Filter CVE records by CVSS scores

Does anyone have a search that filters CVE objects by CVSS scoring?

For example, only show CVEs with a CVSS Exploitability Score > 2.

Hey @0101001001001

You can do it with a search like this:

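// Return every document of type "vulnerability" that carries a CVSS v3.1
// exploitability score above 2.0.
// Caveat: a document with no "cvssMetricV31-exploitabilityScore" entry (for
// example one scored only under another CVSS version, or not scored at all)
// is dropped, so absence from the result does not mean a low score.
FOR doc IN nvd_cve_vertex_collection
  FILTER doc.type == "vulnerability"
  LET refs = (
    // Fall back to an empty array so a document without external_references
    // is skipped instead of handing a non-array value to FOR.
    FOR ref IN (doc.external_references || [])
      // The score is read from ref.description. TO_NUMBER yields 0 for text
      // that is not a number, so such entries never pass the threshold.
      FILTER ref != null
        AND ref.source_name == "cvssMetricV31-exploitabilityScore"
        AND TO_NUMBER(ref.description) > 2.0
      RETURN ref
  )
  FILTER LENGTH(refs) > 0
  // Strip attributes whose name starts with "_" (ArangoDB system attributes
  // such as _key, _id and _rev) from the returned document.
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)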

You can change cvssMetricV31-exploitabilityScore to another source_name value of your choice.

You can also add multiple keys to filter on in this way, like so:

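// Return every document of type "vulnerability" whose CVSS v3.1
// exploitability score is above 2.0 AND whose CVSS v3.1 impact score is
// above 5.0.
// Caveat: a document missing either v3.1 entry (for example one scored only
// under another CVSS version, or not scored at all) is dropped, so absence
// from the result does not mean the scores are low.
FOR doc IN nvd_cve_vertex_collection
  FILTER doc.type == "vulnerability"

  // Both subqueries fall back to an empty array so a document without
  // external_references is skipped instead of handing a non-array value to
  // FOR. Scores are read from ref.description; TO_NUMBER yields 0 for text
  // that is not a number, so such entries never pass a threshold.
  LET exploitabilityScoreRefs = (
    FOR ref IN (doc.external_references || [])
      FILTER ref != null
        AND ref.source_name == "cvssMetricV31-exploitabilityScore"
        AND TO_NUMBER(ref.description) > 2.0
      RETURN ref
  )

  LET impactScoreRefs = (
    FOR ref IN (doc.external_references || [])
      FILTER ref != null
        AND ref.source_name == "cvssMetricV31-impactScore"
        AND TO_NUMBER(ref.description) > 5.0
      RETURN ref
  )

  // Both thresholds must be met for the document to be kept.
  FILTER LENGTH(exploitabilityScoreRefs) > 0 AND LENGTH(impactScoreRefs) > 0

  // Strip attributes whose name starts with "_" (ArangoDB system attributes
  // such as _key, _id and _rev) from the returned document.
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]

  RETURN KEEP(doc, filteredKeys)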

Note, the two searches above are focused on CVSS 3.1.

The CVE data currently include CVSSv2, v3.0, and v3.1 (v4.0 is coming soon)

You probably only care about 3.0 and 3.1 given how old v2 is, so you'll want to expand your search to the following:

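// Return every document of type "vulnerability" that meets both thresholds
// (exploitability > 2.0 and impact > 5.0) under CVSS v3.1, or meets both
// under CVSS v3.0.
// Caveats:
//  - The two thresholds are paired per version: an exploitability score that
//    passes only under v3.1 combined with an impact score that passes only
//    under v3.0 does not match.
//  - CVSS v2 and v4.0 entries are not consulted, so a document scored only
//    under those versions (or not scored at all) is dropped. Absence from
//    the result does not mean the scores are low.
FOR doc IN nvd_cve_vertex_collection
  FILTER doc.type == "vulnerability"

  // Every subquery falls back to an empty array so a document without
  // external_references is skipped instead of handing a non-array value to
  // FOR. Scores are read from ref.description; TO_NUMBER yields 0 for text
  // that is not a number, so such entries never pass a threshold.

  // --- CVSS v3.1 ---
  LET exploitabilityScore31Refs = (
    FOR ref IN (doc.external_references || [])
      FILTER ref != null
        AND ref.source_name == "cvssMetricV31-exploitabilityScore"
        AND TO_NUMBER(ref.description) > 2.0
      RETURN ref
  )

  LET impactScore31Refs = (
    FOR ref IN (doc.external_references || [])
      FILTER ref != null
        AND ref.source_name == "cvssMetricV31-impactScore"
        AND TO_NUMBER(ref.description) > 5.0
      RETURN ref
  )

  // --- CVSS v3.0 ---
  LET exploitabilityScore30Refs = (
    FOR ref IN (doc.external_references || [])
      FILTER ref != null
        AND ref.source_name == "cvssMetricV30-exploitabilityScore"
        AND TO_NUMBER(ref.description) > 2.0
      RETURN ref
  )

  LET impactScore30Refs = (
    FOR ref IN (doc.external_references || [])
      FILTER ref != null
        AND ref.source_name == "cvssMetricV30-impactScore"
        AND TO_NUMBER(ref.description) > 5.0
      RETURN ref
  )

  // Keep the document when one version satisfies both thresholds.
  FILTER (LENGTH(exploitabilityScore31Refs) > 0 AND LENGTH(impactScore31Refs) > 0) OR
         (LENGTH(exploitabilityScore30Refs) > 0 AND LENGTH(impactScore30Refs) > 0)

  // Strip attributes whose name starts with "_" (ArangoDB system attributes
  // such as _key, _id and _rev) from the returned document.
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]

  RETURN KEEP(doc, filteredKeys)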