# TD Final : Analyse des Avis et Alertes ANSSI avec Enrichissement des CVE
*Solution proposée par Laura Damas, Camille Dommergue, Maxime Cerruti et Elodie Duflaut*

Importation des libraries

In [1]:
import pandas as pd
import feedparser as fp
import requests as req
import re

Etape 1 - Extraction des Flux RSS

In [2]:
url_avis = "https://cert.ssi.gouv.fr/avis/feed"
url_alerte = "https://cert.ssi.gouv.fr/alerte/feed"

rss_feed_avis = fp.parse(url_avis)
rss_feed_alerte = fp.parse(url_alerte)

# Check if the feed was parsed correctly
if rss_feed_avis.bozo:
    raise ValueError("Failed to parse RSS AVIS feed. Please check the URL.\n")
elif rss_feed_alerte.bozo:
    raise ValueError("Failed to parse RSS ALERTE feed. Please check the URL.\n")
else:
    print(f"Successfully parsed RSS AVIS feed from {url_avis}\n")
    print(f"Successfully parsed RSS ALERTE feed from {url_alerte}\n")

rows = []

def get_bulletin_id(ent_id):
    parts = ent_id.split('/')
    bulletin_string = parts[-2]
    return bulletin_string

def clean_title(title_string):
    """
    Removes any text enclosed within square brackets [] or parentheses ()
    from a given string.
    """

    # Remove text in parentheses
    cleaned_string = re.sub(r"\(.*?\)", "", title_string)

    # Remove text in square brackets from the already cleaned string
    cleaned_string = re.sub(r"\[.*?\]", "", cleaned_string)

    # Remove any extra spaces that might result from the removal
    cleaned_string = re.sub(r"\s\s+", " ", cleaned_string).strip()

    return cleaned_string



# Loop through RSS feeds entries and collect data
for entry in rss_feed_avis.entries:
    
    rows.append({
        "Id": get_bulletin_id(entry.id),
        "Title": clean_title(entry.title),
        "Type": "Avis",
        "Link": entry.link,
        "Summary": entry.summary,
        "Published": entry.published
    })

for entry in rss_feed_alerte.entries:
    
    rows.append({
        "Id": get_bulletin_id(entry.id),
        "Title": clean_title(entry.title),
        "Type": "Alerte",
        "Link": entry.link,
        "Summary": entry.summary,
        "Published": entry.published
    })

# Convert list of rows into a DataFrame
df_flux_rss = pd.DataFrame(rows, columns=["Id", "Title", "Type", "Link", "Published", "Summary"])

# Convert 'published' to datetime, handling errors
df_flux_rss["Published"] = pd.to_datetime(df_flux_rss["Published"], format="%a, %d %b %Y %H:%M:%S %z", errors='coerce')

# Order the DataFrame by the "published" column
df_flux_rss = df_flux_rss.sort_values(by="Published", ascending=False)

Successfully parsed RSS AVIS feed from https://cert.ssi.gouv.fr/avis/feed

Successfully parsed RSS ALERTE feed from https://cert.ssi.gouv.fr/alerte/feed



In [3]:
print("\nInfos", df_flux_rss.info())
print("\nHead", df_flux_rss.head())
print("\nTail", df_flux_rss.tail())

<class 'pandas.core.frame.DataFrame'>
Index: 80 entries, 39 to 40
Data columns (total 6 columns):
 #   Column     Non-Null Count  Dtype              
---  ------     --------------  -----              
 0   Id         80 non-null     object             
 1   Title      80 non-null     object             
 2   Type       80 non-null     object             
 3   Link       80 non-null     object             
 4   Published  80 non-null     datetime64[ns, UTC]
 5   Summary    80 non-null     object             
dtypes: datetime64[ns, UTC](1), object(5)
memory usage: 4.4+ KB

Infos None

Head                       Id                                              Title  \
39  CERTFR-2025-AVI-0515                         Vulnérabilité dans Grafana   
38  CERTFR-2025-AVI-0514                 Vulnérabilité dans PostgreSQL JDBC   
37  CERTFR-2025-AVI-0513       Multiples vulnérabilités dans Microsoft Edge   
35  CERTFR-2025-AVI-0511  Multiples vulnérabilités dans les produits Google   
31  CERTF

Etape 2 - Extraction des CVE

In [4]:
def extract_cve_from_link(link):
    json_link = link.rstrip("/") + "/json/" 
    response = req.get(json_link)
    if response.status_code != 200:
        print(f"Erreur: impossible d'accéder à {json_link}")
        return []

    try:
        data = response.json()
    except ValueError:
        print(f"Le contenu de {json_link} n'est pas un JSON valide.")
        return []
    
    cve_list  = [item['name'] for item in data["cves"]]
    
    return cve_list

In [5]:
#extract CVEs from each link in the DataFrame & store them in a new column
df_flux_rss["CVE"] = df_flux_rss["Link"].apply(extract_cve_from_link)

