Name of Your Organization:
ToolsWatch
Web Site:
https://www.toolwatch.org
Compatible Capability:
vFeed API and Correlated Vulnerability/Threat Community Database
Capability home page:
https://github.com/toolswatch/vFeed
General Capability Questions
Product Accessibility <CR_2.4>
Provide a short description of how and where
your capability is made available to your customers and the public (required):
vFeed Python API & vFeed.db The Correlated Community Vulnerability and Threat Database can be downloaded using the Github service. Once the vFeed Python API is installed, users can leverage the update option to retrieve the full SQLite vFeed Vulnerability Database.
The vFeed Python API can be downloaded from the following URL:
https://github.com/toolswatch/vFeed
Or installed on any system running Python and SQLite using the following CLI:
#git clone https://github.com/toolswatch/vFeed.git
Once installed, the users can leverage the following syntax:
#python vfeedcli.py –-update or #python vfeedcli.py –u
to get the latest version of the vFeed.db database.
Mapping Questions
Map Currency Indication <CR_6.1>
Describe how and where your capability indicates the most recent CWE content used to create or update its mappings (required):
The vFeed (since version 0.5.0) uses and maps the CWE 2.8 XML (http://cwe.mitre.org/data/xml/cwec_v2.8.xml.zip) published the 31 July 2014. Whenever a CVE is exported to JSON / XML, the CWE-ID is included as part of the vulnerability description.
The changelog of vFeed API 0.5.0 indicates the use of the latest CWE content
https://github.com/toolswatch/vFeed/blob/master/CHANGELOG.md
Map Currency Update Approach <CR_6.2>
Indicate how often you plan on updating the mappings to reflect the current CWE content and describe your approach to keeping reasonably current with the CWE content when mapping them to your repository (recommended):
All new entries are added to our vFeed vulnerability community database within fifteen (15) business days. We fully rely on NVD CVE XML current year, recent and modified feeds. Once a quarter, the full XML NVD feeds are rescanned to generate a new fresh SQLite database. The previous process keeps the database up-to-date with new correlation between CVEs and CWEs.
In the other hand, vFeed has integrated since version 0.5.0 the full CWE v2.8 XML dictionary. Typically, we prioritize the mapping with the open standards such as (CWE, CAPEC, OVAL …) including the CWE/SANS Top 25 (2009, 2010 and 2011)
The python API comes as well with a statistical method to view the total of all integrated items into the vFeed vulnerability database.
/vfeedcli.py --stats get_stats
---------------------------------------------------------------
vFeed.db Statistics
Distinct values of CVEs and associated third party references
Database build (latest update date): 8222015
---------------------------------------------------------------
[+] Vulnerability Information and References
[-] Common Vulnerability Enumeration (CVE): 71851
[-] Affected Products or Common Platform Enumeration (CPE): 176742
[-] Common Weakness Enumeration (CWE) types: 496
----------- SNIP ----------------
MAP CURRENCY UPDATE TIME <CR_6.3>
Describe how and where you explain to your customers the timeframe they should expect an update of your capability’s mappings to reflect newly available CWE content (required):
Due to the complexity of the vFeed Vulnerability Database Community's update process (as we rely on more than 50 different data sources, tools, signatures and feeds), the alerts are retrieved each fifteen (15) business days. The update information is announced via different channels:
Documentation Questions
CWE AND COMPATIBILITY DOCUMENTATION <CR_5.1>
Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility for your customers (required):
The documentation describing the CWE and CWE compatibility program can be reached at this location
https://github.com/toolswatch/vFeed/wiki/%5B1%5D-vFeed-Framework-%28API-&-Correlated-Vulnerability-Database%29 cf. vFeed Common Weakness Enumeration (CWE) Compatibility Statement paragraph.
