adulau / cve-search Goto Github PK

This project forked from cve-search/cve-search

cve-search is a tool to import CVE (Common Vulnerabilities and Exposures) and CPE (Common Platform Enumeration) into a MongoDB to facilitate search and processing of CVEs.

Home Page: https://www.cve-search.org/

License: GNU Affero General Public License v3.0

Python 78.10% CSS 2.06% JavaScript 4.75% HTML 15.08%

cve-search's Introduction

cve-search

cve-search is a tool to import CVE (Common Vulnerabilities and Exposures) and CPE (Common Platform Enumeration) into a MongoDB to facilitate search and processing of CVEs.

The main objective of the software is to avoid doing direct and public lookups into the public CVE databases. Local lookups are usually faster and you can limit your sensitive queries via the Internet.

cve-search includes a back-end to store vulnerabilities and related information, an intuitive web interface for search and managing vulnerabilities, a series of tools to query the system and a web API interface.

cve-search is used by many organizations including the public CVE services of CIRCL.

This document gives you basic information how to start with cve-search. For more information please refer to the documentation in the /doc folder of this project.

Getting started

Check the documentation to get you started

Usage

You can search the database using search.py.

usage: search.py [-h] [-q Q] [-p P [P ...]] [--only-if-vulnerable] [--strict_vendor_product] [--lax] [-f F] [-c C] [-o O]
                 [-l] [-n] [-r] [-a] [-v V] [-s S] [-t T] [-i I]

Search for vulnerabilities in the National Vulnerability DB. Data from http://nvd.nist.org.

options:
  -h, --help            show this help message and exit
  -q Q                  Q = search pip requirements file for CVEs, e.g. dep/myreq.txt
  -p P [P ...]          S = search one or more products, e.g. o:microsoft:windows_7 or o:cisco:ios:12.1 or
                        o:microsoft:windows_7 o:cisco:ios:12.1. Add --only-if-vulnerable if only vulnerabilities that
                        directly affect the product are wanted.
  --only-if-vulnerable  With this option, "-p" will only return vulnerabilities directly assigned to the product. I.e.
                        it will not consider "windows_7" if it is only mentioned as affected OS in an adobe:reader
                        vulnerability.
  --strict_vendor_product
                        With this option, a strict vendor product search is executed. The values in "-p" should be
                        formatted as vendor:product, e.g. microsoft:windows_7
  --lax                 Strict search for software version is disabled. Likely gives false positives for earlier
                        versions that were not yet vulnerable. Note that version comparison for non-numeric values
                        is done with simplifications.
  -f F                  F = free text search in vulnerability summary
  -c C                  search one or more CVE-ID
  -o O                  O = output format [csv|html|json|xml|cveid]
  -l                    sort in descending mode
  -n                    lookup complete cpe (Common Platform Enumeration) name for vulnerable configuration
  -r                    lookup ranking of vulnerable configuration
  -a                    Lookup CAPEC for related CWE weaknesses
  -v V                  vendor name to lookup in reference URLs
  -s S                  search in summary text
  -t T                  search in last n day
  -i I                  Limit output to n elements (default: unlimited)

Examples:

./bin/search.py -p cisco:ios:12.4
./bin/search.py -p cisco:ios:12.4 -o json
./bin/search.py -f nagios -n
./bin/search.py -p microsoft:windows_7 -o html

If you want to search all the WebEx vulnerabilities and only printing the official references from the supplier.

./bin/search.py -p webex: -o csv  -v "cisco"

You can also dump the JSON for a specific CVE ID.

./bin/search.py -c CVE-2010-3333 -o json

Or dump the last 2 CVE entries in RSS or Atom format.

./bin/dump_last.py -f atom -l 2

Or you can use the webinterface.

./web/index.py

Usage of the ranking database

There is a ranking database allowing to rank software vulnerabilities based on their common platform enumeration name. The ranking can be done per organization or department within your organization or any meaningful name for you.

As an example, you can add a partial CPE name like "sap:netweaver" which is very critical for your accounting department.

