Builds Flask-based vulnerability exception tracking system with approval workflows, compensating controls, expiration management, and audit logging using PostgreSQL/SQLite. For vulnerability management compliance.
npx claudepluginhub killvxk/cybersecurity-skills-zh
The vulnerability exception tracking system manages vulnerabilities that cannot be remediated within the SLA timeline. It provides a structured workflow for requesting an exception, documenting compensating controls, obtaining risk-acceptance approval, and automatically invalidating the exception when its validity period ends. This keeps accepted risk visible to the organization while supporting compliance with frameworks such as PCI DSS, SOC 2 and NIST CSF.
Dependencies: flask, sqlalchemy, requests, jinja2

| Category | Description | Maximum duration | Approval level |
|---|---|---|---|
| Remediation delay | Patch available but deployment is blocked | 30 days | Team lead + security team |
| No fix available | Vendor has not yet released a patch | 90 days | Security director |
| Business critical | Patching the system would cause downtime | 60 days | VP Engineering + CISO |
| False positive | Finding is not a real vulnerability | Permanent | Security analyst |
| Compensating control | Alternative mitigation has been deployed | 180 days | Security architect |
```python
exception_schema = {
    "cve_id": "CVE-2024-XXXX",
    "finding_id": "unique-finding-reference",
    "asset_hostname": "prod-db-01.corp.local",
    "severity": "high",
    "cvss_score": 8.1,
    "category": "remediation_delay",
    "justification": "数据库升级完成前无法应用补丁",
    "compensating_controls": [
        "已部署封锁利用模式的 WAF 规则",
        "网络分段仅允许受信任 VLAN 访问",
        "通过 Splunk 告警对利用指标进行增强监控",
    ],
    "requested_expiration": "2024-06-15",
    "requestor_email": "dbadmin@company.com",
    "approver_emails": ["security-lead@company.com", "ciso@company.com"],
    "risk_rating": "medium",
}
```
```sql
CREATE TABLE vulnerability_exceptions (
    id SERIAL PRIMARY KEY,
    cve_id VARCHAR(20) NOT NULL,
    finding_id VARCHAR(100) NOT NULL,
    asset_hostname VARCHAR(255),
    severity VARCHAR(20),
    cvss_score DECIMAL(3,1),
    category VARCHAR(50) NOT NULL,
    justification TEXT NOT NULL,
    compensating_controls TEXT,
    status VARCHAR(20) DEFAULT 'pending',
    requested_by VARCHAR(255) NOT NULL,
    approved_by VARCHAR(255),
    requested_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    approved_at TIMESTAMP,
    expires_at TIMESTAMP NOT NULL,
    expired BOOLEAN DEFAULT FALSE,
    risk_rating VARCHAR(20),
    review_notes TEXT,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);

CREATE TABLE exception_audit_log (
    id SERIAL PRIMARY KEY,
    exception_id INTEGER REFERENCES vulnerability_exceptions(id),
    action VARCHAR(50) NOT NULL,
    actor VARCHAR(255) NOT NULL,
    details TEXT,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);

CREATE INDEX idx_exception_status ON vulnerability_exceptions(status);
CREATE INDEX idx_exception_expires ON vulnerability_exceptions(expires_at);
CREATE INDEX idx_exception_cve ON vulnerability_exceptions(cve_id);
```
```python
from flask import Flask, request, jsonify
from datetime import datetime, timedelta, timezone

app = Flask(__name__)

# Maximum exception lifetime per category, in days (see the category table above)
MAX_DAYS = {"remediation_delay": 30, "no_fix": 90, "business_critical": 60,
            "false_positive": 365, "compensating_control": 180}


@app.route("/api/exceptions", methods=["POST"])
def create_exception():
    data = request.get_json(silent=True) or {}
    required = ["cve_id", "finding_id", "category", "justification", "expires_at", "requestor_email"]
    for field in required:
        if field not in data:
            return jsonify({"error": f"Missing required field: {field}"}), 400
    category = data["category"]
    if category not in MAX_DAYS:
        return jsonify({"error": f"Unknown category: {category}"}), 400
    # Validate that the requested expiration does not exceed the category maximum
    try:
        expires_at = datetime.fromisoformat(data["expires_at"])
    except (TypeError, ValueError):
        return jsonify({"error": "expires_at must be an ISO 8601 date"}), 400
    if expires_at.tzinfo is None:
        expires_at = expires_at.replace(tzinfo=timezone.utc)
    now = datetime.now(timezone.utc)
    if expires_at <= now or expires_at > now + timedelta(days=MAX_DAYS[category]):
        return jsonify({"error": f"expires_at must fall within the next {MAX_DAYS[category]} days"}), 400
    # Insert into the database and notify the approvers
    return jsonify({"status": "pending", "id": "exc-12345"})


@app.route("/api/exceptions/<exc_id>/approve", methods=["POST"])
def approve_exception(exc_id):
    data = request.get_json(silent=True) or {}
    approver = data.get("approver_email")
    notes = data.get("notes", "")
    if not approver:
        return jsonify({"error": "Missing required field: approver_email"}), 400
    # Set status to approved, record the approver and the approval timestamp
    return jsonify({"status": "approved"})


@app.route("/api/exceptions/<exc_id>/reject", methods=["POST"])
def reject_exception(exc_id):
    data = request.get_json(silent=True) or {}
    reviewer = data.get("reviewer_email")
    reason = data.get("reason")
    if not reviewer or not reason:
        return jsonify({"error": "reviewer_email and reason are required"}), 400
    # Set status to rejected, record the reviewer and the rejection reason
    return jsonify({"status": "rejected"})
```
```bash
# Daily check for expired exceptions
python3 scripts/process.py --check-expirations

# Generate the monthly exception report
python3 scripts/process.py --report --output exception_report.json
```
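The `--check-expirations` job described above, as an added example that is not the skill's own `scripts/process.py`. It assumes a hypothetical SQLite port of the schema (SERIAL becomes INTEGER PRIMARY KEY, trimmed to the columns the job touches), expires approved exceptions whose date has passed, and writes one audit row per transition; constructed sample rows are embedded in `demo()`.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Hypothetical SQLite port of the page's schema, trimmed to the columns the job uses
SCHEMA = """
CREATE TABLE vulnerability_exceptions (
    id INTEGER PRIMARY KEY AUTOINCREMENT, cve_id TEXT NOT NULL,
    category TEXT NOT NULL, status TEXT DEFAULT 'pending',
    expires_at TIMESTAMP NOT NULL, expired BOOLEAN DEFAULT 0);
CREATE TABLE exception_audit_log (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    exception_id INTEGER REFERENCES vulnerability_exceptions(id),
    action TEXT NOT NULL, actor TEXT NOT NULL, details TEXT,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP);
"""


def process_expirations(conn, now, actor="scheduler"):
    """Flip approved exceptions whose expires_at has passed to 'expired' and write
    one audit row each. Timestamps are ISO 8601 strings, so <= compares lexically."""
    rows = conn.execute(
        "SELECT id, cve_id FROM vulnerability_exceptions "
        "WHERE status = 'approved' AND expired = 0 AND expires_at <= ?",
        (now.isoformat(),)).fetchall()
    for exc_id, cve_id in rows:
        conn.execute("UPDATE vulnerability_exceptions SET status = 'expired', expired = 1 "
                     "WHERE id = ?", (exc_id,))
        conn.execute("INSERT INTO exception_audit_log (exception_id, action, actor, details) "
                     "VALUES (?, 'expired', ?, ?)",
                     (exc_id, actor, f"{cve_id}: risk acceptance lapsed at {now.isoformat()}"))
    conn.commit()
    return [r[0] for r in rows]


def demo(now=datetime(2024, 7, 1, tzinfo=timezone.utc)):
    """Constructed sample data: one lapsed approval, one still-valid approval, and one
    pending request past its date (left untouched: it was never accepted)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    samples = [("CVE-2024-0001", "remediation_delay", "approved", now - timedelta(days=16)),
               ("CVE-2024-0002", "no_fix", "approved", now + timedelta(days=30)),
               ("CVE-2024-0003", "business_critical", "pending", now - timedelta(days=1))]
    conn.executemany("INSERT INTO vulnerability_exceptions (cve_id, category, status, expires_at) "
                     "VALUES (?, ?, ?, ?)", [(c, k, s, e.isoformat()) for c, k, s, e in samples])
    expired = process_expirations(conn, now)
    audit = conn.execute("SELECT exception_id, action FROM exception_audit_log").fetchall()
    return expired, audit
```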
Compensating controls for each exception must cover the following areas: