Scroll to navigation

Net::CVE(3pm) User Contributed Perl Documentation Net::CVE(3pm)

NAME

Net::CVE - Fetch CVE (Common Vulnerabilities and Exposures) information from cve.org

SYNOPSIS

 use Net::CVE;
 my $cr = Net::CVE->new ();
 $cr->get ("CVE-2022-26928");
 my $full_report = $cr->data;
 my $summary     = $cr->summary;
 $cr->diag;
 use Data::Peek;
 DDumper $cr->summary ("CVE-2022-26928");

DESCRIPTION

This module provides a Perl interface to retrieve information from the CVE database <https://www.cve.org/Downloads> provided by <https://cve.org> based on a CVE tag.

METHODS

new

 my $reporter = CVE->new (
     url  => "https://cveawg.mitre.org/api/cve",
     ua   => undef,
     lang => "en",
     );

Instantiates a new object. All attributes are optional.

Base url for REST API
User agent. Needs to know about "->get". Defaults to HTTP::Tiny. Initialized on first use. 

 my $reporter = CVE->new (ua => HTTP::Tiny->new);

Other agents not yet tested, so they might fail.

Set preferred language for "summary". Defaults to "en".

If the preferred language is present in descriptions use that. If it is not, use "en". If that is also not present, use the first language found.

get

 $reporter->get ("CVE-2022-26928");
 $reporter->get ("2022-26928");
 $reporter->get ("Files/CVE-2022-26928.json");

Fetches the CVE data for a given tag. On success stores the results internally. Returns the object. The leading "CVE-" is optional.

If the argument is a non-empty file, that is parsed instead of fetching the information from the internet.

The decoded information is stored internally and will be re-used for other methods.

"get" returns the object and allows to omit a call to "new" which will be implicit but does not allow attributes

 my $reporter = Net::CVE->get ("2022-26928");

is a shortcut to

 my $reporter = Net::CVE->new->get ("2022-26928");

data

 my $info = $reporter->data;

Returns the data structure from the last successful fetch, "undef" if none.

Giving an argument enables you to skip the "get" call, which is implicit, so

 my $info = $reporter->data ("CVE-2022-26928");

is identical to

 my $info = $reporter->get ("CVE-2022-26928")->data;

or

 $reporter->get ("CVE-2022-26928");
 my $info = $reporter->data;

or even, without an object

 my $info = Net::CVE->data ("CVE-2022-26928");

summary

 my $info = $reporter->summary;
 my $info = $reporter->summary ("CVE-2022-26928");

Returns a hashref with basic information from the last successful fetch, "undef" if none.

Giving an argument enables you to skip the "get" call, which is implicit, so

 my $info = $reporter->summary ("CVE-2022-26928");

is identical to

 my $info = $reporter->get ("CVE-2022-26928")->summary;

or

 $reporter->get ("CVE-2022-26928");
 my $info = $reporter->summary;

or even, without an object

 my $info = Net::CVE->summary ("CVE-2022-26928");

The returned hash looks somewhat like this

 { date        => "2022-09-13T18:41:25",
   description => "Windows Photo Import API Elevation of Privilege Vulnerability",
   id          => "CVE-2022-26928",
   problem     => "Elevation of Privilege",
   score       => "7",
   severity    => "high",
   status       => "PUBLISHED",
   vendor      => [ "Microsoft" ]
   platforms   => [ "32-bit Systems",
       "ARM64-based Systems",
       "x64-based Systems",
       ],
   product     => [
       "Windows 10 Version 1507",
       "Windows 10 Version 1607",
       "Windows 10 Version 1809",
       "Windows 10 Version 20H2",
       "Windows 10 Version 21H1",
       "Windows 10 Version 21H2",
       "Windows 11 version 21H2",
       "Windows Server 2016",
       "Windows Server 2019",
       "Windows Server 2022",
       ],
   }

As this is work in progress, likely to be changed

status

 my $status = $reporter->status;

Returns the status of the CVE, most likely "PUBLISHED".

vendor

 my @vendor  = $reporter->vendor;
 my $vendors = $reporter->vendor;

Returns the list of vendors for the affected parts of the CVE. In scalar context a string where the (sorted) list of unique vendors is joined by ", " in list context the (sorted) list itself.

product

 my @product  = $reporter->product;
 my $products = $reporter->product;

Returns the list of products for the affected parts of the CVE. In scalar context a string where the (sorted) list of unique products is joined by ", " in list context the (sorted) list itself.

platforms

 my @platform  = $reporter->platforms;
 my $platforms = $reporter->platforms;

Returns the list of platforms for the affected parts of the CVE. In scalar context a string where the (sorted) list of unique platforms is joined by ", " in list context the (sorted) list itself.

diag

 $reporter->diag;
 my $diag = $reporter->diag;

If an error occurred, returns information about the error. In void context prints the diagnostics using "warn". The diagnostics - if any - will be returned in a hashref with the following fields:

Status code
Failure reason
Tag of where the failure occurred
The URL or filename leading to the failure
Help message

Only the "action" field is guaranteed to be set, all others are optional.

BUGS

None so far

TODO

Obviously
There are none yet
Readme, Changelog, Makefile.PL, ...
Optionally. It does not (yet) provide vendor, product and platforms. It however provides nice search capabilities.
Extend to return results for "RHSA-2023:1791" type vulnerability tags. 

 https://access.redhat.com/errata/RHSA-2023:1791
 https://access.redhat.com/hydra/rest/securitydata/crf/RHSA-2023:1791.json

The CRF API provides the list of CVE's related to this tag:

 my $url = "https://access.redhat.com/hydra/rest/securitydata/crf";
 my $crf = decode_json ($ua->get ("$url/RHSA-2023:1791.json"));
 my @cve = map { $_->{cve} }
           @{$crf->{cvrfdoc}{vulnerability} || []}

Will set @cve to

 qw( CVE-2023-1945  CVE-2023-1999  CVE-2023-29533 CVE-2023-29535
     CVE-2023-29536 CVE-2023-29539 CVE-2023-29541 CVE-2023-29548
     CVE-2023-29550 );

See the API documentation <https://access.redhat.com/documentation/en-us/red_hat_security_data_api/1.0/html-single/red_hat_security_data_api/index>.

SEE ALSO

<https://cve.org> and <https://cve.mitre.org/cve/search_cve_list.html>
Returns OpenSource Vulnerabilities.
<https://www.cvedetails.com/>

AUTHOR

H.Merijn Brand <hmbrand@cpan.org>

COPYRIGHT AND LICENSE

Copyright (C) 2023-2024 H.Merijn Brand

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself. See perlartistic.

This interface uses data from the CVE API but is not endorsed by any of the CVE partners.

DISCLAIMER OF WARRANTY

BECAUSE THIS SOFTWARE IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE SOFTWARE, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE SOFTWARE "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE SOFTWARE IS WITH YOU. SHOULD THE SOFTWARE PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR, OR CORRECTION.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE SOFTWARE AS PERMITTED BY THE ABOVE LICENSE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE SOFTWARE TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

2025-08-29 perl v5.40.1