►
From YouTube: Automated Advisory Generation Demo
Description
This is a short demo about adbcurate, a tool for automated advisory generation.
C
A
A
So
today
is
about
the
year
good
luck
as
we
database
and
at
the
moment
the
expression
losing
situation,
I
mean
by
addition
or
modification
of
advisements.
In
the
databases,
my
new
process
largely-
and
we
have
different
data
sources
at
the
moment-
is
mostly
led.
The
preparation
of
health
risks
manual.
B
A
The
workflow
I
saw
first
of
all,
if
the
data
feed
it
has
to
be
checked
like
NBD,
for
example,
and
we
have
to
filter
for
relevant
entries
and
essential
information
from
different
sources,
which
is
also
not
that
revealed
across
the
time
of
study.
No
NBD
advisors
lately
include
leaders,
maybe
even
even
wrong,
so
this
has
to
be
cross
validated
and
cross-checked
and
an
example
for
that
would
be,
for
example,
the
date
and
nvd
here
is
an
old
tile
effect.
So
we
have
to
obtain
the
title
from
someone
else
monetize
we
liked.
A
A
A
So
when
after
I
started,
I
first
had
to
understand
the
structure
of
the
advisors,
so
that
the
first
step
that
I
but
I
did
was
to
understand
the
benefits
that
we
have,
but
not
only
their
semantics,
but
also
how
are
they
related?
Because
this
information
is
useful
for
me
in
order
to
understand?
What's
the
minimum,
the
minimum
set
of
fields
that
I
have
to
provide
and
to
rest
I
could
basically
drive
automatically.
B
A
Depending
on
the
source
can
be,
can
vary,
for
example,
for
any
deed.
This
would
be
CBE,
but
for
other
data,
false
identify,
it
can
be
different.
We
have
a
title
that
trotty
describes
findability
this
description,
which
is
longer
the
date
that
has
been
published.
He
affected
to
range
misses,
which
is
the
machine.
Readable
version
of
the
affect
version
range,
the
fixed
versions,
which
is
a
list
of
concrete
versions.
That's
great.
A
If
you
run
ability
as
fixed
by
versions
which
does
a
human
readable
versions
of
effective
rainfall,
there
is
the
correlation
of
22
fields,
affected
range
of
affected
versions.
Then
the
solution,
which
is
an
advice
for
the
user,
what
you
should
be
versatile
tool
in
order
to
fix
vulnerability,
quite
a
collection
of
field,
URLs.
A
Some
useful
means
the
package
slug,
which
was
essentially
like
the
package
type
and
named
concatenated,
and
you
are
Aggie,
but
this
one
will
be
added
in
the
latest
and
there's
some
redundancies
with
the
dependencies
between
these
fields.
So,
for
example,
there's
a
redundancy
between
effective
range
and
effective
versions.
If
I
know
effective
range,
I
can
automatically
generate
affected
versions,
there's
also
through
dance
between
package
stock.
An
identifier
auntie
after
the
expert
advisory
across
the
path
to
the
Advisory
Andy
never
tries
a
database
is
basically
proposed
off.
A
I
could
stuck
identifier,
and
then
there
is
also
an
interdependency
between
the
packet
stop
and
the
affected
products
course.
The
effective
range
is
expressed
in
terms
of
the
syntax
that's
used
for
the
agate
registry,
for
example,
when
you
have
the
mailing
package
registry
you're
using
the
style,
that's
risk
for
mailing
packages,
Express
going
to
Avengers.
If
you
have
like
pi
PI,
it's
a
different
style
expressing
this
is
v
here
varies
based
on
the
package
lock,
and
then
we
also
have
fixed
burdens
which
didn't
collide
and
affect
the
treasure.
A
So
none
of
the
versions
that
are
fixed
shouldn't
fall
internal
affected
branch
and
the
solution
should
be
correlated
to
the
fixed
version
of
the
affected,
wrench
or
solution.
Sure
to
tell
the
user
that
he
should
use
one
of
the
fixed
versions
and
they
extended
the
transitive
dependency
between
in
solution
and
effective
tragic.
A
And
so,
while
I
was
working
on,
this
I
first
started
to
write
a
sensation,
script
that
uses
the
interrelations
and
dependencies
to
automatically
fix
fix
advisories
by
the
politically
applying
cross
verification,
and
this
has
the
advantage
that
when,
when
we
used
like
the
same
pattern
for
certain
fields,
but
we
have
a
certain
amount
of
consistency
which
which
helps
users
and
critics
cover
for
that
is
affected
versions,
example
and
when
you're
using
the
same
template
or
tool
to
generate
the
effect
for
those
fields.
