Custom vulnerabilities
User CVE DB
Custom CVEs let you define your own vulnerabilities and have ONEKEY match them against firmware components. Use this to extend vulnerability coverage from any source – regional databases (such as China's CNVD or the EU's EUVD) or proprietary findings from internal security research.
To open the custom CVE database:
- Click Configuration in the top menu bar.
- Select User CVE DB.
To add a custom CVE:
- Click + New vulnerability.
- Fill in the Summary tab:
  - IDs — at least one ID is required; the first entry becomes the primary identifier shown in the table and firmware views
  - Published date and Last modified date — both required
  - Fill in CVSS 3.1, CVSS 4.0 or both.
- On the Configurations tab, define which components the CVE affects:
  - PURL — a Package URL plus a version spec
  - CPE — a vendor and product name plus a version spec
  At least one configuration is required.
  Version specs support both exact matches (= 1.2.3) and ranges (e.g., >= 1.0.0 to < 2.0.0). Multiple ranges can be added per configuration.
- Click Save in the top-right corner.
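To make the configuration matching concrete, here is an added example (written for this page, not ONEKEY's own matching engine) of how a PURL configuration with version specs can be checked against component PURLs; it assumes purely numeric dotted versions and the operators =, >=, >, <=, <, with a component affected when any one of the configuration's ranges holds:

```python
import re
from dataclasses import dataclass

# Constructed illustration of matching a custom CVE's PURL configuration against
# component PURLs. Assumptions (not ONEKEY's rules): purely numeric dotted
# versions, the operators =, >=, >, <=, <, and a component matching if ANY of the
# configuration's ranges holds, where a range is a list of clauses that ALL hold.

_SPEC_RE = re.compile(r"^\s*(>=|<=|=|>|<)\s*([0-9]+(?:\.[0-9]+)*)\s*$")
_OPS = {"=": lambda c: c == 0, ">=": lambda c: c >= 0, ">": lambda c: c > 0,
        "<=": lambda c: c <= 0, "<": lambda c: c < 0}

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def _cmp(a, b):
    """Three-way compare of version tuples, zero-padded so 1.2 == 1.2.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def parse_spec(spec):
    """'>= 1.0.0' -> ('>=', (1, 0, 0)); rejects anything else loudly."""
    m = _SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported version spec: {spec!r}")
    return m.group(1), parse_version(m.group(2))

def version_in_range(version, clauses):
    """True when version satisfies every clause, e.g. ['>= 1.0.0', '< 2.0.0']."""
    v = parse_version(version)
    return all(_OPS[op](_cmp(v, bound)) for op, bound in map(parse_spec, clauses))

@dataclass
class PurlConfig:
    purl: str      # package identity without a version, e.g. 'pkg:generic/busybox'
    ranges: list   # e.g. [['= 1.2.3'], ['>= 1.30.0', '< 1.36.0']]

def split_purl(component_purl):
    """'pkg:generic/busybox@1.31.1' -> ('pkg:generic/busybox', '1.31.1')."""
    base, _, version = component_purl.partition("@")
    return base, (version or None)

def affected(config, component_purl):
    """Does this component fall inside any of the configuration's ranges?"""
    base, version = split_purl(component_purl)
    if base != config.purl or version is None:   # unversioned components never match
        return False
    return any(version_in_range(version, r) for r in config.ranges)
```

The upper bound is exclusive when written as `< 2.0.0`, which is why a component at exactly the fixed version is reported as not affected.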
Info
- You need the View CVEs permission to access the User CVE DB, and Edit CVEs to create, update, or delete entries.
- User CVE entries are scoped to your tenant. They are stored separately from the global CVE database and are not visible to other tenants.
- The table displays up to 1,000 entries. If your tenant's user CVE database exceeds this limit, an alert is shown and older entries are hidden.
Rerun analysis on affected firmware for the new entry to appear in results. User CVE entries carry a User source tag; edits and deletions are recorded in the Audit trail.
Click a row in the table to open its details. Click Edit to modify the entry, or Delete to remove it.
Custom issues
Custom issues allow you to define organization-specific security rules that extend beyond ONEKEY's standard detection framework. Using custom OQL queries, these rules identify specific files, patterns, or conditions in firmware that indicate security vulnerabilities unique to your environment.
To get started:
- Click Configuration in the top menu bar and select Custom Issues.
- Click Add new custom issue rule.
- Provide a unique name, select your confidence level, add an optional description, and configure the CVSS 3.1 and 4.0 metrics.
  Note
  Both CVSS versions are mandatory.
- In the File query field, write an OQL rule to define which files or conditions will flag the custom issue. For example, the query:
  Creates a custom issue that flags web server configuration files that may contain insecure settings.
  See the complete list of file OQL fields for available options.
- Click Create Issue Definition.
- Rerun analysis on affected firmware for the changes to take effect.
After analysis completes, your custom issues appear under Custom user defined in both the Global Issues page and the individual firmware analysis views.
Click the Edit icon to update a custom issue; click the Delete icon to remove it.
A good example of when a custom issue might come in handy is detecting an SMTP credential leak – a security issue where, for instance, employee credentials might be stored in a PHP configuration file (php.ini). To flag this, create a custom issue using the following OQL query:
Set the CVSS 3.1 and 4.0 scores, and optionally add a comment describing the nature of the vulnerability.