Syncing NIST's National Vulnerability Database with Jira

June 2nd, 2013

I recently wrote about nvd2sqlite3, a simple tool to populate and sync NIST's Vulnerability Database into a local sqlite3 database. This, by itself, is not terribly useful. But once you have the information in your local database, you can then start to feed it into your local ticket tracking system, which can be quite useful.

To do this, I wrote a second, equally simple tool: nvdXjira. Once you've created a user account for this purpose in Jira, you can run the command to either report on any tickets found for the CVEs in the database, or you can have it automatically create new tickets. This second part is where things get interesting, as combined with a regular sync of the NVD into your local database, you now have a way to automatically open new tickets for all new CVEs as they come in.

Since this is something that you may wish to do on a regular basis -- say, nightly from cron(8) -- I've also added a wrapper script that glues these together: nvdsync. This tool is reasonably abstracted so that you can specify all required options or customizations in either the environment or on the command-line, so that hopefully no code changes are necessary for you to adapt this to your environment. See the relevant manual pages (nvdsync(1), nvdXjira(1)) for details.

This is still work in progress: there is much room for improvement. I'm currently looking into adding a way to specify which software we don't care about at all, so that we can immediately close those tickets; another TODO item is reading a configuration file that maps software versions of interest to Jira projects and/or individual owners, so that manual auditing of the tickets created becomes less cumbersome. Watch this space for updates.
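As an added example (not the author's nvdXjira code), here is the core of the sync step in Python: read CVE rows from a local sqlite3 mirror, skip those that already have a ticket or belong to a product on an ignore list, and build the Jira REST create-issue body for the rest. The table schema, the ignore list and the project key are assumptions, not nvd2sqlite3's real layout.

```python
"""Select new CVEs from a local NVD sqlite3 mirror and build Jira issue bodies.

Assumed schema (hypothetical; not nvd2sqlite3's actual one):
  cve(id TEXT PRIMARY KEY, summary TEXT, product TEXT, cvss REAL)
"""
import re
import sqlite3

# Constructed sample rows standing in for a synced NVD mirror.
SAMPLE_ROWS = [
    ("CVE-0000-0001", "heap overflow in libfoo parser", "libfoo", 9.3),
    ("CVE-0000-0002", "xss in barweb admin page", "barweb", 4.3),
    ("CVE-0000-0003", "dos in legacyd", "legacyd", 5.0),
]
CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})")

def load_db(rows=SAMPLE_ROWS):
    """Build an in-memory mirror with the assumed schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cve(id TEXT PRIMARY KEY, summary TEXT, product TEXT, cvss REAL)")
    conn.executemany("INSERT INTO cve VALUES (?,?,?,?)", rows)
    return conn

def existing_ticket_cves(tickets):
    """Map CVE id -> ticket key from tracker search results ((key, summary) pairs).
    Summaries are keyed by CVE id (see issue_payload), which is what makes reruns idempotent."""
    found = {}
    for key, summary in tickets:
        m = CVE_RE.match(summary or "")
        if m:
            found.setdefault(m.group(1), key)
    return found

def select_new_cves(conn, tickets, ignore_products=()):
    """Return rows that still need a ticket: no ticket yet and product not ignored."""
    known = existing_ticket_cves(tickets)
    ignored = {p.lower() for p in ignore_products}
    new = []
    for row in conn.execute("SELECT id, summary, product, cvss FROM cve ORDER BY id"):
        cve_id, _, product, _ = row
        if cve_id in known or product.lower() in ignored:
            continue
        new.append(row)
    return new

def issue_payload(row, project="SEC"):
    """Jira REST create-issue body; the CVE id leads the summary so later runs can dedupe."""
    cve_id, summary, product, cvss = row
    return {"fields": {"project": {"key": project}, "issuetype": {"name": "Task"},
                       "summary": f"{cve_id}: {product} -- {summary}",
                       "description": f"CVSS {cvss}: {summary}"}}
```

A real run would replace the `tickets` list with a JQL search against the Jira account mentioned above and POST each payload to the issue endpoint.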