./sbin/db_ranking.py  -c "sap:netweaver" -g "accounting" -r 3

and then you can lookup the ranking (-r option) for a specific CVE-ID:

./bin/search.py -c CVE-2012-4341  -r  -n

Advanced usage

As cve-search is based on a set of tools, it can be used and combined with standard Unix tools. If you ever wonder what are the top vendors using the term "unknown" for their vulnerabilities:

python3 bin/search_fulltext.py -q unknown -f \
    | jq -c '. | .vulnerable_configuration[0]' \
    | cut -f5 -d: | sort  | uniq -c  | sort -nr | head -10

1500 oracle
381 sun
372 hp
232 google
208 ibm
126 mozilla
103 microsoft
100 adobe
 78 apple
 68 linux

You can compare CVSS (Common Vulnerability Scoring System ) values of some products based on their CPE name. Like comparing oracle:java versus sun:jre and using R to make some statistics about their CVSS values:

python3 bin/search.py -p oracle:java -o json \
  | jq -r '.cvss' | Rscript -e 'summary(as.numeric(read.table(file("stdin"))[,1]))'

Min. 1st Qu.  Median    Mean 3rd Qu.    Max.
1.800   5.350   9.300   7.832  10.000  10.000

python3 bin/search.py -p sun:jre -o json \
  | jq -r '.cvss' | Rscript -e 'summary(as.numeric(read.table(file("stdin"))[,1]))'

Min. 1st Qu.  Median    Mean 3rd Qu.    Max.
0.000   5.000   7.500   7.333  10.000  10.000

Fulltext indexing

If you want to index all the CVEs from your current MongoDB collection:

./sbin/db_fulltext.py -l 0

and you query the fulltext index (to get a list of matching CVE-ID):

./bin/search_fulltext.py -q NFS -q Linux

or to query the fulltext index and output the JSON object for each CVE-ID:

./bin/search_fulltext.py -q NFS -q Linux -f

Fulltext visualization

The fulltext indexer visualization is using the fulltext indexes to build a list of the most common keywords used in CVE. NLTK is required to generate the keywords with the most common English stopwords and lemmatize the output. NTLK for Python 3 exists but you need to use the alpha version of NLTK.

./bin/search_fulltext.py  -g -s >cve.json

You can see a visualization on the demo site.

Web interface

The web interface is a minimal interface to see the last CVE entries and query a specific CVE. You'll need flask in order to run the website and Flask-PyMongo. To start the web interface:

cd ./web
./index.py

Then you can connect on http://127.0.0.1:5000/ to browser the last CVE.

Web API interface

The web interface includes a minimal JSON API to get CVE by ID, by vendor or product. A public version of the API is also accessible on cve.circl.lu.

List the know vendors in JSON

curl "http://127.0.0.1:5000/api/browse/"

Dump the product of a specific vendor in JSON

curl "http://127.0.0.1:5000/api/browse/zyxel"
{
  "product": [
    "n300_netusb_nbg-419n",
    "n300_netusb_nbg-419n_firmware",
    "p-660h-61",
    "p-660h-63",
    "p-660h-67",
    "p-660h-d1",
    "p-660h-d3",
    "p-660h-t1",
    "p-660h-t3",
    "p-660hw",
    "p-660hw_d1",
    "p-660hw_d3",
    "p-660hw_t3"
  ],
  "vendor": "zyxel"
}

Find the associated vulnerabilities to a vendor and a product.

