SRTool User Page

From Yocto Project
Revision as of 04:07, 29 December 2018 by David Reyna (talk | contribs) (User documentation for the SRTool)


This page summarizes the Security Response Tool (SRTool) user documentation.



Goals

  • A common system to track and share security issues, combining community CVEs
  • A simple yet flexible interface for reporting and exploring the security issues
  • A place to upload and share attachments, including patches, fixes, emails, and documents
  • The ability to generate accurate and up-to-date reports and exports
    • Status on a given CVE and its defects, for a specific product or for all affected products
    • Compliance reports on sensitive CVEs, for example the chain of events and who-knew-what-when
    • Status of each product, for the related CVE defects
    • Ability to easily export that data to spreadsheets and to the public CVE database
  • The ability to securely store embargoed CVEs and data, complete with user protection and data encryption
  • Tools to help manage the ongoing influx of CVEs (around 1000 per month) so that expert time is not wasted and crucial CVEs are not lost
  • In general, a managed and automated tool set based on open source to replace splintered email threads and brittle manual systems


Basic Introduction

  • This demo's data set contains the integrated CVE, Defect, and Sustaining data for 'CVE-2015-*' to 'CVE-2018-*'
  • The title bar "SRTool:Security Response Tool" will always link you back to the home page
  • In tables there are three ways to adjust the data set, and they can be used separately or together to get the best results
    • The search bar: most of the text fields are searchable. Enter a value (like 'meltdown') and all records that contain that string in those fields will appear
    • The column sort: any column title that appears in blue can be used to sort by that column. Click a second time to reverse the sort
    • The column filter: when you click on the 'cone' symbol in a column title you can select a filter based on that column's data
    • At the bottom of each table you can set the page size and jump to other pages
  • The user access model is simulated in this demo
    • By default you can see that you are logged in as "Guest" in the top right corner
    • If you click to log in you become a system admin, and can see the hidden management data tables
    • If you click again to log out, you will return to the 'Guest' account
  • The top bar also includes general and page-specific tool actions, for example:
    • Export: Generate and download an export or report
    • New CVE or Vulnerability: Create a new custom CVE, or create a new exploratory Vulnerability
    • Fetch alt data: Fetch data from additional CVE sources for a given CVE


Basic Records Objects

CVEs

    • The CVE page is based on the NIST public page, and includes the CVSS V3 and V2 severity information, download links, and CPEs
    • There are tabs to see (a) the original NIST source data, (b) alternate CVE sources, and (c) SRTool edits (if added)
    • At the top is a place for the internal tags that help lookups and track status
    • At the top is a place to see the publishing state. It can include future dates, plus a "Publish Now" button
    • The "New CVE" link creates a new custom local CVE record
    • The "Fetch alt data" link adds Mitre, Debian, and other data to this CVE
    • The "Export" link provides CVE-specific reports

Vulnerabilities

    • Vulnerability records track the overall status of a CVE (or a group of tightly related CVEs)
    • Multiple related CVEs can be attached
    • Multiple Investigations can be attached, one per product
    • Comments and attachments can be added by logged-in users (for traceability)
    • Users can sign up for change notification emails
    • Vulnerabilities can be public, or locked to an invitation-only list of users
    • The "Edit Status ..." button allows changes to fields like the status, priority, and comments
    • The "Create Notification..." button is for notifying owners of status changes for the record
    • The "Delete" button is for deleting this record
    • The "Add product ..." button is for attaching a product and creating a respective Investigation record
    • The "New Vulnerabilities" link creates a new vulnerability record
    • The "Export" link provides Vulnerability-specific reports

Investigations

    • Investigation records track the status of a CVE for a given product
    • Multiple defect links can be attached
    • Comments and attachments can be added by logged-in users
    • Users can sign up for change notification emails
    • Investigations can be public, or locked to a controlled list of users
    • The "Edit Status ..." button allows changes to fields like the status, priority, and comments
    • The "Create Notification..." button is for notifying owners of status changes for the record
    • The "Delete" button is for deleting this record
    • The "Export" link provides Investigation-specific reports

Defects

    • This table lists all of the defects being tracked by the Vulnerabilities and Investigations
    • A quick status overview of the defects is provided
    • A quick summary page per defect is provided, with a link to the actual defect

Products

    • Products tracked in this tool
    • Access to each product's Vulnerabilities, Investigations, and Defects

Package CPEs

    • This table tracks the packages that have been identified as vulnerable
    • It also maps each package to the affected CVEs, Vulnerabilities, Investigations, and finally the related defects
    • This data can help assist in CVE triage and risk analysis
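As an added example (not SRTool's own code), the following stand-alone Python script shows the core of the package-to-CVE lookup that the Package CPE table supports: it parses CPE 2.3 strings, applies NVD-style version ranges (versionStartIncluding, versionEndExcluding and friends), and reports, per product, which CVE records affect each package. The CVE identifiers, CPE strings, version ranges and products are all constructed placeholders, and the version comparison (dotted numeric components with an optional letter suffix) is a simplifying assumption, not a full CPE 2.3 matching implementation.

```python
"""Added example, not SRTool code: map a product's packages to CVEs by CPE.

Parses CPE 2.3 strings, applies NVD-style version ranges, and reports which
constructed CVE records affect each package of each product. All CVE ids,
CPE strings, ranges and products below are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

_PIECE = re.compile(r"^(\d*)(.*)$")


def version_key(v: str):
    """Sort key for dotted versions, e.g. '1.1.0h' -> ((1,''),(1,''),(0,'h')).
    Assumption: numeric components with an optional letter suffix; a component
    with no leading digits sorts before any numeric one."""
    key = []
    for piece in v.split("."):
        digits, rest = _PIECE.match(piece).groups()
        key.append((int(digits) if digits else -1, rest))
    return tuple(key)


@dataclass(frozen=True)
class Cpe:
    part: str      # 'a' application, 'o' operating system, 'h' hardware
    vendor: str
    product: str
    version: str   # '*' or '-' means "any / unspecified"


def parse_cpe23(s: str) -> Cpe:
    """Parse the part/vendor/product/version fields of a CPE 2.3 string.
    Assumption: no escaped colons; the remaining fields (update, edition, ...)
    are ignored for matching."""
    f = s.split(":")
    if len(f) < 6 or f[0] != "cpe" or f[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {s!r}")
    return Cpe(f[2], f[3], f[4], f[5])


@dataclass
class CpeMatch:
    """One NVD 'cpe_match' entry: a CPE plus optional version bounds."""
    cpe: Cpe
    start_incl: Optional[str] = None   # versionStartIncluding
    start_excl: Optional[str] = None   # versionStartExcluding
    end_incl: Optional[str] = None     # versionEndIncluding
    end_excl: Optional[str] = None     # versionEndExcluding

    def affects(self, pkg: Cpe) -> bool:
        if (self.cpe.part, self.cpe.vendor, self.cpe.product) != (pkg.part, pkg.vendor, pkg.product):
            return False
        if self.cpe.version not in ("*", "-"):      # exact-version entry
            return self.cpe.version == pkg.version
        k = version_key(pkg.version)                # wildcard entry: apply the range
        if self.start_incl and k < version_key(self.start_incl):
            return False
        if self.start_excl and k <= version_key(self.start_excl):
            return False
        if self.end_incl and k > version_key(self.end_incl):
            return False
        if self.end_excl and k >= version_key(self.end_excl):
            return False
        return True


def triage(products: Dict[str, List[str]], cves: List[dict]) -> Dict[str, Dict[str, List[str]]]:
    """Return {product: {package CPE: [affecting CVE ids]}}, the per-product view
    from which an Investigation record would be opened for each non-empty hit list."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for prod, pkg_strings in products.items():
        report[prod] = {}
        for s in pkg_strings:
            pkg = parse_cpe23(s)
            report[prod][s] = [c["id"] for c in cves
                               if any(m.affects(pkg) for m in c["cpe_match"])]
    return report


# Constructed sample data; the CVE ids are placeholders, not real entries.
SAMPLE_CVES = [
    {"id": "CVE-EXAMPLE-0001", "cpe_match": [CpeMatch(
        parse_cpe23("cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*"),
        start_incl="1.0.2", end_excl="1.1.1")]},
    {"id": "CVE-EXAMPLE-0002", "cpe_match": [CpeMatch(
        parse_cpe23("cpe:2.3:a:busybox:busybox:1.29.3:*:*:*:*:*:*:*"))]},
    {"id": "CVE-EXAMPLE-0003", "cpe_match": [CpeMatch(
        parse_cpe23("cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"),
        end_excl="4.19.5")]},
]
SAMPLE_PRODUCTS = {
    "product-a": ["cpe:2.3:a:openssl:openssl:1.1.0h:*:*:*:*:*:*:*",
                  "cpe:2.3:a:busybox:busybox:1.29.3:*:*:*:*:*:*:*",
                  "cpe:2.3:o:linux:linux_kernel:4.18.0:*:*:*:*:*:*:*"],
    "product-b": ["cpe:2.3:a:openssl:openssl:1.1.1:*:*:*:*:*:*:*",
                  "cpe:2.3:a:busybox:busybox:1.30.0:*:*:*:*:*:*:*"],
}

if __name__ == "__main__":
    for prod, pkgs in triage(SAMPLE_PRODUCTS, SAMPLE_CVES).items():
        print(prod)
        for cpe, hits in pkgs.items():
            print(f"  {cpe}: {', '.join(hits) or 'no matching CVE'}")
```

A CPE hit is only the starting point for triage: a match on vendor/product/version says nothing about whether the fix was backported into the product's package, which is why each hit still needs its own Investigation record and defect link rather than being treated as a confirmed exposure.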

CWEs

    • The 'Common Weakness Enumerations' (CWEs) referenced by the vulnerable CVE records
    • This table also maps each of these fundamental weaknesses to its related CVEs