UNPKG

mcp-cve-intelligence-server-lite-test

Version:

Lite Model Context Protocol server for comprehensive CVE intelligence gathering with multi-source exploit discovery, designed for security professionals and cybersecurity researchers - Alpha Release

github.com/gnlds/mcp-cve-intelligence-server

gnlds/mcp-cve-intelligence-server

276 lines 10.3 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
import { createContextLogger } from '../utils/logger.js'; import { getExploitIndicators } from '../utils/validation.js'; import { VERSION, PACKAGE_NAME } from '../version.js'; const logger = createContextLogger('SourceBase'); // Abstract base class for all CVE source implementations // // Custom Authentication: // To implement custom authentication (like MITRE's multi-header system): // 1. Override the getAuthHeaders() method in your source implementation // 2. Return appropriate headers based on your authentication scheme // 3. Configuration fields like authHeaderType and authHeaderName are not needed // when completely overriding the authentication method // // Standard Authentication Types (handled by base class): // - 'apiKey': Simple API key in custom header // - 'bearer': Bearer token in Authorization header // - 'token': Token with 'token' prefix in Authorization header // - 'none': No authentication // export class BaseCVESourceImplementation { // Standard User-Agent for all CVE sources static USER_AGENT = `${PACKAGE_NAME}/${VERSION}`; config; apiKey; constructor(config, apiKey) { this.config = config; this.apiKey = apiKey; } // Validation methods - can be overridden by concrete implementations /** * Validates the source configuration * Default implementation checks basic requirements */ validateConfig() { const errors = []; const warnings = []; // Basic validation that applies to all sources if (!this.config.baseUrl) { errors.push(`Source ${this.config.name}: missing baseUrl`); } if (!this.config.endpoints) { errors.push(`Source ${this.config.name}: missing endpoints`); } if (this.config.priority === undefined || this.config.priority < 0) { errors.push(`Source ${this.config.name}: invalid priority`); } // Check if enabled source has required endpoints if (this.config.enabled) { if (!this.config.endpoints?.search && !this.config.endpoints?.details) { warnings.push(`Source ${this.config.name}: enabled but missing both search and details endpoints`); } } // Allow concrete implementations to add their own validation const specificValidation = this.validateSourceSpecificConfig(); errors.push(...specificValidation.errors); warnings.push(...specificValidation.warnings); return { isValid: errors.length === 0, errors, warnings, }; } /** * Validates API key configuration for this source * Default implementation provides basic API key checks */ validateApiKey() { const errors = []; const warnings = []; // Check if API key is required but missing if (this.config.apiKeyRequired && !this.apiKey) { warnings.push(`Source ${this.config.name}: requires API key but none configured (will use rate-limited access)`); } // Allow concrete implementations to add their own API key validation const specificValidation = this.validateSourceSpecificApiKey(); errors.push(...specificValidation.errors); warnings.push(...specificValidation.warnings); return { isValid: errors.length === 0, errors, warnings, }; } /** * Override this method in concrete implementations for source-specific configuration validation */ validateSourceSpecificConfig() { return { isValid: true, errors: [], warnings: [] }; } /** * Override this method in concrete implementations for source-specific API key validation */ validateSourceSpecificApiKey() { return { isValid: true, errors: [], warnings: [] }; } /** * Gets the expected API key environment variable name for this source * Override in concrete implementations to specify the correct env var */ getApiKeyEnvironmentVariable() { return undefined; } /** * Gets alternative environment variable names that might contain the API key * Override in concrete implementations to specify alternative env vars */ getAlternativeApiKeyEnvironmentVariables() { return []; } /** * Determines if this source can use the provided API key * Override in concrete implementations for source-specific key validation */ canUseApiKey(apiKey) { return !!apiKey; } /** * Gets the source-specific identifier used for API