curl "http://127.0.0.1:5000/api/search/zyxel/p-660hw" | jq .
[
  {
    "cwe": "CWE-352",
    "references": [
      "http://www.exploit-db.com/exploits/33518",
      "http://secunia.com/advisories/58513",
      "http://packetstormsecurity.com/files/126812/Zyxel-P-660HW-T1-Cross-Site-Request-Forgery.html",
      "http://osvdb.org/show/osvdb/107449"
    ],
    "vulnerable_configuration": [
      "cpe:/h:zyxel:p-660hw:_t1:v3"
    ],
    "Published": "2014-06-16T14:55:09.713-04:00",
    "id": "CVE-2014-4162",
    "Modified": "2014-07-17T01:07:29.683-04:00",
    "cvss": 6.8,
    "summary": "Multiple cross-site request forgery (CSRF) vulnerabilities in the Zyxel P-660HW-T1 (v3) wireless router allow remote attackers to hijack the authentication of administrators for requests that change the (1) wifi password or (2) SSID via a request to Forms/WLAN_General_1."
  },
  {
    "cwe": "CWE-20",
    "references": [
      "http://www.kb.cert.org/vuls/id/893726"
    ],
    "vulnerable_configuration": [
      "cpe:/h:zyxel:p-660h-63:-",
      "cpe:/h:zyxel:p-660h-t1:-",
      "cpe:/h:zyxel:p-660h-d3:-",
      "cpe:/h:zyxel:p-660h-t3:v2",
      "cpe:/h:zyxel:p-660h-t1:v2",
      "cpe:/h:zyxel:p-660h-d1:-",
      "cpe:/h:zyxel:p-660h-67:-",
      "cpe:/h:zyxel:p-660h-61:-",
      "cpe:/h:zyxel:p-660hw_t3:v2",
      "cpe:/h:zyxel:p-660hw_t3:-",
      "cpe:/h:zyxel:p-660hw_d3:-",
      "cpe:/h:zyxel:p-660hw_d1:v2",
      "cpe:/h:zyxel:p-660hw_d1:-",
      "cpe:/h:zyxel:p-660hw:_t1:v2",
      "cpe:/h:zyxel:p-660hw:_t1:-"
    ],

Software using cve-search

MISP modules cve-search to interact with MISP
MISP module cve-advanced to import complete CVE as MISP objects
cve-portal which is a CVE notification portal
cve-search-mt which is a set of management tools for CVE-Search
cve-scan which is a NMap CVE system scanner
Mercator which is an application that allow the mapping of an information system

Docker versions

Official dockerized version of cve-search:

CVE-Search-Docker

There are some unofficial dockerized versions of cve-search (which are not maintained by us):

Changelog

You can find the changelog on GitHub Releases (legacy changelog).

License

cve-search is free software released under the "GNU Affero General Public License v3.0"

Copyright (c) 2012 Wim Remes - https://github.com/wimremes/
Copyright (c) 2012-2024 Alexandre Dulaunoy - https://github.com/adulau/
Copyright (c) 2015-2019 Pieter-Jan Moreels - https://github.com/pidgeyl/
Copyright (c) 2020-2024 Paul Tikken - https://github.com/P-T-I

cve-search's People

Contributors

Stargazers

Watchers

cve-search's Issues

Review current and known reference ID

Following the talk about VRDX

VRDX catalog of index will be soon available.

Add support for CVSS v3 in the API for CVEs

Hello, I was super pleasantly surprised when I found your API. However, one thing that is still missing is a section for the CVSS v3 base vector & score e.g. in https://cve.circl.lu/api/cve/CVE-2020-0001

I've taken a look at the raw JSON that NVD provides and could see that they provide a section "baseMetricV2", which you parse via sbin/db_mgmt_json.py, but there is also a section for CVSS v3 there.

Would it be possible if you could also store this additional information in the future? Or is there a reason why there is no CVSS v3 support as of yet?

Web API interface in the XMPP interface

403 Forbidden

Requests from my local environment are working fine, but requests from my server are receiving a 403 Forbidden.

403 Forbidden
Forbidden
You don't have permission to access /api/cve/CVE-2017-17480 on this server.

Did I get blacklisted from the API? I didn't see a mention of request limit.
Also created this issue here: cve-search#358.

RedHat data to import in cve-search

https://www.redhat.com/security/data/metrics/

Mainly the CPE/CVE mapping:

https://www.redhat.com/security/data/metrics/rhsamapcpe.txt

and the custom CPE from RedHat:

https://www.redhat.com/security/data/metrics/cpelist-rhel6server-default-install.txt

Something else? the oval definition maybe?

blacklist and whitelist in search.py support

blacklist and whitelist in search.py

JSONP doesn't work

Looking at the code, it seems that you try to support JSONP (great!) but it doesn't work:

$ curl 'https://cve.circl.lu/api/cve/CVE-2017-9366?callback=xxx'
HTTP/1.1 0 (Content-Type: application/json
Server: TornadoServer/4.4.2
Content-Length: 1

x

Note that only the first character of the callback is returned, and that the headers appear unexpectedly in the body.

Looking at the code again, this seems to happen because the api function in web/api.py executes

return Response(data[0], mimetype=returnType), data[1]

while data is a string, not the usual (json, code) tuple.

