Nautobot Device Lifecycle Management – NIST CVE Tracking

Brandon Minnix

May 8, 2025

Application: Nautobot Device Lifecycle Management Application

Application Version: Upgrade to Version 3.1.0

Feature: Automated NIST CVE Tracking for Software Versions

Acronyms:

CVE – Common Vulnerability and Exposures

DLM – Device Lifecycle Management Application

NIST – National Institute of Standards and Technology

NVD – National Vulnerability Database

What:

The Automated NIST CVE Tracking for Software Version feature is designed to help network teams enhance security vulnerability visibility. It automatically identifies and associates vulnerabilities with known software versions in Nautobot, saving time and improving efficiency.

Why:
Managing infrastructure with diverse equipment types means frequently dealing with software vulnerabilities. Vendors often provide email notifications for these vulnerabilities, but managing them can become cumbersome, especially with multiple platforms and versions. This complexity increases with more vendors, turning CVE tracking into a full-time job.

Currently, Nautobot’s Device Lifecycle Management app (DLM) offers CVE Object Tracking, but it requires the following manual steps:

1. Awareness of the CVE.

2. Manual entry of CVE data into DLM.

3. Associating the CVE with the relevant software.

This manual process contributes to technical security debt, as most organizations do not closely track CVEs, leaving many systems with known untracked vulnerabilities that could be leaving the infrastructure at risk.

Automated NIST CVE Tracking:

The new feature searches the NIST National Vulnerability Database, a unified source for CVE tracking that is regularly updated by software and hardware vendors. The DLM search checks the database for CVE entries associated with each software contained in Nautobot Software Versions. If there are any CVE entries associated with a software object, it ensures that the latest known version of the CVE data exists in Nautobot and that the Nautobot CVE Object is associated with the relevant Software.

Manually tracking and associating CVEs with the correct software can lead to oversights, especially as new vulnerabilities are reported. This Nautobot job searches the NIST NVD, automatically identifies the relevant CVEs, and ensures that they are properly recorded and linked to the appropriate software versions. By automating this process, it eliminates the risk of missing critical associations which open the network to attack, while saving engineers time and effort.

How:

During the installation of the 3.1.0 version (and beyond) of the Device Lifecycle Management Application, the following objects are created for you:

– A new External Integration object named “NAUTOBOT DLM NIST EXTERNAL INTEGRATION”.

– A new Secrets Group object named “NAUTOBOT DLM NIST SECRETS GROUP”.

– A new Secret object named “NAUTOBOT DLM NIST API KEY”. This object is created for you during setup with minimum defaults. The Secret name must be exactly as above, but you will need to configure the Secret to properly access the NIST API Key.

To gain an API key, the user must visit https://nvd.nist.gov/developers/request-an-api-key, complete, and submit the form provided.

The job will need to be enabled, and can then be scheduled or ran manually and will perform the following steps in order:

– Obtain a full list of SoftwareVersion objects stored in Nautobot
– Gather the URL(s) for the SoftwareVersion. These URLs are generated using the nist.py module located in the NTC Netutils library.
– With the gathered URL(s), query the NIST CVE Database for vulnerabilities related to the NIST API virtualMatchString parameter.

– Use the data obtained to create or update all CVE objects in Nautobot and ensure they are associated with the proper SoftwareVersion(s).

NOTE: When running the job, you will be given the option to select the External Integration to use. You may select the NAUTOBOT DLM NIST EXTERNAL INTEGRATION object created during setup, or you may create your own External Integration and select it. Either way, the Integration must be configured to use the “NAUTOBOT DLM NIST SECRETS GROUP” object created during setup, and the “NAUTOBOT DLM NIST API KEY” Secret object (although possibly modified to meet your specific needs).

WorkFlow (Before and After):

SCREENSHOTS:

See Job in Jobs:

Select External Integration:

Job Results:

View of CVE created by the job:

Tags :

lifecycle nautobot-app risk-reduction security ssot

Contact Us to Learn More

Share details about yourself & someone from our team will reach out to you ASAP!

Name

Email*

Company name

Title*

Number of Employees*

Number of Devices*

Reason for Inquiry*

How did you hear about us?*

What Podcast?

What Conference/Event?

Webinar Topic/Title*

Message*

Nerizzler

Thanks for submitting the form.

Author

Chiara Geronzi

View all posts

Cookie	Duration	Description
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
__hstc	5 months 27 days	Hubspot set this main cookie for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_gat_gtag_UA_*	1 minute	Google Analytics sets this cookie to store a unique user ID.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
hubspotutk	5 months 27 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.

Cookie	Duration	Description
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Nautobot Device Lifecycle Management – NIST CVE Tracking

Automated NIST CVE Tracking:

WorkFlow (Before and After):