CLI JQ Commands

A list of example jq commands that can be used with the VulnCheck CLI. Each command lists an index and pipes the JSON array it returns into jq; the index named on the command line (ipintel-3d, vulncheck-nvd2, nist-nvd2, vulncheck-kev, ...) determines which fields the records carry.

JQ Example Commands

Pipe CLI output to jq

vulncheck index list ipintel-3d | jq

Parse all objects in the VulnCheck response

vulncheck index list ipintel-3d | jq '.[]'

Parse the first object in the VulnCheck response

vulncheck index list ipintel-3d | jq '.[0]'

Find the objects of type initial-access

vulncheck index list ipintel-3d | jq '.[] | select(.type.id == "initial-access")'

How many findings were of type initial-access

vulncheck index list ipintel-3d | jq '[.[] | select(.type.id == "initial-access")] | length'

Search for the finding with a specific ip address and port

vulncheck index list ipintel-3d | jq '.[] | select(.port == 9443 and .ip == "217.171.231.74")'

Search for findings by CVE

vulncheck index list ipintel-3d | jq '.[] | select(.cve[] == "CVE-2022-40684")'
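The type and CVE filters above generalised, as an added example that is not part of the VulnCheck documentation or CLI: a single group_by pass that counts every type.id instead of one select per type, and a CVE match that tolerates a null or missing cve field and emits each record once (a bare `.cve[]` aborts the whole pipeline with "Cannot iterate over null" and re-emits a record for every duplicate entry). The input is a constructed array in the shape of the ipintel-3d records above (ip, port, type.id, cve); the addresses are RFC 5737 documentation ranges and the type id "c2" is a placeholder. Replace the printf with `vulncheck index list ipintel-3d` to run the same filters against the live index.

```shell
#!/bin/sh
# Constructed sample in the shape of ipintel-3d records (ip, port, type.id, cve).
# Addresses are RFC 5737 documentation ranges; "c2" is a placeholder type id.
SAMPLE_IPINTEL='[
  {"ip":"203.0.113.10","port":443,"type":{"id":"initial-access"},"cve":["CVE-2022-40684"]},
  {"ip":"203.0.113.11","port":9443,"type":{"id":"initial-access"},"cve":["CVE-2022-40684","CVE-2024-3400"]},
  {"ip":"203.0.113.12","port":443,"type":{"id":"initial-access"},"cve":["CVE-2024-3400"]},
  {"ip":"198.51.100.5","port":22,"type":{"id":"c2"},"cve":null}
]'

# Count records per type.id in one pass. group_by sorts by the key, so
# re-sort by count to get the busiest type first.
count_by_type() {
  printf '%s' "$SAMPLE_IPINTEL" | jq -c '
    group_by(.type.id)
    | map({type: .[0].type.id, count: length})
    | sort_by(.count) | reverse'
}

# Records that reference the CVE given as $1, one line per record.
# .cve[]? swallows the "Cannot iterate over null" error a bare .cve[] raises,
# and any/2 yields a single true even if the CVE is listed more than once.
find_by_cve() {
  printf '%s' "$SAMPLE_IPINTEL" | jq -c --arg cve "$1" '
    .[] | select(any(.cve[]?; . == $cve)) | {ip, port}'
}

count_by_type
find_by_cve CVE-2022-40684
```

On the sample, count_by_type prints one array with initial-access at 3 and c2 at 1, and find_by_cve prints the two ip/port pairs that carry CVE-2022-40684; the record with a null cve list is skipped rather than crashing the run.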

CVSS base scores with source from vulncheck-nvd2

vulncheck index list vulncheck-nvd2 --cve CVE-2024-3400 | jq -r '.[].metrics.cvssMetricV31[] | "\(.source): \(.cvssData.baseScore)"'

CWEs from nist-nvd2 with source as JSON (the weaknesses array has the same NVD 2.0 layout in vulncheck-nvd2, so the filter works against either index). The cwes value is wrapped in [...] so that a weakness entry with several CWE descriptions yields one object with a list, not one object per CWE:

vulncheck index list nist-nvd2 --cve CVE-2024-3400 | jq '.[] | {id,
           weaknesses: [.weaknesses[] as $w
                        | {source: $w.source,
                           type: $w.type,
                           cwes: [$w.description[]
                                  | select(.lang=="en" and (.value|startswith("CWE-")))
                                  | .value] } ]
          }'

The last 10 days of recent VulnCheck KEVs (fromdateiso8601 only accepts dates of the exact form YYYY-MM-DDTHH:MM:SSZ and aborts the whole run on anything else)

vulncheck index list vulncheck-kev | jq --argjson now "$(date +%s)" '
  map(select(
    (.date_added | fromdateiso8601) > ($now - (10 * 24 * 60 * 60))
  )
    | {
        cve: .cve,
        date_added: .date_added,
        vendorProject: .vendorProject,
        product: .product
      }
)
'
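The same date-window query as a reusable shell function, added here as an example that is not part of the VulnCheck documentation or CLI. It takes the window in days and "now" as epoch seconds as arguments (pass "$(date +%s)" for the real clock; the demo pins it so the output is reproducible), normalises fractional seconds before calling fromdateiso8601, and sorts newest first. The input is a constructed array in the shape of the vulncheck-kev records used above (cve, date_added, vendorProject, product): the date_added values are made up, the CVE-0000-* ids and their vendor/product names are placeholders, and only the two real CVE ids and their vendor/product pairs are genuine.

```shell
#!/bin/sh
# Constructed KEV-shaped records (cve, date_added, vendorProject, product).
# Dates are made up for the example; CVE-0000-* ids and "Example" are placeholders.
SAMPLE_KEV='[
  {"cve":"CVE-2022-40684","date_added":"2024-10-11T00:00:00Z","vendorProject":"Fortinet","product":"FortiOS"},
  {"cve":"CVE-2024-3400","date_added":"2024-10-15T12:30:00.123Z","vendorProject":"Palo Alto Networks","product":"PAN-OS"},
  {"cve":"CVE-0000-0001","date_added":"2024-10-06T00:00:00Z","vendorProject":"Example","product":"Example Appliance"},
  {"cve":"CVE-0000-0002","date_added":"2024-10-01T00:00:00Z","vendorProject":"Example","product":"Example Gateway"}
]'

# Entries added in the last $1 days, newest first.
# $2 is "now" as epoch seconds; pass "$(date +%s)" for the real clock.
# fromdateiso8601 only parses YYYY-MM-DDTHH:MM:SSZ and aborts the whole run on
# anything else, so fractional seconds are stripped first. The cut-off is
# exclusive: an entry added exactly $1 days ago is not included.
kev_added_since() {
  printf '%s' "$SAMPLE_KEV" | jq -c --argjson days "$1" --argjson now "$2" '
    def epoch: sub("\\.[0-9]+Z$"; "Z") | fromdateiso8601;
    map(select((.date_added | epoch) > ($now - ($days * 86400))))
    | sort_by(.date_added) | reverse
    | map({cve, date_added, vendorProject, product})'
}

# Pinned "now" of 2024-10-16T00:00:00Z so the demo output is stable.
kev_added_since 10 1729036800
```

With the pinned clock the 10-day window returns CVE-2024-3400 and then CVE-2022-40684; CVE-0000-0001 sits exactly on the cut-off and is excluded, and the record with fractional seconds parses instead of aborting the pipeline. Replace the printf with `vulncheck index list vulncheck-kev` to run it against the live index.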

Additional JQ Attributes

The filters below are bare jq programs to paste into vulncheck index list <index> | jq '...'. They reference fields from more than one index (for example .cve, .shortDescription and .dueDate on KEV entries; .id, .counts, .timeline and .epss on exploit-intelligence entries; .technique_id and .cve_list on entries that carry MITRE technique data), so run jq '.[0] | keys' against the index you are querying to confirm a field exists before filtering on it. A comparison against a missing field evaluates to null and matches nothing, while string functions such as startswith error on null unless guarded with ?.

.[] | .cve
.[] | {cve: .cve, description: .shortDescription}
.[] | ._timestamp
.[] | .public_exploit_found
.[] | .exploits
.[] | .weaponized_exploit_found
.[] | .reported_exploited_by_threat_actors
.[] | select(.reported_exploited_by_threat_actors and .weaponized_exploit_found) | .id
.[] | select(.reported_exploited_by_threat_actors and .weaponized_exploit_found)
.[] | .reported_exploited_by_ransomware
.[] | .counts.exploits
.[] | .counts.threat_actors
.[] | .counts.botnets
.[] | select(.counts.botnets > 5) | .id
.[] | .timeline.first_exploit_published
.[] | select(.timeline.vulncheck_kev_date_added == "2024-10-11T00:00:00Z") | .id
.[] | select(.public_exploit_found == true) | .id
.[] | .max_exploit_maturity
.[] | select(.trending.github) | .id
.[] | .botnet_name
.[] | .counts.ransomware_families
.[] | .timeline.most_recent_exploit_reported
.[] | select(.weaponized_exploit_found and .inKEV) | .id
.[] | select(.timeline.vulncheck_kev_date_added >= "2024-10-10T00:00:00Z" and .timeline.vulncheck_kev_date_added <= "2024-10-12T23:59:59Z") | .id
.[] | .trending.github
.[] | select(.epss.epss_score > 0.01 and .reported_exploited_by_threat_actors)
.[] | select(.weaponized_exploit_found and .public_exploit_found) | .id
.[] | .commercial_exploit_found
.[] | select(.epss.epss_score > 0.6 and .weaponized_exploit_found) | .id
.[] | .shortDescription
.[] | .reported_exploitation[]?.url
.[] | select(.timeline.first_exploit_published < "2024-10-15T00:00:00Z") | .id
.[] | .inKEV
.[] | .reported_exploited_by_botnets
.[] | select(.reported_exploited_by_ransomware and .public_exploit_found == false) | .id
.[] | .required_action
.[] | select(.dueDate < "2024-11-01T00:00:00Z") | .cve
.[] | select(.timeline.first_exploit_published < "2024-10-01T00:00:00Z") | .id
.[] | select(.public_exploit_found and .weaponized_exploit_found and .timeline.first_exploit_published > "2024-10-01T00:00:00Z") | .id
.[] | .counts.public_exploits
.[] | select(.reported_exploited_by_threat_actors and .trending.github) | .id
.[] | select(.timeline.vulncheck_kev_date_added > "2024-10-01T00:00:00Z") | .id
.[] | select(.technique_id.tactics | index("inhibit-response-function")) | .cve_list
[.[] | select(.timeline.vulncheck_kev_date_added | startswith("2024")?) | .id] | length
.[] | select(.risk_score == "high") | .id
.[] | select(.trending.last_week == true) | .id
.[] | select(.reported_exploited_by_threat_actors == true) | .id
.[] | select(.technique_id.tactics | index("lateral-movement")) | ( .cve_list | .[] | select(startswith("CVE-2023")) )
[.[] | select(.inKEV == true) | .epss.epss_score | numbers] | add / length
.[] | select(.technique_id.tactics | index("privilege-escalation")) | .cve_list
.[] | .reported_exploitation | sort_by(.date_added) | .[0] | .date_added
.[] | select(.epss.epss_score > 0.2 and .trending.github == true) | .id
.[] | select(.timeline.vulncheck_kev_date_added < "2024-10-16" and .timeline.vulncheck_kev_date_added >= "2024-10-15") | .id
.[] | select(.counts.threat_actors > 2) | .id
.[] | .dueDate
.[] | .exploits[]? | .url | select(startswith("https://github.com"))?
.[] | select(.public_exploit_found == true and .inKEV == false) | .id
.[] | select(.max_exploit_maturity == "poc" and .epss.epss_percentile < 0.1)
.[] | select(.severity == "high" and .reported_exploited_by_ransomware == true and (.timeline.first_exploit_published | startswith("2024")?)) | .id
.[] | select(.counts.ransomware_families >= 3) | .id
.[] | select(.timeline.vulncheck_kev_date_added >= "2024-09-01T00:00:00Z" and .timeline.vulncheck_kev_date_added <= "2024-09-30T23:59:59Z") | .id
.[] | .remediation
.[] | select(.risk_score == "low" and .weaponized_exploit_found == true) | .id
.[] | select(.reported_exploited_by_ransomware)
.[] | select(.public_exploit_found) | select(any(.. | strings; ascii_downcase | contains("sql injection")))
[.[] | select(.counts.threat_actors > 5)] | length
.[] | .timeline
.[] | .timeline.last_exploit_published
.[] | select(.weaponized_exploit_found) | .id
.[] | select(any(.. | strings; ascii_downcase | contains("watering hole"))) | .id
.[] | select(.counts.threat_actors > 10) | .id
.[] | .exploits | .[] | .url
.[] | select(.weaponized_exploit_found and any(.. | strings; ascii_downcase | contains("phishing"))) | .id
.[] | select(.public_exploit_found == true and .weaponized_exploit_found == false) | .id
.[] | select(.public_exploit_found) | .id

Vulnerability Score Examples (CVSS/EPSS)

.[] | .cvss_score
.[] | .epss.epss_score
.[] | .epss.epss_percentile
.[] | select(.epss.epss_score < 0.01) | .id
.[] | select(.inKEV == true and .epss.epss_score < 0.1) | .id
.[] | select(.epss.epss_percentile > 0.5 and .public_exploit_found == true)
.[] | {cve: .id, cvss_score: .cvss_score, epss_score: .epss.epss_score}
.[] | select(.epss.epss_score > 0.8 and .trending.github == true) | .id
.[] | select(.epss.epss_score > 0.9 and .public_exploit_found == true) | .id
.[] | select(.epss.epss_percentile >= 0.3 and .epss.epss_percentile <= 0.6 and .reported_exploited_by_ransomware == true) | .id
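Two of the filter patterns in the lists above have failure modes that are easy to miss on real data, shown here side by side with a corrected form as an added example that is not part of the VulnCheck documentation or CLI. The free-text search written as select(.. | ascii_downcase? | contains(...)?) re-emits a record once for every string in it that matches, so a record whose description and exploit name both mention the term prints twice; any/2 makes one decision per record. The mean EPSS written as add / length counts records whose score is null (null + x is x in jq, so add ignores them but length does not) and silently drags the average down; filtering with numbers fixes that. The input is a constructed array using the field names from the lists (id, inKEV, public_exploit_found, counts, epss, shortDescription, exploits); scores, descriptions and the exploit URL are made up, and the CVE-0000-* ids are placeholders.

```shell
#!/bin/sh
# Constructed exploit-intelligence-shaped records using the field names from the
# lists above. Scores, descriptions and URLs are made up; CVE-0000-* are placeholders.
SAMPLE_XI='[
  {"id":"CVE-2022-40684","inKEV":true,"public_exploit_found":true,"weaponized_exploit_found":true,
   "counts":{"threat_actors":3},"epss":{"epss_score":0.97},
   "shortDescription":"Authentication bypass on the FortiOS administrative interface"},
  {"id":"CVE-0000-0002","inKEV":true,"public_exploit_found":false,"weaponized_exploit_found":false,
   "counts":{"threat_actors":0},"epss":null,
   "shortDescription":"SQL injection in the example admin panel"},
  {"id":"CVE-0000-0003","inKEV":false,"public_exploit_found":true,"weaponized_exploit_found":false,
   "counts":{"threat_actors":1},"epss":{"epss_score":0.05},
   "shortDescription":"SQL Injection in the example reporting module",
   "exploits":[{"url":"https://github.com/example/poc","name":"SQL injection PoC"}]}
]'

# Free-text search as written in the list: select/1 re-emits the record for
# every matching string, so CVE-0000-0003 (two matching strings) prints twice.
naive_search_text() {
  printf '%s' "$SAMPLE_XI" | jq -r --arg q "$1" '
    .[] | select(.. | ascii_downcase? | contains($q)?) | .id'
}

# Same search with any/2: one decision per record. `strings` replaces the two
# try-operators, so a typo in the filter is no longer swallowed as an error.
search_text() {
  printf '%s' "$SAMPLE_XI" | jq -r --arg q "$1" '
    ($q | ascii_downcase) as $needle
    | .[] | select(any(.. | strings; ascii_downcase | contains($needle))) | .id'
}

# Mean EPSS of KEV entries as written in the list. null + x == x in jq, so the
# record with epss null is ignored by add but still counted by length.
naive_avg_epss_in_kev() {
  printf '%s' "$SAMPLE_XI" | jq '
    [.[] | select(.inKEV == true) | .epss.epss_score] | add / length'
}

# Drop non-numeric scores before averaging and avoid dividing by zero.
avg_epss_in_kev() {
  printf '%s' "$SAMPLE_XI" | jq '
    [.[] | select(.inKEV == true) | .epss.epss_score | numbers]
    | if length == 0 then null else add / length end'
}

search_text "sql injection"
avg_epss_in_kev
```

On the sample, naive_search_text prints three ids for two matching records while search_text prints each of the two once, and the naive mean comes out below 0.5 although the only KEV entry with a score has 0.97. Replace the printf with the vulncheck index list command for the index you are querying to run the corrected filters live.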