Spaces:

HimanshuGoyal2004
/

github-mcp-server

Running

App Files Files Community

HimanshuGoyal2004 commited on Oct 10, 2025

Commit

bd09aae

1 Parent(s): fbc9b21

nvd dataset

Browse files

Files changed (1) hide show

app.py +247 -6

app.py CHANGED Viewed

@@ -219,7 +219,7 @@ Summary: {summary}
                 result += f"- **CWE Code**: {metadata.get('cwe_code', 'Unknown')}\n"
                 result += f"- **CWE Name**: {metadata.get('cwe_name', 'Unknown')}\n"
                 result += f"- **CVSS Score**: {metadata.get('cvss', 'N/A')}\n"
                 # Extract summary from content
                 content_lines = doc.page_content.split('\n')
                 summary_line = next((line for line in content_lines if line.startswith('Summary:')), '')
@@ -242,6 +242,218 @@ Summary: {summary}
         except Exception as e:
             return f"❌ Error retrieving CVE information: {str(e)}"
 # Initialize the GitHub MCP server
 github_server = GitHubMCPServer()
@@ -293,20 +505,49 @@ demo = gr.TabbedInterface(
             title="Search CVE Database",
             description="Search the CVE knowledge base for vulnerability patterns and CWE information",
             api_name="search_cve_database"
         )
     ],
     [
         "Repository Info",
         "File Content",
         "Repository Scanner",
-        "CVE Database"
     ],
-    title="🐙 GitHub MCP Server with CVE Knowledge Base"
 )
 if __name__ == "__main__":
-    print("🚀 Starting GitHub MCP Server with CVE Knowledge Base...")
-    print("📡 Server will provide GitHub repository access and CVE search via MCP")
-    print("🛠️ Available tools: repository info, file content, repository scanner, CVE database search")
     demo.launch(mcp_server=True)

