Skip to content

Deployment & Setup

Tip

The easiest way to run OpenCVE is to use OpenCVE Cloud (no installation, configuration or maintenance needed).

You can install the complete OpenCVE stack with Docker. It will contain all the services you need to run OpenCVE (Django webserver, Airflow services, Redis, PostgreSQL).

Requirements

You need to have your server installed with Debian OS or equivalent, Docker v25.0.x at least and the docker-compose plugin.

The procedure is run as root and has been tested with Debian 11 and Debian 12.

The minimum requirement for the host is 4 cores and 4 Go RAM, the disk usage will be around 25Go or 30Go. The instance d2-8 from OVHcloud is a good fit to start.

Installation

Clone the OpenCVE repository and go into the docker/ directory.

Then run the install.sh script:

./install.sh

It will prepare your environment and run all the services needed by OpenCVE.

Info

The script will configure your OpenCVE instance with default settings. If you want to customize them you can:

  1. run the ./install.sh prepare command, it will prepare the configuration files for you (you just have to launch it once)
  2. customize your settings
  3. run the ./install.sh start command to start all the components

List of Commands

You can run dedicated commands of the install.sh script if you want to proceed step by step:

 add-config-files   : Add default configurations files
 start-docker-stack : Start docker compose stack
 clone-repositories : Clone KB repositories
 import-opencve-kb  : Import OpenCVE KB inside local database
 start-opencve-dag  : Unpause OpenCVE Dag in Airflow

add-config-files

This command initialize the default configuration files.

./install.sh add-config-files
--> Adding airflow config file
--> Adding Django settings file
--> Copying .env file for docker compose
--> Copying opencve.conf.template for Nginx

/!\ Don't forget to update the .env and settings.py files with your inputs before starting the docker compose stack:

Docker .env: ./.env
Webserver .env: ../web/opencve/conf/.env
Django settings: ../web/opencve/conf/settings.py
Airflow settings: ../scheduler/airflow.cfg

Note

You can refer to the configuration section of this documentation to customize OpenCVE settings.

set-airflow-start-date

This command is used to setup the start day at today inside the Airflow configuration file, it needs to be done before starting the stack:

./install.sh set-airflow-start-date
--> Configuring start_start in Airflow configuration file for today
start_date = 2024-04-02

start-docker-stack

This command is used to bootstrap the whole OpenCVE stack.

It will create the containers, add the airflow connections, collect the web static files, update the OPENCVE_SECRET_KEY and create the needed database tables and procedures:

./install.sh start-docker-stack
--> Get PG ENV variables from docker compose env file
--> Starting Docker compose stack
[...]
--> Adding Airflow connections
[...]
--> Updating OpenCVE secret key
[...]
--> Restarting webserver
[...]
--> Collecting static files from Django webserver
[...]

You can check if the docker instances are running correctly:

docker ps
CONTAINER ID   IMAGE                       COMMAND                  CREATED         STATUS                   PORTS                    NAMES
c05be1dcd8a5   opencve-airflow-webserver   "/usr/bin/dumb-init …"   9 minutes ago   Up 7 minutes (healthy)   0.0.0.0:8080->8080/tcp   airflow-webserver
45dde77ffdd7   opencve-airflow-worker      "/usr/bin/dumb-init …"   9 minutes ago   Up 7 minutes (healthy)   8080/tcp                 airflow-worker
08302ce6d0f7   opencve-airflow-scheduler   "/usr/bin/dumb-init …"   9 minutes ago   Up 7 minutes (healthy)   8080/tcp                 airflow-scheduler
041ad3546c46   opencve-webserver           "gunicorn opencve.ws…"   9 minutes ago   Up 9 minutes             8000/tcp                 webserver
5e0d20559b01   nginx:bookworm              "/docker-entrypoint.…"   9 minutes ago   Up 9 minutes             0.0.0.0:80->80/tcp       nginx
b91f0cda0c40   redis/redis-stack:latest    "/entrypoint.sh"         9 minutes ago   Up 9 minutes (healthy)   6379/tcp, 8001/tcp       redis
2be9eeed7d6c   postgres:15                 "docker-entrypoint.s…"   9 minutes ago   Up 9 minutes (healthy)   5432/tcp                 postgres

clone-repositories

This command is used to clone the repositories needed for opencve to work:

