Adding the new NIST CVE Tracking feature for 3.x release.

docs/user/cve_tracking.md

@@ -22,19 +22,20 @@ When creating a CVE object, the following fields are available. Fields in **bold
 | Fix | The software fix (if available) for the CVE |
 | Comments | Any additional comments or details about the CVE |
 | Tags | Arbitrary [tag objects](https://docs.nautobot.com/projects/core/en/stable/models/extras/tag/) that can be applied to this CVE |
+| Last Modified Date | The date that the CVE record was last modified |
 
 !!! note
     In addition to these standard fields, you can also add one or more [Custom Fields](https://docs.nautobot.com/projects/core/en/stable/models/extras/customfield/) to the model.
 
 ### Software Association
 
-As stated previously, you can associate a CVE to one or many [Software objects](./software_lifecycle.md#software-objects). These relationships will present themselves as breadcrumb links on each item's detail view.
+As stated previously, you can associate a CVE to one or many [Software objects](./software_lifecycle.md#software-objects). These relationships will present themselves as breadcrumb links on the CVE item's detail view, and as the "Related CVEs" tab on the Software item's detail view.
 
 Example of a breadcrumb link on a CVE item's view:
 
 ![](../images/lcm_cve_breadcrumb.png)
 
-Example of a breadcrumb link on a Software item's view:
+Example of the "Related CVEs" tab on a Software item's view:
 
 ![](../images/lcm_software_breadcrumb.png)
 
@@ -60,3 +61,32 @@ After a Vulnerability object has been generated, the CVE, Software, Device and I
     In addition to these standard fields, you can also add one or more [Custom Fields](https://docs.nautobot.com/projects/core/en/stable/models/extras/customfield/) to the model.
 
 As was stated previously, running the ``Generate Vulnerabilities`` Job will not modify (or delete) any existing Vulnerability objects - **even if the associations that existed previously no longer exist**. You do have the ability to delete one or more Vulnerability objects via the GUI or API. In addition to manually removing a Vulnerability, if any CVE, Software, Device or Inventory Item objects are removed, any Vulnerability objects that reference the deleted items will also be removed automatically.
+
+## Automated CVE Discovery via NIST API 2.0
+
+### API Key
+In order to utilize the NIST CVE DB for automatic software CVE discovery, you will need to obtain a NIST API Key [here]('https://nvd.nist.gov/developers/request-an-api-key').
+
+Once received, this key will need to be added to your `creds.env`:
+```
+NIST_API_KEY=your-key-will-go-here
+```
+
+### Run Job
+Automated discovery is used by running the ``NIST - Software CVE Search`` Job.
+
+To run this job, use the "Jobs" menu dropdown and navigate to the **CVE Tracking** section. The jobs will appear here and all you will need to do is click the play button.[^1]
+
+![](../images/lcm_cve_nist_job.png)
+
+The job output should indicate the softwares checked and the amount of CVEs received for that software, as well as the amount of CVEs created.  These will not always be the same.  New CVE will be created for software with existing CVE, also software will share CVEs.
+
+![](../images/lcm_cve_nist_job_log.png)
+
+[^1] Warning: If play button is grayed out. You will need to enable the job by clicking on edit button in the row and navigate to "Job" portion and click on "Enable"
+
+
+### Additional Notes:
+Due to the way vendor platform entries vary in NIST, some platforms may work without issue, others may not work so well (false positives/negatives).  Juniper JunOS is a great example and has a custom parser in netutils to handle this.
+
+If the platform you are attempting to gather information from does not work, a custom parser will likely be needed to build a proper NIST search URL.

nautobot_device_lifecycle_mgmt/api/serializers.py

@@ -1,4 +1,5 @@
 """API serializers implementation for the LifeCycle Management app."""
+
 from nautobot.apps.api import NautobotModelSerializer, TaggedModelSerializerMixin
 
 from nautobot_device_lifecycle_mgmt.models import (

nautobot_device_lifecycle_mgmt/filters.py

@@ -594,6 +594,10 @@ class CVELCMFilterSet(NautobotFilterSet, StatusModelFilterSetMixin):  # , Custom
     published_date__gte = django_filters.DateFilter(field_name="published_date", lookup_expr="gte")
     published_date__lte = django_filters.DateFilter(field_name="published_date", lookup_expr="lte")
 
+    last_modified_date = django_filters.DateTimeFromToRangeFilter()
+    last_modified_date__gte = django_filters.DateFilter(field_name="last_modified_date", lookup_expr="gte")
+    last_modified_date__lte = django_filters.DateFilter(field_name="last_modified_date", lookup_expr="lte")
+
     cvss__gte = django_filters.NumberFilter(field_name="cvss", lookup_expr="gte")
     cvss__lte = django_filters.NumberFilter(field_name="cvss", lookup_expr="lte")
 
@@ -612,6 +616,7 @@ class Meta:
         fields = [
             "name",
             "published_date",
+            "last_modified_date",
             "link",
             "status",
             "description",

nautobot_device_lifecycle_mgmt/forms.py

@@ -606,6 +606,7 @@ class CVELCMForm(NautobotModelForm):
     """CVE Lifecycle Management creation/edit form."""
 
     published_date = forms.DateField(widget=DatePicker())
+    last_modified_date = forms.DateField(widget=DatePicker(), required=False)
     severity = forms.ChoiceField(choices=CVESeverityChoices.CHOICES, label="Severity", required=False)
     tags = DynamicModelMultipleChoiceField(queryset=Tag.objects.all(), required=False)
     affected_softwares = DynamicModelMultipleChoiceField(queryset=SoftwareVersion.objects.all(), required=False)
@@ -618,6 +619,7 @@ class Meta:
         fields = [
             "name",
             "published_date",
+            "last_modified_date",
             "link",
             "status",
             "description",
@@ -633,6 +635,7 @@ class Meta:
 
         widgets = {
             "published_date": DatePicker(),
+            "last_modified_date": DatePicker(),
         }
 
 
@@ -673,6 +676,9 @@ class CVELCMFilterForm(NautobotFilterForm):
     published_date_before = forms.DateField(label="Published Date Before", required=False, widget=DatePicker())
     published_date_after = forms.DateField(label="Published Date After", required=False, widget=DatePicker())
 
+    last_modified_date_before = forms.DateField(label="Last Modified Date Before", required=False, widget=DatePicker())
+    last_modified_date_after = forms.DateField(label="Last Modified Date After", required=False, widget=DatePicker())
+
     cvss__gte = forms.FloatField(label="CVSS Score Above", required=False)
     cvss__lte = forms.FloatField(label="CVSS Score Below", required=False)
 
@@ -701,6 +707,8 @@ class Meta:
             "q",
             "published_date_before",
             "published_date_after",
+            "last_modified_date_before",
+            "last_modified_date_after",
             "severity",
             "status",
             "affected_softwares",

nautobot_device_lifecycle_mgmt/jobs/__init__.py

@@ -2,8 +2,13 @@
 
 from nautobot.core.celery import register_jobs
 
-from .cve_tracking import GenerateVulnerabilities
+from .cve_tracking import GenerateVulnerabilities, NistCveSyncSoftware
 from .lifecycle_reporting import DeviceSoftwareValidationFullReport, InventoryItemSoftwareValidationFullReport
 
-jobs = [DeviceSoftwareValidationFullReport, InventoryItemSoftwareValidationFullReport, GenerateVulnerabilities]
+jobs = [
+    DeviceSoftwareValidationFullReport,
+    InventoryItemSoftwareValidationFullReport,
+    GenerateVulnerabilities,
+    NistCveSyncSoftware,
+]
 register_jobs(*jobs)