What's the simplest way to build out Vulnerability Classification Rules?

Dommer · ‎07-18-2022

Hi all,

We are looking to use VCR rules to classify our vulnerabilities (platform vs application). We want to use the Common Platform Enumeration (CPE) in the VCR rule condition. The following is an example how I want to build out a VCR rule to classify vulnerabilities as an application.

All of these conditions must be met:

CPE contains cpe:/a

Set these values:

Classification = Application

Classification Type = Other

Problem is the CPE data doesnt seem to be available to select from in the condition. Am I missing it or is this not an option? I can see the CPE data in the Tenable System Import sets, but CPE is not being populated in the Third-Party vulnerability entry's or anywhere else that I can see. Is this possible?

Chris McDevitt · ‎07-20-2022

Sidenote: This is so weird, I have had at least three people ask me about CPE in the last week. Anyways....

The CPE data is on the Third-Party Vulnerability Entry table.

So, the CPE's Vendor and Product are copied over to the Third-Party Vulnerability Entry [sn_vul_third_party_entry] (i.e., your Tenable, Rapid7, Qualys, etc. vul library)... but the "Part" (aka Type: a,h,o) is not.

Vote up this idea so we can get the "Part" included in the TPE.

Until then, you will need customization..... the TenableTPEUtil Script Include. Customization should not be taken lightly and must be accounted for in each release.

Basic Steps

Add a new field to the TPE
Modify _processCpeData() (In TenableTPEUtil )
the "obj" variable contains the raw CPE data

View solution in original post

lomo1014 · ‎01-31-2023

Tokyo - Could this be done with

sn_vul_m2m_entry_software?

lomo1014 · ‎01-31-2023

Quick test is negative. I'll try again in the morning