How to retrieve CVSS Scores with Bulk CVE Lookup in NIST NVD via Python

[Figure: command terminal output of the Python bulk CVE lookup script]

Retrieving CVSS scores for multiple CVEs by hand is a repetitive task. Fortunately, Python provides an easy way to convert CVE-IDs to CVSS 3 or CVSS 2 scores. In this post, I will show you how to use Python3 to create a simple script that pulls the latest CVSS base score from the NIST National Vulnerability Database (NVD). The output of the script can easily be copied and pasted into an Excel file and split into columns with Text to Columns.

Python package requirements:

  • Requests
  • BeautifulSoup4

Import the Python packages

import sys
import requests
import json
import time
from bs4 import BeautifulSoup

Setup system arguments to read the target file

# Require the input file name as the first argument.
if len(sys.argv) < 2:
    print('Enter File Name (E.g. python3 bulk_cve_lookup.py cve.txt)')
    sys.exit(1)

# Read one CVE-ID per line; keep only the text before any ", " separator.
with open(sys.argv[1], "r") as cve_file:
    cve_list = []
    for line in cve_file:
        cve_id = line.split(", ")[0].strip()
        if cve_id:  # skip blank lines
            cve_list.append(cve_id)

The code snippet above ensures that the Python script only runs when an argument is specified. Once a target file is given as the argument, the script reads the CVE-IDs from the text file line by line.

Use the BeautifulSoup package to perform bulk CVE lookup

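print("CVE-ID,", "CVSS 3 Base Score,", "CVSS 2 Base Score")

for cve_id in cve_list:
    response = requests.get('https://nvd.nist.gov/vuln/detail/' + cve_id, timeout=30)
    soup = BeautifulSoup(response.content, 'html.parser')
    links = soup.find_all('a')

    try:
        # Links 40 and 41 on the detail page hold the CVSS 3 and CVSS 2 scores.
        # These positions depend on the page layout at the time of writing.
        cvss3 = links[40].get_text()
        cvss2 = links[41].get_text()
        if any(c.isdigit() for c in cvss2):
            print(cve_id, ",", cvss3, ",", cvss2)
        else:
            print(cve_id, ",", "N/A", ",", "N/A")
    except IndexError:
        # Fewer links than expected: still emit a row instead of dropping the CVE.
        print(cve_id, ",", "N/A", ",", "N/A")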

In this portion of the script, each CVE's NVD detail page is fetched and parsed with BeautifulSoup, and the script checks whether a CVSS 2 score is available. If the CVSS 2 score is not available, the script displays N/A in the output.
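The same lookup logic can be made less dependent on page layout. The block below is an added example, not part of the original script: it validates each line of cve.txt before it would be appended to a request URL, and reads scores from structured records instead of link positions. It assumes records shaped like the NVD CVE API 2.0 JSON (`metrics` → `cvssMetricV31` / `cvssMetricV30` / `cvssMetricV2` → `cvssData.baseScore`); the function names and all sample data are constructed for illustration.

```python
import csv
import io
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")  # CVE-YYYY-NNNN, sequence of 4+ digits

def parse_cve_ids(lines):
    """Return valid, de-duplicated CVE-IDs in file order; skip anything else."""
    seen, ids = set(), []
    for line in lines:
        cve = line.split(",")[0].strip().upper()
        if CVE_RE.fullmatch(cve) and cve not in seen:
            seen.add(cve)
            ids.append(cve)
    return ids

def base_scores(record):
    """Return (CVSS 3, CVSS 2) base scores from one record, 'N/A' if absent."""
    metrics = record.get("cve", {}).get("metrics", {})

    def first(*keys):
        for key in keys:
            for entry in metrics.get(key, []):
                return str(entry["cvssData"]["baseScore"])
        return "N/A"

    # Prefer CVSS 3.1 over 3.0; CVSS 2 is looked up independently.
    return first("cvssMetricV31", "cvssMetricV30"), first("cvssMetricV2")

def to_csv(cve_ids, records_by_id):
    """Build the CSV text; a CVE without a record still gets an N/A row."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["CVE-ID", "CVSS 3 Base Score", "CVSS 2 Base Score"])
    for cve in cve_ids:
        writer.writerow([cve, *base_scores(records_by_id.get(cve, {}))])
    return out.getvalue()

# Constructed sample input (placeholder IDs and scores, not real NVD data).
SAMPLE_LINES = ["CVE-2099-0001\n", "cve-2099-0002, note\n", "\n",
                "../../search?x=1\n", "CVE-2099-0001\n", "CVE-2099-0003\n"]
SAMPLE_RECORDS = {
    "CVE-2099-0001": {"cve": {"metrics": {
        "cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}],
        "cvssMetricV2": [{"cvssData": {"baseScore": 7.5}}]}}},
    "CVE-2099-0002": {"cve": {"metrics": {
        "cvssMetricV30": [{"cvssData": {"baseScore": 5.3}}]}}},
}

if __name__ == "__main__":
    print(to_csv(parse_cve_ids(SAMPLE_LINES), SAMPLE_RECORDS), end="")
```

Writing rows with the `csv` module gives a file that opens directly in Excel without the Text to Columns step.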

Prepare the cve.txt file

The text file containing the CVEs should list one CVE-ID per line, as shown above.

Full Code

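import sys
import requests
import json
import time
from bs4 import BeautifulSoup

# Require the input file name as the first argument.
if len(sys.argv) < 2:
    print('Enter File Name (E.g. python3 bulk_cve_lookup.py cve.txt)')
    sys.exit(1)

# Read one CVE-ID per line; keep only the text before any ", " separator.
with open(sys.argv[1], "r") as cve_file:
    cve_list = []
    for line in cve_file:
        cve_id = line.split(", ")[0].strip()
        if cve_id:  # skip blank lines
            cve_list.append(cve_id)

print("CVE-ID,", "CVSS 3 Base Score,", "CVSS 2 Base Score")

for cve_id in cve_list:
    response = requests.get('https://nvd.nist.gov/vuln/detail/' + cve_id, timeout=30)
    soup = BeautifulSoup(response.content, 'html.parser')
    links = soup.find_all('a')

    try:
        # Links 40 and 41 on the detail page hold the CVSS 3 and CVSS 2 scores.
        # These positions depend on the page layout at the time of writing.
        cvss3 = links[40].get_text()
        cvss2 = links[41].get_text()
        if any(c.isdigit() for c in cvss2):
            print(cve_id, ",", cvss3, ",", cvss2)
        else:
            print(cve_id, ",", "N/A", ",", "N/A")
    except IndexError:
        # Fewer links than expected: still emit a row instead of dropping the CVE.
        print(cve_id, ",", "N/A", ",", "N/A")
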

Quick Start

You need Python3 to run the script.

If the Python script and cve.txt are in the same directory, you can run the following command:

$ python3 bulk_cve_lookup.py cve.txt

One Response

  1. Thanks for the post. It was super informative and helpful. The script was really well written. Looking forward to your future posts!
