CLI to convert CSV to CycloneDX VEX documents
This application enables you to create Vulnerability Exploitability eXchange JSON documents in the CycloneDX standard.
To install csv2cdx, the following prerequisites are required:
- Git
- Python3
- Pip
To install directly from the repository, run:

```sh
pip install git+https://github.com/cybeats/csv2vex.git@main
```

To install from a local clone (editable install), run:

```sh
git clone --branch main https://github.com/cybeats/csv2vex.git
cd csv2vex
pip install -e .
```
NOTE: On Python 3.12 or above, especially on Linux, pip may refuse to install this CLI unless you force potentially breaking changes. In such a case, substituting pipx for pip may be warranted.
To use this tool, you will require:
- The csv2vex application
- A configuration file
- A data file in CSV/XLSX format
The configuration file is a JSON document with the following structure (every field starts out as null):

```json
{
  "bom_ref": null,
  "id": null,
  "source": {
    "url": null,
    "name": null
  },
  "references": [
    {
      "id": null,
      "source": {
        "url": null,
        "name": null
      }
    }
  ],
  "ratings": [
    {
      "source": {
        "url": null,
        "name": null
      },
      "score": null,
      "severity": null,
      "method": null,
      "vector": null,
      "justification": null
    }
  ],
  "cwes": null,
  "description": null,
  "detail": null,
  "recommendation": null,
  "workaround": null,
  "advisories": [
    {
      "title": null,
      "url": null
    }
  ],
  "created": null,
  "published": null,
  "updated": null,
  "rejected": null,
  "credits": {
    "organizations": [
      {
        "bom-ref": null,
        "name": null,
        "urls": null,
        "contact": [
          {
            "bom-ref": null,
            "name": null,
            "email": null,
            "phone": null
          }
        ]
      }
    ],
    "individuals": [
      {
        "bom-ref": null,
        "name": null,
        "email": null,
        "phone": null
      }
    ]
  },
  "tools": [
    {
      "name": null,
      "version": null
    }
  ],
  "analysis": {
    "state": null,
    "justification": null,
    "detail": null,
    "response": []
  },
  "affects": [
    {
      "ref": null,
      "versions": []
    }
  ],
  "properties": []
}
```
An empty configuration file can be generated by running:

```sh
csv2vex template -name <name>
```
To set up the configuration file, populate the JSON by entering the name of the CSV/XLSX column that holds each value as that parameter's value, e.g.:

```json
"description": "VEX Description",
"detail": "VEX Detail",
"recommendation": "VEX Recommendation",
```
For array fields, the JSON object can be duplicated once for each occurrence, e.g.:

```json
"tools": [
  {
    "name": "name1",
    "version": "version1"
  },
  {
    "name": "name2",
    "version": "version2"
  },
  {
    "name": "name3",
    "version": "version3"
  }
]
```
- CWEs must be in the format "[CWE-]" or "[]".
- Dates corresponding to "created", "published", "updated" and "rejected" must be strings in <dd/mm/yyyy> format.
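As an added illustration (not csv2vex's own code), the following Python script shows how a column-name configuration of this shape can be applied to CSV rows to produce a minimal CycloneDX VEX document: it converts the dd/mm/yyyy dates above into the ISO 8601 timestamps CycloneDX expects, drops fields left null in the config, and rejects an analysis.state outside the CycloneDX enumeration. The column names, config and sample row are constructed for the example.

```python
"""Added example, not csv2vex's own code: apply a column-name config to CSV rows
and emit a minimal CycloneDX VEX document (config keys and sample data are constructed)."""
import csv, io
from datetime import datetime, timezone

# analysis.state values permitted by the CycloneDX vulnerability schema
VALID_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                "in_triage", "false_positive", "not_affected"}
DATE_FIELDS = {"created", "published", "updated", "rejected"}
EMPTY = (None, "", [], {})

def to_iso(dd_mm_yyyy):
    """Config dates are dd/mm/yyyy; CycloneDX wants an ISO 8601 timestamp (UTC assumed)."""
    d = datetime.strptime(dd_mm_yyyy, "%d/%m/%Y").replace(tzinfo=timezone.utc)
    return d.isoformat().replace("+00:00", "Z")

def apply_config(spec, row):
    """Every string in the config is a column name: replace it with the row's cell.
    Unmapped (null/empty) entries are dropped so the VEX carries no empty fields."""
    if isinstance(spec, dict):
        out = {}
        for key, sub in spec.items():
            value = apply_config(sub, row)
            if value in EMPTY:
                continue
            if key in DATE_FIELDS:
                value = to_iso(value)
            if key == "state" and value not in VALID_STATES:
                raise ValueError(f"analysis.state {value!r} is not a CycloneDX state")
            out[key] = value
        return out
    if isinstance(spec, list):
        return [v for v in (apply_config(s, row) for s in spec) if v not in EMPTY]
    return row.get(spec, "").strip() if isinstance(spec, str) else spec

def build_vex(config, csv_text):
    """One CycloneDX document; each CSV row becomes one entry in 'vulnerabilities'."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "vulnerabilities": [apply_config(config, r) for r in rows]}

# Constructed config (column names on the template's fields) and a constructed sample row.
CONFIG = {"id": "CVE", "source": {"url": "Source URL", "name": "Source Name"},
          "description": "VEX Description", "published": "Published",
          "analysis": {"state": "State", "justification": "Justification",
                       "detail": "Analysis Detail", "response": []},
          "affects": [{"ref": "Component Ref", "versions": []}]}
CSV_TEXT = """CVE,Source URL,Source Name,VEX Description,Published,State,Justification,Analysis Detail,Component Ref
CVE-0000-0000,https://example.com/adv,Example,Placeholder issue,05/03/2024,not_affected,code_not_reachable,Never called,pkg:pypi/example@1.0.0
"""
```

Calling build_vex(CONFIG, CSV_TEXT) yields one vulnerability whose "published" field reads 2024-03-05T00:00:00Z and whose empty "response" and "versions" arrays are omitted.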
The basic command format to create a VEX is as follows:

```sh
csv2vex build -f <csv/xlsx-file-path> -c <config-json-file> -o <optional-output-filename>
```

- -f: "file". CSV/XLSX file path, e.g. data.csv
- -c: "config". JSON config file, e.g. vex_config_template.json
- -o: "output file". Optional output file, e.g. vex_result.json. Defaults to vex.json
Please email [email protected]