No description
  • Go 99.6%
  • Makefile 0.4%
Find a file
2026-06-01 11:53:59 +02:00
cmd added makefile and version information 2026-06-01 11:53:59 +02:00
internal initial commit 2026-06-01 11:33:40 +02:00
.env.example initial commit 2026-06-01 11:33:40 +02:00
.gitignore initial commit 2026-06-01 11:33:40 +02:00
go.mod initial commit 2026-06-01 11:33:40 +02:00
go.sum initial commit 2026-06-01 11:33:40 +02:00
LICENSE initial commit 2026-06-01 11:33:40 +02:00
main.go added makefile and version information 2026-06-01 11:53:59 +02:00
Makefile added makefile and version information 2026-06-01 11:53:59 +02:00
Readme.md added makefile and version information 2026-06-01 11:53:59 +02:00

cvekit

A CLI to query the NIST National Vulnerability Database (NVD) locally.

Disclaimer: This product uses data from the NVD API but is not endorsed or certified by the NVD. You may use the NVD name to identify the source of the data. You may not use the NVD name to imply endorsement of any product, service, or entity. For information on how to cite the NVD, please consult NIST's Public Data Repository.


How it works

On first run, cvekit downloads the full NVD CPE dataset (~450 MB) into a local SQLite database at ~/.cvekit/nvd.db. Subsequent runs perform an incremental sync if the last sync is older than 6 hours. All queries are then answered locally — no network round-trip per search.


Installation

git clone https://github.com/antoineggg/cvekit
cd cvekit
make install

This compiles the binary and installs it into $GOPATH/bin (usually ~/go/bin), making cvekit available system-wide. Make sure ~/go/bin is in your $PATH.


Build & versioning

The version is injected at compile time via Go linker flags — the source code is never modified.

Development build (version = dev):

make build
# or: go build .

Release build:

make build VERSION=1.0.0

Install globally:

make install VERSION=1.0.0

Check the version:

cvekit --version
# cvekit version 1.0.0

A build without VERSION produces a binary tagged dev, making it easy to distinguish from official releases.


Without an API key the NVD rate-limits you to 5 requests / 30 s, which makes the initial full sync very slow. With a key the limit rises to 50 requests / 30 s.

Get a free key at https://nvd.nist.gov/developers/request-an-api-key, then either:

Option 1 — .env file (recommended, picked up automatically):

cp .env.example .env
# edit .env and set your key
NVD_API_KEY=your_api_key_here

Option 2 — environment variable:

export NVD_API_KEY=your_api_key_here

Option 3 — flag per command:

cvekit --api-key your_api_key_here vendor search openssl

CPE format

A CPE (Common Platform Enumeration) name is a structured string of 13 components separated by ::

cpe:2.3: a : apache : http_server : 2.4.51 : * : * : * : * : * : * : *
  [1] [2] [3]  [4]       [5]         [6]   [7] [8] [9] [10][11][12][13]
# Name Example Description
1 prefix cpe Always cpe
2 schema version 2.3 Always 2.3
3 part a a = application, o = OS, h = hardware
4 vendor apache Organisation that publishes the product
5 product http_server Product name
6 version 2.4.51 Exact version
7 update * Patch/update level (e.g. sp1, beta)
8 edition * Legacy edition field (almost always *)
9 language * Language (e.g. fr, en)
10 sw_edition * Software edition (e.g. enterprise)
11 target_sw * Target OS (e.g. windows, linux)
12 target_hw * Target architecture (e.g. x86, arm)
13 other * Free-form field

* is a wildcard meaning "any value". In practice, fields 713 are almost always * — what matters is part + vendor + product + version.

Examples:

cpe:2.3:a:microsoft:windows_10:21h2:*:*:*:*:*:x64:*   (x64 only)
cpe:2.3:o:linux:linux_kernel:5.15:*:*:*:*:*:*:*        (OS)
cpe:2.3:h:cisco:catalyst_9300:*:*:*:*:*:*:*:*          (hardware)

Commands

osv search <ecosystem> <package>

Search the OSV database for vulnerabilities affecting a specific package. Unlike the NVD/CPE commands, OSV queries are made directly against the API — no local database required.

cvekit osv search <ecosystem> <package> [--version <version>]

Ecosystem names are case-insensitive (pypi, Pypi and PyPI all work).

Examples:

$ cvekit osv search PyPI requests
$ cvekit osv search pypi requests --version 2.28.0
$ cvekit osv search Go k8s.io/client-go
$ cvekit osv search npm lodash --version 4.17.15

osv ecosystems

List all ecosystems supported by OSV.

cvekit osv ecosystems

Supported ecosystems: Go, npm, PyPI, crates.io, RubyGems, Maven, NuGet, Packagist, Hex, Pub, CRAN, Bioconductor, SwiftURL, ConanCenter, GitHub Actions, Debian, Alpine, Ubuntu, Rocky Linux, AlmaLinux, Android, Linux, OSS-Fuzz.


vendor search <product>

Search all NVD entries whose vendor or product name contains the given keyword. Deprecated entries are filtered out. Results are deduplicated per vendor:product pair.

cvekit vendor search <product>

Example:

$ cvekit vendor search openssl

VENDOR                  PRODUCT              TITLE
jean-paul_calderone     pyopenssl            Jean-Paul Calderone pyOpenSSL 0.13.1
openssl                 openssl              OpenSSL Project OpenSSL
redhat                  openssl              Red Hat openssl
...

Use this command to find the exact vendor string to use in a CPE identifier, e.g. cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*.


Global flags

Flag Description
--api-key NVD API key (overrides NVD_API_KEY env var)

Database

The local database lives at ~/.cvekit/nvd.db (SQLite). It is created automatically on first use. You can delete it at any time to force a full re-sync on the next run.