Category Archives: Vulnerability Databases

Exploitability attributes of Nessus plugins: good, bad and Vulners

Exploitability is one of the most important criteria for prioritizing vulnerabilities. Let’s see how good is the exploit-related data of Tenable Nessus NASL plugins and whether we can do it better.

Nessus exploitability

What are the attributes related to exploits? To understand this, I parsed all nasl plugins and got the following results.

Continue reading

CWEs in NVD CVE feed: analysis and complaints

As you probably know, one of the ways to describe the nature of some software vulnerability is to provide corresponding CWE (Common Weakness Enumeration) ids. Let’s see the CWE links in NVD CVE base.

NVD CWEs

I have already wrote earlier how to deal with NVD feed using python in “Downloading and analyzing NVD CVE feed“. You can easily get CWEs ids iterating over cve_dict['CVE_Items'].

Continue reading

Vulners NASL Plugin Feeds for OpenVAS 9

As I already wrote earlier, you can easily add third party nasl plugins to OpenVAS. So, my friends from Vulners.com realised generation of NASL plugins for OpenVAS using own security content. I’ve tested it for scanning CentOS 7 host. And it works =)

Vulners OpenVAS vulnerabilities

Let’s see the whole process.

Continue reading

Downloading and analyzing NVD CVE feed

In previous post “New National Vulnerability Database visualizations and feeds” I mentioned JSON NVD feed.

NVD JSON feed parse python

Let’s see what data it contains, how to download and analyse it. First of all, we need to download all files with CVEs from NVD database and save them to some directory.

nvd feed json download

Unfortunately, there is no way to download all the content at once. Only one year archives. We need to get urls first. Url looks like this: https://static.nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-2017.json.zip. Then we will download them all.

Continue reading

New National Vulnerability Database visualizations and feeds

Recently, the National Institute of Standards and Technology (NIST) introduced a new version of National Vulnerability Database (NVD) website.

NIST NVD new site

I will not say that I liked this redesign:

new NVD website

IMHO, old website with US flag was much prettier and useful:

old NVD website

But the very fact that the site is developing, I really like very much. Let’s see what’s new there.

Continue reading