Build a local copy of CPE(Common Platform Enumeration)
Switch branches/tags
Nothing to show
Clone or download
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
commands V0.2.0 (#7) Sep 25, 2018
config V0.2.0 (#7) Sep 25, 2018
cpe V0.2.0 (#7) Sep 25, 2018
db V0.2.0 (#7) Sep 25, 2018
models V0.2.0 (#7) Sep 25, 2018
nvd support nvd json v1 (#11) Nov 7, 2018
testutil V0.2.0 (#7) Sep 25, 2018
util V0.2.0 (#7) Sep 25, 2018
.gitignore V0.2.0 (#7) Sep 25, 2018
GNUmakefile V0.2.0 (#7) Sep 25, 2018
Gopkg.lock V0.2.0 (#7) Sep 25, 2018
Gopkg.toml V0.2.0 (#7) Sep 25, 2018
LICENSE Initial commit Apr 16, 2016
README.md Remove changelog link from README (#9) Oct 29, 2018
main.go V0.2.0 (#7) Sep 25, 2018
make V0.2.0 (#7) Sep 25, 2018

README.md

go-cpe-dictionary

This is tool to build a local copy of the CPE (Common Platform Enumeration) [1].

CPE is a structured naming scheme for information technology systems, software, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name.

go-cpe-dictionary download CPE data from NVD (National Vulnerabilities Database) [2]. Copy is generated in sqlite format.

[1] https://nvd.nist.gov/cpe.cfm
[2] https://en.wikipedia.org/wiki/National_Vulnerability_Database

asciicast

Install requirements

go-cpe-dictionary requires the following packages.

$ sudo yum -y install sqlite git gcc
$ wget https://storage.googleapis.com/golang/go1.6.linux-amd64.tar.gz
$ sudo tar -C /usr/local -xzf go1.6.linux-amd64.tar.gz
$ mkdir $HOME/go

Put these lines into /etc/profile.d/goenv.sh

export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin

Set the OS environment variable to current shell

$ source /etc/profile.d/goenv.sh

Deploy go-cpe-dictionary

To install:

$ mkdir -p $GOPATH/src/github.com/kotakanbe
$ cd $GOPATH/src/github.com/kotakanbe
$ git clone https://github.com/kotakanbe/go-cpe-dictionary.git
$ cd go-cpe-dictionary
$ make install

Fetch CPE data from NVD. It takes about 1 minutes.

$ go-cpe-dictionary fetch
... snip ...
$ ls -alh cpe.sqlite3
-rw-r--r-- 1 ec2-user ec2-user 7.0M Mar 24 13:20 cpe.sqlite3

Now we have a local copy of CPE data in sqlite3.

How to search CPE name by application name

This example use Peco for incremental search.

$ ls cpe.sqlite3
cpe.db
$ sqlite3 ./cpe.sqlite3 'select cpe_uri from categorized_cpes' | peco

asciicast

Usage:

$ go-cpe-dictionary -help
Usage of ./go-cpe-dictionary:
  -dbpath string
        /path/to/sqlite3/datafile (default "/Users/kotakanbe/go/src/github.com/kotakanbe/go-cpe-dictionary/cpe.db")
  -dump-path string
        /path/to/dump.json (default "/Users/kotakanbe/go/src/github.com/kotakanbe/go-cpe-dictionary/cpe.json")
  -fetch
        Fetch CPE data from NVD
  -http-proxy string
        HTTP Proxy URL (http://proxy-server:8080)
  -load
        load CPE data from dumpfile
  -v    Debug mode
  -vv
        SQL debug mode

Misc

  • HTTP Proxy Support
    If your system is behind HTTP proxy, you have to specify --http-proxy option.

  • How to cross compile

    $ cd /path/to/your/local-git-reporsitory/go-cpe-dictionary
    $ GOOS=linux GOARCH=amd64 go build -o cvedict.amd64
  • Debug
    Run with --debug, --sql-debug option.


Data Source


Authors

kotakanbe (@kotakanbe) created go-cpe-dictionary and these fine people have contributed.


Contribute

  1. fork a repository: github.com/kotakanbe/go-cpe-dictionary to github.com/you/repo
  2. get original code: go get github.com/kotakanbe/go-cpe-dictionary
  3. work on original code
  4. add remote to your repo: git remote add myfork https://github.com/you/repo.git
  5. push your changes: git push myfork
  6. create a new Pull Request

Licence

Please see LICENSE.


Additional License

How can my organization use the NVD data within our own products and services?
All NVD data is freely available from our XML Data Feeds. There are no fees, licensing restrictions, or even a requirement to register. All NIST publications are available in the public domain according to Title 17 of the United States Code. Acknowledgment of the NVD when using our information is appreciated. In addition, please email nvd@nist.gov to let us know how the information is being used.