cve-mcp-server

olegbet/cve-mcp-server

3.2

If you are the rightful owner of cve-mcp-server and would like to certify it and/or have it hosted online, please leave a comment on the right or send an email to henry@mcphub.com.

The Model Context Protocol (MCP) server template provides a foundational setup for deploying and managing MCP servers using containerization technologies like Podman or Docker.

NIST CVE MCP Server

A Model Context Protocol (MCP) server for interacting with the NIST National Vulnerability Database (NVD) API to search and retrieve CVE (Common Vulnerabilities and Exposures) information.

Features

  • Search CVEs by keyword, CVE ID, date ranges, and severity
  • Enhanced search with exact match and fuzzy search capabilities
  • Get detailed information about specific CVEs
  • Search for recent CVEs (last N days)
  • Search CVEs by vendor/product
  • Get statistics about recent CVE activity
  • NEW: Check vulnerabilities in specific libraries and tools
  • NEW: Analyze multiple project dependencies for security risks
  • NEW: Comprehensive vulnerability reporting with severity analysis

Installation

Prerequisites

  • Python 3.8 or higher (for local installation)
  • Docker and Docker Compose (for containerized deployment - recommended)
  • Internet connection for accessing NIST NVD API

Option 1: Docker Installation (Recommended)

Quick Start with Scripts

  1. Build the Docker image:

    ./build.sh

  2. Deploy the container:

    ./deploy.sh start

  3. Check status:

    ./deploy.sh status

  4. View logs:

    ./deploy.sh logs -f
Using Management Scripts

  1. Start the service:

    ./deploy.sh start

  2. Check status:

    ./deploy.sh status

  3. View logs:

    ./deploy.sh logs -f

  4. Stop the service:

    ./deploy.sh stop
Manual Docker Commands

Build the image:

docker build -f Containerfile -t cve-mcp-server:latest .

Run the container:

docker run -d \
  --name cve-mcp-server \
  --restart unless-stopped \
  -v $(pwd)/logs:/app/logs \
  --security-opt no-new-privileges:true \
  --read-only \
  --memory=512m \
  --cpus=1.0 \
  cve-mcp-server:latest

Option 2: Local Installation

  1. Install the required dependencies:
pip install -r requirements.txt
  1. Test the server (optional but recommended):
python -c "import mcp_server; print('Server imports successfully')"

Usage

Option 1: Direct Usage (for testing)

Run the MCP server directly:

python mcp_server.py

Option 2: Integration with MCP Clients (recommended)

For Claude Desktop:

  1. Open your Claude Desktop configuration file:

    • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
    • Windows: %APPDATA%\Claude\claude_desktop_config.json

  2. Add the server configuration:

{
  "mcpServers": {
    "nist-cve": {
      "command": "python",
      "args": ["/full/path/to/your/cve-mcp-server/mcp_server.py"],
      "env": {
        "MCP_TRANSPORT": "stdio"
      }
    }
  }
}

  1. Replace /full/path/to/your/cve-mcp-server/mcp_server.py with the actual path to your server file.

  2. Restart Claude Desktop.

For other MCP clients:

Use the configuration format appropriate for your client, referencing the config_example.json file.

Available Tools

1. search_cves

Search for CVEs using various filters.

Parameters:

  • keyword: Search term for CVE descriptions (fuzzy search)
  • keyword_exact_match: Exact match search term for CVE descriptions
  • cve_id: Specific CVE ID (e.g., "CVE-2023-1234")
  • pub_start_date: Published start date (ISO 8601 format: YYYY-MM-DDTHH:MM:SS.000Z)
  • pub_end_date: Published end date (ISO 8601 format: YYYY-MM-DDTHH:MM:SS.000Z)
  • mod_start_date: Modified start date (ISO 8601 format: YYYY-MM-DDTHH:MM:SS.000Z)
  • mod_end_date: Modified end date (ISO 8601 format: YYYY-MM-DDTHH:MM:SS.000Z)
  • cvss_v3_severity: CVSS v3 severity (LOW, MEDIUM, HIGH, CRITICAL)
  • is_vulnerable: Filter for only vulnerable configurations (requires cpeName - not implemented yet)
  • results_per_page: Number of results per page (max 2000)
  • start_index: Starting index for pagination

2. get_cve_details

Get detailed information about a specific CVE.

Parameters:

  • cve_id: CVE identifier (e.g., "CVE-2023-1234")

3. search_recent_cves

Search for CVEs published in the last N days.

Parameters:

  • days: Number of days to look back (default: 7)
  • severity: Filter by CVSS v3 severity (LOW, MEDIUM, HIGH, CRITICAL)

4. search_cves_by_vendor

Search for CVEs by vendor/product name.

