Articles in this section

Vulnerability Scanners Integration

Yotam Krief
  • Updated
Follow

JetPatch is integrated with several vulnerability scanners that are constantly being updated. 

You can import vulnerability information in several ways: 

Vulnerability Menu

To control vulnerability scanners in the JetPatch portal : 

  1. Go to 'Patches' > 'Patch Catalog'
  2. Click the 'Vulnerability' button on the far right corner 

VUL.png

Clear Data

The operation 'Clear Data' will delete all unmanaged patches and endpoints and the link between managed patches and endpoints.

For deleting the report data you can click on "Clear Data" after choosing the requested vulnerability provider.

Import File

The operation 'Import File' will open an interactive upload window, to upload the report generated from the Vulnerability Scanner.

Note - This operation is not applicable for integrations that are using 'Direct API'

 

Integration Types

Direct API

Nexpose

Importing a Report

The default support scanners types are "custom CSV format" and "Nessus" report.

A dedicated parser for your own report can be created. Instructions can be found in Create Custom Parser for Vulnerabilities Report

The existing parsers (out-of-the-box) supports the following reports:

CSV file

  • Import File: You can import a CSV file with patch vulnerability information.
    • The file content should include:
      • IP Address
      • DNS Name
      • Vulnerability ID (Advisory ID)
      • CVE List (Optional) - space-separated list of CVEs
    • Column order - should be in the same order as above
    • Headers - should not be included in the report
  • If you would like to add Headers/information to your reports please contact our customer success representative 
  • Clear Data - All information that was updated from previously imported reports will be erased   

Example content of CSV file can be:

30.30.0.1 endpoint1.domain.com RHSA-2020:4076
30.30.0.1 endpoint1.domain.com RHSA-2020:4060
30.30.0.1 endpoint1.domain.com RHSA-2020:4007
30.30.0.2 endpoint2.domain.com KB4577010
30.30.0.2 endpoint2.domain.com KB4577066
  • endpoint1 - is Linux RHEL7 endpoint 
  • endpoint2 - is Windows endpoint

Notes - No headers are needed

The example CSV is also attached at the end of the article.

 

Nessus

  • Import File: You can import a Nessus report.
    • The report must include the following columns:
      • Plugin Name
      • Family
      • IP Address
      • DNS Name
      • Solution
      • CVE (can be empty)
    • Column order - column order is not important
    • Headers - Should exist in the report, with the same titles as above, case-sensitive.
  • Clear Data

Example CSV file in Nessus format is attached

 

General Configuration

Matching criteria between JetPatch and the Vulnerability Scanner (From JetPatch 4.1.0.104)

# Which criteria should records be merged on between JetPatch and Vulnerability Scanner
# Default is all three.  Order does not matter.  Minimum 1, maximum 3
vulnerability.parsers.match.computer.by=hostname,dnsname,ip

Adding Non-Managed Endpoints into JetPatch (From JetPatch 4.1.0.105)

By default, JetPatch will add the non-managed endpoints discovered from the Vulnerability Scanner.

If you would like to turn that off, set the following variable to false.

# Create new non-managed endpoints if discovred in Vulnerability Scanner information
vulnerability.parsers.computer.create.unknown=true

What is "Not In Repository" for a patch?

Some patches might not exist in JetPatch when importing them from a vulnerability system.

In this case, JetPatch can not manage the patches and they are marked "Not In Repository" in the "Approval Status".

How to fix: Updating the WSUS / Linux repositories should fix the problem. JetPatch will get the new updates and remove the "Not In Repository" property.

How to use JetPatch's RESTful API to import a Vulnerability Report Automatically

If you would you use the file called '~/Documents/jpMine.csv' with the following content:
30.30.54.243,Igor-Cnts6-01,CEBA-2020:XXXY

The call to upload a file should use absolute path with '~' translated. For example: ''~/Documents/jpMine.csv'' -> ''/home/igor/Documents/jpMine.csv''

 

The full cmd:
curl -X POST --digest -u admin:3B5B887F-4E63-45DA-B485-10D3E6E28999 -F 'provider=CSV' -F 'type=CSV' -F 'file=@/home/igor/Documents/jpMine.csv' "http://localhost:8080/vmanage-server/rest/experimental/patch-governance/remediation-plans/action/import"

 

After '-u admin:' you should put API key
'provider=CSV' may be 'provider=Nessus' if needed
'type=CSV' is the only type supported
URL should be changed accordingly

 

Additional Notes

  1. After a report is imported or the direct API integration is established, the endpoints that are related to the vulnerability scanner will appear in the Endpoint Management table. In some cases, endpoints that arrive from a vulnerability scanner are not managed by JetPatch (they are not discovered by any of the discovery sources). The unmanaged endpoints are not remediated and no action can be performed.  
  2. For managed patches and endpoints, JetPatch will add the report data into:
    • "Endpoints > Management" - into "Vulnerability Scan" column
    • "Patches > Patch Catalog" - into "Vulnerability Provider" column
  3. Importing a new report into JetPatch will not override the existing reports.

 

 

 

 

 

 

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.