Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • 06:12

    adulau on master

    Update search.py maintain same… Update CVEs.py maintain functi… Update DatabaseLayer.py - getC… and 24 more (compare)

  • Sep 19 05:24
    cstayyab opened #375
  • Sep 18 20:04
    adulau closed #373
  • Sep 18 20:04
    adulau commented #373
  • Sep 18 19:32

    adulau on v2.3

    (compare)

  • Sep 18 19:22
    adulau commented #374
  • Sep 18 19:22

    adulau on master

    Update search.html Create filters2.html Update table.html and 5 more (compare)

  • Sep 18 19:22
    adulau closed #374
  • Sep 18 12:44
    faaizshah commented #373
  • Sep 18 12:40
    adulau closed #371
  • Sep 18 12:40
    adulau commented #371
  • Sep 18 12:34

    adulau on master

    chg: [doc] Python 3.6 required (compare)

  • Sep 18 09:06
    FafnerKeyZee commented #371
  • Sep 18 08:47
    adulau labeled #373
  • Sep 18 08:47
    adulau commented #373
  • Sep 18 08:37

    adulau on master

    chg: [db_mgmt_json] improve the… (compare)

  • Sep 18 07:51

    adulau on master

    chg: [db_mgmt_json] force optio… (compare)

  • Sep 17 13:41
    faaizshah commented #373
  • Sep 17 12:07
    FafnerKeyZee commented #348
  • Sep 17 10:39
    FafnerKeyZee commented #372
CriimBow
@CriimBow
Where as I imagine 2 collections and in the CVE collection an attribute like : "NVD": "Yes or No"
Pidgey
@PidgeyL
and run clean-up scripts when people want to disable the feature again after testing it?
CriimBow
@CriimBow
Yes, why not
You should probably contact @adulau by email because the last time he didn't answer (on the question of his conference where he was talking about vuln geolocation)
Pidgey
@PidgeyL
because you could organize the data in other ways, that allows for smooth re-orientation of data, without the need for clean-up scripts. One of the things I'm thinking about, is that not all sources have all the data, but some may be more credible than others. This would allow for a cascading data source (xforce provides the CVSS, microsoft provides the summary, etc)
I DM'd him on twitter as well
CriimBow
@CriimBow
Yes, but the problem is that we'll have duplicate CVEs when they come out on the NVD and were already in the blue DB (non-NVD DB)
Pidgey
@PidgeyL
not necessarily. All it takes to avoid that is to put a plug-in hook in the db_updater script
CriimBow
@CriimBow
I don't know
For me, a same CVE collection remains the best solution because if you don't want it you just have not to run the plug in. And if you want the plugin, you only have to look at one place to get all your CVEs.
And if you (by a BIG MISTAKE) run the plugin and want to delete the non-oficial CVEs, you just have to run the clean-up script
CriimBow
@CriimBow
Do you have some news ?
Steve Clement
@SteveClement
I shall bump this ;)
Steve Clement
@SteveClement
This issue can be closed: cve-search/cve-search#272
I will go through the issues while trying to get cve-search working on my side.
It currently does not work if you follow the README.
Steve Clement
@SteveClement
FYI: There is apparently an imminent backend change that will make things work more smoothly.
Cyrille Bollu
@StCyr
@SteveClement I've written a PR to improve the documentation: cve-search/cve-search#311
Jean-Christophe-P
@Jean-Christophe-P
Hello
Is there still a few people around here? :-)
Is there any other way to get support? A forum, a wiki, else ?
I'm having some difficulties to make this work behind a proxy. It should not be so complicated but I have issue I can't work around.
Philippe Ombredanne
@pombredanne
@Jean-Christophe-P welcome :)
Steve Clement
@SteveClement
Not sure...
I personally have no proxy setup, but as the proxy thing seems to pop-up regularly, I guess I need to arrange something....
gustavokotarsky
@gustavokotarsky
api is down?
Pidgey
@PidgeyL
@gustavokotarsky we've been having a lot of traffic, and lately cve.circl.lu started to throttle to handle the load
pranavmondhe
@pranavmondhe
Hi guys i want to use this cve-search tool on my yocto image. Are there any steps to do?
Philippe Ombredanne
@pombredanne
@pranavmondhe can you be more specific?
pranavmondhe
@pranavmondhe
@pombredanne Hi Thanks for reaching out to me. My plan is to run the script on yocto O.S which has kernel -v3.14.28 to get so CVEs. I am running python 2.7 on yocto.
Philippe Ombredanne
@pombredanne
@pranavmondhe but which script are you talking about?
cve-search is not a code scan tool :)
pranavmondhe
@pranavmondhe
@pombredanne Okay so on this site : https://github.com/cve-search/cve-search . Do this tool searches for CVE on yocto embedded image?
Philippe Ombredanne
@pombredanne
@pranavmondhe absolutely not. This tools aggregates CVE-related data from multiple sources and provides a correlated data model that is exposed as a web app and JSON API at https://cve.circl.lu/
@pranavmondhe now if you have the list of packages and versions installed on your device, then you could use it to search for CVE.
pranavmondhe
@pranavmondhe
@pombredanne Okay- so i think this tool is not for me i suppose. :(
Philippe Ombredanne
@pombredanne
@pranavmondhe there is no FOSS tool that I know of that does what you need. For yocto this would have to be part of the build
pranavmondhe
@pranavmondhe
@pombredanne Fair point. Thanks. We have third party vendor who builds yocto image on our linux embedded system(ARM), so i thought if there is any direct tool in python/shell script if i can run on the yocto image itself and see for CVEs.
Okay - i my next goal is to built up the yocto image, include python3 and add cve layer init and scan through for CVEs i suppose.
Philippe Ombredanne
@pombredanne
that would be the only sane way I can think of :)
carey-at-xq
@carey-at-xq
Hi there. I'm in the process of setting up a cve-search instance on DigitalOcean, and the initial import of the cpe dictionary has so far taken almost 2 hours, on a droplet (vm) with 8GB of RAM and 2 CPUs. There's been no onscreen feedback since the initial Preparing [##################################################] 310355/310355, so I can't really tell if the job is hung or not.
ps aux gives me this:
cat 1319 0.4 8.0 875628 658980 pts/1 Sl+ 11:27 0:27 python3 ./db_mgmt_cpe_dictionary.py
Any assistance graciously accepted :-)
Philippe Ombredanne
@pombredanne
@PidgeyL @adulau ping ^
would this ring a bell?
carey-at-xq
@carey-at-xq
I guess I just didn't wait long enough. I left a day for the CPE dictionary, a day for the updater and a day for CPE Other. It completed, when I ignored it. Thanks. The documentation should probably say "several hours" rather than "> 45 minutes". While technically correct, it's a wild underestimate in my experience.
Thanks :-)
Philippe Ombredanne
@pombredanne
@carey-at-xq this could very much be a DigitalOcean issue
carey-at-xq
@carey-at-xq
Yes, it could. Thank you @pombredanne
Philippe Ombredanne
@pombredanne
:)