The CVE (Common Vulnerabilities and Exposures) list is the most up-to-date list of publicly disclosed cybersecurity vulnerabilities and bugs. Typically, CVEs are very significant bugs that can lead to serious data loss and security breaches, and with an average of 40 new CVEs reported per day in 2017, it's simply impossible for any developer to stay up to date with every vulnerability.
We've built a tool that scans your application's dependencies for these known vulnerabilities so you can keep your software secure without having to stay up to date on the latest CVEs.
What it does
The application consists of two parts: a data pipeline and a web application.
The data pipeline is used to scrape the CVE database, parse new CVEs and run our analysis on them, before sending them to our database. This analysis and data transformation stage makes it much easier to take some software and quickly list all of the CVEs it's vulnerable to.
The web application listens to your GitHub repository and automatically scans your software for new CVEs, then displays the results on the frontend, including visualizations that show how much of your app is vulnerable.
How we built it
We built the data pipeline in Golang, using Azure's database services to efficiently store and query the CVE data.
The web application's backend was built in Golang with the Echo webserver, while the frontend was built in Angular, using d3.js for the data visualizations.
Challenges we ran into
Querying thousands and thousands of CVEs in a reasonable timespan, to give users near-realtime updates on their code's security.
Processing the raw CVE data to make it easily accessible and queryable.
Parsing software dependency files and CVE data in a way that makes it easy to match a version of a software library to a bug or vulnerability.
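As an added example (not code from the Fuzzbuzz project or from the CVE feed itself), here is a small Go program that sketches the matching step the last challenge describes: parse a pinned-dependency list, normalise each advisory into half-open affected version ranges, and compare versions numerically. The lock-file format, the package names and the advisory IDs (CVE-EXAMPLE-…) are constructed for this example; the project's real data model is not shown on the page.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed major.minor.patch triple; pre-release tags are not modelled.
type Version [3]int

// ParseVersion accepts "1.2.3" or "v1.2" (missing fields default to 0).
func ParseVersion(s string) (Version, error) {
	var v Version
	for i, p := range strings.Split(strings.TrimPrefix(strings.TrimSpace(s), "v"), ".") {
		n, err := strconv.Atoi(p)
		if i >= len(v) || err != nil || n < 0 {
			return Version{}, fmt.Errorf("bad version %q", s)
		}
		v[i] = n
	}
	return v, nil
}

// Compare orders versions numerically (1.10.0 > 1.9.0); a string comparison would get this backwards.
func (a Version) Compare(b Version) int {
	for i := range a {
		switch {
		case a[i] < b[i]:
			return -1
		case a[i] > b[i]:
			return 1
		}
	}
	return 0
}

// AffectedRange is half-open [Introduced, Fixed); a zero Fixed means no fix is known (open-ended).
type AffectedRange struct{ Introduced, Fixed Version }

// Advisory is one normalised vulnerability record: the affected package plus its version ranges.
type Advisory struct {
	ID, Package string
	Affected    []AffectedRange
}

// ParseDependencies parses a constructed "name version" per-line lock file; '#' lines are comments.
func ParseDependencies(text string) (map[string]Version, error) {
	deps := map[string]Version{}
	for i, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 || strings.HasPrefix(f[0], "#") {
			continue
		}
		if len(f) != 2 {
			return nil, fmt.Errorf("line %d: expected 'name version', got %q", i+1, line)
		}
		v, err := ParseVersion(f[1])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		deps[f[0]] = v
	}
	return deps, nil
}

// Match returns, per dependency, the IDs of advisories with a range covering its pinned version.
func Match(deps map[string]Version, advisories []Advisory) map[string][]string {
	hits := map[string][]string{}
	for _, a := range advisories {
		v, ok := deps[a.Package] // one map lookup per advisory; ok is false if we don't use the package
		for _, r := range a.Affected {
			if ok && v.Compare(r.Introduced) >= 0 && (r.Fixed == (Version{}) || v.Compare(r.Fixed) < 0) {
				hits[a.Package] = append(hits[a.Package], a.ID)
				break // report each advisory once even if several ranges match
			}
		}
	}
	return hits
}

// SampleAdvisories is a constructed feed with placeholder IDs, not real CVEs.
var SampleAdvisories = []Advisory{
	{ID: "CVE-EXAMPLE-0001", Package: "examplelib", Affected: []AffectedRange{{Version{1, 0, 0}, Version{1, 10, 0}}}},
	{ID: "CVE-EXAMPLE-0002", Package: "examplelib", Affected: []AffectedRange{{Version{2, 0, 0}, Version{2, 0, 4}}, {Version{2, 1, 0}, Version{2, 1, 2}}}},
	{ID: "CVE-EXAMPLE-0003", Package: "otherlib", Affected: []AffectedRange{{Introduced: Version{0, 1, 0}}}}, // no fix known
}

// SampleDependencies is a constructed lock file in the format ParseDependencies reads.
const SampleDependencies = "# constructed lock file\nexamplelib 1.9.3\notherlib v0.4.0\nsafelib 3.2.1\n"

func main() {
	deps, err := ParseDependencies(SampleDependencies)
	if err != nil {
		panic(err)
	}
	fmt.Println(Match(deps, SampleAdvisories))
}
```

Two details carry most of the matching correctness: versions are compared field by field as integers rather than as strings (otherwise 1.10.0 sorts before 1.9.0 and an affected release is missed), and each affected range is half-open, so the release that ships the fix is not itself reported.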
Accomplishments that we're proud of
We optimized our query speed and matching engines to such a degree that we can scan an entire codebase for CVEs in under 5 seconds.
The CVE data in our database is more user-accessible than the main CVE data source, from the perspective of directly matching software you use to bugs that affect it.
What we learned
How to visualize data in d3.js, and how to optimize queries over huge datasets.
What's next for Fuzzbuzz CVE-Scan
We're really happy with how this project turned out, so we plan on integrating it into the larger Fuzzbuzz platform, to improve our application security testing capabilities. To stay up to date, sign up at https://fuzzbuzz.io (we'll be sending one out soon!).
Since our modified CVE data set has proven so useful, we will be maintaining an open API and search engine around the dataset, to provide easy access to relevant CVE information.