Currently, there are no programmatic methods to query the NIST National Vulnerability Database (NVD) without downloading the entire database in XML format, parsing the content, loading the resulting data into a self-hosted database, and then developing an interface for querying the content. This tool takes advantage of the fact that NVD provides an interactive query form on its website, and extends it to allow programmatic queries that generate vulnerability reports.

This command-line utility queries the NVD by making HTTPS GET requests. The tool queries the local system for software package names and versions in the form of a Common Platform Enumeration (CPE), queries the NVD, and returns a list of Common Vulnerabilities and Exposures (CVEs) — vulnerabilities associated with the software.
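The package-to-CPE-to-CVE flow described above, as an added example that is not the tool's own code. It assumes the NVD CVE API 2.0 endpoint and its JSON response shape as the query target, since the page does not give the web form's parameters; the function names, the sample package, and the CVE ids are constructed for illustration.

```python
import json
import re
from urllib.parse import urlencode

# Assumption: NVD CVE API 2.0 endpoint, not the web form the tool drives.
NVD_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"

def cpe_escape(value):
    """Normalise one CPE 2.3 component and backslash-escape punctuation."""
    value = value.strip().lower().replace(" ", "_")
    if not value:
        raise ValueError("empty CPE component")
    # Letters, digits, '.', '_' and '-' are written unescaped in a CPE 2.3 string.
    return re.sub(r"([^a-z0-9._\-])", r"\\\1", value)

def build_cpe(vendor, product, version):
    """Return a CPE 2.3 formatted string for an application ('a') entry."""
    fields = [cpe_escape(f) for f in (vendor, product, version)]
    # The seven remaining attributes (update .. other) are left as ANY ('*').
    return "cpe:2.3:a:" + ":".join(fields) + ":*" * 7

def query_url(cpe_name):
    """Build the HTTPS GET URL; urlencode percent-encodes ':', '*' and '\\'."""
    return NVD_URL + "?" + urlencode({"cpeName": cpe_name})

def cve_ids(response_text):
    """Extract sorted, de-duplicated CVE ids from an API 2.0 JSON body."""
    data = json.loads(response_text)
    return sorted({v["cve"]["id"] for v in data.get("vulnerabilities", [])})

def report(packages, fetch):
    """Map each package's CPE to its CVE ids; fetch(url) returns body text."""
    out = {}
    for vendor, product, version in packages:
        cpe = build_cpe(vendor, product, version)
        out[cpe] = cve_ids(fetch(query_url(cpe)))
    return out

# Constructed sample input and response so the example runs offline.
SAMPLE_PACKAGES = [("ExampleVendor", "Example Lib++", "1.2.3")]
SAMPLE_RESPONSE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0002"}}, {"cve": {"id": "CVE-0000-0001"}}]})

def offline_fetch(url):
    """Stand-in for an HTTPS GET; returns the constructed response."""
    return SAMPLE_RESPONSE

if __name__ == "__main__":
    for cpe, ids in report(SAMPLE_PACKAGES, offline_fetch).items():
        print(cpe, ids)
```

To query the live service, pass a `fetch` callable that performs the HTTPS GET and returns the response body as text.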

There are other tools that scan computing systems for third-party software, query their own databases built using sources that may include the NVD, and export vulnerability information. However, there are no known tools that perform only the query functionality, which is what this tool provides.

The software will benefit the information security community as this tool can be used to reduce time spent performing manual, one-at-a-time, user-invoked lookups on the NVD website.

This work was done by Christopher J. Dorros of Caltech for NASA’s Jet Propulsion Laboratory.

This software is available for commercial licensing. Please contact Dan Broderick. Refer to NPO-49554.