Skip to content
Shodan Book

CVEDB

The cvedb dataset is a SQLite database containing vulnerability information from NVD that powers both the vulnerability enrichment for the banners-daily/ banners-hourly datasets as well as the CVEDB API. The SQLite database is optimized for looking up vulnerabilities based on a CPE but it can also be used to lookup information by CVE identifier. Most of the details for a specific CVE are stored as a gzip-compressed JSON object in the compressed_cve_data property. In order to see the JSON you need to decompress the blob. The schema for the SQLite file is:

CREATE TABLE IF NOT EXISTS "cveXcpe" (
  cve_id VARCHAR NOT NULL,
  cve_name VARCHAR(50),
  compressed_cve_data BLOB,
  epss FLOAT,
  kev BOOLEAN,
  status BOOLEAN,
  part VARCHAR(100),
  vendor VARCHAR(100),
  product VARCHAR(100),
  version VARCHAR(100),
  published_timestamp INTEGER,
  PRIMARY KEY (cve_id)
);
CREATE INDEX kev_index ON "cveXcpe" (kev);
CREATE INDEX cve_name_index ON "cveXcpe" (cve_name);
CREATE INDEX epss_index ON "cveXcpe" (epss);
CREATE INDEX ix_cpe_composite ON "cveXcpe" (part, vendor, product, version);
CREATE INDEX published_timestamp ON "cveXcpe" (published_timestamp DESC);
CREATE INDEX product_index ON "cveXcpe" (product);

Quickstart

  1. Download the database file:

    Terminal window
    shodan data download cvedb cvedb.sqlite.gz

  2. Uncompress it:

    Terminal window
    gunzip cvedb-cvedb.sqlite.gz

  3. Rename it to something more convenient:

    Terminal window
    mv cvedb-cvedb.sqlite cvedb.sqlite

  4. Use the sqlite3 tool to query it for test purposes:

    Terminal window
    sqlite3 cvedb.sqlite

Examples

Lookup CVE-2014-0160

SELECT cve_name,
        compressed_cve_data,
        epss,
        kev,
        '' || GROUP_CONCAT('cpe:2.3:' || part || ':' || vendor || ':' || product || ':' || version) || '' AS cpes,
        published_timestamp
    FROM cveXcpe
    WHERE cve_name = 'CVE-2014-0160'
    GROUP BY cve_name;

The cveXcpe table is optimized for lookups by CPE so we need to concatenate and merge rows in order to get a single row with all the vulnerability information.

Lookup vulnerabilities for Nginx 0.1.0

SELECT DISTINCT cve_name,
        kev
    FROM cveXcpe
    WHERE product = 'nginx' and version='0.1.0';

The above query will return the list of vulnerabilities for nginx version 0.1.0 and whether it's in the Known Exploited Vulnerabilities (KEV) catalog.