I've addressed this issue, fixed in:
#17

Hello!

After I'm testing your application I was faced with an interesting issue.

I was tried to ask CVE-s for postgresql:postgresql:9.3.10. (with: /v1/cpe_with_version/postgresql:postgresql:9.3.10)

And it return some CVE-s: ["CVE-2016-5423","CVE-2016-5424","CVE-2017-12172","CVE-2017-15098","CVE-2017-7484","CVE-2017-7485","CVE-2017-7486","CVE-2017-7546","CVE-2017-7547"]

These are good, but in the JSON what the program fetched there are more CVE-s for that module, and here you can see the remaining missing CVE-s: cvedetails.com

I chceked the CVE-s and it's looks like, where there is exact version number under: configurations->nodes->{0}(just for example)->cpe_match->{0} cpe23uri the endpoint returns it.
BUT if in this node there is a "versionStartIncluding" : "9.3", "versionEndIncluding" : "11.2" (for example) this CVE is not returned. (CVE-2019-9193) This is false, you can see this on cvedetails.com

In the Mongodb here is an example for the good CVE:
{ "_id" : ObjectId("5e85cfb2aac28c4aa9e6c6de"), "id" : "CVE-2016-5424", "summary" : "PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) \" (double quote), (2) \\ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation.", "cwe" : "CWE-94", "published_at" : ISODate("2016-12-09T23:59:00Z"), "updated_at" : ISODate("2018-01-05T02:31:00Z"), "cvss" : { "access_vector" : "NETWORK", "access_complexity" : "HIGH", "authentication" : "SINGLE", "confidentiality_impact" : "PARTIAL", "integrity_impact" : "PARTIAL", "availability_impact" : "PARTIAL", "base_score" : 4.6, "vector" : "AV:N/AC:H/Au:S/C:P/I:P/A:P" }, "cvssv3" : { "attack_vector" : "NETWORK", "attack_complexity" : "HIGH", "privileges_required" : "LOW", "user_interaction" : "REQUIRED", "scope" : "UNCHANGED", "confidentiality_impact" : "HIGH", "integrity_impact" : "HIGH", "availability_impact" : "HIGH", "base_score" : 7.1, "base_severity" : "HIGH", "vector" : "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H" }, "references" : [ { "href" : "http://rhn.redhat.com/errata/RHSA-2016-1781.html" }, { "href" : "http://rhn.redhat.com/errata/RHSA-2016-1820.html" }, { "href" : "http://rhn.redhat.com/errata/RHSA-2016-1821.html" }, { "href" : "http://rhn.redhat.com/errata/RHSA-2016-2606.html" }, { "href" : "http://www.debian.org/security/2016/dsa-3646" }, { "href" : "http://www.securityfocus.com/bid/92435" }, { "href" : "http://www.securitytracker.com/id/1036617" }, { "href" : "https://access.redhat.com/errata/RHSA-2017:2425" }, { "href" : "https://security.gentoo.org/glsa/201701-33" }, { "href" : "https://www.postgresql.org/about/news/1688/" }, { "href" : "https://www.postgresql.org/docs/current/static/release-9-1-23.html" }, { "href" : "https://www.postgresql.org/docs/current/static/release-9-2-18.html" }, { "href" : "https://www.postgresql.org/docs/current/static/release-9-3-14.html" }, { "href" : "https://www.postgresql.org/docs/current/static/release-9-4-9.html" }, { "href" : "https://www.postgresql.org/docs/current/static/release-9-5-4.html" } ], "cpes_affected" : [ ], "cpes" : [ "debian:debian_linux", "postgresql:postgresql" ], "cpes_with_version" : [ "debian:debian_linux:8.0", "postgresql:postgresql", "postgresql:postgresql:9.2", "postgresql:postgresql:9.2.1", "postgresql:postgresql:9.2.2", "postgresql:postgresql:9.2.3", "postgresql:postgresql:9.2.4", "postgresql:postgresql:9.2.5", "postgresql:postgresql:9.2.6", "postgresql:postgresql:9.2.7", "postgresql:postgresql:9.2.8", "postgresql:postgresql:9.2.9", "postgresql:postgresql:9.2.10", "postgresql:postgresql:9.2.11", "postgresql:postgresql:9.2.12", "postgresql:postgresql:9.2.13", "postgresql:postgresql:9.2.14", "postgresql:postgresql:9.2.15", "postgresql:postgresql:9.2.16", "postgresql:postgresql:9.2.17", "postgresql:postgresql:9.3", "postgresql:postgresql:9.3.1", "postgresql:postgresql:9.3.2", "postgresql:postgresql:9.3.3", "postgresql:postgresql:9.3.4", "postgresql:postgresql:9.3.5", "postgresql:postgresql:9.3.6", "postgresql:postgresql:9.3.7", "postgresql:postgresql:9.3.8", "postgresql:postgresql:9.3.9", "postgresql:postgresql:9.3.10", "postgresql:postgresql:9.3.11", "postgresql:postgresql:9.3.12", "postgresql:postgresql:9.3.13", "postgresql:postgresql:9.4", "postgresql:postgresql:9.4.1", "postgresql:postgresql:9.4.2", "postgresql:postgresql:9.4.3", "postgresql:postgresql:9.4.4", "postgresql:postgresql:9.4.5", "postgresql:postgresql:9.4.6", "postgresql:postgresql:9.4.7", "postgresql:postgresql:9.4.8", "postgresql:postgresql:9.5", "postgresql:postgresql:9.5.1", "postgresql:postgresql:9.5.2", "postgresql:postgresql:9.5.3" ] }

