Vulnogram/cve-index
CVE Index

Automatically syncs and indexes the CVEProject/cvelistV5 dataset every 60 minutes. Each incremental run also performs a quality analysis of new/updated CVEs using the Google Gemini API and stores the results under warnings/.

GitHub Actions Setup

Required permissions

The workflow needs write access to commit index and warning files back to the repository. This is already configured in sync.yml via permissions: contents: write.

Gemini API keys (for quality analysis)

Quality analysis calls the Gemini API. To avoid hitting per-key rate limits during a single run, you can add up to six API keys. The code tries them in order (GEMINI_API_KEY first, then GEMINI_API_KEY_1 through GEMINI_API_KEY_5). When a key returns an HTTP 429 (quota exceeded) error, the next key is tried automatically. Once all keys are exhausted for a model, the next model in the fallback list is tried.

Adding secrets

  1. Go to your repository on GitHub.
  2. Click Settings → Secrets and variables → Actions.
  3. Click New repository secret for each key you want to add.
Secret name         Description
GEMINI_API_KEY      Primary key (required for AI checks)
GEMINI_API_KEY_1    Second key (optional)
GEMINI_API_KEY_2    Third key (optional)
GEMINI_API_KEY_3    Fourth key (optional)
GEMINI_API_KEY_4    Fifth key (optional)
GEMINI_API_KEY_5    Sixth key (optional)

You can get API keys from Google AI Studio. Each free-tier key has its own quota, so adding more keys increases the number of CVEs that can be analyzed per run before hitting limits.

If no keys are configured the sync still runs successfully: quality analysis is silently skipped and only static CVSS consistency checks are written to warnings/. Because the skip is silent, a missing or misspelled secret name will not fail the workflow, so verify that the secret names match the table above exactly.

Model fallback order

When all keys are exhausted for a model, the next model in this list is tried with all keys again:

  1. gemini-3.1-flash-lite-preview
  2. gemini-2.0-flash
  3. gemini-2.0-flash-lite
  4. gemini-1.5-flash
  5. gemini-1.5-flash-8b
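The key rotation described under "Gemini API keys" and the model fallback order above combine into one retry loop. The following is an added example of that loop, not the project's own code: callGemini(model, key, prompt) is a hypothetical injectable request function, and the fake client and placeholder key values are constructed so the logic runs offline.

```javascript
// Added example (not cve-index's own code): the key-rotation and model-fallback
// loop the README describes. `callGemini(model, key, prompt)` is a hypothetical
// injectable request function so the logic can run offline against a fake.

const MODELS = [
  'gemini-3.1-flash-lite-preview',
  'gemini-2.0-flash',
  'gemini-2.0-flash-lite',
  'gemini-1.5-flash',
  'gemini-1.5-flash-8b',
];

const KEY_NAMES = ['GEMINI_API_KEY', 'GEMINI_API_KEY_1', 'GEMINI_API_KEY_2',
  'GEMINI_API_KEY_3', 'GEMINI_API_KEY_4', 'GEMINI_API_KEY_5'];

// Read keys in the documented priority order. Unset names are skipped, so a gap
// (e.g. _1 and _3 set, _2 not) still yields a usable list.
function loadKeys(env = process.env) {
  return KEY_NAMES.map((n) => env[n]).filter((k) => typeof k === 'string' && k.length > 0);
}

class QuotaError extends Error {
  constructor(message) { super(message); this.status = 429; }
}

// Try every key on the first model; on HTTP 429 move to the next key, and once
// all keys are exhausted for that model start over with the next model.
// Resolves to { model, keyIndex, result } or null when everything is exhausted.
// Only the key's index is recorded, never its value, so the result is safe to log.
async function analyzeWithFallback(prompt, keys, callGemini, models = MODELS) {
  if (keys.length === 0) return null; // no keys configured: caller skips AI analysis
  for (const model of models) {
    for (let i = 0; i < keys.length; i++) {
      try {
        const result = await callGemini(model, keys[i], prompt);
        return { model, keyIndex: i, result };
      } catch (err) {
        if (err && err.status === 429) continue; // quota hit: try the next key
        throw err; // any other failure is a real error and must not be masked
      }
    }
  }
  return null;
}

// Constructed fake client: `exhausted` holds "model:key" pairs that answer 429.
// Quota is tracked per model, which is why every key is retried on each model.
function makeFakeGemini(exhausted) {
  const calls = [];
  return {
    calls,
    async call(model, key, prompt) {
      calls.push(`${model}:${key}`);
      if (exhausted.has(`${model}:${key}`)) throw new QuotaError(`429 quota exceeded for ${model}`);
      return `${model} reviewed: ${prompt}`;
    },
  };
}

// Scenario: three keys; all three are out of quota on the first model and the
// first key is also out on the second model, so the answer comes from the
// second model with the second key after five attempts.
async function runDemo() {
  const keys = ['key-a', 'key-b', 'key-c']; // constructed placeholder values
  const fake = makeFakeGemini(new Set([
    `${MODELS[0]}:key-a`, `${MODELS[0]}:key-b`, `${MODELS[0]}:key-c`,
    `${MODELS[1]}:key-a`,
  ]));
  const outcome = await analyzeWithFallback('check CVSS/description consistency', keys, fake.call);
  return { outcome, attempts: fake.calls.length };
}

runDemo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Note that only a 429 advances to the next key; any other error (bad request, network failure, invalid key) is rethrown so that a misconfiguration is not silently retried across every key and model.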

Running locally

# Full rebuild (clones/pulls the CVE repo and reindexes everything)
npm run rebuild

# Incremental update (fetches only CVEs changed in the last 120 minutes)
npm run update

# Quality check a single CVE file
GEMINI_API_KEY=your-key node src/quality.js cache/cvelistV5/cves/2025/46xxx/CVE-2025-46265.json

# Static checks only (no API key needed)
node src/quality.js cache/cvelistV5/cves/2025/46xxx/CVE-2025-46265.json --no-ai

Output structure

Path                                          Contents
data/orgs.json                                Map of org ID → short name
data/date.json                                Most recent publish date per org
data/latest/<org>.json                        Ordered list of recent CVE IDs for each org
data/vendor/<org>.json                        Vendor names seen in CVEs for each org
data/product/<org>.json                       Product names seen in CVEs for each org
warnings/cves/<year>/<folder>/<CVE-ID>.json   Quality warnings array for each analyzed CVE

About

Indices based on CVE Records