first commit

Author: mkmurali

.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "npm" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,71 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [master]
+  schedule:
+    - cron: "41 0 * * 4"
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["javascript"]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # queries: security-extended,security-and-quality
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+      #   If the Autobuild fails above, remove it and uncomment the following three lines.
+      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+      # - run: |
+      #   echo "Run, Build Application using script"
+      #   ./location_of_script_within_repo/buildscript.sh
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2

.github/workflows/npm-publish.yml

@@ -0,0 +1,35 @@
+# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
+# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages
+
+name: Node.js Package
+
+on:
+  push:
+    tags-ignore:
+      - "**"
+    branches:
+      - main
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v1
+        with:
+          node-version: 18
+      - run: npm ci
+  #       - run: npm test
+
+  publish-npm:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v1
+        with:
+          node-version: 18
+          registry-url: https://registry.npmjs.org/
+      - run: npm ci
+      - run: npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}

.gitignore

@@ -0,0 +1 @@
+node_modules

LICENSE

@@ -0,0 +1,9 @@
+MIT License
+
+Copyright (c) 2023 Softrams LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,112 @@
+# CVE Risk Scores
+
+Check CVSS v3.1 and EPSS scores for a given CVE ID by querying the NIST NVD API and FIRST EPSS database.
+Also check if the CVE is listed in the CISA Known Exploited Vulnerability (KEV) catalog.
+
+## About CVSS
+
+CVSS stands for Common Vulnerability Scoring System. It is a standardized system for rating the severity of security vulnerabilities in software. The CVSS score is a number between 0 and 10, with a higher score indicating a more severe vulnerability. The CVSS score is calculated using a variety of factors, including the severity of the vulnerability, the availability of exploit code, and the number of known attacks.
+
+See CVSS at [https://www.first.org/cvss](https://www.first.org/cvss).
+
+## About EPSS
+
+EPSS stands for Exploit Prediction Scoring System. It is a machine learning-based model that predicts the likelihood of a software vulnerability being exploited in the wild. The EPSS score is a number between 0 and 1, with a higher score indicating a higher likelihood of exploitation. The EPSS score is calculated using a variety of factors, including the severity of the vulnerability, the availability of exploit code, and the number of known attacks.
+
+See EPSS at [https://www.first.org/epss](https://www.first.org/epss).
+
+## About CISA Known Exploited Vulnerability (KEV) catalog
+
+> For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild: the Known Exploited Vulnerability (KEV) catalog. CISA strongly recommends all organizations review and monitor the KEV catalog and prioritize remediation of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors. All federal civilian executive branch (FCEB) agencies are required to remediate vulnerabilities in the KEV catalog within prescribed timeframes.
+
+See CISA KEV Catalog at [https://www.cisa.gov/known-exploited-vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities).
+
+## Usage
+
+### Usage via npx
+
+```bash
+## Run the tool in the project directory
+npx cve-risk-scores@latest
+```
+
+### Usage via global install option
+
+```bash
+## Install the tool globally
+npm install -g cve-risk-scores@latest
+
+## Run the tool in the project directory
+cve-risk-scores CVE-YYYY-XXXXX
+```
+
+### Options
+
+```bash
+Usage: cve-risk-scores [-v|--verbose] [-r|--refresh] [-f|--fail-on-past-duedate] [-t|--threshold] [-s|--score]
+
+Options:
+      --version               Show version number                      [boolean]
+  -v, --verbose               Verbose output
+  -r, --refresh               Refresh EPSS scores
+  -f, --fail-on-past-duedate  Fail on past CISA KVE due date
+  -t, --threshold             EPSS score threshold to fail the audit
+                                                           [number] [default: 0]
+  -s, --score                 CVSS score threshold to fail the audit
+                                                           [number] [default: 0]
+      --help                  Show help                                [boolean]
+
+```
+
+### Exit Codes
+
+For use in CI pipelines and automation tools, the tool will exit with the following exit codes:
+
+- 0: Ran successfully and no vulnerabilities found
+- 1: Failed to run due to errors or other configuration issues
+- 2: Ran successfully and vulnerabilities found that
+  - exceeded the EPSS Score threshold (default: 0.0, means all vulnerabilities are reported) or
+  - exceeded the CVSS Score threshold (default: 0.0, means all vulnerabilities are reported) or
+  - are past the CISA KEV due date (default: false, means all vulnerabilities are reported)
+
+You may use one or more of the following options to fail the audit:
+
+- `--fail-on-past-duedate` option to fail the audit if any of the vulnerabilities are past the CISA KEV due date or
+- set the `--threshold` option to a value of your choice greater than 0.0 to fail the audit if EPSS Score exceeds threshold or
+- set the `--score` option to value of your choice greater than 0.0 to fail the audit if CVSS Score is greater than the threshold.
+
+Audit will fail if any of these conditions are met.
+
+### Example output
+
+```bash
+# Run with default options
+cve-risk-scores CVE-2023-20273
+
+ Auditing CVE-2023-20273 at 10/25/2023, 5:55:24 PM
+
+
+ EPSS score is : 0.01182 (0.83503%)
+
+ CISA KEV Date Added: 2023-10-23, Due Date: 2023-10-27
+
+ CVSS v3.1 Base Score: 7.2 (HIGH)
+
+```
+
+### Configuration Options
+
+On first run, the tool will create a folder named .epss in the ${HOME} or "/tmp" folder.
+This folder will contain the raw EPSS Data file and uncompressed CSV file.
+If you would like to choose a different folder, you may set the `EPSS_DATA_FOLDER` environment variable to the desired folder.
+
+## How to contribute
+
+If you would like to contribute to this project, feel free to fork and create PR if you can.
+Otherwise, create an issue with your thoughts and ideas.
+
+## References
+
+- [EPSS](https://www.first.org/epss/data_stats)
+- [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities)
+- [CVSS](https://www.first.org/cvss)