Configuring Cisco Bug Search and Analytics
Cisco Bug Search and Analytics searches and analyzes bugs identified through Cisco Bug Search, helping you to mitigate risks and make well-considered upgrade and migration decisions. The software addresses a critical need in cybersecurity, streamlining bug and vulnerability analysis for Cisco products, saving time and providing valuable insights. This app is for Cisco users (CTOs and admins) who need efficient bug analysis and seek comprehensive solutions for cybersecurity.
Requirements
- Cisco Login (customers or partners) to access Cisco Bug Search.
- For JSON: the jq CLI tool, which is packaged for most Linux distributions; Windows builds are published by the jq project. Alternatively, you can use Notepad++ with a JSON Viewer plugin.
- For option B below: Excel to convert XLS to CSV.
- Splunk Enterprise (a free trial is sufficient) or Splunk Cloud Platform, Splunk versions 7.x/8.x/9.x on Windows and Linux platforms.
Installation and configuration
There are several ways to approach installing and configuring the app to work with your list of bugs, and you'll need to decide which option is right for you:
- Option A: Use a JSON download. This is the preferred method, as JSON has more fields, including the Create_Date field, which shows when a bug was introduced.
  - Option A1: Use the CLI. This is the recommended method and is fast.
  - Option A2: Use the UI. This method can fail if you have a large number of results on the page.
- Option B: Export the results to Excel and then convert them to CSV. Treat this as a fallback option, as the CSV export can be missing some important fields.
You can import several CSV and/or JSON files for various products and switch between them at any time using the "Source" dropdown in the Cisco Bug Search and Analytics app.
Retrieving the bug data can be tricky and can result in failures such as timeouts. It might be necessary to try this process several times. If you need further assistance, you can contact the app owner and author of this article through the app's Splunkbase page.
- Log into the Splunk platform and install the app by clicking on the dropdown list of Apps on the top left > Manage Apps > Install app from file. Alternatively, you can click Apps > Find more Apps.
- Log into Cisco Bug Search.
- Select your product or technology using Select from list on the right-hand side, e.g. Products > Security > Web Security. Do not apply any filters.
- Decide how you want to download and install your list of bugs. Option A uses a JSON download, which is a preferred method as JSON has more fields. Alternatively you can use Option B which exports the results to Excel and then converts them to CSV, however this should be considered as a fallback option as CSV export can be missing some important fields.
Option A - JSON download
For detailed guidance on exporting your bugs in JSON format, see Cisco Bug Search Analyzer: Adv. filtering, workarounds, vuln. stats, CVE search & inventory view.
- In a browser (Edge, Chrome, or Firefox) press the F12 key to open the Browser Developer Tools. This opens a new panel with several tabs. Click on the Network tab.
- In the Cisco Bug Search website, press the blue Search button. You'll see several new lines appearing in the Network tab of Developer Tools. Each line represents a web request.
- Take a note of the number of found bugs on the results page, for example, "3653 Results". You'll need to refer back to this number later.
- Decide how you want to download your JSON file. Option A1 uses the CLI, which is a recommended method and is faster. Alternatively, option A2 uses the UI, however this method can fail if you have a large number of results on the page.
Option A1 - Use the CLI
- Locate a line that looks like "search?pf=prdNm..." (the request to the /api/get/search endpoint).
- Right click on the line and choose Copy > Copy as cURL (bash). On Windows, Chrome and Edge offer two variants, Copy as cURL (cmd) and Copy as cURL (bash); pick the bash one. On Linux and macOS the menu item is simply Copy as cURL.
- Open a Bash terminal and paste the curl command from the clipboard. The copied command carries the request headers of your logged-in session, including your Cookie header, so treat it like a password: do not paste it into tickets, chat or shared scripts.
- Add an -o option with a target filename, for example -o WebSec_07.06.24.txt. By default curl prints the response body to the terminal; -o writes it to the named file instead.
- Modify the value of the URL parameter rpp (the page size) from the default of 20 to the number of found bugs you made a note of earlier, for example, 3653, so that a single request returns all results. The resulting URL should look similar to this:
https://bst.cloudapps.cisco.com/api/get/search?pf=prdNm&kw=*&bt=custV&sb=anfr&rpp=3653&pageNum=0&prdNam=Web%20Security&random=0.0123456789&observe=response
- Run the command, then use the jq command line tool to unwrap the results array and format the JSON (quote the filter so the shell does not treat the brackets as a glob):
jq '.bugSearchResults[]' WebSec_07.06.24.txt > WebSec_07.06.24.json
The resulting file must be named in the format [Product]_[Day.Month.Year].json, for example WebSec_07.06.24.json. This format is used to sort sources properly.
Option A2 - Use the UI
- Locate a line that looks like "search?pf=prdNm...".
- Right click on this line and choose Open in new tab.
- Switch to this new tab. You'll see a lot of text: these are your results in JSON format.
- In the address bar, modify the value of the URL parameter rpp (the page size) from the default of 20 to the number of found bugs you made a note of earlier, for example, 3653. The resulting URL should look similar to this:
https://bst.cloudapps.cisco.com/api/get/search?pf=prdNm&kw=*&bt=custV&sb=anfr&rpp=3653&pageNum=0&prdNam=Web%20Security&random=0.0123456789&observe=response
- Press Enter to reload the page with all results, then save the page to a local file (Ctrl+S). If the request times out and the saved text is truncated, the jq step below will report a parse error; repeat the request in that case.
- Rename the file to something like WebSec_07.06.24.txt. It will be easier to work with the app if the source file name is short and descriptive.
- Format to "pretty-print":
  - Open it with Notepad++. Go to Plugins > JSON Viewer > Format JSON, and save it. Note that you must have the JSON Viewer plugin installed to see this option.
  - Alternatively, use the jq command line tool to unwrap the results array and format the JSON:
jq '.bugSearchResults[]' WebSec_07.06.24.txt > WebSec_07.06.24.json
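The jq step used by both option A1 and option A2 simply unwraps the bugSearchResults array. The following Python script is an added example (not code from the app or from this page) that does the same without jq and adds the two checks worth doing before the upload: that the number of downloaded bugs equals the result count noted from the results page (a timed-out download or a forgotten rpp change is otherwise easy to miss), and that the output name follows the [Product]_[Day.Month.Year].json convention. The response envelope embedded below is constructed for the example; only the bugSearchResults key and the field names come from this page, and the source-name regex is this example's reading of the naming convention.

```python
import json
import os
import re

# Constructed stand-in for the body returned by the search endpoint
# (only the "bugSearchResults" key and the field names come from the page;
# bug ids and CVE id are placeholders, not real records).
SAMPLE_RESPONSE = json.dumps({
    "bugSearchResults": [
        {"bugId": "CSCab00001", "headLine": "Proxy restarts on crafted request",
         "severityCode": 2, "severityName": "Severe", "statusGroup": "Open",
         "createDate": "2024-05-01T10:00:00", "psirtCves": ["CVE-0000-0001"]},
        {"bugId": "CSCab00002", "headLine": "Log rotation stalls",
         "severityCode": 3, "severityName": "Moderate", "statusGroup": "Fixed",
         "createDate": "2024-04-12T08:30:00", "psirtCves": []},
    ]
})

# Source naming convention the app sorts on: Product_DD.MM.YY.json or .csv
# (assumed: product token without underscores, two-digit day/month/year).
SOURCE_NAME_RE = re.compile(r"^[A-Za-z0-9]+_\d{2}\.\d{2}\.\d{2}\.(?:json|csv)$")


def unwrap_results(raw_text, expected_count=None):
    """Return the list of bug objects from a raw API response.

    If expected_count is given (the "N Results" figure from the results page),
    raise when the download holds a different number of bugs, which is what a
    timed-out download or an unchanged rpp=20 looks like.
    """
    envelope = json.loads(raw_text)
    bugs = envelope.get("bugSearchResults")
    if not isinstance(bugs, list):
        raise ValueError("no bugSearchResults array in response")
    if expected_count is not None and len(bugs) != expected_count:
        raise ValueError(
            f"downloaded {len(bugs)} bugs but the search reported {expected_count}; "
            "check the rpp parameter and retry the request"
        )
    return bugs


def valid_source_name(name):
    """True if name follows [Product]_[Day.Month.Year].json or .csv."""
    return SOURCE_NAME_RE.match(name) is not None


def bugs_to_stream(bugs):
    """Render bugs the way `jq '.bugSearchResults[]'` does: one pretty-printed
    object after another, with no enclosing array."""
    return "\n".join(json.dumps(bug, indent=2) for bug in bugs) + "\n"


def convert(raw_path, out_path, expected_count=None):
    """Convert a raw download (the curl -o file) into the app's input file."""
    if not valid_source_name(os.path.basename(out_path)):
        raise ValueError(f"{out_path!r} does not match Product_DD.MM.YY.json")
    with open(raw_path, encoding="utf-8") as fh:
        bugs = unwrap_results(fh.read(), expected_count)
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write(bugs_to_stream(bugs))
    return len(bugs)


if __name__ == "__main__":
    # Stand-alone demo on the constructed sample; on a real download call
    # convert("WebSec_07.06.24.txt", "WebSec_07.06.24.json", expected_count=3653)
    print(bugs_to_stream(unwrap_results(SAMPLE_RESPONSE, expected_count=2)), end="")
```

The count check is the important part: a response that was cut short by a timeout may still be valid JSON for the first page, so comparing against the figure on the results page is the only way to know the download is complete.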
Option B - Export to Excel then convert to CSV
- In the Bug Search Tool press Export Results to Excel. If you get an error that reads "The list exceeds the maximum of 10,000 results", apply filters or export in parts (for example first Fixed, then Open, Terminated and Other).
- Open each bugsearch.xls file in Excel and save it in CSV UTF-8 format. Do this for every XLS, then merge all the CSVs into one file:
  - Linux bash:
cat ASA_Open.csv ASA_Fixed.csv > ASA_07.06.24.csv
  - Windows CMD:
type ASA_Open.csv ASA_Fixed.csv > ASA_07.06.24.csv
Note that plain concatenation copies the header row of every file into the merged output (and, for Excel's CSV UTF-8 format, the byte-order mark at the start of each file), so the second and later header rows would be indexed as if they were bug rows. Delete them in an editor before uploading.
The resulting file must be named in the format [Product]_[Day.Month.Year].csv, for example ASA_07.06.24.csv. This format is used to sort sources properly.
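The cat/type merge above works but leaves a header row (and, with Excel's CSV UTF-8 export, a byte-order mark) in the middle of the file for every part after the first. The following Python script is an added example, not code from the app or this page, that merges the partial exports properly: one header, a check that every part has the same columns, the per-file BOM stripped, and repeated rows for the same BugId dropped (the FAQ on this page notes that CSV exports can contain duplicates). The two CSV texts are constructed for the example; the column names are taken from the field table on this page and the bug ids are placeholders.

```python
import csv
import io
from pathlib import Path

# Constructed partial exports, one per status group, with column names from the
# field table on this page. The leading "\ufeff" is the byte-order mark that
# Excel's "CSV UTF-8" format writes at the start of every file.
OPEN_CSV = (
    "\ufeffBugId,headLine,statusGroup,severityCode\n"
    'CSCab00001,"Proxy restarts on crafted request",Open,2\n'
    'CSCab00002,"Log rotation stalls",Open,3\n'
    'CSCab00001,"Proxy restarts on crafted request",Open,2\n'  # duplicate row
)
FIXED_CSV = (
    "\ufeffBugId,headLine,statusGroup,severityCode\n"
    'CSCab00003,"TLS handshake fails with ECDSA certificates",Fixed,2\n'
)


def merge_exports(chunks, key="BugId"):
    """Merge several CSV export texts into (header, rows).

    Keeps a single header, refuses to merge files whose column layout differs,
    strips the per-file BOM, and drops repeated rows for the same key column
    (the first occurrence wins).
    """
    header = None
    key_index = None
    seen = set()
    rows = []
    for text in chunks:
        reader = csv.reader(io.StringIO(text.lstrip("\ufeff")))
        file_header = next(reader)
        if header is None:
            header = file_header
            key_index = header.index(key)
        elif file_header != header:
            raise ValueError(f"column layout differs: {file_header} != {header}")
        for row in reader:
            if not row:  # blank trailing line
                continue
            if row[key_index] in seen:
                continue
            seen.add(row[key_index])
            rows.append(row)
    return header, rows


def merged_csv(chunks):
    """Serialise the merged rows as one CSV text with a single header."""
    header, rows = merge_exports(chunks)
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return out.getvalue()


def merge_files(paths, out_path):
    """Disk version: merge the given export files into out_path."""
    chunks = [Path(p).read_text(encoding="utf-8") for p in paths]
    Path(out_path).write_text(merged_csv(chunks), encoding="utf-8")


if __name__ == "__main__":
    # Stand-alone demo; on real exports call
    # merge_files(["ASA_Open.csv", "ASA_Fixed.csv"], "ASA_07.06.24.csv")
    print(merged_csv([OPEN_CSV, FIXED_CSV]), end="")
```

Deduplicating on BugId is safe because the id is unique per bug; dropping a repeated row from a partial export of the same search loses nothing, and the app's own dedup then has nothing left to do.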
- Launch the Cisco Bug Search and Analytics app.
- Import the JSON or CSV file:
  - In the Splunk platform, click Settings in the top toolbar > Add Data > Upload > Select File > Next.
  - Select the source type "cisco:bugs:json" (for option A) or "cisco:bugs:csv" (for option B) from the dropdown list of source types.
  - Check that the parsing is correct and there are no warnings in the pane on the right-hand side of the screen.
  - Click Next > Next > Review > Submit > Start Searching.
Deleting old results
It's not required for you to delete old results. The app uses a search macro to filter all sources and show only the most recent ones in the Source dropdown. This relies on the source name following the naming format [Product]_[Day.Month.Year].[suffix] (e.g. ASA_07.06.24.json or ASA_07.06.24.csv).
If you want to delete your old results before importing new results into the Splunk platform, you can do this as long as you have the "delete events" capability (by default only the can_delete role has it):
( sourcetype=cisco:bugs:csv OR sourcetype=cisco:bugs:json ) source="<your_old_source>" | delete
Note that the delete command only makes the events unsearchable; it does not free disk space.
Working with the Cisco Bug Search and Analytics app
- Use the "Source" dropdown to choose your source.
- Use a free search input field and Status/Severity filters to locate the information you need.
- Choose "Column" to build a table of results with your required information. You can set the order of columns and sort methods.
- Click on a row in a table to drill down and access more detailed information:
- bugId - opens a bug site (https://bst.cloudapps.cisco.com/bugs...h/bug/CSXXXXXX)
- cve - opens a CVE page (https://www.cvedetails.com/cve/CVE-XXXXX)
- cvss_link - opens Cisco's CVSS calculator (http://tools.cisco.com/security/cent...E:U/RL:OF/RC:C)
- Any other column - open a bug in a Splunk search
- Hold Ctrl while clicking to open a link in a new browser tab.
Additional tips and best practices
- Look for similar issues in older releases to find potential workarounds.
- Identify components or conditions responsible for frequent problems. Disabling non-critical components or reducing the load can help avoid certain bugs.
- Be aware that some software packages or components have poor security records and may contribute to instability.
- Recognize that complex code tends to be buggier and less secure, and the same applies to complex configurations: keep the features you enable and the configuration you run as simple as your requirements allow.
Available fields
Most fields are explained in the Bug Search Tool Help.
JSON field | CSV field | Comment |
---|---|---|
averageRneRating | n/a | Content quality information, which is an average of all ratings information provided by customers. For example, ratings for "Was the description about this Bug Helpful?" on a scale from 0 to 5 (stars). |
behaviorChangedFlag | n/a | Whether a bug changes the behaviour of the product. |
bugId | BugId | A unique identifier (ID) of the bug in format CSCxxNNNNN, where x is any letter (a-z) and N is any number (0-9). |
bugLastModifiedDate | Last_Modified | The last time the bug details were changed. |
bugVisiblity | n/a | Customer visible. |
component | n/a | Software component related to a bug: e.g. amp, logging, tls, dns, etc. |
createDate | n/a | Date/time when a bug entry was created. |
deManagerUserId | n/a | |
duplicateOfBugId | n/a | Duplicate bugs (status="D") have a reference to the BugId that they are the duplicate of. |
engineerUserId | n/a | |
headLine | headLine | A one line summary (maximum 100 characters) or title of a bug. |
id | BugId | see BugId |
knownAffectedReleases | Affected_Releases | This field displays the software releases known to be impacted by this bug. |
knownAffectedReleasesSds | n/a | |
knownFixedReleases | Fixed_Releases | This field displays the software releases known to contain a fix for this bug. |
knownFixedReleasesSds | n/a | |
mdfConceptId | | |
mdfConceptName | | |
mdfConcepts | | |
mdfSeriesNames | | |
mdfSoftwareFamilies | | |
product | n/a | Cisco product name or software where the bug occurs, e.g. WSA, ESA. |
project | n/a | |
projectExcludedStatus | n/a | |
psirtCves | CVE | List of CVEs. |
releaseNoteText | releaseNoteText | Symptom, conditions and workaround. |
rneRatingCount | n/a | How many users have rated the bug. |
securityStatus | n/a | Released. |
severityCode | severityCode | Numeric representation of the bug severity, from 1 (catastrophic) to 6 (enhancement). |
severityName | severityName | Bug severity: Enhancement, Cosmetic, Minor, Moderate, Severe, Catastrophic. |
status | n/a | Short (one letter) version of statusName field. |
statusGroup | statusGroup | Open - The bug has not been fixed. Fixed - The bug has been fixed. Other - The bug is a duplicate of another bug. Terminated - A decision was made not to fix the bug. Duplicate. Unreproducible. |
statusGroups | n/a | See statusGroup. |
statusName | n/a | Provides detailed internal case status: Closed (C), Duplicate (D), Held (H), Info_req (I), Junked (J), More (M), New (N), Open (O), Opened (O), Postponed (P), Resolved (R), Unreproducible (U), Verified (V), Wait (W). |
submitterUserId | n/a | |
troubleTicketNumbersCount | n/a | Number of opened tickets related to this BugId. |
troubleTicketNumbers | n/a | Ticket IDs related to this BugId. |
There are further fields that are extracted from the bug's description text (releaseNoteText):
- CVE
- CVSS
- CVSS link
- pre symptom text
- is_vulnerability
- Symptom
- Conditions
- Workaround
- Further Problem Description
- PSIRT_Evaluation
- URL
There are also further Common Information Model (CIM) fields extracted for Vulnerabilities event datasets:
- cve
- cvss
- severity
- severity_id
- vendor_product
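The two lists above name the fields the app derives from releaseNoteText and the CIM Vulnerabilities fields it populates, but not how. The following Python example is added here to show one way of doing that extraction; it is not the app's own logic. It assumes the release note uses the "Symptom:", "Conditions:", "Workaround:", "Further Problem Description:" and "PSIRT Evaluation:" headings and the PSIRT sentence "The Base and Temporal CVSS scores ... are: B/T"; the CIM severity is derived from the CVSS v3 qualitative bands when a score is present and from severityName otherwise, severity_id is taken from severityCode, and vendor_product is "Cisco " plus the product field. All of these mappings are choices made for this example, and the bug record and its text are constructed (the CVE id is a placeholder).

```python
import re

# Section headings assumed for this example; the app's own rules are not on the page.
SECTION_HEADERS = ("Symptom", "Conditions", "Workaround",
                   "Further Problem Description", "PSIRT Evaluation")
SECTION_RE = re.compile(
    r"^(%s):[ \t]*" % "|".join(re.escape(h) for h in SECTION_HEADERS), re.M)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# "The Base and Temporal CVSS scores ... are: 7.5/6.5" -> groups (base, temporal)
CVSS_RE = re.compile(r"CVSS.*?\b(\d{1,2}(?:\.\d)?)/(\d{1,2}(?:\.\d)?)\b", re.S)
URL_RE = re.compile(r"https?://[^\s)]+")

# Constructed bug record; placeholder CVE id, not a real advisory.
SAMPLE_BUG = {
    "bugId": "CSCab00001",
    "product": "WSA",
    "severityCode": 2,
    "severityName": "Severe",
    "releaseNoteText": (
        "WSA: proxy process restarts on crafted request\n"
        "Symptom:\n"
        "A crafted HTTP request to the management interface causes the proxy "
        "process to restart.\n"
        "CVE ID CVE-0000-0001 has been assigned to document this issue.\n"
        "Conditions:\n"
        "Management interface reachable from untrusted networks.\n"
        "Workaround:\n"
        "Restrict access to the management interface to trusted hosts.\n"
        "PSIRT Evaluation:\n"
        "The Cisco PSIRT has assigned this bug the following CVSS version 3.1 score. "
        "The Base and Temporal CVSS scores as of the time of evaluation are: 7.5/6.5\n"
        "More information: https://example.invalid/advisory\n"
    ),
}


def split_sections(text):
    """Return (pre_symptom_text, {heading: body}) for one release note."""
    matches = list(SECTION_RE.finditer(text))
    if not matches:
        return text.strip(), {}
    pre = text[: matches[0].start()].strip()
    sections = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        sections[m.group(1)] = text[m.end():end].strip()
    return pre, sections


def cvss_severity(score):
    """CVSS v3 qualitative rating bands (critical/high/medium/low)."""
    if score is None:
        return None
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0:
        return "low"
    return "informational"


def extract_fields(bug):
    """Derive the extracted fields and the CIM fields from one bug record."""
    text = bug["releaseNoteText"]
    pre, sections = split_sections(text)
    cves = sorted(set(CVE_RE.findall(text)))
    m = CVSS_RE.search(text)
    cvss = float(m.group(1)) if m else None   # base score only
    # A bug counts as a vulnerability if PSIRT scored it or a CVE is attached.
    is_vuln = bool(cves) or cvss is not None or "PSIRT Evaluation" in sections
    return {
        "CVE": cves,
        "CVSS": cvss,
        "pre_symptom_text": pre,
        "is_vulnerability": is_vuln,
        "Symptom": sections.get("Symptom"),
        "Conditions": sections.get("Conditions"),
        "Workaround": sections.get("Workaround"),
        "Further_Problem_Description": sections.get("Further Problem Description"),
        "PSIRT_Evaluation": sections.get("PSIRT Evaluation"),
        "URL": URL_RE.findall(text),
        # CIM Vulnerabilities fields (mapping chosen for this example)
        "cve": cves,
        "cvss": cvss,
        "severity": cvss_severity(cvss) or bug["severityName"].lower(),
        "severity_id": bug["severityCode"],
        "vendor_product": f"Cisco {bug['product']}",
    }


if __name__ == "__main__":
    for name, value in extract_fields(SAMPLE_BUG).items():
        print(f"{name}: {value!r}")
```

Keeping the section split and the CVE/CVSS extraction separate matters in practice: many bugs carry a "PSIRT Evaluation" section that says the bug is not a security issue, so the CVE and CVSS checks, not the mere presence of the heading, are what a detection or reporting search should key on.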
FAQ
- Why do my CSV exports contain more bugs than shown in the table?
  CSV files can contain duplicate entries. The app removes duplicates with the dedup command.
- How can I see when a bug was introduced?
  The Create_Date field is available only in the option A JSON export.
- Can the bug open-to-fixed duration be calculated?
  No, the date when the bug was fixed isn't included. The last_modified field is unreliable for this purpose, as it can reflect updates to the bug description long after the bug is resolved. However, you can collect data over a prolonged period (e.g. daily) and capture the Last_Modified date at the point when the Status changed to Fixed. The Bug Tracking view allows you to do this.
- What do the different bug severity levels mean?
  The different bug severity levels are explained here.
  1 - Catastrophic
  2 - Severe
  3 - Moderate
  4 - Minor
  5 - Cosmetic
  6 - Enhancement
- What do the different bug statuses mean?
  The different bug statuses are explained here.
  Other - The bug is a duplicate of another bug.
  Terminated - A decision was made not to fix the bug.
- What do FCS/ED/GD/LD/MD/HP mean?
  These are release terminology acronyms, explained here.
  FCS - First Customer Ship (old name for ED)
  ED - Early Deployment
  GD - General Deployment
  LD - Limited Deployment
  MD - Maintenance Deployment
  HP - Hot Patch
- Are there any restrictions to access the Cisco Bug Search Tool?
  Anyone who has a valid Cisco.com account can access Bug Search online, but only customers and partners can use its advanced features. Registered users without a service contract can look up to 200 bugs per month by Bug ID. Customers and partners who have a valid service contract can use advanced features such as product, keyword, and release-based searches. For more information, see the Help and FAQ page for the Cisco Bug Search Tool.
- How can I normalize various version formats (for example, 1.2.3, 1.2.3.423, 001.002(000.123), 1.2(0.123))?
  Open the results in a search and add a rex command, for example:

Regex | Meaning |
---|---|
rex mode=sed field=Affected_Releases "s/\(0+\.?/(/g" | Remove leading zeros in brackets: 123(002) -> 123(2) |
rex mode=sed field=Affected_Releases "s/^0+//g" | Remove leading zeros: 001.123 -> 1.123 |
rex mode=sed field=Affected_Releases "s/-HP\d+-/-/g" | Remove Hot Patch labels: 123-HP3-456 -> 123-456 |
rex mode=sed field=Affected_Releases "s/\([a-zA-Z]+\)//g" | Remove internal names enclosed in brackets: 123(SomeText)-456 -> 123-456 |
- What does this error mean? "Events might not be returned in sub-second order due to search memory limits. See search.log for more information. Increase the value of the following limits.conf setting:[search]:max_rawsize_perchunk"
  This error shouldn't have any impact on results but can slow down your searches. You can increase the limit as suggested if you have enough memory available.
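The version-normalization rex commands in the FAQ above are easiest to check outside Splunk first. The following Python script is an added example (not code from the app or this page) that applies the same four substitutions, in the same order, to single values and to the multivalued Affected_Releases field, and goes one step beyond the FAQ with a sort key that compares numeric components as integers so that 1.10.0 sorts after 1.9.3. The inputs are the FAQ's own examples plus a few constructed ones.

```python
import re

# The four sed expressions from the FAQ table, as Python substitutions.
# Order matters: the bracket clean-up runs before the leading-zero strip.
NORMALISATION_RULES = (
    (re.compile(r"\(0+\.?"), "("),        # 123(002) -> 123(2)
    (re.compile(r"^0+"), ""),             # 001.123 -> 1.123
    (re.compile(r"-HP\d+-"), "-"),        # 123-HP3-456 -> 123-456
    (re.compile(r"\([a-zA-Z]+\)"), ""),   # 123(SomeText)-456 -> 123-456
)


def normalize_release(release):
    """Apply the FAQ's normalisation rules to one release string."""
    value = release.strip()
    for pattern, replacement in NORMALISATION_RULES:
        value = pattern.sub(replacement, value)
    return value


def normalize_releases(field_value):
    """Affected_Releases is multivalued: accept a list, or a comma or newline
    separated string, normalise every value, keep order and drop repeats."""
    if isinstance(field_value, str):
        values = re.split(r"[,\n]", field_value)
    else:
        values = list(field_value)
    seen, out = set(), []
    for value in values:
        normalised = normalize_release(value)
        if normalised and normalised not in seen:
            seen.add(normalised)
            out.append(normalised)
    return out


def version_key(release):
    """Sort key that compares numeric components as integers, so 1.10.0 sorts
    after 1.9.3 where a plain string sort would put it first."""
    parts = re.split(r"[^0-9]+", normalize_release(release))
    return tuple(int(part) for part in parts if part)


if __name__ == "__main__":
    # Constructed inputs covering each rule in the FAQ table.
    for raw in ("001.002(000.123)", "1.2(0.123)", "123-HP3-456",
                "123(SomeText)-456", "1.2.3.423"):
        print(f"{raw:>20} -> {normalize_release(raw)}")
```

Note the second rule's behaviour on 001.002(000.123): only the zeros at the very start of the value and those directly after an opening bracket are removed, so the result is 1.002(123); if you also want 002 collapsed to 2, add a rule for zeros after a dot, and keep in mind that the bracket rule drops the "0." in 1.2(0.123), which is lossy.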