Pipe CLI output to jq
vulncheck index list ipintel-3d | jq
Parse all objects in the VulnCheck response
vulncheck index list ipintel-3d | jq '.[]'
Parse the first object in the VulnCheck response
vulncheck index list ipintel-3d | jq '.[0]'
Find the objects of type initial-access
vulncheck index list ipintel-3d | jq '.[] | select(.type.id == "initial-access")'
How many findings are of type initial-access?
vulncheck index list ipintel-3d | jq '[.[] | select(.type.id == "initial-access")] | length'
Search for the finding with a specific IP address and port
vulncheck index list ipintel-3d | jq '.[] | select(.port == 9443 and .ip == "217.171.231.74")'
Search for findings by CVE
vulncheck index list ipintel-3d | jq '.[] | select(.cve[] == "CVE-2022-40684")'
CVSS base scores with source from vulncheck-nvd2
vulncheck index list vulncheck-nvd2 --cve CVE-2024-3400 | jq -r '.[].metrics.cvssMetricV31[] | "\(.source): \(.cvssData.baseScore)"'
CWEs from vulncheck-nvd2 with source as JSON
vulncheck index list nist-nvd2 --cve CVE-2024-3400 | jq '.[] | {id,
weaknesses: [.weaknesses[] as $w
| {source: $w.source,
type: $w.type,
cwes: ($w.description[]
| select(.lang=="en" and (.value|startswith("CWE-")))
| .value) } ]
}'
The last 10 days of recent VulnCheck KEVs
vulncheck index list vulncheck-kev | jq --argjson now "$(date +%s)" '
map(select(
(.date_added | fromdateiso8601) > ($now - (10 * 24 * 60 * 60))
)
| {
cve: .cve,
date_added: .date_added,
vendorProject: .vendorProject,
product: .product
}
)
'
.[] | .cve
.[] | {cve: .cve, description: .shortDescription}
.[] | ._timestamp
.[] | .public_exploit_found
.[] | .exploits
.[] | .weaponized_exploit_found
.[] | .reported_exploited_by_threat_actors
.[] | select(.reported_exploited_by_threat_actors and .weaponized_exploit_found) | .id
.[] | select(.reported_exploited_by_threat_actors and .weaponized_exploit_found)
.[] | .reported_exploited_by_ransomware
.[] | .counts.exploits
.[] | .counts.threat_actors
.[] | .counts.botnets
.[] | select(.counts.botnets > 5) | .id
.[] | .timeline.first_exploit_published
.[] | select(.timeline.vulncheck_kev_date_added == "2024-10-11T00:00:00Z") | .id
.[] | select(.public_exploit_found == true) | .id
.[] | .max_exploit_maturity
.[] | select(.trending.github) | .id
.[] | .botnet_name
.[] | .reported_exploited_by_threat_actors
.[] | .counts.ransomware_families
.[] | .timeline.most_recent_exploit_reported
.[] | select(.weaponized_exploit_found and .inKEV) | .id
.[] | select(.timeline.vulncheck_kev_date_added >= "2024-10-10T00:00:00Z" and .timeline.vulncheck_kev_date_added <= "2024-10-12T23:59:59Z") | .id
.[] | .trending.github
.[] | select(.epss.epss_score > 0.01 and .reported_exploited_by_threat_actors)
.[] | select(.weaponized_exploit_found and .public_exploit_found) | .id
.[] | .commercial_exploit_found
.[] | select(.epss.epss_score > 0.6 and .weaponized_exploit_found) | .id
.[] | .shortDescription
.[] | .reported_exploitation[]?.url
.[] | select(.timeline.first_exploit_published < "2024-10-15T00:00:00Z") | .id
.[] | .inKEV
.[] | .reported_exploited_by_botnets
.[] | select(.reported_exploited_by_ransomware and .public_exploit_found == false) | .id
.[] | .required_action
.[] | select(.dueDate < "2024-11-01T00:00:00Z") | .cve
.[] | select(.timeline.first_exploit_published < "2024-10-01T00:00:00Z") | .id
