The open source cross-linked local vulnerability database

vFeed is an open source naming scheme concept that provides extra structured detailed 3rd parties references for a CVE entry. While the emergence of the Open Standards helped undeniably to shape a new way to communicate about vulnerabilities1, the new vFeed is adding an intelligent structured xml feed that provides effective level of information (meta-data) related to vulnerability.

Internally, vFeedCore (not published yet) collects the basis xml feeds which are generated by reliable references and correlates it across multiple information sources. Here are examples of 3rd parties sources (just to name a few):

• Security standards
  • CVE (http://cve.mitre.org)
  • CWE (http://cwe.mitre.org)
  • CPE (http://cpe.mitre.org)
  • OVAL (http://oval.mitre.org)
  • CAPEC (http://capec.mitre.org)
  • CVSS (http://www.first.org/cvss)
• Vulnerability Assessment & Exploitation IDs (Metasploit, Saint Corporation, Nessus Scripts, ZDI, Exploit-DB, milw0rm)
• Vendors Security Alerts
  • Microsoft MS
  • Mandriva
  • Redhat
  • Cisco
  • Sun
  • Gentoo
  • Apple
  • ...

• Built using open source technologies
• Fully downloadable SQLite local vulnerability database
• Structured new XML format to describe vulnerabilities
• Based on major open standards CVE, CPE, CWE, CVSS..
• Support correlation with 3rd party security references (CVSS, OSVDB, OVAL…)
• Extended to support correlation with security assessment and patch vendors (Nessus, Exploit-DB, Redhat, Microsoft..)
• Simple & ready to use Python module with more than 15 methods

• Penetration testers who want to analyze CVEs and gather extra information to help shape avenues to exploit vulnerabilities.
• Security auditors who want to report accurate information about findings. vFeed could be the best way to describe a CVE with attributes based on standards and 3rd party references as vendors or companies involved into standarization efforts.
• Security tools vendors / security open source developers who need to implement libraries to enumerate useful information about CVEs without wasting time to correlate and to create a proprietary database. vFeed is by far the best solution. Methods can be invoked from programs or scripts with a simple call.
• Any security hacker who is conducting researches and need a very fast and accurate way to enumerate available exploits or techniques to check a vulnerability

Beta v0.4.6 ---------

• Added the support to Suricata ET SID (http://suricata-ids.org/). When available, vFeed reports the mapping with Suricata ID, Attack title rule and class type
• Added the support to VMware IDs.
• Updated the Gentoo GLSA mapper. Many new IDs have been added to vFeed.db
• Updated the Fedora mapper. Many new IDs have been added to vFeed.db

* To reflect the newest cross references, the following methods have been added:

• get_suricata to enumerate Suricata ID rules. This function returns Suricata SID, signature title and class type
• `get_vmware`to list VMware patches

° vfeed.db the sqlite opensource cross linked vulnerability database fully regenerated to support the new changes

Beta v0.4.5 ----------

• Added the support to CWE v2.5. Now, vFeed reports the newest CWE-id added to version 2.5. See here for more information http://cwe.mitre.org/data/reports/diff_reports/v2.4_v2.5.html
• Added the support to OWASP Top 2013. The method get_category() reports the appropriate OWASP ID. The method get_risk() also reports the categories of the attack as topAlert value.
• Better support of Microsoft Bulletins and KB.
• Extended the functions get_ms() and get_mskb() to report the Microsoft Title and URL.
• Added the support to Snort SID. A new function get_snort() is available. It returns snort sid, signature name and class type.
• Updated the vFeed XML export() function with a new attribute <defense>. The Snort IDs could be leveraged to deploy detection capabilities.
• Fixed bug#24 toolswatch#24
• Fixed a bug with PCIstatus in get_risk(). Now PCIstatus is set as "Failed" when a topAlert is found
• Fixed a bug in get_risk(). The value are not set when the CVSS base is undefined
• Updated slightly get_risk() to also display CVSS scores. Top Vulnerability attribute took a sense. When all CVSS scores are set to 10, then Top Vulnerability is True.

• Refactored the exportXML method as a separate class vFeedXML (vfeedexportxml.py). The method export() could be invoked to generate the appropriate vFeed XML format
• Changed methods name to something "pythonic compliant names" according to Andres Riancho (Thanks to David Mirza for python documentation). Format is now get_cve, get_cpe etc instead of the awful checkCVE, checkCPE ...(Issue Ref: toolswatch#13)
• Added the support to DISA/IAVM database (Information Assurance Vulnerability Alert) advisories from DoD-CERT. When available, the IAVM id and DISA VMSkey are reported
• Added the support to CERT-VN (CERT Vulnerability Notes Database (VU)). When available, the CERT-VU and Link are reported.
• Added the support to SCIP database effort from folks at www.scip.ch. The ids and link are reported (thanks to Marc Ruef @mruef for the help)
• Added the support to OpenVAS (www.openvas.org). Whenever a reference exists, the ID, script file(s), family(s) and title are reported
• Added the support to Cisco Security Advisories (http://tools.cisco.com/security/center/publicationListing.x)
• Added the support to Ubuntu USN Security Notices (http://www.ubuntu.com/usn/)
• Added the support to Gentoo GLSA http://www.gentoo.org/security/en/glsa/
• Added the support to Fedora Security advisories (http://www.redhat.com/archives/fedora-announce-list/)

