects.all(), required=False)
Expand All @@ -618,6 +619,7 @@ class Meta:
fields = [
"name",
"published_date",
"last_modified_date",
"link",
"status",
"description",
Expand All @@ -633,6 +635,7 @@ class Meta:

widgets = {
"published_date": DatePicker(),
"last_modified_date": DatePicker(),
}


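Review bot: the `"last_modified_date": DatePicker(),` entry added to `Meta.widgets` is redundant: the field is declared explicitly in this form as `forms.DateField(widget=DatePicker(), required=False)`, and an explicitly declared field takes precedence over `Meta.widgets`. It follows the existing `published_date` precedent, so either keep it for consistency or drop both entries; they have no effect.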
Expand Down Expand Up @@ -673,6 +676,9 @@ class CVELCMFilterForm(NautobotFilterForm):
published_date_before = forms.DateField(label="Published Date Before", required=False, widget=DatePicker())
published_date_after = forms.DateField(label="Published Date After", required=False, widget=DatePicker())

last_modified_date_before = forms.DateField(label="Last Modified Date Before", required=False, widget=DatePicker())
last_modified_date_after = forms.DateField(label="Last Modified Date After", required=False, widget=DatePicker())

cvss__gte = forms.FloatField(label="CVSS Score Above", required=False)
cvss__lte = forms.FloatField(label="CVSS Score Below", required=False)

Expand Down Expand Up @@ -701,6 +707,8 @@ class Meta:
"q",
"published_date_before",
"published_date_after",
"last_modified_date_before",
"last_modified_date_after",
"severity",
"status",
"affected_softwares",
9 changes: 7 additions & 2 deletions nautobot_device_lifecycle_mgmt/jobs/__init__.py
Expand Up @@ -2,8 +2,13 @@

from nautobot.core.celery import register_jobs

from .cve_tracking import GenerateVulnerabilities
from .cve_tracking import GenerateVulnerabilities, NistCveSyncSoftware
from .lifecycle_reporting import DeviceSoftwareValidationFullReport, InventoryItemSoftwareValidationFullReport

jobs = [DeviceSoftwareValidationFullReport, InventoryItemSoftwareValidationFullReport, GenerateVulnerabilities]
jobs = [
DeviceSoftwareValidationFullReport,
InventoryItemSoftwareValidationFullReport,
GenerateVulnerabilities,
NistCveSyncSoftware,
]
register_jobs(*jobs)
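Review bot: the docs in this commit tell users to run a job named ``NIST - Software CVE Search``, while the class registered here is `NistCveSyncSoftware`; confirm that the job's `Meta.name` is set to the documented string (the implementation in `jobs/cve_tracking.py` is not part of this view), or users searching the Jobs list for the documented name will not find it. The docs footnote already covers the grayed-out play button, so the registration itself needs no further note.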