https://github.com/rogolabs/cnascorecard
An open-source tool for scoring and auditing CVE Numbering Authorities (CNAs) based on the quality, timeliness, and completeness of their vulnerability disclosures.
- Host: GitHub
- URL: https://github.com/rogolabs/cnascorecard
- Owner: RogoLabs
- Created: 2025-06-19T18:26:14.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2025-07-31T06:17:09.000Z (2 months ago)
- Last Synced: 2025-07-31T09:51:55.252Z (2 months ago)
- Topics: cna, cve, vulnerabilities
- Language: Python
- Homepage:
- Size: 10.6 MB
- Stars: 2
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# CNA Scorecard
An automated data pipeline and web front-end for scoring and analyzing the quality of CVE data published by CVE Numbering Authorities (CNAs). The system analyzes **only the most recent 6 months of CVE data** to provide current, actionable insights into CNA performance.
## Introduction
The CNA Scorecard project addresses a critical need in the cybersecurity ecosystem: ensuring high-quality, complete vulnerability data. As the number of CVE records continues to grow exponentially, the quality and completeness of these records directly impact the security community's ability to understand, prioritize, and respond to vulnerabilities effectively.
This project provides transparent, data-driven insights into how well CVE Numbering Authorities (CNAs) are fulfilling their responsibility to publish comprehensive vulnerability information. By automating the analysis and scoring process, we create accountability while helping CNAs identify areas for improvement in their vulnerability disclosure practices.
## Key Features
• **Automated scoring of CNA performance** based on a comprehensive set of data quality rules
• **Detailed completeness analysis** of CVE record fields against the official CVE 5.1 schema
• **Modern, responsive web interface** with interactive data visualizations and charts
• **Fully automated data pipeline** that refreshes data every 6 hours via GitHub Actions
• **Individual CNA profiles** with detailed performance metrics and recent CVE analysis
• **Mobile-optimized design** for accessibility across all devices

## How It Works
The CNA Scorecard operates as a two-part system: an automated data pipeline that processes CVE data and a modern web front-end that presents the results.
### Data Pipeline (`cnascorecard_pipeline/`)
The Python-based data pipeline follows a systematic four-step process:
1. **Ingest**: Fetches CVE data from the official [CVEProject/cvelistV5](https://github.com/CVEProject/cvelistV5) repository, filtering to analyze only the **last 6 months** of published CVE records for current performance assessment.
2. **Score & Analyze**: Applies comprehensive scoring rules across five key categories:
- Foundational Completeness (50 points)
- Root Cause Analysis (15 points)
- Severity and Impact Context (15 points)
- Software Identification (10 points)
- Patch Information (10 points)
3. **Aggregate**: Generates summary statistics, calculates CNA rankings, performs trend analysis, and creates completeness metrics for each CNA.
4. **Output**: Writes structured JSON files to the `web/data/` directory, including individual CNA profiles, combined rankings, and completeness reports.
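To make the four steps concrete, here is a toy version of the pipeline as an added example; it is not the project's own code. The five category names and their point weights are taken from the list above, but the checks applied inside each category (presence of a description, a CWE id in `problemTypes`, a `cvssV3_1.baseScore`, version or CPE data on `affected`, a reference tagged `patch`) are assumptions made for illustration only; the project's real rules live in its scoring documentation and pipeline source, which are not reproduced on this page. The sample records are constructed in CVE 5.1 shape with placeholder IDs.

```python
# Added example, not the project's code: a toy version of the four-step pipeline.
# Category names and point weights are from the README; the checks inside each
# category are assumptions made here (the project's real rules are not on this page).
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Maximum points per category, as listed in the README.
WEIGHTS = {"foundational": 50, "root_cause": 15, "severity": 15,
           "software_id": 10, "patch": 10}


def within_window(record, now, months=6):
    """Step 1 (ingest filter): keep only records published in the last N months."""
    published = record.get("cveMetadata", {}).get("datePublished")
    if not published:
        return False
    published_at = datetime.fromisoformat(published.replace("Z", "+00:00"))
    return published_at >= now - timedelta(days=30 * months)  # month ~ 30 days


def score_record(record):
    """Step 2: score one CVE 5.1 record, returning category -> points (assumed rules)."""
    cna = record.get("containers", {}).get("cna", {})
    affected = cna.get("affected", [])
    refs = cna.get("references", [])
    scores = {}

    # Foundational completeness: non-empty description, vendor/product, references.
    desc = any(d.get("value", "").strip() for d in cna.get("descriptions", []))
    has_affected = any(a.get("vendor") and a.get("product") for a in affected)
    scores["foundational"] = round(
        WEIGHTS["foundational"] * sum([desc, has_affected, bool(refs)]) / 3)

    # Root cause: at least one CWE identifier in problemTypes.
    has_cwe = any(d.get("cweId") for pt in cna.get("problemTypes", [])
                  for d in pt.get("descriptions", []))
    scores["root_cause"] = WEIGHTS["root_cause"] if has_cwe else 0

    # Severity and impact context: a CVSS v3.1 metric carrying a base score.
    has_cvss = any("baseScore" in m.get("cvssV3_1", {}) for m in cna.get("metrics", []))
    scores["severity"] = WEIGHTS["severity"] if has_cvss else 0

    # Software identification: version ranges or CPEs on affected entries.
    has_versions = any(a.get("versions") or a.get("cpes") for a in affected)
    scores["software_id"] = WEIGHTS["software_id"] if has_versions else 0

    # Patch information: a reference tagged "patch".
    has_patch = any("patch" in r.get("tags", []) for r in refs)
    scores["patch"] = WEIGHTS["patch"] if has_patch else 0
    return scores


def aggregate(records, now):
    """Step 3: filter, score, and rank CNAs by mean total score (ties by name)."""
    per_cna = defaultdict(list)
    for rec in records:
        if within_window(rec, now):
            total = sum(score_record(rec).values())
            per_cna[rec["cveMetadata"]["assignerShortName"]].append(total)
    ranking = [{"cna": name, "cves": len(t), "avg_score": sum(t) / len(t)}
               for name, t in per_cna.items()]
    return sorted(ranking, key=lambda r: (-r["avg_score"], r["cna"]))


# Constructed sample records in CVE 5.1 shape (placeholder IDs, not real CVEs).
NOW = datetime(2025, 7, 31, tzinfo=timezone.utc)
SAMPLE = [
    {   # fully populated record
        "cveMetadata": {"cveId": "CVE-0000-00001", "assignerShortName": "goodcna",
                        "datePublished": "2025-07-01T00:00:00.000Z"},
        "containers": {"cna": {
            "descriptions": [{"lang": "en", "value": "Buffer overflow in parser."}],
            "affected": [{"vendor": "ExampleCo", "product": "Widget",
                          "versions": [{"version": "1.0", "status": "affected"}]}],
            "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-120",
                                                "description": "CWE-120"}]}],
            "metrics": [{"cvssV3_1": {"baseScore": 7.5}}],
            "references": [{"url": "https://example.invalid/fix", "tags": ["patch"]}],
        }},
    },
    {   # description only
        "cveMetadata": {"cveId": "CVE-0000-00002", "assignerShortName": "sparsecna",
                        "datePublished": "2025-07-15T00:00:00.000Z"},
        "containers": {"cna": {"descriptions": [{"lang": "en", "value": "Unspecified issue."}]}},
    },
    {   # older than 6 months: the ingest filter must drop it
        "cveMetadata": {"cveId": "CVE-0000-00003", "assignerShortName": "sparsecna",
                        "datePublished": "2024-12-01T00:00:00.000Z"},
        "containers": {"cna": {}},
    },
]

if __name__ == "__main__":
    for row in aggregate(SAMPLE, NOW):  # Step 4 would serialise this as JSON
        print(row)
```

Running it ranks `goodcna` (100 points from one complete record) above `sparsecna` (17 points: only the description check passes), and the third record is dropped by the six-month window before it can drag `sparsecna`'s average down further. The foundational category is pro-rated across its three checks while the other four are all-or-nothing; that split is a design choice of this example, not something the page states about the project's own rules.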
### Web Front-End (`web/`)
The web interface is built with vanilla HTML, CSS, and JavaScript for maximum performance and compatibility:
- **Technology Stack**: Pure web technologies with no external frameworks or dependencies
- **Data Loading**: Dynamically fetches JSON data generated by the pipeline
- **Real-time Updates**: Automatically reflects the latest data whenever the pipeline runs
- **Responsive Design**: Optimized for desktop, tablet, and mobile viewing
- **Interactive Features**: Search, sort, filter, and detailed drill-down capabilities

## Automation
The CNA Scorecard maintains fresh, up-to-date data through a fully automated GitHub Actions workflow (`.github/workflows/run-pipeline.yml`) that ensures the website always reflects the latest CVE information.
### Workflow Triggers
The automated pipeline runs in three scenarios:
- **Scheduled Updates**: Every 6 hours around the clock (using cron: `0 */6 * * *`)
- **Code Changes**: Automatically when changes are pushed to the main branch
- **Manual Execution**: Can be triggered manually via GitHub's workflow dispatch feature

### Automation Process
When triggered, the workflow performs the following steps:
1. **Environment Setup**: Provisions Ubuntu environment with Python 3.13
2. **Dependency Installation**: Installs required Python packages from `requirements.txt`
3. **Pipeline Execution**: Runs `python ./cnascorecard_pipeline/pipeline.py` to process the most recent 6 months of CVE data
4. **Data Commit**: Automatically commits updated JSON files back to the repository
5. **GitHub Pages Deployment**: Deploys the updated website to GitHub Pages

### Benefits of Automation
- **Always Current**: Data never becomes stale, reflecting CVE publications within hours
- **Zero Maintenance**: No manual intervention required for regular updates
- **Reliable Deployment**: Consistent, error-free deployment process
- **Audit Trail**: All updates are tracked through Git commits with timestamps

## How to View the Scorecard
The CNA Scorecard website provides multiple views to explore CVE data quality and CNA performance:
### 🏠 **Homepage**
[**index.html**](https://cnascorecard.org/) - Main dashboard with overview statistics, recent CVE highlights, and key insights into the current state of CVE data quality across the ecosystem.

### 🏆 **CNA Leaderboard**
[**cna/index.html**](https://cnascorecard.org/cna/) - Complete rankings of all CNAs with sortable performance metrics, search functionality, and detailed scoring breakdowns. View medal-style rankings for top performers.

### 📊 **Record Completeness Analysis**
[**completeness/index.html**](https://cnascorecard.org/completeness/) - Comprehensive analysis of how well CNAs populate CVE record fields according to the official CVE 5.1 schema. Includes field-by-field completeness metrics and visualizations.

### 📖 **Scoring Methodology**
[**scoring.html**](https://cnascorecard.org/scoring.html) - Detailed documentation of the Enhanced Aggregate Scoring (EAS) methodology, explaining how CNA performance is calculated and what each score component represents.

### 🔍 **Individual CNA Profiles**
[**cna/cna-detail.html**](https://cnascorecard.org/cna/cna-detail.html) - Detailed pages for each CNA showing recent CVE analysis, performance trends, category breakdowns, and official CNA metadata.

---
**💡 Pro Tip**: All pages are mobile-optimized and include interactive search, filtering, and sorting capabilities to help you find the information you need quickly.
## Contributing
We welcome contributions from the cybersecurity community! The CNA Scorecard project thrives on collaborative input to improve CVE data quality analysis and make vulnerability information more accessible.
### 🐛 **Reporting Issues**
Found a bug or have a feature suggestion? Please help us improve by:
- **Opening a GitHub Issue**: Visit our [Issues page](https://github.com/gamblin/CNAScoreCard/issues) to report bugs, request features, or ask questions
- **Providing Details**: Include specific examples, error messages, or screenshots when reporting issues
- **Checking Existing Issues**: Search existing issues to avoid duplicates

### 🔧 **Development Setup**
To contribute code changes:
```bash
# Fork and clone the repository
git clone https://github.com/your-username/CNAScoreCard.git
cd CNAScoreCard

# Install dependencies
pip install -r requirements.txt

# Run the pipeline locally
cd cnascorecard_pipeline
python pipeline.py

# Serve the web interface
cd ../web
python -m http.server 8000
```

**Ready to contribute?** Start by exploring our [open issues](https://github.com/gamblin/CNAScoreCard/issues) or proposing your own improvements!
## License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
---
## Acknowledgments
- Inspired by the [CNA Enrichment Recognition program](https://www.cve.org/About/Metrics#CNAEnrichmentRecognition)
- Built on data from the [CVE Project](https://www.cve.org/) and [CVEProject/cvelistV5](https://github.com/CVEProject/cvelistV5) repository
- Special thanks to the cybersecurity community for their ongoing efforts to improve vulnerability disclosure