Provides a simple HTTP API built with FastAPI to query cvelist data.
This code will build an SQLite database using cvelist, and then provide a FastAPI endpoint that can be used for querying.
This should be as straightforward as building and running the container:
# building
docker image build -t simple_cve_api:latest .
# running
docker container run --publish 8000:8000 simple_cve_api:latest
Note: As part of the build process the Dockerfile will do a git pull of cvelist to generate the SQLite database. I had ambitiously tried to do this nicely with submodules, but couldn't find a good way to keep things synced.
A small test suite is included and can be run with:
pytest
curl -X GET "http://localhost:8000/v1/cve/cve-2019-10842" -H "accept: application/json"
[
  {
    "affects": {
      "vendor": {
        "vendor_data": [
          {
            "product": {
              "product_data": [
                {
                  "product_name": "n/a",
                  "version": {
                    "version_data": [
                      {
                        "version_value": "n/a"
                      }
                    ]
                  }
                }
              ]
            },
            "vendor_name": "n/a"
          }
        ]
      }
    },
    "cve_data_meta": {
      "ASSIGNER": "cve@mitre.org",
      "ID": "CVE-2019-10842",
      "STATE": "PUBLIC"
    },
    "description": {
      "description_data": [
        {
          "lang": "eng",
          "value": "Arbitrary code execution (via backdoor code) was discovered in bootstrap-sass 3.2.0.3, when downloaded from rubygems.org. An unauthenticated attacker can craft the ___cfduid cookie value with base64 arbitrary code to be executed via eval(), which can be leveraged to execute arbitrary code on the target system. Note that there are three underscore characters in the cookie name. This is unrelated to the __cfduid cookie that is legitimately used by Cloudflare."
        }
      ]
    },
    "problemtype": {
      "problemtype_data": [
        {
          "description": [
            {
              "lang": "eng",
              "value": "n/a"
            }
          ]
        }
      ]
    },
    "cve_references": {
      "reference_data": [
        {
          "url": "https://github.com/twbs/bootstrap-sass/issues/1195",
          "refsource": "MISC",
          "name": "https://github.com/twbs/bootstrap-sass/issues/1195"
        },
        {
          "url": "https://snyk.io/blog/malicious-remote-code-execution-backdoor-discovered-in-the-popular-bootstrap-sass-ruby-gem/",
          "refsource": "MISC",
          "name": "https://snyk.io/blog/malicious-remote-code-execution-backdoor-discovered-in-the-popular-bootstrap-sass-ruby-gem/"
        },
        {
          "url": "https://snyk.io/vuln/SNYK-RUBY-BOOTSTRAPSASS-174093",
          "refsource": "MISC",
          "name": "https://snyk.io/vuln/SNYK-RUBY-BOOTSTRAPSASS-174093"
        },
        {
          "refsource": "MISC",
          "name": "http://dgb.github.io/2019/04/05/bootstrap-sass-backdoor.html",
          "url": "http://dgb.github.io/2019/04/05/bootstrap-sass-backdoor.html"
        }
      ]
    },
    "data_format": "MITRE",
    "data_type": "CVE",
    "data_version": "4.0"
  }
]
Note: This response is limited to 100 results.
curl -X GET "http://localhost:8000/v1/search/?q=bootstrap-sass" -H "accept: application/json"
[
  {
    "affects": {
      "vendor": {
        "vendor_data": [
          {
            "product": {
              "product_data": [
                {
                  "product_name": "n/a",
                  "version": {
                    "version_data": [
                      {
                        "version_value": "n/a"
                      }
                    ]
                  }
                }
              ]
            },
            "vendor_name": "n/a"
          }
        ]
      }
    },
    "cve_data_meta": {
      "ASSIGNER": "cve@mitre.org",
      "ID": "CVE-2019-10842",
      "STATE": "PUBLIC"
    },
    "description": {
      "description_data": [
        {
          "lang": "eng",
          "value": "Arbitrary code execution (via backdoor code) was discovered in bootstrap-sass 3.2.0.3, when downloaded from rubygems.org. An unauthenticated attacker can craft the ___cfduid cookie value with base64 arbitrary code to be executed via eval(), which can be leveraged to execute arbitrary code on the target system. Note that there are three underscore characters in the cookie name. This is unrelated to the __cfduid cookie that is legitimately used by Cloudflare."
        }
      ]
    },
    "problemtype": {
      "problemtype_data": [
        {
          "description": [
            {
              "lang": "eng",
              "value": "n/a"
            }
          ]
        }
      ]
    },
    "cve_references": {
      "reference_data": [
        {
          "url": "https://github.com/twbs/bootstrap-sass/issues/1195",
          "refsource": "MISC",
          "name": "https://github.com/twbs/bootstrap-sass/issues/1195"
        },
        {
          "url": "https://snyk.io/blog/malicious-remote-code-execution-backdoor-discovered-in-the-popular-bootstrap-sass-ruby-gem/",
          "refsource": "MISC",
          "name": "https://snyk.io/blog/malicious-remote-code-execution-backdoor-discovered-in-the-popular-bootstrap-sass-ruby-gem/"
        },
        {
          "url": "https://snyk.io/vuln/SNYK-RUBY-BOOTSTRAPSASS-174093",
          "refsource": "MISC",
          "name": "https://snyk.io/vuln/SNYK-RUBY-BOOTSTRAPSASS-174093"
        },
        {
          "refsource": "MISC",
          "name": "http://dgb.github.io/2019/04/05/bootstrap-sass-backdoor.html",
          "url": "http://dgb.github.io/2019/04/05/bootstrap-sass-backdoor.html"
        }
      ]
    },
    "data_format": "MITRE",
    "data_type": "CVE",
    "data_version": "4.0"
  }
]
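The two queries above (exact lookup by ID and free-text search capped at 100 results) can be served from SQLite with bound parameters, validated IDs and escaped LIKE wildcards. The following is an added sketch, not this project's own code: the table schema, the function names and the second sample record are assumptions made for illustration.

```python
import json
import re
import sqlite3

# Constructed sample in the CVE JSON 4.0 shape shown in the responses above (trimmed).
SAMPLE = [
    {"cve_data_meta": {"ID": "CVE-2019-10842", "STATE": "PUBLIC"},
     "description": {"description_data": [
         {"lang": "eng", "value": "Arbitrary code execution (via backdoor code) "
                                  "was discovered in bootstrap-sass 3.2.0.3."}]}},
    {"cve_data_meta": {"ID": "CVE-0000-0001", "STATE": "PUBLIC"},  # placeholder ID
     "description": {"description_data": [
         {"lang": "eng", "value": "Constructed record: 100% placeholder text."}]}},
]

CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")
MAX_RESULTS = 100  # the search response is limited to 100 results


def build_db(records):
    """Load records into an in-memory table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cve (id TEXT PRIMARY KEY, description TEXT, raw TEXT)")
    for rec in records:
        text = " ".join(d["value"] for d in rec["description"]["description_data"])
        db.execute("INSERT INTO cve VALUES (?, ?, ?)",
                   (rec["cve_data_meta"]["ID"], text, json.dumps(rec)))
    return db


def get_cve(db, cve_id):
    """Exact lookup; input is normalised and validated before it reaches SQL."""
    cve_id = cve_id.upper()
    if not CVE_ID.fullmatch(cve_id):
        raise ValueError("not a CVE identifier")
    rows = db.execute("SELECT raw FROM cve WHERE id = ?", (cve_id,)).fetchall()
    return [json.loads(r[0]) for r in rows]


def search(db, q):
    """Substring search with bound parameters and escaped LIKE wildcards."""
    pattern = "%" + re.sub(r"([\\%_])", r"\\\1", q) + "%"
    rows = db.execute(
        "SELECT raw FROM cve WHERE description LIKE ? ESCAPE '\\' "
        "ORDER BY id LIMIT ?", (pattern, MAX_RESULTS)).fetchall()
    return [json.loads(r[0]) for r in rows]
```

Without the wildcard escaping, a query of `%` or `_` would match every row instead of only descriptions containing that literal character.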
This project is licensed under the MIT License - see the LICENSE file for details.