Search vulnerabilities using a CPE string #334

Open
gboulle opened this issue Jan 22, 2024 · 2 comments

@gboulle

gboulle commented Jan 22, 2024

Is your feature request related to a problem?
Actually, vulnerabilities are parsed using criteria like vendor or product string.
As an asset admin role, I would like to search for vulnerabilities using a CPE (This code might be stored in my CMDB for example).
The idea is to get notified when a critical CVE matches my asset/version database.

Do you have a solution in mind, or a suggestion to improve OpenCVE?
Example: I have a Cisco switch running IOS XE in version 17.9.2
I would like to search in opencve for vulnerabilities database using this pattern.
Are there vulnerabilities that match cpe:2.3:o:cisco:ios_xe:17.9.2?

The challenge is to:

  • parse the CVE table for vulnerabilities that match cisco:ios_xe
  • For each CVE found, test for a CPE matching pattern
    => does the CVE have a direct match with cpe:2.3:o:cisco:ios_xe:17.9.2:*:*:*:*:*:*:*
    => does the CVE have a wildcard match with cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:* and a matchCriteriaId?
    => does the matchCriteriaId contain a reference to "cpeName": "cpe:2.3:o:cisco:ios_xe:17.9.2:*:*:*:*:*:*:*"?

I don't know if it is the right way to do it but it would be very helpful for people playing this IT role.

Regards,
Guillaume
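
The three checks listed in the request above, sketched as an added example (not OpenCVE code and not written by the issue author). It assumes the NVD CVE API 2.0 field names `criteria`, `matchCriteriaId`, `vulnerable` and the `version*Including/Excluding` bounds; the sample records and IDs are constructed, and the version ordering is a simplification.

```python
import re

FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")
BOUNDS = {"versionStartIncluding": lambda v, b: v >= b,
          "versionStartExcluding": lambda v, b: v > b,
          "versionEndIncluding": lambda v, b: v <= b,
          "versionEndExcluding": lambda v, b: v < b}

def parse_cpe(cpe):
    """Split a CPE 2.3 string into its 11 attributes; short strings are padded with '*'."""
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    parts = re.split(r"(?<!\\):", cpe[8:].lower())  # '\:' is an escaped colon, not a separator
    if len(parts) > len(FIELDS):
        raise ValueError(f"too many components: {cpe!r}")
    return dict(zip(FIELDS, parts + ["*"] * (len(FIELDS) - len(parts))))

def version_key(version):
    """Simplified ordering (assumption): numeric runs compare as ints, letters as text."""
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.findall(r"\d+|[a-z]+", version)]

def covers(pattern, asset, skip=()):
    """Attribute-wise match; '*' on either side means any/unknown (assumption)."""
    return all(pattern[f] == asset[f] or "*" in (pattern[f], asset[f])
               for f in FIELDS if f not in skip)

def asset_is_affected(asset_cpe, entry, expansions=None):
    """entry: one NVD cpeMatch dict. expansions: matchCriteriaId -> list of cpeName."""
    asset, criteria = parse_cpe(asset_cpe), parse_cpe(entry["criteria"])
    if not entry.get("vulnerable", True) or not covers(criteria, asset, skip=("version",)):
        return False
    names = (expansions or {}).get(entry.get("matchCriteriaId"))
    if names is not None:                       # enumerated cpeName list is available
        return any(covers(parse_cpe(n), asset) for n in names)
    bounds = [(check, entry[k]) for k, check in BOUNDS.items() if k in entry]
    if bounds and asset["version"] != "*":      # wildcard criteria plus a version range
        v = version_key(asset["version"])
        return all(check(v, version_key(b.lower())) for check, b in bounds)
    return covers(criteria, asset)              # direct match, or any-version wildcard

# Constructed sample data (not real NVD records); the IDs are placeholders.
ASSET = "cpe:2.3:o:cisco:ios_xe:17.9.2"
DIRECT = {"criteria": "cpe:2.3:o:cisco:ios_xe:17.9.2:*:*:*:*:*:*:*", "matchCriteriaId": "ID-DIRECT"}
RANGED = {"criteria": "cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*", "matchCriteriaId": "ID-RANGE",
          "versionStartIncluding": "17.9.1", "versionEndExcluding": "17.9.4"}
EXPANDED = {"ID-RANGE": ["cpe:2.3:o:cisco:ios_xe:17.9.1:*:*:*:*:*:*:*",
                         "cpe:2.3:o:cisco:ios_xe:17.9.2:*:*:*:*:*:*:*"]}
print(asset_is_affected(ASSET, DIRECT), asset_is_affected(ASSET, RANGED, EXPANDED))
```

An asset whose version is unknown (`*`) is reported as affected by a ranged entry, which suits inventory alerting where a false positive is cheaper than a miss.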

@ncrocfer
Member

Thanks for your issue and the details you provided in it, keeping this feature in the backlog 👍

@ncrocfer ncrocfer added the enhancement New feature or request label Mar 8, 2024
@Propolisa

Propolisa commented Mar 12, 2024

Agree that this feature would be invaluable for doing vuln lookups for a known product + version combination. The public NVD API cves API supports this (partial / complete CPE search), but it is unreliable and has strict rate limits.

It would be most useful for my scenario to extend the current API endpoint for this by adding a version spec to the search, e.g.
/api/cve?vendor=apache&product=age&version=1.2.3

I could do the CPE parsing myself, although it would be nice if a dedicated CPE filter param exists like /api/cve?cpe=cpe:2.3:a:apache:age:1.2.3:*:*:*:*:*:*:*
