Overview

The vulnerability module gives you access to a number of facts.

Attributes

Attribute Name   Short Description
cve_list         The list of all detected CVEs on the system.
grype_version    Reports the installed version of grype.

cve_list

The list of all detected CVEs on the system.

This is the core of the vulnerability module. The module runs grype at regular intervals, scans the system for vulnerabilities and reports the findings in the fact cve_list. Each key is a CVE identifier; its value records the affected artifact (artifact_name, version), where it was found (locations), the severity grype assigned and the fix_state of the finding.

Here is an abbreviated extract of the fact:

$ puppet facts cve_list
{
  "cve_list": {
    "CVE-2005-2541": {
      "artifact_name": "tar",
      "fix_state": "wont-fix",
      "locations": [
        "/var/lib/rpm/Packages"
      ],
      "severity": "Medium",
      "version": "2:1.30-4.el8"
    },
    "CVE-2008-1145": {
      "artifact_name": "webrick",
      "fix_state": "unknown",
      "locations": [
        "/vagrant/modules/vulnerability/Gemfile.lock"
      ],
      "severity": "Medium",
      "version": "1.7.0"
    },
    ...
    ...
  }
}

The module provides several ways to use this fact:

  • Do something when a specific CVE is found
  • Do something based on the number of detected CVEs of a specific severity
  • Report on the number of detected CVEs
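The following manifest is an added example of all three uses, not code from the vulnerability module itself. It assumes only the fact structure shown in the extract above, plus one practical assumption: on a node that has not been scanned yet the fact is absent, so $facts['cve_list'] is undef and must be defaulted to an empty hash before it is used. The watched CVE id, the $max_high threshold and the resource titles are placeholders chosen for the example.

```puppet
# Added example (not part of the vulnerability module): consuming cve_list
# from a manifest. Assumes the fact may be undef before the first scan.
$cve_list = $facts['cve_list'] ? {
  undef   => {},
  default => $facts['cve_list'],
}

# 1. Do something when a specific CVE is found: here a notify that names the
#    affected artifact. Replace the CVE id (an example value taken from the
#    extract above) and the resource with the remediation you want to trigger.
$watched_cve = 'CVE-2008-1145'
if $watched_cve in $cve_list {
  $hit = $cve_list[$watched_cve]
  notify { "vulnerability-${watched_cve}":
    message => "${watched_cve}: ${hit['artifact_name']} ${hit['version']} at ${hit['locations'].join(', ')} (fix_state=${hit['fix_state']})",
  }
}

# 2. Do something based on the number of CVEs of a specific severity: warn when
#    more than $max_high High/Critical findings exist. $max_high is an
#    example threshold; 0 means any such finding triggers the warning.
$max_high = 0
$high = $cve_list.filter |$id, $detail| { $detail['severity'] in ['High', 'Critical'] }
if $high.length > $max_high {
  warning("${high.length} High/Critical CVEs detected (limit ${max_high}): ${high.keys.join(', ')}")
}

# 3. Report on the number of detected CVEs: totals per severity, plus the
#    findings marked wont-fix, which a package update will not remove.
$per_severity = $cve_list.reduce({}) |$memo, $kv| {
  $sev = $kv[1]['severity']
  $memo + { $sev => ($memo[$sev] ? { undef => 0, default => $memo[$sev] }) + 1 }
}
$wont_fix = $cve_list.filter |$id, $detail| { $detail['fix_state'] == 'wont-fix' }.length
notify { 'cve-summary':
  message => "${cve_list.length} CVEs detected: ${per_severity}; ${wont_fix} marked wont-fix",
}
```

Use warning() rather than fail() for the severity gate unless you really want to block the node: fail() aborts the whole catalog, which also stops the package updates that would remove the very CVEs being reported. The wont-fix count is worth tracking separately because those findings need a compensating control or an exception, not another package run.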


grype_version

Reports the installed version of grype.

The module reports the installed version of grype in this fact so that Puppet can install grype and keep it up to date.