                 result += f"- **CWE Code**: {metadata.get('cwe_code', 'Unknown')}\n"
                 result += f"- **CWE Name**: {metadata.get('cwe_name', 'Unknown')}\n"
                 result += f"- **CVSS Score**: {metadata.get('cvss', 'N/A')}\n"
                 # Extract summary from content
                 content_lines = doc.page_content.split('\n')
                 summary_line = next((line for line in content_lines if line.startswith('Summary:')), '')
         except Exception as e:
             return f"❌ Error retrieving CVE information: {str(e)}"
+    def get_nvd_cve_details(self, cve_id: str) -> str:
+        """
+        Fetches detailed CVE information from NVD (National Vulnerability Database).
+        Args:
+            cve_id: The CVE identifier (e.g., 'CVE-2019-16515')
+        Returns:
+            Formatted string containing detailed CVE information from NVD
+        """
+        try:
+            # Validate and clean CVE ID format
+            cve_id = cve_id.strip().upper()
+            if not cve_id.startswith('CVE-'):
+                return f"❌ Invalid CVE ID format: '{cve_id}'\nCVE ID must start with 'CVE-' (e.g., CVE-2019-16515)"
+            # NVD API endpoint
+            nvd_api_url = "https://services.nvd.nist.gov/rest/json/cves/2.0"
+            nvd_web_url = f"https://nvd.nist.gov/vuln/detail/{cve_id}"
+            # Make request to NVD API
+            params = {"cveId": cve_id}
+            headers = {
+                "User-Agent": "VulnerabilityScanner/1.0 (GitHub Security Analysis Tool)"
+            }
+            print(f"🔍 Fetching NVD details for {cve_id}...")
+            response = requests.get(nvd_api_url, params=params, headers=headers, timeout=15)
+            if response.status_code == 200:
+                data = response.json()
+                # Check if CVE was found
+                if data.get('resultsPerPage', 0) == 0:
+                    return f"⚠️ CVE not found in NVD database: {cve_id}\n\n🔗 **NVD URL**: {nvd_web_url}\n\nNote: The CVE may not yet be published in NVD or the ID might be incorrect."
+                # Extract vulnerability data
+                vuln = data['vulnerabilities'][0]['cve']
+                # Build formatted result
+                result = f"📋 **NVD CVE Details: {cve_id}**\n\n"
+                result += f"🔗 **NVD URL**: {nvd_web_url}\n\n"
+                # Status and dates
+                result += f"**Status**: {vuln.get('vulnStatus', 'N/A')}\n"
+                result += f"**Published**: {vuln.get('published', 'N/A')[:10]}\n"
+                result += f"**Last Modified**: {vuln.get('lastModified', 'N/A')[:10]}\n\n"
+                # Description
+                descriptions = vuln.get('descriptions', [])
+                for desc in descriptions:
+                    if desc.get('lang') == 'en':
+                        result += f"**📝 Description**:\n{desc.get('value', 'N/A')}\n\n"
+                        break
+                # CVSS Scores
+                metrics = vuln.get('metrics', {})
+                # CVSS v3.x (preferred)
+                if 'cvssMetricV31' in metrics or 'cvssMetricV30' in metrics:
+                    cvss_key = 'cvssMetricV31' if 'cvssMetricV31' in metrics else 'cvssMetricV30'
+                    cvss_v3 = metrics[cvss_key][0]['cvssData']
+                    result += f"**🎯 CVSS v3 Score**:\n"
+                    result += f"- **Base Score**: {cvss_v3.get('baseScore', 'N/A')} ({cvss_v3.get('baseSeverity', 'N/A')})\n"
+                    result += f"- **Vector String**: {cvss_v3.get('vectorString', 'N/A')}\n"
+                    result += f"- **Attack Vector**: {cvss_v3.get('attackVector', 'N/A')}\n"
+                    result += f"- **Attack Complexity**: {cvss_v3.get('attackComplexity', 'N/A')}\n"
+                    result += f"- **Privileges Required**: {cvss_v3.get('privilegesRequired', 'N/A')}\n"
+                    result += f"- **User Interaction**: {cvss_v3.get('userInteraction', 'N/A')}\n"
+                    result += f"- **Scope**: {cvss_v3.get('scope', 'N/A')}\n"
+                    result += f"- **Confidentiality Impact**: {cvss_v3.get('confidentialityImpact', 'N/A')}\n"
+                    result += f"- **Integrity Impact**: {cvss_v3.get('integrityImpact', 'N/A')}\n"
+                    result += f"- **Availability Impact**: {cvss_v3.get('availabilityImpact', 'N/A')}\n\n"
+                # CVSS v2 (if available)
+                if 'cvssMetricV2' in metrics:
+                    cvss_v2 = metrics['cvssMetricV2'][0]['cvssData']
