Metadata-Version: 2.3
Name: gcve
Version: 0.4.3
Summary: Global CVE Allocation System
License: GPL-3.0
Keywords: GCVE,Vulnerability,CVE,CVD,CSAF
Author: Alexandre Dulaunoy
Author-email: alexandre.dulaunoy@circl.lu
Requires-Python: >=3.10
Classifier: Development Status :: 5 - Production/Stable
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Science/Research
Classifier: License :: OSI Approved :: GNU General Public License v3 (GPLv3)
Classifier: License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)
Classifier: Operating System :: POSIX :: Linux
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Requires-Dist: cryptography (>=44.0.2,<45.0.0)
Requires-Dist: requests (>=2.32.3,<3.0.0)
Project-URL: Documentation, https://gcve.eu
Project-URL: Homepage, https://gcve.eu
Project-URL: Repository, https://github.com/gcve-eu/gcve
Description-Content-Type: text/markdown

# GCVE: Global CVE Allocation System

The [Global CVE (GCVE) allocation system](https://gcve.eu) is a new, decentralized approach to vulnerability identification and numbering, designed to improve flexibility, scalability, and autonomy for participating entities.

While remaining compatible with the traditional CVE system, GCVE introduces GCVE Numbering Authorities (GNAs). GNAs are independent entities that can allocate identifiers without relying on a centralised block distribution system or rigid policy enforcement.

This format is already used in [Vulnerability-Lookup](https://github.com/vulnerability-lookup/vulnerability-lookup).  
See an example [here](https://vulnerability.circl.lu/product/651684fd-f2b4-45ac-96d0-e3e484af6113).


## Examples of usage

### As a command line tool

First install the gcve client:

```bash
pipx install gcve
```

### Pulling the registry locally

```bash
$ gcve --help
usage: gcve [-h] {registry} ...

A Python client for the Global CVE Allocation System.

positional arguments:
  {registry}
    registry  Registry operations

options:
  -h, --help  show this help message and exit


$ gcve registry --pull
Pulling from registry...
Downloaded updated https://gcve.eu/dist/key/public.pem to data/public.pem
Downloaded updated https://gcve.eu/dist/gcve.json.sigsha512 to data/gcve.json.sigsha512
Downloaded updated https://gcve.eu/dist/gcve.json to data/gcve.json
Integrity check passed successfully.
```


### As a library

#### Verifying the integrity of your local GNA directory copy

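```python
from typing import List

from gcve.gna import GNAEntry
# Assumption: the helpers below live in gcve.utils, like the two imported in the next example
from gcve.utils import (download_directory_signature_if_changed,
                        download_gcve_json_if_changed, download_public_key_if_changed,
                        load_gcve_json, verify_gcve_integrity)

download_public_key_if_changed()
download_directory_signature_if_changed()
download_gcve_json_if_changed()

# Verify the integrity of the directory
if integrity := verify_gcve_integrity():
    # Load the GCVE directory
    gcve_data: List[GNAEntry] = load_gcve_json()
```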
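
What a detached-signature check of this kind involves, as an added example that is not the gcve project's own code. It assumes an RSA PKCS#1 v1.5 signature over SHA-512 stored as base64, which this page does not state; `key_fingerprint`, `load_verified_directory`, `make_constructed_sample` and the pinned fingerprint are hypothetical, and the key and directory entry are constructed. Because the pull output shows `public.pem` coming from the same host as `gcve.json`, the example also pins the key to a fingerprint obtained separately.

```python
import base64
import hashlib
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

SPKI = serialization.PublicFormat.SubjectPublicKeyInfo


def key_fingerprint(public_pem: bytes) -> str:
    """SHA-256 over the DER SubjectPublicKeyInfo, used to pin the key."""
    key = serialization.load_pem_public_key(public_pem)
    return hashlib.sha256(key.public_bytes(serialization.Encoding.DER, SPKI)).hexdigest()


def load_verified_directory(payload: bytes, sig_b64: bytes, public_pem: bytes, pinned_fp: str):
    """Return the parsed directory, or raise ValueError before parsing anything."""
    if key_fingerprint(public_pem) != pinned_fp:
        raise ValueError("public key does not match the pinned fingerprint")
    key = serialization.load_pem_public_key(public_pem)
    try:
        # Assumed scheme: RSA PKCS#1 v1.5 over SHA-512, signature stored as base64
        signature = base64.b64decode(sig_b64, validate=True)
        key.verify(signature, payload, padding.PKCS1v15(), hashes.SHA512())
    except (InvalidSignature, ValueError) as exc:
        raise ValueError("directory signature is invalid") from exc
    return json.loads(payload)  # parsed only after the signature has verified


def make_constructed_sample():
    """Throwaway key and a constructed one-entry directory, signed locally."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pem = priv.public_key().public_bytes(serialization.Encoding.PEM, SPKI)
    payload = json.dumps([{"id": 1, "short_name": "CIRCL"}]).encode()
    sig = base64.b64encode(priv.sign(payload, padding.PKCS1v15(), hashes.SHA512()))
    return payload, sig, pem


if __name__ == "__main__":
    payload, sig, pem = make_constructed_sample()
    # In real use the pinned value is recorded out of band, not derived from the download
    print(load_verified_directory(payload, sig, pem, key_fingerprint(pem)))
```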

#### Generating new GCVE-1 entries (CIRCL namespace)

```python
from typing import List

from gcve import gcve_generator, get_gna_id_by_short_name, to_gcve_id
from gcve.gna import GNAEntry
from gcve.utils import download_gcve_json_if_changed, load_gcve_json

# Retrieve the JSON Directory file available at GCVE.eu if it has changed
updated: bool = download_gcve_json_if_changed()
# Initialize the GNA entries
gcve_data: List[GNAEntry] = load_gcve_json()

# If "CIRCL" is found in the registry
if CIRCL_GNA_ID := get_gna_id_by_short_name("CIRCL", gcve_data):
    # Existing GCVE-0 identifiers.
    # `vulnerabilitylookup` is not defined in this snippet: it stands for the
    # caller's own object exposing get_all_ids() (an assumption about the surrounding code).
    existing_gcves = {to_gcve_id(cve) for cve in vulnerabilitylookup.get_all_ids()}

    # Yield the next free identifiers in the CIRCL namespace
    generator = gcve_generator(existing_gcves, CIRCL_GNA_ID)
    for _ in range(5):
        print(next(generator))
```



## Contact

https://www.circl.lu


## License

[GCVE](https://github.com/gcve-eu/gcve) is licensed under
[GNU General Public License version 3](https://www.gnu.org/licenses/gpl-3.0.html)

