CVE-in-My-Code is a tool specifically created to fetch the latest CVEs periodically, and extract information about the vulnerable product and its version, and then search for occurrences of these vulnerable components in the organization's GitHub repositories. This tool offers near real-time monitoring of the most up-to-date CVE data and promptly notifies users about actionable CVEs via Slack.

• Automated retrieval and storage of CVE data periodically using nvd API.
• Extract vulnerable components (Product/Framework/Libraries) using mitre API.
• Search for vulnerable components using Github API.
• Slack Notifications for each new actionable CVE entries using slack webhooks.
• Health check mechanism using webhooks.

• Python 3.x is required.
• SQLite database.

1. Clone the repository:

git clone https://github.com/abhiunix/cve-in-my-code
cd cve-in-my-code

2. Install the required dependencies:

pip install -r requirements.txt

3. Set up environment variables:

• Create a .env file in the project directory.
• Define the following variables in the .env file:

  webhook_url=<your_slack_webhook_url>
  health_check_webhook=<your_health_check_webhook_url>
  github_token=<your-personal github token>
  

Run the script manually for the initial setup:

python3 timestamp.py
python3 cve-in-my-code.py

• Open the crontab file:

  crontab -e
  

• Add the following line to run the script every 5 minutes:

  */5 * * * * /usr/bin/python3 /path/to/cve-in-my-code.py
  

• Save and exit the crontab file.

Contributions to CVE-in-My-Code are welcome! Please fork the repository, make your enhancements, and submit a pull request.

• Parse the description of the vulnerabilities and extract framework/Library/Software name and vulnerable version.
• Search for the extracted library and version in organizations codebase using github/bitbucket APIs.
• Actionable alerts on slack if any vulnerable library/framework found in code base.
• Add other CVE databases.
• Search feature for Bitbucket, GitLabs.