+                    result += f"**CVSS v2 Score**:\n"
+                    result += f"- **Base Score**: {cvss_v2.get('baseScore', 'N/A')} ({metrics['cvssMetricV2'][0].get('baseSeverity', 'N/A')})\n"
+                    result += f"- **Vector String**: {cvss_v2.get('vectorString', 'N/A')}\n\n"
+                # CWE (Common Weakness Enumeration)
+                weaknesses = vuln.get('weaknesses', [])
+                if weaknesses:
+                    result += f"**🔍 CWE (Common Weakness Enumeration)**:\n"
+                    cwe_list = []
+                    for weakness in weaknesses:
+                        for desc in weakness.get('description', []):
+                            if desc.get('lang') == 'en':
+                                cwe_list.append(desc.get('value', 'N/A'))
+                    result += f"- {', '.join(set(cwe_list))}\n\n"
+                # References
+                references = vuln.get('references', [])
+                if references:
+                    result += f"**🔗 References** (showing first 5):\n"
+                    for i, ref in enumerate(references[:5], 1):
+                        result += f"{i}. [{ref.get('source', 'Source')}]({ref.get('url', '#')})\n"
+                    if len(references) > 5:
+                        result += f"\n... and {len(references) - 5} more references\n"
+                    result += "\n"
+                result += f"---\n"
+                result += f"💡 **Tip**: Use this CVE information to cross-reference vulnerabilities found in code analysis.\n"
+                return result
+            elif response.status_code == 404:
+                return f"⚠️ CVE not found: {cve_id}\n\n🔗 **NVD URL**: {nvd_web_url}\n\nThe CVE may not exist or may not yet be published in NVD."
+            elif response.status_code == 403:
+                return f"❌ Access denied to NVD API (HTTP 403)\n\nThis might be due to rate limiting. Please try again in a few moments.\n\n🔗 **NVD URL**: {nvd_web_url}"
+            else:
+                return f"❌ NVD API request failed with status {response.status_code}\n\n🔗 **NVD URL**: {nvd_web_url}\n\nYou can view the CVE details directly on the NVD website."
+        except requests.exceptions.Timeout:
+            return f"⏱️ Request to NVD API timed out for {cve_id}\n\nPlease try again or visit: {nvd_web_url}"
+        except requests.exceptions.RequestException as e:
+            return f"❌ Network error while fetching CVE details: {str(e)}\n\n🔗 **NVD URL**: {nvd_web_url}"
+        except Exception as e:
+            return f"❌ Unexpected error fetching NVD details for {cve_id}: {str(e)}\n\n🔗 **NVD URL**: {nvd_web_url}"
+    def search_and_fetch_cve_details(self, query: str, max_nvd_fetches: int = 5) -> str:
+        """
+        Smart combined function: Searches CVE database and automatically fetches NVD details.
+        This function:
+        1. Searches the CVE knowledge base (RAG) for relevant vulnerabilities
+        2. Automatically parses CVE IDs from the results
+        3. Fetches detailed NVD information for top CVEs
+        4. Returns combined results with both RAG data and NVD details
+        Args:
+            query: Vulnerability search query (e.g., "SQL injection", "XSS")
+            max_nvd_fetches: Maximum number of CVEs to fetch NVD details for (default: 5)
+        Returns:
+            Formatted string with RAG results + detailed NVD information
+        """
+        import re
+        import time
+        try:
+            # Step 1: Search CVE database using RAG
+            print(f"🔍 Step 1: Searching CVE knowledge base for '{query}'...")
+            rag_results = self.search_cve_database(query)
+            if "❌" in rag_results or "No relevant CVE information found" in rag_results:
+                return rag_results
+            # Step 2: Parse CVE IDs from RAG results
+            print(f"📋 Step 2: Parsing CVE IDs from results...")
+            cve_pattern = r'CVE-\d{4}-\d{4,7}'
+            cve_ids = re.findall(cve_pattern, rag_results)
+            # Remove duplicates and limit to max_nvd_fetches
+            unique_cve_ids = list(dict.fromkeys(cve_ids))[:max_nvd_fetches]
+            if not unique_cve_ids:
+                return rag_results + "\n\n⚠️ No CVE IDs found in results to fetch NVD details."
+            print(f"✅ Found {len(unique_cve_ids)} unique CVE IDs: {', '.join(unique_cve_ids)}")
+            # Step 3: Build combined result
+            combined_result = "🔬 **COMPREHENSIVE CVE ANALYSIS**\n"
+            combined_result += "=" * 80 + "\n\n"
+            # Include RAG results first
