CVE-ease
Project Overview
CVE-ease is a dedicated platform for CVE information, aggregating data from community releases and delivering timely notifications via email, WeChat, DingTalk, and other channels. Users can access detailed CVE information on the platform, such as vulnerability descriptions, affected scopes, and remediation recommendations. This enables them to choose appropriate fixes tailored to their systems.
The platform is designed to help users swiftly identify and address vulnerabilities, thereby improving system security and stability.
CVE-ease is an independent innovation initiative by CTYun. Open sourced in the openEuler community, it strictly adheres to the Mulan PSL2 license. We welcome community contributions to the project, working together to create a secure, stable, and reliable ecosystem for domestic operating systems.
Open source details:
- This repository strictly complies with the Mulan Permissive Software License, Version 2.
- This repository meets the open source guidelines of China Telecom Cloud Technology Co., Ltd, having undergone thorough review and preparation to present a high-quality open source project with complete documentation and resources.
- The repository is managed by designated personnel from the company, ensuring long-term maintenance for LTS versions and ongoing development support.
Software Architecture
CVE-ease is a platform dedicated to CVE information, structured around four core modules: CVE crawler, CVE analyzer, CVE notifier, and CVE frontend. Below is an overview of the functionality and design of each module.
- CVE crawler
This module collects CVE information from multiple data sources provided by the openEuler community and stores it in relational databases like MySQL. These data sources are primarily managed by the cve-manager project, which supports fetching CVE details from NVD, CNNVD, CNVD, RedHat, Ubuntu, and Debian. CVE-ease employs Python-based crawler scripts, each tailored to a specific data source. These scripts can be executed on a schedule or manually, formatting the scraped raw CVE data and storing it for further analysis.
- CVE analyzer
This module processes CVE information by parsing, categorizing, and scoring it. Written in Python, the analyzer script periodically retrieves raw CVE data from the relational database and performs tasks such as extracting basic attributes (such as ID, title, description), categorizing the impact scope (such as OS, software packages), scoring severity (such as CVSS scores), and matching remediation suggestions (such as patch links). The processed structured data is then stored in SQL format for future queries and presentation.
- CVE notifier
This module sends CVE notifications to users via email, WeChat, DingTalk, and other channels based on their subscription preferences. The Python-based notifier script periodically retrieves structured CVE data from the MySQL database, filters it according to user-configured impact scopes, generates appropriate notification content for different channels, and invokes APIs to deliver notifications. The script also logs sending results and feedback, updating subscription statuses in the database.
- CVE frontend
This module offers a user-friendly CLI terminal command, enabling users to view, search, and subscribe to CVE information.
The architecture of CVE-ease is designed to create an efficient, flexible, and scalable platform, providing users with timely and accurate security vulnerability intelligence.
Development Roadmap
- Adapt repodata to support multiple OSVs.
- Add MOTD login broadcast functionality.
- Enhance the DNF plugin to include patching capabilities.
- Implement automatic patching for specific packages.
- Introduce specific package awareness features.
- ...
We highly value your feedback on the development direction of CVE-ease. If you have any suggestions or ideas, feel free to share them with us. Your input is greatly appreciated!
Installation Guide
CVE-ease is in fast-paced development, offering installation methods such as direct installation, container installation, and RPM package installation.
Direct Installation
git clone https://gitee.com/openeuler/cve-ease cve-ease.git
cd cve-ease.git/cve-ease
make install
Container Installation
git clone https://gitee.com/openeuler/cve-ease cve-ease.git
cd cve-ease.git/cve-ease
make run-in-docker
RPM Package Installation
git clone https://gitee.com/openeuler/cve-ease cve-ease.git
cd cve-ease.git/cve-ease
make gensrpm
cd ..
rpm -ivh *.src.rpm
cd ~/rpmbuild
rpmbuild -ba SPECS/cve-ease.spec
cd RPMS/noarch
rpm -ivh *.rpm
Usage Guide
Help Information
- Running the cve-ease command without options displays the help menu.
- The cve-ease command includes multiple subcommands, organized into basic, info, and notifier categories.
- Use the help subcommand to view detailed information for each command category.
# cve-ease
Available commands:
basic commands:
config Print cve-ease config
daemon Run as daemon without interactive
motd Motd info manager
service Service manager
info commands:
cve OpenEuler CVE info
cvrf OpenEuler CVRF info
db Database manager
help List available commands
logger Logger config
repodata Repodata info
rpm Rpm info
sa OpenEuler security notice info
notifier commands:
dingding Notifier of dingding
feishu Notifier of feishu
mail163 Notifier of mail163
mailqq Notifier of mailqq
wecom Notifier of wecom
Try "cve-ease --help" for help about global gconfig
Try "cve-ease help" to get all available commands
Try "cve-ease <command> --help" for help about the gconfig of a particular command
Try "cve-ease help <category>" to get commands under a particular category
Available commands are: basic, info, notifier
# cve-ease help info
Available commands:
info commands:
cve OpenEuler CVE info
cvrf OpenEuler CVRF info
db Database manager
help List available commands
logger Logger config
repodata Repodata info
rpm Rpm info
sa OpenEuler security notice info
Try "cve-ease --help" for help about global gconfig
Try "cve-ease help" to get all available commands
Try "cve-ease <command> --help" for help about the gconfig of a particular command
Try "cve-ease help <category>" to get commands under a particular category
Available commands are: basic, info, notifier
Configuration File
The configuration file is located at /etc/cve-ease/cve-ease.cfg.
[main]
pid_file_path = /var/log/cve-ease/cve-ease.pid
lock_file_path = /var/log/cve-ease/cve-ease.lock
# log configuration
# debug/ error(default) / warn
log_level = debug
log_file_path = /var/log/cve-ease/cve-ease.log
log_maxbytes = 10240
log_backup_num = 30
# sql configuration
db_type = sqlite
db_file_path = /usr/share/cve-ease/cve-ease.db
db_user =
db_password =
db_host =
db_port =
product = openEuler-23.09
expiration_days = 14
# notifier
notifier_record_num = 9
# filter
focus_on = kernel,systemd,openssh,openssl
[wecom]
enabled = 1
# https://developer.work.weixin.qq.com/document/path/91770?version=4.0.19.6020&platform=win
# https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=fe9eae1f-xxxx-4ae3-xxxx-ecf9f77abba6
update_key = 2142ef2a-d99d-417d-8c31-b550b0fcb4e3
status_key = 2142ef2a-d99d-417d-8c31-b550b0fcb4e3
[dingding]
enabled = 1
# just for test
update_key = 81907155a6cc88004e1ed6bcdd86c68d5b21565ed59d549ca031abc93d90d9cb
status_key = 81907155a6cc88004e1ed6bcdd86c68d5b21565ed59d549ca031abc93d90d9cb
[feishu]
enabled = 1
# just for test
update_key = 5575739b-f59d-48db-b737-63672b2c32ab
status_key = 5575739b-f59d-48db-b737-63672b2c32ab
[mail163]
enabled = 0
mail_sender = xxxxxxx@163.com
mail_recver = xxxxxxx@163.com
mail_smtp_token = xxxxxx
[mailqq]
enabled = 0
mail_sender = xxxxxxx@qq.com
mail_recver = xxxxxxx@qq.com
mail_smtp_token = xxxxxxxx
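An added example (not part of the cve-ease code base): a small Python audit of the configuration file shown above. It flags webhook keys copied from this README's sample, placeholder tokens in enabled notifier sections, debug logging, and group- or world-readable permissions on a file that holds secrets. The function names, the wording of the findings and the SAMPLE input are constructed for illustration.

```python
import configparser
import os
import stat

# Webhook keys printed in the README's sample configuration.
README_SAMPLE_KEYS = {
    "2142ef2a-d99d-417d-8c31-b550b0fcb4e3",
    "81907155a6cc88004e1ed6bcdd86c68d5b21565ed59d549ca031abc93d90d9cb",
    "5575739b-f59d-48db-b737-63672b2c32ab",
}
SECRET_OPTIONS = ("update_key", "status_key", "mail_smtp_token", "db_password")

# Constructed sample input, not a real deployment file.
SAMPLE = """\
[main]
log_level = debug
[wecom]
enabled = 1
update_key = 2142ef2a-d99d-417d-8c31-b550b0fcb4e3
status_key = 00000000-aaaa-bbbb-cccc-000000000000
[mail163]
enabled = 0
mail_smtp_token = xxxxxx
"""

def audit_config(text, mode=None):
    """Return findings for cve-ease.cfg text; mode is the file's st_mode, if known."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings, holds_secret = [], False
    for section in cfg.sections():
        # Sections without an "enabled" option (such as [main]) count as enabled.
        enabled = cfg.get(section, "enabled", fallback="1").strip() == "1"
        for opt in SECRET_OPTIONS:
            value = cfg.get(section, opt, fallback="").strip()
            holds_secret = holds_secret or bool(value)
            if value in README_SAMPLE_KEYS:
                findings.append(f"[{section}] {opt}: sample key copied from the README")
            elif enabled and set(value) == {"x"}:
                findings.append(f"[{section}] {opt}: placeholder in an enabled section")
    if cfg.get("main", "log_level", fallback="error").strip() == "debug":
        findings.append("[main] log_level: debug (the config comment lists error as default)")
    if holds_secret and mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("file: readable by group or others while holding secrets")
    return findings

def audit_file(path="/etc/cve-ease/cve-ease.cfg"):
    with open(path, encoding="utf-8") as fh:
        return audit_config(fh.read(), os.stat(path).st_mode)
```

Run `audit_file()` on the host after editing the configuration; an empty list means none of these four conditions was found.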
CVE-ease
The CVE-ease service consists of two files, cve-ease.service and cve-ease.timer, utilizing the systemd timer functionality for scheduled execution.
# /usr/lib/systemd/system/cve-ease.timer
# CTyunOS cve-ease: MulanPSL2
#
# This file is part of cve-ease.
#
[Unit]
Description=CTyunOS cve-ease Project
Documentation=https://gitee.com/openeuler/cve-ease
[Timer]
OnBootSec=1m
OnUnitActiveSec=10m
RandomizedDelaySec=10
[Install]
WantedBy=timers.target
# systemctl enable --now cve-ease.timer
Created symlink /etc/systemd/system/timers.target.wants/cve-ease.timer → /usr/lib/systemd/system/cve-ease.timer.
# systemctl status cve-ease.timer
● cve-ease.timer - CTyunOS cve-ease Project
Loaded: loaded (/usr/lib/systemd/system/cve-ease.timer; enabled; vendor preset: disabled)
Active: active (waiting) since Sat 2023-03-18 17:55:53 CST; 5s ago
Trigger: Sat 2023-03-18 18:05:55 CST; 9min left
Docs: https://gitee.com/openeuler/cve-ease
Mar 18 17:55:53 56d941221b41 systemd[1]: Started CTyunOS cve-ease Project.
# systemctl status cve-ease.service
● cve-ease.service - CTyunOS cve-ease project
Loaded: loaded (/usr/lib/systemd/system/cve-ease.service; disabled; vendor preset: disabled)
Active: inactive (dead) since Sat 2023-03-18 17:55:56 CST; 5s ago
Docs: https://gitee.com/openeuler/cve-ease
Process: 196 ExecStart=/usr/bin/cve-ease daemon (code=exited, status=0/SUCCESS)
Main PID: 196 (code=exited, status=0/SUCCESS)
Mar 18 17:55:53 56d941221b41 systemd[1]: Starting CTyunOS cve-ease project...
Mar 18 17:55:56 56d941221b41 systemd[1]: cve-ease.service: Succeeded.
Mar 18 17:55:56 56d941221b41 systemd[1]: Started CTyunOS cve-ease project.
basic Commands
config
Usage: cve-ease config <options>
(Specify the --help global option for a list of other help options)
Options:
-h, --help show this help message and exit
-r, --rawdata print raw config file content
cve-ease config # Display the configuration file path and active settings.
cve-ease config -r # Display the configuration file path and raw data.
daemon
- The daemon command acts as the entry point for the systemd service and is typically not run manually.
- The service is executed periodically by the systemd timer associated with cve-ease.
# /usr/lib/systemd/system/cve-ease.service
# CTyunOS cve-ease: MulanPSL2
#
# This file is part of cve-ease.
#
[Unit]
Description=CTyunOS cve-ease project
Documentation=https://gitee.com/openeuler/cve-ease
[Service]
Type=oneshot
ExecStart=/usr/bin/cve-ease daemon
[Install]
WantedBy=multi-user.target
motd
- TODO.
service
service command options for controlling the cve-ease service:
Usage: cve-ease service <options>
(Specify the --help global option for a list of other help options)
Options:
-h, --help show this help message and exit
-k, --kill kill cve-ease service
-r, --restart restart cve-ease service
-s, --status get cve-ease service status
-v, --verbose show verbose output
cve-ease service -k # Stop (kill) the cve-ease service
cve-ease service -r # Restart the cve-ease service
cve-ease service -s # Query the cve-ease service status
info Commands
cve
Retrieve CVE data from the openEuler community in the openEuler Security Center.
Usage: cve-ease cve <options>
(Specify the --help global option for a list of other help options)
Options:
-h, --help show this help message and exit
-r, --rawdata get cve cache and print raw data without write db
-m, --makecache get cve cache
-l, --list list all cve info
-t, --total get cve info statistics
-v, --verbose show verbose output
cve-ease cve -m # Collect CVE data and store it in the database.
cve-ease cve -l # Fetch CVE data from the database and format it for display.
cve-ease cve -t # Retrieve and show CVE statistics from the database.
cve-ease cve -r # Gather CVE data and display it in raw form (without saving to the database).
sa
Retrieve security advisory (SA) data from the openEuler community in the openEuler Security Center.
Usage: cve-ease sa <options>
(Specify the --help global option for a list of other help options)
Options:
-h, --help show this help message and exit
-r, --rawdata get sa cache and print raw data without write db
-m, --makecache get sa cache
-l, --list list all sa info
-t, --total get sa info statistics
-v, --verbose show verbose output
cve-ease sa -m # Collect SA data and store it in the database.
cve-ease sa -l # Fetch SA data from the database and format it for display.
cve-ease sa -t # Retrieve and show SA statistics from the database.
cve-ease sa -r # Gather SA data and display it in raw form (without saving to the database).
cvrf
Common Vulnerability Reporting Framework (CVRF)-related commands:
cve-ease cvrf -m # Collect CVRF data and store it in the database.
cve-ease cvrf -l # Fetch CVRF data from the database and format it for display.
cve-ease cvrf -t # Retrieve and show CVRF statistics from the database.
rpm
Usage: cve-ease rpm <options>
(Specify the --help global option for a list of other help options)
Options:
-h, --help show this help message and exit
-l, --list list all rpm info
-v, --verbose show verbose output
cve-ease rpm -l # Use the RPM interface to retrieve and display details of installed RPM packages in the system.
repodata
Usage: cve-ease repodata <options>
(Specify the --help global option for a list of other help options)
Options:
-h, --help show this help message and exit
-m, --makecache cache repodata to database
-p PRODUCT, --product=PRODUCT
specific product (work with --check)
--osv=OSV specific osv rpm release
-t, --total get total rpm statistics
-l, --list list all rpm
-c, --check check repo cve
-v, --verbose show verbose output
cve-ease repodata -p ctyunos2 -m # Set ctyunos2 as the OSV version, cache its repository metadata, and store it in the database.
cve-ease repodata --osv ctyunos2 -p openEuler-23.09 -c # Compare the ctyunos2 repository with the openEuler 23.09 repository.
cve-ease repodata -l # Display the package details available in the database.
cve-ease repodata -t # Fetch and show statistics for the repository data in the database.
logger
Usage: cve-ease logger <options>
(Specify the --help global option for a list of other help options)
Options:
-h, --help show this help message and exit
-l, --list list all logger info
-t, --total get logger statistics
-v, --verbose show verbose output
db
Usage: cve-ease db <options>
(Specify the --help global option for a list of other help options)
Options:
-h, --help show this help message and exit
-p, --purge purge db and recreate it (Danger Operation)
-s, --stats get database statistics
-v, --verbose show verbose output
notifier Commands
wecom
Usage: cve-ease wecom <options>
(Specify the --help global option for a list of other help options)
Options:
-h, --help show this help message and exit
-t, --test run test
-v, --verbose show verbose output
-c CONTENT, --content=CONTENT
show verbose output
cve-ease wecom -t # Send a test message to a WeCom group.
cve-ease wecom -t -c 'helloworld' # Send a custom test message to a WeCom group.
dingding
Usage: cve-ease dingding <options>
(Specify the --help global option for a list of other help options)
Options:
-h, --help show this help message and exit
-t, --test run test
-v, --verbose show verbose output
-c CONTENT, --content=CONTENT
show verbose output
cve-ease dingding -t # Send a test message to a DingTalk group.
cve-ease dingding -t -c 'helloworld' # Send a custom test message to a DingTalk group.
feishu
Usage: cve-ease feishu <options>
(Specify the --help global option for a list of other help options)
Options:
-h, --help show this help message and exit
-t, --test run test
-v, --verbose show verbose output
-c CONTENT, --content=CONTENT
show verbose output
cve-ease feishu -t # Send a test message to a Lark group.
cve-ease feishu -t -c 'helloworld' # Send a custom test message to a Lark group.
mail163
Usage: cve-ease mail163 <options>
(Specify the --help global option for a list of other help options)
Options:
-h, --help show this help message and exit
-t, --test run test
-v, --verbose show verbose output
-c CONTENT, --content=CONTENT
show verbose output
cve-ease mail163 -t # Send a test message to a 163 mail address.
cve-ease mail163 -t -c 'helloworld' # Send a custom test message to a 163 mail address.
mailqq
Usage: cve-ease mailqq <options>
(Specify the --help global option for a list of other help options)
Options:
-h, --help show this help message and exit
-t, --test run test
-v, --verbose show verbose output
-c CONTENT, --content=CONTENT
show verbose output
cve-ease mailqq -t # Send a test message to a QQ mail address.
cve-ease mailqq -t -c 'helloworld' # Send a custom test message to a QQ mail address.
How to Contribute
- Fork the repository.
- Since the project is in fast-paced development with only the master branch active, make your changes on the master branch and submit them.
- Create a pull request (PR) with a clear description of its functionality and purpose, along with relevant test cases.
- Notify the repository maintainer to review your PR.
Core Developers and Contact Details
- You Yifeng - Gitee Private Message
- Wu Kaishun - Gitee Private Message