You are not logged in.

Announcement

 Téléchargez la dernière version stable de GLPI      -     Et vous, que pouvez vous faire pour le projet GLPI ? :  Contribuer
 Download last stable version of GLPI                      -     What can you do for GLPI ? :  Contribute

Pages: 1

#1 2019-05-29 11:43:39

linker3000
Member
Registered: 2010-03-04
Posts: 56

Software Inventory - Check Against CVE/NVD

Has anyone implemented a link between the GLPI software inventory database and the CVE (Common Vulnerabilities and Exposures) or NVD (National Vulnerability Database) so that tickets can be raised automatically against software that has reported vulnerabilities.

If not, that would make a great plugin, but alas, I am not a good coder!

Offline

#2 2019-05-29 15:44:36

Jean-Christophe
Moderator
Registered: 2007-08-22
Posts: 734

Re: Software Inventory - Check Against CVE/NVD

Hello,
I'm looking into IVA (https://github.com/lbenthins/iva)
It uses the GLPI software database.
More to come when I will try it smile

Offline

#3 2020-11-28 17:04:38

Mitsch94
Member
Registered: 2020-11-28
Posts: 2

Re: Software Inventory - Check Against CVE/NVD

Hello,

I would like to bring up this topic again, because IVA will probably not be developed further and many used modules are unfortunately not supported since the beginning of 2020.

Does anyone here have any idea how this could still be implemented?

Greetings from Germany
Mitsch94

Offline

#4 2020-11-29 06:09:07

cconard96
Moderator
Registered: 2018-07-31
Posts: 2,411
Website

Re: Software Inventory - Check Against CVE/NVD

I've messed around with several ideas for a similar plugin. I've uploaded what I have so far here (far from production-ready):
https://github.com/cconard96/glpi-cve-plugin

It requires that you have a "cve-search" server or container running much like the "iva" solution above to host a database of CVE information and manage updating it from official sources.
Right now, my plugin needs to add something similar to the dictionaries used by GLPI because it is unlikely your inventory in GLPI matches the CVE vendor and product names exactly.
For example, you may have "Microsoft Corporation" when the vendor name has to be "Microsoft".
It also needs to cache some CVE information in GLPI's DB because for some products due to the shear amount of information returned from the cve-search API.

GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.
Mes commentaires non anglais sont des traductions automatiques. Désolé pour toute confusion qui cause.
Mis comentarios que no están en inglés son traducciones automáticas. Perdón por cualquier confusión que cause.

Offline

#5 2020-11-29 11:29:26

Mitsch94
Member
Registered: 2020-11-28
Posts: 2

Re: Software Inventory - Check Against CVE/NVD

cconard96 wrote:

I've messed around with several ideas for a similar plugin. I've uploaded what I have so far here (far from production-ready):

It requires that you have a "cve-search" server or container running much like the "iva" solution above to host a database of CVE information and manage updating it from official sources.
Right now, my plugin needs to add something similar to the dictionaries used by GLPI because it is unlikely your inventory in GLPI matches the CVE vendor and product names exactly.
For example, you may have "Microsoft Corporation" when the vendor name has to be "Microsoft".
It also needs to cache some CVE information in GLPI's DB because for some products due to the shear amount of information returned from the cve-search API.

thank you very much - I will have a look and try it big_smile

Last edited by Mitsch94 (2020-11-29 11:47:27)

Offline

#6 2020-11-30 08:31:10

Jean-Christophe
Moderator
Registered: 2007-08-22
Posts: 734

Re: Software Inventory - Check Against CVE/NVD

cconard96 wrote:

I've messed around with several ideas for a similar plugin. I've uploaded what I have so far here (far from production-ready):
https://github.com/cconard96/glpi-cve-plugin

It requires that you have a "cve-search" server or container running much like the "iva" solution above to host a database of CVE information and manage updating it from official sources.
Right now, my plugin needs to add something similar to the dictionaries used by GLPI because it is unlikely your inventory in GLPI matches the CVE vendor and product names exactly.
For example, you may have "Microsoft Corporation" when the vendor name has to be "Microsoft".
It also needs to cache some CVE information in GLPI's DB because for some products due to the shear amount of information returned from the cve-search API.

Hi,

This looks very promising ..

I never made the IVA setup fully functional and I moved on to something... But the idea is still there and your plugin looks very interesting.
I will follow this closely !

It's a shame I have no development skills... I would have been glad to help :-/

Offline

#7 2021-04-28 10:58:17

Jean-Christophe
Moderator
Registered: 2007-08-22
Posts: 734

Re: Software Inventory - Check Against CVE/NVD

cconard96 wrote:

I've messed around with several ideas for a similar plugin. I've uploaded what I have so far here (far from production-ready):
https://github.com/cconard96/glpi-cve-plugin

It requires that you have a "cve-search" server or container running much like the "iva" solution above to host a database of CVE information and manage updating it from official sources.
Right now, my plugin needs to add something similar to the dictionaries used by GLPI because it is unlikely your inventory in GLPI matches the CVE vendor and product names exactly.
For example, you may have "Microsoft Corporation" when the vendor name has to be "Microsoft".
It also needs to cache some CVE information in GLPI's DB because for some products due to the shear amount of information returned from the cve-search API.

Hi,

What is the status of the plugin ?
Do you need anything to make progress ? Can I help ?

Thanks a lot !

Offline

#8 2021-05-04 14:55:34

doesntMatter
Member
Registered: 2016-07-06
Posts: 106

Re: Software Inventory - Check Against CVE/NVD

woow, that's cool! Is it possible to use it or do you need a bit more finetuning?

Offline

#9 2021-05-04 16:00:38

cconard96
Moderator
Registered: 2018-07-31
Posts: 2,411
Website

Re: Software Inventory - Check Against CVE/NVD

It doesn't seem compatible with the newer CVE-search servers which I'll look at later.
Beyond that, it currently times out for software with a lot of CVEs since none of that information is cached and, at least previously, their API didn't have the right options for me to get only a few results at a time and paginate them.

I'm more focused on the core GLPI development right now but I welcome any community contributions.

GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.
Mes commentaires non anglais sont des traductions automatiques. Désolé pour toute confusion qui cause.
Mis comentarios que no están en inglés son traducciones automáticas. Perdón por cualquier confusión que cause.

Offline

#10 2021-05-05 09:35:01

Jean-Christophe
Moderator
Registered: 2007-08-22
Posts: 734

Re: Software Inventory - Check Against CVE/NVD

Thanks for your feedback.

I wish I could help you with the development but I have no skill in PHP development at all !
All I can do is test and report (and help with some Powershell scripts if you need).
I feel useless :-(

Offline

#11 2021-06-14 15:05:51

doesntMatter
Member
Registered: 2016-07-06
Posts: 106

Re: Software Inventory - Check Against CVE/NVD

Jean-Christophe wrote:

Thanks for your feedback.

I wish I could help you with the development but I have no skill in PHP development at all !
All I can do is test and report (and help with some Powershell scripts if you need).
I feel useless :-(

PHP isn't that difficult, dont worry :-)
Unfortenately my time is to limited due the current situation.

Last edited by doesntMatter (2021-06-14 15:06:05)

Offline

Pages: 1

Board footer

Powered by FluxBB