Getting Started

The CVE-Search project is developed for a linux environment and therefore this section describes the installation procedure for CVE-Search on Linux. Instructions and scripts of this release are written for the current release of Ubuntu LTS on the x86_64 architecture but will work on most other distributions. In this guide, we assume you are using apt as your package manager. If you are using a different one, install the requirements using your package manager of choice

Before setting up CVE-Search, you have to make sure the all the necessary code is present on your system. Your best choice is to use git to clone CVE-Search from github.

You can clone CVE-Search from

git clone https://github.com/cve-search/cve-search.git

Dependencies

https://github.com/marianoguerra/feedformatter/archive/master.zip
Flask==2.1.1
Werkzeug==2.1.1
Flask-Login==0.6.0
Flask-restx==1.1.0
Flask-Breadcrumbs==0.5.1
Flask-Bootstrap4==4.0.2
Flask-JWT-Extended==4.3.1
Flask-WTF==1.0.1
Flask-plugins==1.6.1
flask-menu==0.7.2
WTForms==3.0.1
Jinja2==3.0.3
python-dateutil==2.8.2
requests==2.31.0
Whoosh==2.7.4
tqdm~=4.66.1
pymongo==4.5.0
dicttoxml==1.7.16
redis==4.5.4
requirements-parser==0.5.0
ansicolors==1.1.8
nltk==3.8.1
nested-lookup==0.2.25
oauthlib==3.2.2
dnspython==2.4.2
gunicorn==21.2.0
cryptography==42.0.4
cvexplore==0.3.30

Standard Installation

Install system requirements:

# Install system dependencies by running
xargs sudo apt-get install -y < requirements.system

Install CVE-Search and its Python dependencies:

pip3 install -r requirements.txt

Install MongoDB Community Edition 7.0:

Please check the mongodb website for installation instructions on different Linux distributions.

The following instructions are for Ubuntu 22.04:

# Import the public key used by the package management system
sudo apt-get install gnupg curl
curl -fsSL https://www.mongodb.org/static/pgp/server-7.0.asc | \
    sudo gpg -o /usr/share/keyrings/mongodb-server-7.0.gpg \
        --dearmor

# Create a list file for MongoDB
echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 multiverse" \
     sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list


# Reload local package database & install the MongoDB package
sudo apt-get update
sudo apt-get install -y mongodb-org

# Run MongoDB
sudo systemctl daemon-reload
sudo systemctl start mongod

# Verify status of mongodb
sudo systemctl status mongod

# If all is ok, enable mongodb to start on system startup
sudo systemctl enable mongod

This is the end of the standard installation, you may now proceed with :ref:`configuration`

Production Installation

After the common steps from Standard Installation:

Create a dedicated, unprivileged, user to run the cve-search service

sudo adduser cve --home /opt/cve

Create and activate a python virtual environment called cve-env

sudo su - cve

virtualenv cve-env

source ./cve-env/bin/activate

Installation of cve-search in the home directory of the user cve

cd

git clone https://github.com/cve-search/cve-search.git

cd cve-search

pip3 install -r requirements.txt

exit

Configuration

By default CVE-Search takes assumptions on certain configuration aspects of the application. These defaults are noted in the <<install_dir>>/etc/configuration.ini.sample:

[Redis]
Host: localhost
Port: 6379
Password: None
redisQ: 9
VendorsDB: 10
NotificationsDB: 11
RefDB: 12

[Database]
Host: localhost
Port: 27017
DB: cvedb
Username:
Password:
DnsSrvRecord: False
AuthDB: admin
PluginName: mongodb

[Download]
MaxWorkers: 10

[dbmgt]
Tmpdir: ./tmp

[FulltextIndex]
Indexdir: ./indexdir

[Webserver]
Host: 127.0.0.1
Port: 5000
Debug: True
SSLDebug: False
PageLength: 50
LoginRequired: False
ListLoginRequired: True
authSettings: ./etc/auth.txt
OIDC: False
CLIENT_ID: xx
CLIENT_SECRET: xx
IDP_DISCOVERY_URL: xx
SSL_VERIFY: False
SSL: False
Certificate: ./ssl/cve-search.crt
Key: ./ssl/cve-search.crt
WebInterface: Full
MountPath: /MOUNT

[API]
CVEMaxLimit: 1000
CORS: False
CORS_Allow_Origin: *

[Logging]
Logging: True
Logfile: ./log/cve-search.log
Updatelogfile: log/update_populate.log
MaxSize: 100MB
Backlog: 5

[Proxy]
http: 
IgnoreCerts: False

[CVE]
StartYear: 2002

[Plugins]
loadSettings: ./etc/plugins.txt
pluginSettings: ./etc/plugins.ini

If your setup requires alternate settings and configurations, then copy the etc/configuration.ini.sample to <<install_dir>>/etc/configuration.ini and adjust accordingly.

Once these steps are completed all the conditions are met for CVE-Search to function properly; continue with populating the database