abhiunix/cve-in-my-code

CVE-in-My-Code

Description

CVE-in-My-Code periodically fetches the latest CVEs, extracts the vulnerable product and version range from each record, and then searches the organization's GitHub repositories for occurrences of those vulnerable components. It offers near real-time monitoring of the most up-to-date CVE data and promptly notifies users about actionable CVEs (those that actually match something in the organization's code) via Slack.

Features

  • Automated periodic retrieval and storage of CVE data using the NVD API.
  • Extraction of vulnerable components (product/framework/library) using the MITRE CVE API.
  • Search for the vulnerable components in the organization's repositories using the GitHub API.
  • Slack notification for each new actionable CVE entry, sent through a Slack incoming webhook.
  • Health check mechanism using a webhook, so a silent failure of the periodic job is noticed.
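As an added example that is not the project's own code, the snippet below shows the two steps the feature list describes before the repository search: building an NVD API 2.0 query for CVEs modified since the previous run (the timestamp the tool stores), and extracting vendor, product and version range from the CPE match data in the response. It also includes the range check needed to decide whether a version found in a repository is affected. The sample response is constructed; its CVE id, vendor and product are placeholders, not a real NVD record, and the simple version comparator is an assumption of this example, not full semver or PEP 440 handling.

```python
"""Added example (not part of the cve-in-my-code project): query window,
CPE extraction and range check for NVD API 2.0 records.  The sample response
at the bottom is constructed; its identifiers are placeholders."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlencode

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"
MAX_WINDOW = timedelta(days=120)  # NVD rejects larger lastModStartDate..lastModEndDate spans


def nvd_query_url(last_run_iso: str, now_iso: Optional[str] = None) -> str:
    """Build the NVD 2.0 URL for CVEs last modified between the stored
    timestamp of the previous run and now (both tz-aware ISO 8601 strings).
    A last_run older than NVD's 120-day cap is clamped so that a job which
    was stopped for months still gets a valid request instead of an API
    error; the caller should then back-fill the older span separately."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    last_run = datetime.fromisoformat(last_run_iso)
    if now - last_run > MAX_WINDOW:
        last_run = now - MAX_WINDOW
    fmt = "%Y-%m-%dT%H:%M:%S.000"  # NVD's extended ISO 8601 form with milliseconds
    params = {"lastModStartDate": last_run.strftime(fmt),
              "lastModEndDate": now.strftime(fmt)}
    return f"{NVD_API}?{urlencode(params)}"


_CPE_SEP = re.compile(r"(?<!\\):")  # a colon not preceded by a backslash
_CPE_KEYS = ("part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(criteria: str) -> dict:
    """Split a CPE 2.3 formatted string into its components.  A literal
    colon inside a component is escaped as '\\:' and must not be treated
    as a separator, which a naive criteria.split(':') gets wrong."""
    parts = _CPE_SEP.split(criteria)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {criteria!r}")
    return {k: v.replace("\\:", ":") for k, v in zip(_CPE_KEYS, parts[2:])}


def vulnerable_components(nvd_response: dict) -> list:
    """Return one record per vulnerable CPE match: vendor, product and the
    version bounds NVD attaches to the match.  Matches flagged
    vulnerable=False (e.g. the platform side of an AND node) are skipped."""
    found = []
    for item in nvd_response.get("vulnerabilities", []):
        cve = item["cve"]
        for config in cve.get("configurations", []):
            for node in config.get("nodes", []):
                for m in node.get("cpeMatch", []):
                    if not m.get("vulnerable"):
                        continue
                    cpe = parse_cpe23(m["criteria"])
                    found.append({
                        "cve": cve["id"],
                        "vendor": cpe["vendor"],
                        "product": cpe["product"],
                        # '*' (any) and '-' (not applicable) mean "use the range fields"
                        "exact_version": None if cpe["version"] in ("*", "-") else cpe["version"],
                        "start_incl": m.get("versionStartIncluding"),
                        "start_excl": m.get("versionStartExcluding"),
                        "end_incl": m.get("versionEndIncluding"),
                        "end_excl": m.get("versionEndExcluding"),
                    })
    return found


def _vkey(version: str) -> tuple:
    """Simplified comparison key (assumption of this example): numeric
    segments compare as integers, non-numeric ones as strings after them."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version))


def is_affected(component: dict, installed: str) -> bool:
    """Does an installed version fall inside the component's vulnerable range?"""
    if component["exact_version"] is not None:
        return component["exact_version"] == installed
    k = _vkey(installed)
    if component["start_incl"] and k < _vkey(component["start_incl"]):
        return False
    if component["start_excl"] and k <= _vkey(component["start_excl"]):
        return False
    if component["end_incl"] and k > _vkey(component["end_incl"]):
        return False
    if component["end_excl"] and k >= _vkey(component["end_excl"]):
        return False
    return True


# Constructed sample in the NVD 2.0 response shape; placeholder id and names.
SAMPLE_RESPONSE = {
    "resultsPerPage": 1, "totalResults": 1,
    "vulnerabilities": [{"cve": {
        "id": "CVE-0000-0000",
        "lastModified": "2024-01-01T00:00:00.000",
        "descriptions": [{"lang": "en", "value": "placeholder description"}],
        "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
            {"vulnerable": True,
             "criteria": "cpe:2.3:a:example:widget:*:*:*:*:*:python:*:*",
             "versionStartIncluding": "2.0", "versionEndExcluding": "2.15.0",
             "matchCriteriaId": "00000000-0000-0000-0000-000000000000"},
            {"vulnerable": False,
             "criteria": "cpe:2.3:o:example:os:*:*:*:*:*:*:*:*",
             "matchCriteriaId": "00000000-0000-0000-0000-000000000001"},
        ]}]}],
    }}],
}

if __name__ == "__main__":
    for comp in vulnerable_components(SAMPLE_RESPONSE):
        print(comp["cve"], comp["vendor"], comp["product"],
              "2.14.1 affected:", is_affected(comp, "2.14.1"))
```

The vendor/product pair from the CPE (not the free-text description) is the most reliable thing to feed into the GitHub search step, and the range check is what turns a raw search hit into an actionable alert.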

Prerequisites:

  • Python 3.x.
  • SQLite (the tool stores fetched CVE data in a local SQLite database).

Setup:

  1. Clone the repository:
git clone https://github.com/abhiunix/cve-in-my-code
cd cve-in-my-code
  2. Install the required dependencies:
pip install -r requirements.txt
  3. Set up environment variables:
  • Create a .env file in the project directory.
  • Define the following variables in the .env file:
    webhook_url=<your_slack_webhook_url>
    health_check_webhook=<your_health_check_webhook_url>
    github_token=<your_personal_github_token>
  • The GitHub token needs read access to the repositories you want searched. Keep the .env file out of version control: the token and both webhook URLs are secrets, and anyone holding the Slack webhook URL can post to the channel.

Usage

Run the script manually for the initial setup:

python3 timestamp.py
python3 cve-in-my-code.py

Configure the cron job:

  • Open the crontab file:

    crontab -e
    
  • Add the following line to run the script every 5 minutes:

    */5 * * * * /usr/bin/python3 /path/to/cve-in-my-code.py
    
    Cron runs the job from your home directory with a minimal environment, so if the script resolves the .env file or the SQLite database relative to the current working directory, change into the project directory first (for example: */5 * * * * cd /path/to/cve-in-my-code && /usr/bin/python3 cve-in-my-code.py).
  • Save and exit the crontab file.

Contributions

Contributions to CVE-in-My-Code are welcome! Please fork the repository, make your enhancements, and submit a pull request.

To do:

  • Parse the vulnerability description and extract the framework/library/software name and the vulnerable version.
  • Search for the extracted library and version in the organization's codebase using the GitHub/Bitbucket APIs.
  • Actionable alerts on Slack if any vulnerable library/framework is found in the codebase.
  • Add other CVE databases.
  • Search support for Bitbucket and GitLab.