.[] | select(.public_exploit_found and .weaponized_exploit_found and .timeline.first_exploit_published > "2024-10-01T00:00:00Z") | .id
.[] | .counts.public_exploits
.[] | select(.reported_exploited_by_threat_actors and .trending.github) | .id
.[]
.[] | select(.timeline.vulncheck_kev_date_added > "2024-10-01T00:00:00Z") | .id
.[] | select(.technique_id.tactics | index("inhibit-response-function")) | .cve_list
[.[] | select(.timeline.vulncheck_kev_date_added | startswith("2024"))? | .id] | length
.[] | select(.risk_score == "high") | .id
.[] | select(.trending.last_week == true) | .id
.[] | select(.reported_exploited_by_threat_actors == true) | .id
.[] | select(.technique_id.tactics | index("lateral-movement")) | ( .cve_list | .[] | select(startswith("CVE-2023")) )
[.[] | select(.inKEV == true) | .epss.epss_score ] | add / length
.[] | select(.technique_id.tactics | index("privilege-escalation")) | .cve_list
.[] | .reported_exploitation | sort_by(.date_added) | .[0] | .date_added
.[] | select(.epss.epss_score > 0.2 and .trending.github == true) | .id
.[] | select(.timeline.vulncheck_kev_date_added < "2024-10-16" and .timeline.vulncheck_kev_date_added >= "2024-10-15") | .id
.[] | select(.counts.threat_actors > 2) | .id
.[] | .dueDate
.[] | .exploits[]? | .url | select(startswith("https://github.com"))?
.[] | select(.public_exploit_found == true and .inKEV == false) | .id
.[] | select(.max_exploit_maturity == "poc" and .epss.epss_percentile < 0.1)
.[] | select(.severity == "high" and .reported_exploited_by_ransomware == true and (.timeline.first_exploit_published | startswith("2024")?)) | .id
.[] | select(.counts.ransomware_families >= 3) | .id
.[] | select(.timeline.vulncheck_kev_date_added >= "2024-09-01T00:00:00Z" and .timeline.vulncheck_kev_date_added <= "2024-09-30T23:59:59Z") | .id
.[] | .remediation
.[] | select(.risk_score == "low" and .weaponized_exploit_found == true) | .id
.[] | select(.reported_exploited_by_ransomware)
.[] | select(.public_exploit_found) | select(.. | ascii_downcase? | contains("sql injection")?)
.[] | select(.counts.threat_actors > 5) | length
.[] | .timeline
.[] | .timeline.last_exploit_published
.[] | select(.weaponized_exploit_found) | .id
.[] | .required_action
.[] | select(.. | ascii_downcase? | contains("watering hole")?) | .id
.[] | select(.counts.threat_actors > 10) | .id
.[] | .exploits | .[] | .url
.[] | select(.weaponized_exploit_found and (.. | ascii_downcase? | contains("phishing")?)) | .id
.[] | select(.public_exploit_found == true and .weaponized_exploit_found == false) | .id
.[] | select(.public_exploit_found) | .id
Vulnerability Score Examples (CVSS/EPSS)
.[] | .cvss_score
.[] | .epss.epss_score
.[] | .epss.epss_percentile
.[] | select(.epss.epss_score < 0.01) | .id
.[] | select(.inKEV == true and .epss.epss_score < 0.1) | .id
.[] | select(.epss.epss_percentile > 0.5 and .public_exploit_found == true)
.[] | {cve: .id, cvss_score: .cvss_score, epss_score: .epss.epss_score}
.[] | select(.epss.epss_score > 0.8 and .trending.github == true) | .id
.[] | select(.epss.epss_score > 0.9 and .public_exploit_found == true) | .id
.[] | select(.epss.epss_percentile >= 0.3 and .epss.epss_percentile <= 0.6 and .reported_exploited_by_ransomware == true) | .id