Get notified about new CVEs right in your Discord server!
Invite the bot to your Discord server using this link: https://discord.com/api/oauth2/authorize?client_id=1147880351901962300&permissions=2048&scope=bot%20applications.commands
If you choose to self-host the bot, the link will be printed to stdout once the bot has started.
All commands require the user running them to have the "Administrator" permission, and all of them return an ephemeral message that can only be seen by the user who ran it.
The bot needs the "Send Message" permission in channels with active subscriptions in order to send new alerts.
Use the commands /subscribe products or /subscribe vendor in the channel where you wish to receive alerts about new CVEs. You can specify multiple entries at once by separating them with a comma, and get some help from the built-in autocompletion.
To stop receiving alerts about a vendor or product in a channel, run the command /unsubscribe products or /unsubscribe vendor in that channel and specify the entries. You can specify multiple entries at once by separating them with a comma, and get some help from the built-in autocompletion.
You can also unsubscribe from all vendors or products at once by entering an asterisk (*).
You can change the base URL used for linking CVE IDs, vendors and products at any time. Remember that these changes will only take effect on new alerts. You can also specify a channel to change the URL only in that channel.
The bot will confirm the change, and will also provide a URL for you to test this new URL.
Use the /see-settings command to see all the settings of your server, such as the OpenCVE frontend URL set server-wide or for specific channels, and the subscribed vendors and products.
Remember that there might be multiple pages, which you can navigate with the arrow buttons. These buttons will stop working 24 hours after not using them.
If your Discord server is public, you may want to limit the visibility of the channel used to notify new CVEs, as a malicious user could actively watch for new CVEs affecting your software to exploit them.
Hover over the channel with the mouse and click on the gear wheel icon.
Now click on the "Permissions" tab on the left side menu.
And now toggle on the private channel.
Finally, click the "Add members or roles" button and check the roles or individual members you want to allow to see the CVEs. Once you are done, click the "Done" button.
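A way to verify the result of the steps above from the channel's permission data, as an added example that is not part of the bot's code. It assumes the channel object shape returned by Discord's REST API (`permission_overwrites` entries with `id`, `type`, `allow`, `deny`); all IDs and sample channels are constructed.

```python
# Added example: audit who can see the CVE alert channel.
# All IDs and the sample channels below are constructed for illustration.
VIEW_CHANNEL = 1 << 10    # 0x400
SEND_MESSAGES = 1 << 11   # 0x800 == 2048, the value in the bot's invite link
ADMINISTRATOR = 1 << 3

def apply_overwrite(perms, overwrite):
    """Apply one channel overwrite: denied bits are cleared, then allowed bits set."""
    perms &= ~int(overwrite["deny"])
    perms |= int(overwrite["allow"])
    return perms

def everyone_can_view(guild_id, everyone_role_perms, channel):
    """True if a member holding only the @everyone role can see the channel."""
    perms = int(everyone_role_perms)
    if perms & ADMINISTRATOR:
        return True
    for ow in channel["permission_overwrites"]:
        # The @everyone role shares its ID with the guild (type 0 = role).
        if ow["type"] == 0 and ow["id"] == guild_id:
            perms = apply_overwrite(perms, ow)
    return bool(perms & VIEW_CHANNEL)

def explicit_viewers(guild_id, channel):
    """Roles (type 0) and members (type 1) explicitly granted VIEW_CHANNEL."""
    return [(("role", "member")[ow["type"]], ow["id"])
            for ow in channel["permission_overwrites"]
            if ow["id"] != guild_id and int(ow["allow"]) & VIEW_CHANNEL]

GUILD_ID = "100000000000000001"  # constructed
PUBLIC_CHANNEL = {"id": "200000000000000001", "permission_overwrites": []}
PRIVATE_CHANNEL = {
    "id": "200000000000000002",
    "permission_overwrites": [
        # What the "private channel" toggle produces: @everyone loses VIEW_CHANNEL.
        {"id": GUILD_ID, "type": 0, "allow": "0", "deny": str(VIEW_CHANNEL)},
        {"id": "300000000000000001", "type": 0, "allow": str(VIEW_CHANNEL), "deny": "0"},
        {"id": "400000000000000001", "type": 1,
         "allow": str(VIEW_CHANNEL | SEND_MESSAGES), "deny": "0"},
    ],
}
EVERYONE_PERMS = str(VIEW_CHANNEL | SEND_MESSAGES)  # constructed guild-level default

if __name__ == "__main__":
    for ch in (PUBLIC_CHANNEL, PRIVATE_CHANNEL):
        print(ch["id"], "visible to @everyone:",
              everyone_can_view(GUILD_ID, EVERYONE_PERMS, ch),
              "explicit viewers:", explicit_viewers(GUILD_ID, ch))
```

Members whose roles carry the Administrator permission see every channel regardless of overwrites, so review who holds that permission as well.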
- A Discord bot (head to the Discord Developer Portal, create an application with the desired name, go to the "Bot" tab, regenerate the token and save it for later)
- An instance of OpenCVE, or access to its database (you can also install it with docker)
- Docker
Clone the repository (or download and extract it if you don't have git), and change directory to it
git clone [email protected]:eduardozgz/cve-bot.git
cd cve-bot
Create a .env file (or you can copy it directly from .env.example) or set the environment variables to configure the bot
Variable | Description |
---|---|
DISCORD_TOKEN | The token of your Discord bot |
GUILD_TO_DEPLOY_APPLICATION_COMMANDS | For development purposes, the Discord server ID where slash commands will be redeployed more quickly than globally. You can leave this blank |
OPENCVE_DATABASE_URL | The database URL of the OpenCVE database instance |
OPENCVE_DEFAULT_FRONTEND | Base URL used to provide links to CVEs, vendors and products, defaults to https://www.opencve.io |
DATABASE_URL | The database URL where the bot's persistent configurations will be stored. It can be the same as OPENCVE_DATABASE_URL but with a different database name (e.g: postgres://opencve:opencve@opencve-postgres-instance/opencve -> postgres://opencve:opencve@opencve-postgres-instance/cve-bot ) |
POSTGRES_USER | If you choose to deploy the database later with the provided docker-compose files, set here the username that will be used for storing the bot's persistent configurations. It can be anything, like cve-bot |
POSTGRES_PASSWORD | If you choose to deploy the database later with the provided docker-compose files, set here the password that will be used for storing the bot's persistent configurations. It can be anything, but choose a secure password! If you choose to deploy the database later with the provided docker-compose files, set here the database name that will be used for storing the bot's persistent configurations. It can be anything, like cve-bot |
docker compose up -d