Parameters:

  • vendor: Vendor name (e.g., "microsoft", "apache")
  • product: Optional product name (e.g., "windows", "httpd")

5. get_cve_statistics

Get basic statistics about recent CVE activity (last 30 days).

6. check_library_vulnerabilities

Check for vulnerabilities in a specific library or tool.

Parameters:

  • library_name: Name of the library/tool (e.g., "express", "lodash", "spring-boot")
  • version: Specific version to check (e.g., "4.18.0") [optional]
  • exact_match: Use exact match search instead of fuzzy search (default: false)
  • severity_filter: Filter by severity (LOW, MEDIUM, HIGH, CRITICAL) [optional]
  • only_vulnerable: Only return CVEs with vulnerable configurations (default: true)

Returns:

  • CVE results with vulnerability summary including severity counts and most critical CVEs

7. check_project_dependencies

Check multiple project dependencies for vulnerabilities.

Parameters:

  • dependencies: Comma-separated list of dependencies (e.g., "express,lodash,react")
  • package_manager: Package manager type (npm, pip, maven, etc.) for context (default: "npm")
  • severity_threshold: Minimum severity to report (LOW, MEDIUM, HIGH, CRITICAL) (default: "MEDIUM")

Returns:

  • Comprehensive project vulnerability report with summary statistics and per-dependency results

Usage Examples

Search for CVEs containing "buffer overflow"

await search_cves(keyword="buffer overflow", results_per_page=10)

Get details for a specific CVE

await get_cve_details(cve_id="CVE-2023-1234")

Search for critical CVEs from the last 7 days

await search_recent_cves(days=7, severity="CRITICAL")

Search for Microsoft Windows CVEs

await search_cves_by_vendor(vendor="microsoft", product="windows")

Get CVE statistics

await get_cve_statistics()

Check vulnerabilities in a specific library

# Check Express.js vulnerabilities
await check_library_vulnerabilities(library_name="express", version="4.18.0")

# Check with exact match for more precise results
await check_library_vulnerabilities(library_name="lodash", exact_match=True, severity_filter="HIGH")

Check multiple project dependencies

# Check Node.js project dependencies
await check_project_dependencies(
    dependencies="express,lodash,react,axios",
    package_manager="npm",
    severity_threshold="MEDIUM"
)

# Check Python project dependencies
await check_project_dependencies(
    dependencies="django,requests,flask",
    package_manager="pip",
    severity_threshold="HIGH"
)

Use exact match search for precise results

# Search for exact matches only
await search_cves(keyword_exact_match="Spring Boot", is_vulnerable=True)

# Combine with severity filtering
await search_cves(
    keyword_exact_match="Apache Log4j",
    cvss_v3_severity="CRITICAL",
    is_vulnerable=True
)

Docker Deployment

This project uses pure Docker without docker-compose for simplicity and reduced dependencies.

Container Features

  • Security Hardened: Runs as non-root user with read-only filesystem
  • Resource Limited: Memory and CPU limits for production use
  • Health Checks: Built-in health monitoring
  • Logging: Structured logging with rotation
  • Multi-stage Build: Optimized image size and security
  • No Compose Required: Simple Docker commands only
  • OCI Compliant: Uses Containerfile instead of Dockerfile

Management Scripts

Build Script (./build.sh)
# Build with default tag
./build.sh

# Build with custom tag
./build.sh v1.0

# Features:
# - Multi-stage build for smaller images
# - Security scanning with Trivy (if available)
# - Image testing and validation
# - Proper labeling and metadata
Deploy Script (./deploy.sh)
# Start container
./deploy.sh start

# Stop container
./deploy.sh stop

# Restart container
./deploy.sh restart

# Show status
./deploy.sh status

# View logs
./deploy.sh logs -f

# Open shell in container
./deploy.sh shell

# Create Docker network
./deploy.sh network

# Clean up everything
./deploy.sh clean

Container Configuration

The Docker setup includes:

  • Base Image: Python 3.11-slim for minimal attack surface
  • User: Non-root mcp user for security
  • Filesystem: Read-only root filesystem with specific writable mounts
  • Resources: 512MB memory limit, 1 CPU limit
  • Security: No new privileges, proper capability dropping
  • Networking: Isolated bridge network
  • Persistence: Log volume mounting for data persistence

Using with MCP Clients (Docker)

When using the containerized version with MCP clients like Claude Desktop, you have two options:

  1. Expose via stdio (modify container to use stdio transport)
  2. Use TCP transport (future enhancement)

For now, the recommended approach is to use the local installation for MCP client integration.

API Rate Limits

The NIST NVD API has rate limits:

  • Without an API key: 5 requests per 30 seconds
  • With an API key: 50 requests per 30 seconds

To use an API key, you would need to modify the make_request function to include the API key in the headers.

Data Source

This MCP server uses the NIST National Vulnerability Database (NVD) API v2.0:

License

This project is open source and available under the MIT License.