
cwe-search_mcp

A Python-based interface to MITRE's Common Weakness Enumeration (CWE) database via the official API, enabling seamless vulnerability research and integration with MCP-compatible systems.

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio bilel-eljaamii-cwe-search_mcp uv run --with mcp mcp run main.py

How to use

The CWE Search MCP provides a Python-based interface to MITRE's CWE API, enabling MCP-compatible systems to query and retrieve CWE data via stdio transport. It exposes endpoints such as version, specific CWE metadata, weaknesses, categories, and views, along with relationship data like parents, children, ancestors, and descendants. The server normalizes various CWE ID formats (e.g., 79, CWE-79, cw e79) and supports batch requests, making it convenient to integrate CWE lookups into vulnerability research pipelines and automated security tooling. To use it with an MCP client, run the server with the provided stdio transport configuration and connect your client to the MCP server over stdio as demonstrated in the integration guide provided with the project.

How to install

Prerequisites:

  • Python 3.10+
  • uv package manager installed

Installation steps:

  1. Clone the repository:
       git clone https://github.com/Bilel-Eljaamii/cwe-search_mcp.git
       cd cwe-search_mcp

  2. Install dependencies (from the project root):
       pip install requests fastmcp

  3. Set up the uv environment (install uv first if it is not already installed). The README suggests using uv for this MCP server. Note that uv venv creates the environment in .venv by default:
       uv init
       uv venv
       source .venv/bin/activate
       uv pip install "mcp[cli]" "requests"

  4. Run the server (as shown in the usage section):
       DANGEROUSLY_OMIT_AUTH=true mcp dev main.py

This will start the CWE Search MCP server and expose it via STDIO transport for MCP clients to connect.

Additional notes

Tips and considerations:

  • Authentication: The CWE API is public; the MCP example disables authentication for local testing. If you deploy publicly, consider enabling proper auth controls.
  • Input normalization: The server automatically normalizes CWE IDs (e.g., 79, CWE-79, cw e79) to a consistent internal form.
  • Batch processing: Many endpoints accept comma-separated IDs for bulk retrieval.
  • Endpoints supported include: /cwe/version, /cwe/{id}, /weakness/{id(s)}, /cwe/category/{id(s)}, /cwe/view/{id(s)}, and /cwe/{id}/parents|children|ancestors|descendants.
  • If you want to run in a non-uv environment, you could adapt the mcp_config accordingly, but the current recommended setup uses uv as described in the README.
  • Environment variable: DANGEROUSLY_OMIT_AUTH can be used to disable authentication for testing; avoid it in production environments.
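
The ID normalization and comma-separated batching described in the notes above, sketched as an added example; this is not the project's own code. The function names, the accepted-format regex and the batch limit of 20 are assumptions, and the path shape follows the /weakness/{id(s)} pattern listed above.

```python
import re

# Assumed accepted shapes: optional "CWE" prefix (any case, optional spaces
# inside it), optional space/underscore/hyphen separator, then 1-5 ASCII
# digits. Anything else (slashes, dots, query characters) is rejected, so a
# caller-supplied ID can never alter the request path.
_CWE_ID = re.compile(r"(?:c\s*w\s*e)?[\s_-]*([0-9]{1,5})", re.IGNORECASE | re.ASCII)


def normalize_cwe_id(raw: str) -> str:
    """Return the bare numeric form ("79") for "79", "CWE-79", "cw e79", ..."""
    match = _CWE_ID.fullmatch(raw.strip())
    if match is None:
        raise ValueError(f"not a CWE ID: {raw!r}")
    number = int(match.group(1))  # int() drops leading zeros
    if number == 0:
        raise ValueError(f"not a CWE ID: {raw!r}")
    return str(number)


def normalize_batch(raw: str, limit: int = 20) -> list[str]:
    """Split a comma-separated batch, normalize each ID, drop duplicates."""
    ids: list[str] = []
    rejected: list[str] = []
    for part in raw.split(","):
        if not part.strip():
            continue  # tolerate "79,,89" and trailing commas
        try:
            cwe_id = normalize_cwe_id(part)
        except ValueError:
            rejected.append(part.strip())
            continue
        if cwe_id not in ids:
            ids.append(cwe_id)
    if rejected:
        # Fail the whole batch rather than silently querying a subset.
        raise ValueError(f"rejected IDs: {rejected!r}")
    if not ids or len(ids) > limit:
        raise ValueError(f"batch must contain 1..{limit} IDs, got {len(ids)}")
    return ids


def weakness_path(raw: str) -> str:
    """Build the path segment for a batch lookup from untrusted input."""
    return "/weakness/" + ",".join(normalize_batch(raw))
```
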
