
Feature Request: Additional Fields for CVE

Open JimmyKip opened this issue 2 years ago • 2 comments

Environment

  • Nautobot version: N/A
  • nautobot-plugin-device-lifecycle-mgmt version: latest

Proposed Functionality

For CVE records there are some additional details that may be better included as part of the model rather than custom fields. These aren't necessarily part of the CVE record itself but are often retrievable from vendors in their advisories.

  1. A 2nd URL field to include a link to the machine readable version of the CVE from the vendor.
  2. A text field that can be used to include any tests that can validate exposure to the CVE.

Use Case

  1. E.g. Cisco provide a CVRF record for their advisories, along with the CVE details (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-httpserv-dos/cvrf/cisco-sa-20190925-httpserv-dos_cvrf.xml). Having this URL included with the CVE in Nautobot is handy as it can be used to pass this on to another tool.
  2. Some vendors provide additional information associated with their CVE records. Using the same example above (https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20190925-httpserv-dos.html), Cisco note tests that can be run to check exposure: "administrators can log in to the device and use the show running-config | include ip http server|secure-server command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration." Including this in the CVE entry allows for automated testing to confirm exposure to a particular CVE.

JimmyKip, Mar 20 '22 19:03
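Added example (not code from the issue or from nautobot-app-device-lifecycle-mgmt) sketching how the two proposed fields could drive an automated exposure check: the vendor's machine-readable CVRF document is parsed for the CVE ID, and the stored test text is treated as a regex over running-config lines, with negated `no ...` lines excluded so a disabled HTTP server is not reported as exposure. The `CVERecord` class, CVRF fragment, running-config and CVE ID are all constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# CVRF 1.1 namespaces used by vendor advisory documents.
CVRF_NS = {"vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1"}


@dataclass
class CVERecord:  # hypothetical, mirrors the issue's proposed fields
    name: str
    link: str                 # human-readable advisory page
    vendor_machine_link: str  # proposed: machine-readable (CVRF) document URL
    exposure_test: str        # proposed: regex applied to running-config lines


# Constructed, minimal CVRF fragment; the CVE ID is a placeholder.
SAMPLE_CVRF = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
  xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1">
  <vuln:Vulnerability Ordinal="1">
    <vuln:CVE>CVE-0000-00000</vuln:CVE>
  </vuln:Vulnerability>
</cvrfdoc>"""

# Constructed running-config: HTTP server on, HTTPS server explicitly off.
SAMPLE_CONFIG = """hostname edge-rtr-1
ip http server
no ip http secure-server
ip ssh version 2"""

RECORD = CVERecord(
    name="CVE-0000-00000",
    link="https://example.invalid/advisory",       # placeholder
    vendor_machine_link="https://example.invalid/advisory_cvrf.xml",  # placeholder
    exposure_test=r"ip http server|secure-server",  # the check quoted in the issue
)


def cve_ids_from_cvrf(xml_text: str) -> list[str]:
    """Return the CVE IDs listed in a CVRF document."""
    root = ET.fromstring(xml_text)
    return [e.text for e in root.iterfind(".//vuln:Vulnerability/vuln:CVE", CVRF_NS)]


def check_exposure(cve: CVERecord, running_config: str) -> list[str]:
    """Return config lines that indicate exposure, skipping negated 'no ...' lines."""
    pattern = re.compile(cve.exposure_test)
    return [
        line for line in running_config.splitlines()
        if pattern.search(line) and not line.strip().startswith("no ")
    ]
```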