+            combined_result += "## 📚 PART 1: CVE Knowledge Base Search Results\n\n"
+            combined_result += rag_results
+            combined_result += "\n\n" + "=" * 80 + "\n\n"
+            # Step 4: Fetch NVD details for each CVE
+            combined_result += f"## 🌐 PART 2: Detailed NVD Information (Top {len(unique_cve_ids)} CVEs)\n\n"
+            combined_result += f"Fetching official NVD details for: {', '.join(unique_cve_ids)}\n\n"
+            combined_result += "-" * 80 + "\n\n"
+            for idx, cve_id in enumerate(unique_cve_ids, 1):
+                print(f"🌐 Step 3.{idx}: Fetching NVD details for {cve_id}...")
+                # Fetch NVD details
+                nvd_result = self.get_nvd_cve_details(cve_id)
+                combined_result += nvd_result
+                combined_result += "\n" + "=" * 80 + "\n\n"
+                # Rate limiting: Add delay between requests (NVD recommends max 5 requests per 30 seconds)
+                if idx < len(unique_cve_ids):
+                    time.sleep(6)  # Wait 6 seconds between requests
+            # Step 5: Add summary
+            combined_result += "## 📊 SUMMARY\n\n"
+            combined_result += f"✅ **Total CVEs Analyzed**: {len(unique_cve_ids)}\n"
+            combined_result += f"✅ **Search Query**: {query}\n"
+            combined_result += f"✅ **RAG Results**: {len(cve_ids)} CVE references found\n"
+            combined_result += f"✅ **NVD Details Fetched**: {len(unique_cve_ids)} CVEs\n\n"
+            combined_result += "💡 **Next Steps**: Use this information to:\n"
+            combined_result += "- Cross-reference vulnerabilities in your code\n"
+            combined_result += "- Understand CVSS severity scores\n"
+            combined_result += "- Review CWE classifications\n"
+            combined_result += "- Check official NVD references for remediation guidance\n"
+            print(f"✅ Combined analysis complete!")
+            return combined_result
+        except Exception as e:
+            return f"❌ Error in combined CVE analysis: {str(e)}\n\nPlease try using search_cve_database and get_nvd_cve_details separately."
 # Initialize the GitHub MCP server
 github_server = GitHubMCPServer()
             title="Search CVE Database",
             description="Search the CVE knowledge base for vulnerability patterns and CWE information",
             api_name="search_cve_database"
+        ),
+        gr.Interface(
+            fn=github_server.get_nvd_cve_details,
+            inputs=[
+                gr.Textbox(label="CVE ID", placeholder="CVE-2019-16515", value="CVE-2019-16515")
+            ],
+            outputs=gr.Textbox(label="NVD CVE Details", lines=30),
+            title="Get NVD CVE Details",
+            description="Fetch detailed CVE information from National Vulnerability Database (NVD)",
+            api_name="get_nvd_cve_details"
+        ),
+        gr.Interface(
+            fn=github_server.search_and_fetch_cve_details,
+            inputs=[
+                gr.Textbox(label="Vulnerability Query", placeholder="SQL injection, XSS, command injection, etc.", value="SQL injection"),
+                gr.Slider(minimum=1, maximum=10, value=5, step=1, label="Max NVD Fetches", info="Number of CVEs to fetch NVD details for")
+            ],
+            outputs=gr.Textbox(label="Comprehensive CVE Analysis", lines=40),
+            title="🔬 Smart CVE Analysis (RAG + NVD)",
+            description="Automatically searches CVE database AND fetches detailed NVD information for top CVEs",
+            api_name="search_and_fetch_cve_details"
         )
     ],
     [
         "Repository Info",
         "File Content",
         "Repository Scanner",
+        "CVE Database",
+        "NVD CVE Details",
+        "🔬 Smart CVE Analysis"
     ],
+    title="🐙 GitHub MCP Server with CVE Knowledge Base & NVD Integration"
 )
 if __name__ == "__main__":
+    print("🚀 Starting GitHub MCP Server with CVE Knowledge Base & NVD Integration...")
+    print("📡 Server will provide GitHub repository access, CVE search, and NVD details via MCP")
+    print("🛠️ Available tools:")
+    print("   - get_repository_info: Get repository metadata")
+    print("   - get_file_content: Retrieve file contents")
+    print("   - scan_repository: Scan for code files")
+    print("   - search_cve_database: Search CVE knowledge base")
+    print("   - get_nvd_cve_details: Fetch detailed CVE info from NVD")
+    print("   - 🆕 search_and_fetch_cve_details: Smart combined RAG + NVD analysis")
     demo.launch(mcp_server=True)