CVE Tracking System Expert
Эксперт по отслеживанию уязвимостей и управлению безопасностью.
Core Competencies
CVE Management
-
CVE database monitoring
-
CVSS scoring interpretation
-
Vulnerability prioritization
-
NVD/MITRE integration
Vulnerability Workflow
-
Triage и assessment
-
Remediation planning
-
Patch management
-
Verification testing
Compliance & Reporting
-
Security advisories
-
Audit reporting
-
SLA tracking
-
Executive dashboards
CVE Data Standards
CVE ID Format
CVE-YYYY-NNNNN │ │ │ │ │ └─ Sequential number (4-7 digits) │ └────── Year of assignment └─────────── Prefix
CVSS v3.1 Metrics
Base Score (0-10): Attack Vector (AV): - Network (N): 0.85 - Adjacent (A): 0.62 - Local (L): 0.55 - Physical (P): 0.20
Attack Complexity (AC): - Low (L): 0.77 - High (H): 0.44
Privileges Required (PR): - None (N): 0.85 - Low (L): 0.62/0.68 - High (H): 0.27/0.50
User Interaction (UI): - None (N): 0.85 - Required (R): 0.62
Scope (S): - Unchanged (U) - Changed (C)
Impact (CIA): - Confidentiality: None/Low/High - Integrity: None/Low/High - Availability: None/Low/High
Severity Levels
Score Rating Color
9.0-10.0 Critical Red
7.0-8.9 High Orange
4.0-6.9 Medium Yellow
0.1-3.9 Low Green
0.0 None Gray
NVD API Integration
import requests from datetime import datetime, timedelta
class NVDClient: BASE_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"
def __init__(self, api_key: str = None):
self.api_key = api_key
self.headers = {"apiKey": api_key} if api_key else {}
def get_recent_cves(self, days: int = 7) -> list:
"""Fetch CVEs from the last N days."""
end_date = datetime.utcnow()
start_date = end_date - timedelta(days=days)
params = {
"pubStartDate": start_date.strftime("%Y-%m-%dT%H:%M:%S.000"),
"pubEndDate": end_date.strftime("%Y-%m-%dT%H:%M:%S.000")
}
response = requests.get(
self.BASE_URL,
params=params,
headers=self.headers
)
response.raise_for_status()
return self._parse_cves(response.json())
def search_by_keyword(self, keyword: str) -> list:
"""Search CVEs by keyword."""
params = {"keywordSearch": keyword}
response = requests.get(
self.BASE_URL,
params=params,
headers=self.headers
)
return self._parse_cves(response.json())
def get_by_cpe(self, cpe: str) -> list:
"""Get CVEs affecting a specific CPE."""
params = {"cpeName": cpe}
response = requests.get(
self.BASE_URL,
params=params,
headers=self.headers
)
return self._parse_cves(response.json())
def _parse_cves(self, data: dict) -> list:
"""Parse NVD response into structured CVE objects."""
cves = []
for item in data.get("vulnerabilities", []):
cve = item.get("cve", {})
cves.append({
"id": cve.get("id"),
"published": cve.get("published"),
"description": self._get_description(cve),
"cvss": self._get_cvss(cve),
"affected_products": self._get_cpe(cve)
})
return cves
def _get_description(self, cve: dict) -> str:
descriptions = cve.get("descriptions", [])
for desc in descriptions:
if desc.get("lang") == "en":
return desc.get("value", "")
return ""
def _get_cvss(self, cve: dict) -> dict:
metrics = cve.get("metrics", {})
if "cvssMetricV31" in metrics:
return metrics["cvssMetricV31"][0]["cvssData"]
if "cvssMetricV30" in metrics:
return metrics["cvssMetricV30"][0]["cvssData"]
return {}
CVSS Calculator
class CVSSCalculator: """CVSS v3.1 Base Score Calculator."""
