Support multiple CVEs

mkmurali · mkmurali · commit 2427172032cf · 2023-10-25T21:24:41.000-05:00
diff --git a/README.md b/README.md
@@ -26,8 +26,8 @@ See CISA KEV Catalog at [https://www.cisa.gov/known-exploited-vulnerabilities](h
 ### Usage via npx
 
 ```bash
-## Run the tool with a CVE ID
-npx cve-risk-scores@latest CVE-YYYY-XXXXX
+## Run the tool with a list of CVE IDs separated by comma
+npx cve-risk-scores@latest "CVE-YYYY-XXXX1, CVE-YYYY-XXXX2,..."
 ```
 
 ### Usage via global install option
@@ -36,8 +36,8 @@ npx cve-risk-scores@latest CVE-YYYY-XXXXX
 ## Install the tool globally
 npm install -g cve-risk-scores@latest
 
-## Run the tool with a CVE ID
-cve-risk-scores CVE-YYYY-XXXXX
+## Run the tool with a list of CVE IDs separated by comma
+cve-risk-scores "CVE-YYYY-XXXX1, CVE-YYYY-XXXX2,..."
 ```
 
 ### Options
@@ -54,6 +54,8 @@ Options:
                                                            [number] [default: 0]
   -s, --score                 CVSS score threshold to fail the audit
                                                            [number] [default: 0]
+  -d, --delay                 Delay between each CVE audit, in seconds
+                                                           [number] [default: 0]
       --help                  Show help                                [boolean]
 
 ```
@@ -81,16 +83,42 @@ Audit will fail if any of these conditions are met.
 
 ```bash
 # Run with default options
-cve-risk-scores CVE-2023-20273
+cve-risk-scores "CVE-2021-21295, CVE-2017-7525"
+
+ Auditing 1 of 2 CVE-2021-21295 at 10/25/2023, 8:48:11 PM
+
+
+ EPSS score (probability of exploitation) : 89.162%
+
+ No CISA KEV data found for CVE CVE-2021-21295
+
+ CVSS v3.1 Base Score: 5.9 (MEDIUM)
+
+         Exploitability Score: 2.2 Impact Score : 3.6
+
+----------------------------------------
+
+ Auditing 2 of 2 CVE-2017-7525 at 10/25/2023, 8:48:11 PM
 
- Auditing CVE-2023-20273 at 10/25/2023, 5:55:24 PM
 
+ EPSS score (probability of exploitation) : 69.982%
 
- EPSS score is : 0.01182 (0.83503%)
+ No CISA KEV data found for CVE CVE-2017-7525
 
- CISA KEV Date Added: 2023-10-23, Due Date: 2023-10-27
+ CVSS v3.1 Base Score: 9.8 (CRITICAL)
 
- CVSS v3.1 Base Score: 7.2 (HIGH)
+         Exploitability Score: 3.9 Impact Score : 5.9
+
+----------------------------------------
+
+ Audit Summary
+
+┌─────────┬──────────────────┬────────────┬─────────────────┬───────────────────┐
+│ (index) │      CVE ID      │ EPSS Score │ CVSS Base Score │ CISA KEV Due Date │
+├─────────┼──────────────────┼────────────┼─────────────────┼───────────────────┤
+│    0    │ 'CVE-2021-21295' │   89.162   │       5.9       │       'N/A'       │
+│    1    │ 'CVE-2017-7525'  │   69.982   │       9.8       │       'N/A'       │
+└─────────┴──────────────────┴────────────┴─────────────────┴───────────────────┘
 
 ```
 
@@ -100,6 +128,16 @@ On first run, the tool will create a folder named .epss in the ${HOME} or "/tmp"
 This folder will contain the raw EPSS Data file and uncompressed CSV file.
 If you would like to choose a different folder, you may set the `EPSS_DATA_FOLDER` environment variable to the desired folder.
 
