CVE Scheduler

SW360 CVE Schedules

How to use SW360 CVE schedule

SW360 gets vulnerability information from Common Vulnerability Enumeration (CVE) data. SW360 can connect to your local cve-search server.
Few years ago, sw360 was able to get vulnerability information from online CVE serverr, but it is not active.

cve-search is a tool to import CVE (Common Vulnerabilities and Exposures) and CPE (Common Platform Enumeration) into a MongoDB to facilitate search and processing of CVEs. You can choose Docker install or Native install.

Docker Installation Github repo

Only clone and “docker-compose up”.

 $ git clone https://github.com/cve-search/CVE-Search-Docker.git
 $ cd CVE-Search-Docker
 $ docker-compose up 
  1. Clone source
    $ git clone https://github.com/cve-search/cve-search
    $ cd cve-search
    $ git checkout {tag/branch}
  1. Install system requirements
    $ sudo apt-get install -y < requirements.system
  1. Install CVE-Search and its Python dependencies
    pip3 install -r requirements.txt
  1. Install mongodb

    $ wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | sudo apt-key add -

    $ codename=$(lsb_release --codename --short)

    $ echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu ${codename}/mongodb-org/4.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.4.list
    $ sudo apt-get update
    
    $ sudo apt-get install -y mongodb-org

    $ sudo systemctl daemon-reload

    $ sudo systemctl start mongod

    # Verify status of mongodb
    $ sudo systemctl status mongod

    # if all is ok, enable mongodb to start on system startup
    $ sudo systemctl enable mongod
  1. Populating the database
    $ sudo apt-get install redis redis-server

    #modify: stop-writes-on-bgsave-error yes -> no
    $ sudo vim /etc/redis/redis.conf

    $ sudo systemctl daemon-reload

    $ sudo systemctl restart redis

    $ ./sbin/db_mgmt_cpe_dictionary.py -p
    
    $ ./sbin/db_mgmt_json.py -p
    
    $ ./sbin/db_updater.py -c # This will take > 45minutes on a decent machine, please be patient
  1. Updating the database
    $ ./sbin/db_updater.py -v
  1. Starting and stopping the web-server
    # Install psutil >= 5.7.0
    $ pip3 install psutil>=5.7.0

    # Starting web server
    $ python3 web/index.py

Default Web server: http://localhost:5000

To stop the server, press the CTRL+C

Note: By default CVE-Search takes assumptions on certain configuration aspects of the application, you can adjust

    $ cd cve-search
    $ cp etc/configuration.ini.sample etc/configuration.ini
    $ vim etc/configuration.ini

Setup SW360 with CVE server

  1. Change default CVE server

Change cvesearch.host with CVE server address.

    $ vim ${SW360_DIR_INSTALL}/backend/src/src-cvesearch/src/main/resources/cvesearch.properties
  1. Setting for schedule the CVE service

The offset (first run of the update) and the interval between updates can also be adjusted.

    $ vim ${SW360_DIR_INSTALL}/backend/src/src-schedule/src/main/resources/sw360.properties

The offset has to be given in seconds since midnight and also the interval has to be entered in seconds. The default is to update the vulnerabilities by CVEsearch every night at midnight, which corresponds to an offset of 0 and an interval of 24 hours (= 86400 seconds).

According to the default settings, cveSearch is not auto-started with the scheduling service. If want to auto start autostart = cvesearchService

  1. Schedule task Adminstration

View and start/stop schedule

Click Admin > Schedule

Reference

CVE guide: [https://cve-search.github.io/cve-search/database/database.html]

User Scheduling CVE Search by Admins: [https://github.com/eclipse/sw360/wiki/User-Scheduling-CVE-Search-by-Admins]

Last modified June 22, 2022: SW360 website remodeling (#9) (3e6e7da)