secubox-openwrt/package/secubox/secubox-cve-triage

SecuBox CVE Triage Agent

AI-powered CVE analysis and vulnerability management for SecuBox.

Features

  • Automated CVE Scanning: Monitors installed packages (opkg, LXC, Docker)
  • NVD Integration: Fetches the latest vulnerabilities from the NIST NVD API
  • CrowdSec Correlation: Matches CVE-related CrowdSec alerts
  • AI Analysis: LocalAI-powered impact assessment and recommendations
  • Approval Workflow: Queue-based patch approval for critical changes
  • Multi-Source Monitoring: opkg packages, LXC containers, Docker images

CLI Reference

# Status and monitoring
cve-triage status          # Agent status
cve-triage scan            # Scan installed packages
cve-triage fetch           # Fetch latest CVE data
cve-triage run             # Full triage cycle

# CVE analysis
cve-triage analyze CVE-2024-1234   # Analyze specific CVE

# Recommendation management
cve-triage list-pending    # List pending recommendations
cve-triage approve <id>    # Approve recommendation
cve-triage reject <id>     # Reject recommendation
cve-triage approve-all     # Approve all pending

# Alerts
cve-triage alerts          # Show active alerts

# Reports
cve-triage summary         # Security summary
cve-triage export          # Export full report (JSON)

# Daemon
cve-triage daemon          # Run as background daemon

Configuration

Edit /etc/config/cve-triage:

config cve-triage 'main'
    option enabled '1'
    option interval '3600'           # Triage interval (seconds)
    option localai_url 'http://127.0.0.1:8081'
    option localai_model 'tinyllama-1.1b-chat-v1.0.Q4_K_M'
    option min_severity 'high'       # low/medium/high/critical
    option affected_only '1'         # Only CVEs affecting installed packages
    option auto_apply_patches '0'    # Queue patches for approval
    option min_confidence '80'       # AI confidence threshold

Data Flow

1. COLLECT
   ├─ opkg list-installed
   ├─ LXC container packages (dpkg/apk)
   └─ Docker images

2. FETCH CVEs
   ├─ NVD API (last 7 days, high severity)
   └─ CrowdSec CVE alerts

3. MATCH
   └─ CVE descriptions ↔ package names

4. ANALYZE (LocalAI)
   ├─ Impact assessment
   ├─ OpenWrt relevance
   └─ Action recommendation

5. RECOMMEND
   ├─ patch: opkg upgrade <pkg>
   ├─ mitigate: manual steps
   └─ monitor: no action

6. APPROVE/APPLY
   ├─ Auto-apply (if enabled)
   └─ Queue for review

LocalAI Integration

Requires LocalAI running at http://127.0.0.1:8081 (the localai_url option above).

Without LocalAI, the agent falls back to basic analysis based on the CVSS score alone.

Files

  • /etc/config/cve-triage - Configuration
  • /var/lib/cve-triage/ - State and recommendations
  • /var/cache/cve-triage/ - CVE data cache
  • /var/lib/cve-triage/pending_actions.json - Approval queue

Part of SecuBox v0.19 AI Gateway