In [6]:
def display_cve_info(bulletin_id, df):
    """
    Displays the CVE information for a given bulletin ID from the DataFrame.
    """
    # Ensure the 'id' column is cleaned of leading/trailing whitespace before comparison
    filtered_data = df[df["Id"].str.strip() == bulletin_id.strip()]

    print(f"\n--- CVE Info for ID: {bulletin_id} ---")

    if not filtered_data.empty:
        # Get the 'cve' column data for the filtered rows
        cve_info_list = filtered_data["CVE"].iloc[0] # Assuming 'id' is unique, take the first match

        if cve_info_list: # Check if the list of CVEs is not empty
            print("CVEs found:")
            for cve_entry in cve_info_list:
                if isinstance(cve_entry, dict) and 'name' in cve_entry:
                    print(f"- Name: {cve_entry['name']}")
                    if 'url' in cve_entry:
                        print(f"  URL: {cve_entry['url']}")
                else:
                    print(f"  Malformed CVE entry: {cve_entry}")
        else:
            print(f"No CVEs listed for bulletin ID: {bulletin_id}.")
    else:
        print(f"No entry found for bulletin ID: {bulletin_id}.")

print("\nTest CVE | CERTFR-2025-ALE-008:\n", display_cve_info("CERTFR-2025-ALE-008", df_flux_rss))
print("\nTest CVE | CERTFR-2025-AVI-0512:\n",display_cve_info("CERTFR-2025-AVI-0512", df_flux_rss))


--- CVE Info for ID: CERTFR-2025-ALE-008 ---
CVEs found:
  Malformed CVE entry: CVE-2025-49113

Test CVE | CERTFR-2025-ALE-008:
 None

--- CVE Info for ID: CERTFR-2025-AVI-0512 ---
CVEs found:
  Malformed CVE entry: CVE-2025-0917
  Malformed CVE entry: CVE-2018-19361
  Malformed CVE entry: CVE-2023-29483
  Malformed CVE entry: CVE-2021-33036
  Malformed CVE entry: CVE-2019-17267
  Malformed CVE entry: CVE-2024-22201
  Malformed CVE entry: CVE-2025-27516
  Malformed CVE entry: CVE-2018-14719
  Malformed CVE entry: CVE-2020-9546
  Malformed CVE entry: CVE-2024-28757
  Malformed CVE entry: CVE-2025-47944
  Malformed CVE entry: CVE-2024-12797
  Malformed CVE entry: CVE-2025-30065
  Malformed CVE entry: CVE-2025-27219
  Malformed CVE entry: CVE-2024-25638
  Malformed CVE entry: CVE-2023-45853
  Malformed CVE entry: CVE-2017-9047
  Malformed CVE entry: CVE-2020-9548
  Malformed CVE entry: CVE-2023-45288
  Malformed CVE entry: CVE-2023-45178
  Malformed CVE entry: CVE-2024-47076
  Malformed 

Etape 3 - Enrichissement des CVE

In [7]:
def connexion_to_apis(cve_id, verbose=None):
    # CVE API
    url = f"https://cveawg.mitre.org/api/cve/{cve_id}"
    response = req.get(url)

    if response.status_code != 200:
        if verbose:
            print(f"Erreur: impossible d'accéder à l'API CVE pour {cve_id}. Statut: {response.status_code}")
        return None
    try:
        data = response.json()
    except req.exceptions.JSONDecodeError:
        if verbose:
            print(f"Erreur: Impossible de décoder la réponse JSON de l'API CVE pour {cve_id}.")
        return None

    # Description
    description = None
    desc_list = data.get("containers", {}).get("cna", {}).get("descriptions", [])
    for d in desc_list:
        if d.get("lang") == "en":
            description = d.get("value")
            break

    # CVSS score & base severity
    cvss_score = None
    base_severity = None
    metrics = data.get("containers", {}).get("cna", {}).get("metrics", [])
    if metrics:
        for metric in metrics:
            for key in ["cvssV3_1", "cvssV3_0", "cvssV2"]:
                if key in metric:
                    cvss_score = metric[key].get("baseScore")
                    base_severity = metric[key].get("baseSeverity")
            if cvss_score is not None:
                break

    # CWE(s)
    cwes = []
    problem_types = data.get("containers", {}).get("cna", {}).get("problemTypes", [])
    for pt in problem_types:
        for desc in pt.get("descriptions", []):
            if desc.get("lang") == "en":
                cwes.append(desc.get("cweId"))

