A Python tool that scans software dependencies for known vulnerabilities using NIST's National Vulnerability Database (NVD)

Project description

CVE Vulnerability Scanner

Features

  • 🔍 Scans software libraries for known vulnerabilities
  • 📝 Generates detailed vulnerability reports in markdown format
  • 🚀 Fast scanning with local caching support
  • 🔑 Uses the official NVD API with an API key for higher rate limits
  • 📊 Supports CSV input format for batch processing
  • 🔄 Caches results to reduce API calls

Installation

# Using pip
pip install cve-vulnerability-scanner

# From source
git clone https://github.com/changyy/py-cve-vulnerability-scanner.git
cd py-cve-vulnerability-scanner
pip install -e .

Usage

Basic Usage

# Set your NVD API key
export NVD_API_KEY='your-api-key-here'

# Run the scanner
cve-vulnerability-scanner packages.csv -o report.md

Input CSV Format

Create a CSV file (packages.csv) with your dependencies:

library_name,version
busybox,1.31.1
libiconv,1.13.1

Command Line Options

cve-vulnerability-scanner --help

Options:
  -i, --input FILE      Input CSV file containing libraries [default: packages.csv]
  -o, --output FILE     Output report file [default: report.md]
  --no-cache            Disable caching
  --cache-dir DIR       Specify cache directory [default: ./cache]
  --verbose             Enable verbose output
  -h, --help            Show this help message
  -v, --version         Show program version

Sample Output

The tool generates a markdown report like this:

# Vulnerability Scan Report
Generated at: 2024-03-08 10:00:00

## Summary
- Total libraries scanned: 2
- Libraries with vulnerabilities: 1
- Total vulnerabilities found: 30

## Details

### Busybox (1.31.1)
Found 30 vulnerabilities:
1. CVE-2022-28391 (CVSS: 5.5)
   - Description: Integer overflow in Busybox wget applet...
   - Published: 2022-05-20
   - References: [Link]

### libiconv (1.13.1)
No known vulnerabilities found.

Authentication

Get your NVD API key from: https://nvd.nist.gov/developers/request-an-api-key

The API key can be provided in three ways (in order of precedence):

  1. Environment variable: NVD_API_KEY
  2. Config file: ~/.config/cve-scanner/config.ini
  3. Command line argument: --api-key

Development

Setup Development Environment

# Create virtual environment
python -m venv venv
source venv/bin/activate  # Linux/Mac
# or
.\venv\Scripts\activate   # Windows

# Install dependencies
pip install -e ".[dev]"

Running Tests

pytest tests/

Contributing

  1. Fork the repository
  2. Create your feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add some amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

License

This project is licensed under the MIT License - see the LICENSE file for details.

Acknowledgments

  • NIST National Vulnerability Database (NVD) for providing the vulnerability data
  • All contributors who help improve this tool

Download files

Source Distribution

cve_vulnerability_scanner-1.0.0.tar.gz (11.8 kB)

Hashes for cve_vulnerability_scanner-1.0.0.tar.gz:

Algorithm     Hash digest
SHA256        41cc6178afbd796d15c118ad203f1df98ff05c5f07702145a795713a213233ab
MD5           babbe62b3c76374fd6438725f151f6aa
BLAKE2b-256   a05d2876d9bb63693380975e906ecdcf12a325f2ef36959566c321bbed45ee61

Built Distribution

cve_vulnerability_scanner-1.0.0-py3-none-any.whl

Hashes for cve_vulnerability_scanner-1.0.0-py3-none-any.whl:

Algorithm     Hash digest
SHA256        84020ba1ff8b9d13b1015727bf60b9520fa139a4536105cfed0ead16753c5db0
MD5           6c9c04c8d643f19035883c330e22dbd4
BLAKE2b-256   acc9e7290e9f0d65d06588d3f9e64b92b942c574f42165c2a9cb1c4249b69c75