| name | threatbook-vuln-intel |
|---|---|
| description | collect, normalize, enrich, and summarize vulnerability intelligence from the ThreatBook Online X vulnerability API and public internet sources. Use when the user asks to query ThreatBook vulnerability data, enrich CVE/XVE/CNVD/CNNVD/NVDB/CITIVD/UTSA/KVE identifiers with web intelligence, collect recent vulnerabilities, monitor vendor/product/component exposure, identify vulnerability type, protocol, attack surface, exploitation status, remediation, or generate defensive reports with WAF rule recommendations. |
Collect vulnerability intelligence from the ThreatBook Online X vulnerability API, enrich it with public internet intelligence when needed, normalize the evidence, deduplicate records, and produce defensive vulnerability reports for prioritization, remediation, detection planning, and WAF/virtual patch recommendations.
Use these bundled references as needed:

- `references/api-contract.md`: ThreatBook endpoint, supported parameters, response shape, pagination rules, and normalized schema.
- `references/web-enrichment.md`: public source search strategy, enrichment fields, protocol inference, vulnerability type classification, and WAF recommendation template.
The current ThreatBook API endpoint is:
https://api.threatbook.cn/v3/vuln
The API supports GET and POST. Prefer GET unless the user or environment requires POST.
Use an API key from the environment. Prefer, in order:

1. `THREATBOOK_API_KEY`
2. `THREATBOOK_APIKEY`
3. `THREATBOOK_TOKEN`
Never print secrets. Never include API keys in final reports, logs, filenames, or citations. If authentication is missing, tell the user to set one of the environment variables.
- Determine the query mode from the user's request:
  - exact vulnerability lookup by `vuln_id`, such as CVE, XVE, CNVD, CNNVD, NVDB, CITIVD, UTSA/UT, KVE, or KYSA
  - vendor query by `vendor`
  - product query by `product`
  - version-aware product query by `product` plus `version`
  - component query by `component_name` and optional `component_package_manager`
  - recent updates by `update_time`
  - recent ThreatBook collection by `threatbook_create_time`
  - high-risk filtering by `is_highrisk`
- Validate API limits:
  - `limit` must be 1 to 50.
  - `vuln_id` supports up to 100 comma-separated values; trial customers may be limited to 10.
  - `product` supports up to 100 comma-separated values; trial customers may be limited to 10.
  - `vendor`, `component_name`, and `component_package_manager` support only one exact value.
  - When `version` is used, `product` is required and must contain exactly one product.
- Run `scripts/fetch_threatbook_vuln.py` with the appropriate parameters.
- Normalize results into the schema in `references/api-contract.md`.
- Deduplicate by `xve_id`, then `cve_id`, then title plus publish time.
- Prioritize results using the priority rules below.
- If the user asks for internet collection, public intelligence, vulnerability type, protocol, WAF recommendations, or exploit maturity, or if ThreatBook fields are insufficient, perform web enrichment using `references/web-enrichment.md`.
- Produce the requested output format with citations for public web claims.
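An added example of the key lookup order, the parameter limits, and the deduplication rule from the steps above. This is editorial example code, not the bundled `scripts/fetch_threatbook_vuln.py`: the environment variable names, limits, and record fields `xve_id`, `cve_id`, `title`, and `publish_time` follow the text; the `trial` flag and the injectable `environ` mapping are illustration-only assumptions.

```python
import os

# Added example, not the bundled scripts/fetch_threatbook_vuln.py.
API_KEY_ENV_VARS = ("THREATBOOK_API_KEY", "THREATBOOK_APIKEY", "THREATBOOK_TOKEN")
MULTI_VALUE_LIMIT = 100        # vuln_id / product comma-separated values
TRIAL_MULTI_VALUE_LIMIT = 10   # trial customers may be capped here
SINGLE_VALUE_PARAMS = ("vendor", "component_name", "component_package_manager")


def load_api_key(environ=None):
    """Return (variable name, key) from the first populated variable in preference order.

    The caller puts the key in the request; never log, print, or cite it.
    `environ` is an injectable mapping for testing (assumption for this example)."""
    environ = os.environ if environ is None else environ
    for name in API_KEY_ENV_VARS:
        value = environ.get(name, "").strip()
        if value:
            return name, value
    raise RuntimeError("no ThreatBook API key found; set one of: " + ", ".join(API_KEY_ENV_VARS))


def _split_csv(value):
    return [v.strip() for v in str(value).split(",") if v.strip()]


def validate_params(params, trial=False):
    """Check a request against the documented limits; return a list of violations (empty = valid)."""
    errors = []
    multi_limit = TRIAL_MULTI_VALUE_LIMIT if trial else MULTI_VALUE_LIMIT
    limit = params.get("limit")
    if limit is not None and (isinstance(limit, bool) or not isinstance(limit, int) or not 1 <= limit <= 50):
        errors.append("limit must be an integer from 1 to 50")
    for name in ("vuln_id", "product"):
        if name in params and len(_split_csv(params[name])) > multi_limit:
            errors.append(f"{name} accepts at most {multi_limit} comma-separated values")
    for name in SINGLE_VALUE_PARAMS:
        if name in params and len(_split_csv(params[name])) != 1:
            errors.append(f"{name} accepts exactly one value")
    if "version" in params and len(_split_csv(params.get("product", ""))) != 1:
        errors.append("version requires product with exactly one product")
    return errors


def _empty(value):
    return value in (None, "", [], {})


def dedupe_records(records):
    """Merge duplicates by xve_id, then cve_id, then title plus publish time.

    The first record seen wins; later duplicates only fill fields the kept record lacks."""
    kept, by_xve, by_cve, by_title = [], {}, {}, {}
    for record in records:
        existing = None
        if record.get("xve_id"):
            existing = by_xve.get(record["xve_id"])
        if existing is None and record.get("cve_id"):
            existing = by_cve.get(record["cve_id"])
        if existing is None:
            existing = by_title.get((record.get("title"), record.get("publish_time")))
        if existing is None:
            existing = dict(record)
            kept.append(existing)
        else:
            for field, value in record.items():
                if _empty(existing.get(field)) and not _empty(value):
                    existing[field] = value
        # Re-index under every identifier the merged record now carries.
        if existing.get("xve_id"):
            by_xve[existing["xve_id"]] = existing
        if existing.get("cve_id"):
            by_cve[existing["cve_id"]] = existing
        by_title[(existing.get("title"), existing.get("publish_time"))] = existing
    return kept
```

Validation runs before the request so a trial-capped `vuln_id` list or a `version` without a single `product` is reported to the user instead of producing an opaque API error; deduplication re-indexes the kept record after each merge so a record that arrives with only a `cve_id` still collapses into one previously seen under its `xve_id`.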
Use web search whenever the task needs current public intelligence, source attribution, WAF recommendations, protocol/exposure inference, or confirmation beyond ThreatBook.
For each high-priority vulnerability:
- Search authoritative sources:
- vendor advisory or release notes
- NVD, CVE.org, CNVD/CNNVD, CISA KEV, OSV, GitHub Security Advisories
- maintainer issue trackers, commits, changelogs, and package registry advisories
- reputable security vendor writeups and incident reports
- PoC indexes only to confirm existence, not to reproduce exploit steps
- Extract and reconcile:
- vulnerability type
- affected protocol, service, endpoint, or dependency context
- default or common ports if applicable
- attack surface and exposure path
- exploit maturity and observed exploitation
- affected versions and fixed versions
- defensive indicators and safe detection clues
- WAF/virtual patch suggestions
- Cite public sources for important claims.
- Mark each enriched claim as `source-backed`, `inferred`, or `unknown` when ambiguity matters.
Use the bundled script for deterministic ThreatBook collection and normalization:

```bash
python scripts/fetch_threatbook_vuln.py --vuln-id CVE-2021-44228 --format markdown
```

Common examples:

```bash
python scripts/fetch_threatbook_vuln.py --update-time 1d --highrisk true --format markdown
python scripts/fetch_threatbook_vuln.py --product log4j --format csv --output threatbook_vulns.csv
python scripts/fetch_threatbook_vuln.py --vendor "Cisco Systems Inc." --limit 50 --all-pages --format json
python scripts/fetch_threatbook_vuln.py --component-name log4j-jars --component-package-manager maven --format markdown
```

For local testing with a saved API response:

```bash
python scripts/fetch_threatbook_vuln.py --input-file response.json --format markdown
```

Rank vulnerabilities higher when any of these are true:

- `has_kev` is true, indicating known exploitation or in-the-wild exploitation.
- `is_highrisk` is true.
- `has_poc_public` or `has_poc_threatbook` is true.
- `x_vpt.vpr` is 9.0 or higher.
- `cvss_v3.cvss_basic_score` is 9.0 or higher, or the CVSS grade is serious/critical/high.
- Public sources confirm active exploitation, mass scanning, weaponization, or CISA KEV inclusion.
- The title, vendor, product, component, protocol, endpoint, or CPE matches the user's stated assets.
- The vulnerability was recently published, updated, collected, or newly disclosed by the vendor.
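An added example, not part of the skill's bundled scripts, that turns the ranking rules above into a scoring function. The ThreatBook flag names (`has_kev`, `is_highrisk`, `has_poc_public`, `has_poc_threatbook`, `x_vpt.vpr`, `cvss_v3.cvss_basic_score`) come from the rules; the `cvss_grade` key, the P1 to P4 tier scheme, the seven-day recency window, and the shape of the web-enrichment dict are assumptions chosen for illustration.

```python
import time

# Added example, not part of the skill's bundled scripts.
RECENT_WINDOW_DAYS = 7   # assumption: "recently published/updated/collected" = last 7 days
ASSET_FIELDS = ("title", "vendor", "product", "component", "protocol", "endpoint", "cpe")
TIME_FIELDS = ("publish_time", "update_time", "threatbook_create_time")   # Unix seconds
WEB_EXPLOIT_FLAGS = ("active_exploitation", "mass_scanning", "weaponized", "cisa_kev")
EXPLOITED_RULES = {"has_kev", "web_exploitation"}
SEVERE_RULES = {"is_highrisk", "poc", "vpr>=9", "cvss"}


def _get(record, path, default=None):
    """Dotted lookup, e.g. _get(r, "x_vpt.vpr"); returns default on any missing level."""
    value = record
    for part in path.split("."):
        if not isinstance(value, dict):
            return default
        value = value.get(part, default)
    return value


def _num(value):
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def priority_reasons(record, assets=(), web=None, now=None):
    """Return the names of the ranking rules that fire for one normalized record.

    `web` is an optional dict of web-enrichment findings keyed by WEB_EXPLOIT_FLAGS
    (assumed shape); `now` is Unix seconds, injectable so the recency rule is testable."""
    web = web or {}
    now = time.time() if now is None else now
    reasons = []
    if record.get("has_kev") is True:
        reasons.append("has_kev")
    if record.get("is_highrisk") is True:
        reasons.append("is_highrisk")
    if record.get("has_poc_public") is True or record.get("has_poc_threatbook") is True:
        reasons.append("poc")
    vpr = _num(_get(record, "x_vpt.vpr"))
    if vpr is not None and vpr >= 9.0:
        reasons.append("vpr>=9")
    score = _num(_get(record, "cvss_v3.cvss_basic_score"))
    grade = str(_get(record, "cvss_v3.cvss_grade") or "").lower()   # key name assumed
    if (score is not None and score >= 9.0) or grade in ("serious", "critical", "high"):
        reasons.append("cvss")
    if any(web.get(flag) for flag in WEB_EXPLOIT_FLAGS):
        reasons.append("web_exploitation")
    haystack = " ".join(str(record.get(f) or "") for f in ASSET_FIELDS).lower()
    if any(a.lower() in haystack for a in assets if a):
        reasons.append("asset_match")
    for field in TIME_FIELDS:
        ts = _num(record.get(field))
        if ts is not None and 0 <= now - ts <= RECENT_WINDOW_DAYS * 86400:
            reasons.append("recent")
            break
    return reasons


def priority_tier(reasons):
    """Collapse fired rules into a tier (assumed scheme): P1 exploited, P2 severe or PoC,
    P3 only asset match / recency, P4 nothing fired."""
    fired = set(reasons)
    if fired & EXPLOITED_RULES:
        return "P1"
    if fired & SEVERE_RULES:
        return "P2"
    return "P3" if fired else "P4"


def prioritize(records, assets=(), web_by_id=None, now=None):
    """Annotate each record with priority/priority_reasons and return them best-first."""
    web_by_id = web_by_id or {}
    ranked = []
    for record in records:
        key = record.get("xve_id") or record.get("cve_id") or record.get("title")
        reasons = priority_reasons(record, assets, web_by_id.get(key), now)
        ranked.append({**record, "priority_reasons": reasons, "priority": priority_tier(reasons)})
    return sorted(ranked, key=lambda r: (r["priority"], -len(r["priority_reasons"])))
```

Keeping the fired rule names on each record matters more than the tier itself: the report's "risk conclusion" line can then say why a vulnerability ranks where it does (known exploitation versus a bare CVSS score), and a reviewer can spot a record that was promoted only by an asset-name substring match.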
When the user requests a report, summary, or internet-enriched intelligence, return markdown using this structure:

```markdown
# Vulnerability Intelligence Fusion Analysis Report

## Summary
- Data sources: ThreatBook API + public internet intelligence
- Query conditions: ...
- Total vulnerabilities: ...
- High-risk vulnerabilities: ...
- Known exploited vulnerabilities: ...
- Public PoC available: ...
- Requires priority handling: ...

## Priority Vulnerabilities
| Priority | Vulnerability ID | Name | Vulnerability Type | Protocol/Exposure | Risk Level | VPR | CVSSv3 | Known Exploitation | PoC | Remediation Status |
|---|---|---|---|---|---|---:|---:|---|---|---|

## Key Vulnerability Details
### [Vulnerability ID] [Vulnerability Name]
- Risk conclusion: ...
- Vulnerability type: ...
- Protocol/port/exposure: ...
- Affected scope: ...
- Exploitation status: ...
- ThreatBook evidence: ...
- Public internet intelligence: ...
- Remediation advice: ...
- References: ...

### WAF/Perimeter Protection Recommendations
- Applicable scope: HTTP/HTTPS / API / admin console / file upload / other
- Rule objective: block or alert on malicious requests related to [vulnerability type]
- Match locations: URI, Query, Body, Header, Cookie, filename, Content-Type, HTTP Method
- Suggested logic:
  1. [High-level detection logic, without directly reusable attack payloads]
  2. [Positive restriction or access control]
  3. [Rate limiting, authentication, source restriction, or virtual patch suggestion]
- False-positive risk: low/medium/high, with the reason
- Validation method: regression-test in a staging environment with safe samples and normal business requests, confirming critical business paths are unaffected

## Remediation Recommendations
1. Immediate action: ...
2. Short-term investigation: ...
3. Continuous monitoring: ...

## Information Gaps and Uncertainties
- ...
```

When there are many results, provide:
- Top 10 prioritized vulnerabilities with full enrichment.
- A compact table for the remaining vulnerabilities.
- A note explaining pagination, API limits, or web-enrichment coverage limits.
- Use the data for vulnerability management, exposure assessment, patch prioritization, detection planning, WAF/virtual patching, and remediation.
- Do not provide exploit walkthroughs, weaponized payloads, bypass strings, step-by-step exploitation guidance, or instructions to download and run PoC code.
- It is acceptable to report that PoC exists, whether ThreatBook has verified it, whether known exploitation exists, and what defensive controls can reduce exposure.
- Do not expand PoC descriptions into operational exploitation steps.
- For WAF rules, provide high-level matching logic and safe defensive examples only. Avoid complete attack payloads.
- Prefer vendor patches, upgrade paths, mitigations, compensating controls, detection logic, and validation plans in final recommendations.
- Do not invent missing fields. Use `unknown` for absent values.
- Preserve original identifiers: XVE, CVE, CNVD, CNNVD, NVDB, CITIVD, UTSA/UT, KVE, and KYSA.
- Convert Unix timestamps in seconds to ISO-like local date strings when presenting reports.
- When the API returns nested `intelligence`, `evaluation`, `pocs`, `solutions`, or `patches` under `impact`, still normalize them correctly.
- Clearly state when results are limited by pagination, API permissions, trial account limits, missing credentials, unavailable public sources, or inference uncertainty.
- Cite public web sources whenever web enrichment is used.
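An added example of the normalization rules above (`unknown` for absent values, identifiers copied verbatim, Unix seconds converted to date strings, and the `impact` sub-sections flattened) together with a gap listing for the report's information-gap section. This is editorial example code, not the skill's own normalizer or the schema in `references/api-contract.md`: the `impact.intelligence` / `evaluation` / `pocs` / `solutions` / `patches` keys come from the text, while the identifier, flag, and time field names and the sample record are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Added example, not the skill's own normalizer or its references/api-contract.md schema.
UNKNOWN = "unknown"
# Identifier key names are assumed; whatever they hold is copied verbatim, never rewritten.
ID_FIELDS = ("xve_id", "cve_id", "cnvd_id", "cnnvd_id", "nvdb_id", "citivd_id",
             "utsa_id", "kve_id", "kysa_id")
TIME_FIELDS = ("publish_time", "update_time", "threatbook_create_time")   # Unix seconds
IMPACT_SECTIONS = ("intelligence", "evaluation", "pocs", "solutions", "patches")
FLAG_FIELDS = ("is_highrisk", "has_kev", "has_poc_public", "has_poc_threatbook")


def to_iso(ts, utc=False):
    """Unix seconds -> 'YYYY-MM-DD HH:MM:SS' (local time unless utc=True); unparseable -> 'unknown'."""
    try:
        tz = timezone.utc if utc else None
        return datetime.fromtimestamp(int(ts), tz).strftime("%Y-%m-%d %H:%M:%S")
    except (TypeError, ValueError, OverflowError, OSError):
        return UNKNOWN


def _present(value):
    return value not in (None, "", [], {})


def normalize_record(raw, utc=False):
    """Flatten one raw API record into a reporting dict with 'unknown' for absent values."""
    rec = {}
    for field in ID_FIELDS:
        rec[field] = raw[field] if _present(raw.get(field)) else UNKNOWN
    rec["title"] = raw["title"] if _present(raw.get("title")) else UNKNOWN
    for field in TIME_FIELDS:
        rec[field] = to_iso(raw[field], utc) if _present(raw.get(field)) else UNKNOWN
    for field in FLAG_FIELDS:
        # Only a real boolean counts; a missing flag must not silently become False.
        rec[field] = raw[field] if isinstance(raw.get(field), bool) else UNKNOWN
    # Sections may arrive nested under impact or (assumed) at top level; prefer the nested copy.
    impact = raw.get("impact") if isinstance(raw.get("impact"), dict) else {}
    for section in IMPACT_SECTIONS:
        value = impact.get(section) if _present(impact.get(section)) else raw.get(section)
        rec[section] = value if _present(value) else UNKNOWN
    return rec


def gap_fields(rec):
    """Names of fields that are 'unknown', for the report's information-gap section."""
    return [field for field, value in rec.items() if value == UNKNOWN]
```

Treating a missing `has_kev` as `unknown` rather than `False` is the point of the flag handling: a downstream priority rule that tests `is True` then neither promotes nor quietly demotes a record the API said nothing about, and `gap_fields` surfaces exactly which evidence the report could not obtain.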