And for the bad one:
{ "_id" : ObjectId("5e85cfb2aac28c4aa9e6cc56"), "id" : "CVE-2016-7048", "summary" : "The interactive installer in PostgreSQL before 9.3.15, 9.4.x before 9.4.10, and 9.5.x before 9.5.5 might allow remote attackers to execute arbitrary code by leveraging use of HTTP to download software.", "cwe" : "CWE-284", "published_at" : ISODate("2018-08-20T21:29:00Z"), "updated_at" : ISODate("2018-10-12T20:12:00Z"), "cvss" : { "access_vector" : "NETWORK", "access_complexity" : "MEDIUM", "authentication" : "NONE", "confidentiality_impact" : "COMPLETE", "integrity_impact" : "COMPLETE", "availability_impact" : "COMPLETE", "base_score" : 9.3, "vector" : "AV:N/AC:M/Au:N/C:C/I:C/A:C" }, "cvssv3" : { "attack_vector" : "NETWORK", "attack_complexity" : "HIGH", "privileges_required" : "NONE", "user_interaction" : "NONE", "scope" : "UNCHANGED", "confidentiality_impact" : "HIGH", "integrity_impact" : "HIGH", "availability_impact" : "HIGH", "base_score" : 8.1, "base_severity" : "HIGH", "vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "references" : [ { "href" : "https://bugzilla.redhat.com/show_bug.cgi?id=1378043" }, { "href" : "https://www.postgresql.org/support/security/" } ], "cpes_affected" : [ ], "cpes" : [ "postgresql:postgresql" ], "cpes_with_version" : [ "postgresql:postgresql" ] }

Could you fix that problem? So the server should watch for this versionStartIncluding and versionEndIncluding numbers.

Thank you!

When doing a request to http://localhost:9292/v1/cves/CVE-2018-5744 I get multiple CVEs:

Hi, nice work.
I am setting up this server, I am getting this error, meanwhile server itself working when I check with CVE.

