Releases: Vulnerator/Vulnerator

v7.0.0alpha1

17 Aug 20:36
51109db

Pre-release

This is the first of a series of "pre-releases" for the next version of the application, and it is a major one (hence the change from v6.x to 7.x)! Here's a list of the major changes:

  • Data Persistence: Databases now maintain vulnerability data between runs, updating the data as you ingest newer files. You also have the option at startup to designate Vulnerator to run "Portably", which automatically places the database in the application's executing folder for easy cleanup. "Persistent" databases can be placed on a (secure!) shared network location to allow team access and collaboration.
  • Completely redesigned UI: This is to allow for future growth with regards to new file formats for ingestion, reports, and (hopefully) RMF documentation for all of your accreditations. It also just looks better.
  • Completely redesigned database: Again, this is all about making the application more extensible in the future. It also provides better granularity, breaking out items like Ports and Protocols and Software to make them easier to manage and review (and allowing for future reports around these items, as well).
  • Updated reports: Items like the Navy RAR and eMASS Importable POA&M have been updated to the latest version, and the STIG Discrepancies report has been cleaned up to actually work again. Some reports are missing, but they should be back in play by the production release. Reporting has been overhauled as well to (hopefully) provide a better experience.
  • Mitigations & RMF Fields: You now have the option to add a hardware item to multiple groups of your choosing and create "tiered" mitigation statements. You can also provide group-level RMF details (e.g. "Impact") on a per-plugin / per-STIG basis, then have your POA&M / RAR populate with those details to save you time.
    • NOTE: Group Tiers are inverted - "Level 1" tiers are at the top, with each number higher being "beneath" the tier before it. These tier levels are used to order your mitigation statements to help you create "defense in depth" mitigations more easily across your various environments.

Please take note that this is a pre-release version, so it still has some bugs. Want to help? Please feel free to put Vulnerator through its paces; if you encounter a bug, create a new issue ticket, and @amkuchta will work it as quickly as possible!

Download Instructions

To download the compiled version of the software, please select the file named "Vulnerator_v7-0-0alpha1.zip" below. If you are interested in viewing the source, please feel free to download the source file that best suits your needs (or create your own branch or fork - even better!).

Checksum (Hash) Information

  • MD5: 25A6E3CE641059F3AE65B34E7E0C4D84
  • SHA256: 5CC8B717742E2EAFA346E0B1B382BF2FAC30D5552950D9EB2808B745AC0A6444

Should you come across any bugs, please feel free to create a new item in the Issue Tracker!

Vulnerator v6.1.9

11 Apr 16:35

In the latest release, bug fixes are abundant - six, in total! A few highlights are that the pesky "Unreadable Content" error in Excel is now gone (#7), and some additional XCCDF statuses ("error" and "informational") are now reported as such (the remaining XCCDF statuses are also handled properly now, as noted in #66). For a full list of changes, please check out the Wiki Change Log page!

Outside of actual code, some recent changes also occurred on GitHub with respect to Vulnerator. Vulnerator is now considered an "Organization" (it used to be a user), which translates into a few security-related things:

  • The "Vulnerator" account no longer exists, which means it cannot be logged into - one less possible attack vector
  • The "Vulnerator" organization currently has three members, and only these members can approve merges of code into the "Vulnerator" repository. These members are also required to use two-factor authentication (2FA) to log into GitHub, providing an extra layer of security for the code.
    • 2FA is provided either via SMS (text message) or using the Google Authenticator app (think RSA token) - either way, the user is required to have their phone on them
  • The master branch of the "Vulnerator" repository is now a "protected" branch, which ensures the branch:
    • Can't be deleted
    • Can't be force pushed
    • Can't have changes merged until required reviews are approved
    • Can't be edited or have files uploaded from the web

Looking forward, @amkuchta has been hard at work getting ready for v6.2.0, which will see a bevy of new features and some slick user interface enhancements. Items that are planned for v6.2.0 can be tracked via the v6.2.0 Project Page.

Download Instructions

To download the compiled version of the software, please select the file named "Vulnerator_v6-1-9.zip" below. If you are interested in viewing the source, please feel free to download the source file that best suits your needs (or create your own branch or fork - even better!).

Checksum (Hash) Information

  • MD5: E0B5F39CCB376D98FE7C75D531FA376C
  • SHA256: 6F1FCD29B0BE61BF8B135F7256ABF51CC7A34FBDD767A1AEF765B6CD77EA74CB

Should you come across any bugs, please feel free to create a new item in the Issue Tracker!

Vulnerator v6.1.8

07 Mar 21:58

This is a super minor update to modify how findings that have been marked as "Not a Finding" in Fortify are parsed in Vulnerator - prior to this update, no handling occurred, but now they are conveniently marked as "Completed" in all tabs!

For a full list of updates, head over to the Wiki and check out the Change Log!

Download Instructions

To download the compiled version of the software, please select the file named "Vulnerator_v6-1-8.zip" below. If you are interested in viewing the source, please feel free to download the source file that best suits your needs (or create your own branch or fork - even better!).

Checksum (Hash) Information

  • MD5: 138C976BB84CC16C567ADC822ED170E0
  • SHA256: 1F5BCB11656582AE54C4EEE95B95005704C0467A04104BF48D02A3FCC6BC6BF0

Should you come across any bugs, please feel free to create a new item in the Issue Tracker!

Vulnerator v6.1.7

05 Jan 20:33

Found another small error in how FPR files are processed with regards to reporting AS&D STIG references! This should be the last one, and I apologize and thank you for your patience! v6.1.6 has been marked as "Obsolete" in the change log. As a side note, it is worth mentioning that large (10MB+) FPR files take a bit to process - this is due to the way that they are designed and the fact that Vulnerator has to do a lot of replacement on the back end as it writes items - after you launch the application, please be patient; I promise that it is just thinking, and that I will work on trying to find a more efficient way to read the data!

For a full list of updates, check out the included change log file (or head over to the Wiki and check it out there!)

Download Instructions

To download the compiled version of the software, please select the file named "Vulnerator_v6-1-7.zip" below. If you are interested in viewing the source, please feel free to download the source file that best suits your needs (or create your own branch or fork - even better!).

Checksum (Hash) Information

  • MD5: D2BCAFE0037E336220127CEB060391DA
  • SHA256: 0C95106C7C0686E7EDD8A96A63DC522921690C3217A52928F9DD9017D2BE7427

Should you come across any bugs, please feel free to create a new item in the Issue Tracker!

Vulnerator v6.1.6

04 Jan 17:37

Courtesy of @helms-rj, a bug was found during HP Fortify processing due to variances in XML file structure - this release corrects that issue. Additionally, v6.1.5 has been marked as "Obsolete" in the change log.

For a full list of updates, check out the included change log file (or head over to the Wiki and check it out there!)

Download Instructions

To download the compiled version of the software, please select the file named "Vulnerator_v6-1-6.zip" below. If you are interested in viewing the source, please feel free to download the source file that best suits your needs (or create your own branch or fork - even better!).

Checksum (Hash) Information

  • MD5: A31B2E805B80DAFB10393D2F9A64AACD
  • SHA256: 2246F092F792BD53BDFC5E7C0EB1AF9DF682879D429D5A2FDA7753E589357AA8

Should you come across any bugs, please feel free to create a new item in the Issue Tracker!

Vulnerator v6.1.5

03 Jan 14:45

To ring in the new year, Vulnerator is getting a minor update to incorporate a single new feature that has been requested several times:

  • #35: Vulnerator now has the ability to ingest HP Fortify *.fpr files and parse them into the RAR, POA&M, and a "Fortify Details" report
    • Note: Only findings that are linked back to an AS&D STIG finding report a severity, which happens to be the STIG severity associated with that finding. The Fortify software uses a floating system to determine its severity rating based on a few key determiners, which I am unaware of. Without this knowledge, I cannot reproduce the result
  • Updates to the UI (literally just changed the button styling, because why not?)

For a full list of updates, check out the included change log file (or head over to the Wiki and check it out there!)

Download Instructions

To download the compiled version of the software, please select the file named "Vulnerator_v6-1-5.zip" below. If you are interested in viewing the source, please feel free to download the source file that best suits your needs (or create your own branch or fork - even better!).

Checksum (Hash) Information

  • MD5: EFF4C251D44F84E604096BE6D7CF7499
  • SHA256: A16EF00D5A38AD14BD7DB7C122FADD5469DA6A0CA4113A640A44F0AB5C43EF48

Should you come across any bugs, please feel free to create a new item in the Issue Tracker!

Vulnerator v6.1.4

26 Oct 12:57

A small update that addresses some concerns raised by v6.1.4 (and introduces some nifty UI enhancements):

A few key updates:

  • #61: Consolidated CKL files were only showing the first STIG name of the bunch - this update corrects that issue, ensuring that all STIG names are pulled from the file (as long as they are created by STIG Viewer v2.x+)
  • #62: In accordance with DoD / RMFKS guidance that the RAR be only a document of non-compliant security controls, the report has been updated to only show those findings that are "Ongoing". All findings will still remain on the other reports ("POA&M", "ACAS Output", "STIG Details")
  • User Interface Enhancements: To make items easier to find, I have shuffled some links around and added a new one:
    • The "Project Page", "Repository", and "Wiki" links are no longer in the "About" Flyout - instead, I have moved these to the Title Bar as links in the form of clickable icons. "Issues" now has its own link as well, making it that much easier to report a bug or request an enhancement.
    • I have also added a "Version" indicator at the bottom right-hand corner of the window - if you are on the latest version, it will say so. If there is an update available, it will let you know, provide the number, and give you a button that takes you straight to the download page. Obviously, this requires an internet connection that allows access to GitHub to work.

[Screenshots: "Updated Title Bar", "Latest Version Indicator", "Update Version with Button"]

  • Army CoN: I was recently alerted to the fact that the Army has issued a CoN for the Vulnerator Application - I will be including it in the download from now on. If you are on an Army network, this will be of great use to you. As for the other DoD Components, this may provide you with some leverage to get it approved on your network, as well. Thank you to whoever got the application approved!

For a full list of updates, check out the included change log file (or head over to the Wiki and check it out there!)

Download Instructions

To download the compiled version of the software, please select the file named "Vulnerator_v6-1-4.zip" below. If you are interested in viewing the source, please feel free to download the source file that best suits your needs (or create your own branch or fork - even better!).

Checksum (Hash) Information

  • MD5: 761B835975967D32FD5791F8FA13B1E3
  • SHA256: 498AC4505D34CE459BF4987B59F7A8F8639898455B3ED11E8D4BEB8D3F60155A

As always, enjoy!

Vulnerator v6.1.3

24 Oct 17:41

This is a big one! Closing out 12 issues, this update provides enhanced functionality, report template updates, a new report, and additional "fall back" measures in the case of missing data. This update does not do too much on the back-end side of the project, so reliability and performance are much the same (read: awesome).

A few key updates:

  • RAR: The RAR Template has been updated to use the DoN RMF format; this format was chosen because it contains all fields required to satisfy DoD requirements as well as a few needed specifically for the DoN. By going with the template that requires the most information, I am ensuring reciprocity requirements are met.
  • Test Plan: In response to a popular request, v6.1.3 now includes a Test Plan report, which generates a 1:1 mapping of asset to file. Every time an asset is found in a STIG checklist, XCCDF output, or ACAS result, an entry will be created in the Test Plan to map the data for you (including Nessus scanner and plugin feed version along with CKL / XCCDF version and release information)
  • DIACAP-to-RMF Auto-Convert: Due to the fact that not all STIG checklists and benchmarks have been updated to contain CCI information yet, this update will auto convert any DIACAP IACs to NIST SP 800-53 controls instead of leaving a blank entry. In turn, this will reduce the amount of workload on analysts to hand-map items back to their respective controls.

For a full list of updates, check out the included change log file (or head over to the Wiki and check it out there!)

Download Instructions

To download the compiled version of the software, please select the file named "Vulnerator_v6-1-3.zip" below. If you are interested in viewing the source, please feel free to download the source file that best suits your needs (or create your own branch or fork - even better!).

Checksum (Hash) Information

  • MD5: 22D0942F4FCFEAF06677B3611A2CD5F0
  • SHA256: 0BA67D4B8F0D4490F7B0FF7FF00F71F312569360D67149F01D7604160336245D

As always, enjoy!

Vulnerator v6.1.2

17 Aug 19:19

Time for another release! This one comes with few aesthetic changes, but plenty of "behind the scenes" goodness that helps the developers help you! Additionally, with a severe lessening of bugs being reported, the decision has been made to move the application out of "beta" and into general availability. This is the first stable build, and any builds from here on out marked "beta" will be for any testers who would like to try out new features.

A few key notes:

  • Logging: Logging has been enhanced using the Apache "log4net" library - this will provide a vast improvement over the current, "home-grown" solution, which will aid with troubleshooting as issues arise.
  • No More MAC: All references to the "MAC Level" of a group or system have been removed - RMF is a-comin', and this update further acknowledges that fact.
  • CKL "Release" Data: Updates have been made to improve how the application handles the "release" information of a CKL file generated via STIG Viewer 2.x.

For a full list of updates, check out the included change log file (or head over to the Wiki and check it out there!)

Download Instructions

To download the compiled version of the software, please select the file named "Vulnerator_v6-1-2.zip" below. If you are interested in viewing the source, please feel free to download the source file that best suits your needs (or create your own branch or fork - even better!).

Checksum (Hash) Information

  • MD5: CE62A7A537729A5821956C2C2378F886
  • SHA256: 7110B53AEE8ED6F45586AD002B77886BCDCC9811E2175E1C011A1DC9E038CA60

As always, enjoy!

Vulnerator v6.1.1 Beta

03 Jun 23:03

A number of changes later (some aesthetic, some behind the scenes), and the latest version is up! This is an extremely exciting release, as it is the first version to be publicly advertised on GitHub! But enough sentimentality, let's get into what's new!

  • Update to .NET 4.5.2: .NET 4.0 recently reached end-of-life, and the DoD has finally gotten on board with upgrading - it's about time that we did, too!
  • News Feed: Vulnerator now has a "news" button in the title bar that allows you to quickly and easily view the latest information about Vulnerator's releases and issues. It does, however, require an internet connection to function properly (sorry, standalones!)
  • STIG Mitigation Selection: Now you can decide where to pull STIG mitigations from ("Comments" or "Finding Details")
  • STIG Details Report: A quick, easy way to review STIG checklists

These are just a few of the more noteworthy items - be sure to check out the change log included in the download file for a full list of fixes and features.

Download Instructions

To download the compiled version of the software, please select the file named "Vulnerator_v6-1-1_Beta.zip" below. If you are interested in viewing the source, please feel free to download the source file that best suits your needs (or create your own branch or fork - even better!).

Checksum (Hash) Information

  • MD5: 9df1d38166bbbefe7ab673993f704d81
  • SHA256: 47f2d2a843913f23f39cca4b08096563986c60c5e1da6baad9cd2549f4a3d6ed
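
Every release above posts an MD5 and a SHA256 for its zip, but none of the notes show the check itself. The script below is an added example, not code from the Vulnerator project: it streams the downloaded archive through SHA256 and compares the result with the value posted for that release (archive names and digests are copied from the notes above; the script file name verify_release.py is an assumption).

```python
import hashlib
import hmac

# SHA256 values copied from the release notes on this page, keyed by archive name.
PUBLISHED_SHA256 = {
    "Vulnerator_v7-0-0alpha1.zip": "5CC8B717742E2EAFA346E0B1B382BF2FAC30D5552950D9EB2808B745AC0A6444",
    "Vulnerator_v6-1-9.zip": "6F1FCD29B0BE61BF8B135F7256ABF51CC7A34FBDD767A1AEF765B6CD77EA74CB",
    "Vulnerator_v6-1-8.zip": "1F5BCB11656582AE54C4EEE95B95005704C0467A04104BF48D02A3FCC6BC6BF0",
    "Vulnerator_v6-1-7.zip": "0C95106C7C0686E7EDD8A96A63DC522921690C3217A52928F9DD9017D2BE7427",
    "Vulnerator_v6-1-6.zip": "2246F092F792BD53BDFC5E7C0EB1AF9DF682879D429D5A2FDA7753E589357AA8",
    "Vulnerator_v6-1-5.zip": "A16EF00D5A38AD14BD7DB7C122FADD5469DA6A0CA4113A640A44F0AB5C43EF48",
    "Vulnerator_v6-1-4.zip": "498AC4505D34CE459BF4987B59F7A8F8639898455B3ED11E8D4BEB8D3F60155A",
    "Vulnerator_v6-1-3.zip": "0BA67D4B8F0D4490F7B0FF7FF00F71F312569360D67149F01D7604160336245D",
    "Vulnerator_v6-1-2.zip": "7110B53AEE8ED6F45586AD002B77886BCDCC9811E2175E1C011A1DC9E038CA60",
    "Vulnerator_v6-1-1_Beta.zip": "47f2d2a843913f23f39cca4b08096563986c60c5e1da6baad9cd2549f4a3d6ed",
}


def digest_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of an in-memory byte string."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Stream the archive through the hash so a large zip is never read into memory whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches(actual_hex: str, expected_hex: str) -> bool:
    """Case-insensitive, constant-time comparison: the page posts most values in
    uppercase while hexdigest() returns lowercase, and a truncated paste must fail."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def verify_archive(path: str, archive_name: str) -> bool:
    """True only if the file at `path` hashes to the SHA256 posted for `archive_name`."""
    expected = PUBLISHED_SHA256.get(archive_name)
    if expected is None:
        raise KeyError(f"no published SHA256 for {archive_name!r}")
    return matches(digest_file(path), expected)


if __name__ == "__main__":
    import sys
    # Usage: python verify_release.py Vulnerator_v6-1-9.zip [path/to/downloaded.zip]
    name = sys.argv[1]
    path = sys.argv[2] if len(sys.argv) > 2 else name
    ok = verify_archive(path, name)
    print(("OK: " if ok else "MISMATCH, do not run: ") + name)
    sys.exit(0 if ok else 1)
```

Check the SHA256 rather than the MD5: MD5 is no longer collision-resistant, so a matching MD5 on its own is weak evidence that the archive is the one the maintainer posted.
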

Pre-Release Note

Although this has been tagged as a "pre-release" beta, this is not due to bugs or a lack of production readiness. Given the recent changes made for this version, this is by far the most capable and stable subversion of 6.x yet. The pre-release marking is due to the fact that some features are not finalized, as demonstrated by the disabled controls - as these features are finalized, the project will move into full maturity.

Enjoy!