vFeed – The open source cross-linked local vulnerability database Beta Released

Concept introduction

vFeed is an open source naming scheme concept that provides extra structured detailed 3rd parties references for a CVE entry. While the emergence of the Open Standards helped undeniably to shape a new way to communicate about vulnerabilities, the new vFeed is adding an intelligent structured xml feed that provides effective level of information (meta-data) related to vulnerability. The vFeed database is the main asset of this project.

Target audience

Security auditors who want to report accurate information about findings. vFeed could be the best way to describe a CVE with attributes based on standards and 3^rd party references as vendors or companies involved into standarization efforts.
Security tools vendors / security open source developers who need to implement libraries to enumerate useful information about CVEs without wasting time to correlate and to create a proprietary database. vFeed is by far the best solution. Methods can be invoked from programs or scripts with a simple call.
Penetration testers who want to analyze CVEs and gather extra information to help shape avenues to exploit vulnerabilities.
Any security hacker who is conducting researches and need a very fast and accurate way to enumerate available exploits or techniques to check a vulnerability

Key features

Built using open source technologies
Fully downloadable SQLite local vulnerability database
Structured new XML format to describe vulnerabilities
Based on major open standards CVE, CPE, CWE, CVSS..
Support correlation with 3^rd party security references (CVSS, OSVDB, OVAL…)
Extended to support correlation with security assessment and patch vendors (Nessus, Exploit-DB, Redhat, Microsoft..)
Simple & ready to use Python module with more than 15 methods

Beta 1 changelog

Full SQLite vulnerability database correlated with the following
- CVE (http://cve.mitre.org)
- CWE (http://cwe.mitre.org)
- CPE (http://cpe.mitre.org)
- OVAL (http://oval.mitre.org)
- CVSS (http://www.first.org/cvss)
- OVAL (http://oval.mitre.org)
- Exploit DB (http://www.exploit-db.com)
- Nessus IDs and Files (http://www.nessus.org)
- Microsoft MS and KB IDs (http://www.microsoft.com)
- Redhat IDs (http://www.redhat.com/)
- SUSE IDs (https://www.suse.com/)
- AIXAPAR IDs (http://www.ibm.com)
Python module with 15 implemented methods
- checkCVE
- checkCVSS
- checkReferences
- checkCWE
- checkCPE
- checkRISK
- checkMS
- checkKB
- checkREDHAT
- checkSUSE
- checkAIXAPAR
- checkOVAL
- checkNESSUS
- checkEDB
- exportXML
Ability to export meta-data to the new structured vFeed XML format to describe vulnerabilities
2 python scripts to explore the concept
Documentation

License

vFeed concept & vFeed API are released under the BSD License.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

* Neither the name of vFeed/vFeedApi nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF

THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The vFeed Concept & vFeed API is provided under the 3-clause BSD license above.

This license does not apply to the following components:

– openCVSS.py v1.3 ( written by Brandon Dixon from 9b+) library used to calculate the scores within vFeedCore (not distributed yet)

Last but not least, feel free to do whatever you like with vFeed/vFeedApi as long as you give credit for the author. As reward, you still can offer me a book or just a kind word thanking me for spending my nights and weekends doing this while you were enjoying barbecues & fresh beers.