NVD (National Vulnerability Database) is a database of vulnerability information managed by NIST, and NVD is very often taken care of when checking software and hardware vulnerability information.
Although it is such NVD, I was hoping that I could get information on the vulnerabilities of each CVE. I found NVD publishing a REST API in September 2019. https://nvd.nist.gov/General/News/New-NVD-CVE-CPE-API-and-SOAP-Retirement
Since I was able to get the information quite easily, I will publish the program for information sharing.
I think that the exact meaning will come out if you google, so here is a rough level.
REST API
If you want to get the information of a certain CVE, execute the following request.
https://services.nvd.nist.gov/rest/json/cve/1.0/<cveId>
If you want to get the information of CVE that matches the conditions, execute the following request. Note that the previous request was "cve", whereas this one is "cves".
https://services.nvd.nist.gov/rest/json/cves/1.0
For example, if you want to get CVE information that matches CPE, you can send the following request. Example: If you want to get CVE information for OpenSSL 1.1.1c
https://services.nvd.nist.gov/rest/json/cves/1.0?cpeMatchString=cpe:2.3:a:openssl:openssl:1.1.1c:*:*:*:*:*:*:*
The response will be returned in JSON format.
Details are below. https://csrc.nist.gov/CSRC/media/Projects/National-Vulnerability-Database/documents/web%20service%20documentation/Automation%20Support%20for%20CVE%20Retrieval.pdf
If you want to get the current description of the vulnerability described in NVD, access the JSON data of the response as follows.
json_data['result']['CVE_Items'][x]['cve']['description']['description_data'][0]['value']
If you want to get CWE, access the JSON data of the response as follows.
json_data['result']['CVE_Items'][x]['cve']['problemtype']['problemtype_data'][0]['description'][0]['value']
If you want to get BaseScore, access the JSON data of the response as follows.
json_data['result']['CVE_Items'][x]['impact']['baseMetricV3']['cvssV3']['baseScore']
If you want to get VectorString (example: AV: N/AC: M/Au: N/C: P/I: P/A: P), access the JSON data of the response as follows.
json_data['result']['CVE_Items'][x]['impact']['baseMetricV3']['cvssV3']['vectorString']
If you want to get BaseScore, access the JSON data of the response as follows.
json_data['result']['CVE_Items'][x]['impact']['baseMetricV2']['cvssV2']['baseScore']
If you want to get VectorString, access the JSON data of the response as follows.
json_data['result']['CVE_Items'][x]['impact']['baseMetricV2']['cvssV2']['vectorString']
Based on the above, we implemented a program that acquires and outputs CVE information that matches the CPE.
get_software_vuln.py
#!/usr/bin/env python
import requests
import json
import argparse
import textwrap
def main():
#Command line argument Parse
parser = argparse.ArgumentParser()
parser.add_argument('cpe_name', help='CPE Name')
args = parser.parse_args()
#Obtain vulnerability information corresponding to CPE from NVD in JSON format
cpe_name = args.cpe_name
api = 'https://services.nvd.nist.gov/rest/json/cves/1.0?cpeMatchString={cpe_name}'
uri = api.format(cpe_name=cpe_name)
response = requests.get(uri)
json_data = json.loads(response.text)
vulnerabilities = json_data['result']['CVE_Items']
for vuln in vulnerabilities:
cve_id = vuln['cve']['CVE_data_meta']['ID'] # CVE-Get ID
current_description = vuln['cve']['description']['description_data'][0]['value'] #Get Current Description
cwe_id = vuln['cve']['problemtype']['problemtype_data'][0]['description'][0]['value'] # CWE-Get ID
#Get BaseScore and VectorString if you have CVSS v3 information
if 'baseMetricV3' in vuln['impact']:
cvssv3_base_score = vuln['impact']['baseMetricV3']['cvssV3']['baseScore']
cvssv3_vector_string = vuln['impact']['baseMetricV3']['cvssV3']['vectorString']
else:
cvssv3_base_score = None
cvssv3_vector_string = None
#Get BaseScore and VectorString for CVSS v2
cvssv2_base_score = vuln['impact']['baseMetricV2']['cvssV2']['baseScore']
cvssv2_vector_string = vuln['impact']['baseMetricV2']['cvssV2']['vectorString']
#output
print('---------')
text = textwrap.dedent('''
CVE-ID:{cve_id}
CWE-ID:{cwe_id}
CVSSv3 BaseScore:{cvssv3_base_score} CVSSv3 VectorString:{cvssv3_vector_string}
CVSSv2 BaseScore:{cvssv2_base_score} CVSSv2 VectorString: {cvssv2_vector_string}
Current Description:
{current_description}
''')
print(text.format(cve_id=cve_id, cwe_id=cwe_id, cvssv3_base_score=cvssv3_base_score, cvssv3_vector_string=cvssv3_vector_string,
cvssv2_base_score=cvssv2_base_score, cvssv2_vector_string=cvssv2_vector_string, current_description=current_description))
print('---------')
main()
You can do it as follows:
python get_software_vulns.py <CPE>
Example: When running for openssl 1.1.1c
python get_software_vulns.py cpe:2.3:a:openssl:openssl:1.1.1c:*:*:*:*:*:*:*
GitHub https://github.com/riikunn1004/NVDAPI The code is available at. for your information.
The following Python program is open to the public. get_software_vuln.py: The above program get_cve_info.py: Program to get the specified CVE information
I described how to get vulnerability information using REST API. Since the contents described this time are a part, please see the document published by NVD for details. There are various tools for managing vulnerability information, You can also use this REST API to develop your own tools that meet your needs.
Recommended Posts