+## Future Roadmap
+
+- [ ] Download NVD Database and use it for offline mode
+
+## Rate Limits
+
+> NVD API may be rate limited. If you run into any issues, you may try with smaller batches of CVE IDs.
+
+- Use the `--delay` option to add a delay between each CVE audit. This will help avoid rate limiting issues.
+
 ## How to contribute
 
 If you would like to contribute to this project, feel free to fork and create PR if you can.
diff --git a/bin/index.js b/bin/index.js
@@ -96,91 +96,160 @@ async function loadScores(refresh = false) {
 
 // Check CVSS Score in NVD database for the CVE
 async function checkCVSS(cveID) {
-  const response = await fetch(
-    `https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=${cveID}`
-  );
-  const data = await response.json();
-  if (data.totalResults == 0) {
-    return;
-  }
+  try {
+    const response = await fetch(
+      `https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=${cveID}`
+    );
+
+    const data = await response.json();
+    if (data.totalResults == 0) {
+      return;
+    }
 
-  const cvssScoreV31 = data.vulnerabilities[0].cve.metrics.cvssMetricV31;
-  return cvssScoreV31 ? cvssScoreV31[0] : null;
+    const cvssScoreV31 = data.vulnerabilities[0].cve.metrics.cvssMetricV31;
+    return cvssScoreV31 ? cvssScoreV31[0] : null;
+  } catch (err) {
+    console.log(`Error fetching CVSS score for ${cveID}`);
+    console.error(err);
+    return null;
+  }
 }
 
 async function audit(
-  cveID,
+  cveIDStr,
   verbose = false,
   threshold = 0.0,
   failOnPastDue = false,
-  score = 0.0
+  score = 0.0,
+  delay = 0.0
 ) {
   let tabularData = [];
+  let cveIDs = [];
+  let counter = 0;
 
-  const cveRegex = new RegExp(`^CVE-\\d{4}-\\d{4,}$`);
-  if (!cveRegex.test(cveID)) {
-    console.warn(
-      `\n Invalid CVE number ${cveID}. Expecting number as: CVE-YYYY-XXXX.\n`
-    );
-    process.exit(1);
+  let cveAuditFail = false;
+  let epssAuditFail = false;
+  let kevAuditFail = false;
+
+  // If multiple CVEs are provided, audit each one
+  if (cveIDStr.includes(",")) {
+    cveIDs = cveIDStr.split(",").map((cve) => cve.trim());
+  } else {
+    cveIDs.push(cveIDStr.trim());
   }
 
-  const today = new Date();
+  for (const cveID of cveIDs) {
+    const cveRegex = new RegExp(`^CVE-\\d{4}-\\d{4,}$`);
 
-  console.log(`\n Auditing ${cveID} at ${new Date().toLocaleString()} \n`);
+    let epssScore = null;
+    let kevDueDate = null;
+    let cvssScore = null;
+
+    if (!cveRegex.test(cveID)) {
+      console.warn(
+        `\n Invalid CVE number ${cveID}. Expecting number as: CVE-YYYY-XXXX. Skipping.\n`
+      );
+      // continue the loop
+      continue;
+    }
+
+    const today = new Date();
+
+    counter++;
 
-  if (!epssScores[cveID]) {
-    console.log(` No EPSS score found for CVE ${cveID}\n`);
-  } else {
-    const { epss, percentile } = epssScores[cveID];
     console.log(
-      `\n EPSS score (probability of exploitation) : ${+Number(
-        epss * 100.0
-      ).toFixed(3)}% \n`
+      `\n Auditing ${counter} of ${
+        cveIDs.length
+      } ${cveID} at ${new Date().toLocaleString()} \n`
     );
 
-    // If EPSS score is above threshold, fail the audit
-    if (Number(threshold) > 0.0 && parseFloat(epss) > threshold) {
-      console.warn(
-        ` EPSS score is above threshold of ${threshold}. Failing the audit.\n`
+    if (!epssScores[cveID]) {
+      console.log(` No EPSS score found for CVE ${cveID}\n`);
+    } else {
+      const { epss, percentile } = epssScores[cveID];
+
+      epssScore = +Number(epss * 100.0).toFixed(3);
+
+      console.log(
+        `\n EPSS score (probability of exploitation) : ${+Number(
+          epss * 100.0
+        ).toFixed(3)}% \n`
       );
-      process.exit(2);
+
+      // If EPSS score is above threshold, fail the audit
+      if (Number(threshold) > 0.0 && parseFloat(epss) > threshold) {
+        console.warn(
+          ` EPSS score is above threshold of ${threshold}. Failing the audit.\n`
+        );
+        epssAuditFail = true;
+      }
     }
-  }
 
-  if (!kevData[cveID]) {
-    console.log(` No CISA KEV data found for CVE ${cveID}\n`);
-  } else {
-    const { dateAdded, dueDate } = kevData[cveID];
-    console.log(` CISA KEV Date Added: ${dateAdded}, Due Date: ${dueDate}\n`);
+    if (!kevData[cveID]) {
+      console.log(` No CISA KEV data found for CVE ${cveID}\n`);
+    } else {
+      const { dateAdded, dueDate } = kevData[cveID];
+      kevDueDate = dueDate;
 
