Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/pandatix/cvedetect
Yet another Vulnerability Assessment Tool for efficient CVE detection.
Last synced: 20 days ago
- Host: GitHub
- URL: https://github.com/pandatix/cvedetect
- Owner: pandatix
- License: agpl-3.0
- Created: 2022-05-29T07:47:57.000Z (over 2 years ago)
- Default Branch: master
- Last Pushed: 2023-04-26T05:33:07.000Z (over 1 year ago)
- Last Synced: 2024-06-20T22:36:50.302Z (7 months ago)
- Topics: cve, detection, go, graphql, vulnerability-assessment, vulnerability-detection
- Language: Go
- Homepage:
- Size: 211 KB
- Stars: 10
- Watchers: 3
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: SECURITY.md
README
# cvedetect
cvedetect is a state-of-the-art Vulnerability Assessment Tool (VAT) working on a directed acyclic graph of assets.
> This product uses the NVD API but is not endorsed or certified by the NVD.
## TODO
- [ ] Implement complete `match` algorithm
- [ ] Implement `MDCN` algorithm
- [ ] Harden inputs through scalars
- [ ] Add score filtering (filter on base, environmental and temporal scores + attributes values)
- [ ] Improve support of CPE v2.3 Release 4 with `github.com/pandatix/go-cpe` when released
- [ ] Provide API validation tests

## Disclaimer
Take a look at the license before using this project.
Moreover, there are many TODOs that prevent this sample app from being used professionally or safely:
- the database is memory-only, so the system does not provide integrity or persistence of the data over time (in case the binary reboots).
- such a system cannot scale because of the memory-only database.
- there is a lack of interesting data supported by the data model, such as references and their tags for a SIEM.
- API transactions are not ACID, which could lead to inconsistencies in HA deployments.
- `MDC1` is currently used for detections, covering ~80% of the whole NVD. `MDCN` should be implemented in order to give better results based on the context.
- the `match` algorithm used by MDCs depends on an external dependency that is not perfectly suited to CPE versions, and does not depend on any SCAP-approved version criteria (the conditions under which a version interval should be replaced by an enumeration). Additionally, it is a simpler implementation of `match` as it does not cover wildcards in versions.
- the NIST-IR 7695, the CPE dictionary and the NVD contain known vulnerabilities/issues that are still not fixed, so they can't be handled by this implementation.
- it does not provide a way to create an inventory that will be consumed by the tool.
- it does not provide a way to raise alerts in case of new detections, updates, or deletes.
- according to [Varonis](https://www.varonis.com/blog/what-is-siem), it does not give enough metrics and traceability to become a SIEM ("When was it detected?", "Since when does the CVE exist?" are questions that can't be answered; MatchCircuit is not handled to explain why it matched).
- it does not strongly validate inputs, especially those from the NVD (which must be considered untrusted).
- there is no access control, so it can't be used outside a single team with no privilege management, which is not a good idea/security practice.
- the API has not been tested (but needs to be, with RobotFramework maybe).

To sum up: **do not use in production environment, or as a safe tool for security monitoring**.
## Examples
### Getting all CVEs related to a VP
```graphql
query QueryCVEs($input: QueryCVEInput!) {
  queryCVEs(input: $input) {
    id
    description
    configurations {
      negate
      operator
      cpeMatches {
        vulnerable
        cpe23
      }
    }
    cvss31 {
      vector
      baseScore
    }
  }
}
```

```json
{
  "input": {
    "vp": "gitea:gitea"
  }
}
```

The previous has the equivalent curl command.

```bash
curl -X POST http://localhost:8080/graphql \
  -H 'Content-Type: application/json' \
  -d '{"query":"query QueryCVEs($input:QueryCVEInput!){queryCVEs(input:$input){id description configurations{negate operator cpeMatches{vulnerable cpe23}}cvss31{vector baseScore}}}","variables":{"input":{"vp":"gitea:gitea"}}}'
```

### Adding an Asset
```graphql
mutation AddAsset($input: AddAssetInput!) {
  addAsset(input: $input) {
    id
    name
    cpe23
    cves {
      id
      description
      configurations {
        negate
        operator
        cpeMatches {
          vulnerable
          cpe23
          versionStartIncluding
          versionStartExcluding
          versionEndIncluding
          versionEndExcluding
        }
      }
      cvss31 {
        vector
        baseScore
      }
    }
  }
}
```

```json
{
  "input": {
    "name": "Gitea",
    "cpe23": "cpe:2.3:a:gitea:gitea:1.12.6:*:*:*:*:docker:amd64:*"
  }
}
```

The previous has the equivalent curl command.

```bash
curl -X POST http://localhost:8080/graphql \
  -H 'Content-Type: application/json' \
  -d '{"query":"mutation AddAsset($input:AddAssetInput!){addAsset(input:$input){id name cpe23 cves{id description configurations{negate operator cpeMatches{vulnerable cpe23 versionStartIncluding versionStartExcluding versionEndIncluding versionEndExcluding}}cvss31{vector baseScore}}}}","variables":{"input":{"name":"Gitea","cpe23":"cpe:2.3:a:gitea:gitea:1.12.6:*:*:*:*:docker:amd64:*"}}}'
```
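The `cpeMatches` fields returned above (`cpe23` plus the four `versionStart*`/`versionEnd*` bounds) are exactly the input of the `match` step the Disclaimer calls incomplete. The following Go program is an added example written for this page, not cvedetect's code or its `match` implementation: it checks one asset CPE against one `cpeMatch`, comparing the non-version components attribute by attribute and placing the asset's version inside the half-open or closed interval the bounds describe. The `CPEMatch` type, the `splitCPE`/`attrMatch`/`compareVersion`/`matchCPE` functions and the sample `cpeMatch` record are all constructed here; the asset CPE is the one from the `AddAsset` example. The version ordering is an assumption of the example (numeric per dot-separated segment, lexical fallback), so a pre-release suffix such as `-rc1` sorts after the plain release, which is precisely the kind of gap the Disclaimer's "not perfectly suited for CPE versions" caveat describes. Configuration-level `operator`/`negate` evaluation and in-component wildcards are left out, as in the README's own description of its simplified `match`.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// CPEMatch mirrors the fields selected under cpeMatches in the README's
// queries. It is constructed for this example, not cvedetect's own model.
type CPEMatch struct {
	Vulnerable                                   bool
	CPE23                                        string
	VersionStartIncluding, VersionStartExcluding string
	VersionEndIncluding, VersionEndExcluding     string
}

// giteaAsset is the asset CPE from the README's AddAsset example.
const giteaAsset = "cpe:2.3:a:gitea:gitea:1.12.6:*:*:*:*:docker:amd64:*"

// splitCPE returns the 13 components of a CPE 2.3 formatted string
// (backslash-escaped colons inside a component are not handled, a simplification).
func splitCPE(cpe string) ([]string, bool) {
	parts := strings.Split(cpe, ":")
	return parts, len(parts) == 13 && parts[0] == "cpe" && parts[1] == "2.3"
}

// attrMatch: "*" (ANY) in the pattern matches anything, otherwise the values
// must be equal (case-insensitive). In-component wildcards are not covered.
func attrMatch(pattern, value string) bool {
	return pattern == "*" || strings.EqualFold(pattern, value)
}

// compareVersion orders dot-separated versions segment by segment: numerically
// when both segments are integers, lexically otherwise; missing segments are 0.
// This ordering is an assumption of the example, not a SCAP-defined rule.
func compareVersion(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, y := "0", "0"
		if i < len(as) {
			x = as[i]
		}
		if i < len(bs) {
			y = bs[i]
		}
		xi, xerr := strconv.Atoi(x)
		yi, yerr := strconv.Atoi(y)
		if xerr == nil && yerr == nil && xi != yi {
			return xi - yi // callers only use the sign
		}
		if (xerr != nil || yerr != nil) && x != y {
			return strings.Compare(x, y)
		}
	}
	return 0
}

// matchCPE: every non-version component must match; the version must match
// the pattern's version or, when interval bounds are set, lie inside them.
func matchCPE(asset string, m CPEMatch) (bool, error) {
	a, okA := splitCPE(asset)
	p, okP := splitCPE(m.CPE23)
	if !okA || !okP {
		return false, fmt.Errorf("malformed CPE 2.3 string: %q / %q", asset, m.CPE23)
	}
	for i := 2; i < 13; i++ {
		if i != 5 && !attrMatch(p[i], a[i]) {
			return false, nil
		}
	}
	v := a[5]
	if m.VersionStartIncluding == "" && m.VersionStartExcluding == "" &&
		m.VersionEndIncluding == "" && m.VersionEndExcluding == "" {
		return attrMatch(p[5], v), nil // no interval: plain version comparison
	}
	if v == "*" || v == "-" {
		return false, nil // an unknown version cannot be placed in an interval
	}
	inside := (m.VersionStartIncluding == "" || compareVersion(v, m.VersionStartIncluding) >= 0) &&
		(m.VersionStartExcluding == "" || compareVersion(v, m.VersionStartExcluding) > 0) &&
		(m.VersionEndIncluding == "" || compareVersion(v, m.VersionEndIncluding) <= 0) &&
		(m.VersionEndExcluding == "" || compareVersion(v, m.VersionEndExcluding) < 0)
	return inside, nil
}

func main() {
	// Constructed cpeMatch shaped like the README output; not from a real CVE record.
	m := CPEMatch{Vulnerable: true, CPE23: "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*",
		VersionStartIncluding: "1.12.0", VersionEndExcluding: "1.13.0"}
	ok, err := matchCPE(giteaAsset, m)
	fmt.Println("vulnerable:", ok && m.Vulnerable, "err:", err)
}
```

Running it reports the Gitea 1.12.6 asset as vulnerable because 1.12.6 lies in `[1.12.0, 1.13.0)`; an asset whose version component is `*` is never placed in an interval, and a malformed CPE string is returned as an error rather than silently treated as a non-match, which is the behaviour a detection pipeline wants when NVD input is considered untrusted.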