vuln-nist

This MCP server provides a set of tools to query the NIST NVD CVE data and return concise, formatted results suitable for consumption by language models and MCP clients. The available tools include: get_temporal_context for obtaining current date mappings and time-relative references, search_cves for keyword-based CVE searches with flexible date filtering (including absolute start_date/end_date ranges and automatic chunking for large date ranges), get_cve_by_id for retrieving detailed CVE information, cves_by_cpe to find CVEs tied to a specific CPE, kevs_between to fetch KEV catalog entries within a date range, and cve_change_history to review change histories for CVEs. Use get_temporal_context first when handling questions like “this year” or “last year” to ensure consistent date parameters. The tools return results in a text-friendly format and include validation and parallel processing to improve responsiveness for large queries.

Prerequisites:

• Docker (recommended) or Python 3.11+ if you build/run locally
• Internet access to NVD endpoints

Option A: Run via Docker (recommended)

1. Install Docker on your system (https://docs.docker.com/get-docker/).
2. Pull the vuln-nist-mcp-server image built by the maintainers: docker pull vuln-nist-mcp-server
3. Run the MCP server: docker run --rm -it vuln-nist-mcp-server

Option B: Build locally from source (if a Docker image is not available)

1. Ensure Python 3.11+ is installed.
2. Clone the repository: git clone https://github.com/HaroldFinchIFT/vuln-nist-mcp-server.git
3. Install dependencies: cd vuln-nist-mcp-server python -m pip install -r requirements.txt
4. Run the server (if provided as a Python module, otherwise follow repo-specific instructions): python vuln_nist_mcp_server.py

Prerequisites recap:

• Docker or Python 3.11+ environment
• Network access to services.nvd.nist.gov
• MCP client to communicate with the server

Tips and common issues:

• If you see time-related errors, start by running get_temporal_context to obtain current date mappings before using time-filtered searches.
• For large date ranges, the server auto-chunks queries into parallel requests; ensure your environment allows concurrent connections.
• Environment variables can customize the NVD API base URL, version, and timeout. For private deployments, update NVD_BASE_URL as needed.
• The CPE validation step helps prevent invalid queries; ensure CPE names are in the full 2.3 format.
• When using absolute date ranges, prefer start_date/end_date over relative last_days for precision.
• Logs and error messages are designed to be verbose for debugging; enable verbose logging if needed in your environment.