* To reflect the newest cross references, the following new methods have been added

• get_iavm to check for DISA/IAVM ids associated with a CVE
• get_scip to check for SCIP database ids
• get_certvn to enumerate the CERT-VN ids
• get_openvas to list the OpenVAS Vulnerability scanner scripts. It always classy to have both Nessus and OpenVAS scripts ;)
• get_cisco to list cisco patchs
• get_ubuntu to list ubuntu patchs
• get_gento. You bet, it's for listing the Gentoo patchs
• get_fedora to list the fedora patchs

• Despite the fact the OSVDB ids was already mapped with vFeed since the beginning, a new method get_osvdb has been added to enumerate them when available.
• Added get_milw0rm method even if the website is deprecated (for old time's sake)
• Introduced vfeedcli.py instead of awful script name vFeed_Calls_1.py. From now on, vFeed CLI should be used to get CVE attributes
• Slightly modified the get_cve keys to (summary, published and modified). Check the vfeedcli.py code source.
• vFeed XML format slightly modified. It's still easy to read and to parse.
• Minor bug fixed (when a CVE is missed, vFeed exits)
• vfeed.db regenerated to support the newest changes
• Documentation should be updated the reflect the major methods name changes

• Added the support of Metasploit Ids. Now vFeed reports msf exploit id, link to file and title
• Added the support of CAPEC. When the reference exists, the CAPEC id and link are reported accordingly with its associated CWE
• checkCWE extended to support the CWE title. Sometimes, it's comfortable to deal with human words than ids ;)

* checkRISK extended to support Top Categories as CWE/SANS 2011, OWASP 2010 etc. Whenever the CVE is flagged in the some specific categories (see api.py at _isTopAlert), the topAlert value is filled with categories name such as OWASP Top Ten 2010 Category A1 - Injection or 2011 Top 25 - Insecure Interaction Between Components * checkCVSS extended to support the CVSS Vector. * To reflect the newest cross references, 3 new methods have been added - checkMSF to check for Metasploit sploits or plugins - checkCAPEC to enumerate the CWE associated (and indirectly CVE) CAPEC ids - checkCATEGORY to list the whole Top Categories associated with CWE and indirectly CVE. This method is useful if topAlert doesnt report any known Top List. - Updated checkRISK, checkCWE and checkCVSS - updated exportXML to reflect the changes. * vfeed.db regenerated from scratch to support the newest changes. * Documentation as usual in progress.

• Refactoring as a first step towards having the vfeed module in pypi (andres riancho)
• PEP8 compatible code (at least what autopep8 can do) (andres riancho)
• README format is now RST (andres riancho)
• Bug fixes (andres riancho)
• Global vfeed.db update with latest CVEs, Redhat OVAL, SaintExploit, Nessus Scripts .....

• Extended the checkREDHAT method
  • Added the support of Redhat OVAL ids reference. Now, vFeed reports more accurate Redhat Patchs with associated Redhat OVAL ids
  • Added the support of Redhat Bugzilla Ids and advisory issue date
• Added the support of Debian ids. vFeed now reports DSA as patch
• Added the support of Mandriva ids.
• Extended Exploitation Checks to support Saint Corporation Exploits. If available, title, link to exploit file are reported
• To reflect the newest cross references, 3 new methods have been added
  • checkREDHAT extended to support Redhat OVAL, Bugzilla ids more redhat patchs ids.
  • checkDEBIAN to check for debian patchs
  • checkMANDRIVA to check for mandrake patchs
  • checkSAINT to check for Saint corporation exploits
• Fixed a small bug in checkRISK() (thanks to Ronald Bister https://github.com/savon-noir)
• Updating wiki documentation in progress

• Rewrite vFeedApi.py as a class (added _init_db() method with sql query sanitization)
• Added a class vFeedInfo to return variables and global configuration
• Added a config.py module.
• Updated the "update.py". Now verifies if a new db is available (support of checksum)
• Renamed method checkReferences into checkREF()
• Updated the sample scripts (vFeedAPI_calls_1 and _2) to reflect the changes
• documentation update (always in progress) and will be mainly delivered via vfeed github wiki.

• moved project to github
• added an updater.py to download the vFeed vulnerability database

• initial release
• read documentation