DOCUMENTATION OF FINDING ELEMENTS USING CWE IDENTIFIERS <CR_5.2>
Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CWE identifiers to find the individual security elements within your capability’s repository (required):
The correlated vulnerability and threat community database vFeed.db comes with a set of python API methods that help to query CWE identifiers within the database.
Users can leverage different methods as described in the documentation (https://github.com/toolswatch/vFeed/wiki/%5B3%5D-Methods-list)
- The search method queries quickly the database and returns an excerpt of the CVE and few other information such as the existence of exploits.
#python ./vfeedcli.py -s cwe-89
[+] Gathering information ...
|-> CVE-2015-6522
[!] Exploit-DB PoC found.
|-> CVE-2015-6519
[!] Exploit-DB PoC found.
|-> CVE-2015-6516
[!] Exploit-DB PoC found.
|-> CVE-2015-6513
|-> CVE-2015-6512
[!] Exploit-DB PoC found.
|-> CVE-2015-5599
|-> CVE-2015-5504
|-> CVE-2015-5459
|-> CVE-2015-5452
|-> CVE-2015-5148
[!] Exploit-DB PoC found.
|-> CVE-2015-5078
|-> CVE-2015-4713
|-> CVE-2015-4678
----------- SNIP ----------------
- The get_cwe method returns the information whenever they are available
#python vfeedcli.py -m get_cwe CVE-2014-10038
[
{
"id": "CWE-89",
"title": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
"url": "https://cwe.mitre.org/data/definitions/89.html"
}
]
DOCUMENTATION OF FINDING CWE IDENTIFIERS USING ELEMENTS
<CR_5.3>
Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers associated with individual security elements within your capability’s repository (required):
CWE alongside all attributes and elements are displayed using vFeed built-in functions or within pre-formatted vFeed JSON/XML output
As described previously, vFeed uses different python API methods such as get_cwe, search and export options to display CWE information (amongst other open standards and 3rd party references information)
The export function can as well be leveraged to document a CWE identifier as JSON export.
#python vfeedcli.py –e json_dump CVE-2014-10038
[+] Exporting to JSON file CVE_2014_10038.json
[!] CVE_2014_10038.json moved to export repository
Here is an except of CVE-2014-10038 correlated with 3rd party references and standards. We can notice as the well the availability of CWE/SANS Top 25.
{
"Information": {
"Category": [
{
"url": "https://cwe.mitre.org/data/definitions/864.html",
"id": "CWE-864",
"title": "2011 Top 25 - Insecure Interaction Between Components"
},
{
"url": "https://cwe.mitre.org/data/definitions/801.html",
"id": "CWE-801",
"title": "2010 Top 25 - Insecure Interaction Between Components"
},
{
"url": "https://cwe.mitre.org/data/definitions/943.html",
"id": "CWE-943",
"title": "Improper Neutralization of Special Elements in Data Query Logic"
},
{
"url": "https://cwe.mitre.org/data/definitions/20.html",
"id": "CWE-20",
"title": "Improper Input Validation"
},
{
"url": "https://cwe.mitre.org/data/definitions/722.html",
"id": "CWE-722",
"title": "OWASP Top Ten 2004 Category A1 - Unvalidated Input"
},
{
"url": "https://cwe.mitre.org/data/definitions/727.html",
"id": "CWE-727",
"title": "OWASP Top Ten 2004 Category A6 - Injection Flaws"
xx
"CVE": [
{
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-10038",
"published": "2015-01-13T10:59:48.210-05:00",
"id": "CVE-2014-10038",
"modified": "2015-01-14T15:11:21.137-05:00",
"summary": "SQL injection vulnerability in agenda/indexdate.php in DomPHP 0.83 and earlier allows remote attackers to execute arbitrary SQL commands via the ids parameter."
