Some shell scripts to cross-reference public CVEs with a list of components described as a list of CPEs. I created those scripts for my own personal needs: they are simple and crude, without any proper options or input sanitization. Use them at your own risk.
Update Q1 2024: with the NVD's breaking changes to its API and JSON schema, we are obliged to do things differently.
Those scripts assume the following are in your $PATH:
- jq
- curl
- standard POSIX utilities like sh and awk (disclaimer: I use some common-but-not-POSIX awk options)
Those scripts have been tested on FreeBSD and GNU/Linux.
Create a tab-separated text file called cpe.tsv with whatever you want in the first column (usually package names) and CPE identifiers in the second column. Then:
# install prerequisites
pkg install jq curl
# create a new correlation report between your CPE and CVE
# with description, CVSS base vector and score
./cpe2cve.sh ./inventory/cpe.tsv
# if you have errors because the NVD API is down, you can resume your previous session
./cpe2cve.sh -x
You can add your own CVSS environmental vectors to the last report, then recalculate the CVSS scores with the following command:
./cve_calculate.sh ./reports/cve_somedate.tsv > ./reports/cve_somedate_with_env.tsv
Let's say you have an old report called cve_oldate.tsv that you edited by hand (environmental vectors only) and you want to make an update:
# create a new correlation
./cpe2cve.sh ./inventory/cpe.tsv
# comparison with the old report
./cve_compare.sh ./reports/cve_oldate.tsv ./reports/cve_newdate.tsv > ./reports/cve_newdate_consolidated.tsv
# then complete the report by hand with the missing CVSS environmental vectors, then re-run the calculations
./cve_calculate.sh ./reports/cve_newdate_consolidated.tsv > ./reports/cve_newdate_with_env.tsv
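What cve_calculate.sh does when it recalculates a score: it takes the base vector from the report and applies the environmental (and temporal) metrics you added to it. The shell function below is an added example, not the project's own script; it assumes a complete CVSS v3.1 base vector with any temporal and environmental metrics appended in the specification's single-string form, and prints the base score followed by the environmental score.

```shell
#!/bin/sh
# cvss31_score VECTOR: print "<base> <environmental>" for one CVSS v3.1 vector.
# Temporal (E/RL/RC) and environmental (MAV..MA, CR/IR/AR) metrics may be
# appended to the base vector, as in the specification's single-string form.
cvss31_score() {
    printf '%s\n' "$1" | awk -F/ '
    # Roundup from CVSS v3.1 appendix A; integer arithmetic avoids float noise
    function roundup(x,  i) { i = int(x * 100000 + 0.5)
        return (i % 10000 == 0) ? i / 100000 : (int(i / 10000) + 1) / 10 }
    # Privileges Required weight depends on the (possibly modified) scope
    function pr(v, s) {
        if (v == "N") return 0.85
        if (v == "L") return (s == "C") ? 0.68 : 0.62
        return (s == "C") ? 0.50 : 0.27 }
    # cr/ir/ar are 1 for the base score; modified=1 applies the MISS cap and
    # the modified-impact curve of the environmental score
    function score(AV, AC, PR, UI, S, C, I, A, cr, ir, ar, modified,  iss, imp, expl, sum) {
        iss = 1 - (1 - cr * cia[C]) * (1 - ir * cia[I]) * (1 - ar * cia[A])
        if (modified && iss > 0.915) iss = 0.915
        if (S == "U") imp = 6.42 * iss
        else if (modified) imp = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ^ 13
        else imp = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ^ 15
        if (imp <= 0) return 0
        expl = 8.22 * av[AV] * ac[AC] * pr(PR, S) * ui[UI]
        sum = (S == "U") ? imp + expl : 1.08 * (imp + expl)
        return roundup((sum < 10) ? sum : 10)
    }
    BEGIN {
        av["N"] = 0.85; av["A"] = 0.62; av["L"] = 0.55; av["P"] = 0.20
        ac["L"] = 0.77; ac["H"] = 0.44; ui["N"] = 0.85; ui["R"] = 0.62
        cia["H"] = 0.56; cia["L"] = 0.22; cia["N"] = 0
        req["H"] = 1.5; req["M"] = 1.0; req["L"] = 0.5; req["X"] = 1.0
        e["X"] = 1; e["H"] = 1; e["F"] = 0.97; e["P"] = 0.94; e["U"] = 0.91
        rl["X"] = 1; rl["U"] = 1; rl["W"] = 0.97; rl["T"] = 0.96; rl["O"] = 0.95
        rc["X"] = 1; rc["C"] = 1; rc["R"] = 0.96; rc["U"] = 0.92
        m["E"] = "X"; m["RL"] = "X"; m["RC"] = "X"; m["CR"] = "X"; m["IR"] = "X"; m["AR"] = "X"
    }
    {
        for (i = 1; i <= NF; i++) { split($i, kv, ":"); m[kv[1]] = kv[2] }
        # Modified metrics not supplied (or set to X) fall back to the base metric
        n = split("AV AC PR UI S C I A", b, " ")
        for (j = 1; j <= n; j++) { k = "M" b[j]; if (!(k in m) || m[k] == "X") m[k] = m[b[j]] }
        base = score(m["AV"], m["AC"], m["PR"], m["UI"], m["S"], m["C"], m["I"], m["A"], 1, 1, 1, 0)
        env = score(m["MAV"], m["MAC"], m["MPR"], m["MUI"], m["MS"], m["MC"], m["MI"], m["MA"],
                    req[m["CR"]], req[m["IR"]], req[m["AR"]], 1)
        printf "%.1f %.1f\n", base, roundup(env * e[m["E"]] * rl[m["RL"]] * rc[m["RC"]])
    }'
}
# Constructed sample: a 9.8 base vector for a host only reachable from the adjacent network
cvss31_score "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/MAV:A/CR:L"
```

Feed it the base vector column and your environmental column joined with "/" to check what a hand-edited report line should score before trusting the consolidated output.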