{"id":21020578,"url":"https://github.com/nodiscc/netdata-debsecan","last_synced_at":"2025-08-12T00:39:56.064Z","repository":{"id":86258555,"uuid":"193351508","full_name":"nodiscc/netdata-debsecan","owner":"nodiscc","description":"[mirror] Check/graph the number of CVEs in currently installed packages - netdata plugin","archived":false,"fork":false,"pushed_at":"2023-05-11T16:02:44.000Z","size":28,"stargazers_count":7,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-05-15T07:42:50.388Z","etag":null,"topics":["cve","debian","debsecan","monitoring","netdata","patch-management","scanner","security"],"latest_commit_sha":null,"homepage":"https://gitlab.com/nodiscc/netdata-debsecan","language":"Python","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nodiscc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-06-23T13:29:28.000Z","updated_at":"2025-01-19T14:17:11.000Z","dependencies_parsed_at":null,"dependency_job_id":"b69b1402-1ab0-4c8e-9936-edf0cdf1f4b6","html_url":"https://github.com/nodiscc/netdata-debsecan","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/nodiscc/netdata-debsecan","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nodiscc%2Fnetdata-debsecan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nodiscc%2Fnetdata-debsecan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nodiscc%2Fnetdata-debsecan/releases","manifes
ts_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nodiscc%2Fnetdata-debsecan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nodiscc","download_url":"https://codeload.github.com/nodiscc/netdata-debsecan/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nodiscc%2Fnetdata-debsecan/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":269981622,"owners_count":24507279,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-11T02:00:10.019Z","response_time":75,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve","debian","debsecan","monitoring","netdata","patch-management","scanner","security"],"created_at":"2024-11-19T10:42:11.360Z","updated_at":"2025-08-12T00:39:56.002Z","avatar_url":"https://github.com/nodiscc.png","language":"Python","readme":"# netdata-debsecan\n\nCheck/graph the number of [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)s in currently installed packages.\n\n![](https://gitlab.com/nodiscc/toolbox/-/raw/master/DOC/SCREENSHOTS/OIu846o.png)\n\nThis is a `python.d` module for [netdata](https://my-netdata.io/). 
It parses output from [debsecan](https://manpages.debian.org/stretch/debsecan/debsecan.1.en.html).\n\nThe number of vulnerabilities is graphed by scope (locally/remotely exploitable) and urgency (low/medium/high).\n\n\n\n## Installation\n\nThis module expects the output of debsecan, split by scope/urgency in files at `/var/log/debsecan`. A [script](usr_local_bin_debsecan-by-type) to generate the expected reports is provided.\n\n```bash\n# install debsecan\napt install debsecan\n\n# clone the repository\ngit clone https://gitlab.com/nodiscc/netdata-debsecan\n\n# install the generation script\ncp netdata-debsecan/usr_local_bin_debsecan-by-type /usr/local/bin/debsecan-by-type\n\n# generate initial debsecan reports in /var/log/debsecan/\n/usr/local/bin/debsecan-by-type\n\n# (optional) configure dpkg to refresh the file after each run\n# generating reports after each apt/dpkg run can take some time\ncp netdata-debsecan/etc_apt_apt.conf.d_99debsecan /etc/apt/apt.conf.d/99debsecan\n\n# add a cron job to refresh the file every hour\ncp netdata-debsecan/etc_cron.d_debsecan /etc/cron.d/debsecan\n\n# install the module/configuration file\nnetdata_install_prefix=\"/opt/netdata\" # if netdata is installed from binary/.run script\nnetdata_install_prefix=\"\" # if netdata is installed from OS packages\ncp netdata-debsecan/debsecan.chart.py $netdata_install_prefix/usr/libexec/netdata/python.d/\ncp netdata-debsecan/debsecan.conf $netdata_install_prefix/etc/netdata/python.d/\n\n# restart netdata\nsystemctl restart netdata\n\n```\n\nYou can also install this module using the [`nodiscc.xsrv.monitoring` Ansible role](https://gitlab.com/nodiscc/xsrv/-/tree/master/roles/monitoring).\n\n\n## Configuration\n\nNo configuration is required. Common `python.d` plugin options can be changed in [`debsecan.conf`](debsecan.conf).\n\nThe default `update every` value is 600 seconds so the initial chart will only be created after 10 minutes. 
Change this value if you need more accuracy.\n\nYou can get details on vulnerabilities by reading mail sent by debsecan, or by reading the output of `debsecan --format report`.\n\nYou can work towards decreasing the count of vulnerabilities by upgrading/patching/removing affected software, or by mitigating them through other means and adding them to debsecan's whitelist.\n\n## Debug\n\nTo debug this module:\n\n```bash\n$ sudo su -s /bin/bash netdata\n$ $netdata_install_prefix/usr/libexec/netdata/plugins.d/python.d.plugin 1  debug trace debsecan\n```\n\n## TODO\n\n- Document alarm when total number of CVEs changes\n- Document alarm when number of remote/high CVEs is above a threshold\n- Configure debsecan to generate the status file after each APT run (see `/etc/debsecan/notify.d/600-mail`)\n\n## License\n\n[GNU GPLv3](LICENSE)\n\n## Mirrors\n\n- https://github.com/nodiscc/netdata-debsecan\n- https://gitlab.com/nodiscc/netdata-debsecan\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnodiscc%2Fnetdata-debsecan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnodiscc%2Fnetdata-debsecan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnodiscc%2Fnetdata-debsecan/lists"}