Importing security vulnerabilities
This topic provides instructions on importing a security vulnerability into TrueSight Network Automation.
You bring security advisories or bulletins obtained from a vendor into Network Automation by importing them. Before you import one or more vendor files, you must define an importer that can parse those files. For more information about defining an importer, see Adding-or-editing-security-vulnerability-importers.
Network Automation uses the vendor associated with the security vulnerability importer together with the vulnerability's unique ID to determine whether an import file describes a new or an updated security vulnerability. For an updated security vulnerability, Network Automation compares the version supplied in Cisco CVRF XML files, or the last modified date supplied in NVD XML or JSON files, against the stored copy to decide whether the import file is newer; only newer files are imported successfully. Note that the version (Cisco CVRF XML files) and the last modified date (NVD XML/JSON files) are optional. If no version or last modified date is specified in the file being imported or in the existing vulnerability, the import process performs an update.
If the import process results in an updated security vulnerability that has associated rules, the applicable OS image patterns in those rules are updated, in which case a Refresh Device Status action is necessary to detect any new violations. An event is logged in Network Automation indicating that the rule was updated, to help you identify the need for a refresh.
Also during an update, if there are associated rules, you must have the rights to edit the associated rules. The import process fails and makes no changes if you do not have the required rights.
Do the following to import a security vulnerability:
On the Admin > Network Admin > Security Vulnerabilities page, click the Import menu option and do the following:
Enter the following information:
Importer: From the list of all importers, choose how the source file from the vendor is to be parsed into a security vulnerability in Network Automation.
File: Choose to import either a single file or a zipped archive containing any number of files. Single files and zipped archives must meet the following conditions:
- Single File: When importing a single file, it must be named with the .xml or .json extension (case-insensitive).
- Multiple Files in Zipped Archive: When importing a zipped archive, the file must be named with the .zip extension (case-sensitive). Only contained files named with the .xml or .json extension are processed. A zipped archive might be structured into arbitrary directories/folders and subdirectories/subfolders, in which case the import process traverses the entire archive. Network Automation must have enough free disk space to unzip the archive into the Java temporary directory (see the System Diagnostics report for the exact location).
Match Filenames (Optional): When you import a zipped archive, you can filter the file names selected from the archive by using an asterisk (*) as the wildcard character. For example, *.xml selects only the files named with a .xml extension.
Abort import when encounter any error (Optional): When you import a zipped archive, select this option to stop the import process as soon as an error occurs. If you are defining a new importer, this option helps you avoid being overwhelmed by too many errors while you are still debugging the importer.
Enable Automatic Rule Creation (Optional): Select this option to generate rules automatically for all the security vulnerabilities being imported.
Click Import. When the import process is complete, the status is reported file by file, and vulnerability by vulnerability (since a single input file can contain multiple vulnerabilities). The status can be one of the following values:
Added: The new security vulnerability was added to the system.
Modified: The existing security vulnerability was updated with new values from the imported file.
Skipped: The file or vulnerability was not imported, for one of the following reasons. These skips are considered minor and do not cause the import to abort.
- The filename does not match your filename filter.
- A file in the zip archive is not named with the required .xml or .json extension.
- The same vulnerability is already present in the system (as determined by version number or by modification date).
- The initial release date falls outside the importer's date filter.
- The last modification date falls outside the importer's date filter.
Failed: The vulnerability was not imported because it is invalid or because you are not allowed to modify the associated rules. These failures are considered major and cause the import to abort if you have enabled the abort-on-error option.
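To make the new-versus-update decision, the filename filtering and the resulting statuses concrete, here is an added Python model of that logic; it is not Network Automation's own code. The Vuln class, the in-memory store keyed by vendor and ID, dotted numeric version comparison and ISO-date strings for the last modified date are assumptions of the example, as are the sample IDs.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Vuln:
    vendor: str                       # vendor of the importer that parsed the file
    vuln_id: str                      # vendor's unique advisory ID
    version: Optional[str] = None     # Cisco CVRF document version, e.g. "1.1" (assumed dotted numeric)
    last_modified: Optional[str] = None  # NVD last modified date as ISO "YYYY-MM-DD" (assumed)
    has_rules: bool = False           # stored vulnerability already has associated rules


def accepted_filename(name: str, pattern: Optional[str] = None) -> bool:
    """Only .xml/.json files (case-insensitive) are processed; an optional
    Match Filenames pattern uses * as the wildcard (assumed case-sensitive)."""
    if not name.lower().endswith((".xml", ".json")):
        return False
    return pattern is None or fnmatchcase(name, pattern)


def _ver(v: str) -> tuple:
    # Assumption: "1.0" < "1.1" < "2.0"; non-numeric parts are not handled here.
    return tuple(int(p) for p in v.split("."))


def import_status(store: dict, incoming: Vuln, can_edit_rules: bool = True) -> str:
    """Return Added / Modified / Skipped / Failed for one parsed vulnerability,
    updating `store` (keyed by vendor + ID) on Added and Modified."""
    key = (incoming.vendor, incoming.vuln_id)
    existing = store.get(key)
    if existing is None:
        store[key] = incoming
        return "Added"
    # Compare versions when both sides carry one, else dates when both carry one;
    # if either side lacks the field, the page says an update is performed.
    if existing.version is not None and incoming.version is not None:
        newer = _ver(incoming.version) > _ver(existing.version)
    elif existing.last_modified is not None and incoming.last_modified is not None:
        newer = incoming.last_modified > existing.last_modified
    else:
        newer = True
    if not newer:
        return "Skipped"          # same or older copy is already present
    # An update rewrites OS image patterns in associated rules, so it needs edit rights.
    if existing.has_rules and not can_edit_rules:
        return "Failed"           # no changes are made
    incoming.has_rules = existing.has_rules
    store[key] = incoming
    return "Modified"
```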
Where to go from here
Associating-security-vulnerabilities-with-compliance-rules
Related topics
Viewing-the-security-vulnerabilities-listing-and-details
Managing-security-vulnerability-importers