The vulnerability management workflow included in OT-BASE allows you to match your installed base against known (published) vulnerabilities. In order to do that, vulnerability information from NIST must be imported. Such information is publicly available on the NIST web site.
Automatic CVE import
(Note: The following setting only applies for the on-premise version of OT-BASE Asset Center. In the SaaS version, CVEs are imported automatically by default.)
CVEs can be imported automatically if the hosting environment for Asset Center allows for an outgoing Internet connection to the NIST CVE database.
In order to activate CVE auto-import you must go to the MAINTENANCE page and select the Metadata tab.
In the CVE auto import settings section, choose the desired update interval (daily, every other day, or every five days). You can also specify the time of day when the import is started, using 24-hour-notation (for example, 3 p.m. would be 15:00). The check the "Active" box and click on "Save". -- If you have used CVE manual import (see below), no automatic import will be executed that same day for the purpose of preserving system resources.
In addition to downloading CVE data from nvd.nist.gov, OT-BASE also downloads KEV data from cisa.gov. This allows OT-BASE to expose vulnerabilities with known exploits.
You can check the result of the auto-import in the log area. Also, below the log area is a breakdown of how many CVEs are in the OT-BASE database for the various calendar years.
Testing CVE auto-import, and doing an initial load of CVEs
You can test the auto-import by clicking the "Import Now" button. This will initiate the import of CVEs and also the assignment of any new CPEs and CVEs to the product database in Asset Center. This operation can take a long time (several hours), so don't worry if you don't see an immediate success message. If you don't want to wait for the operation to finish, simply log off and check the Log output in your next Asset Center session.
The "Import Now" function also checks if you have already loaded CVEs of previous years, and automatically imports them if you haven't.
Importing Microsoft Security Update information
CVEs as downloaded from NIST don't tell you if a given CVE is already patched on your computers. That's bad -- because at the end of the day you want to know about any unpatched vulnerabilities, and not necessarily about vulnerabilities that in principle affect your systems. In order to close the gap we need patch data as provided by Microsoft's Security Update Guide API (SUGAPI). OT-BASE can download this data automatically for you if you check the appropriate box.
In order to join CVE data with patch data, both data sets are "post processed". This is done automatically after all imports have been successfully completed. If you have selected a longer download interval, let's say five days, and want to check vulnerability status before the next download is scheduled, you can manually trigger the post-processing with the button "Post-process now".
Manual CVE import
(Note: When using the SaaS version of OT-BASE Asset Center, there is no need to manually import CVEs as they are imported automatically)
If the hosting environment for Asset Center does not have Internet access, you can use a different method to import CVEs. This assumes that you have already downloaded CVE files to the computer from which you access Asset Center.
Go to INVENTORY/IMPORT and select the "CVE" tab. In the "Import CVE JSON File", select a compressed (.ZIP) CVE file that you have downloaded from NIST and click on "Import".
The diagram below the file selector dialog tells you how many CVEs are in the database, broken down by year.
In order to import CVEs, you don't have to be the OT-BASE Asset Center administrator. Regular users can do that as well, given that they are member of a group where the "Import" permission is set to "Yes".