{"id":22915415,"url":"https://github.com/pandatix/cvedetect","last_synced_at":"2025-05-12T14:25:51.159Z","repository":{"id":38747191,"uuid":"497523822","full_name":"pandatix/cvedetect","owner":"pandatix","description":"Yet another Vulnerability Assessment Tool for efficient CVE detection.","archived":false,"fork":false,"pushed_at":"2023-04-26T05:33:07.000Z","size":216,"stargazers_count":12,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-05-12T14:25:43.090Z","etag":null,"topics":["cve","detection","go","graphql","vulnerability-assessment","vulnerability-detection"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pandatix.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-05-29T07:47:57.000Z","updated_at":"2024-08-22T08:00:54.000Z","dependencies_parsed_at":"2024-06-20T22:07:40.166Z","dependency_job_id":null,"html_url":"https://github.com/pandatix/cvedetect","commit_stats":{"total_commits":54,"total_committers":2,"mean_commits":27.0,"dds":0.01851851851851849,"last_synced_commit":"1e67bea60acee112e9601bda39cc78777502c3e6"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pandatix%2Fcvedetect","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pandatix%2Fcvedetect/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pandatix%2Fcvedetect/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pandatix%2Fcvedetect/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pandatix","download_url":"https://codeload.github.com/pandatix/cvedetect/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253754418,"owners_count":21958859,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve","detection","go","graphql","vulnerability-assessment","vulnerability-detection"],"created_at":"2024-12-14T05:26:58.489Z","updated_at":"2025-05-12T14:25:51.133Z","avatar_url":"https://github.com/pandatix.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cvedetect\n\n\u003cdiv align=\"center\"\u003e\n    \u003ca href=\"https://github.com/pandatix/cvedetect/blob/master/LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/github/license/pandatix/cvedetect?style=for-the-badge\" alt=\"License\"\u003e\u003c/a\u003e\n    \u003ca href=\"https://coveralls.io/github/pandatix/cvedetect?branch=master\"\u003e\u003cimg src=\"https://img.shields.io/coverallsCoverage/github/pandatix/cvedetect?style=for-the-badge\" alt=\"Coverage Status\"\u003e\u003c/a\u003e\n    \u003ca href=\"https://hub.docker.com/r/pandatix/cvedetect\"\u003e\u003cimg src=\"https://img.shields.io/docker/pulls/pandatix/cvedetect?style=for-the-badge\" alt=\"Docker pull\"\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/pandatix/cvedetect/actions/workflows/ci.yaml\"\u003e\u003cimg src=\"https://img.shields.io/github/actions/workflow/status/pandatix/cvedetect/ci.yaml?label=CI\u0026style=for-the-badge\" alt=\"CI\"\u003e\u003c/a\u003e\n\u003c/div\u003e\n\ncvedetect is state of the art Vulnerability Assessment Tool (VAT) working on a non-cylic oriented graph of assets.\n\n\u003e This product uses the NVD API but is not endorsed or certified by the NVD.\n\n## TODO\n\n - [ ] Implement complete `match` algorithm\n - [ ] Implement `MDCN` algorithm\n - [ ] Harden inputs through scalars\n - [ ] Add score filtering (filter on base, environmental and temporal scores + attributes values)\n - [ ] Improve support of CPE v2.3 Release 4 with `github.com/pandatix/go-cpe` when released\n - [ ] Provide API validation tests\n\n## Disclaimer\n\nTake a look at the license before using this project.\n\nMoreover, there are many TODOs that disable this sample app to be used professionnaly/safely :\n - the database is memory-only, so the system does not provide integrity/saves on the data through time (in case the binary reboots).\n - the scalability of such a system is impossible because of the memory-only database.\n - there is a lack of interesting data supported by the data model, like references and their tags for a SIEM.\n - API transactions are not ACID, which could lead to inconsistencies in HA deployments.\n - `MDC1` is currently used for detections, covering ~80% of the whole NVD. `MDCN` should be implemented in order to give better results based on the context.\n - the `match` algorithm used by MDCs depends on an external dependency that is not perfectly suited for CPEs versions, and does not depend on any SCAP-approved version criteria (condition in which a version interval should be replaced by an enumeration). Additionaly, it is a simpler implementation of`match` as it does not cover wildcards in versions.\n - The NIST-IR 7695, CPE dictionnary and NVD contains known vulnerabilities/issues that are still not fixed, so can't be handled by this implementation.\n - it does not provide a way to create an inventory that will be consumed by the tool.\n - it does not provide a way to raise alerts in case of new detections, update, or deletes.\n - according to [Varonis](https://www.varonis.com/blog/what-is-siem), it does not gives enough metrics and tracability to become a SIEM (\"When was it detected ?\", \"Since when the CVE exist ?\" are questions that can't be answered ; MatchCircuit is not handled to explain why it matched).\n - it does not strongly validates inputs, especially of the NVD (that must be considered as out of trust).\n - there is not access control, so it can't be used out of a single team with no privilege management, which is not a good idea/security practice.\n - the API has not been tested (but needs to, with RobotFramework maybe).\n\nTo sum up : **do not use in production environment, or as a safe tool for security monitoring**.\n\n## Examples\n\n### Getting all CVEs related to a VP\n\n```graphql\nquery QueryCVEs($input: QueryCVEInput!) {\n    queryCVEs(input: $input) {\n        id\n        description\n        configurations {\n            negate\n            operator\n            cpeMatches {\n                vulnerable\n                cpe23\n            }\n        }\n        cvss31 {\n            vector\n            baseScore\n        }\n    }\n}\n```\n\n```json\n{\n    \"input\": {\n        \"vp\": \"gitea:gitea\"\n    }\n}\n```\n\nThe previous has the equivalent curl command.\n\n```bash\ncurl -X POST http://localhost:8080/graphql \\\n    -d '{\"query\":\"query QueryCVEs($input:QueryCVEInput){queryCVEs(input:$input){id description configurations{negate operator cpeMatches{vulnerable cpe23}}cvss31{vector baseScore}}}\",\"variables\":{\"input\":{\"vp\":\"gitea:gitea\"}}}'\n```\n\n### Adding an Asset\n\n```graphql\nmutation AddAsset($input: AddAssetInput!) {\n    addAsset(input: $input) {\n        id\n        name\n        cpe23\n        cves {\n            id\n            description\n            configurations {\n                negate\n                operator\n                cpeMatches {\n                    vulnerable\n                    cpe23\n                    versionStartIncluding\n                    versionStartExcluding\n                    versionEndIncluding\n                    versionEndExcluding\n                }\n            }\n            cvss31 {\n                vector\n                baseScore\n            }\n        }\n    }\n}\n```\n\n```json\n{\n    \"name\": \"Gitea\",\n    \"cpe23\": \"cpe:2.3:a:gitea:gitea:1.12.6:*:*:*:*:docker:amd64:*\"\n}\n```\n\nThe previous has the equivalent curl command.\n\n```bash\ncurl -X POST http://localhost:8080/graphql \\\n    -d '{\"query\":\"mutation AddAsset($input:AddAssetInput!){addAsset(input:$input){id name cpe23 cves{id description configurations{negate operator cpeMatches{vulnerable cpe23 versionStartIncluding versionStartExcluding versionEndIncluding versionEndExcluding}}cvss31{vector baseScore}}}}\",\"variables\":{\"input\":{\"name\":\"Gitea\",\"cpe23\":\"cpe:2.3:a:gitea:gitea:1.12.6:*:*:*:*:docker:amd64:*\"}}}'\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpandatix%2Fcvedetect","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpandatix%2Fcvedetect","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpandatix%2Fcvedetect/lists"}