The cli is a spring-boot command line tool built with picocli. The example
below does run the setup - which creates both the vulnz symlink (in /usr/local/bin)
and a completion script. If using zsh, the completion will be added to
/etc/bash_completion.d or /usr/local/etc/bash_completion.d (depending
on if they exist); see permanently installing completion
for more details. We may add a brew formula in the future.
After running install you may need to restart your shell for the completion to work.
$ ./gradlew build
$ cd vulnz/build/libs
$ ./vulnz-1.0.0.jar install
$ vulnz cve --cveId CVE-2021-44228 --prettyPrintExample of using the CLI with an API key stored in 1password using
the op CLI (see getting started with op):
export NVD_API_KEY=op://vaultname/nvd-api/credential
eval $(op signin)
op run -- vulnz cve --threads 4 > cve-complete.jsonThe vulnz cli can create a cache of the NVD CVE data obtained from the API. The
data is stored in json files with the data saved in the traditional yearly groupings
starting with 2002 and going to the current year. In addition, a cache.properties is
created that contains the lastModifiedDate datetime as well as the prefix used for the
generated JSON files (by default nvdcve- is used). Additionally, a modified JSON file
is created that will hold the CVEs that have been modified in the last 7 days. After running
the below command you will end up with a directory with:
cache.propertiesnvdcve-modified.jsonnvdcve-2002.jsonnvdcve-2003.json- ...
nvdcve-2023.json
If an API Key is used and you receive a 404 error:
ERROR
io.github.jeremylong.openvulnerability.client.nvd.NvdApiException: NVD Returned Status Code: 404
There is a good chance that the API Key is set incorrectly or is invalid. To check if the API Key works
the following curl command should return JSON:
curl -H "Accept: application/json" -H "apiKey: ########-####-####-####-############" -v https://services.nvd.nist.gov/rest/json/cves/2.0\?cpeName\=cpe:2.3:o:microsoft:windows_10:1607:\*:\*:\*:\*:\*:\*:\*
If no JSON is returned and you see a 404 error the API Key is invalid and you should request a new one.
Create the local cache may result in an out-of-memory error. To resolve the error simply increase the available memory for Java:
export JAVA_OPTS="-Xmx2g"Alternatively, run the CLI using the -Xmx2g argument:
java -Xmx2g -jar ./vulnz-5.0.2.jarTo create a local cache of the NVD CVE Data you can execute the following command via a daily schedule to keep the cached data current:
vulnz cve --cache --directory ./cache
cd cache
for file in *.json; do gzip -k "${file}"; done Alternatively, without using the above install command:
./vulnz-5.0.2.jar cve --cache --directory ./cache
cd cache
for file in *.json; do gzip -k "${file}"; done When creating the cache all other arguments to the vulnz cli
will still work except the --lastModEndDate and --lastModStartDate.
As such, you can create --prettyPrint the cache or create a cache
of only "application" CVE using the --virtualMatchString=cpe:2.3:a.