-    // If CVE is past due date, fail the audit
-    if (failOnPastDue && new Date(dueDate) < today) {
-      console.warn(
-        `\n CVE is past due date of ${dueDate}. Failing the audit.\n`
-      );
-      process.exit(2);
+      console.log(` CISA KEV Date Added: ${dateAdded}, Due Date: ${dueDate}\n`);
+
+      // If CVE is past due date, fail the audit
+      if (failOnPastDue && new Date(dueDate) < today) {
+        console.warn(
+          `\n CVE is past due date of ${dueDate}. Failing the audit.\n`
+        );
+        kevAuditFail = true;
+      }
     }
-  }
 
-  const cvssScoreV31 = await checkCVSS(cveID);
-  if (!cvssScoreV31) {
-    console.log(` No CVSS score found for CVE ${cveID}\n`);
-  } else {
-    const { exploitabilityScore, impactScore } = cvssScoreV31;
-    const { baseScore, baseSeverity } = cvssScoreV31.cvssData;
-    console.log(` CVSS v3.1 Base Score: ${baseScore} (${baseSeverity}) 
+    const cvssScoreV31 = await checkCVSS(cveID);
+    if (!cvssScoreV31) {
+      console.log(` No CVSS score found for CVE ${cveID}\n`);
+    } else {
+      const { exploitabilityScore, impactScore } = cvssScoreV31;
+      const { baseScore, baseSeverity } = cvssScoreV31.cvssData;
+      console.log(` CVSS v3.1 Base Score: ${baseScore} (${baseSeverity}) 
                 \n\t Exploitability Score: ${exploitabilityScore} Impact Score : ${impactScore} \n`);
 
-    // If CVSS score is above threshold, fail the audiat
-    if (Number(score) > 0.0 && parseFloat(baseScore) > score) {
-      console.warn(
-        ` CVSS v3.1 Base Score is above threshold of ${score}. Failing the audit.\n`
-      );
-      process.exit(2);
+      cvssScore = baseScore;
+
+      // If CVSS score is above threshold, fail the audiat
+      if (Number(score) > 0.0 && parseFloat(baseScore) > score) {
+        console.warn(
+          ` CVSS v3.1 Base Score is above threshold of ${score}. Failing the audit.\n`
+        );
+        cveAuditFail = true;
+      }
+    }
+
+    tabularData.push({
+      "CVE ID": cveID,
+      "EPSS Score (%)": epssScore ? epssScore : "N/A",
+      "CVSS Base Score": cvssScore ? cvssScore : "N/A",
+      "CISA KEV Due Date": kevDueDate ? kevDueDate : "N/A",
+    });
+
+    // print a line separator
+    console.log("-".repeat(40));
+
+    // Try adding a delay to avoid rate limiting
+    if (Number(delay) > 0.0 && cveIDs.length > 2 && counter < cveIDs.length) {
+      await new Promise((resolve) => setTimeout(resolve, Number(delay) * 1000));
     }
   }
 
+  if (tabularData.length > 0) {
+    console.log("\n Audit Summary \n");
+    console.table(tabularData);
+  }
+
+  if (cveAuditFail || epssAuditFail || kevAuditFail) {
+    console.warn(
+      `\n Audit failed. Please review the CVEs above and take appropriate action.\n`
+    );
+    process.exit(2);
+  }
+
   process.exit(0);
 }
 
@@ -212,6 +281,12 @@ async function audit(
         type: "number",
         default: 0.0,
       })
+      .option("d", {
+        alias: "delay",
+        describe: "Delay between each CVE audit, in seconds",
+        type: "number",
+        default: 0.0,
+      })
       .help(true).argv;
 
     // If no CVE number is provided, print help
@@ -231,7 +306,8 @@ async function audit(
       options.verbose,
       options.threshold,
       options["fail-on-past-duedate"],
-      options.score
+      options.score,
+      options["delay"]
     );
   } catch (err) {
     console.error(err);
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "cve-risk-scores",
-  "version": "0.0.4",
+  "version": "0.0.5",
   "description": "Check risk scores for CVEs",
   "main": "bin/index.js",
   "bin": {

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "cve-risk-scores",`
`3`		`- "version": "0.0.4",`
	`3`	`+ "version": "0.0.5",`
`4`	`4`	`"description": "Check risk scores for CVEs",`
`5`	`5`	`"main": "bin/index.js",`
`6`	`6`	`"bin": {`