CVE Scheduler

SW360 CVE Schedules

How to use SW360 CVE schedule

SW360 gets vulnerability information from Common Vulnerabilities and Exposures (CVE) data. SW360 can connect to your local cve-search server.
A few years ago, SW360 was able to get vulnerability information from an online CVE server, but that server is no longer active.

cve-search is a tool to import CVE (Common Vulnerabilities and Exposures) and CPE (Common Platform Enumeration) into a MongoDB to facilitate search and processing of CVEs. You can choose Docker install or Native install.

Docker Installation (GitHub repo)

Clone the repository and run “docker-compose up”.

    $ git clone https://github.com/cve-search/CVE-Search-Docker.git
    $ cd CVE-Search-Docker
    $ docker-compose up

Native Installation

  1. Clone source
    $ git clone https://github.com/cve-search/cve-search
    $ cd cve-search
    $ git checkout {tag/branch}
  1. Install system requirements
    # apt-get does not read package names from stdin, so pass them through xargs
    $ xargs sudo apt-get install -y < requirements.system
  1. Install CVE-Search and its Python dependencies
    $ pip3 install -r requirements.txt
  1. Install mongodb

    $ wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | sudo apt-key add -

    $ codename=$(lsb_release --codename --short)

    $ echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu ${codename}/mongodb-org/4.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.4.list
    $ sudo apt-get update
    
    $ sudo apt-get install -y mongodb-org

    $ sudo systemctl daemon-reload

    $ sudo systemctl start mongod

    # Verify status of mongodb
    $ sudo systemctl status mongod

    # if all is ok, enable mongodb to start on system startup
    $ sudo systemctl enable mongod
  1. Populating the database
    $ sudo apt-get install redis redis-server

    #modify: stop-writes-on-bgsave-error yes -> no
    $ sudo vim /etc/redis/redis.conf

    $ sudo systemctl daemon-reload

    $ sudo systemctl restart redis

    $ ./sbin/db_mgmt_cpe_dictionary.py -p
    
    $ ./sbin/db_mgmt_json.py -p
    
    $ ./sbin/db_updater.py -c # This will take > 45minutes on a decent machine, please be patient
  1. Updating the database
    $ ./sbin/db_updater.py -v
  1. Starting and stopping the web-server
    # Install psutil >= 5.7.0 (quoted so the shell does not treat ">" as a redirect)
    $ pip3 install 'psutil>=5.7.0'

    # Starting web server
    $ python3 web/index.py

Default Web server: http://localhost:5000

To stop the server, press CTRL+C.

Note: By default, CVE-Search makes assumptions about certain configuration aspects of the application. You can adjust them:

    $ cd cve-search
    $ cp etc/configuration.ini.sample etc/configuration.ini
    $ vim etc/configuration.ini

Setup SW360 with CVE server

  1. Change default CVE server

Set cvesearch.host to the address of your CVE server.

    $ vim ${SW360_DIR_INSTALL}/backend/src/src-cvesearch/src/main/resources/cvesearch.properties
  1. Configure the schedule for the CVE service

The offset (first run of the update) and the interval between updates can also be adjusted.

    $ vim ${SW360_DIR_INSTALL}/backend/src/src-schedule/src/main/resources/sw360.properties

The offset has to be given in seconds since midnight and also the interval has to be entered in seconds. The default is to update the vulnerabilities by CVEsearch every night at midnight, which corresponds to an offset of 0 and an interval of 24 hours (= 86400 seconds).

With the default settings, cveSearch is not auto-started with the scheduling service. To start it automatically, set autostart = cvesearchService.

  1. Schedule task administration

View and start/stop schedule

Click Admin > Schedule
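
The schedule settings described above (offset in seconds since midnight, interval in seconds, optional autostart) can be sanity-checked before deployment. The script below is an added example, not part of SW360 or this guide. The property key names `schedule.cvesearch.firstOffset.seconds` and `schedule.cvesearch.interval.seconds`, the comma-separated form of `autostart`, and the function names are assumptions to adapt to your `sw360.properties`.

```shell
#!/bin/sh
# Added example (not SW360 code): sanity-check the CVE schedule settings.
# The two key names below are assumptions; match them to your sw360.properties.
OFFSET_KEY="schedule.cvesearch.firstOffset.seconds"
INTERVAL_KEY="schedule.cvesearch.interval.seconds"

# prop FILE KEY -> value of the last "KEY = value" line, skipping comment lines
prop() {
    awk -v k="$2" '
        /^[ \t]*[#!]/ { next }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t\r]/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == k) v = val
        }
        END { print v }' "$1"
}

# Plain decimal integer without sign or leading zeros
is_uint() { case $1 in ''|*[!0-9]*|0?*) return 1 ;; esac; return 0; }

# check_cve_schedule FILE -> 0 ok, 1 invalid value, 2 valid but not autostarted
check_cve_schedule() {
    offset=$(prop "$1" "$OFFSET_KEY");     offset=${offset:-0}          # default from the guide
    interval=$(prop "$1" "$INTERVAL_KEY"); interval=${interval:-86400}  # default from the guide
    autostart=$(prop "$1" autostart)

    # The offset is seconds since midnight, so it must fall inside one day.
    if ! is_uint "$offset" || [ "$offset" -ge 86400 ]; then
        echo "FAIL: offset '$offset' is not in 0..86399 seconds"; return 1
    fi
    if ! is_uint "$interval" || [ "$interval" -eq 0 ]; then
        echo "FAIL: interval '$interval' is not a positive number of seconds"; return 1
    fi
    printf 'first run at %02d:%02d:%02d, then every %d s\n' \
        $((offset / 3600)) $((offset % 3600 / 60)) $((offset % 60)) "$interval"

    # Without autostart the update only runs after an admin starts it (Admin > Schedule).
    # Assumption: autostart may hold a comma-separated list of services.
    case ",$(printf '%s' "$autostart" | tr -d ' ')," in
        *,cvesearchService,*) return 0 ;;
    esac
    echo "WARN: cvesearchService is not in autostart; start it under Admin > Schedule"
    return 2
}

if [ "$#" -gt 0 ]; then check_cve_schedule "$1"; fi
```

Run it with the path to `sw360.properties` as its only argument; exit status 2 means the values are valid but the CVE update will not start on its own.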

Reference

CVE guide: [https://cve-search.github.io/cve-search/database/database.html]

User Scheduling CVE Search by Admins: [https://github.com/eclipse/sw360/wiki/User-Scheduling-CVE-Search-by-Admins]

Last modified June 22, 2022: SW360 website remodeling (#9) (032e0f6)