Uncompressing /root/cve_server/lib/cve_server/../../nvd_data/nvdcve-2002.xml.gz
Exporting data into the CVE collection
/usr/local/rvm/gems/ruby-2.3.0/gems/nokogiri-1.6.7.2/lib/nokogiri/xml/searchable.rb:165:in evaluate': Undefined namespace prefix: .//vuln:summary (Nokogiri::XML::XPath::SyntaxError) from /usr/local/rvm/gems/ruby-2.3.0/gems/nokogiri-1.6.7.2/lib/nokogiri/xml/searchable.rb:165:in block in xpath'
from /usr/local/rvm/gems/ruby-2.3.0/gems/nokogiri-1.6.7.2/lib/nokogiri/xml/searchable.rb:156:in map' from /usr/local/rvm/gems/ruby-2.3.0/gems/nokogiri-1.6.7.2/lib/nokogiri/xml/searchable.rb:156:in xpath'
from /root/cve_server/lib/cve_server/nvd/entry.rb:30:in xpath_content' from /root/cve_server/lib/cve_server/nvd/entry.rb:16:in to_hash'
from /root/cve_server/lib/cve_server/nvd/reader.rb:17:in block in all_cve' from /usr/local/rvm/gems/ruby-2.3.0/gems/nokogiri-1.6.7.2/lib/nokogiri/xml/node_set.rb:187:in block in each'
from /usr/local/rvm/gems/ruby-2.3.0/gems/nokogiri-1.6.7.2/lib/nokogiri/xml/node_set.rb:186:in upto' from /usr/local/rvm/gems/ruby-2.3.0/gems/nokogiri-1.6.7.2/lib/nokogiri/xml/node_set.rb:186:in each'
from /root/cve_server/lib/cve_server/nvd/reader.rb:16:in collect' from /root/cve_server/lib/cve_server/nvd/reader.rb:16:in all_cve'
from ./bin/seed:18:in block in <main>' from ./bin/seed:13:in each'
from ./bin/seed:13:in `

• Version 3.4.0 (ruby 2.3.0-p0), codename: Owl Bowl Brawl
• Min threads: 0, max threads: 16
• Environment: production
• Daemonizing...

Thanks in advance

I think we can really drive adoption and interest in the CVE server project if we simply provide a ready-made VM with the CVE server installed. Alternatively, what if you could provide an installation/setup script that made it dirt simple for someone to take a vanilla Ubuntu build and "curl path | bash" for a guided install.

I think this is the one missing link to getting people really excited about using this internally.

I'm also willing to help if you guys haven't already started pursuing this or have interest in doing it yourselves.

HUGS

Creating this because I noticed all the default URLs are HTTP, which could be MiTM'd.

Maybe cve_server could be adapted to support LetsEncrypt using something like this:

https://github.com/unixcharles/acme-client

By default maybe it could serve a self-signed certificate as a fall-back, but there could be a STDERR/STDOUT nag upon invocation for setting the users specific LetsEncrypt API key.

References:

https://nvd.nist.gov/vuln/data-feeds#JSON_FEED

It also could be good idea to add the CVSS 3 attributes and support for new CVE-ID format.

There are vulnerabilities for the following gems:

• nokogiri (CVE-2017-9050)
• sinatra (CVE-2018-7212)

Update those gems to more recent versions

There are several gems based on Capistrano, it is good idea to find a better way to implement a easy deployment.

There are ruby gems that are not compatible with 2.4.1, we must update them.

CWEs are clubbed as a string.

For example, for CVE-2016-2107, we get:

"id": "CVE-2016-2107",
...
"cwe": "CWE-310CWE-200",
...

Anyhow, the correct result might be something like:

    "id": "CVE-2016-2107",
...
    "cwe": [
      "CWE-310",
      "CWE-200"
    ],

The reason this is happening is the join in https://github.com/SpiderLabs/cve_server/blob/master/lib/cve_server/nvd/json/entry.rb#L45

The NVD was recently updated and the URL to get the XML files is:

https://nvd.nist.gov/download.cfm'

https://github.com/SpiderLabs/cve_server/blob/master/scripts/install.sh#L122

these arguments should be properly escaped

proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

when this is echoed to the user, the variables are empty, so the copy/paste does not work

A call to http://IP/v1/cpes_affected/ returns []

A call to http://IP/v1/cpes_affected/some_cpe returns {"error":"not-found"}

travis ci is pretty handy for public projects like this, just add a .travis file and have an org admin enable it on the repo. This will mean that new PRs will automatically be run against the unit-tests and will report in the PR request.

This would make the deployment of a CVE server so much easier to do.

Let me know if you want help or suggestions there, I know for a fact if it were dockerized I could make use of this tomorrow

When the node.xpath(path)[0] object is nil there is no way to invoke to the content method.