# Security Vulnerability Tracking Tool

A tool that can scan and parse the upstream security advisories of Apache Tomcat and Apache HTTP Server along with their dependencies (for example: OpenSSL, APR, libxml2, curl, mod_security). The tool should trace down any new public CVE on every JWS and JBCS related upstream project.

Note: This tool is intended to run as a daemon task and notify through email or Redis channel subscribe. It is therefore not the most reliable tool when run manually, because it compares the posted CVEs with your last run of the spider.

### Requirements

* Python 3.4+
* Works on Linux, Windows, Mac OSX, BSD

##### Note: Requires the Python header files to complete the installation of the requirements (e.g., on Fedora the twisted package needs the python3-devel package installed).

So check for the libxslt-devel, pyOpenSSL, python-lxml and python-twisted packages. These are dependencies of the Scrapy framework and must be in place before installing Scrapy.

## The Code

https://github.com/examin/C.A.J.S

## Technologies

The entire project is hosted on GitHub, including the entire source code and any accompanying documentation created as part of this project. The scraping scripts are developed in Python, using a **web scraper framework** and regex, as this is faster and helps scrape data from different web formats. Scheduling of the Python scripts is done with Jenkins, in the Jenkins UI.

# It’s alive!

#### Note: If you want to get/send notifications of newly added CVEs through email or Redis.
Then, before running this tool, we need to configure it.

## For email:

You need to specify settings in the 'config.ini' file and 'contacts.txt', or pass arguments on the command line, e.g.:

```
python main.py -E -f {"sender email_Id"} -n {"sender name"} -s {"smtp_provider_address"} -p {"smtp_provider_port"} --user {"username"} --pass {"password"}
```

Alternatively, you can save the settings in the files below and add some names and their email IDs to send notifications to.

Configuring the "config.ini" file (path: C.A.J.S/Notify/)

* Add your Gmail email-id
* Add your Gmail password

Configuring the "contacts.txt" file (path: C.A.J.S/Notify/)

* Add all email IDs and their names to send email to

## For Redis publish:

You need to specify settings in the 'config.ini' file or pass arguments on the command line, e.g.:

```
python main.py -R --redis_host { your redis server host } --redis_db {database num to perform action from} --redis_por { your redis server port}
```

# ----------------Milestones---------------

#### Milestone #1

`Target`: *A scanner to trace down any new public CVE.*

Deliverables:

- [x] Scanner scripts for each project of JBoss Web Servers, JBoss Core Services, and its dependencies related security advisories.
- [x] Indexed webpages for each JBCS project.
- [x] Information to help and support #2.

#### Milestone #2

`Target`: *parsing of data from static HTML/XML/DOM format security advisory websites.*

Deliverables:

- [x] A custom ContentHandler for XML and JSON.
- [x] Scripts able to parse data from different formats.
- [ ] Some more webpages left to be parsed

#### Milestone #2

`Target`: *comparing data with the last run of the parser and generating notifications using email:*

- [x] A custom HTML email template.
- [x] An email sending script.

#### Milestone #3

`Target`: *performance optimization*

Deliverables:

- [x] Optimized scripts.
- [x] Best implemented design and optimized code so that it can be used for supporting multiprocessing.
#### Milestone #4

`Target`: *send notifications using Redis:*

- [x] A script to publish CVEs on Redis channels.

#### Milestone #5

`Target`: *Mini integration tests project (develop a testing framework that eases testing the tool's crawling components in different networking and data processing scenarios)*

- [ ] Work left to be done on this milestone
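
The note at the top says the tool compares the posted CVEs with the last run of the spider, which is why results depend on persisted state. The sketch below is an added example, not code from C.A.J.S, of that comparison; the function names, the JSON state file and the shape of the `scraped` input are assumptions.

```python
import json
import os
import re
import tempfile

# Added illustration: names and the JSON state layout are assumptions.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def extract_cves(advisory_text):
    """Return the set of CVE ids mentioned in one scraped advisory page."""
    return {m.upper() for m in CVE_RE.findall(advisory_text)}


def load_state(path):
    """Load ids seen on the previous run; a missing file means first run."""
    try:
        with open(path, encoding="utf-8") as fh:
            return {p: set(ids) for p, ids in json.load(fh).items()}
    except FileNotFoundError:
        return {}


def save_state(path, state):
    """Write state atomically so a crashed run cannot leave a partial file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump({p: sorted(ids) for p, ids in state.items()}, fh)
    os.replace(tmp, path)


def diff_run(state_path, scraped):
    """Compare this run with the last one; return {project: [new ids]}."""
    state = load_state(state_path)
    new = {}
    for project, text in scraped.items():  # project name -> page text
        seen = state.setdefault(project, set())
        fresh = extract_cves(text) - seen
        if fresh:
            new[project] = sorted(fresh)
            seen |= fresh
    save_state(state_path, state)
    return new


if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "seen.json")  # constructed sample below
    print(diff_run(path, {"tomcat": "CVE-2099-0001, cve-2099-0002"}))
    print(diff_run(path, {"tomcat": "CVE-2099-0001 CVE-2099-0003"}))
```

With no state file every id found is reported as new, so the first run after a lost or reset state file notifies about everything already published.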