A set of tools to work with the feeds (vulnerabilities, CPE dictionary etc.) distributed by National Vulnerability Database (NVD)

NVD Tools

A collection of tools for working with National Vulnerability Database feeds.

The HOWTO provides a broader view on how to effectively use these tools.



Requirements

  • Go 1.13 or newer

Installation

You need a properly set up Go environment.

Download and install NVD Tools:

For Go 1.13 - 1.14:

go get github.com/facebookincubator/nvdtools/...
cd "$GOPATH"/src/github.com/facebookincubator/nvdtools/cmd
go install ./...

From Go 1.15 onwards, modules are not downloaded to GOPATH, but to GOMODCACHE. It is recommended to clone the repo and run go install from there instead:

git clone https://github.com/facebookincubator/nvdtools
cd nvdtools
go install ./...

From Go 1.17 onwards, go get is deprecated. go install is used instead to download the module to the cache and install it:

go install github.com/facebookincubator/nvdtools/...@latest

How to build

go mod init github.com/facebookincubator/nvdtools
go mod tidy
make
cp build/bin/* ~/go/bin/

Command line tools

cpe2cve

cpe2cve is a command line tool for scanning an inventory of CPE names for vulnerabilities.

It expects a stream of lines of delimiter-separated fields, one of these fields being a delimiter-separated list of CPE names in the inventory.

Vulnerability feeds should be provided as arguments to the program in JSON format.

Output is a stream of delimiter-separated input values decorated with a vulnerability ID (CVE) and a delimiter-separated list of CPE names that match this vulnerability.

Unwanted input fields can be erased from the output with the -e option.

Input and output delimiters can be configured with the -d, -d2, -o and -o2 options.

The output columns for the CVE and for the CPE names matching that CVE can be configured with the -cve and -matches options, respectively.

Download data

# TLS certificate verification stays on (no -k), so the feed listing cannot be silently altered in transit
curl -s https://nvd.nist.gov/vuln/data-feeds > data-feeds.html
grep -Eo '/feeds/[^"]*\.gz' data-feeds.html | xargs -I % wget -c https://nvd.nist.gov%

Example 1: scan a piece of software for vulnerabilities

echo "cpe:/a:apache"|cpe2cve -cpe 1 -e 1 -cve 1  nvdcve-1.1-*.json.gz
echo "cpe:/a:gnu:glibc:2.28" | cpe2cve -cpe 1 -e 1 -cve 1 nvdcve-1.0-*.json.gz
CVE-2009-4881
CVE-2015-8985
CVE-2016-4429
CVE-2010-3192
CVE-2010-4756

Example 2: find vulnerabilities in software inventory per production host

./cpe2cve -d ' ' -d2 , -o ' ' -o2 , -cpe 2 -e 2 -matches 3 -cve 2 nvdcve-1.0-*.json.gz << EOF
host1.foo.bar cpe:/a:gnu:glibc:2.28,cpe:/a:gnu:zlib:1.2.8
host2.foo.bar cpe:/a:gnu:glibc:2.28,cpe:/a:haxx:curl:7.55.0
EOF
host1.foo.bar CVE-2009-4881 cpe:/a:gnu:glibc:2.28
host1.foo.bar CVE-2016-4429 cpe:/a:gnu:glibc:2.28
host2.foo.bar CVE-2014-5119 cpe:/a:gnu:glibc:2.28
host2.foo.bar CVE-2016-4429 cpe:/a:gnu:glibc:2.28
host2.foo.bar CVE-2018-1000120 cpe:/a:haxx:curl:7.55.0
host2.foo.bar CVE-2018-1000122 cpe:/a:haxx:curl:7.55.0
host2.foo.bar CVE-2010-4756 cpe:/a:gnu:glibc:2.28
host2.foo.bar CVE-2017-8817 cpe:/a:haxx:curl:7.55.0

csv2cpe

csv2cpe is a tool that generates a URI-bound CPE from CSV input; flags configure the meaning of each input field:

  • -cpe_part -- identifies the class of a product: h for hardware, a for application and o for OS
  • -cpe_vendor -- identifies the person or organisation that manufactured or created the product
  • -cpe_product -- describes or identifies the most common and recognisable title or name of the product
  • -cpe_version -- vendor-specific alphanumeric strings characterising the particular release version of the product
  • -cpe_update -- vendor-specific alphanumeric strings characterising the particular update, service pack, or point release of the product
  • -cpe_edition -- capture edition-related terms applied by the vendor to the product; this attribute is considered deprecated in CPE specification version 2.3 and it should be assigned the logical value ANY except where required for backward compatibility with version 2.2 of the CPE specification.
  • -cpe_swedition -- characterises how the product is tailored to a particular market or class of end users
  • -cpe_targetsw -- characterises the software computing environment within which the product operates
  • -cpe_targethw -- characterises the software computing environment within which the product operates
  • -cpe_language -- defines the language supported in the user interface of the product being described; must be valid language tags as defined by [RFC5646]
  • -cpe_other -- any other general descriptive or identifying information which is vendor- or product-specific and which does not logically fit in any other attribute value

Omitted parts of the CPE name default to the logical value ANY, as per the specification.

The optional flag -lower converts the strings to lower case.

Example: generate a URI-bound CPE name out of a comma-separated list of attributes

$ echo 'a,Microsoft,Internet Explorer,8.1,SP1,-,*' | csv2cpe -x -lower -cpe_part=1 -cpe_vendor=2 -cpe_product=3 -cpe_version=4 -cpe_update=5 -cpe_edition=6 -cpe_language=7
cpe:/a:microsoft:internet_explorer:8.1:sp1:-

fireeye2nvd

fireeye2nvd downloads the vulnerability data from FireEye and converts it into NVD format. The resulting file can be used as a feed for the cpe2cve processor.

flexera2nvd

flexera2nvd downloads the vulnerability data from Flexera and converts it into NVD format. The resulting file can be used as a feed for the cpe2cve processor.

idefense2nvd

idefense2nvd downloads the vulnerability data from iDefense and converts it into NVD format. The resulting file can be used as a feed for the cpe2cve processor.

nvdsync

nvdsync synchronizes NVD data feeds to a local directory; it checks the hashes of the files against the ones provided by NVD and only updates the changed files.
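The hash comparison described above, sketched as an added example; this is not nvdsync's own code. It assumes the `key:value` layout of NVD's `.meta` files with a `sha256` line that covers the decompressed feed, and the helper names and sample data are constructed for illustration.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"fmt"
	"io"
	"strings"
)

// metaSHA256 reads the sha256 line from .meta text (key:value layout is an assumption).
func metaSHA256(meta string) (string, error) {
	for _, line := range strings.Split(meta, "\n") {
		if k, v, ok := strings.Cut(strings.TrimSpace(line), ":"); ok && k == "sha256" {
			return strings.ToLower(v), nil
		}
	}
	return "", fmt.Errorf("meta has no sha256 line")
}

// feedSHA256 hashes the decompressed content of a gzip-compressed feed.
func feedSHA256(gz []byte) (string, error) {
	zr, err := gzip.NewReader(bytes.NewReader(gz))
	if err != nil {
		return "", err
	}
	h := sha256.New()
	if _, err := io.Copy(h, zr); err != nil {
		return "", err // truncated or corrupt archive
	}
	return fmt.Sprintf("%x", h.Sum(nil)), nil
}

// NeedsUpdate is true when the local .gz is missing, unreadable or hashes differently.
func NeedsUpdate(meta string, localGz []byte) (bool, error) {
	want, err := metaSHA256(meta)
	if err != nil {
		return false, err // cannot decide without a reference hash
	}
	got, err := feedSHA256(localGz)
	return err != nil || got != want, nil
}

// sample builds a constructed feed archive and a matching constructed .meta text.
func sample(body string) ([]byte, string) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write([]byte(body))
	zw.Close()
	meta := fmt.Sprintf("size:%d\r\nsha256:%X\r\n", len(body), sha256.Sum256([]byte(body)))
	return buf.Bytes(), meta
}

func main() {
	gz, meta := sample(`{"CVE_Items":[]}`)
	fmt.Println(NeedsUpdate(meta, gz))  // local copy matches the advertised hash
	fmt.Println(NeedsUpdate(meta, nil)) // no local copy yet
}
```

A matching hash only shows that the local file agrees with the metadata; both come from the same server, so the TLS verification of the download is what protects against tampering in transit.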

rpm2cpe

rpm2cpe takes delimiter-separated input in which one of the fields contains an RPM package name, and produces delimiter-separated output consisting of the same fields plus the CPE name parsed from the RPM package name.

Example: generate a URI-bound CPE name out of an RPM package filename

echo openoffice-eu-writer-4.1.5-9789.i586.rpm | rpm2cpe -rpm=1 -cpe=2 -e=1
cpe:/a::openoffice-eu-writer:4.1.5:9789:~~~~i586~
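How the csv2cpe and rpm2cpe outputs shown above are put together, as an added example; it is not the project's own code. The type and function names are hypothetical, values are always lower-cased (as with -lower), and percent-encoding of special characters is left out, so inputs are assumed to contain only letters, digits, spaces, `.`, `-` and `_`.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// CPE holds the attributes bound into a CPE URI; "" or "*" means logical ANY.
type CPE struct {
	Part, Vendor, Product, Version, Update, Edition, Language string
	SWEdition, TargetSW, TargetHW, Other                      string
}

// norm lower-cases a value, turns spaces into underscores and maps "*" to ANY.
func norm(s string) string {
	if s = strings.TrimSpace(s); s == "*" {
		return ""
	}
	return strings.ReplaceAll(strings.ToLower(s), " ", "_")
}

// URI renders cpe:/part:vendor:product:version:update:edition:language.
func (c CPE) URI() string {
	ed := norm(c.Edition)
	ext := []string{norm(c.SWEdition), norm(c.TargetSW), norm(c.TargetHW), norm(c.Other)}
	if strings.Join(ext, "") != "" { // pack the extended attributes into the edition slot
		ed = "~" + ed + "~" + strings.Join(ext, "~")
	}
	f := []string{norm(c.Part), norm(c.Vendor), norm(c.Product), norm(c.Version), norm(c.Update), ed, norm(c.Language)}
	for len(f) > 1 && f[len(f)-1] == "" { // trailing ANY components are dropped
		f = f[:len(f)-1]
	}
	return "cpe:/" + strings.Join(f, ":")
}

// name-version-release.arch.rpm; name may contain hyphens, release may contain dots.
var rpmRe = regexp.MustCompile(`^(.+)-([^-]+)-([^-]+)\.([^.]+)\.rpm$`)

// FromRPM maps an RPM file name to a CPE; the vendor is unknown and stays ANY.
func FromRPM(file string) (CPE, error) {
	m := rpmRe.FindStringSubmatch(file)
	if m == nil {
		return CPE{}, fmt.Errorf("not an RPM file name: %q", file)
	}
	return CPE{Part: "a", Product: m[1], Version: m[2], Update: m[3], TargetHW: m[4]}, nil
}

func main() {
	c, err := FromRPM("openoffice-eu-writer-4.1.5-9789.i586.rpm")
	fmt.Println(c.URI(), err)
	fmt.Println(CPE{Part: "a", Vendor: "Microsoft", Product: "Internet Explorer", Version: "8.1", Update: "SP1", Edition: "-", Language: "*"}.URI())
}
```

Because an RPM file name carries no vendor, the vendor component is ANY and the name matches a product of that name from any vendor, which is worth keeping in mind when reviewing cpe2cve hits for inventories built this way.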

rustsec2nvd

rustsec2nvd converts the vulnerabilities from the RustSec Advisory-DB into NVD format. The resulting file can be used as a feed for the cpe2cve processor.

snyk2nvd

snyk2nvd downloads the vulnerability data from Snyk and converts it into NVD format. The resulting file can be used as a feed for the cpe2cve processor.

vfeed2nvd

vfeed2nvd converts the vulnerability data from vFeed into NVD format. The resulting file can be used as a feed for the cpe2cve processor.

vulndb

vulndb is a command line tool to manage NVD-like vulnerability databases, backed by MySQL.

It supports NVD CVE JSON 1.0 feeds. Data is versioned, organized by provider names and grouped into vendor, custom, and snooze datasets:

  • Vendor dataset: read-only CVE feeds we continuously import.
  • Custom dataset: allows overwriting CVEs from vendor data with custom data during exports.
  • Snooze dataset: user-defined CVE and metadata with a deadline, used for remediation automation.

See vulndb help for details.

Libraries

cvss2

Implementation of the CVSS v2 specification, which provides functions for serializing and deserializing vectors as well as score calculation.

cvss3

Implementation of the CVSS v3 specification, which provides functions for serializing and deserializing vectors as well as score calculation.

License

nvdtools is licensed under the Apache License, Version 2.0, as found in the LICENSE file.
