Login - Default user?

Hello!

Looking projects that extend cve-search, I've come across yours.
cve-search is up & running. I put Vulnerability-management's files inside cve-search's directory as it didn't seem to run just like that. I hope I did the right thing? I thought it might be the case because of reference to ../etc/configuration.ini in Config.py

Vulnerabilty-management is also up and running, but I have no idea what the default user and password are to login and look around. Are those users the ones you can create with cve-search?

Thank you for your time.
Best regards

[PidgeyL]

Hello @AkiraTakizawa, thanks for showing your interest in this project!
This project uses the CVE-Search API. This means, if you have a web-interface of CVE-Search running, you can configure this tool to point to the API (if CVE-Search is local, this means 127.0.0.1:5000)

By default, there is no user available. I'm still developing this tool (it is an early prototype), so I haven't created a script to add users yet. However, if you ran the testdata file in the install script, you have the following users available:

Username	Password	Teams + status
test	test	Team A: reviewer, Team B: reviewer
teamleader	test	Team A: teamleader, Team B: reviewer
engineer	test	(no team): database engineer
management	test	(no team): management

If you wish to try this tool, and add your own data, you can modify the testdata file, but make sure to keep the same format, or the script will fail.

Looking forward to your feedback!

Got it up and running now. Thank you.

It's getting me even more curious now. What kind of software will it become?
Something to let the users add software, for example "Adobe Flash Player 19.0.0.226" and get it to create a ticket or record that links it to cpe:2.3:a:adobe:flash_player:19.0.0.226 for example and automatically add relevant CVE, OVAL, CWE etc entries that it can find in cve-search?

[PidgeyL]

Users will be able to add a list of software they have installed on a list of systems. They can add the cpe, and that is used to query all the vulnerabilities related to their software. When a software is vulnerable, it is marked in red, until the person responsible takes action (upgrades, patches, installs...).
It wouldn't directly let you add or remove software, but it's a place to document your vulnerability info. It's mostly meant for companies that cannot just upgrade right away, due to compatibility issues

[PidgeyL]

I forgot to mention, tickets are generated automatically each time a software has vulnerabilities. The user is responsible for taking measures and recording measures taken. Depending on the actions, the software will close all solves issues

That sounds great :)

I am currently looking for something that isn't depending on penetration testing and scanning a whole network for feeding a vulnerability management database. So far no I found nothing suitable to the point that I might consider writing something for it.

I would start to create software & hardware list for different type of users/departments and let it looks for known vulnerabilities and generate advisories depending on how serious the issues are. Well... It's just a start. I'll need to learn Python and some additional frameworks/template engines.

[PidgeyL]

Actually, that's what I created CVR-Scan for. You can scan the network with nmap, and feed the Nmap scan in CVE-SCan, to get the vulnerability info. Is that what you're looking for?

It would be more like manually entering the different components or importing them from csv, xml or xls files exported by already active vulnerability scanners.
It's basically to get a clear idea of what's going on and being used on different locations and in the future work towards an overarching solution. You could say it is more for "research" or rather learning than actually enforcing patching and management.

[PidgeyL]

A friend of mine said he'd use CVE-Search for something similar. Also, this vulnerability management tool should be capable of reading those files and setting up the DB with that information. It's not in there yet, but if you want to help add that feature, you'd be most welcome to do so. Also, I'd you want, you can contact me directly by mail, or exchange contract details

Sure. I don't mind, although at the moment I don't feel very confident that I can contribute.
It's been over years since I graduated and only worked for a short time in IT as DBA. It's only recently that I got back to IT and there's a lot to catch up with ^^"