CVE-Search Scheduling

SW360 gets vulnerability information from an external provider of Common Vulnerability Enumeration (CVE) data. By default SW360 can connect to cve-search [https://www.circl.lu/services/cve-search/] which is either available as an online service [http://cve.circl.lu] or can be installed locally. For security and privacy reasons it is strongly advised to install a local cve-search service.

In what follows the synchronization between SW360 and the external CVE provider is described.

CveSearch-updates can either be scheduled automatically when launching the schedule-service (e.g. when re/starting SW360) or it can be scheduled or unscheduled manually by an SW360 admin. It is automatically scheduled with the start of the scheduling service, if in the /resources/sw360.properties file of the schedule-service in the backend, cvesearchService is mentioned in the autostart-property:

autostart = cvesearchService

According to the default settings, cveSearch is not auto-started with the scheduling service.

For manually scheduling the CVE search service, open the Schedule Portlet of the Admin menu. Note that the Admin menu is only visible to SW360 admins.

In the Schedule Portlet of the Admin menu, a user with admin rights can turn on or off automatic updates of the cve-search service manually. In the UI of the portlet, the admin can see whether or not the CVE-service is scheduled: if the service is scheduled, the Schedule CveSearch Updates-button is inactive, whereas the Cancel Scheduled CveSearch Updates-button is active and vice versa:

The offset (first run of the update) and the interval between updates can also be adjusted in the /resources/sw360.properties file of the src-schedule service. The corresponding properties are schedule.cvesearch.firstOffset.seconds and schedule.cvesearch.interval.seconds. The offset has to be given in seconds since midnight and also the interval has to be entered in seconds. The default is to update the vulnerabilities by CVEsearch every night at midnight, which corresponds to an offset of 0 and an interval of 24 hours (= 86400 seconds).

schedule.cvesearch.firstOffset.seconds = 0

schedule.cvesearch.interval.seconds = 86400

With automatic scheduling the next synchronization moment according to the offset and the interval is computed. This will be the first moment when a cveSearch-update is run. There is nothing like an initial run when autostarting of manually scheduling the CveSearch-updates. Moreover, the configuration, i.e. offset, interval and next synchronization (where the latter is a consequence of offset and interval) are shown in the portlet:

Setup of a local instance

It is recommended to set up and use a local instance instead of the public cve-search instance. The accompanying project sw360-chores contains a Dockerfile that can easily setup this service.