In [15]:
require 'csv'
require 'date'
require 'iruby'
require 'base64'
require 'gruff'
require 'daru'

# Helper to display a Gruff-generated RMagick image inline in Jupyter

def hacky_render(gruff_obj)
  # Gruff::Base subclasses have #to_image which returns an RMagick::Image
  png_data = gruff_obj.to_image.to_blob
  encoded = Base64.strict_encode64(png_data)
  IRuby.html("<img src='data:image/png;base64,#{encoded}' alt='Chart' />")
end

# Loads up data generated with `bin/generate_kev_context_csv.rb`

def load_rows(path = "./kev_flat.csv")
  rows = CSV.read(path, headers: true)

  rows.each do |r|
    # dates
    r["date_generated"]   = DateTime.parse(r["date_generated"]) rescue nil
    r["kev_date_added"]   = Date.parse(r["kev_date_added"]) rescue nil
    r["kev_date_due"]     = Date.parse(r["kev_date_due"]) rescue nil

    # CVSS
    r["cvss_base_score"]  = r["cvss_base_score"]&.to_f

    # EPSS
    r["epss_today"]      = r["epss_today"]&.to_f
    r["epss_percentile"] = r["epss_percentile"]&.to_f
    r["epss_delta"]      = r["epss_delta"]&.to_f

    # integers
    r["attck_technique_count"] = r["attck_technique_count"]&.to_i
    r["metasploit_module_count"] = r["metasploit_module_count"]&.to_i
    r["nuclei_template_count"] = r["nuclei_template_count"]&.to_i
  end

  rows
end

rows = load_rows
puts "Rows loaded: #{rows.size}"
[rows.headers,rows.find {|r| r['cve_id'] == 'CVE-2021-44228'}]

Rows loaded: 1483


[["cve_id", "schema_version", "date_generated", "kev_vulnerability_name", "kev_date_added", "kev_day_added", "kev_date_due", "kev_days_allotted", "kev_short_deadline", "kev_ransomware", "cvss_version", "cvss_attack_vector", "cvss_attack_complexity", "cvss_privileges_required", "cvss_scope", "cvss_user_interaction", "cvss_confidentiality_impact", "cvss_integrity_impact", "cvss_availability_impact", "cvss_vector_string", "cvss_base_score", "cvss_base_severity", "ssvc_exploitation", "ssvc_automatable", "ssvc_technical_impact", "epss_today", "epss_percentile", "epss_delta", "attck_technique_count", "attck_capability_groups", "has_metasploit", "metasploit_module_count", "min_metasploit_delta", "has_nuclei", "nuclei_template_count", "min_nuclei_delta"], #<CSV::Row "cve_id":"CVE-2021-44228" "schema_version":"1.0.0-dev" "date_generated":#<DateTime: 2025-12-29T18:06:40+00:00 ((2461039j,65200s,267000000n),+0s,2299161j)> "kev_vulnerability_name":"Apache Log4j2 Remote Code Execution" "kev_date_add

In [16]:
# Pie chart for KEVs added by times of day, just using CVS parsing and Gruff.

def plot_kev_days_pie(csv_path = './kev-flat.csv')
  rows = CSV.read(csv_path, headers: true)

  day_counts = Hash.new(0)
  rows.each do |r|
    day = r['kev_day_added']
    day_counts[day] += 1 if day && !day.empty?
  end

  weekday_order = %w[Sunday Monday Tuesday Wednesday Thursday Friday Saturday]
  sorted_days = day_counts.sort_by { |day, _| weekday_order.index(day) }

  g = Gruff::Pie.new(600)
  g.title = "KEVs Added by Day of Week"
  sorted_days.each { |day, count| g.data(day, count) }

  hacky_render(g)
end

# Example usage:
plot_kev_days_pie("kev_flat.csv")


In [11]:
require 'csv'
require 'gruff'

def plot_kev_days_allotted(csv_path = './kev_flat.csv')
  rows = CSV.read(csv_path, headers: true)

  # Define your buckets as [label, range]
  buckets = [
    ["< 7 days", 0..6],
    ["7-13 days", 7..13],
    ["14-20 days", 14..20],
    ["21 days", 21..21],
    ["22-30 days", 22..30],
    ["31-60 days", 31..60],
    ["90+ days", 90..Float::INFINITY]
  ]

  # Initialize counts
  counts = Hash[buckets.map { |label, _| [label, 0] }]

  # Tally each row into the appropriate bucket
  rows.each do |r|
    days = r['kev_days_allotted']&.to_i
    next if days.nil?
    bucket_label = buckets.find { |_, range| range.include?(days) }&.first
    counts[bucket_label] += 1 if bucket_label
  end

  puts "Counts by bucket: #{counts}"

  # Create the bar chart
  g = Gruff::Bar.new(800)
  g.title = "KEVs by Days Allotted"

  # Gruff wants arrays: one per dataset. We'll have a single dataset
  labels = counts.keys.each_with_index.map { |k, i| [i, k] }.to_h
  g.labels = labels
  g.data(:count, counts.values)

  hacky_render(g)
end

# Example usage
plot_kev_days_allotted("kev_flat.csv")


Counts by bucket: {"< 7 days"=>16, "7-13 days"=>24, "14-20 days"=>199, "21 days"=>980, "22-30 days"=>2, "31-60 days"=>5, "90+ days"=>257}


In [20]:
require 'daru'
require 'csv'

# Load CSV into a Daru DataFrame
df = Daru::DataFrame.from_csv('kev_flat.csv')

# KEVs with a Friday add that have a short deadline
mask = df['kev_day_added'].eq('Friday') & df['kev_days_allotted'].lt(21)
filtered = df.where(mask)

result = filtered[*['cve_id', 'kev_vulnerability_name', 'cvss_base_severity', 'kev_days_allotted']]

require 'iruby'

# Title
title = "<h1>Friday KEVs with Short Deadlines (&lt;21 days)</h1>"

# HTML table
table_html = result.to_html

# Display both together
IRuby.html("#{title}#{table_html}")



Unnamed: 0,cve_id,kev_vulnerability_name,cvss_base_severity,kev_days_allotted
703,CVE-2021-20038,SonicWall SMA 100 Appliances Stack-Based Buffer Overflow,CRITICAL,14
828,CVE-2021-35247,SolarWinds Serv-U Improper Input Validation,MEDIUM,14
829,CVE-2021-35394,Realtek Jungle SDK Remote Code Execution,CRITICAL,14
884,CVE-2021-44168,Fortinet FortiOS Arbitrary File Download,LOW,14
886,CVE-2021-44228,Apache Log4j2 Remote Code Execution,CRITICAL,14
887,CVE-2021-44515,Zoho Desktop Central Authentication Bypass,CRITICAL,14
908,CVE-2022-21882,Microsoft Win32k Privilege Escalation,MEDIUM,14
916,CVE-2022-22587,Apple Memory Corruption,CRITICAL,14
917,CVE-2022-22620,"Apple iOS, iPadOS, and macOS Webkit Use-After-Free",HIGH,14
937,CVE-2022-24682,Synacor Zimbra Collaborate Suite (ZCS) Cross-Site Scripting,MEDIUM,14
