User Guide

Synapse-NIST-NVD User Guide

Synapse-NIST-NVD adds new Storm commands to allow you to query the NIST National Vulnerability Database (NVD) API to ingest vulnerabilities.

Getting Started

Check with your Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set-up a personal use API key:

> nist.nvd.setup.apikey --self myapikey
Setting NVD API key for the current user.

Search for CVEs matching a keyword

> nist.nvd.cves.search log4j --yield --size 2
risk:vuln=743cf0a6ee45ca00728abb4cab1f4305
        .created = 2024/09/05 20:13:42.980
        :cve = cve-2008-7261
        :cve:desc = The Workplace (aka WP) component in IBM FileNet P8 Application Engine (P8AE) 3.5.1 before 3.5.1-010 records DEBUG messages containing user credentials in the log4j.xml file, which might allow local users to obtain sensitive information by reading this file.
        :cve:references = ['http://download2.boulder.ibm.com/sar/CMA/IMA/00yrk/0/readme-ae351-021.htm']
        :cve:url = https://nvd.nist.gov/vuln/detail/CVE-2008-7261
        :cvss:v2 = AV:L/AC:L/Au:N/C:P/I:N/A:N
        :cvss:v2_0:score = 2.1
        :cvss:v2_0:score:base = 2.1
        :cwes = ['CWE-255']
        :nist:nvd:modified = 2010/09/21 04:00:00.000
        :nist:nvd:published = 2010/09/20 22:00:02.580
        :nist:nvd:source = mitre
        :reporter = f69048e36b9473f4ce00a57961af3f55
        :reporter:name = nist
risk:vuln=68325bca749d6f8d58691aaae9752b09
        .created = 2024/09/05 20:13:44.240
        :cve = cve-2012-5616
        :cve:desc = Apache CloudStack 4.0.0-incubating and Citrix CloudPlatform (formerly Citrix CloudStack) before 3.0.6 stores sensitive information in the log4j.conf log file, which allows local users to obtain (1) the SSH private key as recorded by the createSSHKeyPair API, (2) the password of an added host as recorded by the AddHost API, or the password of an added VM as recorded by the (3) DeployVM or (4) ResetPasswordForVM API.
        :cve:references = ['http://mail-archives.apache.org/mod_mbox/incubator-cloudstack-users/201301.mbox/%[email protected]%3E', 'http://seclists.org/fulldisclosure/2013/Jan/65', 'http://support.citrix.com/article/CTX136163', 'http://www.securityfocus.com/bid/57259', 'http://www.securitytracker.com/id?1027978']
        :cve:url = https://nvd.nist.gov/vuln/detail/CVE-2012-5616
        :cvss:v2 = AV:L/AC:M/Au:S/C:P/I:N/A:N
        :cvss:v2_0:score = 1.5
        :cvss:v2_0:score:base = 1.5
        :cwes = ['CWE-255']
        :nist:nvd:modified = 2013/04/02 03:21:24.717
        :nist:nvd:published = 2013/01/22 23:55:02.887
        :nist:nvd:source = red hat, inc.
        :reporter = f69048e36b9473f4ce00a57961af3f55
        :reporter:name = nist

Ingest a feed of CVEs

Note that normally this command should be allowed to run to completion. Typically this command would also be run in a cron job to keep up with updates.

> nist.nvd.cves.feed --yield | limit 2
risk:vuln=610383858ae291b8f4929ca80655d90e
        .created = 2024/09/05 20:13:45.635
        :cve = cve-1999-0095
        :cve:desc = The debug command in Sendmail is enabled, allowing attackers to execute commands as root.
        :cve:references = ['http://seclists.org/fulldisclosure/2019/Jun/16', 'http://www.openwall.com/lists/oss-security/2019/06/05/4', 'http://www.openwall.com/lists/oss-security/2019/06/06/1', 'http://www.securityfocus.com/bid/1']
        :cve:url = https://nvd.nist.gov/vuln/detail/CVE-1999-0095
        :cvss:v2 = AV:N/AC:L/Au:N/C:C/I:C/A:C
        :cvss:v2_0:score = 10.0
        :cvss:v2_0:score:base = 10.0
        :nist:nvd:modified = 2019/06/11 20:29:00.263
        :nist:nvd:published = 1988/10/01 04:00:00.000
        :nist:nvd:source = mitre
        :reporter = f69048e36b9473f4ce00a57961af3f55
        :reporter:name = nist
risk:vuln=6140bee75ea912b0893e1fcea92a0890
        .created = 2024/09/05 20:13:45.828
        :cve = cve-1999-0082
        :cve:desc = CWD ~root command in ftpd allows root access.
        :cve:references = ['http://www.alw.nih.gov/Security/Docs/admin-guide-to-cracking.101.html']
        :cve:url = https://nvd.nist.gov/vuln/detail/CVE-1999-0082
        :cvss:v2 = AV:N/AC:L/Au:N/C:C/I:C/A:C
        :cvss:v2_0:score = 10.0
        :cvss:v2_0:score:base = 10.0
        :nist:nvd:modified = 2008/09/09 12:33:40.853
        :nist:nvd:published = 1988/11/11 05:00:00.000
        :nist:nvd:source = mitre
        :reporter = f69048e36b9473f4ce00a57961af3f55
        :reporter:name = nist

Use of meta:source nodes

Synapse-NIST-NVD uses a meta:source node and -(seen)> light weight edges to track nodes observed from the NVD API.

> meta:source=b3df0ff0c8bf7d8e89f3f2438732047c
meta:source=b3df0ff0c8bf7d8e89f3f2438732047c
        .created = 2024/09/05 20:13:42.730
        :name = nist nvd api

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-NIST-NVD. The following example shows how to filter the results of a query to include only results observed by Synapse-NIST-NVD:

> risk:vuln:cwes*[=CWE-255] -> it:sec:cve +{ <(seen)- meta:source=b3df0ff0c8bf7d8e89f3f2438732047c }
it:sec:cve=cve-2008-7261
        .created = 2024/09/05 20:13:42.981
it:sec:cve=cve-2012-5616
        .created = 2024/09/05 20:13:44.241