    # Produits & versions affectés
    affected_products = []
    affected = data.get("containers", {}).get("cna", {}).get("affected", [])
    for prod in affected:
        vendor = prod.get("vendor")
        product = prod.get("product")
        versions = prod.get("versions", [])
        version_lst = []
        for elt in versions:
            version = elt.get("version", None)
            if version == "unspecified":
                if elt.get("lessThan") is not None:
                    version = f">{elt.get('lessThan')}"
            version_lst.append(version)
        affected_prod = {
            "vendor": vendor,
            "product": product,
            "versions": version_lst,
        }
        affected_products.append(affected_prod)


    # EPSS API
    url = f"https://api.first.org/data/v1/epss?cve={cve_id}"
    response = req.get(url)

    if response.status_code != 200:
        if verbose:
            print(f"Erreur: impossible d'accéder à l'API EPSS pour {cve_id}. Statut: {response.status_code}")
        return None
    try:
        data = response.json()
    except req.exceptions.JSONDecodeError:
        if verbose:
            print(f"Erreur: Impossible de décoder la réponse JSON de l'API EPSS pour {cve_id}.")
        return None

    # EPSS score
    infos = data["data"]
    epss_score = None
    epss_percentile = None
    if infos:
        epss_info = infos[0]
        epss_score = epss_info.get("epss", None)
        epss_percentile = epss_info.get("percentile", None)

    return {
        "CVE_id": cve_id,
        "Description": description,
        "CVSS_score": cvss_score,
        "Base_severity": base_severity,
        "CWE": cwes,
        "Affected_products": affected_products,
        "EPSS_score": epss_score,
        "EPSS_percentile": epss_percentile
    }


In [8]:
set_cve_uniques = set() #unique values

cve_list=df_flux_rss["CVE"]
for cve_list in df_flux_rss["CVE"]:
    for cve_id in cve_list:  # cve_list est une liste de dicts
        set_cve_uniques.add(cve_id)
print(set_cve_uniques)

{'CVE-2024-25638', 'CVE-2024-53168', 'CVE-2024-55573', 'CVE-2024-4603', 'CVE-2023-48786', 'CVE-2023-6780', 'CVE-2021-38593', 'CVE-2022-49080', 'CVE-2024-37529', 'CVE-2025-21854', 'CVE-2023-52606', 'CVE-2025-37958', 'CVE-2024-58009', 'CVE-2018-5711', 'CVE-2025-21796', 'CVE-2023-51385', 'CVE-2024-50029', 'CVE-2025-21728', 'CVE-2025-49709', 'CVE-2024-57882', 'CVE-2023-1916', 'CVE-2020-3992', 'CVE-2025-24068', 'CVE-2025-23138', 'CVE-2023-50298', 'CVE-2025-22486', 'CVE-2025-22115', 'CVE-2024-26596', 'CVE-2025-20163', 'CVE-2025-0282', 'CVE-2025-3052', 'CVE-2023-42115', 'CVE-2025-21767', 'CVE-2025-37785', 'CVE-2025-21913', 'CVE-2025-43577', 'CVE-2025-42999', 'CVE-2022-49564', 'CVE-2025-37886', 'CVE-2024-49766', 'CVE-2025-1516', 'CVE-2023-29184', 'CVE-2025-5281', 'CVE-2025-27789', 'CVE-2025-32316', 'CVE-2025-37798', 'CVE-2025-21875', 'CVE-2025-49113', 'CVE-2022-49830', 'CVE-2024-58070', 'CVE-2023-53131', 'CVE-2025-37842', 'CVE-2025-21743', 'CVE-2025-22021', 'CVE-2024-56326', 'CVE-2025-22055', 

In [9]:
liste_cve_info = []

for cve_id in set_cve_uniques:
    data = connexion_to_apis(cve_id)  
    #print(f"\n{data} for {cve_id}")
    if data:
        liste_cve_info.append(data)

In [10]:
df_cves = pd.DataFrame(liste_cve_info)

print(df_cves.info())
print(df_cves.head())
print(df_cves.tail())

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 1105 entries, 0 to 1104
Data columns (total 8 columns):
 #   Column             Non-Null Count  Dtype  
---  ------             --------------  -----  
 0   CVE_id             1105 non-null   object 
 1   Description        1023 non-null   object 
 2   CVSS_score         325 non-null    float64
 3   Base_severity      325 non-null    object 
 4   CWE                1105 non-null   object 
 5   Affected_products  1105 non-null   object 
 6   EPSS_score         1100 non-null   object 
 7   EPSS_percentile    1100 non-null   object 
dtypes: float64(1), object(7)
memory usage: 69.2+ KB
None
           CVE_id                                        Description  \
0  CVE-2024-25638  dnsjava is an implementation of DNS in Java. R...   
1  CVE-2024-53168  In the Linux kernel, the following vulnerabili...   
2  CVE-2024-55573  An issue was discovered in Centreon centreon-w...   
3   CVE-2024-4603  Issue summary: Checking excessively long DSA k...