key mapping * Override in concrete implementations to specify the correct identifier */ getApiKeyIdentifier() { return this.config.name.toLowerCase(); } /** * Determines if this source matches the given source name/identifier * Used for API key resolution from external mappings */ matchesSourceIdentifier(identifier) { const lowerIdentifier = identifier.toLowerCase(); const sourceName = this.config.name.toLowerCase(); // Default matching logic - override in concrete implementations for more specific matching return lowerIdentifier === sourceName || lowerIdentifier === this.getApiKeyIdentifier(); } /** * Performs comprehensive validation of the source */ validateFull() { const allErrors = []; const allWarnings = []; // Run all validation checks const configValidation = this.validateConfig(); const apiKeyValidation = this.validateApiKey(); allErrors.push(...configValidation.errors, ...apiKeyValidation.errors); allWarnings.push(...configValidation.warnings, ...apiKeyValidation.warnings); return { isValid: allErrors.length === 0, errors: allErrors, warnings: allWarnings, }; } // Default implementation for connection testing (can be overridden) async testConnection() { try { const response = await fetch(this.getBaseUrl(), { method: 'HEAD', signal: AbortSignal.timeout(5000), }); return response.ok; } catch { return false; } } // Helper methods available to all implementations getBaseUrl() { return this.config.baseUrl; } getTimeout() { return this.config.requestTimeout || 5000; } /** * Gets authentication headers for API requests. * Override this method in concrete implementations for custom authentication schemes. * * @returns Record of header name to header value */ getAuthHeaders() { const headers = {}; // No authentication required if (!this.config.authHeaderType || this.config.authHeaderType === 'none') { return headers; } // Standard single-header authentication types if (!this.apiKey) { logger.debug(`No API key available for ${this.config.name}`); return headers; } if (!this.config.authHeaderName) { const warnMsg = `Auth header name not specified for ${this.config.name} ` + `with auth type ${this.config.authHeaderType}`; logger.warn(warnMsg); return headers; } switch (this.config.authHeaderType) { case 'apiKey': headers[this.config.authHeaderName] = this.apiKey; break; case 'bearer': headers[this.config.authHeaderName] = `Bearer ${this.apiKey}`; break; case 'token': headers[this.config.authHeaderName] = `token ${this.apiKey}`; break; default: logger.warn(`Unknown auth header type: ${this.config.authHeaderType}`); } return headers; } /** * Public method to get authentication headers for external use (e.g., SourceManager) * This method delegates to the protected getAuthHeaders() method that can be overridden by subclasses * * @returns Record of header name to header value */ getRequestAuthHeaders() { return this.getAuthHeaders(); } /** * Gets the standard User-Agent string for all CVE sources */ getUserAgent() { return BaseCVESourceImplementation.USER_AGENT; } // Get source configuration getConfig() { return this.config; } // Configuration getters for convenience getName() { return this.config.name; } isEnabled() { return this.config.enabled; } getPriority() { return this.config.priority; } getFeatures() { return this.config.features || []; } // Check if source supports a specific feature supportsFeature(feature) { return this.config.features?.includes(feature) || false; } // Alias for supportsFeature for backward compatibility hasFeature(feature) { return this.supportsFeature(feature); } /** * Calculate exploit indicators for a CVE based on its references * This method should be called during CVE normalization */ calculateExploitIndicators(references) { if (!references || references.length === 0) { return { hasExploitIndicators: false, indicators: [], calculatedAt: new Date().toISOString(), }; } const indicators = []; const exploitIndicators = getExploitIndicators(); for (const ref of references) { for (const [source, pattern] of Object.entries(exploitIndicators)) { if (pattern.test(ref.url)) { indicators.push({ source, type: source === 'metasploit' ? 'metasploit' : 'exploit', url: ref.url, title: `${source} reference`, verified: false, }); } } } return { hasExploitIndicators: indicators.length > 0, indicators, calculatedAt: new Date().toISOString(), }; } } //# sourceMappingURL=base.js.map