
gcve-eu-kev - CISA KEV and ENISA CNW EUVD to GCVE BCP-07 Converter

This repository contains a Python script that downloads the CISA Known Exploited Vulnerabilities (KEV) Catalog or the ENISA CNW EUVD KEV feed (both JSON) and converts each entry into a GCVE-BCP-07 Known Exploited Vulnerability (KEV) Assertion JSON object.

The goal is to transform a list-based KEV feed into attributable, structured exploitation assertions suitable for ingestion into GCVE-compatible systems, vulnerability databases, or analytical pipelines.

What gcve-eu-kev Does

  • Downloads the official CISA and ENISA KEV JSON feeds
  • Converts each KEV entry into a GCVE-BCP-07 assertion
  • Preserves CISA/ENISA semantics while adding:
    • Explicit attribution (evidence.source)
    • Timestamp separation (first_seen_at, asserted_at, recorded_at)
    • Confidence signaling
  • Outputs:
    • NDJSON (default, one assertion per line),
    • A single JSON array, or
    • Atom/RSS feeds generated from previously converted GCVE assertions
  • Pushes converted GCVE-BCP-07 entries to a Vulnerability-Lookup instance.

This tool does not attempt to enrich or reinterpret KEV data beyond what is explicitly published by CISA. It was developed to validate the first BCP-07 specification and to review any missing representation.

Installation

git clone https://github.com/gcve-eu/gcve-eu-kev
cd gcve-eu-kev
poetry install

Usage

usage: gcve-from-enisa [-h] [--url URL] [-o OUTPUT] [--json-array] [--timeout TIMEOUT] [--source-id SOURCE_ID] [--push] [--vulnlookup-origin-uuid VULNLOOKUP_ORIGIN_UUID]

gcve-eu-kev

Convert CISA KEV and ENISA CNW (EUVD) feeds into GCVE-BCP-07 KEV assertion objects.

This project transforms published KEV entries into small, attributable, and machine-friendly assertions that follow the GCVE BCP-07 format. The output is intended for ingestion into GCVE-aware systems, vulnerability databases, or analytics pipelines.

Why this exists

  • Make KEV claims explicit and attributable (evidence.source).
  • Preserve authoritative timestamps while adding a recorded_at ingestion time.
  • Provide a simple, auditable mapping from KEV feeds to GCVE-BCP-07 assertions.

Quick start

Install dependencies (recommended in a venv):

pip install -e .

Run the converters:

CISA (JSON feed)

gcve-from-cisa --help

ENISA CNW (JSON feed)

gcve-from-enisa --help

Or run the modules directly

python -m gcve_eu_kev.cisa --help
python -m gcve_eu_kev.enisa --help
gcve-kev-to-feed --help
python -m gcve_eu_kev.feed --help

Basic usage examples

Write GCVE assertions as NDJSON to stdout (default):

gcve-from-cisa -o -
gcve-from-enisa -o kev_assertions.ndjson

Output a single JSON array:

gcve-from-cisa --json-array -o kev_array.json

Convert existing GCVE assertions into Atom or RSS:

gcve-from-cisa -o kev.ndjson
gcve-kev-to-feed --input kev.ndjson --format atom -o kev.atom.xml
gcve-kev-to-feed --input kev.ndjson --format rss -o kev.rss.xml

Push converted assertions to a Vulnerability-Lookup instance (requires API key and origin UUID):

gcve-from-cisa --push

gcve-from-cisa --push --since-date 2026-02-02
gcve-from-cisa --push --since-date '1 day'
gcve-from-cisa --push --since-date '1 week'

gcve-from-enisa --push
gcve-from-enisa --push --since-date '10 days'

By default the API URL and key are read from gcve_eu_kev/conf.py. To push to a different Vulnerability-Lookup instance without editing that file, set the VULNERABILITY_LOOKUP_API_URL and VULNERABILITY_LOOKUP_API_KEY environment variables:

VULNERABILITY_LOOKUP_API_URL=https://other-instance.example.com/api/kev VULNERABILITY_LOOKUP_API_KEY=mykey gcve-from-cisa --push
VULNERABILITY_LOOKUP_API_URL=https://other-instance.example.com/api/kev VULNERABILITY_LOOKUP_API_KEY=mykey gcve-from-enisa --push --since-date '10 days'

What the converter produces

  • One GCVE-BCP-07 assertion per KEV entry (NDJSON by default).
  • Fields commonly produced: vulnerability.vulnId, status, timestamps, evidence, and references.
  • Conservative defaults for evidence.confidence (CISA 0.8, ENISA 0.75) are used to avoid overstating claims.
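
A consumer-side gate for the NDJSON output described above, as an added example (not part of the gcve-eu-kev code base): it rejects lines that lack attribution, carry an off-scale confidence, or have unparseable timestamps before they reach a database or pipeline. The nested key layout, the [0, 1] confidence range, and all sample values are assumptions built from the field names this README lists, not taken from the BCP-07 schema.

```python
import json
from datetime import datetime

# Paths from the field names this README lists; the nesting is an assumption.
REQUIRED = ("vulnerability.vulnId", "status", "evidence.source",
            "evidence.confidence", "timestamps.asserted_at", "timestamps.recorded_at")

def dig(obj, path):
    """Follow a dotted path through nested dicts; None if any hop is missing."""
    for key in path.split("."):
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def check_assertion(a):
    """Return the list of problems for one parsed assertion (empty means accept)."""
    problems = [f"missing {p}" for p in REQUIRED if dig(a, p) in (None, "")]
    conf = dig(a, "evidence.confidence")
    if conf is not None and not (type(conf) in (int, float) and 0 <= conf <= 1):
        problems.append("confidence outside [0, 1]")  # assumed range
    for name in ("first_seen_at", "asserted_at", "recorded_at"):
        value = dig(a, f"timestamps.{name}")
        try:
            if value is not None:
                datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"unparseable {name}")
    return problems

def gate(ndjson_text):
    """Split NDJSON text into accepted assertions and (line_no, problems) rejects."""
    accepted, rejected = [], []
    for n, line in enumerate(ndjson_text.splitlines(), 1):
        try:
            a = json.loads(line)
            problems = check_assertion(a) if isinstance(a, dict) else ["not an object"]
        except json.JSONDecodeError:
            problems = ["not valid JSON"]
        if problems:
            rejected.append((n, problems))
        else:
            accepted.append(a)
    return accepted, rejected

# Constructed sample lines (identifier, status value and dates are made up).
GOOD = {"vulnerability": {"vulnId": "CVE-2099-0001"}, "status": "sample-status",
        "evidence": {"source": "CISA", "confidence": 0.8},
        "timestamps": {"asserted_at": "2026-02-02", "recorded_at": "2026-02-03T08:15:00Z"}}
BAD = dict(GOOD, evidence={"confidence": 8})  # no attribution, confidence off-scale
SAMPLE = "\n".join([json.dumps(GOOD), json.dumps(BAD), "{truncated"])
```

Calling `gate(SAMPLE)` returns the one well-formed assertion and a reject list keyed by line number, which makes a truncated download or a schema drift visible at ingestion time.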

Notes and caveats

  • The tool preserves published KEV information and does not invent facts or infer extra metadata (geography, sector, etc.).
  • When no CVE is available, the tool preserves provider identifiers (e.g., EUVD) as references.
  • The recorded_at timestamp is the local ingestion time and is added by the collector.

Further reading

Contributing

  • Please open issues or PRs for improvements, corner cases, or fixes.

License

gcve-eu-kev is licensed under the GNU General Public License version 3.

Copyright (c) 2026 Computer Incident Response Center Luxembourg (CIRCL)
Copyright (c) 2026 Alexandre Dulaunoy - https://github.com/adulau
Copyright (C) 2026 Cédric Bonhomme - https://github.com/cedricbonhomme