It's
the
same
across
all
advisors.
A
Then
there's
still
room
for
referral
for
misunderstanding
so
and,
as
I
said,
benefit
with
every
component
that
I've
developed
for
the
sensitization.
The
rule
could
be
reused
for
later
generation
that
the
first
thing
I
would
like
to
show.
You
is
how
you
can
sanitize
present
advisories
or
check
different
instances
as
an
adviser,
some
database,
and
for
that.
A
A
A
A
If,
between
a
master,
we
can
maybe
convert
to
the
first
entry
here,
there
is
a
change
to
a
relic
from
the
gem
and,
as
you
can
see,
there
is
an
effective
range
which
says
great
until
2000,
but
no
fixed
fix
burden
and
pendant
and
the
first
version
that
we
changed
it
at
the
defective
versions.
You
want
your
point,
one
and
solution.
There
is
no
solution
for
this
one
immediately.
This
feels
like
the
the
the
text.
A
A
Advantage
of
doing
so
is
that
this
description
is
the
same
across
all
the
vitamins.
So
if
there's
no
solution,
it
will
be
just
a
single
string
and
the
user
can
rely
on
that,
and
the
second
example
that
we
have
is
wet
cloth,
which
is
also
gemmed,
and
here
we
have
a
fixed
version,
for
example,
and
the
solution
string
says
that
upgrade
to
version
4.3
point
0
and
the
affected
versions
also
says
that
all
variants
before
four
point
five
point:
zero
are
affected,
which
is
also
the
same
across
all
advisors.
A
D
A
You
know
what
I,
what
I
did
is:
I
I,
basically
represented
test
as
a
collection
or
a
list
of
scattered
rain,
especially
on
this
top
ranges
and,
and
the
string
will
be
generated
for
this
list.
So
also,
if
you
have
like
multiple
entries
particle
version
ranges,
this
will
be
able
to
work,
considering
just
as
a
this
random.
C
B
A
A
We
wanted
to
automate
this
Advisory
generation
approach,
which
are
fine
begin
first,
and
there
are
some
challenges
which
are
related
to
Nvidia's
data
source.
The
first
one
listed
Nvidia
is
very
generic,
which
makes
the
entry
selection
a
bit
difficult,
because
no,
not
every
nvd
entry
is
related
to
the
package,
so
it
can
be
related
to
other
software.
A
But
we
are
just
interested
in
in
those
those
entries
which
are
related
to
those
packages
which
we
are
caring
about.
So
james
heim
elements
one
and
the
package
name
and
fibers
not
provided
the
title
is
usually
missing.
So
there
is
no
title
field
or
and
B
the
entries.
They
use
two
different
kinds
of
version
presentations.
A
One
is
very
specific,
so
it's
one
less
like
a
list
of
concrete
versions
and
the
other
one
is
a
bit
better
following
this
case,
because
that's
basically
a
version
range
we
could
directly
translate,
but
you
never
know
which
one
daily
meetings
for
you
have
to
be
able
to
cope
with.
Both
version
representations
were
using
and
the
data
feeds
can
inventively
large
between
like
30
14
megabytes
or
taking
from
a
year.
A
As
I
mentioned
in
the
last
slide,
this
entry
selection
is
enough
difficult
because
we
don't
know
in
advance
if
an
entry
is
related
to
a
package
or
not,
and
this
is
something
we
have
to
figure
out.
So
I
had
a
conversation
before
the
end.
Here
this
idea
of
using
information,
that's
called
CPE
common
platform
numerator,
which
is
like
a
string
that
is
associated
with
and
be
the
entry.
So
usually
you
find
column
entry.
A
A
Entries
like
the
MVD
entries
which
are
present
in
this
otherwise
with
database,
then
you
basically
ask
national
vulnerability
database.
Please
give
me
the
cps
related
through
the
city
and
after
you
you're
getting
this
list
of
cps.
If
this,
together
of
the
package
information,
that's
already
present,
remember
that
you
only
can
get
from
the
atomic
lies
with
Oedipus
and
based
on
that
we
can
generate
the
CPE
map,
and
this
is
basically
like
a
map
between
common
platform
enumerators
and
a
few
types
of
place.
A
So
this
is
a
bit
reverse
because
we're
using
it
as
a
data
base
to
obtain
this
information,
but
it's
already
quite
helpful.
