Templates
VulDB provides a wide variety of summaries and descriptions for vulnerabilities. Under certain circumstances these might not be enough. You might need summaries that highlight specific things, or very detailed technical summaries that take aspects of your environment into account.
Paying customers are able to create their own text templates. These can be used on the web site, in custom RSS feeds and in API requests.
Creating Statements
The basics of a template are the statements. A statement is a sub-sentence, a single sentence or multiple sentences.
Static Statements
This is a static sentence which might be used during text generation:
This product contains a severe security issue.
Dynamic Statements with Variables
It is possible to use dynamic parts to reflect attributes of an entry within a statement. These dynamic parts are variables, written with a prepended dollar sign like $variable. The names of the variables are the same as the data points used in the API. The static example from above now shows the name of the affected product:
The product with the name $software_name contains a severe security issue.
Dynamic Statements with Conditions
Under certain circumstances you might want to show a statement only if a specific condition is true. The following dynamic statement checks if the variable advisory_falsepositive has the value 1. If this is true, the statement in the then section is shown.
{name:advisory_falsepositive; if:1; then:This issue appears to be a false-positive.}
If the condition is not met, then the sentence is not shown. If you want to show another sentence if the condition is not met, you have to use the else section:
{name:advisory_falsepositive; if:1; then:This issue appears to be a false-positive.; else: This issue appears to be valid.}
Such conditions can also be part of static statements. For example, it is possible to simplify like this:
This issue appears to be {name:advisory_falsepositive; if:1; then:a false-positive; else:valid}.
Using embedded conditions introduces additional complexity as you have to understand the structure of your statements in detail to show the correct statements.
Conditions can use if:foobar to check for the specific value foobar. Numeric values can be compared with if:>0; this condition is only true if the compared variable has a numeric value greater than 0. You can also use if:len() to check whether a value exists.
Variety of Statements
Using the same statements might make reading entries very boring, especially if the reader has to process large quantities of entries. To prevent this effect it is possible to add multiple variants of the same statement:
A vulnerability classified as $vulnerability_risk_name has been found in $software_product.
A vulnerability classified as $vulnerability_risk_name was found in $software_product.
A vulnerability, which was classified as $vulnerability_risk_name, has been found in $software_product.
The more variants of a statement exist, the better. The text generation engine will choose "random" variants depending on the entry ID to compile organic texts. Two variants are recommended, three work very well and more are ideal.
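The statement features described above (variables, conditions and variants), evaluated in a short sketch. This is an added example, not VulDB's text generation engine: the entry_id field name, the modulo-based variant choice, the treatment of unknown variables and the restriction that then/else text contains no ; or } are assumptions.

```python
import re

# Constructed sample entry; software_name and advisory_falsepositive appear on
# this page, entry_id is a hypothetical field name for the entry ID.
ENTRY = {"entry_id": 4711, "software_name": "ExampleApp", "advisory_falsepositive": "1"}

# {name:VAR; if:TEST; then:TEXT; else:TEXT}; sketch assumes TEXT has no ';' or '}'
COND = re.compile(r"\{name:(\w+);\s*if:([^;]*);\s*then:([^;}]*)(?:;\s*else:([^}]*))?\}")
VAR = re.compile(r"\$(\w+)")


def condition_holds(value, test):
    """Evaluate the three condition forms the page describes."""
    test = test.strip()
    if test == "len()":  # value exists (assumed: present and non-empty)
        return value is not None and str(value) != ""
    if test.startswith(">"):  # numeric comparison such as if:>0
        try:
            return float(value) > float(test[1:])
        except (TypeError, ValueError):
            return False  # a non-numeric value never satisfies a numeric test
    return value is not None and str(value) == test  # specific value such as if:1


def render(statement, entry):
    """Resolve conditions first, then substitute $variables in a single pass."""
    def branch(m):
        name, test, then, other = m.groups()
        chosen = then if condition_holds(entry.get(name), test) else (other or "")
        return chosen.strip()

    text = COND.sub(branch, statement)
    # Values inserted here are not rescanned, so a field containing '$' or '{'
    # stays literal. Unknown variables are left as written (assumption).
    return VAR.sub(lambda m: str(entry.get(m.group(1), m.group(0))), text)


def pick_variant(variants, entry_id):
    """Assumed selection rule: entry ID modulo the number of variants."""
    return variants[entry_id % len(variants)]


if __name__ == "__main__":
    variants = ["A vulnerability has been found in $software_name.",
                "A vulnerability was found in $software_name."]  # constructed
    print(render(pick_variant(variants, ENTRY["entry_id"]), ENTRY))
```

Because the same entry ID always selects the same variant, a given entry renders identically on every request while different entries still vary.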
Defining Report Structures
To show the reports, the different statements have to be compiled in a report structure. The statements have identifiers like vulnerability_detected, potential_false-positive, and countermeasure_recommend_upgrade. These identifiers need to be defined line by line. A very quick summary might look like this:
vulnerability_detected
potential_false-positive
countermeasure_recommend_upgrade
Paragraphs are possible by adding multiple newlines. Adding head. to a line defines it as a header. It is also possible to comment out lines or add comments with the hashtag symbol #.
Updated: 2022-04-07 by VulDB Documentation Team