
nvdlib's Introduction

Welcome! 👋

My name is Brad. I'm a network engineer that loves to automate everything (unsurprising!).



nvdlib's People

Contributors

akuster, calve, gamehunterkaan, jobselko, linasvidziunas, ntnunk, smjert, vehemont


nvdlib's Issues

CVE Change History API

Hi,

Any plans to include the brand-new CVE Change History API?

CVE Change History API
The CVE Change History API is used to easily retrieve information on changes made to a single CVE or a collection of CVE from the NVD. This API provides additional transparency to the work of the NVD, allowing users to easily monitor when and why vulnerabilities change.

https://nvd.nist.gov/developers/vulnerabilities

https://services.nvd.nist.gov/rest/json/cvehistory/2.0?cveId=CVE-2019-1010218

Support Datetime types for date params

Hi, great lib thanks !

As of today, all the date parameters accept date-formatted strings only. What do you think about accepting datetime?

That is, today, I have to write

end = datetime.datetime.now()
start = end - datetime.timedelta(days=7)
self.cves = nvdlib.searchCVE(
            pubStartDate=start.strftime("%Y-%m-%d %H:%M"),
            pubEndDate=end.strftime("%Y-%m-%d %H:%M")
)

but we could have this interface

end = datetime.datetime.now()
start = end - datetime.timedelta(days=7)
self.cves = nvdlib.searchCVE(
            pubStartDate=start,
            pubEndDate=end
)

I can implement this if you're OK with it and I find a few free hours.
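A helper that accepts both datetime objects and the date strings used above, added here as an example (it is not nvdlib's code and not the poster's patch). It emits the YYYY-MM-DDTHH:MM:SS form that the NVD 2.0 URLs elsewhere on this page use, and also rejects reversed ranges and spans longer than the 120-day maximum the NVD 2.0 API documents; the function names, the legacy input format and the range check are assumptions:

```python
# Added example, not nvdlib's own code: accept either datetime objects or the
# date strings from the post, and emit the "YYYY-MM-DDTHH:MM:SS" form that the
# NVD 2.0 API URLs on this page use. Names and limits here are assumptions.
from datetime import datetime, timedelta
from typing import Dict, Union

NVD_DATE_FORMAT = "%Y-%m-%dT%H:%M:%S"   # format seen in the 2.0 URLs on this page
LEGACY_FORMAT = "%Y-%m-%d %H:%M"        # format the post's strftime produces
MAX_RANGE = timedelta(days=120)         # NVD 2.0 documents a 120-day maximum span

DateLike = Union[str, datetime]


def to_nvd_date(value: DateLike) -> str:
    """Normalise a datetime or a date string to NVD_DATE_FORMAT."""
    if isinstance(value, datetime):
        return value.strftime(NVD_DATE_FORMAT)
    if isinstance(value, str):
        for fmt in (NVD_DATE_FORMAT, LEGACY_FORMAT):
            try:
                return datetime.strptime(value, fmt).strftime(NVD_DATE_FORMAT)
            except ValueError:
                continue
        raise ValueError(f"unrecognised date string: {value!r}")
    raise TypeError(f"expected str or datetime, got {type(value).__name__}")


def date_range_params(start: DateLike, end: DateLike, prefix: str = "pub") -> Dict[str, str]:
    """Build {prefix}StartDate/{prefix}EndDate after checking order and span.

    prefix is "pub" for published dates or "mod" for last-modified dates.
    """
    start_str, end_str = to_nvd_date(start), to_nvd_date(end)
    start_dt = datetime.strptime(start_str, NVD_DATE_FORMAT)
    end_dt = datetime.strptime(end_str, NVD_DATE_FORMAT)
    if end_dt < start_dt:
        raise ValueError("end date precedes start date")
    if end_dt - start_dt > MAX_RANGE:
        raise ValueError("date range exceeds the 120-day limit; split the query")
    return {f"{prefix}StartDate": start_str, f"{prefix}EndDate": end_str}


if __name__ == "__main__":
    end = datetime(2022, 9, 30, 12, 0)
    start = end - timedelta(days=7)
    print(date_range_params(start, end))
    print(date_range_params("2022-06-18 00:00", "2022-10-16 00:00", prefix="mod"))
```

Validating the span client-side matters because an over-long range comes back from the API as an error body rather than a partial result, and splitting the query into 120-day windows is cheaper than discovering that after a retry loop.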

Using valid API Key returns 'invalid apiKey'

The calls nvdlib.searchCVE_V2 and nvdlib.searchCPE_V2 raise a client error 404 due to 'invalid apiKey'.

I could reproduce this with Postman and got the same result.

I can resolve this issue by sending an Authorization header with my API key using the Bearer scheme. Does anybody have a similar problem? Even the NVD API Developer Documentation states that the apiKey needs to be passed the way it was implemented in nvdlib:

Whereas parameters are passed to the API in the URL, API keys are passed in the request header. The exact method of passing header information with a GET request varies based on the user agent. Including apiKey:{key value}, (without brackets or spaces) allows users to make a greater number of requests in a given time than they could otherwise. Please note, the {key value} is case sensitive.

503 Service Unavailable

When trying to send a request I get this

503 Service Unavailable

No server is available to handle this request.

Deprecation of version 1 and support version 2 of the NVD API

Currently NVDLib only supports version 1 of the NVD API. NVD API version 1 will be deprecated in January of 2023. The upcoming NVDLib version will not include support for version 1 of the API and will only include support for version 2.

The current version of NVDLib (0.6.0) will be the last version supporting version 1 of the API. Earlier versions of NVDLib that support version 1 will still be available here for download.

For more information regarding the deprecation time line of version one, see the NVD article here.

This issue will stay open if anyone has any questions regarding version 2 and its impacts to NVDLib.

nvd endpoint down?

The automation we have in the Node.js project has been reporting errors for the last week or so. I updated to the latest version of nvdlib but still see the issue.

From the errors it looks like an issue on the server side:

Traceback (most recent call last):
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/main.py", line 261, in <module>
    exit(main())
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/main.py", line 236, in main
    nvd_vulnerabilities: list[Vulnerability] = query_nvd(
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/main.py", line 155, in query_nvd
    for cve in searchCVE(
  File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/site-packages/nvdlib/cve.py", line 161, in searchCVE
    raw = __get('cve', headers, parameters, limit, verbose, delay)
  File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/site-packages/nvdlib/get.py", line 27, in __get
    raw.raise_for_status()
  File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/site-packages/requests/models.py", line 1024, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 503 Server Error: Service Unavailable for url: https://services.nvd.nist.gov/rest/json/cves/2.0?virtualMatchString=cpe%3A2.3%3Aa%3Aada-url%3Aada%3A2.7.8%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A
Error: Process completed with exit code 1.

Are other people having the same issue?

Change in the JSON result of nvdlib.searchCVE (cvssMetricsV2)

Hi,

For an unknown reason, between Thursday December 15, 2022 and Monday December 19, 2022, NVD must have changed its JSON generation, and this impacts NVDLib. For example, the searchCVE function now returns an error.
Here is the JSON response to my request.
We can see that "metrics.cvssMetricV2[0].cvssData.baseSeverity" doesn't exist anymore, but we find it here: "metrics.cvssMetricV2[0].baseSeverity".
To correct this I changed line 181 of the file "[...]/nvdlib/classes.py".

I don't know if it's a permanent change but changing this line solved the problem
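An accessor that tolerates both layouts described in this issue, added here as an example (it is not nvdlib's code and not the poster's change to classes.py). It looks for a CVSS field on the metric entry first and then inside the nested cvssData object, and returns None rather than raising when a CVE has no CVSS v2 metrics at all; the function names and the sample responses are constructed:

```python
# Added example, not nvdlib's own code: read a CVSS field from an NVD 2.0
# "metrics" object regardless of whether the field sits on the metric entry or
# inside its nested cvssData, and return None instead of raising when the
# metric family is absent. The sample responses below are constructed.
from typing import Any, Optional


def metric_field(metrics: Optional[dict], metric_key: str, field: str) -> Any:
    """Return `field` from the first `metric_key` entry, or None.

    Checks the entry itself first (where the post found baseSeverity after
    the change), then the nested cvssData object (where it used to be).
    """
    entries = (metrics or {}).get(metric_key) or []
    if not entries:
        return None
    first = entries[0] or {}
    if field in first:
        return first[field]
    return (first.get("cvssData") or {}).get(field)


def cvss_v2_summary(metrics: Optional[dict]) -> dict:
    """Collect the CVSS v2 values a report usually wants, tolerating drift."""
    return {
        "score": metric_field(metrics, "cvssMetricV2", "baseScore"),
        "severity": metric_field(metrics, "cvssMetricV2", "baseSeverity"),
        "vector": metric_field(metrics, "cvssMetricV2", "vectorString"),
    }


# Constructed samples: the layout before the change, the layout after it, and
# a CVE that carries only CVSS v3.1 metrics.
OLD_LAYOUT = {"cvssMetricV2": [{"source": "nvd@nist.gov", "type": "Primary",
    "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                 "baseScore": 7.5, "baseSeverity": "HIGH"}}]}
NEW_LAYOUT = {"cvssMetricV2": [{"source": "nvd@nist.gov", "type": "Primary",
    "baseSeverity": "HIGH",
    "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                 "baseScore": 7.5}}]}
V3_ONLY = {"cvssMetricV31": [{"cvssData": {"version": "3.1", "baseScore": 9.8,
                                           "baseSeverity": "CRITICAL"}}]}

if __name__ == "__main__":
    for name, sample in (("old", OLD_LAYOUT), ("new", NEW_LAYOUT), ("v3 only", V3_ONLY)):
        print(name, cvss_v2_summary(sample))
```

Reading a nested key with a guarded lookup instead of chained subscripts is what keeps an upstream schema tweak from turning into a KeyError or a 'NoneType' object is not subscriptable at parse time.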

Query from 2 September breaks parser

Hi,

Using the latest nvdlib, 0.5.8.

When querying all records from a 100-day depth, it breaks while parsing the data.

$ python
Python 3.10.6 (main, Aug  3 2022, 17:39:45) [GCC 12.1.1 20220730] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import nvdlib
>>> import datetime
>>> end = datetime.datetime.now()
>>> start = end - datetime.timedelta(days=100)
>>> cves = nvdlib.searchCVE(pubStartDate=start, pubEndDate=end)
Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/requests/models.py", line 971, in json
    return complexjson.loads(self.text, **kwargs)
  File "/usr/lib/python3.10/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python3.10/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python3.10/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.10/site-packages/nvdlib/cve.py", line 307, in searchCVE
    raw = __get('cve', parameters, limit, key, verbose)
  File "/usr/lib/python3.10/site-packages/nvdlib/get.py", line 65, in __get
    getData = requests.get(link, params=parameters, timeout=30).json()['result']['CVE_Items']
  File "/usr/lib/python3.10/site-packages/requests/models.py", line 975, in json
    raise RequestsJSONDecodeError(e.msg, e.doc, e.pos)
requests.exceptions.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

ExactMatch parameter is not working

The records I get from the NVDLib library and from nvd.nist.gov do not match, using the below query with these parameters:
r = nvdlib.searchCVE(pubStartDate='2022-06-18 00:00', pubEndDate = '2022-10-16 00:00', keyword = 'Entity Framework', exactMatch=True, verbose=True)

With NVDLib it returns 3 records; when I do the same search on nvd.nist.gov I get 0 records. I feel the nvdlib library has an issue in applying the 'Exact match' filter. As you see below, one of the results returned doesn't contain the term 'Entity framework' but is still shown in the result.

Can anyone point me to why exactMatch is not considered, or am I missing something?

nvdlib.searchCVE keywordSearch times out

Hello developer,
I'm using nvdlib-0.7.4, and when I execute the command below:
r = nvdlib.searchCVE(pubStartDate = start, pubEndDate = end,keywordSearch= 'xxxxx', cvssV3Severity = 'Critical', key='xxxxxxxxxxxxxxxxxxxx')

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/maxlin/.local/lib/python3.9/site-packages/nvdlib/cve.py", line 156, in searchCVE
    raw = __get('cve', headers, parameters, limit, verbose, delay)
  File "/home/maxlin/.local/lib/python3.9/site-packages/nvdlib/get.py", line 23, in __get
    raw = requests.get(link, params=stringParams, headers=headers, timeout=30)
  File "/usr/local/lib/python3.9/site-packages/requests/api.py", line 76, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.9/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/requests/adapters.py", line 529, in send
    raise ReadTimeout(e, request=request)
requests.exceptions.ReadTimeout: HTTPSConnectionPool(host='services.nvd.nist.gov', port=443): Read timed out. (read timeout=30)
If I remove "keywordSearch='xxxxx'", it works fine. It is possible that the keyword has been banned.

Thank you

Error in nvdlib.searchCVE

While making a searchCVE call I'm facing a weird issue. Line number 67 (commented) works and line 66 fails. The only difference between them is that the start date and end date are passed as variables on line 66 and hardcoded on line 67. The values are the same and they are strings in both places. Not sure why it fails; I don't get any specific error. The API call fails on line 66 and returns a result on line 67.

Missing `startIndex` in searchCVE_V2()

Hi @vehemont, thanks for this wonderful library.

I've noticed that the searchCVE_V2() method doesn't accept it.
In the NIST NVD documentation, it is a parameter that can be passed in.

Will this parameter be added?

One minor suggestion:
How about adding **kwargs to the searchCVE_V2() method?

Invalid search Errors

Hi,

I'm using nvdlib to search CVEs for a few CPEs and notify if they have a CVE score.

This worked like a charm in the last weeks, but since a few days ago I randomly get JSONDecodeErrors like this:

Invalid search criteria syntax: <Response [403]>
Attempted search criteria: modStartDate=2022-07-09T00:00:00:000 UTC-00:00&modEndDate=2022-07-19T00:00:00:000 UTC-00:00&cpeName=cpe:2.3:a:vmware:vcenter_server:*:*:*:*:*:*:*:*

Because this exception ends with an "exit()", my program stops there. I have now exchanged the "exit()" for "raise" so I can react to this error, but this doesn't explain why I'm now getting these messages.

This happens when I'm using the following functions:

cve_return = nvdlib.searchCVE(cpeName=cpe,modStartDate=modStartDate,modEndDate=modEndDate)

result = nvdlib.getCVE(cve,False)

Btw. my changes to get.py (lines 22-29):

old:

    try: # Try to convert the request to JSON. If it is not JSON, then print the response and exit.
        raw = raw.json() 
        if 'message' in raw:
            raise LookupError(raw['message'])
    except JSONDecodeError:
        print('Invalid search criteria syntax: ' + str(raw))
        print('Attempted search criteria: ' + searchCriteria)
        exit()

new:

    try: # Try to convert the request to JSON. If it is not JSON, then print the response and re-raise.
        raw = raw.json() 
        if 'message' in raw:
            raise LookupError(raw['message'])
    except JSONDecodeError:
        print('Invalid search criteria syntax: ' + str(raw))
        print('Attempted search criteria: ' + searchCriteria)
        raise

Additionally I tried the CPEs manually in a Python shell and it worked like a charm. So it doesn't seem like a syntax problem.

Maybe anyone has an idea? At this moment the script is working, but I need a few re-runs to get every CVE.

Kind Regards
~Ithrasiel
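The failure modes in this thread and the 503 and timeout reports above all come from the same place: a helper that assumes every reply is JSON and calls exit() when it is not. Below is an added example (not nvdlib's code and not the poster's patch) of the alternative: classify the response into a parsed body, a permanent error that carries the attempted criteria, or a transient error that is retried with exponential backoff. FakeResponse stands in for requests.Response so it runs offline, and the status set, delays and class names are assumptions; a real caller would additionally map requests.exceptions.ReadTimeout onto NVDTransientError.

```python
# Added example, not nvdlib's own code: classify an NVD-style HTTP response
# into a parsed body, a permanent error carrying the attempted criteria, or a
# transient error that is retried with backoff instead of exit(). FakeResponse
# stands in for requests.Response so the example runs offline.
import json
import time
from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple

RETRYABLE_STATUS = {429, 502, 503, 504}   # "No server is available", rate limits


class NVDSearchError(Exception):
    """Permanent failure: bad criteria, HTML error page, rejected query."""


class NVDTransientError(Exception):
    """Failure worth retrying: 503, 429, or (if mapped by the caller) a timeout."""


@dataclass
class FakeResponse:
    status_code: int
    text: str

    def json(self):
        return json.loads(self.text)


def parse_nvd_response(resp, criteria: str) -> dict:
    """Return the decoded JSON body or raise a descriptive exception."""
    if resp.status_code in RETRYABLE_STATUS:
        raise NVDTransientError(f"HTTP {resp.status_code}; criteria: {criteria}")
    try:
        body = resp.json()
    except json.JSONDecodeError as exc:   # requests' JSONDecodeError subclasses this
        raise NVDSearchError(
            f"HTTP {resp.status_code} with non-JSON body; criteria: {criteria}") from exc
    if isinstance(body, dict) and "message" in body:
        raise NVDSearchError(f"NVD rejected the query: {body['message']}; criteria: {criteria}")
    if not isinstance(body, dict) or "totalResults" not in body:
        raise NVDSearchError(f"unexpected response shape; criteria: {criteria}")
    return body


def with_retry(fetch: Callable[[], dict], attempts: int = 4, base_delay: float = 6.0,
               sleep: Callable[[float], None] = time.sleep) -> dict:
    """Call fetch(), retrying NVDTransientError with exponential backoff."""
    delay = base_delay
    for attempt in range(1, attempts + 1):
        try:
            return fetch()
        except NVDTransientError:
            if attempt == attempts:
                raise
            sleep(delay)
            delay *= 2
    raise RuntimeError("unreachable")


def run_sequence(responses: Sequence[Tuple[int, str]], criteria: str,
                 attempts: int = 4) -> Tuple[dict, List[float]]:
    """Feed constructed responses through parse + retry; return (body, delays)."""
    pending = iter(FakeResponse(code, text) for code, text in responses)
    delays: List[float] = []
    body = with_retry(lambda: parse_nvd_response(next(pending), criteria),
                      attempts=attempts, sleep=delays.append)
    return body, delays


if __name__ == "__main__":
    criteria = "cpeName=cpe:2.3:a:vmware:vcenter_server:*:*:*:*:*:*:*:*"
    ok = '{"resultsPerPage": 1, "startIndex": 0, "totalResults": 1, "vulnerabilities": []}'
    print(run_sequence([(503, "No server is available to handle this request."), (200, ok)], criteria))
```

Raising a typed exception with the criteria attached is what lets a scheduled job log the failing query and carry on with the next CPE, instead of dying on the first 403 page and needing manual re-runs.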

Can't search for CVE by CVSSv3 severity

I am trying to search for all critical/high/medium/low vulnerabilities that were released within the last month, using the below line for criticals:
crit_monthly_cves = nvdlib.searchCVE(pubStartDate=prev_month_first, pubEndDate=prev_month, cvssV3Severity='Critical')

This line works as soon as I take out the 'cvssV3Severity' parameter; however, it throws this error when trying it with the parameter:

Invalid search criteria syntax: <Response [403]> Attempted search criteria: {'pubStartDate': '2022-09-01T00:00:42:000 UTC-00:00', 'pubEndDate': '2022-09-30T00:00:42:000 UTC-00:00', 'cvssV3Severity': 'CRITICAL'}

  File "C:\Users\xxx\PycharmProjects\xxx\venv\lib\site-packages\nvdlib\cve.py", line 308, in searchCVE
    raw = __get('cve', parameters, limit, key, verbose)
  File "C:\Users\xxx\PycharmProjects\xxx\venv\lib\site-packages\nvdlib\get.py", line 41, in __get
    totalResults = raw['totalResults']
TypeError: 'Response' object is not subscriptable

nvdlib.searchCVE occasionally times out

I'm using nvdlib-0.7.4 and occasionally I get a time out error from urllib3 when executing:
r = nvdlib.searchCVE(cveId=s2,key='xyz',verbose=True,delay=6)
The timeout is currently set to 30.
Is there a way I can increase the timeout?
Thanks

An error when using NIST API key

Hi,

I got a 404 error when I called the searchCPE function using a NIST API key.

I figured out that the header might need to be changed as follows.

  • Current (Line 114 in nvdlib/cpe.py & Line 233 in nvdlib/cve.py)
    headers = {'content-type': 'application/json', 'apiKey': key}

  • Modified
    headers={'content-type': 'application/json', 'Authorization': f'apiKey {key}'}

It seems that the current header might be applicable only to the V1 API.

Thank you for making a great library!

Advance search without specific version fails

I've recently upgraded to 0.7.0. In earlier versions, in advanced search, to search all versions I used to give '*' and it was working, as shown in the URL below (.net_core:*):

https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:a:Microsoft:.net_core:*&pubStartDate=2022-07-12T00:00:00&pubEndDate=2022-11-09T00:00:00

The below url works when version is mentioned(.net_core:3.1)
https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:a:Microsoft:.net_core:3.1&pubStartDate=2022-07-12T00:00:00&pubEndDate=2022-11-09T00:00:00

I'm using nvdlib, which creates this URL I believe. What should I pass instead of '*' to search for all versions?

Support for Python type hints

Hi @vehemont. Thank you for this excellent library.

Have you considered adding type hints to function parameters, return values, and class attributes?
Something along the lines of this:

def searchCVE(
        cpeName: str=None,
        cveId: str=None,
        ...
) -> CVE:

Timeout

I always get this error:

HTTPSConnectionPool(host='services.nvd.nist.gov', port=443): Read timed out. (read timeout=30)

Fetching CVE stuck in endless loop

During the retrieval of CVEs for CWE-1233, the nvdlib.searchCVE function ends up in an endless loop:

Error during lookup for cve entry ..
 -> 'NoneType' object is not subscriptable 
 Retrying.

Error when searching CVEs by CPE name

I got an HTTP 404 error when searching for CVEs using the CPE name returned from a CPE search. It appears that CPE names may contain special characters that, if not escaped, will cause the NVD API to return a 404.

>>> import nvdlib
>>> terms='wptaskforce'
>>> cpes = nvdlib.searchCPE(keywordSearch=terms, key=key, limit=1)
>>> for eachCPE in cpes:
...     print(eachCPE.cpeName)
... 
cpe:2.3:a:wptaskforce:track_\&_trace:6.9.5:*:*:*:*:wordpress:*:*
>>> for eachCPE in cpes:
...     cves = nvdlib.searchCVE(cpeName=eachCPE.cpeName, key=key)
... 
Traceback (most recent call last):
  File "<stdin>", line 2, in <module>
  File "/Users/rthew/Library/Python/3.9/lib/python/site-packages/nvdlib/cve.py", line 270, in searchCVE
    raw = __get('cve', headers, parameters, limit, verbose, delay)
  File "/Users/rthew/Library/Python/3.9/lib/python/site-packages/nvdlib/get.py", line 24, in __get
    raw.raise_for_status()
  File "/Users/rthew/Library/Python/3.9/lib/python/site-packages/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 404 Client Error:  for url: https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:a:wptaskforce:track_%5C&_trace:6.9.5:*:*:*:*:wordpress:*:*

I can get around this by escaping each cpeName using the urllib library, but it would be nice if the searchCVE function handled this itself.

Thanks!
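The traceback shows what went wrong: the backslash was encoded as %5C but the "&" was not, so the server read the query as two parameters and cpeName was cut off after "track_". Below is an added example (not nvdlib's code and not the poster's urllib workaround) that percent-encodes a CPE name while leaving the ':' and '*' of CPE 2.3 syntax readable, and parses the resulting query the way a server would so the truncation is visible; helper names are assumptions and the CPE name is the one from the post.

```python
# Added example, not nvdlib's own code: percent-encode a CPE name before it is
# placed in the cves/2.0 query string, and show how the unescaped "&" from the
# post truncates the parameter on the server side. Helper names are assumptions.
from urllib.parse import parse_qs, quote, urlsplit

NVD_CVES_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"
# CPE name from the post; the product field really contains a backslash and "&".
CPE_FROM_POST = r"cpe:2.3:a:wptaskforce:track_\&_trace:6.9.5:*:*:*:*:wordpress:*:*"


def encode_cpe_name(cpe_name: str) -> str:
    """Percent-encode everything except ':' and '*', which are CPE 2.3 syntax."""
    return quote(cpe_name, safe=":*")


def build_cves_url(cpe_name: str, **params: str) -> str:
    """Assemble a cves/2.0 URL with an encoded cpeName plus extra parameters."""
    pairs = [("cpeName", encode_cpe_name(cpe_name))]
    pairs += [(key, quote(value, safe=":")) for key, value in params.items()]
    return NVD_CVES_URL + "?" + "&".join(f"{k}={v}" for k, v in pairs)


def cpe_name_seen_by_server(url: str) -> str:
    """Parse the query as a server would and return the cpeName it receives."""
    query = parse_qs(urlsplit(url).query)
    return query.get("cpeName", [""])[0]


def naive_url(cpe_name: str) -> str:
    """The URL shape from the traceback: only the backslash was encoded."""
    return NVD_CVES_URL + "?cpeName=" + cpe_name.replace("\\", "%5C")


if __name__ == "__main__":
    good = build_cves_url(CPE_FROM_POST, pubStartDate="2022-07-12T00:00:00")
    print(good)
    print("server sees:", cpe_name_seen_by_server(good))
    print("server sees (naive):", cpe_name_seen_by_server(naive_url(CPE_FROM_POST)))
```

The same rule applies to any value that is pasted into a query string from API output: encode it as a whole parameter value rather than hand-escaping the characters you happen to have noticed.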
