OWASP Patton

Patton

GitHub Releases

Patton - The vulnerability knowledge database

Patton is a set of tools for helping admins and security auditors to search for vulnerabilities in software components and computer systems.

Patton contains, at this moment, the tools needed to analyze vulnerabilities on Ubuntu, Debian and RHEL 8 or newer systems and we are currently working on increasing the targets to include Python dependencies.

Description

Searching for vulnerabilities is a really hard task. Vulnerabilities databases have they own format and they index vulnerabilities in a way that makes difficult to match with the package names you install in your systems or with the libraries your software depends on.

Patton pre-cooks a vulnerabilities database, this database is really small to ease downloading and contains only the needed data to allow the match of the vulnerable component.

Patton contains a series of small epecialized tools that are able of making the match between the vulnerability and the software package or library and offers a single interface to invoke all the tools in a consistent way.

Contribution

Everyone is welcome and encouraged to participate in our Project.

Licensing

This project is distributed under Apache 2 license.


Setup

Patton, in its current version, is a shell script that orchestrates the available tools to search for vulnerabilities in order to be run it needs the following dependencies:

  • zstd
  • Docker
  • Patton database

Install

After installing the dependencies run the following commands in order to finish the installation.

$ wget https://github.com/BBVA/patton/releases/download/latest/patton.db.zst
$ wget https://github.com/BBVA/patton/raw/develop/bin/patton
$ install patton /usr/local/bin/patton

By default Patton looks for its database in the current directory, if not the -d option flag can be used to give it the database location.

Examples

Usage

$ patton --help
Usage: patton [OPTION]... [PATTERN]
Try '/usr/local/bin/patton -h|--help' for more information
  -h, --help           display this help text and exit
  -V, --version        display version information and exit
  -d, --database-file  path to database file
  -t, --search-type    type of search to execute: product|pkg_debian|pkg_ubuntu|fulltext
  -s, --search-subtype for search-type:(debian|ubuntu), sets the suite
    e.g.: buster, potato, fossa, xenial, precise, trusty...
  -v, --pkg-version    cpe version when searching by cpe
  -n, --pkg-name       path to database file
  -w, --pkg-vendor     path to database file

Search for vulnerabilities in a Debian system

patton -t pkg_debian < /var/lib/dpkg/status

Search for vulnerabilities in an Ubuntu system

patton -t pkg_ubuntu < /var/lib/dpkg/status

Search for vulnerabilities in a Red Hat Enterprise Linux

patton -t pkg_rhel

NOTE: Have to be run on RHEL 8 or newer

Search for vulnerabilities with a free-format string

patton -d patton.db.zst -t fulltext openssl