Problems in lib/DatabaseLayer.py

Just a couple of typos in DatabaseLayer.py

On line 316:
item = findRanking(cpe):

Traceback (most recent call last):
File "./db_updater.py", line 22, in <module>
    import lib.DatabaseLayer as dbLayer
  File "/opt/cve-search/sbin/../lib/DatabaseLayer.py", line 316
    item = findRanking(cpe):

On line 328:
colRANKING..remove

Traceback (most recent call last):
  File "./db_updater.py", line 22, in <module>
    import lib.DatabaseLayer as dbLayer
  File "/opt/cve-search/sbin/../lib/DatabaseLayer.py", line 328
    return sanitize(colRANKING..remove({'cpe': {'$regex': cpe}}))

Web /browse failes with "'NoneType' is not iterable" in minimal.py

127.0.0.1 - - [26/May/2020 13:49:56] "GET /browse HTTP/1.1" 500 -
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/flask/app.py", line 2464, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/lib/python3.8/site-packages/flask/app.py", line 2450, in wsgi_app
    response = self.handle_exception(e)
  File "/usr/lib/python3.8/site-packages/flask/app.py", line 1867, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/lib/python3.8/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/usr/lib/python3.8/site-packages/flask/app.py", line 2447, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python3.8/site-packages/flask/app.py", line 1952, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/python3.8/site-packages/flask/app.py", line 1821, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/lib/python3.8/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/usr/lib/python3.8/site-packages/flask/app.py", line 1950, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/python3.8/site-packages/flask/app.py", line 1936, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/path/cve-search/web/minimal.py", line 140, in browse
    if 'product' in data and 'vendor' in data:
TypeError: argument of type 'NoneType' is not iterable

hardcoded limit in API + argument "limit" doesn't work

the "query" API seems to have an hardcoded limit of maximum 50 results to return. And, the "limit" argument doesn't work

support@houdini:~$ date
Thu Aug  3 09:54:08 CEST 2017
support@houdini:~$ curl -s 'http://cve.circl.lu/api/query?time_start=01-07-2017&time_modifier=from&time_type=last-modified' | grep -c "\{"
50
support@houdini:~$ curl -s 'http://cve.circl.lu/api/query?time_start=01-07-2017&time_modifier=from&time_type=last-modified&limit=500' | grep -c "\{"
50
support@houdini:~$ curl -s 'http://cve.circl.lu/api/query?time_start=01-07-2017&time_modifier=from&time_type=last-modified&limit=10' | grep -c "\{"
50

Flag for "and previous"

When we look at CVE/CPE entries on other services, such as NIST CPE DB, we see that CPE searches help match with past versions. For example if version 0.50 was vulnerable, as well as anything previously, the CVE may not have all the versions set in the CPE.

In an example, CVE-2016-7409, the JSON data available via the cve-search dump includes:

...
 'id': 'CVE-2016-7409',
...
 'summary': 'The dbclient and server in Dropbear SSH before 2016.74, when '
            'compiled with DEBUG_TRACE, allows local users to read process '
            'memory via the -v argument, related to a failed remote ident.',
 'vulnerable_configuration': [{'id': 'cpe:2.3:a:dropbear_ssh_project:dropbear_ssh:2016.73',
                               'title': 'cpe:2.3:a:dropbear_ssh_project:dropbear_ssh:2016.73'}],
 'vulnerable_configuration_cpe_2_2': ['cpe:/a:dropbear_ssh_project:dropbear_ssh:2016.73']}

However, checking on https://nvd.nist.gov/vuln/detail/CVE-2016-7409 and clicking "Show Matching CPEs" expands to show the 53 calculated CPEs that are vulnerable to this.

Likewise, their search from CPE to CVEs captures this: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&cves=on&cpe_version=cpe%3a%2fa%3adropbear_ssh_project%3adropbear_ssh%3a0.50.

Meanwhile, a search on https://cve.circl.lu/api/cvefor/cpe:2.3:a:dropbear_ssh_project:dropbear_ssh:0.50:*:*:*:*:*:*:* only returns a single CVE, which is the one that explicitly lists the CPE in it's vulnerable_configuration field.

The dataset would be significantly more useful if there is a way we can capture the data needed to compute the other CPEs affected, or if you can pre-compute these.

