cve ape

A non-intrusive CVE scanner for embedding in test and CI environments. It can scan package lists and individual packages for known CVEs using a locally stored CVE database, and can also be used as an offline CVE scanner, for example in OT/ICS environments.

CVE Ape

A free and open-source tool that helps find Common Vulnerabilities and Exposures (CVEs) registered in the National Vulnerability Database (NVD).


Main Usage

Helps with reviewing Linux-based IoT devices, but can also be integrated into CI/CD pipelines for better security maintenance.


Not Precise

Does not check backported fixes, and does not match on vendor unless a vendor is explicitly supplied. This means results may not be precise, but they are still useful for a general overview.


Offline Capabilities

Can be used offline after a first update, which creates a local CVE database at ~/.cache/cve-ape/.


Installation

Works only with Python 3. Install using pip:

pip install cve-ape

Source code available on GitHub: https://github.com/Baalmor/cve-ape


Usage

Requires a package list in CSV or text format (e.g. curl-7.77.0-r0). Run the tool with:

cve-ape -L pkglist.txt


Commands

Supported commands include:

  • -h or --help: Show help message and exit
  • --offline: Operate in offline mode
  • -n {api,json} or --nvd {api,json}: Choose method for getting CVE lists from NVD
  • -u {now,daily,never,latest} or --update {now,daily,never,latest}: Update schedule for NVD database (default: daily)
  • --cache-dir CACHE_DIR: Specify the NVD database and cache location (default: ~/.cache/cve-ape)
  • --nvd-api-key NVD_API_KEY: Specify NVD API key (used to improve NVD rate limit)

Input Options

  • -L PACKAGE_LIST or --package-list PACKAGE_LIST: Provide a package list
  • -C CSV_FORMAT or --csv-format CSV_FORMAT: Comma-separated header names if the file is a CSV, or comma-separated 0-based column numbers, where the first is the package column and the second is the version column
  • -d CSV_DELIMITER or --csv-delimiter CSV_DELIMITER: The delimiter used in the CSV file (default: ;)
  • --no-scan: Skip scanning; only update the database
  • -p PACKAGE or --package PACKAGE: Check a specific package from any vendor
  • -v VENDOR or --vendor VENDOR: Check all packages from the specific vendor
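As an added example (not code from the cve-ape project), the following shows one way to turn both input forms described above into (package, version) pairs: the plain-text form from the Usage section, where each line looks like curl-7.77.0-r0, and a CSV interpreted the way the -C and -d options describe. The split rule for text lines (the version is the first dash-separated field that starts with a digit, and a trailing -rN release suffix is dropped) and the treatment of numeric -C columns as a headerless file are assumptions.

```python
import csv
import io
import re

# Constructed sample inputs, not files shipped with cve-ape.
TEXT_LIST = "curl-7.77.0-r0\nopenssl-1.1.1k-r0\nglib-2.0-2.68.1\n"
CSV_HEADERS = "name;version;arch\ncurl;7.77.0;x86_64\nzlib;1.2.11;x86_64\n"
CSV_NO_HEADER = "curl,7.77.0\nbusybox,1.33.1\nbroken-row\n"

# Assumed split rule: the version is the first dash-separated field that
# starts with a digit; an Alpine-style "-rN" release suffix is dropped.
# The regex backtracks, so "glib-2.0-2.68.1" yields ("glib-2.0", "2.68.1").
_PKG_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d[^-]*)(?:-r\d+)?$")


def parse_text_line(line):
    """Return (package, version) for one text-list line, or None."""
    m = _PKG_RE.match(line.strip())
    return (m.group("name"), m.group("version")) if m else None


def parse_package_list(text):
    """Parse the plain-text form: one package-version string per line."""
    pairs = (parse_text_line(ln) for ln in text.splitlines())
    return [p for p in pairs if p is not None]


def parse_csv(text, csv_format, delimiter=";"):
    """Parse the CSV form. csv_format mirrors -C: either two header names
    ("name,version") or two 0-based column numbers ("0,1"); delimiter
    mirrors -d. Numeric columns are assumed to mean a headerless file."""
    fields = [f.strip() for f in csv_format.split(",")]
    rows = list(csv.reader(io.StringIO(text), delimiter=delimiter))
    if all(f.isdigit() for f in fields):
        pkg_idx, ver_idx = int(fields[0]), int(fields[1])
    else:
        header = rows.pop(0)
        pkg_idx, ver_idx = header.index(fields[0]), header.index(fields[1])
    out = []
    for row in rows:
        if len(row) <= max(pkg_idx, ver_idx):
            continue  # too few columns: skip the row instead of crashing
        out.append((row[pkg_idx].strip(), row[ver_idx].strip()))
    return out


if __name__ == "__main__":
    print(parse_package_list(TEXT_LIST))
    print(parse_csv(CSV_HEADERS, "name,version"))
    print(parse_csv(CSV_NO_HEADER, "0,1", delimiter=","))
```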

Output Options

  • -q or --quiet: Suppress output
  • -l {debug,info,warning,error,critical} or --log {debug,info,warning,error,critical}: Log level (default: info)
  • -o OUTPUT_FILE or --output-file OUTPUT_FILE: Provide output filename (default: output to stdout)
  • -f {csv,json,console} or --format {csv,json,console}: Output format (default: console)
  • -c CVSS or --cvss CVSS: Minimum CVSS score (as integer in range 0 to 10) to report (default: 0)
  • -S {low,medium,high,critical} or --severity {low,medium,high,critical}: Minimum CVE severity to report (default: low)

Disclaimer

Some parts of the code were taken as is from cve-bin-tool, another open-source project from Intel. Credit for those parts goes to its authors.


License

CVE Ape is licensed under the MIT License - see the LICENSE.rst file for details.
