Strobes supports onboarding multiple vulnerabilities at once through the 'Import Bugs from CSV' connector. Strobes expects the data in a specific format. The following explains the essential options needed to import a vulnerabilities CSV file.
Table 1. Asset types and corresponding values
Asset Type | Value |
Web | 1 |
Mobile | 2 |
Network | 3 |
Cloud | 4 |
Table 2. Cloud types and corresponding values
Cloud Type | Value |
Others | 1 |
AWS | 2 |
Azure | 3 |
Table 3. Vulnerability level and corresponding values
Bug Level | Value |
Code | 1 |
Web | 2 |
Mobile | 3 |
Network | 4 |
Cloud | 5 |
Package | 6 |
Table 4. Severity and corresponding values
Severity Type | Value |
Info | 1 |
Low | 2 |
Medium | 3 |
High | 4 |
Critical | 5 |
The following are the fields that are expected to be filled:
- asset_target: This is the asset against which you want to log vulnerabilities. If you provide the value of an asset which is already existing, then the vulnerabilities will be logged against that asset. If you provide the value of an asset which does not exist, then a new asset will be created and the vulnerabilities will be logged against that asset.
- asset_type: The type of the asset which you want to create. Refer to table 1 for the values that can be passed in this field.
- hostname: The hostname of the asset against which you want to log a vulnerability. This applies only to network vulnerabilities.
- mac_address: The MAC address of the asset against which you want to log a vulnerability. This applies only to network vulnerabilities.
- title: The title of the vulnerability which you want to log.
- bug_level: The type of vulnerability which you want to log. Refer to table 3 for the values that can be passed in this field.
- description: The description of the vulnerability which you are logging.
- steps_to_reproduce: The steps to reproduce for the vulnerability which you are logging.
- mitigation: The mitigation for the vulnerability which you are logging.
- severity: The severity of the vulnerability which you are logging. Refer to table 4 for the values that can be passed in this field.
- vulnerable_code: The vulnerable code snippet of the vulnerability which you are logging. This applies only to Code-level vulnerabilities.
- file_name: The name of the file which contains the vulnerability which you are logging. This applies only to Code-level vulnerabilities.
- start_line_number: The start line number of the vulnerable code snippet. This applies only to Code-level vulnerabilities.
- end_line_number: The end line number of the vulnerable code snippet. This applies only to Code-level vulnerabilities.
- affected_endpoint: The affected endpoint where the vulnerability exists. This applies only to Web-level vulnerabilities.
- request: The request of the affected endpoint where the vulnerability exists. This applies only to Web-level vulnerabilities.
- response: The response of the affected endpoint where the vulnerability exists. This applies only to Web-level vulnerabilities.
- port: The affected port number where the vulnerability has been identified. This applies only to Network-level vulnerabilities.
- package_name: The vulnerable package name. This applies only to Package-level vulnerabilities.
- affected_version: The affected version of the package. This applies only to Package-level vulnerabilities.
- installed_version: The currently installed version of the package. This applies only to Package-level vulnerabilities.
- fixed_version: The version of the package where the vulnerability has been fixed. This applies only to Package-level vulnerabilities.
- cve_list: The list of CVEs you need to report for the vulnerability being logged.
- cwe_list: The list of CWEs you need to report for the vulnerability being logged.
- tags_list: The list of tags you need to add for the vulnerability being logged.
- region: The region of the asset where the vulnerability has been identified. This applies only to Cloud-level vulnerabilities.
- aws_category: The AWS service against which the vulnerability is being logged. This applies only to Cloud-level vulnerabilities.
- aws_account_id: The AWS account ID against which the vulnerability is being logged. This applies only to Cloud-level vulnerabilities.
- cloud_type: The type of cloud for the vulnerability which is being logged. This applies only to Cloud-level vulnerabilities.
- azure_category: The Azure service against which the vulnerability is being logged. This applies only to Cloud-level vulnerabilities.
- azure_resource: The Azure resource against which the vulnerability is being logged. This applies only to Cloud-level vulnerabilities.
Adding Web Vulnerabilities
The following are the fields for which data is expected to be provided for Web Vulnerabilities
Mandatory Fields:
- asset_target: Provide the URL of your asset
- asset_type: Provide the value as 1
- title: Provide the title of the vulnerability you are creating
- bug_level: Provide the value as 2
- mitigation: Provide the mitigation for the vulnerability you are creating
- severity: Provide the severity of the vulnerability you are creating. Refer to table 4
- affected_endpoints: Provide the endpoints which are affected by the vulnerability you are creating
Optional Fields:
- description: Provide a description for the vulnerability you are creating
- steps_to_reproduce: Provide the steps to reproduce the vulnerability you are creating
- request: Provide the HTTP Request for the vulnerable endpoint
- response: Provide the HTTP Response for the vulnerability you are creating
- cve_list: Provide the list of CVEs that are affecting the asset
- cwe_list: Provide the list of CWEs that are affecting the asset
- tags_list: Provide a list of tags that you need to add for the vulnerability you are creating
Adding Code Vulnerabilities
The following are the fields for which data is expected to be provided for Code Vulnerabilities
Mandatory Fields:
- asset_target: Provide the name/URL of your asset
- asset_type: Provide the value as 1
- title: Provide the title of the vulnerability you are creating
- bug_level: Provide the value as 1
- mitigation: Provide the mitigation for the vulnerability you are creating
- severity: Provide the severity of the vulnerability you are creating. Refer to table 4
- vulnerable_code: Provide the code snippet that is responsible for the vulnerability
- file_name: Provide the name of the file that contains the vulnerability
- start_line_number: Provide the start line number of the vulnerable code
- end_line_number: Provide the end line number of the vulnerable code
Optional Fields:
- description: Provide a description for the vulnerability you are creating
- cve_list: Provide the list of CVEs that are affecting the asset
- cwe_list: Provide the list of CWEs that are affecting the asset
- tags_list: Provide a list of tags that you need to add for the vulnerability you are creating
Adding Package Vulnerabilities
The following are the fields for which data is expected to be provided for Package Vulnerabilities
Mandatory Fields:
- asset_target: Provide the name/URL of your asset
- asset_type: Provide the value as 1
- title: Provide the title of the vulnerability you are creating
- bug_level: Provide the value as 6
- mitigation: Provide the mitigation for the vulnerability you are creating
- severity: Provide the severity of the vulnerability you are creating. Refer to table 4
- package_name: Provide the name of the package that contains the vulnerability
- affected_versions: Provide the list of package versions that are vulnerable
Optional Fields:
- description: Provide a description for the vulnerability you are creating
- installed_version: Provide the installed version of the package
- fixed_version: Provide the fixed version of the package
- cve_list: Provide the list of CVEs that are affecting the asset
- cwe_list: Provide the list of CWEs that are affecting the asset
- tags_list: Provide a list of tags that you need to add for the vulnerability you are creating
Adding Network Vulnerabilities
The following are the fields for which data is expected to be provided for Network Vulnerabilities
Mandatory Fields:
- asset_target: Provide the IP Address/Hostname of your asset
- asset_type: Provide the value as 3
- title: Provide the title of the vulnerability you are creating
- bug_level: Provide the value as 4
- mitigation: Provide the mitigation for the vulnerability you are creating
- severity: Provide the severity of the vulnerability you are creating. Refer to table 4
- port: Provide the port number which is running the service that is affected by the vulnerability you are creating
Optional Fields:
- hostname: Provide the hostname of the asset which is affected by the vulnerability you are creating
- description: Provide a description for the vulnerability you are creating
- steps_to_reproduce: Provide the steps to reproduce the vulnerability you are creating
- cve_list: Provide the list of CVEs that are affecting the asset
- cwe_list: Provide the list of CWEs that are affecting the asset
- tags_list: Provide a list of tags that you need to add for the vulnerability you are creating
Adding Cloud Vulnerabilities
The following are the fields for which data is expected to be provided for Cloud Vulnerabilities
Mandatory Fields:
- asset_target: Provide the name of your cloud asset
- asset_type: Provide the value as 4
- title: Provide the title of the vulnerability you are creating
- bug_level: Provide the value as 5
- mitigation: Provide the mitigation for the vulnerability you are creating
- severity: Provide the severity of the vulnerability you are creating. Refer to table 4
- cloud_type: Provide the type of cloud. Refer to table 2
Optional Fields:
- description: Provide a description for the vulnerability you are creating
- region: Provide the region of your cloud asset
- aws_category: Provide the AWS service which is affected by the vulnerability you are creating
- aws_account_id: Provide the AWS account ID which is affected by the vulnerability you are creating
- azure_category: Provide the Azure category which is affected by the vulnerability you are creating
- azure_resource: Provide the Azure resource which is affected by the vulnerability you are creating
- steps_to_reproduce: Provide the steps to reproduce the vulnerability you are creating
- cve_list: Provide the list of CVEs that are affecting the asset
- cwe_list: Provide the list of CWEs that are affecting the asset
- tags_list: Provide a list of tags that you need to add for the vulnerability you are creating
Instructions to Import Bugs:
- Navigate to 'Connectors' and select 'Report Import'.
- Select the 'Import Bugs from CSV' connector.
- Click on 'Next'.
- Select the CSV file where you have filled in all the relevant data.
- If you need to merge the assets you are about to upload with assets you have already added, enable merging of assets.
- Click on 'Upload' and your vulnerabilities will get added onto Strobes.
You can find examples of CSV files for different types of bugs here and here.
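A pre-upload check for the rules on this page, as an added example (not Strobes code): it validates every record against the mandatory fields per bug_level and the values in tables 2 and 4, and writes a multi-line HTTP request with correct CSV quoting. Column names follow the field list (affected_endpoint, affected_version); the per-type sections write them in the plural, so match whichever your Strobes sample CSV uses. The sample rows are constructed.

```python
import csv
import io

COMMON = ["asset_target", "asset_type", "title", "bug_level", "mitigation", "severity"]
# bug_level -> (required asset_type, extra mandatory columns); singular names are an assumption.
RULES = {
    "1": ("1", ["vulnerable_code", "file_name", "start_line_number", "end_line_number"]),
    "2": ("1", ["affected_endpoint"]),
    "4": ("3", ["port"]),
    "5": ("4", ["cloud_type"]),
    "6": ("1", ["package_name", "affected_version"]),
}
ALLOWED = {"severity": {"1", "2", "3", "4", "5"}, "cloud_type": {"1", "2", "3"}}  # Tables 4, 2


def validate(csv_text):
    """Return (record_number, message) problems; an empty list means ready to upload."""
    problems = []
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text, newline="")), start=1):
        row = {k: v.strip() for k, v in row.items() if isinstance(v, str)}
        level = row.get("bug_level", "")
        if level not in RULES:  # e.g. Mobile (3): this page lists no fields for it
            problems.append((n, f"bug_level {level!r} has no mandatory-field list"))
            continue
        asset_type, extra = RULES[level]
        problems += [(n, f"missing {col}") for col in COMMON + extra if not row.get(col)]
        for col, allowed in {"asset_type": {asset_type}, **ALLOWED}.items():
            if row.get(col) and row[col] not in allowed:
                problems.append((n, f"{col} {row[col]!r} not allowed for bug_level {level}"))
    return problems


def build_sample():
    rows = [  # constructed: a valid Web finding, then a Network finding with three errors
        {"asset_target": "https://app.example.com", "asset_type": "1", "bug_level": "2",
         "title": "Verbose error page", "mitigation": "Return generic errors",
         "severity": "2", "affected_endpoint": "/search",
         "request": 'GET /search?q="a,b" HTTP/1.1\r\nHost: app.example.com\r\n\r\n'},
        {"asset_target": "10.0.0.5", "asset_type": "1", "bug_level": "4",
         "title": "Telnet enabled", "mitigation": "Disable telnet", "severity": "9"},
    ]
    out = io.StringIO(newline="")
    writer = csv.DictWriter(out, fieldnames=COMMON + ["affected_endpoint", "request", "port"])
    writer.writeheader()
    writer.writerows(rows)  # csv quotes the commas, quotes and newlines in `request`
    return out.getvalue()


if __name__ == "__main__":
    print(validate(build_sample()))
```

Record numbers count CSV records after the header, not physical lines, because a quoted request or response can span several lines.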