Skip to content

Latest commit

 

History

History
222 lines (180 loc) · 7.79 KB

Readme.md

File metadata and controls

222 lines (180 loc) · 7.79 KB

Test codecov

Prometheus CVE Exporter

Prometheus CVE Exporter is a Golang application that scans your system for all installed packages and compares them with the recent NVD JSON feed. It exports metrics that provide insights into the security status of your packages.

TOC

Features

  • Vulnerability Detection: Identifies installed packages that have known vulnerabilities.
  • Prometheus Metrics: Exports detailed metrics to Prometheus for monitoring and alerting.
  • Automated Updates: Regularly fetches the latest NVD JSON feed to ensure up-to-date vulnerability information.

Exported Metrics

Metric Name Type Description Labels
nvd_vulnerable_packages GaugeVec Indicates if a package is vulnerable (1) or not package, version, cve, impact
nvd_total_vulnerabilities Gauge Total number of vulnerabilities detected None
nvd_last_update_time Gauge Timestamp of the last successful update None

Example output

# HELP nvd_last_update_time Timestamp of the last successful update
# TYPE nvd_last_update_time gauge
nvd_last_update_time 1.7213802588068807e+09
# HELP nvd_total_vulnerabilities Total number of vulnerabilities detected
# TYPE nvd_total_vulnerabilities gauge
nvd_total_vulnerabilities 6
# HELP nvd_vulnerable_packages Indicates if a package is vulnerable (1) or not (metric not present)
# TYPE nvd_vulnerable_packages gauge
nvd_vulnerable_packages{cve="CVE-2024-21513",impact="HIGH",package="langchain-experimental",version="0.0.17"} 1
nvd_vulnerable_packages{cve="CVE-2024-6072",impact="MEDIUM",package="wp_estore",version="8.5.3"} 1
nvd_vulnerable_packages{cve="CVE-2024-6073",impact="MEDIUM",package="wp_estore",version="8.5.3"} 1
nvd_vulnerable_packages{cve="CVE-2024-6074",impact="MEDIUM",package="wp_estore",version="8.5.3"} 1
nvd_vulnerable_packages{cve="CVE-2024-6075",impact="HIGH",package="wp_estore",version="8.5.3"} 1
nvd_vulnerable_packages{cve="CVE-2024-6076",impact="MEDIUM",package="wp_estore",version="8.5.3"} 1

Building

Prerequisites

  • Go 1.22 or higher

Steps

  1. Clone the repository:

    git clone https://github.com/zadjadr/prometheus-cve-exporter.git
    cd prometheus-cve-exporter
  2. Build the application:

    go build -o ./bin/ ./...
  3. Run the application:

    ./bin/prometheus-cve-exporter -help

Alternatively, you can download the precompiled package from the releases section on GitHub.

Usage

The Prometheus CVE Exporter will start a web server on port 10250 by default and expose the metrics at the /metrics endpoint.

To customize the settings, use the following flags:

  -config string
        path to config file
  -nvd-feed-url string
        URL for the NVD feed (default "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-recent.json.gz")
  -package-file string
        Path to file containing packages and versions
  -port int
        Port to run the server on (default 10250)
  -severity string
        Comma separated list of severity levels for vulnerabilities (default "CRITICAL")
  -tls-cert string
        Path to TLS certificate file
  -tls-key string
        Path to TLS key file
  -update-interval duration
        Update interval duration (default 24h0m0s)

Binary without config

./bin/prometheus-cve-exporter -port 9090 -severity "HIGH,CRITICAL" -update-interval 12h -package-file /tmp/packages.txt

Binary with config & TLS enabled

{
  "package_file": "",
  "nvd_feed_url": "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-recent.json.gz",
  "update_interval": "5m",
  "port": 8080,
  "severity": [
    "LOW",
    "MEDIUM",
    "HIGH",
    "CRITICAL"
  ],
  "tls_cert": "server.crt",
  "tls_key": "server.key"
}
./bin/prometheus-cve-exporter -config config.json
Current configuration:
    NVD Feed URL: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-recent.json.gz
    Update Interval: 5m0s
    Severity Levels: [LOW MEDIUM HIGH CRITICAL]
    Port: 8080
    Use TLS: true
    TLS Certificate: ignore-server.crt
    TLS Key: ignore-server.key
2024/07/21 20:21:49 Starting server on :8080
2024/07/21 20:21:49 TLS enabled
2024/07/21 20:21:50 Metrics updated successfully
# If you are using a self-signed certificate
curl -k https://localhost:8080/metrics

# If you are using a certificate signed by a trusted party
curl https://localhost:8080/metrics
❯ curl -k https://localhost:8080/metrics -vvv
* Host localhost:8080 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:8080...
* Connected to localhost (::1) port 8080
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / x25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: C=DE; ST=Hamburg; L=Hamburg; O=zops.top; CN=localhost
*  start date: Jul 21 00:51:56 2024 GMT
*  expire date: Jul 21 00:51:56 2025 GMT
*  issuer: C=DE; ST=Hamburg; L=Hamburg; O=zops.top; CN=localhost
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption

Docker

Released version tags are:

  • latest
  • major version (e.g. v1)
  • major.minor version (e.g. v1.1)
  • tag name (e.g. v1.0.0)

For the docker version, you will need to provide a package-file, otherwise the scanner will only scan the container.

# Create a packages.txt file regularly in /tmp or any other place you prefere
# You should probably use a cronjob to do this.
mkdir /tmp/prometheus-cve-exporter
while true; do pacman -Q > /tmp/prometheus-cve-exporter/packages.txt; sleep 86400; done &

docker run -it -v /tmp/prometheus-cve-exporter:/app -p 10250:10250 --rm ghcr.io/zadjadr/prometheus-cve-exporter:latest -- -package-file /app/packages.txt
Current configuration:
    NVD Feed URL: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-recent.json.gz
    Update Interval: 24h0m0s
    Severity Levels: [CRITICAL]
    Port: 10250
    Package file: /app/packages.txt
    Use TLS: false
2024/07/21 18:19:45 Starting server on :10250
2024/07/21 18:19:45 TLS disabled
2024/07/21 18:19:46 Metrics updated successfully