As
with
this
information
we
can
identify
which
and
the
entry
is
related
to
a
package-
at
least
the
packages
caviar,
and
what
this
process
is
called
city
map
bootstrapping
and
the
supported
sources
for
this
procedure.
A
A
A
A
Okay
and
I
have
also
a
mega
target
for
this,
and
this
target
is
called
a
bootstrap,
make
boot
up
speed
and
when
I'm
running
this,
this
will
basically
come
through
other
sub
modules
like
Ruby,
steadfast
HP
and
the
advisor
database.
It
will
and
it
will
collect
the
corresponding
CPS
Wendy
and
link
them
to
package
by
that
type
and,
as
a
result,
we
will
get
a
mapping
that
looks
like.
A
D
A
I
added
an
exclusion
flag,
so
if
you
like
to
some
stuff
to
be
excluded
to
be
incited
to
exclude
what
wouldn't
be
considered
anymore.
But
at
the
moment
since
these
are
this
is
like
a
sort
of
a
ground
truth.
Every
CPE
that
we
have
at
the
moment
in
this
database
is
related
to
a
package
type
and
name
so
at
least
the
current
state
of
the
state
of
base.
It
wouldn't
make
sense
to
accept
like
enough
can't
respect,
but
just
as
it
is
functionality.
A
A
But
this
was
the
our
CP
would
step
in
and
that
we
can
move
on
to
the
next
part,
which
is
the
Advisory
generation
itself.
So
now
we
have
generated
our
CPD
map
and
we
have
the
information
about
CPS
package,
name
and
type,
and
when
we're
getting
an
NB
d
benefit,
I
could
Jesse
fine,
essentially,
if
you're
doing
firsts,
we're
running
like
a
filter
and
fifth
step.
But
what
it
does
is
it's
worth
it.
A
It's
gains
from
the
whole
J'son
file
and
it
tries
to
figure
out
if
there
is
an
entry
that
is
relevant
by
looking
at
the
EPE.
Let's
link
to
this
entry
and
I
was
looking
at
the
package
name
and
type.
That's
linked
to
that
and
for
the
relevant
entries.
We
will
basically
write
single
like
Jason
pockets.
We
will
write
them
into
a
separate
directory
as
single
jason
files,
and
we
will
also
had
some
information,
for
example,
by
looking
at
this
information
here.
A
If
you
have
a
separate
file
for
our
CBE,
you
can
just
go
go
inside
well,
you
have
a
small
file
or
you
can
easily
easily
navigate
through
so
I
think
I
to
them
as
editing,
and
then
the
next
step
is
the
advisement
generation
which
takes
the
these
gentle
files
as
input
and
generates
the
actual
llaman
files
and
worth
the
fight
by
using
the
package,
luck
as
a
the
path
and
to
see
the
IDS.
Finally,
we
also
collecting
the
title
information
for
twe.
B
A
Every
first
charity
and
the
entries
generally
generate
advisors
on
and
the
generation
or
covers
all
of
the
fields,
except
for
fixed
versions,
because
this
turns
out
to
be
a
bit
tricky
because
for
generating
the
fixed
version
of
you
automatically
you
you
have
to
get
information
from
the
packet
tracer
registries,
essentially,
which
is
due
to
the
fact
that
the
Bertie
bombs
can
be
can
be
like
different,
so
then
usually
know
who
they
like
or
a
sequential
might
be
that
you
have
a
version
from
two
point.
Five
to
two
point.
A
So
you
cannot
just
know
in
firmly
you
have
to
basically
look
at
the
package.
I
just
feel
out
what
other
releases
out
there
and
then
you
have
to
threaten
recording
the
the
hood
rule
is
implemented
and
whether
it's
using
trees.
So
we
consider
like
two
data
feed
as
a
stream.
We
never
keep
any
state
memory,
so
the
Flexi
process,
relatively
quick
to
go
through
to
the
jetty
feeds
and
also
that
will
implemented
in
a
way
that
we
have
valuation
is
always
possible.
A
A
A
A
B
A
A
B
A
A
A
For
the
500
points,
okay
and
after
I've
downloaded
the
data
feed
the
first
step
that
we
follow
slides.
This
filter
has
clicked
so
I
also
make
target
for
that.
Just
odd
well
make
it
has
little
body
and
it
goes
through
the
data
feed,
and
it
only
collects
the
one
that
are
relevant
based
on
the
CPD
map
that
we
currently
have,
and
it
will
make
generate
differentiation
files
for
them.