}
],
"CWE": [
{
"url": "https://cwe.mitre.org/data/definitions/89.html",
"url": "https://cwe.mitre.org/data/definitions/89.html",
"id": "CWE-89",
"title": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
}
],
"CPE": [
{
"id": "cpe:/a:domphp:domphp:0.83"
}
]
----------- SNIP ----------------
DOCUMENTATION INDEXING OF CWE-RELATED MATERIAL
<CR_5.4>
If your documentation includes an index, provide a copy of the items and resources that you have listed under "CWE" in your index. Alternately, provide directions to where these "CWE" items are posted on your web site commended):
The vFeed framework is based on built-in functions and a local correlated vulnerability and threat community database.
The explanation provided at <CR_5.3> applies here. Therefore, the CWE-ID could be accessed through API functions. Refer to
<CR_5.3>
The documentation
https://github.com/toolswatch/vFeed/wiki/%5B3%5D-Methods-list explains how to leverage those functions to display the needed information either in API or command line mode.
Type-Specific Capability Questions
Tool Questions
FINDING TASKS USING CWE IDENTIFIERS <CR_A.2.1>
Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):
vFeed search function (https://github.com/toolswatch/vFeed/wiki/%5B2%5D-Usage-%28API-and-Command-Line%29 under Search Function paragraph) could be leveraged to search for CWE identifiers.
#python vfeedcli.py -s cwe-352
[+] Gathering information …
|-> CVE-2015-6523
|-> CVE-2015-6517
|-> CVE-2015-5530
[!] Exploit-DB PoC found.
|-> CVE-2015-5397
|-> CVE-2015-4677
[!] Exploit-DB PoC found.
|-> CVE-2015-4659
[!] Exploit-DB PoC found.
|-> CVE-2015-4586
|-> CVE-2015-4530
|-> CVE-2015-4460
[!] Exploit-DB PoC found.
|-> CVE-2015-4397
|-> CVE-2015-4390
|-> CVE-2015-4383
|-> CVE-2015-4382
--- SNIP ----
|-> CVE-2006-5175
|-> CVE-2005-3348
|-> CVE-2002-2426
[+] Printing search statistics for CWE-352
[-] Total unique found CVEs: 1046
FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS <CR_A.2.2>
Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):
From the documentation (https://github.com/toolswatch/vFeed/wiki/%5B3%5D-Methods-list) the function get_cwe can be leveraged to retrieve information related to standard CWE (Common Weakness Enumeration)
The command line option
#python vfeedcli.py -m get_cwe CVE-2008-2276
[
{
"id": "CWE-352",
"title": "Cross-Site Request Forgery (CSRF)",
"url": "https://cwe.mitre.org/data/definitions/352.html"
}
]
The API option
from lib.core.methods import CveInfo
cve = "CVE-2014-0160"
info = CveInfo(cve).get_cwe()
print info
JSON Result :
[
{
"id": "CWE-119",
"title": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
"url": "https://cwe.mitre.org/data/definitions/119.html"
}
]
The JSON export function
#python vfeedcli.py -e json_dump CVE-2015-2502
Except of the JSON file
{
"Information": {
"Category": [
{
"url": "https://cwe.mitre.org/data/definitions/118.html",
"id": "CWE-118",
"title": "Improper Access of Indexable Resource (Range Error)"
},
{
"url": "https://cwe.mitre.org/data/definitions/20.html",
"id": "CWE-20",
"title": "Improper Input Validation"
},
{
-----SNIP -----
"CAPEC": [
{
"url": "https://capec.mitre.org/data/definitions/10.html",
"id": 10
},
{
"url": "https://capec.mitre.org/data/definitions/100.html",
"id": 100
},
{
"url": "https://capec.mitre.org/data/definitions/14.html",
"id": 14
},
-----SNIP -----
"CVE": [
{
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2502",
"published": "2015-08-19T06:59:00.090-04:00",
"id": "CVE-2015-2502",
"modified": "2015-08-19T14:45:48.310-04:00",
"summary": "Microsoft Internet Explorer 7 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka \"Memory Corruption Vulnerability,\" as exploited in the wild in August 2015."
