NAME

Net::NVD - query CVE data from NIST's NVD (National Vulnerability Database)

SYNOPSIS

use Net::NVD;

my $nvd = Net::NVD->new;

my $cve = $nvd->get( 'CVE-2019-1010218' );

my @cves = $nvd->search(
    keyword_search      => 'perl cpan',
    last_mod_start_date => '2023-01-15T13:00:00.000-03:00',
    no_rejected         => 1,
);

DESCRIPTION

This modules provides a Perl interface to NIST's National Vulnerability Database (NVD)

METHODS

new( %params )

my $nvd = Net::NVD->new;
my $nvd = Net::NVD->new( api_key => 'your secret key' );

Instantiates a new object. If you want a better rate limit, you should request an API key for your organization. But you should probably only do it if you actually hit the limit, as their API is quite generous.

get( $cve_id )

my $cve_data = $nvd->get( 'CVE-2003-0521' );

Retrieves data for a given CVE. It is a shortcut to:

my $cve_data = (Net::NVD->new->search(cve_id => 'CVE-2003-0521'))[0]{cve};

search( %params )

my @cves = $nvd->search(
  keyword search      => 'Microsoft Outlook',
  keyword_exact_match => true,
);

Queries NVD's API with the following parameters:

  • cpe_name - a given CPE v2.3 name.

  • cve_id - a specific CVE id.

  • cvssv2_metrics - a full or partial CVSSv2 vector string.

  • cvssV2Severity - LOW, MEDIUM or HIGH.

  • cvssv3_metrics - a full or partial CVSSv3 vector string.

  • cvssv3_severity - LOW, MEDIUM, HIGH or CRITICAL.

  • cwe_id - a CWE (Common Weakness Enumeration) id.

  • has_cert_alerts - set to true to return only CVEs containing a Technical Alert from US-CERT.

  • has_cert_notes - set to true to return only CVEs containing a Vulnerability Note from CERT/CC.

  • has_kev - set to true to return only CVEs that appear in CISA's Known Exploited Vulnerabilities (KEV) Catalog.

  • has_oval - set to true to return only CVEs that contain information from MITRE's Open Vulnerability and Assessment Language (OVAL) before this transitioned to the Center for Internet Security (CIS).

  • is_vulnerable - set to true to return only CVEs associated with a specific CPE, where the CPE is also considered vulnerable (if you use this parameter, you must also set cpe_name).

  • keyword_search - return CVEs with ANY of the given words found in the current description. To search for an exact phrase, set keyword_exact_match to true.

  • keyword_exact_match - set to true to make keyword_search look for an exact phrase match.

  • last_mod_start_date / last_mod_end_date - CVEs that were last modified during the specified period (iso8061 format). Must be used together.

  • no_rejected - set to true to return only CVE records with the REJECT or Rejected status.

  • pub_start_date / pub_end_date - CVEs that were added to NVD (i.e. published) during the specified period (iso8061 format). Must be used together.

  • results_per_page - maximum number of CVE records to return. Defaults to the maximum of 2_000 (and NIST recommends you keep it like so).

  • start_index - the index of the first CVE to be returned in the response data (zero based).

  • source_identifier - CVE records with the given source identifier appearing as a data source in the CVE record.

  • virtual_match_string - a broader CPE filter than cpe_name. May be augmented by the parameters below.

  • version_end - augments virtual_match_string filtering CPEs in specific version ranges.

  • version_end_type - 'including' or 'excluding', specifying the type for version_end.

  • version_start - augments virtual_match_string filtering CPEs in the specific version ranges.

  • version_start_type - 'including' or 'excluding', specifying the type for version_start.

Please refer to NIST NVD API Specification for more information on the search parameters above.

LICENSE AND COPYRIGHT

Copyright 2023- Breno G. de Oliveira <garu at cpan.org>. All rights reserved.

This module is free software; you can redistribute it and/or modify it under the same terms as Perl itself. See perlartistic.

This product uses data from the NVD API but is not endorsed or certified by the NVD.

DISCLAIMER OF WARRANTY

BECAUSE THIS SOFTWARE IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE SOFTWARE, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE SOFTWARE "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE SOFTWARE IS WITH YOU. SHOULD THE SOFTWARE PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR, OR CORRECTION.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE SOFTWARE AS PERMITTED BY THE ABOVE LICENCE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE SOFTWARE TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

1 POD Error

The following errors were encountered while parsing the POD:

Around line 106:

Unterminated L< ... > sequence