Etape 4 - Consolidation des Données

In [None]:
''' Current dataframes and their contents:
df_flux_rss : Id, Title, Type, Link, Published, Summary, CVE(list)
df_cves : CVE_id, Description, CVSS_score, Base_severity, CWE, Affected_products(dictionnaire), EPSS_score, EPSS_percentile

Wanted dataframe:
df_consolidated : Id, Link, Title, Type, Published, Summary, CVE_id, Description, CVSS_score, Base_severity, EPSS_score, EPSS_percentile, CWE, vendor, product, version


df_flux_rss_exploded = df_flux_rss.explode('CVE')

df_consolidated = pd.merge(df_flux_rss_exploded, df_cves, left_on="CVE", right_on="CVE_id", how="left")
# Reorder the columns in the desired order 
df_consolidated = df_consolidated[[
    "Id", "Link", "Title", "Type", "Published", "Summary",
    "CVE_id", "Description", "CVSS_score", "Base_severity",
    "CWE", "Affected_products", "EPSS_score", "EPSS_percentile"
]]

print("\nConsolidated DataFrame Info:")
print(df_consolidated.info())
print("\nConsolidated DataFrame Head:")
print(df_consolidated.head())
print("\nConsolidated DataFrame Tail:") 
print(df_consolidated.tail())'''


Consolidated DataFrame Info:
<class 'pandas.core.frame.DataFrame'>
RangeIndex: 1282 entries, 0 to 1281
Data columns (total 14 columns):
 #   Column             Non-Null Count  Dtype              
---  ------             --------------  -----              
 0   Id                 1282 non-null   object             
 1   Link               1282 non-null   object             
 2   Title              1282 non-null   object             
 3   Type               1282 non-null   object             
 4   Published          1282 non-null   datetime64[ns, UTC]
 5   Summary            1282 non-null   object             
 6   CVE_id             1253 non-null   object             
 7   Description        1166 non-null   object             
 8   CVSS_score         344 non-null    float64            
 9   Base_severity      344 non-null    object             
 10  CWE                1253 non-null   object             
 11  Affected_products  1253 non-null   object             
 12  EPSS_score        

In [None]:
df_flux_exploded = df_flux_rss.explode('CVE')  # une ligne par CVE

# Convertir les dictionnaires de 'Affected_products' en DataFrame à part
affected_rows = []

for _, row in df_cves.iterrows():
    cve_id = row['CVE_id']
    products = row['Affected_products']
    for prod in products:
        affected_rows.append({
            'CVE_id': cve_id,
            'vendor': prod.get('vendor'),
            'product': prod.get('product'),
            'version': prod.get('versions', [])
        })

df_products = pd.DataFrame(affected_rows)

# Exploser les DataFrames pour avoir une ligne par trucs
df_prod_exploded = df_products.explode('version')
df_cves_exploded = df_cves.explode('CWE')

# Fusionner df_cves avec les produits détaillés
df_cves_flat = pd.merge(df_cves_exploded.drop(columns=['Affected_products']), df_prod_exploded, on='CVE_id', how='left')

# Fusion finale avec les flux RSS
df_consolidated = pd.merge(
    df_flux_exploded,
    df_cves_flat,
    left_on='CVE',
    right_on='CVE_id',
    how='left'
)

# Réorganiser les colonnes
df_consolidated = df_consolidated[[
    'Id', 'Link', 'Title', 'Type', 'Published', 'Summary',
    'CVE_id', 'Description', 'CVSS_score', 'Base_severity',
    'EPSS_score', 'EPSS_percentile', 'CWE',
    'vendor', 'product', 'version'
]]

In [None]:
df_consolidated.head(2)
#ATTENTION: La colonne 'version' peut contenir des listes mal gerer donnant des celulle avec : '>= 42.7.4, < 42.7.7'

Unnamed: 0,Id,Link,Title,Type,Published,Summary,CVE_id,Description,CVSS_score,Base_severity,EPSS_score,EPSS_percentile,CWE,vendor,product,version
0,CERTFR-2025-AVI-0515,https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-...,Vulnérabilité dans Grafana,Avis,2025-06-16 00:00:00+00:00,Une vulnérabilité a été découverte dans Grafan...,,,,,,,,,,
1,CERTFR-2025-AVI-0514,https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-...,Vulnérabilité dans PostgreSQL JDBC,Avis,2025-06-16 00:00:00+00:00,Une vulnérabilité a été découverte dans Postgr...,CVE-2025-49146,pgjdbc is an open source postgresql JDBC Drive...,8.2,HIGH,0.00014,0.01669,CWE-287,pgjdbc,pgjdbc,">= 42.7.4, < 42.7.7"


In [59]:
# Convert dataframe to CSV
df_consolidated.to_csv("DataFrame_Complet.csv", index=False, encoding='utf-8-sig')