CVEdb

CVEdb is yet another Python CVE database library and utility. There are lots already available. Why create another? Most existing libraries rely on a third party API like cve.circl.lu, which can and do throttle usage, require registration, and/or demand an internet connection. Some libraries are bloated, including web interfaces for search.

CVEdb Features:

• Can be used either as a library or a command line utility
• Simple API
• Download directly from the National Vulnerability Database
• Automatically, incrementally update at any time

CVEdb Anti-Features:

• Does not require many dependencies
• Does not have a web server
• Does not require Internet connectivity other than to download new CVEs

Installation

$ pip3 install cvedb

Command Line Usage

$ cvedb --help

Python Examples

from cvedb.db import CVEdb

with CVEdb.open() as db:
    for cve in db:
        print(cve)

By default, the CVEs downloaded from NIST are saved to a sqlite database stored in cvedb.db.DEFAULT_DB_PATH, which is set to ~/.config/cvedb/cvedb.sqlite. This can be customized by passing the db_path argument to CVEdb.open.

The db.data() function returns an instance of a cvedb.feed.Data object, which has numerous methods to query CVEs. For example:

with CVEdb.open() as db:
    for cve in db.data().search("search term"):
        print(cve)

In addition to accepting strings, the data().search(...) function will accept any cvedb.search.SearchQuery object.

Known Issues

The NIST National Vulnerability Database is in the process of transitioning to a new REST API. The datasets on which CVEdb is built are still available, but it is unclear whether they may become deprecated. Also, NIST has started rate limiting downloads, which may affect CVEdb syncing. Therefore, CVEdb ships pre-seeded with a database. Therefore, CVEdb does not require any Internet connectivity after it is installed, other than to download new CVE definitions. Also, the behavior of CVEdb was changed from automatically checking for updates as necessary to now requiring the user explicitly request an update with the new --update argument. Support for the new REST API is being tracked in this GitHub issue.

License and Acknowledgements

CVEdb was created by Trail of Bits. It is licensed under the GNU Lesser General Public License v3.0. Contact us if you're looking for an exception to the terms. © 2021, Trail of Bits.

The CVE database shipped with CVEdb is created and maintained by NIST and is released in the public domain.