CVE Finder and Mapper
CVE Mapper
Turn an Nmap scan into the CVEs that actually affect the versions you found β
not every CVE that merely mentions the product.
Install Β· Quick start Β· How it works Β· Confidence Β·
Most "Nmap β CVE" tools search by product name and dump everything. **CVE-Mapper is version-aware**: for each discovered service it asks Vulners which CVEs match the exact product and version, then **independently re-validates every affected range** with its own comparator before reporting it. Every result carries a confidence level and a plain-English reason β including why something was rejected.
Why
- Version-accurate. Understands semantic, partial, OpenSSH
7.2p2, Debian/Ubuntu,
- Conservative by design.
Apache httpdβApache Tomcat; backported distro
- Evidence-backed. Each finding states the affected range and the reason for its
- Vulners-only intel, via the official SDK (clears Cloudflare) with a raw-HTTP
- Outputs to terminal, JSON, CSV and self-contained HTML.
Install
pip install -e . # installs the cve-mapper command + the vulners SDK
#OR
pipx install git+https://github.com/NeCr00/CVE-Mapper.git
Python 3.9+. The official vulners SDK is installed automatically and is
required for live queries β Vulners' API is behind Cloudflare, which blocks plain
HTTP clients. requests powers the raw-HTTP fallback (and degrades to the stdlib if
absent).
Quick start
# 1 β scan with service/version detection
nmap -sV -sC -oX scan.xml <target>
2 β map the discovered versions to CVEs
cve-mapper --input scan.xml --min-cvss 7.0 --only-exploitable
Usage
cve-mapper --input scan.xml [options]
| Flag | Purpose | | --- | --- | | --input / --input-dir | A single Nmap report, or a directory to scan recursively | | --json-output / --csv-output / --html-output | Write machine-readable / spreadsheet / shareable reports | | --min-cvss 7.0 | Keep CVEs at or above a CVSS score | | --only-exploitable | Keep only CVEs with a public exploit per Vulners | | --severity Β· --year-from Β· --year-to | Filter by severity or CVE year | | --confidence Confirmed,Likely | Keep only chosen confidence levels | | --strict | Require CPE-grade evidence to mark a finding Confirmed | | --confidence-threshold high | Cap low-trust Nmap detections at Needs manual verification | | --vulners-api-key Β· --no-cache Β· --debug | Auth, cache and diagnostics |
Run cve-mapper --help for the full list.
How it works
Nmap XML ββΆ normalize service ββΆ query Vulners (CPE + version) ββΆ re-validate range ββΆ grade
For every (service, CVE) pair CVE-Mapper checks product identity (rejecting look-alikes and unrelated vendors), version (is the detected version provably in the affected range?) and platform (OS compatibility) before assigning a verdict.
Confidence levels
| Level | Meaning | | --- | --- | | Confirmed | Strong identity, specific version provably in range, compatible platform | | Likely | In range, but a caveat applies (e.g. a backported distro package) | | Possible | In range, but identity is weaker or the sub-version is ambiguous | | Needs manual verification | Identity matches but the range can't be compared reliably | | Rejected | Product mismatch, version out of range, or platform conflict |
Output formats
--json-output (full structured schema), --csv-output (one row per finding, spreadsheet-safe), --html-output (self-contained, escaped) and a coloured terminal report by default.
Testing
pip install pytest && pytest # 127 offline tests β Vulners is fully mocked
VULNERSAPIKEY=β¦ pytest # also runs an opt-in live smoke test
Troubleshooting
HTTP 403 / βVulners rejected the requestβ β this is almost always Cloudflare bot protection, not a bad API key. It means the vulners SDK isn't available, so the tool fell back to the raw-HTTP backend. Fix it with:
pip install vulners
The SDK clears Vulners' Cloudflare challenge; the raw-HTTP backend cannot.