Adding or editing security vulnerability importers
TrueSight Network Automation is shipped with a few canned importers. Use the procedure described in this topic if you want to add or edit your own importer.
To add or edit a security vulnerability importer
On the Admin > Network Admin > Security Vulnerability Importers page, do the following:
- Do one of the following:
  - To define a new importer, click Add. The Add Security Vulnerability Importer page is displayed.
  - To create a new importer by duplicating and editing an existing importer, click Copy.
  - To edit an existing importer, click Edit.
- Enter or update information in the following fields:
Field | Description |
---|---|
Name | Specify a unique name for the security vulnerability importer. This name appears in the list of available importers when importing a security vulnerability. |
Transform Input File Using | Specify how the source file from the vendor will be converted to an internal XML format for processing. No Conversion Necessary: source files are already in the internal format. Stylesheet: source files contain XML or JSON, which will be converted to the internal XML format by a stylesheet. Endorsed Program: source files contain text that can be parsed and converted by a program or a script to the internal XML format. |
Import Vulnerabilities from JSON | This option appears if you have selected Stylesheet as the transformation mechanism. Select this option if you want the importer to import vulnerabilities from an NVD JSON file. |
Stylesheet File | If you have selected Stylesheet as the transformation mechanism, specify the stylesheet file. Note: The file must be named with the .xsl extension (case-insensitive). Also, the file must contain legal XSLT 2.0 syntax, which is validated when you save the importer. |
Executable Program Name | If you have selected Endorsed Program as the transformation mechanism, specify the name of the program or script, which is placed in the BCAN_DATA/endorsed directory. The program or script must exist and be executable by the web server. The program must accept one argument that specifies the name of the source file to be parsed, and must print the converted results to its standard output (stdout). The program or script must exit with a return code of 0 to indicate success, and any other value to indicate failure. The program or script is given two minutes to run to completion. If the program or script does not complete within two minutes, Network Automation times out and declares it to have failed. |
Filter Input By | Specify how to filter incoming security vulnerabilities. Initial Release: import only vulnerabilities whose initial release date and time fall within the selected time period. Last Modified At Source: import only vulnerabilities whose most recent modification date and time fall within the selected time period. |
OS Image Name Conversions | (Optional) Specify how to convert a raw <affectedOsVersion> or <affectedOsVersionRange> value into a value that closely resembles the device OS image values that Network Automation discovers while it is logged on to the managed device. Click Add to specify a conversion. These conversions are ordered: the output of one conversion is passed as the input to the next conversion, and every conversion that matches is executed. Use the Drag icon to control the ordering. For more information, see OS Image Name Conversions. |
Applicable OS Image Pattern Generators | (Optional) Specify how to generate the regular expressions to be used in a compliance rule and its applicable OS image name-matching patterns. Click Add to specify a pattern generator. These generators are ordered: only the first one that matches an affected OS version is used, and subsequent ones are ignored. If none match, the default is used. Use the Drag icon to control the ordering. For more information, see Applicable OS Image Name Pattern Generators. |
- Click Save.
OS Image Name Conversions
The fields in the OS Image Name Conversion dialog box (shown in the following figure) specify how to convert a raw <affectedOsVersion> or <affectedOsVersionRange> value into a value that closely resembles a device OS image string that Network Automation discovers while it is logged on to the managed device. A vendor might not report its product versions in a security advisory or bulletin in the same format as the versions Network Automation discovers from a live device (which you can view in the OS image library). Because the <affectedOsVersion> or <affectedOsVersionRange> values are displayed when viewing the resulting imported security vulnerability, it is desirable that those values look like the device OS image values that are displayed in the rest of Network Automation. The versions are also used to generate the patterns filled into any generated compliance rule, so they need to match the device version strings closely.
The OS Image Name Conversion dialog box contains the following fields:
Field | Description |
---|---|
Input Match | Specify a regular expression for the affected OS version string to look for, with parentheses around capture groups for the data to be transferred into the output or result. |
Output Result Format | Specify the format in which to generate the result, with regular brackets around arguments to plug in data from input capture groups. |
Annotation | (Optional) Specify a description for the conversion. |
For example, a source file reports IPS device versions such as 7.1(5)E4, whereas Network Automation discovers versions such as 7.1-5-E4. The conversion shown in the OS Image Name Conversion dialog box converts the parentheses in the source string into dashes.
Applicable OS Image Name Pattern Generators
The fields in the Applicable OS Image Name Pattern Generator dialog box (shown in the following figure) specify how to convert an affected OS version or affected range of OS versions (resulting from the OS image name conversions) into a regular expression that is suitable for use in the applicable OS image patterns of a compliance rule. By default, an affected OS version, when copied into a rule, has its regular expression meta characters escaped, and gets a (,[,\,.,;\-].+|$) appended to match the trailing content. However, this conversion might not be sufficient to create a pattern that will match the device OS versions discovered by Network Automation. In the Applicable OS Image Name Pattern Generator dialog box fields, you can define how to further massage the affected OS version to generate a properly matching regular expression.
The Applicable OS Image Name Pattern Generator dialog box contains the following fields:
Field | Description |
---|---|
Input Match | Specify a regular expression for the affected OS version string to look for, with parentheses around capture groups for the data to be transferred into the output or result. |
Output Result Format | Specify the format in which to generate the resulting regular expression, with regular brackets around arguments to plug in data from input capture groups. |
Annotation | (Optional) Specify a description for the generator. |
In the example shown in the preceding figure, the affected OS version looks like IPS-K9-7.0 Base, where the trailing word Base means any version starting with 7.0. The resulting regular expression that would appear in a generated compliance rule would be IPS-K9-7\.0(-.+|$), to account for the dash being the version delimiter in the discovered IPS version strings.
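The following Python model of both dialogs is an added example, not Network Automation's own code: it runs the ordered conversion chain from the IPS 7.1(5)E4 example above and the first-match pattern generator from the IPS-K9-7.0 Base example. The `{n}` placeholder syntax for capture groups and the exact character class of the default trailer are assumptions; the page describes them only in prose.

```python
import re
from dataclasses import dataclass


@dataclass
class Rule:
    """One row of a conversion or pattern-generator dialog (assumed model)."""
    input_match: str    # regex to look for, with capture groups
    output_format: str  # result format; {1}, {2}, ... plug in capture groups (assumed syntax)
    annotation: str = ""


def _fill(fmt, m, escape):
    # Replace each {n} placeholder with capture group n, regex-escaping it when
    # the result itself must be a regular expression (pattern generators).
    def plug(tok):
        text = m.group(int(tok.group(1)))
        return re.escape(text) if escape else text
    return re.sub(r"\{(\d+)\}", plug, fmt)


def convert_os_image_name(raw, conversions):
    """Ordered chain: every conversion that matches runs, each feeding the next."""
    value = raw
    for rule in conversions:
        m = re.fullmatch(rule.input_match, value)
        if m:
            value = _fill(rule.output_format, m, escape=False)
    return value


# Appended when no generator matches; the character class is an assumed reading
# of the page's description of the default, not the product's exact string.
DEFAULT_TRAILER = r"([,.;\-].+|$)"


def generate_os_image_pattern(version, generators):
    """First matching generator wins; otherwise escape the version and add the default trailer."""
    for rule in generators:
        m = re.fullmatch(rule.input_match, version)
        if m:
            return _fill(rule.output_format, m, escape=True)
    return re.escape(version) + DEFAULT_TRAILER


def pattern_matches(pattern, discovered):
    """True if a generated rule pattern matches a discovered device OS image string."""
    return re.match(pattern, discovered) is not None


# Constructed rules mirroring the two examples on this page.
CONVERSIONS = [Rule(r"(.*)\((.*)\)(.*)", "{1}-{2}-{3}", "IPS: parentheses to dashes")]
GENERATORS = [Rule(r"IPS-K9-(\d+\.\d+) Base", "IPS-K9-{1}(-.+|$)", "Base: any version starting with 7.0")]
```

Running `convert_os_image_name("7.1(5)E4", CONVERSIONS)` yields `7.1-5-E4`, and `generate_os_image_pattern("IPS-K9-7.0 Base", GENERATORS)` yields the page's `IPS-K9-7\.0(-.+|$)`, which matches `IPS-K9-7.0-3` but not `IPS-K9-7.01`.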
Where to go from here
Importing security vulnerabilities