A
We
can
find
them
in
the
end
video
clip
directory,
so
the
JD
files
that
have
been
created
by
two-
and
this
is
like
the
first-
are
the
one
that
is
related
to
a
I
own
XMPP
and
also,
as
you
can
see
here,
we
already
added
the
import.
The
package
laugh
because
all
you
had
this
information,
so
just
put
it
to
chosen
for
him.
Also.
We
can
see
here
that
this
is
like
the
the
version.
Syntax,
that's
using
version
ranges
which
is
the
easier
fast
at
the
parse.
At
least.
A
A
A
The
process
is
a
bit
slower
than
the
filter
and
split
step,
because
here
we
are
actually
communicating
with
gwe,
forgetting
the
title
or
we
could
make
it
quicker
by
I
may
be
having
a
like
some
phones,
local
CWB
database,
where
you
could
get
to
see
more.
But
at
the
moment
it's
just
telling
me
breasts
to
the
website.
Basically,
and
so
now
we
have
our
advisory
so
joining
the
advisories
out
directory
and
let's
just
go.
A
It's
contains
the
context
switches
as
it
be
directly
taken
from
from
Kennedy
description,
state
and
the
effective
range,
and
the
range
here
is
generated
according
to
the
syntax,
that's
used
for
pajamas.
So
if
this
would
be
made
in
a
kitchen
at
the
effective
range,
it
would
look
differently
and
the
effect
that
version
a
field
here
is
generated
from
the
affected
ranch.
So
this
is
for
something.
This
is
a
case
where
we
have
a
list
of
version
Arrangements,
basically,
and
at
this
furious
te
texture
for
generating.
A
A
A
A
This
was
the
advice
of
generation
part
and
now
we.
This
is
the
the
whole
approach
link
in
a
nutshell
and
there's
there's
one
piece
that
that's
missing:
that's
become
our
generation.
That's
just
sure
we
get
step
two,
but
this
is
basically
the
overview
of
the
approach
and
the
I'm
calling
like
step
two,
which
was
that
fourth
benefit
called
MVD
pipeline
and
I've
also
created
an
egg
target
that
you
don't
have
to
invoke
every
single
step
so
that
you
can
basically
run
just
well
just
make
target
and
run
the
whole
pipeline
for
you.
A
Now
we
only
have
generated
the
advisory,
but
but
what's
still
missing
is
generating
or
creating
crunches
and
and
adding
1
advisory
reverie
prawns
with
them,
creating
a
much
requested
from
them.
So
for
that
I
was
doing
a
target,
which
is
which
is
a
lot
of
prepare
and
are
and
what
it
will
do.
It
will
basically
create
a
branch
for
every
single
advised
me
that
we
have.
A
A
You
this
is
an
example
for
a
yard
and
yeah.
It's
sentence
before
just
the
advisories,
but
I
think
you
know
in
the
initial
meeting,
Lee
kind
of
discussed
about
using
either
merge
request
or
or
issues
and
I
think
that
we
create
on
using
basically
one
worse
requests
for
heavily
every
advised
me.
This
is
the
way
how
its
implemented
and
this
aspect
of
it
you
know,
generation
apart
for
that.
A
This
was
all
about,
and
there
is
still
a
couple
of
to
Do's
and
here
I'm,
one
of
the
two
deuces
to
include
the
CP
dictionary
in
nd
into
the
city
map
generation,
which
would
help
us
to
get
more
more
mappings
between
CPD's
I
could
change
the
types,
because
the
whole
approach
specifically
depends
on
that
on
the
city
map
to
better
the
subpoena.
But
the
better
are
possibly
results
of
this
approach,
and
we
could
also
include
respects
to
scan
for
interesting
cities
based
on
the
description
text.
A
Then
also
one
thing
I'm
really
working
on
is
to
infra
Sentinel
values
for
the
fixed
30
fields,
which
is
a
bit
more
evolved,
because
you
have
to
look
at
the
package
registries.
Basically
to
get
this
information.
Then
indeed,
I
picked.
There's
once
mentioned
said.
It
would
be
nice
to
run
this
as
a
csv
pipeline
and
automatically
january.
Merge,
requests
and
yeah.
A
D
D
A
Can
you
see
the
donk
yeah,
oh
yeah,
so
the
Ganga
CP
data
feed?
This
is
easily
available
on
nvd,
so
they
have
like
Culberson
xml
file.
Essentially,
so
they
have
a
collection
of
CPS
and
with
the
CPS
they
also
provide
links
to
resources,
and
these
resources
can
be
also
links
to
package
registries
reproduce
these
links
in.
