05-28-2024 02:35 AM
Hi,
I am using the PSIRT APIs to fetch data from IOS, IOS XE, IOS XR, and NX OS. Through the API, I retrieve the CSAF URL and download the associated JSON. However, there is some missing information regarding which versions are vulnerable to the relevant advisories.
Here are some examples:
This image represents the CSAF JSON file of cisco-sa-snmp-uwBXfqww. As you can see, the information about product versions is displayed. However, in some cases, the versions are not specified in the CSAF. Specifically, for IOS XR, none of the versions are displayed. Here’s an example of a CSAF JSON file for cisco-sa-iosxr-ipxe-sigbypass-pymfyqgB:
To achieve what I want, I actually need those versions. So my question is: If I encounter cases where these versions are missing, how should I handle them? Should it be interpreted as "All versions of this family are affected"?
Thank you
Emanuele Di Salvia
05-28-2024 04:08 AM
The "versions affected" data seems to be provided by Cisco Software Checker, which currently only supports checking versions of the following OSes: ASA, FMC, FTD, FXOS, IOS, IOS XE, NX-OS. AFAIK there is no other API that will give you the same information for IOS XR.
How to handle this comes down to your specific application/program. I believe you will either have to interpret it as "all versions are affected", or you will have to either display/parse the "Fixed releases" portion of each IOS XR advisory.
05-28-2024 02:50 PM
Hello,
Today it is fair to say that Cisco only populates the affected version information in CSAF for products that are supported by Software Checker - IOS, IOS-XE, Cisco ASA, FMC, FTD, FXOS, IOS, IOS XE, NX-OS and NX-OS in ACI Mode.
For all other products the CSAF product tree only indicates the affected product. The affected and fixed releases are typically presented in a table in the Fixed Software portion of the advisory. So if you have a product family with no product versions you need to flag for manual inspection of the advisory/CSAF.
Cisco are considering opening this up for all products (no timeframe), but for all other products it would be a snapshot only at the time of publication, rather than a dynamically updated CSAF.
Thanks.
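The handling suggested in the replies above, as an added example that is not part of the original thread and is not Cisco code: it walks a CSAF 2.0 `product_tree` and flags any product that carries no version branches for manual inspection. The sample document, its version strings and product IDs, and the function names are constructed for illustration; real Cisco CSAF files are assumed to use the standard CSAF 2.0 branch categories.

```python
import json

# Constructed sample shaped like a CSAF 2.0 product_tree; not copied from a Cisco advisory.
SAMPLE_CSAF = json.loads("""
{"product_tree": {"branches": [
  {"category": "vendor", "name": "Cisco", "branches": [
    {"category": "product_family", "name": "Cisco IOS XE Software", "branches": [
      {"category": "product_version", "name": "17.3.1",
       "product": {"name": "Cisco IOS XE Software 17.3.1", "product_id": "CSAFPID-1"}},
      {"category": "product_version", "name": "17.3.2",
       "product": {"name": "Cisco IOS XE Software 17.3.2", "product_id": "CSAFPID-2"}}]},
    {"category": "product_name", "name": "Cisco IOS XR Software",
     "product": {"name": "Cisco IOS XR Software", "product_id": "CSAFPID-3"}}]}]}}
""")

VERSION_CATEGORIES = {"product_version", "product_version_range"}
PRODUCT_CATEGORIES = {"product_family", "product_name"}

def collect_versions(branch):
    """Return every version name found at or below this branch."""
    found = [branch["name"]] if branch.get("category") in VERSION_CATEGORIES else []
    for child in branch.get("branches", []):
        found.extend(collect_versions(child))
    return found

def triage(csaf):
    """Map each product to its listed versions, or to None when the CSAF lists none."""
    result = {}

    def walk(branch):
        if branch.get("category") in PRODUCT_CATEGORIES:
            # None means: no versions in the CSAF, flag the advisory for manual inspection.
            result[branch["name"]] = sorted(collect_versions(branch)) or None
            return
        for child in branch.get("branches", []):
            walk(child)

    for top in csaf.get("product_tree", {}).get("branches", []):
        walk(top)
    return result

if __name__ == "__main__":
    for product, versions in triage(SAMPLE_CSAF).items():
        print(product, "->", versions or "MANUAL REVIEW: check the Fixed Software section")
```

Keeping `None` distinct from a version list lets the calling application choose its own policy for unversioned products instead of silently treating them as unaffected.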