cve-research
CVE Research Skill
Overview
Research known vulnerabilities for project dependencies using multiple sources.
Data Sources
| Source | API | Coverage |
|---|---|---|
| NVD | services.nvd.nist.gov/rest/json/cves/2.0 | All CVEs, with numeric CVSS base scores once NVD has analysed them |
| OSV.dev | api.osv.dev (/v1/query, /v1/querybatch, /v1/vulns/{id}) | npm, PyPI, Go, crates.io, Maven and other ecosystems; matches on exact package versions |
| GitHub Advisory | github.com/advisories (REST: api.github.com/advisories) | npm, pip, composer, cargo and others; GHSA ids alias the corresponding CVEs |
| Exa Search | Via MCP | Real-time web search for advisories not yet in the databases |
Workflow
- Extract: pull the dependency list from the project manifest (package.json, etc.); use the lockfile's resolved versions when one exists, because advisories match exact versions, not semver ranges
- Query: ask each source for known CVEs affecting those package/version pairs
- Cross-reference: reconcile findings across sources (an OSV or GHSA id and a CVE id frequently describe the same issue)
- Prioritize: rank by CVSS base score and evidence of exploitability (public exploit, reports of active exploitation)
- Report: give the fix version and any workaround for each finding
Query Strategy
For each dependency:
- Search OSV.dev first (fastest, and the most accurate for packages because it matches on the exact version you query)
- Cross-check NVD for CVSS scoring (OSV records usually carry the CVSS vector string; NVD supplies the numeric base score, and a CVE NVD has not scored yet must be treated as unknown, not as zero)
- Use Exa for recent advisories not yet in the databases
- Check GitHub Advisory for maintainer responses and patch status
Severity Mapping
| CVSS base score | Severity | Action |
|---|---|---|
| 9.0 - 10.0 | CRITICAL | Fix immediately |
| 7.0 - 8.9 | HIGH | Fix before merge |
| 4.0 - 6.9 | MEDIUM | Plan fix |
| 0.1 - 3.9 | LOW | Document |
The bands follow the CVSS v3.x qualitative severity ratings. A base score of 0.0 (None) and findings that NVD has not scored yet fall outside the table; triage those manually rather than filing them as LOW.
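As an added example (not the skill's own code and not part of the original page), the workflow and query strategy above carried through offline in Python for an npm project: extract dependencies from package.json, build the OSV.dev querybatch request, read fix versions and CVE aliases from the OSV record, take the numeric CVSS base score from the NVD record, and map it to the severity table. The package.json, the OSV replies and the NVD reply are constructed stand-ins with fictional package names (acme-*) and placeholder ids (GHSA-0000-0000-0000, CVE-0000-00000); their shape follows the public OSV and NVD 2.0 API schemas, and nothing here touches the network.

```python
"""Offline walk-through of the workflow above for an npm project. Added
example: the package.json, OSV replies and NVD reply are constructed stand-ins
(fictional packages, placeholder advisory ids) shaped like the real API
responses; nothing here touches the network."""
import json
import re

# Constructed sample package.json (fictional packages).
PACKAGE_JSON = json.dumps({"dependencies": {"acme-parser": "^1.2.0", "acme-router": "3.0.1"},
                           "devDependencies": {"acme-test": "~2.4.0"}})

def extract_dependencies(package_json_text):
    """{name: version} from dependencies and devDependencies. The range prefix
    (^, ~, >=) is dropped and the floor of the range queried; prefer the
    lockfile's resolved versions when one exists, since OSV matches exact versions."""
    data = json.loads(package_json_text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            m = re.search(r"\d+\.\d+\.\d+", spec)
            if m:
                deps[name] = m.group(0)
    return deps

def osv_querybatch_payload(deps, ecosystem="npm"):
    """Body for POST https://api.osv.dev/v1/querybatch; queries are sorted so the
    reply's results[] line up with sorted(deps)."""
    return {"queries": [{"package": {"name": n, "ecosystem": ecosystem}, "version": v}
                        for n, v in sorted(deps.items())]}

def fix_versions(osv_record):
    """'fixed' events in affected[].ranges[] of a GET /v1/vulns/{id} record."""
    return [ev["fixed"] for aff in osv_record.get("affected", []) for rng in aff.get("ranges", [])
            for ev in rng.get("events", []) if "fixed" in ev]

def cve_aliases(osv_record):
    """OSV ids are often GHSA-...; the CVE id in aliases[] is the key for NVD."""
    return [a for a in osv_record.get("aliases", []) if a.startswith("CVE-")]

def nvd_base_score(nvd_reply):
    """Highest CVSS base score in a reply from
    services.nvd.nist.gov/rest/json/cves/2.0?cveId=..., preferring v3.1, then v3.0,
    then v2. None when NVD has not scored the CVE yet: treat as unknown, not 0."""
    best = None
    for item in nvd_reply.get("vulnerabilities", []):
        metrics = item.get("cve", {}).get("metrics", {})
        for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
            entries = metrics.get(key, [])
            if entries:  # NIST primary and CNA entries may both be present
                score = max(m["cvssData"]["baseScore"] for m in entries)
                best = score if best is None else max(best, score)
                break
    return best

SEVERITY_TABLE = [(9.0, "CRITICAL", "Fix immediately"), (7.0, "HIGH", "Fix before merge"),
                  (4.0, "MEDIUM", "Plan fix"), (0.1, "LOW", "Document")]

def classify(score):
    """(severity, action) per the table above; unscored findings get manual triage."""
    if score is None:
        return ("UNSCORED", "Triage manually")
    for floor, label, action in SEVERITY_TABLE:
        if score >= floor:
            return (label, action)
    return ("NONE", "No action")

def report(deps, querybatch_reply, osv_records, nvd_replies):
    """Join the sources: deps -> OSV ids -> OSV record -> NVD score -> action.
    osv_records: OSV id -> /v1/vulns record; nvd_replies: CVE id -> NVD reply."""
    rows = []
    for name, result in zip(sorted(deps), querybatch_reply["results"]):
        for hit in result.get("vulns", []):
            rec = osv_records[hit["id"]]
            cves = cve_aliases(rec)
            scores = [s for s in (nvd_base_score(nvd_replies.get(c, {})) for c in cves) if s is not None]
            score = max(scores) if scores else None
            severity, action = classify(score)
            rows.append({"package": name, "version": deps[name], "id": hit["id"], "cves": cves,
                         "score": score, "severity": severity, "action": action,
                         "fixed_in": fix_versions(rec)})
    rows.sort(key=lambda r: -(r["score"] or 0))  # highest risk first
    return rows

# Constructed replies: one OSV hit for acme-parser, nothing for the other two packages.
OSV_QUERYBATCH_REPLY = {"results": [{"vulns": [{"id": "GHSA-0000-0000-0000"}]}, {}, {}]}
OSV_RECORDS = {"GHSA-0000-0000-0000": {
    "id": "GHSA-0000-0000-0000", "aliases": ["CVE-0000-00000"],
    "affected": [{"package": {"ecosystem": "npm", "name": "acme-parser"},
                  "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.2.5"}]}]}],
    "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}]}}
NVD_REPLIES = {"CVE-0000-00000": {"vulnerabilities": [{"cve": {"id": "CVE-0000-00000",
    "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.3, "baseSeverity": "HIGH"}}]}}}]}}

if __name__ == "__main__":
    deps = extract_dependencies(PACKAGE_JSON)
    print(json.dumps(osv_querybatch_payload(deps)))
    for r in report(deps, OSV_QUERYBATCH_REPLY, OSV_RECORDS, NVD_REPLIES):
        print(f"{r['severity']:8} {r['package']}@{r['version']} {r['id']} {r['cves']} "
              f"score={r['score']} fixed_in={r['fixed_in']} -> {r['action']}")
```

To run it against live data, POST the payload from osv_querybatch_payload to api.osv.dev/v1/querybatch, fetch each returned id from /v1/vulns/{id}, and query NVD by each CVE alias; the parsing and classification stay the same. The constructed vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L evaluates to 7.3, which is why the NVD stand-in carries that score and the finding lands in HIGH.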
References
- CVE APIs Reference
- Query Templates