Automating CVE search

By dh0ck. Published in System Weakness, Oct 25, 2023 (2 min read).

I was recently automating the search for CVEs affecting some assets. A real life saver for automating this process is to use CPE (Common Platform Enumeration) codes. This standard encodes things like the vendor of a product, the product itself, its version, etc. in separate colon-delimited fields, in the following format:

cpe:<cpe_version>:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other>

(https://en.wikipedia.org/wiki/Common_Platform_Enumeration)

For example, part can have the values “a” (application), “o” (operating system) and “h” (hardware).

The following endpoint of NIST’s NVD returns CVEs discovered in a range of dates:

https://services.nvd.nist.gov/rest/json/cves/2.0/?pubStartDate=2023-10-11T13:00:00%2B01:00&pubEndDate=2023-10-23T13:36:00%2B01:00

In this case the findings are from 11th October 2023 to 23rd October 2023. Querying this range gives an idea of the massive number of vulnerabilities that are reported every day.

Looking for the most recent ones was not returning any CPE, which was a hurdle for the automation I had in mind. But going to earlier days shows that three or four days after publication, CVE entries have been assigned a CPE.

The next picture shows a Postman response from the above URL, and in the response I have searched for CPE. It’s very clear when new CPEs start to be added:

Zooming in we can see in more detail the moment when CVEs start to get CPEs:

So it seems clear that CVEs start to get CPEs assigned 3–4 days after publication.

This is an example of an entry which has CPEs assigned, under the “configurations” field:

Notice the presence of the field “operator”: “OR”. It is used even if there is a single CPE entry. There are also times when an AND operator is used, especially when both a software version and the operating system version on which it was detected are specified.

And this is an example of a CVE without a CPE:

As can be seen, the “configurations” field doesn’t exist.
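
The following added example, which is not the author's code, handles both cases above: it collects the CPEs of entries that have a “configurations” field and lists the entries that do not have one yet. The field names “nodes”, “cpeMatch”, “criteria” and “vulnerable” are assumed from the NVD 2.0 response layout, the sample data is constructed, and AND configurations are only flagged, not expanded into combinations.

```python
import re

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe(cpe):
    """Split a CPE 2.3 string into named fields; escaped colons stay in their field."""
    parts = re.findall(r"(?:\\.|[^:\\])+", cpe)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))

def extract_cpes(nvd_response):
    """Return ({cve_id: {"cpes": [...], "has_and": bool}}, [ids with no CPE yet])."""
    assigned, pending = {}, []
    for item in nvd_response.get("vulnerabilities", []):
        cve = item["cve"]
        configs = cve.get("configurations")  # key is absent until CPEs are assigned
        if not configs:
            pending.append(cve["id"])
            continue
        cpes, has_and = [], False
        for config in configs:
            # AND ties nodes together (e.g. software running on a given OS);
            # flag it instead of silently treating the CPEs as alternatives.
            has_and = has_and or config.get("operator") == "AND"
            for node in config.get("nodes", []):
                has_and = has_and or node.get("operator") == "AND"
                cpes += [parse_cpe(m["criteria"]) for m in node.get("cpeMatch", [])
                         if m.get("vulnerable")]
        assigned[cve["id"]] = {"cpes": cpes, "has_and": has_and}
    return assigned, pending

# Constructed sample in the shape of an NVD 2.0 response (ids and products are made up).
def _node(*criteria, vulnerable=True):
    return {"operator": "OR", "negate": False,
            "cpeMatch": [{"vulnerable": vulnerable, "criteria": c} for c in criteria]}

SAMPLE = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "configurations": [
        {"nodes": [_node("cpe:2.3:a:examplevendor:exampleapp:1.2.3:*:*:*:*:*:*:*")]}]}},
    {"cve": {"id": "CVE-0000-0002", "configurations": [
        {"operator": "AND", "nodes": [
            _node("cpe:2.3:a:examplevendor:plug\\:in:2.0:*:*:*:*:*:*:*"),
            _node("cpe:2.3:o:exampleos:exampleos:-:*:*:*:*:*:*:*", vulnerable=False)]}]}},
    {"cve": {"id": "CVE-0000-0003"}},  # recently published: no "configurations" key
]}

if __name__ == "__main__":
    print(*extract_cpes(SAMPLE), sep="\n")
```

Entries returned in the pending list are the ones to query again a few days later, once CPEs have been assigned.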

Here is some Python code I wrote to automate the retrieval of this information, discard what wasn’t useful for me, and keep only what I needed in an easier-to-handle format. (It does not handle the AND operator; it was unnecessary for my case and it would require creating combinations.)

Just keep in mind that you may need to modify what you export or how you use it, but the parsing from NVD’s site is done (at least, at the moment of writing) by this function.

Hope this helps

Feel free to connect with me!

https://www.linkedin.com/in/dh0ck/

https://github.com/dh0ck