D
A
A
D
A
Functionality
into
the
tool
that
helps
you
to
scan
for
interesting
CPS
by
using
maybe
a
couple
of
patterns
or
regular
expressions
that
they
could
they
could
adjust.
So
we
can
think
better
and
better
over
time
and
then
use
this
to
kind
of
audit
and
envy
defeat
or
cpe
said
that
we
did.
We
missed
it
or
not
present
in
a
city
map,
but
we
may
be
still
adjusting
to
X
when
this
would
be
failure
very
easy
to
implement.
A
C
I,
just
actually
sorry
I
just
have
an
idea
about
this.
Maybe
we
can
have
another
like
like
list
of
CPU,
so
we
can
just
like
found
relevant
CPU.
We
can
add
for
a
lock
panel,
creating
advisories
and
the
rest,
which
that
is
blacklisted.
We
can
just
stand,
looks
or
manual
when
operation,
and
then
we
can
improve,
was
CP
and
CP
blacklist.
D
Without
your
tooth,
the
two
could
create
like
an
issue
listing
all
the
the
CVE
that
was
kept
because
it
was
not
matching
a
relevant
CPE
and
bed,
and
at
least
we
should
create
a
blacklist
file
to
put
the
sepia
that
we
think
I'm
not
relevant
to
her,
so
that
any
on
only
next
friend,
if
there
is
a
similar
CP,
we
just
you
know
them
and
don't
put
them
in
the
duration
issue
make
sense.
This
is
what
you
were
telling
each
other
right.
Yeah.
C
C
D
A
The
where
I
was
and
his
life
was
this
capability
of
food
processing,
so
I
was
thinking
that,
if
you
can
quickly
reprocess
entities,
then
missing.
One
is
actually
not
that
big
of
a
problem,
because
when
you
just
know
you
have
to
once
you've
noticed
a
few
misses
one.
You
could
basically
at
cpa
entry
to
the
to
the
map
and
then
rerun
the
whole
analysis
as
we
are.
So
he
is.
D
I
agree
and
I
like
this,
because
this
is
also
super
useful
when
we
would
add
support
for,
for
example,
a
new
package
type,
so
we
can
quickly
reprocess
aswell
DB
and
get
a
lot
more
information
for
all
CDEs,
but
again,
I
think
we
had
the
discussion
recently
with
someone
at
the
Remember
Who.
But
it's
it's
good
to
to
correct
a
mistake
like
we
miss
the
CV
and
we
can
quickly
respond
as
far
as
soon
as
we
know.
D
We
missed
it,
but
the
problem
is
that
we
can
maybe
stay
for
several
weeks
without
knowing
about
we've
missing
the
CD,
and
then
we
have
a
customer
recording
that
hey
you're
not
checking
against
that
CVE.
Why
oops?
We
just
missed
it!
Sorry
we
can
add
it
quickly,
but
we
already
heard
harmed
the
users
because
it
passed
several
weeks
without
checking
for
it.
So
the
at
a
point.
D
A
D
Last
one
I
got
was
about
this
minute:
request:
creation:
I,
don't
know
if
you
aware
of
that,
but
you
can
use
fresh
options
to
automatically
create
a
merge
request
when
you're
pushing
the
branch,
so
you
can
create
a
branch
locally
and
call
Gil
get
push
with
some
options
to
automatically
create
a
merge
request.
Oh.
A
D
D
D
A
A
D
And
man
this
is
maybe
getting
too
deep
and
we
already
15
minutes
and
I
was
just
thinking
about.
Maybe,
instead
of
creating
an
issue
we
could
create
directly,
we
could
create
directly
a
merge
request
with
adding
all
those
information
to
the
white
to
the
black
list
and
then
manually
curating
that
and
removing
the
entries
that
are
relevant
after
we
did
this
manual
check
so
that
we
we
speed
up
a
bit
this
this
process,
but
anyway,
that's
implementation.
Detail,
because
that
in
the
issue
right.
Thank
you
very
much
again
Julian.
D
E
E
B
B
A
Yeah
we
can
convey
everything.
I
saw,
it
was
based
on
the
master
branch,
current
master
of
the
tool.
So
you
could,
you
could
run
instantaneously.
The
only
thing
you
have
to
do
at
the
beginning
is
you
have
to.
After
putting
the
ripple,
you
have
to
get
a
run,
make
update,
which
will
pull
all
the
sub
modules
and
and
after
that
evoke
all
the
targets.