facts
Overview
The vulnerability module gives you access to a number of facts.
Attributes
| Attribute Name | Short Description |
|---|---|
| cve_list | The list of all detected CVEs on the system. |
| grype_version | Reports the installed version of grype. |
cve_list
The list of all detected CVEs on the system.
This is the core of the vulnerability module. Puppet scans at regular intervals for vulnerabilities and reports them in the fact `cve_list`.
Here is part of the output:
```
$ puppet facts cve_list
{
  "cve_list": {
    "CVE-2005-2541": {
      "artifact_name": "tar",
      "fix_state": "wont-fix",
      "locations": [
        "/var/lib/rpm/Packages"
      ],
      "severity": "Medium",
      "version": "2:1.30-4.el8"
    },
    "CVE-2008-1145": {
      "artifact_name": "webrick",
      "fix_state": "unknown",
      "locations": [
        "/vagrant/modules/vulnerability/Gemfile.lock"
      ],
      "severity": "Medium",
      "version": "1.7.0"
    },
    ...
    ...
  }
}
```
The module contains a number of ways to use this fact to:
- Do something based on a found CVE
- Do something based on the number of detected CVEs of a specific severity
- Report on the number of found CVEs
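The following manifest is an added example, not code from the vulnerability module itself, showing the three uses listed above directly from the `cve_list` fact. It assumes the fact has the shape shown in the extract (CVE id mapped to a hash with `artifact_name`, `fix_state`, `locations`, `severity` and `version`); the class name, the CVE id being watched, the threshold and the `High` severity value are illustrative assumptions.

```puppet
# Added example (not the vulnerability module's own code). Assumes the cve_list
# fact shape shown in the documentation; class name, watched CVE, threshold and
# the 'High' severity label are assumptions.
class profile::cve_policy (
  Integer $max_high_cves = 0,
  String  $watched_cve   = 'CVE-2008-1145',
) {
  # The fact is absent until the first scan has run, so fall back to an empty hash.
  $cves = $facts['cve_list'] ? {
    Hash    => $facts['cve_list'],
    default => {},
  }

  # 1. Do something based on a specific CVE: log the affected artifact.
  if $watched_cve in $cves {
    $hit = $cves[$watched_cve]
    notify { "cve-present-${watched_cve}":
      message => "${watched_cve} in ${hit['artifact_name']} ${hit['version']} (fix_state: ${hit['fix_state']})",
    }
  }

  # 2. Do something based on the number of CVEs of a given severity.
  $high   = $cves.filter |$id, $info| { $info['severity'] == 'High' }
  $medium = $cves.filter |$id, $info| { $info['severity'] == 'Medium' }

  if length($high) > $max_high_cves {
    warning("${length($high)} High CVEs detected, more than the allowed ${max_high_cves}")
  }

  # 3. Report on the number of found CVEs.
  notify { 'cve-report':
    message => "CVEs detected: ${length($cves)} (High: ${length($high)}, Medium: ${length($medium)})",
  }
}
```

The selector on `$facts['cve_list']` keeps the class usable on a node where grype has not produced a scan yet; without it, `in` and `filter` would fail on `undef`. Replacing the `warning()` call with `fail()` would turn the threshold into a hard gate that aborts the catalog.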
grype_version
Reports the installed version of grype.
To be able to use Puppet to seamlessly install and update grype, this module fetches the installed version of grype.
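As an added example, not the module's own update logic, a manifest can compare the `grype_version` fact against a target using the built-in `versioncmp` function. It assumes the fact is a plain version string (for example `0.74.0`) and is absent before the first install; the target version is a placeholder.

```puppet
# Added example (not the vulnerability module's own code). Assumes grype_version
# is a plain version string and is undef before grype is installed; the target
# version is a placeholder.
class profile::grype_version_check (
  String $target_version = '0.74.0',  # placeholder target version
) {
  $installed = $facts['grype_version']

  if $installed =~ Undef {
    notify { 'grype-missing':
      message => 'grype is not installed; cve_list will stay empty until it is',
    }
  } elsif versioncmp($installed, $target_version) < 0 {
    notify { 'grype-outdated':
      message => "grype ${installed} is older than ${target_version}; update before relying on cve_list",
    }
  } else {
    notify { 'grype-current':
      message => "grype ${installed} is at or above ${target_version}",
    }
  }
}
```

Checking the version before acting on `cve_list` matters because an old grype (or one with a stale vulnerability database) reports fewer findings, so an empty or short list from an outdated scanner should not be read as a clean system.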