JetPatch is integrated with several vulnerability scanners that are constantly being updated.
There are two ways of importing vulnerabilities into JetPatch:
- Vulnerability Connector - Connects to the Vulnerability Scanner using direct API communication. Works for:
- Report Upload - Uploading the report into the JetPatch portal. Works for:
Vulnerability Menu
To control vulnerability scanners in the JetPatch portal :
- Go to 'Patches' > 'Patch Catalog'
- Click the 'Vulnerability' button on the far right corner
Clear Data
The operation 'Clear Data' will delete all unmanaged patches and endpoints and the link between managed patches and endpoints.
For deleting the report data you can click on "Clear Data" after choosing the requested vulnerability provider.
Import File
Relevant for "Report Upload" integrations only.
The operation 'Import File' will open an interactive upload window, to upload the report generated from the Vulnerability Scanner.
Integration Types
API Connector
Nexpose & InsightVM
- To learn more about Nexpose integration please visit Vulnerability Connector to Nexpose & InsightVM
Tenable.sc
- To learn more about Tenable.sc integration please visit Vulnerability Connector to Tenable.sc
Report Upload
A dedicated parser for your own report can be created. Instructions can be found in Create Custom Parser for Vulnerabilities Report
Any report must include:
- Endpoint Identifications - IP and/or EP name (can be hostname or DNSname).
- Advisory information - Advisory ID
The existing parsers (out-of-the-box) supports the following reports:
Tenable.io
- To learn more about Nexpose integration please visit Report Upload - Tenable.io
Nessus
- Import File: You can import a Nessus report.
- The report must include the following columns:
- Plugin Name
- Family
- IP Address
- DNS Name
- If DNS Name is empty in your report, configure the vulnerability integration on IP only.
- Solution
- CVE (can be empty)
- Column order - column order is not important
- Headers - Should exist in the report, with the same titles as above, case-sensitive.
- The report must include the following columns:
- Clear Data
Example CSV file in Nessus format is attached
CSV file
- Import File: You can import a CSV file with patch vulnerability information.
- The file content should include:
- IP Address
- DNS Name
- If DNS Name is empty in your report, configure the vulnerability integration on IP only.
- Vulnerability ID (Advisory ID)
- CVE List (Optional) - space-separated list of CVEs
- Column order - should be in the same order as above
- Headers - should not be included in the report
- The file content should include:
- If you would like to add Headers/information to your reports please contact our customer success representative
- Clear Data - All information that was updated from previously imported reports will be erased
Example content of CSV file can be:
| 30.30.0.1 | endpoint1.domain.com | RHSA-2020:4076 |
| 30.30.0.1 | endpoint1.domain.com | RHSA-2020:4060 |
| 30.30.0.1 | endpoint1.domain.com | RHSA-2020:4007 |
| 30.30.0.2 | endpoint2.domain.com | KB4577010 |
| 30.30.0.2 | endpoint2.domain.com | KB4577066 |
- endpoint1 - is Linux RHEL7 endpoint
- endpoint2 - is Windows endpoint
Notes - No headers are needed
The example CSV is also attached at the end of the article.
General Configuration
Matching criteria between JetPatch and the Vulnerability Scanner
# Which criteria should records be merged on between JetPatch and Vulnerability Scanner
# Default is all three. Order does not matter. Minimum 1, maximum 3
vulnerability.parsers.match.computer.by=hostname,dnsname,ip
Note - if your report does not include FQDN, the configuration should be changed to match via IP only.
Adding Non-Managed Endpoints into JetPatch
By default, JetPatch will add the non-managed endpoints discovered from the Vulnerability Scanner.
If you would like to turn that off, set the following variable to false.
# Create new non-managed endpoints if discovred in Vulnerability Scanner information
vulnerability.parsers.computer.create.unknown=true
What is "Not In Repository" for a patch?
Some patches might not exist in JetPatch when importing them from a vulnerability system.
In this case, JetPatch can not manage the patches and they are marked "Not In Repository" in the "Approval Status".
How to fix: Updating the WSUS / Linux repositories should fix the problem. JetPatch will get the new updates and remove the "Not In Repository" property.
How to use JetPatch's RESTful API to import a Vulnerability Report Automatically
If you would you use the file called '~/Documents/jpMine.csv' with the following content:
30.30.54.243,Igor-Cnts6-01,CEBA-2020:XXXY
The call to upload a file should use absolute path with '~' translated. For example: ''~/Documents/jpMine.csv'' -> ''/home/igor/Documents/jpMine.csv''
The full cmd:
curl -X POST --digest -u admin:3B5B887F-4E63-45DA-B485-10D3E6E28999 -F 'provider=CSV' -F 'type=CSV' -F 'file=@/home/igor/Documents/jpMine.csv' "http://localhost:8080/vmanage-server/rest/experimental/patch-governance/remediation-plans/action/import"
After '-u admin:' you should put API key
'provider=CSV' may be 'provider=Nessus' if needed
'type=CSV' is the only type supported
URL should be changed accordingly
Additional Notes
- After a report is imported or the direct API integration is established, the endpoints that are related to the vulnerability scanner will appear in the Endpoint Management table. In some cases, endpoints that arrive from a vulnerability scanner are not managed by JetPatch (they are not discovered by any of the discovery sources). The unmanaged endpoints are not remediated and no action can be performed.
- For managed patches and endpoints, JetPatch will add the report data into:
- "Endpoints > Management" - into "Vulnerability Scan" column
- "Patches > Patch Catalog" - into "Vulnerability Provider" column
- Importing a new report into JetPatch will not override the existing reports.
Comments
0 comments
Please sign in to leave a comment.