copyright 1998-2018 by Mark Verboom

Security alert monitoring

Friday, 6 February, 2015

I was looking for a setup which would automatically monitor new security issues that arise, notify me about them and provide a way to follow up on those issues. I couldn't really find anything that would fit those requirements and be as simple as possible. So I decided to look at it from a different angle: get a bug tracking system which has an interface and feed the system from a script that monitors the security issues.

After browsing for a bit, Mantis BT came up as a good candidate. It looked like a simple enough setup, yet it provides a SOAP interface and seems to have more than enough features to track issues.

www.mantisbt.org

Installing Mantis BT

Time to try and create the setup :)

I started out with an up-to-date 64-bit Debian 7.8 installation in an OpenVZ zone, but I would expect any other setup to do. I'm going to provide the commands I used for this setup. I named the machine mantis-demo.

First part, get extra packages installed:

ssh root@mantis-demo
apt-get install unzip apache2 libapache2-mod-php5 php5-mysql php5-gd mysql-server libphp-simplepie

When prompted, don't forget to note the MySQL password for the root user. I'll refer to it as:

mysqlpass

Because Mantis needs to mail users their account information, we'll do a basic mail setup for the local system. You can of course set up a real mail configuration instead.

apt-get install exim4-daemon-light

When prompted for configuration options, choose the following:

  • Local delivery only; not on a network
  • System mail name: mantis-demo
  • Don't change the IP addresses
  • Other destinations: mantis-demo
  • Keep number of DNS queries minimal: No
  • Delivery method for local mail: mbox format in /var/mail
  • Split configuration into small files: No
  • Root and postmaster mail recipient: root

Now we download the latest stable zip from the Mantis Sourceforge site:

http://sourceforge.net/projects/mantisbt/files/mantis-stable/

At the time of download the current version was 1.2.19, so all commands refer to that version. Follow the next commands to set up the software:

scp mantisbt-1.2.19.zip mantis-demo:/tmp
ssh root@mantis-demo
cd /opt
unzip /tmp/mantisbt-1.2.19.zip
ln -s mantisbt-1.2.19 mantis
chown -R www-data.www-data mantis*
cd /etc/apache2/sites-available
cat - > mantis-demo <<EOF
<VirtualHost *:80>
ServerName mantis-demo
DocumentRoot /var/www
LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" combined_forwarded
# Log the originating ip if a proxy is used
SetEnvIfNoCase X-Forwarded-For "." from_proxy=1
CustomLog /var/log/apache2/mantis-demo-access.log combined env=!from_proxy
CustomLog /var/log/apache2/mantis-demo-access.log combined_forwarded env=from_proxy
ErrorLog /var/log/apache2/mantis-demo-error.log

Alias /mantis/ /opt/mantis/
</VirtualHost>
EOF
cd /etc/apache2/sites-enabled
rm 000-default
ln -s ../sites-available/mantis-demo mantis-demo
/etc/init.d/apache2 restart

For Mantis to be able to populate the database we will create a new user. I personally don't like to use the root user credentials for the Mantis database. Mantis will not create a user itself; it will create the database. For this setup we'll create a database named mantis, with a user named mantis with password mantis-demo (it's better to change this to something safer).

mysql -p mysql <<EOF
CREATE DATABASE mantis;
CREATE USER 'mantis'@'localhost' IDENTIFIED BY 'mantis-demo';
GRANT ALL PRIVILEGES ON mantis.* TO 'mantis'@'localhost';
EOF

This should now have created a working Mantis website. Try to open it in your web browser:

http://mantis-demo/mantis/

Fill in the following information:

  • hostname: localhost
  • username: mantis
  • password: mantis-demo
  • database name: mantis
  • admin: root
  • password: your password

Choose: Install/Upgrade Database

This should provide no errors. You can now click the link at the bottom of the page.

To keep the installation as secure as possible, remove the admin directory from the installation:

cd /opt/mantis
rm -rf admin

Configuring Mantis BT

Now that the basic installation is done, we can configure Mantis.

Go back to the web interface and log in:

http://mantis-demo/mantis/

Username: administrator
Password: root

Now you should see the Mantis interface with the Add Project page. We'll make a new project; I will use the name Security in this example.

Now that we have a project, we need to create a user that the script will use to create issues.

Go to: Manage Users and choose Create New Account.

For this example I will use the user autoissue with password autoissue. The user needs the developer access level, because this is the lowest level which has the right to assign issues to users. As email address I will use root@mantis-demo so the activation email will be sent to the local root user.

On the command line, check for the activation URL in the mailbox:

grep http /var/mail/mail | tail -1

Copy and paste the URL into your web browser and set the account password. In this example I will use autoissue, but a stronger password is recommended. Choose Update User.

This will return you to the login screen. Log in again as administrator.

Choose Manage and then Manage Projects and click the Security project.

In the section Add user to project, choose autoissue with access level developer and click Add User.

This should conclude the (very) basic configuration of Mantis.

rss2mantis

Next we need to set up the automatic interface to get data from an RSS feed into Mantis. I made a script to do this, called rss2mantis.

cd /opt
wget -O - https://www.verboom.net/blog/20150206.0/rss2mantis.tar.gz | tar xzvf -
chown -R root.root rss2mantis

Now we need to configure rss2mantis. The example below puts in a test RSS feed so you can check that the script works.

cd /opt/rss2mantis
cat - > rss2mantis.ini <<EOF
[settings]
soapurl = "http://mantis-demo/mantis/api/soap/mantisconnect.php?wsdl"
mantislogin = "autoissue"
mantispass = "autoissue"
issueproject = "Security"
issueassign = "administrator"
issuedefaultcat = "General"
statusfile = "/opt/rss2mantis/rss2mantis.status"

[test]
url = "https://www.verboom.net/blog/20150206.0/test.xml"
name = "test"
category = "General"
EOF

Now we can test the script.

./rss2mantis -f rss2mantis.ini

Go back to the Mantis web interface and go to My View. This should now list an issue.

Click on the issue number to open the issue. This should look something like this:

With the setup now working, you can schedule rss2mantis to run periodically from cron, for example every hour (note that this replaces any existing crontab of the root user):

echo "0 * * * * /opt/rss2mantis/rss2mantis -f /opt/rss2mantis/rss2mantis.ini" | crontab -

Background and finetuning

The example ini file has most of the available options listed. A few of them might need some explanation.

The settings section contains all the global settings. This also includes who should get the issues assigned and what the category should be. Options not used in the example, but which can be useful in a real implementation, are:

basiclogin = "username"
basicpass = "password"

These are the login details that will be used when requesting the Mantis SOAP interface; they are only required when Mantis is behind a web server with basic authentication.

It is also handy to know that the only section title with a special meaning is the one named settings. All the others have to be feeds. The names of those sections aren't used by the script.

Mandatory per feed are:

url = "feed url"
name = "name of the feed"

It is optional to add a category option to a feed. This overrides the category defined in the settings section.

After running, the script updates the file defined in the settings section under statusfile. This contains, per feed, the timestamp of the last time the feed was checked. When checking a feed, only entries that were created later than the timestamp in the file are converted to issues and posted into Mantis.
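As an added illustration (not the rss2mantis code itself, which this article does not show), the following Python sketches the selection logic described in the last few paragraphs: parse the ini with its quoted values, look up the feed's last-checked timestamp in the status file, and turn only newer entries into issue payloads with the feed's category overriding the default. The status file layout, the sample ini and the sample feed are constructed for the example; the real script's status format is not documented here.

```python
import configparser
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

# Constructed rss2mantis-style ini: one [settings] section, every other section is a feed.
SAMPLE_INI = """
[settings]
issueproject = "Security"
issueassign = "administrator"
issuedefaultcat = "General"
[advisories]
url = "https://example.invalid/feed.xml"
name = "advisories"
category = "Advisories"
"""
# Constructed RSS document standing in for the fetched feed.
SAMPLE_RSS = """<rss version="2.0"><channel>
<item><title>Old item</title><link>https://example.invalid/1</link>
<description>already handled</description><pubDate>Thu, 05 Feb 2015 10:00:00 +0000</pubDate></item>
<item><title>New item</title><link>https://example.invalid/2</link>
<description>needs an issue</description><pubDate>Fri, 06 Feb 2015 09:30:00 +0000</pubDate></item>
</channel></rss>"""
# Assumed status layout: "feedname<TAB>epoch of last check" per line; 1423180800 = 2015-02-06 00:00 UTC.
SAMPLE_STATUS = "advisories\t1423180800\n"

def load_config(text):
    """Parse the ini; rss2mantis wraps values in double quotes, so strip them."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return {s: {k: v.strip('"') for k, v in cfg[s].items()} for s in cfg.sections()}

def parse_status(text):
    return {n: int(t) for n, t in (l.split("\t") for l in text.splitlines() if l)}

def new_issues(cfg, section, rss_text, status, now):
    """Return (issue payloads for entries newer than the last check, status with this check's time)."""
    settings, feed = cfg["settings"], cfg[section]
    last = status.get(feed["name"], 0)            # 0: feed never checked before, take everything
    issues = []
    for item in ET.fromstring(rss_text).iter("item"):
        published = int(parsedate_to_datetime(item.findtext("pubDate")).timestamp())
        if published <= last:
            continue                              # already turned into an issue on an earlier run
        issues.append({
            "project": settings["issueproject"],
            "category": feed.get("category", settings["issuedefaultcat"]),  # feed overrides default
            "handler": settings["issueassign"],
            "summary": f"[{feed['name']}] {item.findtext('title')}",
            "description": f"{item.findtext('description')}\n{item.findtext('link')}",
        })
    return issues, {**status, feed["name"]: now}
```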

With the example configuration, the script isn't very useful. You need to put in an RSS feed that makes sense for what you want to monitor, for example:

https://nvd.nist.gov/download/nvd-rss.xml

Another useful website to find CVEs is:

http://www.cvedetails.com/

You can query for specific vendors or products. With some creativity you can also make RSS feeds out of these, for example for OpenSSH:

http://www.cvedetails.com/vulnerability-feed.php?vendor_id=97&product_id=585&version_id=0&orderby=3&cvssscoremin=0

2015/03/25

There is an update for the script; please check the following article:

rss2mantis script update