TheCyberByte

Twitter

How to retrieve CVSS Scores with Bulk CVE Lookup in NIST NVD via Python

Share on facebook
Share on reddit
Share on twitter
Share on linkedin
Bulk CVE Lookup Output
Command Terminal Output of Python Bulk CVE Lookup Script

Retrieving CVSS Scores for multiple CVEs can be a redundant task. Fortunately, Python can be leveraged to provide an easy way to convert CVE-ID to CVSS 3 or CVSS 2 Scores. In this post, I will show you how to use Python3 to create a simple script to pull the latest CVSS base score from the NIST National Vulnerability Database (NVD). The output of the script can be easily copied and paste into an excel file and separated with text to column.

Python package requirements:

  • Requests
  • BeautifulSoup4

Import the Python packages

import sys
import requests
import json
import time
from bs4 import BeautifulSoup

Setup system arguments to read the target file

if len(sys.argv) < 2:
    print('Enter File Name (E.g. python3 bulk_cve_lookup.py cve.txt)')
    exit()

with open(sys.argv[1], "r") as cve_file:
       lines = cve_file.readlines()

       cve_list = []
       
       for l in lines:
                 as_list = l.split(", ")
                 cve_list.append(as_list[0].replace("\n", ""))

The above code snippet will ensure that the python script only runs when an argument is specified. After a target file is specified as an argument, the script will attempt to read the CVE-ID line by line within the text file. 

Use the BeautifulSoup package to perform bulk CVE lookup

print("CVE-ID,","CVSS 3 Base Score,","CVSS 2 Base Score")

for CVEs in cve_list:
    response = requests.get('https://nvd.nist.gov/vuln/detail/'+str(CVEs))
    soup = BeautifulSoup(response.content, 'html.parser')
    
    try:
        test1 = (soup.find_all('a')[41].get_text())
       
        
        if  any (c.isdigit() for c in test1):
            print(CVEs,",",soup.find_all('a')[40].get_text(),",",soup.find_all('a')[41].get_text())
        else:
            print(CVEs,",","N/A",",","N/A")
    
    except:
        None

In this portion of the script, the script will check the BeautifulSoup web request to see if a CVSS 2 score is available. If the CVSS 2 score is not available, the script will display N/A for the output.

Prepare the cve.txt file

The text file containing the CVEs should have the CVE-ID separated line by line as shown above.

Full Code

import sys
import requests
import json
import time
from bs4 import BeautifulSoup

if len(sys.argv) < 2:
    print('Enter File Name (E.g. python3 bulk_cve_lookup.py cve.txt)')
    exit()

with open(sys.argv[1], "r") as cve_file:
       lines = cve_file.readlines()

       cve_list = []
       
       for l in lines:
                 as_list = l.split(", ")
                 cve_list.append(as_list[0].replace("\n", ""))
      
       
       
print("CVE-ID,","CVSS 3 Base Score,","CVSS 2 Base Score")

for CVEs in cve_list:
    response = requests.get('https://nvd.nist.gov/vuln/detail/'+str(CVEs))
    soup = BeautifulSoup(response.content, 'html.parser')
    
    try:
        test1 = (soup.find_all('a')[41].get_text())
       
        
        if  any (c.isdigit() for c in test1):
            print(CVEs,",",soup.find_all('a')[40].get_text(),",",soup.find_all('a')[41].get_text())
        else:
            print(CVEs,",","N/A",",","N/A")
    
    except:
        None

Quick Start

You need Python3 to run the script.

If the python script and cve.txt are in the same directory, you can run the following command:

$ python3 bulk_cve_lookup.py cve.txt

5 Responses

  1. Thanks for the post. It was super informative and helpful. The script was really well written. Looking forward to your future posts!

    Reply

  2. Hi – just found this and apparently NIST has updated their site, the script no longer works “as is”.. I’m dabbling to see what adjustment can be made and looking at related documentation.

    Could you provide helpful suggestions or updates to this script?

    Reply

  3. Update – here’s an updated Python 3 script based on your sample code that is pulling the scores out nicely. Thanks again for your post!

    Respectfully,

    Orlando Stevenson

    ———-
    import sys
    import requests
    import json
    import time
    from bs4 import BeautifulSoup

    Cvss2id = “Cvss2CalculatorAnchor”
    Cvss3id = “Cvss3NistCalculatorAnchor”

    if len(sys.argv) 10:
    fsC2 = tsC2.split(Cvss2id,1)[1]
    VsC2 = fsC2[2:fsC2.find(” “)]
    else:
    VsC2 = “”

    if len(tsC3) > 10:
    fsC3 = tsC3.split(Cvss3id,1)[1]
    VsC3 = fsC3[2:fsC3.find(” “)]
    else:
    VsC3 = “”

    print(CVEs,”,”,VsC3,”,”,VsC2)

    Reply

  4. Update – here’s an updated Python 3 script based on your sample code that is pulling the scores out nicely. Thanks again for your post!

    Respectfully,

    Orlando Stevenson

    ===================

    import sys
    import requests
    import json
    import time
    from bs4 import BeautifulSoup

    Cvss2id = “Cvss2CalculatorAnchor”
    Cvss3id = “Cvss3NistCalculatorAnchor”

    if len(sys.argv) 10:
    fsC2 = tsC2.split(Cvss2id,1)[1]
    VsC2 = fsC2[2:fsC2.find(” “)]
    else:
    VsC2 = “”

    if len(tsC3) > 10:
    fsC3 = tsC3.split(Cvss3id,1)[1]
    VsC3 = fsC3[2:fsC3.find(” “)]
    else:
    VsC3 = “”

    print(CVEs,”,”,VsC3,”,”,VsC2)

    Reply

Leave a Reply

Your email address will not be published.

Recent Comments

Recent Posts

Sign up for our Newsletter