About security vulnerability importers
This topic describes the conversion mechanism used by a security vulnerability importer, the importer shipped with BMC Network Automation, and a sample stylesheet that you can use as a template.
A security vulnerability importer converts a vendor's source file into the BMC Network Automation internal format, then parses that internal format to populate a security vulnerability into the BMC Network Automation security vulnerability database. An importer can convert a vendor's source file in one of the following ways:
- Conversion using a stylesheet: If the vendor provides an XML file, you can develop a stylesheet using the XSLT version 2.0 syntax that parses the XML file into the internal XML format that is supported by BMC Network Automation.
- Conversion using an executable script or program: If the vendor provides any other type of file that can be parsed, you can develop a script or program and place it in the BCAN_DATA\endorsed directory. This script or program converts the source file into the internal XML format. The script or program must accept one argument that specifies the name of the source file, and must print the converted results to its standard output (stdout). The program or script must exit with a return code of 0 to indicate success, and any other value to indicate failure.
- No conversion: A manually generated file that is already in the BMC Network Automation internal XML format needs no conversion.
Importer shipped with BMC Network Automation
BMC Network Automation is shipped with one canned importer, named Import Cisco Advisory From CVRF XML File, which supports the import of security advisories from the Cisco Common Vulnerability Reporting Framework (CVRF) repository. This importer uses a stylesheet that detects references to the supported devices in Cisco's CVRF files. You might want to use this importer's stylesheet as an example to develop your own stylesheets. When you upgrade BMC Network Automation, the stylesheet of this importer is replaced by the shipped version. If you have customized this stylesheet, it will be saved in a backup version of the importer. You can delete the backup importer if not needed.
BMC Network Automation internal XML format
The BMC Network Automation internal format defines an XML structure that captures all the attributes of a security vulnerability supported by BMC Network Automation. The exact format is defined in the SecurityVulnerability.xsd file, which is included in the BCAN_HOME\public\bmc\bca-networks\xml directory.
The following is an example of the BMC Network Automation internal format that includes all the available elements. You can use this format as a template.
<?xml version="1.0" encoding="UTF-8"?>
<securityVulnerability>
    <!-- id and title are required -->
    <id> unique ID string within the vendor (required) </id>
    <title> a descriptive title (required) </title>
    <!-- the rest is optional -->
    <status> string describing state of this report </status>
    <!-- date/time this report was initially released; must match format
         yyyy-MM-dd'T'HH:mm:ss or yyyy-MM-dd'T'HH:mm:ssX (per java SimpleDateFormat syntax) -->
    <initialRelease>2014-05-21T16:00:00</initialRelease>
    <!-- dotted set of numbers; used when re-importing to detect a newer version of an existing vulnerability -->
    <version>1.0</version>
    <!-- URL to vendor's full report, since what is imported is a summary -->
    <notificationUrl> http://URL </notificationUrl>
    <!-- identifier(s) into Mitre's CVE database -->
    <cveId> CVE-2013-5503 </cveId>
    <cveId> CVE-2013-5504 </cveId>
    <!-- can have multiple cveId tags -->
    <!-- severity, ranges from 0.0 to 10.0 -->
    <baseScore> 7.0 </baseScore>
    <!-- product(s) that are vulnerable to the security threat, one per operating system version -->
    <product>
        <affectedProductName> descriptive name of the product </affectedProductName>
        <affectedOsVersion> vulnerable version that can be mapped to a BNA version string </affectedOsVersion>
        <deviceType> Cisco IOS Switch/Router </deviceType> <!-- name or GUID -->
    </product>
    <product>
        <affectedProductName> descriptive name of the product </affectedProductName>
        <unenforceableVersion> some version that cannot be mapped to a BNA version string </unenforceableVersion>
    </product>
    <description> detailed description of the issue </description>
    <description> ...can have multiple descriptions </description>
    <remediation> instructions for working around or correcting the issue </remediation>
    <remediation> ...can have multiple remediations </remediation>
</securityVulnerability>
This template includes the following elements:
| Element | Description |
|---|---|
| id | (Required) This element must appear only once. It contains the unique identifier or name of the security vulnerability, advisory, bulletin, or issue using the naming conventions that are defined by the vendor. Its value must be unique within a vendor. It is used to locate an existing security vulnerability when updating. |
| title | (Required) This element must appear at least once. It contains text that summarizes the nature of the security vulnerability. |
| status | (Optional) This element can appear only once. It contains text that describes the current state of the security vulnerability. |
| initialRelease | (Optional) This element can appear only once. It contains the date/time the security vulnerability was first published. It must match one of the following formats (as per Java SimpleDateFormat syntax): yyyy-MM-dd'T'HH:mm:ss or yyyy-MM-dd'T'HH:mm:ssX |
| version | (Optional) This element can appear only once. It contains the latest version of the security vulnerability, usually a dotted numerical version string (for example, 1.2.3). It is used to determine if an existing security vulnerability is older than the one being imported. Only newer versions are imported successfully. |
| notificationUrl | (Optional) This element can appear only once. It contains the link to the vendor's page, which contains complete details about the security vulnerability. |
| cveId | (Optional) This element can appear any number of times. It contains the Common Vulnerabilities and Exposures (CVE) identifiers from the central CVE database. |
| baseScore | (Optional) This element can appear any number of times. It contains the numerical severity of the security vulnerability, ranging from 0.0 to 10.0. The highest value is used when this element appears more than once. |
| product | (Optional) This element can appear any number of times. It contains information about one product affected by the security vulnerability. |
| affectedProductName (child of product) | (Optional) This element can appear only once. It contains text that describes one particular product, model, or operating system affected by the security vulnerability. |
| affectedOsVersion (child of product) | (Optional) This element can appear only once. It contains text specifying one particular operating system version that is at risk. The OS version should be expressed by using the same syntax as the OS versions discovered by BMC Network Automation for devices of the affected type, or as close as possible. Once the OS Image Name Conversions defined in the importer are applied, the OS version should look like a version string that you would see associated with a device. Use Admin > Network Admin > OS Images to review your image library and closely observe the image names and their formats. Be aware of delimiters (such as dots, commas, parentheses, dashes, and spaces) that the security vulnerability report might not include or might format differently. |
| deviceType (child of product) | (Optional) This element can appear only once. It contains the name or GUID of the device type associated with the devices that are running the affected OS version. This element is used when generating a rule to make the rule applicable to the device type, when a vulnerability refers to only one device type. If there are several different device types or no device types, the generated rule is applicable to all device types. If this element refers to a disabled device type or the value does not map to a known device type, it is ignored. |
| unenforceableVersion (child of product) | (Optional) This element can appear only once. It contains text specifying an operating system that lacks any version that can be matched to a specific device OS version string. This might be a very broad version or a generalized description of an operating system (for example, "all 6509 models"). This text is displayed when viewing this vulnerability (because it might still apply to your network), but cannot be converted into a pattern appropriate for use in a rule, thus making it unenforceable. |
| description | (Optional) This element can appear any number of times. It contains text that describes details about the nature of the security vulnerability, its impact, and so on. |
| remediation | (Optional) This element can appear any number of times. It contains text that describes what steps might be taken to mitigate, correct, or avoid the security vulnerability. |
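The following added example (not BMC's shipped importer, and not code from this page) ties together the script contract described under "Conversion using an executable script or program" and the internal XML format above: it reads a constructed JSON advisory whose key names are this example's own, validates the fields the importer would reject (missing id or title, an initialRelease outside the SimpleDateFormat patterns, a baseScore outside 0.0 to 10.0), emits the elements in template order, and returns 0 only on success.

```python
"""Added example, not BMC's shipped importer: converts a constructed JSON advisory into
the BMC Network Automation internal XML format under the script contract described above."""
import json, re, sys, xml.etree.ElementTree as ET

# yyyy-MM-dd'T'HH:mm:ss plus an optional SimpleDateFormat 'X' zone (Z, +hh, +hhmm, +hh:mm)
RELEASE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(Z|[+-]\d{2}(:?\d{2})?)?$")

# Constructed sample input, not a real advisory; the JSON key names are this example's own.
SAMPLE_ADVISORY = {
    "id": "vendor-adv-0001", "title": "Example advisory", "status": "Final", "version": "1.1",
    "initialRelease": "2014-05-21T16:00:00Z", "cveIds": ["CVE-2013-5503"], "baseScore": 7.0,
    "products": [{"name": "Example IOS", "osVersion": "15.2(4)M", "deviceType": "Cisco IOS Switch/Router"},
                 {"name": "Example chassis", "unenforceable": "all 6509 models"}],
    "remediations": ["Upgrade to a fixed release."]}

def convert(advisory):
    """Build the internal XML in template order; raise ValueError on input the importer rejects."""
    if not advisory.get("id") or not advisory.get("title"):
        raise ValueError("id and title are required")
    root = ET.Element("securityVulnerability")
    for key in ("id", "title", "status", "initialRelease", "version", "notificationUrl"):
        if key in advisory:
            if key == "initialRelease" and not RELEASE_RE.match(advisory[key]):
                raise ValueError("initialRelease must be yyyy-MM-dd'T'HH:mm:ss[X]")
            ET.SubElement(root, key).text = str(advisory[key])
    for cve in advisory.get("cveIds", []):
        ET.SubElement(root, "cveId").text = cve
    if "baseScore" in advisory:
        score = float(advisory["baseScore"])
        if not 0.0 <= score <= 10.0:
            raise ValueError(f"baseScore {score} is outside 0.0-10.0")
        ET.SubElement(root, "baseScore").text = f"{score:.1f}"
    for prod in advisory.get("products", []):
        p = ET.SubElement(root, "product")
        ET.SubElement(p, "affectedProductName").text = prod["name"]
        if "osVersion" in prod:  # maps to a BNA version string, so a generated rule can enforce it
            ET.SubElement(p, "affectedOsVersion").text = prod["osVersion"]
            if "deviceType" in prod:
                ET.SubElement(p, "deviceType").text = prod["deviceType"]
        else:  # shown to the user but cannot become a rule pattern
            ET.SubElement(p, "unenforceableVersion").text = prod["unenforceable"]
    for tag in ("description", "remediation"):
        for text in advisory.get(tag + "s", []):
            ET.SubElement(root, tag).text = text
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")

if __name__ == "__main__":  # contract: one source-file argument, XML on stdout, 0 only on success
    try:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sys.stdout.write(convert(json.load(fh)))
    except Exception as exc:  # any failure, including a missing argument, must exit non-zero
        sys.exit(f"conversion failed: {exc}")  # sys.exit(str) prints to stderr and returns 1
```

Save the sample dictionary as a JSON file and pass its name as the single argument to see the script behave the way the importer expects; an unreadable file, a malformed date or an out-of-range score all produce a message on stderr and a return code of 1.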