Substrings "either/or" options?

I am writing an analysis to list the number of CVE IDs a machine is susceptible to. I am doing this by searching all sites for any fixlet that has a CVE listed with it. It works great for Linux and Windows machines…

sum of number of substrings separated by "; " of unique values of (values of headers "x-fixlet-cve" of it as lowercase) of relevant fixlets whose (value of headers "x-fixlet-cve" of it as lowercase contains "cve") of sites

… but when it is run on a Mac it fails (see my thread on Consistency Issues with Mac Fixlets). The reason it fails is that the Mac Fixlets use a “,” instead of a “;” to separate their CVE IDs when multiple CVEs are addressed in a single update/patch/fixlet.

Does anyone know how you could do an either/or option for the substring separation? I can make an if/then/else statement for the Mac OS, but I was hoping for a more elegant solution.

Thanks!


Just wondering why you’re doing this with analysis rather than session relevance say using

relevant fixlets of bes computers

I threw this into an analysis so I can have it available via Web Reports.

How would you do this with Session Relevance and making it available to web reports?

to get the CVEs that all computers are vulnerable to you could get the cve id list of the fixlets that are relevant. I did this in the Web Reports QNA page (mine runs on port 8080).
http://BIGFIXSERVER:8080/webreports?page=QNA

As you know when there’s more than one CVE for a fixlet you’ll get the separated list on the line.
I think that these all come back comma separated - I have CentOS patches in this system so I’m not sure about Mac.

Q: cve id lists whose (it contains "CVE") of relevant fixlets of bes computers
A: CVE-2015-0103
A: CVE-2015-0104
A: CVE-2015-0105
A: CVE-2015-0106
A: CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511

You could try changing the format to fit your convention before separating out the strings - something like

sum of number of substrings separated by "; " of concatenation "; " of substrings separated by ", " of unique values of (values of headers "x-fixlet-cve" of it as lowercase) of relevant fixlets whose (value of headers "x-fixlet-cve" of it as lowercase contains "cve") of sites

That converts any embedded commas into semicolons, before splitting on semicolons (leaving the original semicolons as is). Should work as long as there are no other uses for commas in the field.

Actually, I haven’t paid that much attention to how BigFix formats the CVE listings; as written, I think you would get duplicates if you had two fixlets with CVE values like “cve-123” and “cve-123; cve-456”. In that case, these are unique values that end up resulting in the duplicate “cve-123” after the second value is split. You may want to move the “unique values” to reference the already-separated values. In fact I’m not sure you’d have to sum them up in that case, "number of " is (I think) what you’re looking for already…and then you also don’t have to recombine the "substrings separated by “,” ".

You’d also not need to filter on relevant fixlets whose (value of headers “x-fixlet-cve”). The fixlets that don’t have an “x-fixlet-cve” header will simply not return a result, and the values of the header that do not contain “cve” would be filtered out after splitting on both semicolons and on commas.

number of unique values whose (it as lowercase contains "cve") of substrings separated by "; " of substrings separated by ", " of unique values of (values of headers "x-fixlet-cve" of it as lowercase) of relevant fixlets of sites

Thanks Jason.

I will have to take a look tomorrow, but I believe the “x-fixlet-cve” is in every header, and the value is or something like that. I was filtering it out as I don’t quite trust how IBM/BigFix handles meta data between sites.

Thanks for the assist!

This should work for Mac, Win, nix:

sum of number of unique values of (if (it contains "; ") then (substrings separated by "; " of it) else (substrings separated by ", " of it) ) of unique values of (values of headers "x-fixlet-cve" of it as lowercase) of relevant fixlets whose (value of headers "x-fixlet-cve" of it as lowercase contains "cve") of sites

I’d suggest you try using session relevance unless you’ve got a real need to do it with client relevance.
Reason I say this is that your clients are already figuring out what fixlets are relevant and reporting that back to the server, and on the server you have got the cve id list of the fixlets and other properties.
This is just a quick hack at handling both , and ; separated CVE lists using session relevance, which you could drop into a custom report in Web Reports. You could fine tune with the parsing and counting styles in the earlier posts.
I’m using the cve id list property of the bes fixlet object instead of the headers or the mime field.

number of (unique values of ( substrings separated by "," of substrings separated by ";" of it) of cve id lists whose (it contains "CVE") of it) of relevant fixlets of bes computers

If you need help using session relevance in web reports let us know and also if you need some help fine tuning the session relevance.

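The mixed-separator parsing and the duplicate-counting pitfall discussed in this thread, as an added Python example (it is not relevance code from the thread or from BigFix); the header values are constructed, not taken from a real deployment.

```python
import re

# Constructed sample "x-fixlet-cve" header values, one per fixlet (not from a
# real BigFix deployment). Windows/Linux fixlets separate IDs with "; ",
# Mac fixlets with ", ", and one entry has a comma with no space.
SAMPLE_HEADERS = [
    "CVE-2014-3505; CVE-2014-3506",   # Windows/Linux style
    "CVE-2014-3505",                  # same ID again, single-CVE fixlet
    "cve-2015-0103, CVE-2015-0104",   # Mac style, mixed case
    "CVE-2015-0104,CVE-2015-0105",    # comma without the trailing space
    "n/a",                            # header present but no CVE listed
]

# Split on either separator, tolerating optional whitespace around it.
SEPARATOR = re.compile(r"\s*[;,]\s*")


def split_cve_ids(header_value):
    """Return the lowercase tokens of one header value that contain 'cve',
    regardless of whether ';' or ',' was used as the separator."""
    return [tok for tok in SEPARATOR.split(header_value.strip().lower())
            if "cve" in tok]


def count_unique_after_split(headers):
    """Approach recommended in the thread: split every value first, then
    take the unique CVE IDs across all fixlets."""
    unique = set()
    for value in headers:
        unique.update(split_cve_ids(value))
    return len(unique)


def count_unique_before_split(headers):
    """The pitfall described in the thread: 'unique values' applied to the
    whole header strings, each string split afterwards and the counts summed.
    A CVE that appears alone in one fixlet and inside a list in another is
    counted twice."""
    unique_headers = {h.lower() for h in headers}
    return sum(len(split_cve_ids(h)) for h in unique_headers)


if __name__ == "__main__":
    print("unique CVEs (split, then unique):", count_unique_after_split(SAMPLE_HEADERS))
    print("overcount (unique, then split):  ", count_unique_before_split(SAMPLE_HEADERS))
```

With the sample data the correct count is 5 while the unique-before-split variant reports 7, because CVE-2014-3505 and CVE-2015-0104 each appear in two fixlets.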