Prometheus CVE Exporter is a Golang application that scans your system for all installed packages and compares them with the recent NVD JSON feed. It exports metrics that provide insights into the security status of your packages.
- Vulnerability Detection: Identifies installed packages that have known vulnerabilities.
- Prometheus Metrics: Exports detailed metrics to Prometheus for monitoring and alerting.
- Automated Updates: Regularly fetches the latest NVD JSON feed to ensure up-to-date vulnerability information.
| Metric Name | Type | Description | Labels |
|---|---|---|---|
nvd_vulnerable_packages |
GaugeVec | Indicates if a package is vulnerable (1) or not | package, version, cve, impact |
nvd_total_vulnerabilities |
Gauge | Total number of vulnerabilities detected | None |
nvd_last_update_time |
Gauge | Timestamp of the last successful update | None |
# HELP nvd_last_update_time Timestamp of the last successful update
# TYPE nvd_last_update_time gauge
nvd_last_update_time 1.7213802588068807e+09
# HELP nvd_total_vulnerabilities Total number of vulnerabilities detected
# TYPE nvd_total_vulnerabilities gauge
nvd_total_vulnerabilities 6
# HELP nvd_vulnerable_packages Indicates if a package is vulnerable (1) or not (metric not present)
# TYPE nvd_vulnerable_packages gauge
nvd_vulnerable_packages{cve="CVE-2024-21513",impact="HIGH",package="langchain-experimental",version="0.0.17"} 1
nvd_vulnerable_packages{cve="CVE-2024-6072",impact="MEDIUM",package="wp_estore",version="8.5.3"} 1
nvd_vulnerable_packages{cve="CVE-2024-6073",impact="MEDIUM",package="wp_estore",version="8.5.3"} 1
nvd_vulnerable_packages{cve="CVE-2024-6074",impact="MEDIUM",package="wp_estore",version="8.5.3"} 1
nvd_vulnerable_packages{cve="CVE-2024-6075",impact="HIGH",package="wp_estore",version="8.5.3"} 1
nvd_vulnerable_packages{cve="CVE-2024-6076",impact="MEDIUM",package="wp_estore",version="8.5.3"} 1
- Go 1.22 or higher
-
Clone the repository:
git clone https://github.com/zadjadr/prometheus-cve-exporter.git cd prometheus-cve-exporter -
Build the application:
go build -o ./bin/ ./...
-
Run the application:
./bin/prometheus-cve-exporter -help
Alternatively, you can download the precompiled package from the releases section on GitHub.
The Prometheus CVE Exporter will start a web server on port 10250 by default and expose the metrics at the /metrics endpoint.
To customize the settings, use the following flags:
-config string
path to config file
-nvd-feed-url string
URL for the NVD feed (default "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-recent.json.gz")
-package-file string
Path to file containing packages and versions
-port int
Port to run the server on (default 10250)
-severity string
Comma separated list of severity levels for vulnerabilities (default "CRITICAL")
-tls-cert string
Path to TLS certificate file
-tls-key string
Path to TLS key file
-update-interval duration
Update interval duration (default 24h0m0s)
./bin/prometheus-cve-exporter -port 9090 -severity "HIGH,CRITICAL" -update-interval 12h -package-file /tmp/packages.txt{
"package_file": "",
"nvd_feed_url": "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-recent.json.gz",
"update_interval": "5m",
"port": 8080,
"severity": [
"LOW",
"MEDIUM",
"HIGH",
"CRITICAL"
],
"tls_cert": "server.crt",
"tls_key": "server.key"
}./bin/prometheus-cve-exporter -config config.jsonCurrent configuration:
NVD Feed URL: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-recent.json.gz
Update Interval: 5m0s
Severity Levels: [LOW MEDIUM HIGH CRITICAL]
Port: 8080
Use TLS: true
TLS Certificate: ignore-server.crt
TLS Key: ignore-server.key
2024/07/21 20:21:49 Starting server on :8080
2024/07/21 20:21:49 TLS enabled
2024/07/21 20:21:50 Metrics updated successfully
# If you are using a self-signed certificate
curl -k https://localhost:8080/metrics
# If you are using a certificate signed by a trusted party
curl https://localhost:8080/metrics❯ curl -k https://localhost:8080/metrics -vvv
* Host localhost:8080 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:8080...
* Connected to localhost (::1) port 8080
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / x25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
* subject: C=DE; ST=Hamburg; L=Hamburg; O=zops.top; CN=localhost
* start date: Jul 21 00:51:56 2024 GMT
* expire date: Jul 21 00:51:56 2025 GMT
* issuer: C=DE; ST=Hamburg; L=Hamburg; O=zops.top; CN=localhost
* SSL certificate verify result: self-signed certificate (18), continuing anyway.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryptionReleased version tags are:
- latest
- major version (e.g.
v1) major.minorversion (e.g.v1.1)- tag name (e.g.
v1.0.0)
For the docker version, you will need to provide a package-file, otherwise the scanner will only
scan the container.
# Create a packages.txt file regularly in /tmp or any other place you prefere
# You should probably use a cronjob to do this.
mkdir /tmp/prometheus-cve-exporter
while true; do pacman -Q > /tmp/prometheus-cve-exporter/packages.txt; sleep 86400; done &
docker run -it -v /tmp/prometheus-cve-exporter:/app -p 10250:10250 --rm ghcr.io/zadjadr/prometheus-cve-exporter:latest -- -package-file /app/packages.txtCurrent configuration:
NVD Feed URL: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-recent.json.gz
Update Interval: 24h0m0s
Severity Levels: [CRITICAL]
Port: 10250
Package file: /app/packages.txt
Use TLS: false
2024/07/21 18:19:45 Starting server on :10250
2024/07/21 18:19:45 TLS disabled
2024/07/21 18:19:46 Metrics updated successfully
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}