./install.sh clone-repositories
--> Cloning OpenCVE needed repositories
Cloning into '/home/airflow/repositories/opencve-kb'...
[...]
Cloning into '/home/airflow/repositories/opencve-nvd'...
[...]
Cloning into '/home/airflow/repositories/opencve-redhat'...
[...]
Cloning into '/home/airflow/repositories/cvelistV5'...
[...]
Cloning into '/home/airflow/repositories/vulnrichment'...
[...]

You can now reach OpenCVE web portal at your configured IP/FQDN on the port 80 and the Airflow webserver on the port 8080.

create-superuser

This command creates the superuser needed to access to the admin part of your OpenCVE website:

$ ./install.sh create-superuser
--> Creating superuser on OpenCVE
Username: xxx
Email address: xxx
Password:
Password (again):
Superuser created successfully.
--> Get PG ENV variables from docker compose env file
--> Confirm the new user
INSERT 0 1

import-opencve-kb

This command imports the OpenCVE KB in your database:

./install.sh import-opencve-kb
--> Importing OpenCVE KB inside the database, this can take 15 to 30min.
Parsing the OpenCVE KB repository (/app/repositories/opencve-kb)
Found 260248 CVEs, adding them in database...
Done in 768.394s

start-opencve-dag

This command unpauses the main DAG so Airflow can execute the opencve workflow:

./install.sh start-opencve-dag
--> Unpausing the dag
Dag: opencve, paused: False

Configuration

docker/.env

We recommend to verify and update your docker . env file. It's advised to change the following variables:

  • POSTGRES_PASSWORD
  • _AIRFLOW_WWW_USER_USERNAME
  • _AIRFLOW_WWW_USER_PASSWORD
  • AIRFLOW__CORE__FERNET_KEY

Warning

You need to set the above env variables before starting OpenCVE stack as they are configured at the first run of docker compose.

To customize the fernet key: how to generate a new fernet key.

web/opencve/conf/.env

This file is dedicated to the OpenCVE webserver. You can find these among others:

  • OPENCVE_DATABASE_URL: you need to update it if you have changed some of the postgresql parameters in the docker compose env file. The postgresql connection parameters need to be the same in both web and docker compose .env files.
  • OPENCVE_SECRET_KEY: this variable has to be replaced with a new secret when the web server is up the first time, it's done later in this installation.

web/opencve/conf/settings.py

This files is used to override the Django default settings defined in web/opencve/conf/base.py.

Tip

You can check the list of Django settings here to customize your OpenCVE instance.

You may need to change the email settings to use you own smtp relay, otherwise the emails are displayed in the webserver logs.

To specify your smtp, add the following lines inside the settings.py file:

# Email backend
EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend"

EMAIL_HOST = "smtp.example.com"
EMAIL_HOST_USER = "user"
EMAIL_HOST_PASSWORD = "password"
EMAIL_PORT = 587
EMAIL_USE_TLS = True

DEFAULT_FROM_EMAIL = "OpenCVE.dev <no-reply@example.com>"

If you keep the default email backend (i.e django.core.mail.backends.console.EmailBackend), you can consult the emails that would be sent in the logs of the webserver container like this:

docker logs webserver

scheduler/airflow.cfg

This file is used to configure the Airflow scheduler of OpenCVE.

Tip

You can check the list of Airflow configurations here to customize your Airflow instance.

You may want to customize the following parameters in the Airflow configuration file:

# The base URL of the OpenCVE webserver
web_base_url = <your_listening_ip or fqdn>

# The SMTP server used to send the email notifications
notification_smtp_host = smtp.example.com
notification_smtp_user = user
notification_smtp_password = password
notification_smtp_mail_from = john@example.com
notification_smtp_port = 587
notification_smtp_use_tls = True
notification_smtp_validate_certs = True
notification_smtp_timeout = 30