}
],
-----SNIP -----
"CWE": [
{
"url": "https://cwe.mitre.org/data/definitions/119.html
"id": "CWE-119",
"title": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
}
],
"CPE": [
{
"id": "cpe:/a:microsoft:internet_explorer:9"
},
{
"id": "cpe:/a:microsoft:internet_explorer:10"
},
{
"id": "cpe:/a:microsoft:internet_explorer:8"
},
{
"id": "cpe:/a:microsoft:internet_explorer:7"
},
{
"id": "cpe:/a:microsoft:internet_explorer:11:-"
}
]
},
-----SNIP -----
"Risk": [
{
"CVSS v2": [
{
"impact": "10.0",
"access complexity": "medium",
"confidentiality impact": "complete",
"authentication": "none",
"exploit": "8.6",
"base": "9.3",
"integrity impact": "complete",
"availability impact": "complete",
"access vector": "network"
}
],
"severity": "High",
"Top alert": false,
"Top vulnerable": false
}
],
"vFeed": {
"Product": "vFeed - The Correlated Vulnerability Database",
"Contact": "@toolswatch",
"Author": "NJ OUCHN",
"URL": "https://github.com/toolswatch/vFeed",
"Version": "0.6.0
"id": "VFD-2015-2502"
},
GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.3>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):
Please refer to the answer to <CR_A.2.1>. The search function is suitable for this requirement.
USING CCR TO PROVIDE CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.4>
Give a detailed explanation of how a user can find the Coverage Claim Representation (CCR) XML document with all of the CWE Identifiers that the owner claims the tool is effective at locating in software (recommended):
N/A
GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS <CR_A.2.6>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool’s tasks (recommended):
Please refer to the answers to and . The search function, export and get_cwe will list the CWE-IDs associated with a task.
SELECTING TASKS WITH A LIST OF CWE IDENTIFIERS <CR_A.2.7>
Describe the steps and format that a user would use to select a set of tasks by providing a file with a list of CWE identifiers (recommended):
The API (or command-line) could be leveraged to automate this task. Either to display or search for CWE-IDs:
Display
from lib.core.methods import CveInfo
cve = "CVE-2014-0160"
info = CveInfo(cve).get_cwe()
print info
Search
from lib.core.search import Search
Search(cpe)
cwe = "cwe-89"
print "Search for", cwe
Search(cwe)
Please refer to the answers to and for more details.
SELECTING TASKS USING INDIVIDUAL CWE IDENTIFIERS <CR_A.2.8>
Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the tool by using individual CWE identifiers (recommended):
N/A
NON-SUPPORT NOTIFICATION FOR A REQUESTED CWE IDENTIFIER <CR_A.2.9>
Provide a description of how the tool notifies the user that a task associated with a selected CWE Identifier cannot be performed (recommended):
N/A
Service Questions
FINDING TASKS USING CWE IDENTIFIERS <CR_A.3.1>
Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):
Same as <CR_A.2.1> with the leverage of the search function.
#python vfeedcli.py -s cwe-352
[+] Gathering information …
|-> CVE-2015-6523
|-> CVE-2015-6517
|-> CVE-2015-5530
[!] Exploit-DB PoC found.
|-> CVE-2015-5508
|-> CVE-2015-5397
|-> CVE-2015-4677
The search displays all associated CVEs (those with exploits are as well marked).
FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS <CR_A.3.2>
Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):
vFeed API has the ability to generate a JSON file with all CWE identifiers mapped with other security elements.
Refer to <CR_A.2.2> for a detailed view of the JSON file.
A more complete vFeed JSON export of the CVE-2014-0160 can be viewed online at
http://www.toolswatch.org/vfeed/CVE_2014_0160.json.
GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.3.3>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):
vFeed integrates the latest CWE XML v2.8. Therefore, there is a table in the vFeed.db (cwe_db) that stores the whole CWE identifies used within the framework. Today, the count shows (select count(*) from cwe_db) 1003 CWEs entries. Which is compliant and aligned with the total reported by CWE.mitre.org organization.
From a statistical perspective, the command line “#python vfeedcli.py --stats get_stats” will highlight the total of the effective CWEs used by the NVD.
GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS <CR_A.3.4>
Give a detailed explanation of how a user can find the Coverage Claim Representation (CCR) XML document with all of the CWE identifiers that the owner claims the service is effective at locating in software (recommended):
N/A
GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS <CR_A.3.6>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool’s tasks (recommended):
vFeed API version 0.6.0 obtained using command line
#python vfeedcli.py -v
.:. vFeed - The Correlated Vulnerability Database .:. (API Release 0.6.0)
The vFeed.db The Correlated Vulnerability and Threat Vulnerability Database release and total of all security elements and third party references totals obtained using the command line
#python vfeedcli.py --stats get_stats
---------------------------------------------------------------
vFeed.db Statistics
Distinct values of CVEs and associated third party references
Database build (latest update date): 8222015
---------------------------------------------------------------
[+] Vulnerability Information and References
[-] Common Vulnerability Enumeration (CVE): 71851
[-] Affected Products or Common Platform Enumeration (CPE): 176742
[-] Common Weakness Enumeration (CWE) types: 496
[-] Common Attack Pattern Enumeration and Classification (CAPEC) types: 226
[-] SecurityFocus BID: 33019
[-] OSVDB - Open Source Vulnerability Database advisories: 22371
[-] CERT.org Vulnerability Notes: 4192
[-] DOD-CERT Information Assurance Vulnerability Alert (IAVA): 1168
[-] Scip AG Security Advisories: 73815
----------SNIP ----------
[+] Third Party Security Scanners Scripts
[-] Nessus Security Scripts: 50445
[-] OpenVAS Security Scripts: 27090
[-] Nmap NSE scripts: 48
[-] Open Vulnerability Assessment Language (OVAL) definitions: 26230
[+] Open Source Intrusion Detection Rules
[-] Snort Detection Rules: 1333
[-] Suricata Detection Rules: 5031
Media Questions
ELECTRONIC DOCUMENT FORMAT INFO <B.3.1>
Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CWE-related text (required):
https://github.com/toolswatch/vFeed/wiki/%5B1%5D-vFeed-Framework-%28API-&-Correlated-Vulnerability-Database%29 under vFeed Common Weakness Enumeration (CWE) Compatibility Statement
ELECTRONIC DOCUMENT LISTING OF CWE IDENTIFIERS <CR_B.3.2>
If one of the capability’s standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CWE identifiers are listed for each individual security element
(required):
[
{
"id": "CWE-264",
"title": "Permissions, Privileges, and Access Controls",
"url": "https://cwe.mitre.org/data/definitions/264.html"
}
]
ELECTRONIC DOCUMENT ELEMENT TO CWE IDENTIFIER <CR_B.3.3>
Provide example documents that demonstrate the mapping from the capability’s individual elements to the respective CWE identifier(s)
(recommended):
Please refer to the answers to <CR_A.2.1> and <CR_A.2.2>.
Questions for Signature
STATEMENT OF COMPATIBILITY <CR_2.11>
Have an authorized individual sign and date the following Compatibility Statement (required):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."
Name: Nabil Joseph OUCHN
Title: Founder/Developer
STATEMENT OF ACCURACY <CR_3.4>
Have an authorized individual sign and date the following accuracy Statement (recommended):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."
Name: Nabil Joseph OUCHN
Title: Founder/Developer
STATEMENT ON FALSE-POSITIVES AND FALSE-NEGATIVES <CR_B.2.10> and/or <CR_B.3.7>
FOR TOOLS AND SERVICES ONLY — Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."
Name: Nabil Joseph OUCHN
Title: Founder/Developer
More information is available — Please edit the custom filter or select a different filter.
|
