User Guide
Synapse-NIST-NVD User Guide
Synapse-NIST-NVD adds new Storm commands to allow you to query the NIST National Vulnerability Database (NVD) API to ingest vulnerabilities.
Getting Started
Check with your Admin to enable permissions and find out if you need a personal API key.
Examples
Setting your personal API key
To set-up a personal use API key:
> nist.nvd.setup.apikey --self myapikey
Setting NVD API key for the current user.
Search for CVEs matching a keyword
> nist.nvd.cves.search log4j --yield --size 2
risk:vuln=743cf0a6ee45ca00728abb4cab1f4305
.created = 2024/12/20 18:11:08.303
:cve = cve-2008-7261
:cve:desc = The Workplace (aka WP) component in IBM FileNet P8 Application Engine (P8AE) 3.5.1 before 3.5.1-010 records DEBUG messages containing user credentials in the log4j.xml file, which might allow local users to obtain sensitive information by reading this file.
:cve:references = ['http://download2.boulder.ibm.com/sar/CMA/IMA/00yrk/0/readme-ae351-021.htm']
:cve:url = https://nvd.nist.gov/vuln/detail/CVE-2008-7261
:cvss:v2 = AV:L/AC:L/Au:N/C:P/I:N/A:N
:cvss:v2_0:score = 2.1
:cvss:v2_0:score:base = 2.1
:cwes = ['CWE-255']
:nist:nvd:modified = 2010/09/21 04:00:00.000
:nist:nvd:published = 2010/09/20 22:00:02.580
:nist:nvd:source = mitre
:reporter = f69048e36b9473f4ce00a57961af3f55
:reporter:name = nist
risk:vuln=68325bca749d6f8d58691aaae9752b09
.created = 2024/12/20 18:11:09.592
:cve = cve-2012-5616
:cve:desc = Apache CloudStack 4.0.0-incubating and Citrix CloudPlatform (formerly Citrix CloudStack) before 3.0.6 stores sensitive information in the log4j.conf log file, which allows local users to obtain (1) the SSH private key as recorded by the createSSHKeyPair API, (2) the password of an added host as recorded by the AddHost API, or the password of an added VM as recorded by the (3) DeployVM or (4) ResetPasswordForVM API.
:cve:references = ['http://mail-archives.apache.org/mod_mbox/incubator-cloudstack-users/201301.mbox/%[email protected]%3E', 'http://seclists.org/fulldisclosure/2013/Jan/65', 'http://support.citrix.com/article/CTX136163', 'http://www.securityfocus.com/bid/57259', 'http://www.securitytracker.com/id?1027978']
:cve:url = https://nvd.nist.gov/vuln/detail/CVE-2012-5616
:cvss:v2 = AV:L/AC:M/Au:S/C:P/I:N/A:N
:cvss:v2_0:score = 1.5
:cvss:v2_0:score:base = 1.5
:cwes = ['CWE-255']
:nist:nvd:modified = 2013/04/02 03:21:24.717
:nist:nvd:published = 2013/01/22 23:55:02.887
:nist:nvd:source = red hat, inc.
:reporter = f69048e36b9473f4ce00a57961af3f55
:reporter:name = nist
Ingest a feed of CVEs
Note that normally this command should be allowed to run to completion. Typically this command would also be run in a cron job to keep up with updates.
> nist.nvd.cves.feed --yield | limit 2
risk:vuln=610383858ae291b8f4929ca80655d90e
.created = 2024/12/20 18:11:11.051
:cve = cve-1999-0095
:cve:desc = The debug command in Sendmail is enabled, allowing attackers to execute commands as root.
:cve:references = ['http://seclists.org/fulldisclosure/2019/Jun/16', 'http://www.openwall.com/lists/oss-security/2019/06/05/4', 'http://www.openwall.com/lists/oss-security/2019/06/06/1', 'http://www.securityfocus.com/bid/1']
:cve:url = https://nvd.nist.gov/vuln/detail/CVE-1999-0095
:cvss:v2 = AV:N/AC:L/Au:N/C:C/I:C/A:C
:cvss:v2_0:score = 10.0
:cvss:v2_0:score:base = 10.0
:nist:nvd:modified = 2019/06/11 20:29:00.263
:nist:nvd:published = 1988/10/01 04:00:00.000
:nist:nvd:source = mitre
:reporter = f69048e36b9473f4ce00a57961af3f55
:reporter:name = nist
risk:vuln=6140bee75ea912b0893e1fcea92a0890
.created = 2024/12/20 18:11:11.449
:cve = cve-1999-0082
:cve:desc = CWD ~root command in ftpd allows root access.
:cve:references = ['http://www.alw.nih.gov/Security/Docs/admin-guide-to-cracking.101.html']
:cve:url = https://nvd.nist.gov/vuln/detail/CVE-1999-0082
:cvss:v2 = AV:N/AC:L/Au:N/C:C/I:C/A:C
:cvss:v2_0:score = 10.0
:cvss:v2_0:score:base = 10.0
:nist:nvd:modified = 2008/09/09 12:33:40.853
:nist:nvd:published = 1988/11/11 05:00:00.000
:nist:nvd:source = mitre
:reporter = f69048e36b9473f4ce00a57961af3f55
:reporter:name = nist
Use of meta:source
nodes
Synapse-NIST-NVD uses a meta:source
node and -(seen)>
light
weight edges to track nodes observed from the NVD API.
> meta:source=b3df0ff0c8bf7d8e89f3f2438732047c
meta:source=b3df0ff0c8bf7d8e89f3f2438732047c
.created = 2024/12/20 18:11:08.024
:name = nist nvd api
Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-NIST-NVD. The following example shows how to filter the results of a query to include only results observed by Synapse-NIST-NVD:
> risk:vuln:cwes*[=CWE-255] -> it:sec:cve +{ <(seen)- meta:source=b3df0ff0c8bf7d8e89f3f2438732047c }
it:sec:cve=cve-2008-7261
.created = 2024/12/20 18:11:08.303
it:sec:cve=cve-2012-5616
.created = 2024/12/20 18:11:09.593