/vulnerability-catalog

A catalog designed for environments with multiple or diffuse Information Security vulnerability-related information sources.


Welcome to the Vulnerability Catalog project, a catalog for Information Security Management designed for environments with multiple or diffuse vulnerability-related information sources.

Vulnerability Catalog is a web application written in Python/Django/D3 that provides a visual, organized, centralized and easy-to-use catalog acting as a single point of control for vulnerability management efforts.

By putting all vulnerabilities on the same measurement basis, risks and severities can be evaluated more accurately, without the biases inherent in each provider's own evaluation. Have your environment evaluated by meaningful and useful metrics. That's the idea.

It can also be used as a roadmap and timeline for treating vulnerabilities more efficiently, keeping track of the status of the whole environment and the progress of remediation efforts.

By the way, take a look at the project's Roadmap for updates and more details.

You can also check our Wiki for documentation and more information.

See the Catalog in action on YouTube:

View on your mobile for a better experience:

Vulnerability Catalog running on an Android phone in less than 5 minutes

Panorama charts mobile concept

CRUDS (Create, Remove, Update, Delete & Search) concept

Search function concept

Running the development branch on your box

You can run Vulnerability Catalog on Windows or Linux systems. Android is also supported, provided you install the Termux app. It acts like a Linux terminal, so all Linux steps apply exactly the same way as in the Linux setup.

You'll just need a Linux terminal (Termux is a Linux terminal) or the cmd.exe command line (the Windows terminal).

  1. Get the files by downloading them from GitHub.

    1.1 If you are interested in developing or contributing a feature, you can clone the project by running:

git clone https://github.com/daavelino/vulnerability-catalog.git

  2. Run the installer:

Under the project's directory, run

python setup.py build

This procedure installs Vulnerability Catalog inside a Python virtual environment, to avoid polluting the system.

Once installed, run it by typing:

python run.py

Hint: If you want to see how the Catalog works with non-production data, load some test data by running

python setup.py loadtestdata

  3. Follow the instructions to provide the system dependencies and point your browser to

http://localhost:8000/catalog

Tips for developers

The project has two scripts that make the development process a bit easier.

  1. setup.py:

setup.py is responsible for setting up all the files Django requires and for starting the Catalog project and app properly. For instance, to build the project from scratch, run

python setup.py build

This command configures Django and runs the project on your box. It also loads the project with a fictitious database to help you better understand how it works.

The command

python setup.py urlsviews

updates the catalog app's URLs and views without rebuilding the entire project. To update only the visual part of the project, try

python setup.py templatesonly

It updates the catalog templates, forms and static files without rebuilding the entire project.

  2. run.py

run.py is the project's launcher script, used once the Catalog is installed.

Combining setup.py and run.py:

If you made a minor change, like a template update or a URL/view change, instead of rebuilding the entire project (and adding your users again, logging into the app and so on) just try:

python setup.py templatesonly

or

python setup.py urlsviews

and then

python run.py

This applies your changes without reconstructing everything again.

Motivation

The idea to start this effort came from my experience trying to keep track of vulnerabilities during the Olympic and Paralympic Games at Rio 2016 - the Rio de Janeiro Olympics. During that time, I realized three important things concerning vulnerability management:

  1. it is hard to centralize, in a consistent way, all the information we get from vulnerability reports, assessments, pentests and user/peer reports.
  2. it is hard to put relevant information, like risks and severity, on a common (and normalized) basis.
  3. it is hard to visualize and get insights about the environment when we have multiple and diffuse sources of data, coming from .pdf, .xlsx, .doc files or even by e-mail or other channels.

So, Vulnerability Catalog emerged to address these problems and make things like that a little bit easier. With the Catalog, we can unify the data, put it on a normalized basis and manage vulnerabilities better than by using spreadsheets or reading reports one by one each time.
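The "common (and normalized) basis" argued for here and in the introduction, as an added example that is not the project's own code: a small Python routine that maps severities reported on different scales by different sources onto one 0-10 basis and groups them per asset and issue, so the spread between providers becomes visible. The source names, label scales and sample records are constructed, and CVE-XXXX-0001 is a placeholder identifier.

```python
# Added example for this README (not Vulnerability Catalog project code):
# put severities from diffuse sources on one 0-10 basis. Names and records are constructed.
from statistics import mean

# Assumed qualitative scales of two hypothetical report providers.
LABELS = {
    "vendor_a": {"low": 3.0, "medium": 5.5, "high": 8.0, "critical": 9.5},
    "vendor_b": {"info": 0.0, "minor": 2.0, "major": 6.5, "severe": 9.0},
}

def normalize(rec: dict) -> float:
    """Map one raw record's severity onto the common 0-10 basis."""
    scale, raw, src = rec["scale"], rec["severity"], rec["source"]
    if scale == "cvss":           # CVSS base score, already on 0-10
        score = float(raw)
    elif scale == "ordinal5":     # 1..5 rating rescaled linearly to 0..10
        score = (float(raw) - 1.0) * 2.5
    elif scale == "label":        # provider-specific qualitative label
        score = LABELS[src][str(raw).lower()]
    else:
        raise ValueError(f"{src}: unknown scale {scale!r}")
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"{src}: severity {raw!r} out of range")
    return round(score, 1)

def consolidate(records: list[dict]) -> dict[tuple[str, str], dict]:
    """Group findings by (asset, issue); the spread exposes provider bias."""
    groups: dict[tuple[str, str], list[float]] = {}
    for rec in records:
        groups.setdefault((rec["asset"], rec["issue"]), []).append(normalize(rec))
    return {
        key: {"sources": len(s), "max": max(s), "mean": round(mean(s), 1),
              "spread": round(max(s) - min(s), 1)}
        for key, s in groups.items()
    }

SAMPLE = [  # constructed: one issue seen by three sources, another by one
    {"source": "scanner", "asset": "web01", "issue": "CVE-XXXX-0001",
     "scale": "cvss", "severity": 7.5},
    {"source": "vendor_a", "asset": "web01", "issue": "CVE-XXXX-0001",
     "scale": "label", "severity": "Critical"},
    {"source": "vendor_b", "asset": "web01", "issue": "CVE-XXXX-0001",
     "scale": "label", "severity": "major"},
    {"source": "pentest", "asset": "db01", "issue": "weak-password",
     "scale": "ordinal5", "severity": 4},
]

if __name__ == "__main__":
    for key, summary in consolidate(SAMPLE).items():
        print(key, summary)
```

A spread of several points for the same issue is the signal that the providers' own ratings disagree and need a catalog-wide decision rather than a copy of whichever report arrived last.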

TODO:

Please check the project's Roadmap for updates and more details.

License: MIT License. Author: Daniel Avelino