⚠️ ⚠️ Source Code is currently hosted on Codeberg: https://codeberg.org/raginx/weStaticVulnerabilityChecker ⚠️ ⚠️
A lightweight, privacy-first command-line utility that allows users to detect known software vulnerabilities using official data from the EU Vulnerability Database (EUVD) — without requiring cloud scanning or enterprise-level licensing.
It's designed to empower users and security teams with actionable insights, without requiring expensive scanners or infrastructure — a simple software inventory is all it takes.
⚠️ This tool is currently in beta – contributions & feedback are welcome!
There are a few areas currently under development. First, the svc.log file is not yet being populated, which limits visibility into service-level events and diagnostics. Additionally, the mapping of software products still needs refinement. At present, the fuzzy matching logic poses challenges, especially when dealing with ambiguous or inconsistently labeled data. We're actively exploring improvements to increase precision while maintaining flexibility in the mapping process.
This tool compares a list of software against known vulnerabilities published by ENISA in the EUVD. It uses fuzzy matching and optionally manual mappings to align non-standard software names with official product entries. The result is a vulnerability report sorted by CVSS and EPSS severity scores.
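The matching and ranking steps just described (normalize an inventory name, try a manual mapping first, fall back to fuzzy matching against vendor/product entries, compare the installed version, then order findings by CVSS with EPSS as tie-breaker) are illustrated below in Python. This is an added example written for this README, not the project's own code: the catalog rows, the `affected_below` field, the scores, the `MANUAL_MAP` shape and the 0.8 threshold are all constructed assumptions, and the vulnerable/clean/unmapped split mirrors the three report sheets the usage section mentions.

```python
import csv
import io
from difflib import SequenceMatcher

# Constructed stand-in for the normalized local cache (vendor, product,
# vulnerability). Identifiers, versions and scores are illustrative only, and
# "affected_below" is a deliberate simplification of how advisories express
# affected version ranges.
CATALOG = [
    {"vendor": "mozilla", "product": "firefox", "vuln_id": "EXAMPLE-0001",
     "affected_below": "123.0", "cvss": 8.8, "epss": 0.41},
    {"vendor": "google", "product": "chrome", "vuln_id": "EXAMPLE-0002",
     "affected_below": "125.0.0", "cvss": 9.8, "epss": 0.12},
    {"vendor": "google", "product": "chrome", "vuln_id": "EXAMPLE-0003",
     "affected_below": "127.0.0", "cvss": 8.8, "epss": 0.77},
    {"vendor": "documentfoundation", "product": "libreoffice", "vuln_id": "EXAMPLE-0004",
     "affected_below": "7.6.0", "cvss": 7.8, "epss": 0.05},
]

# Manual mappings win over fuzzy matching for names the heuristic misses
# ("libreoffice community" vs "libreoffice" scores below the threshold).
MANUAL_MAP = {"libreoffice community": ("documentfoundation", "libreoffice")}

# Constructed inventory in the installed_software.csv layout from the README.
INVENTORY_CSV = """software,version
Firefox,122.0
Google Chrome,126.0.0
LibreOffice Community,7.6.2
Notepad Deluxe,1.0
"""


def normalize(name):
    """Lower-case and collapse whitespace so 'Google  Chrome' == 'google chrome'."""
    return " ".join(name.lower().split())


def version_key(version):
    """Turn '126.0.0' into (126, 0, 0) so versions compare numerically, not as text."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def match_product(name, catalog, threshold=0.8):
    """Return (vendor, product, score) for the best match, or None if below threshold."""
    norm = normalize(name)
    if norm in MANUAL_MAP:
        return MANUAL_MAP[norm] + (1.0,)
    best = None
    for vendor, product in sorted({(r["vendor"], r["product"]) for r in catalog}):
        # Score against the bare product and against "vendor product"; keep the higher.
        score = max(SequenceMatcher(None, norm, product).ratio(),
                    SequenceMatcher(None, norm, f"{vendor} {product}").ratio())
        if best is None or score > best[2]:
            best = (vendor, product, score)
    return best if best and best[2] >= threshold else None


def build_report(inventory_csv, catalog):
    """Split the inventory into vulnerable / clean / unmapped, like the report sheets."""
    vulnerable, clean, unmapped = [], [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        match = match_product(row["software"], catalog)
        if match is None:
            unmapped.append(row["software"])
            continue
        vendor, product, _score = match
        installed = version_key(row["version"])
        hits = [r for r in catalog
                if (r["vendor"], r["product"]) == (vendor, product)
                and installed < version_key(r["affected_below"])]
        if not hits:
            clean.append(row["software"])
        for r in hits:
            vulnerable.append({"software": row["software"], "version": row["version"],
                               "vuln_id": r["vuln_id"], "cvss": r["cvss"], "epss": r["epss"]})
    # Highest CVSS first; EPSS breaks ties, matching the ordering described above.
    vulnerable.sort(key=lambda r: (r["cvss"], r["epss"]), reverse=True)
    return {"vulnerable": vulnerable, "clean": clean, "unmapped": unmapped}


if __name__ == "__main__":
    for sheet, rows in build_report(INVENTORY_CSV, CATALOG).items():
        print(sheet, rows)
```

Two details worth noticing: Chrome 126.0.0 is affected by only one of its two catalog entries, because the version comparison is numeric rather than lexical (a string compare would rank "126" below "9"), and the two 8.8 findings are ordered by EPSS, so the one with the higher exploitation probability is listed first.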
Many organizations struggle to correlate software inventories with known vulnerabilities—especially if they lack expensive vulnerability scanners or SIEM platforms.
This project offers:
- ✅ No vendor lock-in or scanning engine required
- ✅ Uses existing software inventory (CSV)
- ✅ Matches against ENISA EUVD API
- ✅ CVSS filtering, year scoping, and reporting built-in
- ✅ SQLite-based cache with update/resume support
- ✅ Aligns with MITRE ATT&CK objectives by surfacing exploitable software targets
- 🧪 Actively developed — Beta phase, expect rapid improvements and possible bugs
Perfect for small businesses, security consultants, auditors and researchers.
- 🚀 Sync from ENISA EUVD API (`--years`, `--min-cvss`)
- 🔁 Resume support and `--force-reset` option
- 📦 Local SQLite database with normalization (`vendor`, `product`, `vulnerability`)
- 🧠 Built-in mapping checker for software versions
- 🎨 Colored CLI output by CVSS severity
- 📊 Excel reporting with clean/vulnerable/unmapped splits
- 🧪 `svc db-status` for database overview
While this tool does not directly map vulnerabilities to ATT&CK techniques, the identified vulnerable products often correspond to components or software categories targeted in specific ATT&CK vectors.
For example:
- Outdated browsers, PDF readers, or office suites are commonly exploited under T1203 (Exploitation for Client Execution).
- Vulnerabilities in server software can relate to T1190 (Exploit Public-Facing Application) or T1210 (Exploitation of Remote Services).
You can use this tool’s output to enrich ATT&CK-based threat modeling, attack surface reviews, or purple team simulations.
- Python 3.8+
- Packages listed in `requirements.txt`

Install dependencies:

```
pip install -r requirements.txt
```

- List your installed software in `installed_software.csv`:

```csv
software,version
Firefox,122.0
Google Chrome,126.0.0
LibreOffice,7.6.2
```
- Sync Vulnerabilities

```
svc update-db --source euvd-api --years 2024 2025
```

Options:

| Argument | Description |
|---|---|
| `--years` | Select year(s) (e.g. 2023 2024) |
| `--min-cvss` | Filter by CVSS score (e.g. 7.0) |
| `--force-reset` | Remove resume files before update |
| `--no-resume` | Disable resume mechanism |
| `--db` | SQLite DB path (default: `euvd.db`) |
Uses per-year paging (100 entries/request), supports resume, rate-limiting, and robust error handling.
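The resume behaviour described here can be implemented as a per-year checkpoint that is committed in the same SQLite transaction as the page it covers, so a crash between requests can never leave stored records without a matching checkpoint (or vice versa). The following Python is an added illustration, not the project's code: the table and column names, the record shape and the `fetch_page(year, page)` callable are assumptions, and `make_fake_source` is a constructed stand-in for the remote API so the example runs offline. Only the page size of 100 comes from the README.

```python
import sqlite3
import time

PAGE_SIZE = 100  # the README states 100 entries per request

# Assumed local schema; table and column names are this example's own.
SCHEMA = """
CREATE TABLE IF NOT EXISTS vulnerability (
    id   TEXT PRIMARY KEY,
    year INTEGER NOT NULL,
    cvss REAL
);
CREATE TABLE IF NOT EXISTS sync_progress (
    year      INTEGER PRIMARY KEY,
    next_page INTEGER NOT NULL,
    done      INTEGER NOT NULL DEFAULT 0
);
"""


class FetchInterrupted(Exception):
    """Raised by the constructed page source to simulate a failed request."""


def make_fake_source(total, year=2025, fail_on_page=None):
    """Constructed stand-in for the remote API (not the EUVD API): returns a
    fetch_page(year, page) callable over `total` synthetic records, which
    raises once on `fail_on_page` and serves that page normally afterwards."""
    records = [{"id": f"EXAMPLE-{i:04d}", "year": year, "cvss": (i % 10) + 0.5}
               for i in range(total)]
    failed = set()

    def fetch_page(requested_year, page):
        if page == fail_on_page and page not in failed:
            failed.add(page)
            raise FetchInterrupted(f"simulated failure on page {page}")
        start = page * PAGE_SIZE
        return [r for r in records if r["year"] == requested_year][start:start + PAGE_SIZE]

    return fetch_page


def reset_progress(conn, year):
    """Equivalent of --force-reset for one year: forget the checkpoint."""
    conn.executescript(SCHEMA)
    with conn:
        conn.execute("DELETE FROM sync_progress WHERE year = ?", (year,))


def sync_year(conn, year, fetch_page, resume=True, delay=0.0):
    """Page through one year. Records and the checkpoint for a page are
    committed in one transaction, so an interrupted run restarts at the first
    page that never completed. Returns the number of rows written this run."""
    conn.executescript(SCHEMA)
    row = conn.execute("SELECT next_page, done FROM sync_progress WHERE year = ?",
                       (year,)).fetchone()
    if row and resume and row[1]:
        return 0  # year already fully synced
    page = row[0] if (row and resume) else 0
    written = 0
    while True:
        batch = fetch_page(year, page)  # a failure here leaves the DB untouched
        done = 1 if len(batch) < PAGE_SIZE else 0
        with conn:  # commits on success, rolls back if anything below raises
            conn.executemany(
                "INSERT OR REPLACE INTO vulnerability (id, year, cvss) "
                "VALUES (:id, :year, :cvss)", batch)
            conn.execute(
                "INSERT OR REPLACE INTO sync_progress (year, next_page, done) "
                "VALUES (?, ?, ?)", (year, page + 1, done))
        written += len(batch)
        if done:
            return written
        page += 1
        if delay:
            time.sleep(delay)  # simple client-side rate limiting between requests


def run_demo():
    """Interrupt on page 1, resume, and confirm no rows are lost or duplicated."""
    conn = sqlite3.connect(":memory:")
    source = make_fake_source(250, fail_on_page=1)
    try:
        sync_year(conn, 2025, source)
    except FetchInterrupted:
        pass
    after_failure = conn.execute("SELECT COUNT(*) FROM vulnerability").fetchone()[0]
    resumed = sync_year(conn, 2025, source)
    total = conn.execute("SELECT COUNT(*) FROM vulnerability").fetchone()[0]
    already_done = sync_year(conn, 2025, source)
    return after_failure, resumed, total, already_done


if __name__ == "__main__":
    print(run_demo())  # (100, 150, 250, 0)
```

`INSERT OR REPLACE` on the primary key makes re-fetching a page idempotent, which is what allows `--no-resume` (pass `resume=False`) to restart from page 0 without creating duplicates, while `reset_progress` plays the role of `--force-reset`.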
- Run Local Software Inventory Report

```
svc report --csv my_software.csv --years 2025
```

Output:

- Excel file with Vulnerable, Clean, and Unmapped sheets
- CLI output with colorized CVSS ratings and filtering summary

- Find your vulnerability report in `svc_report.xlsx`

Logs are saved in `svc.log`.
This project is licensed under GNU AGPLv3. Pull requests, feedback, and issue reports are very welcome! The tool is in active development and beta status — expect rapid changes and report any bugs you encounter.
This project is powered by the open EUVD API and inspired by privacy-first approaches to local security automation.
Built with ❤️ and a dash of curiosity