WEIGHTS = {
"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
"AC": {"L": 0.77, "H": 0.44},
"PR": {
"U": {"N": 0.85, "L": 0.62, "H": 0.27},
"C": {"N": 0.85, "L": 0.68, "H": 0.50}
},
"UI": {"N": 0.85, "R": 0.62},
"C": {"H": 0.56, "L": 0.22, "N": 0},
"I": {"H": 0.56, "L": 0.22, "N": 0},
"A": {"H": 0.56, "L": 0.22, "N": 0}
}
def calculate(self, vector: dict) -> dict:
"""Calculate CVSS score from vector components."""
scope = vector.get("S", "U")
# Impact Sub Score
isc_base = 1 - (
(1 - self.WEIGHTS["C"][vector["C"]]) *
(1 - self.WEIGHTS["I"][vector["I"]]) *
(1 - self.WEIGHTS["A"][vector["A"]])
)
if scope == "U":
impact = 6.42 * isc_base
else:
impact = 7.52 * (isc_base - 0.029) - 3.25 * pow(isc_base - 0.02, 15)
# Exploitability Sub Score
exploitability = (
8.22 *
self.WEIGHTS["AV"][vector["AV"]] *
self.WEIGHTS["AC"][vector["AC"]] *
self.WEIGHTS["PR"][scope][vector["PR"]] *
self.WEIGHTS["UI"][vector["UI"]]
)
# Base Score
if impact <= 0:
base_score = 0
elif scope == "U":
base_score = min(impact + exploitability, 10)
else:
base_score = min(1.08 * (impact + exploitability), 10)
return {
"base_score": round(base_score, 1),
"impact": round(impact, 1),
"exploitability": round(exploitability, 1),
"severity": self._get_severity(base_score)
}
def _get_severity(self, score: float) -> str:
if score >= 9.0: return "CRITICAL"
if score >= 7.0: return "HIGH"
if score >= 4.0: return "MEDIUM"
if score > 0: return "LOW"
return "NONE"
Asset Inventory & CPE Matching
class AssetInventory: """Track software assets and match against CVEs."""
def __init__(self):
self.assets = []
def add_asset(self, asset: dict):
"""Add software asset to inventory."""
self.assets.append({
"name": asset["name"],
"vendor": asset["vendor"],
"version": asset["version"],
"cpe": self._generate_cpe(asset),
"criticality": asset.get("criticality", "medium"),
"environment": asset.get("environment", "production")
})
def _generate_cpe(self, asset: dict) -> str:
"""Generate CPE 2.3 string for asset."""
return f"cpe:2.3:a:{asset['vendor']}:{asset['name']}:{asset['version']}:*:*:*:*:*:*:*"
def find_affected(self, cve_cpes: list) -> list:
"""Find assets affected by CVE."""
affected = []
for asset in self.assets:
for cve_cpe in cve_cpes:
if self._cpe_matches(asset["cpe"], cve_cpe):
affected.append(asset)
break
return affected
def _cpe_matches(self, asset_cpe: str, cve_cpe: str) -> bool:
"""Check if asset CPE matches CVE CPE pattern."""
asset_parts = asset_cpe.split(":")
cve_parts = cve_cpe.split(":")
for i, (a, c) in enumerate(zip(asset_parts, cve_parts)):
if c == "*":
continue
if a != c:
return False
return True
Vulnerability Workflow
Auto-Triage System
class VulnerabilityTriage: """Automated vulnerability triage based on risk factors."""
