Check CVSS v3.1 and EPSS scores for a given CVE ID and whether it is in the CISA KEV catalog
softrams/cve-risk-scores
CVE Risk Scores

Check CVSS v3.1 and EPSS scores for a given CVE ID by querying the NIST NVD API and FIRST EPSS database. Also check if the CVE is listed in the CISA Known Exploited Vulnerability (KEV) catalog.

About CVSS

CVSS stands for Common Vulnerability Scoring System. It is a standardized system for rating the severity of security vulnerabilities in software. The CVSS score is a number between 0 and 10, with a higher score indicating a more severe vulnerability. The CVSS score is calculated using a variety of factors, including the severity of the vulnerability, the availability of exploit code, and the number of known attacks.

See CVSS at https://www.first.org/cvss.

About EPSS

EPSS stands for Exploit Prediction Scoring System. It is a machine learning-based model that predicts the likelihood of a software vulnerability being exploited in the wild. The EPSS score is a number between 0 and 1, with a higher score indicating a higher likelihood of exploitation. The EPSS score is calculated using a variety of factors, including the severity of the vulnerability, the availability of exploit code, and the number of known attacks.

See EPSS at https://www.first.org/epss.

About CISA Known Exploited Vulnerability (KEV) catalog

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild: the Known Exploited Vulnerability (KEV) catalog. CISA strongly recommends all organizations review and monitor the KEV catalog and prioritize remediation of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors. All federal civilian executive branch (FCEB) agencies are required to remediate vulnerabilities in the KEV catalog within prescribed timeframes.

See CISA KEV Catalog at https://www.cisa.gov/known-exploited-vulnerabilities.

Usage

Usage via npx

## Run the tool with a list of CVE IDs separated by comma
npx cve-risk-scores@latest "CVE-YYYY-XXXX1, CVE-YYYY-XXXX2,..."

Usage via global install option

## Install the tool globally
npm install -g cve-risk-scores@latest

## Run the tool with a list of CVE IDs separated by comma
cve-risk-scores "CVE-YYYY-XXXX1, CVE-YYYY-XXXX2,..."

Options

Usage: cve-risk-scores [-v|--verbose] [-r|--refresh] [-f|--fail-on-past-duedate] [-t|--threshold] [-s|--score]

Options:
      --version               Show version number                      [boolean]
  -v, --verbose               Verbose output
  -r, --refresh               Refresh EPSS scores
  -f, --fail-on-past-duedate  Fail on past CISA KVE due date
  -t, --threshold             EPSS score threshold to fail the audit
                                                           [number] [default: 0]
  -s, --score                 CVSS score threshold to fail the audit
                                                           [number] [default: 0]
  -d, --delay                 Delay between each CVE audit, in seconds
                                                           [number] [default: 0]
      --help                  Show help                                [boolean]

Exit Codes

For use in CI pipelines and automation tools, the tool will exit with the following exit codes:

  • 0: Ran successfully and no vulnerabilities found
  • 1: Failed to run due to errors or other configuration issues
  • 2: Ran successfully and vulnerabilities found that
    • exceeded the EPSS Score threshold (default: 0.0, means all vulnerabilities are reported) or
    • exceeded the CVSS Score threshold (default: 0.0, means all vulnerabilities are reported) or
    • are past the CISA KEV due date (default: false, means all vulnerabilities are reported)

You may use one or more of the following options to fail the audit:

  • pass --fail-on-past-duedate to fail the audit if any of the vulnerabilities are past their CISA KEV due date, or
  • set --threshold to a value of your choice greater than 0.0 to fail the audit if an EPSS score exceeds that threshold, or
  • set --score to a value of your choice greater than 0.0 to fail the audit if a CVSS score exceeds that threshold.

The audit fails (exit code 2) if any of these conditions is met.
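The exit-code rules above can be modelled as a small decision function. The following is an added example in the project's language, not the cve-risk-scores source itself; the `finding` shape, the function names and the reading that a threshold of 0 means "report only, never fail" are assumptions, and EPSS is compared as a probability between 0 and 1, the unit FIRST publishes.

```javascript
// Added example (not the cve-risk-scores source): models the exit-code rules
// documented in the README. Function names and the `finding` shape are assumed.

const EXIT_OK = 0;         // ran successfully, no fail condition triggered
const EXIT_ERROR = 1;      // bad input or configuration
const EXIT_VULNERABLE = 2; // at least one finding tripped a fail condition

const CVE_ID = /^CVE-\d{4}-\d{4,}$/;

// Split the comma-separated list the CLI accepts, e.g. "CVE-2021-21295, CVE-2017-7525".
function parseCveList(arg) {
  return arg
    .split(',')
    .map((s) => s.trim().toUpperCase())
    .filter((s) => s.length > 0);
}

// KEV due dates are YYYY-MM-DD strings. A finding that is not in KEV has no due
// date and is therefore never "past due"; an unparsable date is treated the same way.
function isPastDueDate(dueDate, now) {
  if (!dueDate) return false;
  const due = new Date(`${dueDate}T23:59:59Z`);
  if (Number.isNaN(due.getTime())) return false;
  return now.getTime() > due.getTime();
}

// Returns the fail conditions a single finding triggers under `opts`.
// A threshold of 0 (the CLI default) is assumed to mean "report only", so it is skipped.
function failReasons(finding, opts, now) {
  const reasons = [];
  if (opts.threshold > 0 && finding.epss > opts.threshold) reasons.push('epss');
  if (opts.score > 0 && finding.cvss > opts.score) reasons.push('cvss');
  if (opts.failOnPastDueDate && isPastDueDate(finding.kevDueDate, now)) reasons.push('kev-due-date');
  return reasons;
}

// Maps a set of findings plus CLI options to the documented exit code.
function auditExitCode(findings, opts, now = new Date()) {
  // Malformed CVE IDs are a configuration error, not a vulnerability result.
  if (!findings.every((f) => CVE_ID.test(f.cve))) return EXIT_ERROR;
  const failed = findings.filter((f) => failReasons(f, opts, now).length > 0);
  return failed.length > 0 ? EXIT_VULNERABLE : EXIT_OK;
}

// Constructed sample mirroring the README's example run (neither CVE has KEV data).
const SAMPLE_FINDINGS = [
  { cve: 'CVE-2021-21295', epss: 0.89162, cvss: 5.9, kevDueDate: null },
  { cve: 'CVE-2017-7525', epss: 0.69982, cvss: 9.8, kevDueDate: null },
];

// Default options report everything but never fail; an EPSS threshold of 0.5 trips on the first CVE.
console.log('defaults  ->', auditExitCode(SAMPLE_FINDINGS, { threshold: 0, score: 0, failOnPastDueDate: false }));
console.log('epss>0.5  ->', auditExitCode(SAMPLE_FINDINGS, { threshold: 0.5, score: 0, failOnPastDueDate: false }));
```

In a pipeline, the caller only needs to distinguish exit code 1 (fix the invocation) from exit code 2 (a finding crossed a threshold you set), which is why thresholds of 0 are treated as "report only" rather than as a zero that every score exceeds.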

Example output

# Run with default options
cve-risk-scores "CVE-2021-21295, CVE-2017-7525"

 Auditing 1 of 2 CVE-2021-21295 at 10/25/2023, 8:48:11 PM


 EPSS score (probability of exploitation) : 89.162%

 No CISA KEV data found for CVE CVE-2021-21295

 CVSS v3.1 Base Score: 5.9 (MEDIUM)

         Exploitability Score: 2.2 Impact Score : 3.6

----------------------------------------

 Auditing 2 of 2 CVE-2017-7525 at 10/25/2023, 8:48:11 PM


 EPSS score (probability of exploitation) : 69.982%

 No CISA KEV data found for CVE CVE-2017-7525

 CVSS v3.1 Base Score: 9.8 (CRITICAL)

         Exploitability Score: 3.9 Impact Score : 5.9

----------------------------------------

 Audit Summary

┌─────────┬──────────────────┬────────────┬─────────────────┬───────────────────┐
│ (index) │      CVE ID      │ EPSS Score │ CVSS Base Score │ CISA KEV Due Date │
├─────────┼──────────────────┼────────────┼─────────────────┼───────────────────┤
│    0    │ 'CVE-2021-21295' │   89.162   │       5.9       │       'N/A'       │
│    1    │ 'CVE-2017-7525'  │   69.982   │       9.8       │       'N/A'       │
└─────────┴──────────────────┴────────────┴─────────────────┴───────────────────┘

Configuration Options

On first run, the tool will create a folder named .epss in the ${HOME} or "/tmp" folder. This folder will contain the raw EPSS Data file and uncompressed CSV file. If you would like to choose a different folder, you may set the EPSS_DATA_FOLDER environment variable to the desired folder.
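The data folder described above holds the uncompressed EPSS CSV that the tool consults. The following added example, which is not part of cve-risk-scores, resolves that folder the way the README describes and parses the CSV into a lookup table; the file layout (a leading `#model_version:...,score_date:...` metadata line, a `cve,epss,percentile` header, then one row per CVE) is FIRST's published daily format as I know it, so treat it as an assumption and confirm it against a real download. The sample rows are constructed, not a real download.

```javascript
// Added example (not the cve-risk-scores source): locate the EPSS data folder
// and parse the uncompressed EPSS CSV kept there. File layout is an assumption
// based on FIRST's published daily CSV.

// README rule: EPSS_DATA_FOLDER if set, otherwise $HOME/.epss, otherwise /tmp/.epss.
function resolveDataFolder(env, homeDir) {
  if (env.EPSS_DATA_FOLDER) return env.EPSS_DATA_FOLDER;
  const base = (homeDir || '/tmp').replace(/\/+$/, '');
  return `${base}/.epss`;
}

// Parses the CSV text into { meta, scores }, where meta holds the key:value
// pairs from the '#' line and scores maps an upper-cased CVE ID to its numbers.
function parseEpssCsv(text) {
  const meta = {};
  const scores = new Map();
  let columns = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '') continue;
    if (line.startsWith('#')) {
      // e.g. "#model_version:v2023.03.01,score_date:2023-10-25T00:00:00+0000"
      for (const kv of line.slice(1).split(',')) {
        const i = kv.indexOf(':');
        if (i > 0) meta[kv.slice(0, i)] = kv.slice(i + 1);
      }
      continue;
    }
    const cells = line.split(',');
    if (columns === null) {
      columns = cells.map((c) => c.toLowerCase()); // header row
      continue;
    }
    const row = Object.fromEntries(columns.map((c, i) => [c, cells[i]]));
    const epss = Number(row.epss);
    const percentile = Number(row.percentile);
    // Skip rows that are malformed rather than trusting a score outside [0, 1].
    if (!row.cve || !Number.isFinite(epss) || epss < 0 || epss > 1) continue;
    scores.set(row.cve.toUpperCase(), { epss, percentile });
  }
  return { meta, scores };
}

// Case-insensitive lookup; returns null when the CVE has no EPSS row.
function lookupEpss(db, cveId) {
  return db.scores.get(cveId.trim().toUpperCase()) || null;
}

// Constructed sample; the two EPSS values match the README's example run,
// the percentiles and the malformed last row are invented for the demo.
const SAMPLE_CSV = `#model_version:v2023.03.01,score_date:2023-10-25T00:00:00+0000
cve,epss,percentile
CVE-2021-21295,0.89162,0.98471
CVE-2017-7525,0.69982,0.97702
CVE-1999-0001,not-a-number,0.1
`;

const db = parseEpssCsv(SAMPLE_CSV);
console.log('data folder:', resolveDataFolder({}, '/home/user'));
console.log('score date :', db.meta.score_date);
console.log('CVE-2021-21295:', lookupEpss(db, 'CVE-2021-21295'));
```

Keeping the `score_date` from the metadata line is worth the extra few lines: EPSS is recomputed daily, so a cached file's date tells you whether the figures in an audit report are stale, which is exactly what the --refresh option exists to address.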

Future Roadmap

  • Download NVD Database and use it for offline mode

Rate Limits

The NVD API may rate-limit requests. If you run into issues, try smaller batches of CVE IDs.

  • Use the --delay option to add a delay between each CVE audit. This helps avoid rate-limiting issues.

How to contribute

If you would like to contribute to this project, feel free to fork the repository and open a PR. Otherwise, create an issue with your thoughts and ideas.

References