A collection of tools for managing and automating vulnerability management.
Streamline the way vulnerability management programs are created and run. This project is made to be modular so automation can be put into place at any program level.
-
API keys for both Tenable IO and Jira are required.
-
I developed this tool using Jira on-prem and assume it would work for the cloud version as well however am unable to verify that.
-
There is a bit of setup to use the tool as it is in development, I am planning on creating a quick start script but until then please see How to use.
pip install git+https://github.com/RackReaver/AVMP
Check code coverage
>>> coverage run -m pytest
>>>
>>> coverage report
At this time the tool can only be deployed locally.
$ avmp --help
__ ____ __ _____
/\ \ / / \/ | __ \
/ \ \ / /| \ / | |__) |
/ /\ \ \/ / | |\/| | ___/
/ ____ \ / | | | | |
/_/ \_\/ |_| |_|_|
A collection of tools for managing and automating vulnerability management.
Usage:
avmp run [--config filepath] <process_config>
avmp update [--config filepath] <ticket_db_filepath>
avmp -h | --help
avmp --version
Options:
-h --help Show this screen.
--version Show version.
--config=filepath AVMP configuration file [default: config.json]
vuln_manager
|
+-- process_configs
| |
| +-- dynamic/ # Configurations for generating vulnerability tickets
| +-- static/ # Configurations for generating repetitive project/task tickets
|
+-- config.json
+-- tickets.db # This is generated automatically and is mapped to in the process_configs
{
"creds": {
"tenable": {
"access_key": "",
"secret_key": ""
},
"jira": {
"server": "",
"username": "",
"password": ""
}
},
"types": {
"JIRA_PROJECT_ID": ["JIRA_FIELD_1", "JIRA_FIELD_2", "JIRA_FIELD_3"]
},
"due_dates": {
"Critical": "DAYS_TO_PATCH",
"High": "DAYS_TO_PATCH",
"Medium": "DAYS_TO_PATCH",
"Low": "DAYS_TO_PATCH",
},
"priorities": {
"Critical": "JIRA_ID",
"High": "JIRA_ID",
"Medium": "JIRA_ID",
"Low": "JIRA_ID"
}
Field | Required | Description |
---|---|---|
creds | yes | Data required from APIs to run package |
types | no | List of required fields for a given Jira project (not required, but a good idea to ensure process_configs contain all required fields before making an API request). |
due_dates | yes | Used to set Jira due date based on Tenable's severity rating. |
priorities | yes | Mapping Tenable severity rating to Jira priorities (defaults to Low if others are unavailable). |
See examples for context on use cases.
{
"process_type": "dynamic",
"allow_ticket_duplication": "False",
"scan_name": "TENABLE_SCAN_NAME",
"max_tickets": 10,
"assignee": "",
"min_cvss_score": 6.0,
"ticket_db_filepath": "tickets.db",
"default_ticket_status": "Open",
"time_saved_per_ticket": "10m",
"root_ticket": "",
"comments": [],
"data": {
"project": { "key": "JIRA_PROJECT_KEY" },
"summary": "Vuln: ",
"description": "",
"issuetype": { "id": "JIRA_ISSUE_TYPE_ID" },
"priority": { "id": "" },
"duedate": ""
}
}
Field | Required | Description |
---|---|---|
process_type | yes | Must be dynamic |
allow_ticket_duplication | no | [default: false] Prevent multiple tickets for same plugin_id to be generated (This is based on the ticket_db_filepath provided). |
scan_name | yes | Name of scan inside of Tenable IO |
max_tickets | no | Number of tickets to be created each time this configuration is used (optional - will create all if value is blank). |
assignee | no | Username to assign all created tickets to (optional). |
min_cvss_score | yes | This is based on the CVSS Base Score provided by Tenable IO, allows for configurations based on severity. |
ticket_db_filepath | yes | Location of SQLite database file for tracking tickets (DB will be created if ones doesn't already exist on the path provided). |
default_ticket_status | yes | First status for database entry, this will change when the auto updater is run. |
time_saved_per_ticket | yes | Jira time value to log work for calculating time saved. |
root_ticket | no | If unable to log work against newly created ticket this value will provide a ticket that allows work to be logged against it. |
comments | no | A list of strings that will generate comments. |
data | yes | API values required to generate a Jira ticket (issue). |
See examples for context on use cases.
{
"process_type": "static",
"time_saved_per_ticket": "5m",
"time_saved_comment": "Time saved through automation",
"parent_ticket": {
"project": { "key": "JIRA_PROJECT_KEY" },
"summary": "SUMMARY",
"description": "DESCRIPTION",
"issuetype": { "name": "ISSUE_TYPE_NAME" },
"assignee": { "name": "" },
"priority": { "id": "PRIORITY_ID" }
},
"sub_tasks": {
"sub_task_1": {
"project": { "key": "JIRA_PROJECT_KEY" },
"summary": "SUMMARY",
"description": "DESCRIPTION",
"issuetype": { "name": "Sub-task" },
"assignee": { "name": "" }
},
"sub_task_2": {
"project": { "key": "JIRA_PROJECT_KEY" },
"summary": "SUMMARY",
"description": "DESCRIPTION",
"issuetype": { "name": "Sub-task" },
"assignee": { "name": "" }
}
}
}
Field Name | Required | Description |
---|---|---|
process_name | yes | Must be static |
time_saved_per_ticket | no | Jira time value to log work for calculating time saved. |
time_saved_comment | no | Comment for Jira work log for time saved. |
parent_ticket | yes | API values required to generate a Jira ticket (issue). |
sub_tasks | no | JSON container for any sub tasks that should be created under parent ticket. |
- Add persistent logging to wrapper.main() as a return value
- Add ticket reference table to database
- Track project and process ticket numbers for automated linking
- Add support for SecurityScorecard
- Build tests for code base
- [x]Add example dynamic and static process configs
- Add database tracking of static_process tickets
- Matt Ferreira - Developer - RackReaver
This project is licensed under the Apache License - see the LICENSE file for details