OVVL Server provides the OVVL Frontend with the required data and includes a product (CPE) and vulnerability (CVE) API which can be used for external use cases. OVVL is developed at University of Applied Sciences Offenburg and is part of the BMBF KMU-Innovation Project "CloudProtect" (Förderkennzeichen 16KIS0850).
The server is built on Spring Boot 2.1.0 and Swagger. It requires Java 8 to run and a MongoDB instance to work correctly.
Threats were created with the "Elevation of Privilege Card Game" from Microsoft. The game is licensed under the Creative Commons Attribution 3.0 United States License.
Build the server using Gradle.
gradle clean build
Then run it:
gradle bootRun
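You can also run the server using Docker, but make sure to set up a network bridge with your MongoDB. Note that Docker records --build-arg values in the image's build history (visible via docker history), so the resulting image should be treated as containing the JWT secret and the mail password.
docker build \
  --build-arg mongoConnection="$MONGODB_CONNECTION" \
  --build-arg jwtSecret="$OVVL_JWT_SECRET" \
  --build-arg supportMail="$SUPPORT_MAIL_SENDER" \
  --build-arg supportMailPW="$SUPPORT_MAIL_SENDER_PW" \
  --build-arg supportMailReceiver="$SUPPORT_MAIL_RECEIVER" \
  -t ovvl-docker .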
The following environment variables have to be set in order for the server to run correctly.
MONGODB_CONNECTION
- The URI for the MongoDB connection. E.g. mongodb://ovvl-mongo:27017/ovvl-db
OVVL_JWT_SECRET
- The secret for the JSON Web Token generation.
SUPPORT_MAIL_SENDER
- The mail address used to send support mails.
SUPPORT_MAIL_SENDER_PW
- The password of that mail address.
SUPPORT_MAIL_RECEIVER
- The mail address receiving the support mails.
The server requires a MongoDB connection in order to work correctly. If you want to utilize the CPE and CVE lookup feature, you need to fill the database with the data provided by the NVD (CPE / CVE). Place the unpacked files under src/main/resources and specify the years of the downloaded CVE data in the CVEService under src/main/java/com/tam/services/meta/ -> getNVDFileSpecifications(). Once you uncomment the fillDBWith...() function in ThreatServer.java, the files are parsed automatically and loaded into your MongoDB.
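A preflight check for the environment variables listed above, as an added example that is not part of the OVVL repository: it reports unset or malformed values by name only, so secrets never reach the terminal or a CI log. The function name ovvl_check_env and the 32-character minimum for the JWT secret are assumptions, since this README does not state which JWT algorithm the server uses.

```shell
#!/bin/sh
# Added example, not part of the OVVL repository: preflight check for the
# five variables the README requires. Only names are printed, never values.
# Assumption: 32 characters is the minimum acceptable secret length (enough
# for an HMAC-SHA256 key); the README does not name the JWT algorithm.
MIN_JWT_SECRET_LEN=32

# Prints one line per problem and returns the number of problems found.
ovvl_check_env() {
    problems=0
    for name in MONGODB_CONNECTION OVVL_JWT_SECRET SUPPORT_MAIL_SENDER \
                SUPPORT_MAIL_SENDER_PW SUPPORT_MAIL_RECEIVER; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "missing: $name"
            problems=$((problems + 1))
            continue
        fi
        case "$name" in
            MONGODB_CONNECTION)
                # Must be a MongoDB URI like the README's example value.
                case "$value" in
                    mongodb://*|mongodb+srv://*) ;;
                    *) echo "invalid: $name is not a mongodb:// URI"
                       problems=$((problems + 1)) ;;
                esac ;;
            OVVL_JWT_SECRET)
                # A short signing secret weakens every token the server issues.
                if [ "${#value}" -lt "$MIN_JWT_SECRET_LEN" ]; then
                    echo "weak: $name is shorter than $MIN_JWT_SECRET_LEN characters"
                    problems=$((problems + 1))
                fi ;;
            SUPPORT_MAIL_SENDER|SUPPORT_MAIL_RECEIVER)
                case "$value" in
                    *@*) ;;
                    *) echo "invalid: $name is not a mail address"
                       problems=$((problems + 1)) ;;
                esac ;;
        esac
    done
    return "$problems"
}
# Usage: ovvl_check_env || exit 1   (before docker build or gradle bootRun)
```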
The API is specified in src/main/resources/swagger with the help of yamlinc. If you want to add to the existing API, specify your requirements following the existing structure and, after building the API documentation with yamlinc, run the gradle generateApi task. Code generated by this method is placed under src/generated.
When running, the API documentation can be viewed at localhost:8080/swagger-ui.html.
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.