@nodesecure/vulnera
Version:
NodeSecure vulnerabilities strategies
159 lines • 5.25 kB
TypeScript
import type { NVD as NVDFormat } from "../formats/nvd/index.ts";
import type { ApiCredential } from "../credential.ts";
/**
* @description Parameters for querying the NVD API
*
* Note: While NVD API supports CPE-based matching (cpeName, virtualMatchString, etc.),
* we don't use those parameters for npm packages due to compatibility issues with
* the CPE format. Instead, we rely on keywordSearch which provides
* more reliable results for npm packages.
*
* See docs/database/nvd.md for more details on this implementation choice.
*
* @see https://nvd.nist.gov/developers/vulnerabilities
*/
export type NVDApiParameter = {
/**
* Searches CVE descriptions by keyword or phrase.
* Spaces should be encoded as %20; wildcard matching is implicit.
*/
keywordSearch?: string;
/**
* When true, enforces exact phrase matching for multi-term searches.
* Requires keywordSearch.
*/
keywordExactMatch?: boolean;
/**
* Convenience parameter that maps to keywordSearch using the package name.
* Used internally by findOneBySpec.
* @default npm
*/
packageName?: string;
/**
* @default npm
*/
ecosystem?: string;
/**
* Returns a specific CVE by its CVE identifier (e.g. "CVE-2021-44228").
*/
cveId?: string;
/**
* Filters CVE by tag type.
*/
cveTag?: "disputed" | "unsupported-when-assigned" | "exclusively-hosted-service";
/**
* Filters by CWE identifier (e.g. "CWE-79") or placeholders
* "NVD-CWE-Other" / "NVD-CWE-noinfo".
*/
cweId?: string;
/**
* Filters by CVSSv2 severity level.
* Cannot be combined with cvssV3Severity or cvssV4Severity.
*/
cvssV2Severity?: "LOW" | "MEDIUM" | "HIGH";
/**
* Filters by CVSSv3 severity level.
* Cannot be combined with cvssV2Severity or cvssV4Severity.
*/
cvssV3Severity?: "CRITICAL" | "HIGH" | "MEDIUM" | "LOW";
/**
* Filters by CVSSv4 severity level.
* Cannot be combined with cvssV2Severity or cvssV3Severity.
*/
cvssV4Severity?: "CRITICAL" | "HIGH" | "MEDIUM" | "LOW";
/**
* Filters by CVSSv2 vector string (full or partial).
* Cannot be combined with cvssV3Metrics or cvssV4Metrics.
*/
cvssV2Metrics?: string;
/**
* Filters by CVSSv3 vector string (full or partial).
* Cannot be combined with cvssV2Metrics or cvssV4Metrics.
*/
cvssV3Metrics?: string;
/**
* Filters by CVSSv4 vector string (full or partial).
* Cannot be combined with cvssV2Metrics or cvssV3Metrics.
*/
cvssV4Metrics?: string;
/**
* When true, excludes CVE with REJECT or Rejected status.
*/
noRejected?: boolean;
/**
* When true, returns only CVE appearing in the CISA Known Exploited
* Vulnerabilities (KEV) catalog.
*/
hasKev?: boolean;
/**
* When true, returns only CVE with US-CERT Technical Alerts.
*/
hasCertAlerts?: boolean;
/**
* When true, returns only CVE with CERT/CC Vulnerability Notes.
*/
hasCertNotes?: boolean;
/**
* When true, returns only CVE containing MITRE OVAL information.
*/
hasOval?: boolean;
/**
* Start date for the publication date filter (ISO-8601, e.g. "2021-01-01T00:00:00.000Z").
* Must be paired with pubEndDate. Maximum range is 120 days.
*/
pubStartDate?: string;
/**
* End date for the publication date filter (ISO-8601).
* Must be paired with pubStartDate. Maximum range is 120 days.
*/
pubEndDate?: string;
/**
* Start date for the last-modified filter (ISO-8601).
* Must be paired with lastModEndDate. Maximum range is 120 days.
*/
lastModStartDate?: string;
/**
* End date for the last-modified filter (ISO-8601).
* Must be paired with lastModStartDate. Maximum range is 120 days.
*/
lastModEndDate?: string;
/**
* Filters by the exact data source identifier.
*/
sourceIdentifier?: string;
/**
* Maximum number of CVE records returned per response.
* @default 2000
* @maximum 2000
*/
resultsPerPage?: number;
/**
* Zero-based index of the first CVE record to return (for pagination).
* @default 0
*/
startIndex?: number;
};
export interface NVDOptions {
credential: ApiCredential;
/**
* Delay in milliseconds between consecutive requests in findMany.
*
* The NVD API enforces rate limits:
* - Without API key: 5 requests per 30-second window (~6 000 ms between requests)
* - With API key: 50 requests per 30-second window (~600 ms between requests)
*
* @default 6000
* @see https://nvd.nist.gov/developers/start-here
*/
requestDelay?: number;
}
export declare class NVD {
#private;
static readonly ROOT_API = "https://services.nvd.nist.gov/rest/json/cves/2.0";
constructor(options: NVDOptions);
find(parameters: NVDApiParameter): Promise<NVDFormat[]>;
findByCveId(cveId: string): Promise<NVDFormat[]>;
findBySpec(spec: string): Promise<NVDFormat[]>;
findMany<T extends string = string>(specs: T[]): Promise<Record<T, NVDFormat[]>>;
}
//# sourceMappingURL=nvd.d.ts.map