Adding the new NIST CVE Tracking feature for 3.x release.

[bminnix]

Closes: #80

This issue was marked as closed, but then briefly discussed in #81 that is open regarding last_modified_date (or similar). See summary below.

What's Changed

Summary:

• Creates field for last_modified_date (Issue Feature Request: Last Updated Date field (for the vendor's update timestamps) #80) that is used as a method for NIST to know when a record needs updating.
• Adds job that goes through all SoftwareVersion objects and queries NIST for associated CVE records.
  • Creates/Updates the CVE record and associates to the SoftwareVersion being queried

New "NIST - Software CVE Search" Job

Job Results

[progala]

Should this be configurable? Feels a bit arbitrary.

[progala]

Should this be configurable?

[progala]

Is this still needed?

[bminnix]

I believe the last commit resolved this.

[progala]

We'll need to rename/regenerate this. I had to pull in migration for Nautobot 2.3 compatibility into next3.0

[bminnix]

This has been regenerated.

[progala]

Thinking about this again. We should move this to the plugin config and set the default in app init. Then we can do:

self.nist_api_key = PLUGIN_CFG["NAUTOBOT_DLM_NIST_API_KEY"]

Also, we should guard for this being empty and return early with error.

[progala]

We always send the same headers so let's set them when we init our Session object.

Suggested change

	self.headers = {"ContentType": "application/json", "apiKey": self.nist_api_key}
	# Set session attributes for retries
	self.session = Session()
	headers = {"ContentType": "application/json", "apiKey": self.nist_api_key}
	# Set session attributes for retries
	self.session = Session()
	self.session.headers.update(headers)

[progala]

I don't think this method is needed. We are making call to the external code, we could move it to the caller method.

[progala]

This is not needed.

Suggested change

continue

[progala]

We already have those objects in the method that's calling this one. Perhaps we could get rid of this method and do the association directly in the calling method.

[progala]

We already have SoftwareVersion object in the calling method so it's probably better to use that instead of passing software_id around.

[progala]

Suggested change

	dlc_cves = [cve.name for cve in CVELCM.objects.all()]
	dlc_cves = CVELCM.objects.values_list("name", flat=True)

[progala]

Suggested change

	if cve_list:
	for cve in cve_list:
	cve_name = cve["id"]
	if cve_name.startswith("CVE"):
	if cve_name not in dlc_cves:
	processed_cve_info["new"].update({cve_name: self.prep_cve_for_dlc(cve)})
	else:
	processed_cve_info["existing"].update({cve_name: self.prep_cve_for_dlc(cve)})
	self.logger.info(
	"Prepared %s CVE for creation." % len(processed_cve_info["new"]),
	extra={"object": SoftwareVersion.objects.get(id=software_id), "grouping": "CVE Creation"},
	)
	if not cve_list:
	return processed_cve_info
	for cve in cve_list:
	cve_name = cve["id"]
	if not cve_name.startswith("CVE"):
	continue
	if cve_name not in dlc_cves:
	processed_cve_info["new"].update({cve_name: self.prep_cve_for_dlc(cve)})
	else:
	processed_cve_info["existing"].update({cve_name: self.prep_cve_for_dlc(cve)})
	self.logger.info(
	"Prepared %s CVE for creation." % len(processed_cve_info["new"]),
	extra={"object": SoftwareVersion.objects.get(id=software_id), "grouping": "CVE Creation"},
	)

[progala]

We'll set headers when we init session.

Suggested change

	result = self.session.get(url, headers=self.headers)
	result = self.session.get(url)

[progala]

Do we need try..except in case JSON decoding fails?