This repository has been archived by the owner on Oct 5, 2022. It is now read-only.

jacksimple/simple-cve-api

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

29 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Simple CVE API

Provides a simple HTTP API built with FastAPI to query cvelist data.

Getting Started

This code will build an SQLite database using cvelist, and then provide a FastAPI endpoint that can be used for querying.

Building

This should be as straightforward as building and running the container:

# building
docker image build -t simple_cve_api:latest .

# running
docker container run --publish 8000:8000 simple_cve_api:latest

Note: as part of the build process, the Dockerfile does a git pull of cvelist to generate the SQLite database. I had ambitiously tried to do this nicely with submodules, but couldn't find a good way to keep things synced.

Running Tests

A small test suite is included and can be run with:

pytest

Examples

Query CVE ID

curl -X GET "http://localhost:8000/v1/cve/cve-2019-10842" -H "accept: application/json"

Response

[
  {
    "affects": {
      "vendor": {
        "vendor_data": [
          {
            "product": {
              "product_data": [
                {
                  "product_name": "n/a",
                  "version": {
                    "version_data": [
                      {
                        "version_value": "n/a"
                      }
                    ]
                  }
                }
              ]
            },
            "vendor_name": "n/a"
          }
        ]
      }
    },
    "cve_data_meta": {
      "ASSIGNER": "cve@mitre.org",
      "ID": "CVE-2019-10842",
      "STATE": "PUBLIC"
    },
    "description": {
      "description_data": [
        {
          "lang": "eng",
          "value": "Arbitrary code execution (via backdoor code) was discovered in bootstrap-sass 3.2.0.3, when downloaded from rubygems.org. An unauthenticated attacker can craft the ___cfduid cookie value with base64 arbitrary code to be executed via eval(), which can be leveraged to execute arbitrary code on the target system. Note that there are three underscore characters in the cookie name. This is unrelated to the __cfduid cookie that is legitimately used by Cloudflare."
        }
      ]
    },
    "problemtype": {
      "problemtype_data": [
        {
          "description": [
            {
              "lang": "eng",
              "value": "n/a"
            }
          ]
        }
      ]
    },
    "cve_references": {
      "reference_data": [
        {
          "url": "https://github.com/twbs/bootstrap-sass/issues/1195",
          "refsource": "MISC",
          "name": "https://github.com/twbs/bootstrap-sass/issues/1195"
        },
        {
          "url": "https://snyk.io/blog/malicious-remote-code-execution-backdoor-discovered-in-the-popular-bootstrap-sass-ruby-gem/",
          "refsource": "MISC",
          "name": "https://snyk.io/blog/malicious-remote-code-execution-backdoor-discovered-in-the-popular-bootstrap-sass-ruby-gem/"
        },
        {
          "url": "https://snyk.io/vuln/SNYK-RUBY-BOOTSTRAPSASS-174093",
          "refsource": "MISC",
          "name": "https://snyk.io/vuln/SNYK-RUBY-BOOTSTRAPSASS-174093"
        },
        {
          "refsource": "MISC",
          "name": "http://dgb.github.io/2019/04/05/bootstrap-sass-backdoor.html",
          "url": "http://dgb.github.io/2019/04/05/bootstrap-sass-backdoor.html"
        }
      ]
    },
    "data_format": "MITRE",
    "data_type": "CVE",
    "data_version": "4.0"
  }
]

Search for string

Note: This response is limited to 100 results.

curl -X GET "http://localhost:8000/v1/search/?q=bootstrap-sass" -H "accept: application/json"

Response

[
  {
    "affects": {
      "vendor": {
        "vendor_data": [
          {
            "product": {
              "product_data": [
                {
                  "product_name": "n/a",
                  "version": {
                    "version_data": [
                      {
                        "version_value": "n/a"
                      }
                    ]
                  }
                }
              ]
            },
            "vendor_name": "n/a"
          }
        ]
      }
    },
    "cve_data_meta": {
      "ASSIGNER": "cve@mitre.org",
      "ID": "CVE-2019-10842",
      "STATE": "PUBLIC"
    },
    "description": {
      "description_data": [
        {
          "lang": "eng",
          "value": "Arbitrary code execution (via backdoor code) was discovered in bootstrap-sass 3.2.0.3, when downloaded from rubygems.org. An unauthenticated attacker can craft the ___cfduid cookie value with base64 arbitrary code to be executed via eval(), which can be leveraged to execute arbitrary code on the target system. Note that there are three underscore characters in the cookie name. This is unrelated to the __cfduid cookie that is legitimately used by Cloudflare."
        }
      ]
    },
    "problemtype": {
      "problemtype_data": [
        {
          "description": [
            {
              "lang": "eng",
              "value": "n/a"
            }
          ]
        }
      ]
    },
    "cve_references": {
      "reference_data": [
        {
          "url": "https://github.com/twbs/bootstrap-sass/issues/1195",
          "refsource": "MISC",
          "name": "https://github.com/twbs/bootstrap-sass/issues/1195"
        },
        {
          "url": "https://snyk.io/blog/malicious-remote-code-execution-backdoor-discovered-in-the-popular-bootstrap-sass-ruby-gem/",
          "refsource": "MISC",
          "name": "https://snyk.io/blog/malicious-remote-code-execution-backdoor-discovered-in-the-popular-bootstrap-sass-ruby-gem/"
        },
        {
          "url": "https://snyk.io/vuln/SNYK-RUBY-BOOTSTRAPSASS-174093",
          "refsource": "MISC",
          "name": "https://snyk.io/vuln/SNYK-RUBY-BOOTSTRAPSASS-174093"
        },
        {
          "refsource": "MISC",
          "name": "http://dgb.github.io/2019/04/05/bootstrap-sass-backdoor.html",
          "url": "http://dgb.github.io/2019/04/05/bootstrap-sass-backdoor.html"
        }
      ]
    },
    "data_format": "MITRE",
    "data_type": "CVE",
    "data_version": "4.0"
  }
]
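The flow described under Getting Started (load cvelist records into SQLite, then serve lookups) and the two endpoints shown above, as an added example that is not the simple-cve-api project's own code. The table schema, function names and the two sample records are assumptions; the records follow the response shape shown in this README, the ID lookup is case-normalised to mirror the lower-case `cve-2019-10842` in the curl example, and the search is capped at 100 results as the note above states.

```python
"""Ingest cvelist-style records into SQLite and query them (illustrative example,
not the simple-cve-api project's own code; schema and names are assumptions)."""
import json
import sqlite3

# Constructed records in the shape of the README's response (trimmed to the fields
# the queries below touch). The descriptions are constructed summaries.
SAMPLE_RECORDS = [
    {
        "cve_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-10842", "STATE": "PUBLIC"},
        "description": {"description_data": [{"lang": "eng", "value": "Backdoor in bootstrap-sass 3.2.0.3 (constructed summary)"}]},
        "cve_references": {"reference_data": [{"url": "https://github.com/twbs/bootstrap-sass/issues/1195", "refsource": "MISC", "name": "issue 1195"}]},
    },
    {
        "cve_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2000-0001", "STATE": "PUBLIC"},
        "description": {"description_data": [{"lang": "eng", "value": "Unrelated constructed entry"}]},
        "cve_references": {"reference_data": []},
    },
]
MAX_RESULTS = 100  # the README notes that search responses are limited to 100 results

def build_db(records):
    """Load records into an in-memory SQLite table keyed by upper-cased CVE ID."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cve (id TEXT PRIMARY KEY, description TEXT, raw TEXT)")
    for rec in records:
        cve_id = rec["cve_data_meta"]["ID"].upper()
        desc = " ".join(d["value"] for d in rec["description"]["description_data"] if d["lang"] == "eng")
        db.execute("INSERT OR REPLACE INTO cve VALUES (?, ?, ?)", (cve_id, desc, json.dumps(rec)))
    db.commit()
    return db

def get_cve(db, cve_id):
    """Lookup by ID (assumed normalisation so 'cve-2019-10842' matches 'CVE-2019-10842')."""
    row = db.execute("SELECT raw FROM cve WHERE id = ?", (cve_id.upper(),)).fetchone()
    return json.loads(row[0]) if row else None

def search(db, q, limit=MAX_RESULTS):
    """Case-insensitive substring search over descriptions, capped like the API.
    The query is bound as a parameter, never spliced into the SQL text, and LIKE
    wildcards in q are escaped so a '%' or '_' cannot widen the match."""
    escaped = q.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = db.execute(
        "SELECT raw FROM cve WHERE description LIKE ? ESCAPE '\\' LIMIT ?",
        ("%" + escaped + "%", limit),
    ).fetchall()
    return [json.loads(r[0]) for r in rows]
```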

License

This project is licensed under the MIT License - see the LICENSE file for details.