Create LICENSE file

You state that this software is available under a modified BSD license, but you don't have a LICENSE file with the text of the license. Will you please add a LICENSE file? (Many open source licenses require that the license text accompany the source code.)

Thanks!

Missing CVEs with en-US language

Hi,

I noticed a few missing published CVEs in your search. Example being CVE-2023-36036. I believe this is because you're only checking for English descriptions using the en language code. However, CVE are now using en-US instead, which CVE-2023-36036 and CVE-2023-36030 have.

I haven't looked at the code to confirm that this is exactly what's happening but have seen it on similar systems recently.

Log update - history like for CVE updates

Log update - history like for CVE on the web interface or the vty. Keeping track of the database updates.

Bugs in browse

browse/gratta_%26_vinci%3f_project

API search example doesn't work

Hi.
I tried to play with API and started from examples here.

$ curl http://cve.circl.lu/api/search/microsoft/office
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>

It looks like searching for the product through the API doesn't work. Have I missed something? Other examples work fine.

db_updater.py fails for pathes with whitespace

Running ./sbin/db_updater.py in a path like /path/with/whitespace here/ fails:

$ ./sbin/db_updater.py -c
./sbin/db_updater.py:105: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if not Configuration.includesFeed(source['name']) and source['name'] is not "redis-cache-cpe":
./sbin/db_updater.py:107: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if args.f and source['name'] is not "redis-cache-cpe":
./sbin/db_updater.py:111: SyntaxWarning: "is" with a literal. Did you mean "=="?
  if source['name'] is "cpeother":
./sbin/db_updater.py:114: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if source['name'] is not "redis-cache-cpe":
./sbin/db_updater.py:117: SyntaxWarning: "is" with a literal. Did you mean "=="?
  if args.f and source['name'] is "cpe":
./sbin/db_updater.py:120: SyntaxWarning: "is" with a literal. Did you mean "=="?
  elif args.f and source['name'] is "cve":
./sbin/db_updater.py:129: SyntaxWarning: "is" with a literal. Did you mean "=="?
  elif (args.c is True and source['name'] is "redis-cache-cpe"):
INFO:root:Starting cpe
/usr/bin/python3: can't open file '/path/with/whitespace': [Errno 2] No such file or directory
INFO:root:cpe has 307341 elements (0 update)
INFO:root:Starting cve
/usr/bin/python3: can't open file '/path/with/whitespace': [Errno 2] No such file or directory
INFO:root:cve has 144323 elements (0 update)
INFO:root:Starting cwe
/usr/bin/python3: can't open file '/path/with/whitespace': [Errno 2] No such file or directory
INFO:root:cwe has 0 elements (0 update)
INFO:root:Starting capec
/usr/bin/python3: can't open file '/path/with/whitespace': [Errno 2] No such file or directory
INFO:root:capec has 0 elements (0 update)
INFO:root:Starting redis-cache-cpe
/usr/bin/python3: can't open file '/path/with/whitespace': [Errno 2] No such file or directory
INFO:root:redis-cache-cpe updated
INFO:root:Starting via4
/usr/bin/python3: can't open file '/path/with/whitespace': [Errno 2] No such file or directory
INFO:root:via4 has 0 elements (0 update)
INFO:root:Starting ensureindex
/usr/bin/python3: can't open file '/path/with/whitespace': [Errno 2] No such file or directory
INFO:root:
[-] No plugin loader file!

Ability to limit result fields returned

For some queries, there will be a large amount of data returned. For example, when doing a cvefor query, a user may not want the full CVE entry for things -- but rather may benefit from a smaller subset of fields. This is important to make the query more efficient in terms of data transfer on both sides.

For example, when GETing https://cve.circl.lu/api/cvefor/cpe:2.3:a:openssl:openssl:0.9.8a:*:*:*:*:*:*:*, there is a large amount of Nessus data coming back. In some cases (such as mine), there is no need for this data at all. Furthermore, if one runs entirely on CPE v2.3, they may not need the CPE v2.2 fields.

This would bring the API in line with common practices to make it possible request the fields desired to be returned.

Feature request: add version in search terms

Hi,

Is it possible to implement a search function which can search specific version of software.

