NVDBuddy

NVDBuddy is a command-line tool designed to streamline the process of searching, analyzing and reporting on vulnerabilities in software. It leverages the NVD API to search for vulnerabilities given a CPE string.
Motivation
As a security researcher and penetration tester, I found myself googling for CVEs and copying and pasting a lot of CVE data and descriptions into reports. NVDBuddy seeks to solve this issue by providing a command-line interface that can grab CVEs affecting certain software versions. The result is a tool that I use daily to streamline my reporting workflow.
Features
NVDBuddy offers a comprehensive set of features for vulnerability research:
- CVE Search: Query the NVD API by CVE or CPE and return relevant data such as descriptions and CVSS scores.
- Dynamic CPE generation: NVDBuddy assembles valid CPE strings for the specified software from the criteria supplied.
- HTML Formatting: Found CVE data is formatted into a neat HTML table, which can simply be pasted into reports.
- Caching: Previous query results are cached to the local system to avoid unnecessary API calls.
- API Keys: Support for NVD API keys is available, which allows for higher volumes of API calls.
NVDBuddy is developed in Python, with careful attention to performance optimization for handling large volumes of vulnerability data. This project helped me learn more about the NVD API, CPE strings and parsing JSON data for useful information.
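An added example (not NVDBuddy's own code) of the CPE assembly, JSON parsing and HTML formatting steps listed above, run offline against a constructed response shaped like an NVD CVE API 2.0 body. The function names, the sample CVE IDs and the space-to-underscore rule are assumptions; descriptions are HTML-escaped because they are third-party text headed for a report.

```python
import html
import json

# Constructed sample shaped like an NVD CVE API 2.0 response body (not real CVE data).
SAMPLE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001",
             "descriptions": [{"lang": "en", "value": "Overflow in <b>parser</b> & loader."}],
             "metrics": {"cvssMetricV31": [
                 {"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
    {"cve": {"id": "CVE-0000-0002",  # entry that has not been scored yet
             "descriptions": [{"lang": "en", "value": "Information disclosure."}],
             "metrics": {}}},
]})

def build_cpe(part, vendor, product, version=None):
    """Assemble a CPE 2.3 formatted string; unspecified attributes become '*'."""
    def bind(value):
        if value is None:
            return "*"
        value = value.lower().replace(" ", "_")  # assumption: spaces map to '_'
        # Backslash-escape everything except alphanumerics, '_', '.' and '-'.
        return "".join(c if c.isalnum() or c in "_.-" else "\\" + c for c in value)
    return ":".join(["cpe", "2.3", part, bind(vendor), bind(product), bind(version)] + ["*"] * 7)

def extract_rows(body):
    """Return (id, score, severity, description) tuples from an API 2.0 body."""
    rows = []
    for item in json.loads(body).get("vulnerabilities", []):
        cve = item["cve"]
        desc = next((d["value"] for d in cve.get("descriptions", [])
                     if d.get("lang") == "en"), "")
        score, severity = "N/A", "N/A"
        for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
            metric = (cve.get("metrics", {}).get(key) or [None])[0]
            if metric:  # first CVSS version present wins: v3.1, v3.0, then v2
                score = f"{metric['cvssData']['baseScore']:.1f}"
                severity = metric["cvssData"].get("baseSeverity", "N/A")
                break
        rows.append((cve["id"], score, severity, desc))
    return rows

def to_html_table(rows):
    """Render rows as an HTML table, escaping every feed-supplied string."""
    head = "<tr><th>CVE</th><th>CVSS</th><th>Severity</th><th>Description</th></tr>"
    body = ["<tr>" + "".join(f"<td>{html.escape(c)}</td>" for c in row) + "</tr>"
            for row in rows]
    return "\n".join(["<table>", head, *body, "</table>"])

if __name__ == "__main__":
    print(build_cpe("a", "Apache", "HTTP Server", "2.4.49"), to_html_table(extract_rows(SAMPLE)), sep="\n")
```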
Example Usage
Conclusion
NVDBuddy exemplifies how targeted tools can significantly improve security workflows. By streamlining access to vulnerability information, it enables security professionals to focus more on analysis and further testing rather than data collection and processing.
This project is open source, and I actively encourage contributions from the security community. Whether you're interested in adding new features, improving documentation, or reporting bugs, your involvement helps make this tool more valuable for everyone.