Updating information about Common Vulnerabilities and Exposures (CVE)

Available from 9.2.12. Common Vulnerabilities and Exposures (CVE) list is integrated with the software catalog and updated with each upgrade of BigFix Inventory. Use this procedure if you require more frequent updates.

Before you begin

  • You must have access to the computer where the BigFix Inventory server is installed with permissions to paste files into the installation directory of BigFix Inventory.
  • To perform the described actions, you must have the following tools installed:
    • GNU Wget
    • unzip tool
    • sha256sum

About this task

CVE contains a list of known security threats that are assigned identification numbers. Thanks to the import of CVE to BigFix Inventory, you can browse your software inventory and identify potential threats in your environment.

Information about CVE is automatically updated during every upgrade of BigFix Inventory. Use this procedure if you require to update CVE between the subsequent releases of BigFix Inventory.
Note: The procedure describes how to update CVE files with a semi-automated method. Alternatively, you can perform each step manually.

Procedure

  1. To download the zip CVE files, including json files and the relevant meta files from the National Vulnerability Database, run the following command.
    wget --secure-protocol=auto -r -A nvdcve-1.0-20*.meta,nvdcve-1.0-20*.json.zip 
    https://nvd.nist.gov/vuln/data-feeds
    The files are downloaded to the following location: nvd.nist.gov/feeds/json/cve/1.0.
    Important: Do not change names of the downloaded files.
  2. Optional: Ensure that you downloaded the appropriate files.
    1. To unpack the packages that contain json files, run the following command.
      unzip '*.zip'
    2. To generate SHA-256 for each json file, run the following command.
      sha256sum file_name.json
    3. Compare SHA-256 from each json file with SHA-256 from the relevant meta file.
      Both values should be the same.
  3. Copy all zip CVE files to the following directory on the computer where the BigFix Inventory server is installed:
    • Linux installation_directory/cve_data
    • Windows installation_directory\cve_data
  4. Wait for the scheduled import of data or run it manually.

Results

The list of common vulnerabilities and exposures is populated to BigFix Inventory. To check information about CVE, go to Reports > Software Components. The vulnerabilities are listed in the Vulnerability Risk (Preview) column for each relevant component.
Software Components report with information about CVEs