Getting Started
The CVE-Search project is developed for a linux environment and therefore this section describes the installation procedure for CVE-Search on Linux. Instructions and scripts of this release are written for the current release of Ubuntu LTS on the x86_64 architecture but will work on most other distributions. In this guide, we assume you are using apt as your package manager. If you are using a different one, install the requirements using your package manager of choice
Before setting up CVE-Search, you have to make sure the all the necessary code is present on your system. Your best choice is to use git to clone CVE-Search from github.
You can clone CVE-Search from
Dependencies
cvexplore==0.3.35
# common dependencies via cvexplore:
# ansicolors default
# dicttoxml default
# pymongo modules/mongodb
# python-dateutil default
# requests default
# tqdm default
cryptography==42.0.4
dnspython==2.4.2
Flask-Bootstrap4==4.0.2
Flask-Breadcrumbs==0.5.1
Flask-JWT-Extended==4.3.1
Flask-Login==0.6.0
flask-menu==0.7.2
Flask-plugins==1.6.1
Flask-restx==1.1.0
Flask-WTF==1.0.1
Flask==2.1.1
gunicorn==21.2.0
Jinja2==3.0.3
nested-lookup==0.2.25
nltk==3.9
oauthlib==3.2.2
redis==4.5.4
Werkzeug==2.1.1
Whoosh==2.7.4
WTForms==3.0.1
https://github.com/marianoguerra/feedformatter/archive/master.zip
Standard Installation
Install system requirements:
# Install system dependencies by running
xargs sudo apt-get install -y < requirements.system
Install CVE-Search and its Python dependencies:
pip3 install -r requirements.txt
Install MongoDB Community Edition 7.0:
Please check the mongodb website for installation instructions on different Linux distributions.
The following instructions are for Ubuntu 22.04:
# Import the public key used by the package management system
sudo apt-get install gnupg curl
curl -fsSL https://www.mongodb.org/static/pgp/server-7.0.asc | \
sudo gpg -o /usr/share/keyrings/mongodb-server-7.0.gpg \
--dearmor
# Create a list file for MongoDB
echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 multiverse" \
sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list
# Reload local package database & install the MongoDB package
sudo apt-get update
sudo apt-get install -y mongodb-org
# Run MongoDB
sudo systemctl daemon-reload
sudo systemctl start mongod
# Verify status of mongodb
sudo systemctl status mongod
# If all is ok, enable mongodb to start on system startup
sudo systemctl enable mongod
This is the end of the standard installation, you may now proceed with :ref:`configuration`
Production Installation
After the common steps from Standard Installation:
Create a dedicated, unprivileged, user to run the cve-search service
sudo adduser cve --home /opt/cve
Create and activate a python virtual environment called cve-env
sudo su - cve
virtualenv cve-env
source ./cve-env/bin/activate
Installation of cve-search in the home directory of the user cve
cd
git clone https://github.com/cve-search/cve-search.git
cd cve-search
pip3 install -r requirements.txt
exit
Configuration
By default CVE-Search takes assumptions on certain configuration aspects of the application. These defaults are noted in the <<install_dir>>/etc/configuration.ini.sample:
[Redis]
Host: localhost
Port: 6379
# Password: None
redisQ: 9
VendorsDB: 10
NotificationsDB: 11
RefDB: 12
[Database]
Host: 127.0.0.1
Port: 27017
DB: cvedb
Username:
Password:
DnsSrvRecord: False
AuthDB: admin
PluginName: mongodb
[Download]
MaxWorkers: 10
[dbmgt]
Tmpdir: ./tmp
[FulltextIndex]
Indexdir: ./indexdir
[Webserver]
Host: 127.0.0.1
Port: 5000
Debug: True
SSLDebug: False
PageLength: 50
LoginRequired: False
ListLoginRequired: True
authSettings: ./etc/auth.txt
OIDC: False
CLIENT_ID: xx
CLIENT_SECRET: xx
IDP_DISCOVERY_URL: xx
SSL_VERIFY: False
SSL: False
Certificate: ./ssl/cve-search.crt
Key: ./ssl/cve-search.crt
WebInterface: Full
MountPath: /MOUNT
[API]
CVEMaxLimit: 1000
CORS: False
CORS_Allow_Origin: *
[Logging]
Logging: True
Logfile: ./log/cve-search.log
Updatelogfile: log/update_populate.log
MaxSize: 100MB
Backlog: 5
[Proxy]
http:
[CVE]
StartYear: 2002
[Plugins]
loadSettings: ./etc/plugins.txt
pluginSettings: ./etc/plugins.ini
If your setup requires alternate settings and configurations, then copy the etc/configuration.ini.sample to <<install_dir>>/etc/configuration.ini and adjust accordingly.
Once these steps are completed all the conditions are met for CVE-Search to function properly; continue with populating the database