Loading...

Back to Details

cve-research

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

CVE Research Skill

CVE研究技能

Overview

概述

Research known vulnerabilities for project dependencies using multiple sources.

使用多个来源研究项目依赖项的已知漏洞。

Data Sources

数据源

Source	API	Coverage
NVD	nvd.nist.gov/vuln/api	All CVEs
OSV.dev	api.osv.dev	npm, PyPI, Go, crates, Maven
GitHub Advisory	github.com/advisories	npm, pip, composer, cargo
Exa Search	Via MCP	Real-time web search

数据源	API地址	覆盖范围
NVD	nvd.nist.gov/vuln/api	所有CVE
OSV.dev	api.osv.dev	npm、PyPI、Go、crates、Maven
GitHub安全公告	github.com/advisories	npm、pip、composer、cargo
Exa搜索	通过MCP	实时网页搜索

Workflow

工作流程

Extract dependencies from project (package.json, etc.)
Query each source for known CVEs
Cross-reference findings across sources
Prioritize by CVSS score and exploitability
Report with fix versions and workarounds

提取从项目中提取依赖项（如package.json等）
查询针对每个来源查询已知CVE
交叉引用 跨来源交叉验证发现的漏洞
优先级排序 根据CVSS评分和可利用性排序
报告包含修复版本和临时解决方案

Query Strategy

查询策略

For each dependency:

Search OSV.dev first (fastest, most accurate for packages)
Cross-check NVD for CVSS scoring
Use Exa for recent advisories not yet in databases
Check GitHub Advisory for maintainer responses

针对每个依赖项：

首先搜索OSV.dev（速度最快，对包的准确性最高）
交叉检查NVD获取CVSS评分
使用Exa查找数据库中尚未收录的最新公告
查看GitHub安全公告获取维护者的回应

Severity Mapping

严重程度映射

CVSS Score	Severity	Action
9.0 - 10.0	CRITICAL	Fix immediately
7.0 - 8.9	HIGH	Fix before merge
4.0 - 6.9	MEDIUM	Plan fix
0.1 - 3.9	LOW	Document

CVSS评分	严重程度	处理措施
9.0 - 10.0	CRITICAL	立即修复
7.0 - 8.9	HIGH	合并前修复
4.0 - 6.9	MEDIUM	计划修复
0.1 - 3.9	LOW	记录文档

References

参考资料

CVE APIs Reference
Query Templates

CVE API参考文档
查询模板