Retrieving CVSS Scores for multiple CVEs can be a redundant task. Fortunately, Python can be leveraged to provide an easy way to convert CVE-ID to CVSS 3 or CVSS 2 Scores. In this post, I will show you how to use Python3 to create a simple script to pull the latest CVSS base score from the NIST National Vulnerability Database (NVD). The output of the script can be easily copied and paste into an excel file and separated with text to column.
Python package requirements:
- Requests
- BeautifulSoup4
Import the Python packages
import sys import requests import json import time from bs4 import BeautifulSoup
Setup system arguments to read the target file
if len(sys.argv) < 2: print('Enter File Name (E.g. python3 bulk_cve_lookup.py cve.txt)') exit() with open(sys.argv[1], "r") as cve_file: lines = cve_file.readlines() cve_list = [] for l in lines: as_list = l.split(", ") cve_list.append(as_list[0].replace("\n", ""))
The above code snippet will ensure that the python script only runs when an argument is specified. After a target file is specified as an argument, the script will attempt to read the CVE-ID line by line within the text file.
Use the BeautifulSoup package to perform bulk CVE lookup
print("CVE-ID,","CVSS 3 Base Score,","CVSS 2 Base Score") for CVEs in cve_list: response = requests.get('https://nvd.nist.gov/vuln/detail/'+str(CVEs)) soup = BeautifulSoup(response.content, 'html.parser') try: test1 = (soup.find_all('a')[41].get_text()) if any (c.isdigit() for c in test1): print(CVEs,",",soup.find_all('a')[40].get_text(),",",soup.find_all('a')[41].get_text()) else: print(CVEs,",","N/A",",","N/A") except: None
In this portion of the script, the script will check the BeautifulSoup web request to see if a CVSS 2 score is available. If the CVSS 2 score is not available, the script will display N/A for the output.
Prepare the cve.txt file
The text file containing the CVEs should have the CVE-ID separated line by line as shown above.
Full Code
import sys import requests import json import time from bs4 import BeautifulSoup if len(sys.argv) < 2: print('Enter File Name (E.g. python3 bulk_cve_lookup.py cve.txt)') exit() with open(sys.argv[1], "r") as cve_file: lines = cve_file.readlines() cve_list = [] for l in lines: as_list = l.split(", ") cve_list.append(as_list[0].replace("\n", "")) print("CVE-ID,","CVSS 3 Base Score,","CVSS 2 Base Score") for CVEs in cve_list: response = requests.get('https://nvd.nist.gov/vuln/detail/'+str(CVEs)) soup = BeautifulSoup(response.content, 'html.parser') try: test1 = (soup.find_all('a')[41].get_text()) if any (c.isdigit() for c in test1): print(CVEs,",",soup.find_all('a')[40].get_text(),",",soup.find_all('a')[41].get_text()) else: print(CVEs,",","N/A",",","N/A") except: None
Quick Start
You need Python3 to run the script.
If the python script and cve.txt are in the same directory, you can run the following command:
$ python3 bulk_cve_lookup.py cve.txt
One Response
Thanks for the post. It was super informative and helpful. The script was really well written. Looking forward to your future posts!