Syncing the NIST National Vulnerability Database to Sqlite3

April 26th, 2013

Many organizations have a need to map public CVEs to internal tickets, packages, or otherwise keep track of the known vulnerabilities. For this, it is useful to have a local database to process CVEs easily in bulk. The nvd2sqlite3(1) utility will populate and sync NIST's Vulnerability Database into a local sqlite3 database for this purpose.

The tool is trivial, and I've seen a number of other tools that do similar things, but with more dependencies and significantly more overhead. In good old Unix fashion, nvd2sqlite3(1) reads its input from stdin, so fetching and feeding it the XML data is up to you.

You can get nvd2sqlite3(1):

The simplest way to run this is:

curl | \
        nvd2sqlite3 -d /wherever/you/like/to/keep/the/dbfile

By default, nvd2sqlite3(1) will use /var/db/cvedb as the database file, so make sure that the user invoking the command has write access to that file. Please see the manual page for details.

