@scarlet-mesh/mcp-cve

CVE MCP Server providing security vulnerability analysis and Red Hat CVE data

# Red Hat CVE Information MCP Server

## Overview

This MCP (Model Context Protocol) server, `cve`, provides comprehensive access to Red Hat's Common Vulnerabilities and Exposures (CVE) information through Red Hat's CSAF (Common Security Advisory Framework) feed. It enables AI tools and applications to retrieve detailed security vulnerability information, including severity ratings, affected products, remediation steps, and reference links.

## Features

* **CVE Data Retrieval**: Fetch detailed information for any CVE from Red Hat's security feed
* **Severity Assessment**: Get CVSS v3 severity ratings (Critical, Important, Moderate, Low)
* **Affected Products**: Identify which Red Hat products and versions are impacted by specific vulnerabilities
* **Remediation Information**: Access detailed remediation steps and security patches
* **Rich HTML Summaries**: Generate formatted HTML cards with comprehensive CVE information
* **Reference Links**: Direct access to security advisories and additional documentation

## Tools

The server provides the following MCP tools:

* `summarize-cve`: Fetch and summarize a CVE from Red Hat's CSAF feed with detailed markdown formatting
* `get-cve-summary-html`: Generate a rich HTML card-style summary with severity, products, links, and remediation info

## Data Source

The server fetches CVE data from Red Hat's CSAF v2 VEX feed:

`https://security.access.redhat.com/data/csaf/v2/vex/{year}/cve-{year}-{number}.json`

This provides the most up-to-date and comprehensive security information directly from Red Hat's security team.

## Setup

### Prerequisites

* Node.js
* Internet connection (for accessing Red Hat's CSAF feed)
* An MCP client (e.g., a compatible AI tool or application)

### Installation

1. Clone this repository or navigate to the cve package.
2. Install the dependencies:

   ```bash
   npm install
   ```

### Running the Server

1. Start the server:

   ```bash
   npm start
   ```

   The server will listen for MCP requests via standard input/output.

### Usage

To use the server, send MCP requests from a compatible client. Here are example requests for each tool:

* **Get CVE summary (Markdown format):**

  ```json
  {
    "tool_name": "summarize-cve",
    "input": {
      "cveId": "CVE-2024-53907"
    }
  }
  ```

* **Get CVE summary (HTML format):**

  ```json
  {
    "tool_name": "get-cve-summary-html",
    "input": {
      "cveId": "CVE-2024-53907"
    }
  }
  ```

### CVE ID Format

The server accepts CVE IDs in the standard format: `CVE-YYYY-NNNNN`

Examples:

* `CVE-2024-53907`
* `CVE-2023-12345`
* `CVE-2022-67890`

Refer to the MCP client documentation for instructions on sending requests and handling responses.

## Response Formats

### Markdown Summary

The `summarize-cve` tool provides comprehensive information in markdown format including:

* **Title**: Full CVE title and description
* **Tracking ID**: Internal Red Hat tracking identifier
* **Severity**: CVSS v3 severity rating
* **Notes**: Detailed vulnerability description and context
* **Affected Products**: List of impacted Red Hat products and versions
* **References**: Links to security advisories and additional resources

### HTML Summary

The `get-cve-summary-html` tool generates a rich, styled HTML card featuring:

* **Color-coded severity indicators**:
  - Critical: Red background
  - Important: Orange background
  - Moderate: Yellow background
  - Low: Blue background
* **Structured product listings**
* **Formatted remediation steps**
* **Clickable reference links**
* **Professional card-style presentation**

## Severity Levels

The server recognizes the following CVSS v3 severity levels:

* **Critical**: Immediate action required
* **Important**: High priority patching needed
* **Moderate**: Standard patching timeline
* **Low**: Lower priority, patch when convenient

## Supported CVE Years

The server can retrieve CVE information for any year that Red Hat has published CSAF data, typically covering:

* Current year vulnerabilities
* Historical CVEs from previous years
* All Red Hat product security advisories

## Error Handling

The server provides meaningful error messages for:

* **Invalid CVE format**: Guidance on proper CVE ID formatting
* **CVE not found**: Information when a CVE doesn't exist in Red Hat's feed
* **Network issues**: Helpful messages for connectivity problems
* **Malformed responses**: Graceful handling of API response issues

## Security Context

This server provides access to public CVE information and does not require authentication. All CVE data retrieved is publicly available security information that Red Hat publishes as part of their commitment to transparency and security.
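
The Data Source, CVE ID Format and Error Handling sections together imply three checks: validate the ID before it is interpolated into the feed URL, reject malformed feed responses, and keep only web links for the clickable references. The sketch below is an added example, not code from this package; the function names `cveFeedUrl`, `isWebLink` and `summarizeCsaf` are hypothetical, the sample document is constructed, and the field names follow the CSAF 2.0 schema.

```javascript
// Added example, not the package's code; function names are hypothetical.
const FEED_BASE = "https://security.access.redhat.com/data/csaf/v2/vex";
// Strict whole-string match, so nothing but digits reaches the URL path.
const CVE_ID = /^CVE-(\d{4})-(\d{4,})$/;

function cveFeedUrl(cveId) {
  const m = typeof cveId === "string" ? CVE_ID.exec(cveId) : null;
  if (!m) throw new Error("Invalid CVE format, expected CVE-YYYY-NNNNN");
  const [, year, number] = m;
  return `${FEED_BASE}/${year}/cve-${year}-${number}.json`;
}

// Only http(s) links are safe to render as clickable references.
function isWebLink(value) {
  try {
    return ["https:", "http:"].includes(new URL(value).protocol);
  } catch {
    return false;
  }
}

function summarizeCsaf(doc) {
  const d = doc && doc.document;
  if (!d || typeof d.title !== "string" || !d.tracking) {
    throw new Error("Malformed response: missing CSAF document fields");
  }
  const vulns = Array.isArray(doc.vulnerabilities) ? doc.vulnerabilities : [];
  const products = vulns.flatMap((v) => v?.product_status?.known_affected ?? []);
  const refs = Array.isArray(d.references) ? d.references : [];
  return {
    title: d.title,
    trackingId: String(d.tracking.id),
    severity: d.aggregate_severity?.text ?? "Unknown",
    products: [...new Set(products)], // de-duplicate product IDs
    references: refs.map((r) => r && r.url).filter(isWebLink),
  };
}

// Constructed sample, not real feed data.
const SAMPLE = {
  document: {
    title: "constructed example flaw",
    tracking: { id: "CVE-2024-53907" },
    aggregate_severity: { text: "Moderate" },
    references: [{ url: "https://example.com/advisory" }, { url: "javascript:void(0)" }],
  },
  vulnerabilities: [{ product_status: { known_affected: ["example-product-1", "example-product-1"] } }],
};
```

`summarizeCsaf(SAMPLE)` returns one de-duplicated product and one reference, because the non-web link is dropped.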