Important

This version of the product has reached end of support. The documentation is available for your convenience.

About security vulnerability importers

This topic describes the conversion mechanisms used by a security vulnerability importer, the importers shipped with the product, and a sample of the internal XML format that you can use as a template.

Conversion mechanisms

A security vulnerability importer converts a vendor's source file into the TrueSight Network Automation internal format, then parses that internal format to populate the TrueSight Network Automation security vulnerability database with the security vulnerability. An importer can convert a vendor's source file in one of the following ways:

  • Conversion using a stylesheet: If the vendor provides an XML file, you can develop a stylesheet using the XSLT version 2.0 syntax that transforms the XML file into the internal XML format supported by TrueSight Network Automation.
  • Conversion using an executable script or program: If the vendor provides any other type of file that can be parsed, you can develop a script or program and place it in the BCAN_DATA\endorsed directory. This script or program converts the source file into the internal XML format. The script or program must accept one argument that specifies the name of the source file, and must print the converted results to its standard output (stdout). The program or script must exit with a return code of 0 to indicate success, and any other value to indicate failure.
  • No conversion: A manually generated file that is already in the TrueSight Network Automation internal XML format and does not need conversion.

Importers shipped with TrueSight Network Automation

TrueSight Network Automation is shipped with the following canned importers:

  • Import Cisco Advisory From CVRF XML File: Supports the import of security advisories from the Cisco Common Vulnerability Reporting Framework (CVRF) repository. This importer uses a stylesheet that detects references to the supported devices in Cisco's CVRF files.
  • Import Advisories From NVD XML File: Supports the import of security advisories for the following device types from the National Vulnerability Database (NVD) repository. This importer uses a stylesheet that detects references to the TrueSight Network Automation supported devices in NVD's XML files. TrueSight Network Automation supports only version 2.0 of the NVD's XML files.

    • Aruba
    • Juniper
    • NEW IN 8.904.001 Extreme Networks
    • NEW IN 8.904.001 Hewlett Packard Enterprise (HPE) Aruba
    • NEW IN 8.904.001 Palo Alto
  • Import Cisco Advisories From NVD XML File, Published After 08/15/17: Supports the import of Cisco security advisories from the NVD repository. This importer uses a stylesheet that detects references to the supported Cisco devices in NVD's XML (version 2.0) files. This importer imports only those advisories published after August 15, 2017 (the point where the canned CVRF database stops).

You might want to use the stylesheets of these importers as examples when developing your own stylesheets. When you upgrade TrueSight Network Automation, these stylesheets are replaced by the shipped version. If you have customized any of these stylesheets, your customized version is saved in a backup copy of the importer. You can delete the backup importer if it is not needed.

TrueSight Network Automation internal XML format

The TrueSight Network Automation internal format defines an XML structure that captures all the attributes of a security vulnerability supported by TrueSight Network Automation. The exact format is defined in the SecurityVulnerability.xsd file, which is included in the BCAN_HOME\public\bmc\bca-networks\xml directory.

The following is an example of the TrueSight Network Automation internal format in 8.9.02 and earlier versions that includes all the available elements. You can use this format as a template.

<securityVulnerability>
    <!-- id and title are required -->
    <id> unique ID string within the vendor (required) </id>
    <title> a descriptive title (required) </title>

    <!-- the rest is optional -->
    <status> string describing state of this report </status>
    <!-- date/time this report was initially released; must match one of these formats:
         yyyy-MM-dd'T'HH:mm:ss
         yyyy-MM-dd'T'HH:mm:ssX
         (per java SimpleDateFormat syntax) -->
    <initialRelease>2014-05-21T16:00:00+00:00</initialRelease>
    <!-- dotted set of numbers; used when re-importing to detect a newer
         version of an existing vulnerability -->
    <version> 1.0 </version>
    <!-- URL to vendor's full report, since what is imported is a summary -->
    <notificationUrl> http://URL </notificationUrl>
    <!-- identifier(s) into Mitre's CVE database -->
    <cveId> CVE-2013-5503 </cveId>
    <cveId> CVE-2013-5504 </cveId>    <!-- can have multiple cveId tags -->
    <!-- severity, ranges from 0.0 to 10.0 -->
    <baseScore> 7.0 </baseScore>
    <!-- product(s) that are vulnerable to the security threat, one per
         operating system version -->
    <product>
       <affectedProductName> descriptive name of the product </affectedProductName>
       <affectedOsVersion> vulnerable version that can be mapped to a BNA version string </affectedOsVersion>
       <deviceType> Cisco IOS Switch/Router </deviceType> <!-- name or GUID -->
    </product>
    <product>
       <affectedProductName> descriptive name of the product </affectedProductName>
       <unenforceableVersion> some version that cannot be mapped to a BNA version string </unenforceableVersion>
    </product>
    <description> detailed description of the issue </description>
    <description> ...can have multiple descriptions </description>
    <remediation> instructions for working around or correcting the issue </remediation>
    <remediation> ...can have multiple remediations </remediation>
</securityVulnerability>

The following is an example of the TrueSight Network Automation internal format in 8.9.03 and later versions that includes all the available elements. You can use this format as a template.

<securityVulnerabilities>
    <securityVulnerability>
        <!-- id, title, and vendor are required -->
        <id> unique ID string within the vendor (required) </id>
        <title> a descriptive title (required) </title>
        <vendor> vendor GUID (required) </vendor>
        <!-- the rest is optional -->
        <status> string describing state of this report </status>
        <!-- date/time this report was initially released; must match one of these formats:
             yyyy-MM-dd'T'HH:mm:ss
             yyyy-MM-dd'T'HH:mm:ssX
             yyyy-MM-dd'T'HH:mm:ss.SSS
             yyyy-MM-dd'T'HH:mm:ss.SSSX
             (per java SimpleDateFormat syntax) -->
        <initialRelease> 2014-05-21T16:00:00.000+00:00 </initialRelease>
        <!-- dotted set of numbers; used when re-importing to detect a newer
             version of an existing vulnerability in the case of Cisco CVRF XML -->
        <version> 1.0 </version>
        <!-- date/time this report was last updated; must match the same formats as
             initialRelease; used when re-importing to detect a newer version of an
             existing vulnerability in the case of NVD XML -->
        <lastModified> 2017-07-26T16:15:23 </lastModified>
        <!-- URLs to vendor's full report, since what is imported is a summary -->
        <notificationUrl primary="true"> http://URL1 </notificationUrl>
        <notificationUrl> http://URL2 </notificationUrl>    <!-- can have multiple notificationUrl tags -->
        <!-- identifier(s) into Mitre's CVE database -->
        <cveId> CVE-2013-5503 </cveId>
        <cveId> CVE-2013-5504 </cveId>    <!-- can have multiple cveId tags -->
        <!-- severity, ranges from 0.0 to 10.0 -->
        <baseScore> 7.0 </baseScore>
        <!-- product(s) that are vulnerable to the security threat, one per
             operating system version -->
        <product>
            <affectedProductName> descriptive name of the product </affectedProductName>
            <affectedOsVersion> vulnerable version that can be mapped to a BNA version string </affectedOsVersion>
            <deviceType> Cisco IOS Switch/Router </deviceType> <!-- name or GUID -->
        </product>
        <product>
            <affectedProductName> descriptive name of the product </affectedProductName>
            <unenforceableVersion> some version that cannot be mapped to a BNA version string </unenforceableVersion>
        </product>
        <description> detailed description of the issue </description>
        <description> ...can have multiple descriptions </description>
        <remediation> instructions for working around or correcting the issue </remediation>
        <remediation> ...can have multiple remediations </remediation>
    </securityVulnerability>
</securityVulnerabilities>
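The following is an added example, not BMC's code, of the "executable script or program" conversion described under Conversion mechanisms: a Python converter that takes the source file as its only argument, writes the 8.9.03 internal format to stdout, and exits non-zero on failure. The vendor JSON layout, the vendor GUID placeholder, and the rule that a digit-leading version is mappable to a BNA version string are assumptions of this example.

```python
"""Example converter (not BMC's code): hypothetical vendor JSON -> 8.9.03 internal XML.
Contract from the page: one argument (the source file), XML on stdout, exit 0 on success."""
import json
import sys
import xml.etree.ElementTree as ET

VENDOR_GUID = "VENDOR-GUID-PLACEHOLDER"  # replace with the vendor's GUID from TrueSight NA
SAMPLE_SOURCE = json.dumps([{  # constructed sample feed; a real vendor's layout will differ
    "advisory_id": "EX-2017-0042", "summary": "Crafted packet crashes the management plane",
    "published": "2017-07-26T16:15:23", "cvss": 7.0, "cves": ["CVE-2013-5503", "CVE-2013-5504"],
    "url": "https://vendor.example/advisories/EX-2017-0042", "fix": "Upgrade to a fixed release.",
    "affected": [{"product": "Example Router", "version": "15.2(4)M", "device_type": "Cisco IOS Switch/Router"},
                 {"product": "Example Chassis", "version": "all 6509 models"}]}])

def _add(parent, tag, text, **attrs):
    ET.SubElement(parent, tag, attrs).text = str(text)

def convert(source_json):
    """Return the internal XML for every advisory in the feed; raise ValueError on an unusable record."""
    root = ET.Element("securityVulnerabilities")
    for adv in json.loads(source_json):
        if not adv.get("advisory_id") or not adv.get("summary"):
            raise ValueError("id and title are required")
        sv = ET.SubElement(root, "securityVulnerability")
        _add(sv, "id", adv["advisory_id"])
        _add(sv, "title", adv["summary"])
        _add(sv, "vendor", VENDOR_GUID)
        _add(sv, "initialRelease", adv["published"])  # yyyy-MM-dd'T'HH:mm:ss; no zone means +00:00
        _add(sv, "notificationUrl", adv["url"], primary="true")  # the URL shown in reports
        for cve in adv.get("cves", []):
            _add(sv, "cveId", cve)
        _add(sv, "baseScore", f"{float(adv['cvss']):.1f}")  # severity, 0.0 to 10.0
        for p in adv.get("affected", []):
            prod = ET.SubElement(sv, "product")
            _add(prod, "affectedProductName", p["product"])
            # Assumption: a digit-leading version maps to a BNA OS version string; broad text such as "all 6509 models" cannot become a rule pattern
            if p["version"][:1].isdigit():
                _add(prod, "affectedOsVersion", p["version"])
                _add(prod, "deviceType", p.get("device_type", ""))  # name or GUID; unknown values are ignored
            else:
                _add(prod, "unenforceableVersion", p["version"])
        _add(sv, "description", adv["summary"])
        _add(sv, "remediation", adv["fix"])
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":  # the importer runs: converter.py <source-file>
    try:
        sys.stdout.write(convert(open(sys.argv[1], encoding="utf-8").read()))
    except Exception as exc:
        sys.exit(f"conversion failed: {exc}")  # message goes to stderr, exit status is 1
```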

These templates include the following elements:

XML Element: Description

<id>: (Required) This element must appear only once. It contains the unique identifier or name of the security vulnerability, advisory, bulletin, or issue, using the naming conventions defined by the vendor. Its value must be unique within a vendor. It is used to locate an existing security vulnerability when updating.

<title>: (Required) This element must appear at least once. It contains text that summarizes the nature of the security vulnerability.

<vendor>: (Applicable for 8.9.03 and later versions) (Required) This element must appear only once. It contains the GUID of the vendor from which the security vulnerabilities that this importer processes originate.

<status>: (Optional) This element can appear only once. It contains text that describes the current state of the security vulnerability.

<initialRelease>: (Optional) This element can appear only once. It contains the date/time the security vulnerability was first published. It must match one of the following formats (per Java SimpleDateFormat syntax):
yyyy-MM-dd'T'HH:mm:ss or yyyy-MM-dd'T'HH:mm:ssX
As of version 8.9.03, it can instead match one of the following formats, which allow milliseconds in the time:
yyyy-MM-dd'T'HH:mm:ss.SSS or yyyy-MM-dd'T'HH:mm:ss.SSSX
The timezone is optional. If it is missing, timezone +00:00 (UTC or GMT) is assumed.

<version>: (Optional) This element can appear only once. It contains the latest version of the security vulnerability, usually a dotted numerical version string (for example, 1.2.3). It is used to determine whether an existing security vulnerability is older than the one being imported. Only newer versions are imported successfully.

<lastModified>: (Applicable for 8.9.03 and later versions) (Optional) This element can appear only once. It contains the date/time the security vulnerability was last modified by the vulnerability reporting source. It is used when re-importing a vulnerability to detect a newer version of an existing vulnerability in the case of NVD XML. The date/time must match one of the formats defined for the <initialRelease> element above.

<notificationUrl>: (Optional) This element can appear only once in 8.9.02 and earlier versions, and more than once in 8.9.03 and later versions. It contains the links to the vendor's pages, which contain complete details about the security vulnerability.
At least one notificationUrl should have the primary="true" attribute. The URL that has this attribute set to true appears in the TrueSight Network Automation reports.

<cveId>: (Optional) This element can appear any number of times. It contains the Common Vulnerabilities and Exposures (CVE) identifiers from the central CVE database.

<baseScore>: (Optional) This element can appear any number of times. It contains the numerical severity of the security vulnerability, ranging from 0.0 to 10.0. The highest value is used when this element appears more than once.

<product>: (Optional) This element can appear any number of times. It contains information about one product affected by the security vulnerability.

<affectedProductName>: (Optional) This element can appear only once. It contains text that describes one particular product, model, or operating system affected by the security vulnerability.

<affectedOsVersion>: (Optional) This element can appear only once. It contains text specifying one particular operating system version that is at risk. Express the OS version using the same syntax as the OS versions discovered by TrueSight Network Automation for devices of the affected type, or as close to it as possible. After the OS Image Name Conversions defined in the importer are applied, the OS version should look like a version string that you would see associated with a device. Use Admin > Network Admin > OS Images to review your image library and closely observe the image names and their formats. Be aware of delimiters (such as dots, commas, parentheses, dashes, and spaces) that the security vulnerability report might omit or format differently.

<deviceType>: (Optional) This element can appear only once. It contains the GUID of the device type associated with the devices that are running the affected OS version. When a vulnerability refers to only one device type, this element is used to make the generated rule applicable to that device type. If there are several different device types or no device types, the generated rule is applicable to all device types. If this element refers to a disabled device type, or the value does not map to a known device type, it is ignored.

<unenforceableVersion>: (Optional) This element can appear only once. It contains text specifying an operating system that lacks any version that can be matched to a specific device OS version string. This might be a very broad version or a generalized description of an operating system (for example, "all 6509 models"). This text is displayed when viewing the vulnerability (because it might still apply to your network), but it cannot be converted into a pattern appropriate for use in a rule, which makes it unenforceable.

<description>: (Optional) This element can appear any number of times. It contains text that describes details about the nature of the security vulnerability, its impact, and so on.

<remediation>: (Optional) This element can appear any number of times. It contains text that describes what steps might be taken to mitigate, correct, or avoid the security vulnerability.
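The following is an added example, not BMC's code, that checks a generated 8.9.03 document against the element rules above before it is handed to the importer: required elements and occurrence counts, the accepted date/time formats with the +00:00 default, the baseScore range, and the presence of a primary notificationUrl. The zone suffixes it accepts and the constructed sample document are assumptions of this example.

```python
"""Example validator (not BMC's code) for the 8.9.03 internal XML format described above."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
# Date/time forms from the template; the zone suffixes accepted here (Z, +HH, +HHMM, +HH:MM) are this example's reading of SimpleDateFormat's X
_DT = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d{3})?(Z|[+-]\d{2}(?::?\d{2})?)?$")
# Allowed occurrence range per element, taken from the element table (None = unbounded)
_CARD = {"id": (1, 1), "title": (1, None), "vendor": (1, 1), "status": (0, 1),
         "initialRelease": (0, 1), "version": (0, 1), "lastModified": (0, 1)}
# Constructed sample that breaks two rules: an unsupported zone form and no primary notificationUrl
SAMPLE_XML = """<securityVulnerabilities><securityVulnerability><id>EX-1</id><title>t</title>
<vendor>VENDOR-GUID-PLACEHOLDER</vendor><initialRelease>2017-07-26T16:15:23 UTC</initialRelease>
<baseScore>7.0</baseScore><notificationUrl>http://URL1</notificationUrl></securityVulnerability>
</securityVulnerabilities>"""

def parse_datetime(text):
    """Parse initialRelease/lastModified; a missing zone is taken as +00:00, as the page states."""
    m = _DT.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized date/time {text.strip()!r}")
    base = datetime.strptime(m.group(1) + (m.group(2) or ".000"), "%Y-%m-%dT%H:%M:%S.%f")
    zone = m.group(3) or "Z"
    offset = timedelta(0) if zone == "Z" else timedelta(
        hours=int(zone[1:3]), minutes=int(zone[3:].lstrip(":") or 0)) * (1 if zone[0] == "+" else -1)
    return base.replace(tzinfo=timezone(offset))

def validate(xml_text):
    """Return a list of rule violations; an empty list means the document passes."""
    problems, root = [], ET.fromstring(xml_text)
    for i, sv in enumerate(root.iter("securityVulnerability")):
        where = f"securityVulnerability[{i}]"
        for tag, (lo, hi) in _CARD.items():
            n = len(sv.findall(tag))
            if n < lo or (hi is not None and n > hi):
                problems.append(f"{where}: <{tag}> appears {n} time(s)")
        for el in sv.findall("initialRelease") + sv.findall("lastModified"):
            try:
                parse_datetime(el.text or "")
            except ValueError as exc:
                problems.append(f"{where}: <{el.tag}> {exc}")
        for el in sv.findall("baseScore"):  # may repeat (highest wins); each must be in range
            score = float(el.text) if re.fullmatch(r"\s*\d+(\.\d+)?\s*", el.text or "") else -1.0
            if not 0.0 <= score <= 10.0:
                problems.append(f"{where}: <baseScore> {el.text!r} is not within 0.0 to 10.0")
        urls = sv.findall("notificationUrl")
        if urls and not any(u.get("primary") == "true" for u in urls):
            problems.append(f'{where}: no <notificationUrl primary="true"> to show in reports')
    return problems
```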