cc-audit 3.2.14

Security auditor for Claude Code skills, hooks, and MCP servers
Documentation
# CVE Database Auto-Update

[日本語](./CVE-UPDATE.ja.md)

This document describes how cc-audit's CVE database is automatically updated using GitHub Actions.

## Overview

cc-audit maintains a database of known CVEs affecting AI coding tools and MCP-related products. This database is automatically updated daily by fetching new vulnerabilities from the [NVD (National Vulnerability Database) API](https://nvd.nist.gov/developers/vulnerabilities).

## How It Works

### Daily Cron Job

The GitHub Actions workflow runs daily at **09:00 UTC (18:00 JST)**:

```yaml
on:
  schedule:
    - cron: '0 9 * * *'
```

### Update Process

1. **Fetch CVEs**: The script queries the NVD API for CVEs related to:
   - MCP (Model Context Protocol)
   - Claude Code
   - Cursor IDE
   - GitHub Copilot
   - Codeium, Tabnine, and other AI coding tools

2. **Filter Relevant CVEs**: Only CVEs affecting known AI coding tool vendors/products are included

3. **Merge with Existing**: New CVEs are merged with the existing database, avoiding duplicates

4. **Create Pull Request**: If new CVEs are found, a PR is automatically created for review

### Manual Trigger

You can also trigger the workflow manually from GitHub Actions:

1. Go to **Actions****CVE Database Update**
2. Click **Run workflow**
3. Optionally specify the number of days to look back (default: 90)

## Configuration

### NVD API Key (Recommended)

Setting up an NVD API key increases the rate limit from 5 requests/30 seconds to 50 requests/30 seconds.

1. Request an API key at [NVD API Key Request]https://nvd.nist.gov/developers/request-an-api-key
2. Add the key as a GitHub Secret:
   - Go to **Settings****Secrets and variables****Actions**
   - Create a new secret named `NVD_API_KEY`

### Workflow Permissions

The workflow requires:
- `contents: write` - To commit database updates
- `pull-requests: write` - To create PRs

## Database Structure

The CVE database is stored at `data/cve-database.json`:

```json
{
  "version": "1.0.0",
  "updated_at": "2025-01-26T00:00:00Z",
  "entries": [
    {
      "id": "CVE-2025-XXXXX",
      "title": "Vulnerability title",
      "description": "Detailed description...",
      "severity": "critical",
      "cvss_score": 9.8,
      "affected_products": [
        {
          "vendor": "anthropic",
          "product": "claude-code",
          "version_affected": "< 1.5.0",
          "version_fixed": "1.5.0"
        }
      ],
      "cwe_ids": ["CWE-78"],
      "references": ["https://nvd.nist.gov/vuln/detail/CVE-2025-XXXXX"],
      "published_at": "2025-01-15T00:00:00Z"
    }
  ]
}
```

## Pull Request Review

When a PR is created, reviewers should verify:

- [ ] New CVE entries are relevant to AI coding tools
- [ ] Severity ratings are accurate
- [ ] Affected version ranges are correct
- [ ] Fixed versions are properly specified

## Adding CVEs Manually

To add a CVE manually:

1. Edit `data/cve-database.json`
2. Add a new entry following the structure above
3. Increment the `version` patch number
4. Update `updated_at` timestamp
5. Submit a PR

## Troubleshooting

### Rate Limiting

If you see rate limit errors:
- Add an NVD API key (see Configuration above)
- Wait and retry later

### No New CVEs Found

This is normal if:
- No new AI coding tool CVEs were published
- The CVEs found don't match known vendor/product names

### Script Errors

Check the GitHub Actions logs for details. Common issues:
- Network connectivity problems
- NVD API temporary outages
- JSON parsing errors (malformed CVE data)

## Related Documentation

- [FEATURES.md]./FEATURES.md - CVE Database feature overview
- [NVD API Documentation]https://nvd.nist.gov/developers/vulnerabilities