Example:
https://cve.circl.lu/api/search/microsoft/office/2010 .

It could be useful when searching CVE from a user-agent which contain a specific version.

Link to vFeed github

Hi guys;

Can you please add a link to vFeed github page here vfeed (cross-references to CVE ids (e.g. OVAL, OpenVAS, ...)) - source vfeed . The link is >> https://github.com/toolswatch/vFeed

And change name vfeed to vFeed ;)

Thanks guys
@toolswatch

Support JSON format feeds

Will cve-search support the JSON CVE feeds, one the XML feeds won't be updated after 9 October?

Watch list for the CVE

Watch list for the CVE.

bin/db_mgmt_cpe_other_dictionary.py

Starting cpeother
Traceback (most recent call last):
File "/home/adulau/git/cve-search/bin/db_mgmt_cpe_other_dictionary.py", line 65, in
for item in progressbar(list(collections)):
File "/home/adulau/git/cve-search/bin/../lib/ProgressBar.py", line 21, in progressbar
_show(0)
File "/home/adulau/git/cve-search/bin/../lib/ProgressBar.py", line 17, in _show
x = int(size * _i / count)
ZeroDivisionError: division by zero

Testing HEAD

/api/last broken

127.0.0.1 - - [28/Dec/2016 11:34:59] "GET /api/last HTTP/1.1" 500 -
Traceback (most recent call last):
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1836, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1820, in wsgi_app
    response = self.make_response(self.handle_exception(e))
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1403, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python3.4/dist-packages/flask/_compat.py", line 33, in reraise
    raise value
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1478, in full_dispatch_request
    response = self.make_response(rv)
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1577, in make_response
    rv = self.response_class.force_type(rv, request.environ)
  File "/usr/local/lib/python3.4/dist-packages/werkzeug/wrappers.py", line 841, in force_type
    response = BaseResponse(*_run_wsgi_app(response, environ))
  File "/usr/local/lib/python3.4/dist-packages/werkzeug/wrappers.py", line 57, in _run_wsgi_app
    return _run_wsgi_app(*args)
  File "/usr/local/lib/python3.4/dist-packages/werkzeug/test.py", line 867, in run_wsgi_app
    app_rv = app(environ, start_response)
TypeError: 'list' object is not callable

/api/search/microsoft/office broken

127.0.0.1 - - [28/Dec/2016 11:38:30] "GET /api/search/microsoft/office HTTP/1.1" 500 -
Traceback (most recent call last):
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1836, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1820, in wsgi_app
    response = self.make_response(self.handle_exception(e))
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1403, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python3.4/dist-packages/flask/_compat.py", line 33, in reraise
    raise value
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1478, in full_dispatch_request
    response = self.make_response(rv)
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1577, in make_response
    rv = self.response_class.force_type(rv, request.environ)
  File "/usr/local/lib/python3.4/dist-packages/werkzeug/wrappers.py", line 841, in force_type
    response = BaseResponse(*_run_wsgi_app(response, environ))
  File "/usr/local/lib/python3.4/dist-packages/werkzeug/test.py", line 867, in run_wsgi_app
    app_rv = app(environ, start_response)
TypeError: 'list' object is not callable

How are space characters represented in the cvefor API?

Searching the CVE database using cvefor and an product name works fine:

curl 'https://cve.circl.lu/api/cvefor/cpe:2.3:a:*:putty'

But I don't seem to get products matched with a space in it. In the cpe part of the response of an API call, the space characters in the product name are replaced with an underscore character (_), but if I search with an underscore (or without space character or with tilde or asteriks instead of a space character) does not result in a response. For example (placing the space of foxit reader with _):

curl 'https://cve.circl.lu/api/cvefor/cpe:2.3:a:*:foxit_reader'

Gives an empty result, while foxit_reader does have some cve's registered.

ERROR:__main__:Exception on /link/map_cve_oval/ovalid/oval:org.mitre.oval:def:16228 [GET]
Traceback (most recent call last):
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python3.4/dist-packages/flask/_compat.py", line 33, in reraise
    raise value
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "minimal-web.py", line 294, in link
    stats={'maxCVSS': max(cvssList), 'minCVSS': min(cvssList),'count':len(cve)}
ValueError: max() arg is an empty sequence