SLA = {
"CRITICAL": {"response": 24, "remediation": 72},
"HIGH": {"response": 48, "remediation": 168},
"MEDIUM": {"response": 168, "remediation": 720},
"LOW": {"response": 720, "remediation": 2160}
}
def calculate_priority(self, vuln: dict, asset: dict) -> dict:
"""Calculate priority score for vulnerability."""
base_score = vuln.get("cvss_score", 5.0)
# Adjust for asset criticality
criticality_multiplier = {
"critical": 1.5,
"high": 1.2,
"medium": 1.0,
"low": 0.8
}
adjusted_score = base_score * criticality_multiplier.get(
asset.get("criticality", "medium"), 1.0
)
# Adjust for exploit availability
if vuln.get("exploit_available"):
adjusted_score *= 1.3
# Adjust for internet exposure
if asset.get("internet_facing"):
adjusted_score *= 1.2
# Cap at 10
adjusted_score = min(adjusted_score, 10.0)
severity = self._get_severity(adjusted_score)
return {
"priority_score": round(adjusted_score, 1),
"severity": severity,
"sla_response_hours": self.SLA[severity]["response"],
"sla_remediation_hours": self.SLA[severity]["remediation"]
}
def _get_severity(self, score: float) -> str:
if score >= 9.0: return "CRITICAL"
if score >= 7.0: return "HIGH"
if score >= 4.0: return "MEDIUM"
return "LOW"
Compliance Reporting
Executive Dashboard Data
def generate_executive_summary(vulnerabilities: list) -> dict: """Generate executive summary metrics.""" total = len(vulnerabilities)
by_severity = {
"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "LOW": 0
}
sla_breaches = 0
remediated_count = 0
avg_remediation_time = 0
for vuln in vulnerabilities:
by_severity[vuln["severity"]] += 1
if vuln.get("status") == "remediated":
remediated_count += 1
avg_remediation_time += vuln.get("remediation_hours", 0)
if vuln.get("sla_breached"):
sla_breaches += 1
if remediated_count > 0:
avg_remediation_time /= remediated_count
return {
"total_vulnerabilities": total,
"by_severity": by_severity,
"sla_compliance_rate": round((1 - sla_breaches / total) * 100, 1) if total > 0 else 100,
"remediation_rate": round(remediated_count / total * 100, 1) if total > 0 else 0,
"avg_remediation_hours": round(avg_remediation_time, 1),
"critical_open": by_severity["CRITICAL"],
"high_open": by_severity["HIGH"]
}
Compliance Framework Mapping
NIST Cybersecurity Framework: ID.RA-1: Asset vulnerabilities identified ID.RA-2: Threat intelligence received PR.IP-12: Vulnerability management plan DE.CM-8: Vulnerability scans performed RS.MI-3: Vulnerabilities mitigated
ISO 27001: A.12.6.1: Technical vulnerability management A.18.2.3: Technical compliance review
SOC 2: CC7.1: Vulnerability management procedures CC7.2: Security event monitoring
PCI DSS: 6.1: Vulnerability identification process 6.2: Security patches installation 11.2: Quarterly vulnerability scans
Integration Patterns
SIEM Integration:
- Forward high/critical alerts
- Enrich events with CVE data
- Automated incident creation
Ticketing Systems:
- Auto-create tickets for new vulns
- Track remediation progress
- SLA monitoring
CI/CD Pipeline:
- Pre-deployment vulnerability check
- Block deployments with critical CVEs
- Automated dependency updates
Notification:
- Slack: Critical alerts
- Email: Daily/weekly summaries
- PagerDuty: SLA breaches
Best Practices
Data Quality:
- Deduplicate findings
- Validate against authoritative sources
- Enrich with threat intelligence
- Track remediation history
Performance:
- Incremental updates (not full sync)
- Batch processing for analysis
- Cache CVSS calculations
- Index by CPE for fast matching
Security:
- API rate limiting
- Data encryption at rest
- Role-based access control
- Audit logging
Лучшие практики
-
Prioritize by risk — не все CVEs равны, учитывайте контекст
-
Automate triage — автоматизируйте рутинную классификацию
-
Track SLAs — мониторьте время реагирования
-
Integrate everywhere — связывайте с CI/CD, ticketing, SIEM
-
Report to executives — регулярные отчёты руководству
-
Continuous monitoring — не только periodic scans