6

Is there a way to search the CVE database by programming language?

For instance, I'd consider CVE-2015-4852 to be a Java-specific vulnerability as the scope of the vulnerability is the commons-collections Java programming language library, while CVE-2016-4009 is a C vulnerability which affects programs written in Python.

Are CVEs indexed by the fundamental programming language that they target in some way? Any way to search that other than by going through each one?

Bob Ortiz
Naftuli Kay

3 Answers

1

OWASP Dependency Check, which was originally written for JEE apps, will scan components (e.g., framework-default, contrib, or third-party libraries) for CVE-level vulnerabilities, and more recently added support for C/C++, Java, .NET, PHP, Python, Node.js, and Ruby components. It also integrates with build environments such as the popular Java ones (e.g., maven) and CI portals including Jenkins.

There is also a web frontend for OWASP Dependency Check called Dependency Track. These are all free, open-source software (FOSS) solutions available from the extensive OWASP security community.

Here also is an extremely unorthodox metasploit-framework search using the Linux grep command, showing that all Java-related CVEs can be searched for using this method:

    $ msfconsole -qx "search cve:CVE; exit" | grep -i java | grep -vi javascript
    auxiliary/server/jsse_skiptls_mitm_proxy                               2015-01-20       normal     Java Secure Socket Extension (JSSE) SKIP-TLS MITM Proxy
    exploit/linux/misc/jenkins_java_deserialize                            2015-11-18       excellent  Jenkins CLI RMI Java Deserialization Vulnerability
    exploit/multi/browser/java_atomicreferencearray                        2012-02-14       excellent  Java AtomicReferenceArray Type Violation Vulnerability
    exploit/multi/browser/java_calendar_deserialize                        2008-12-03       excellent  Sun Java Calendar Deserialization Privilege Escalation
    exploit/multi/browser/java_getsoundbank_bof                            2009-11-04       great      Sun Java JRE getSoundbank file:// URI Buffer Overflow
    exploit/multi/browser/java_jre17_driver_manager                        2013-01-10       excellent  Java Applet Driver Manager Privileged toString() Remote Code Execution
    exploit/multi/browser/java_jre17_exec                                  2012-08-26       excellent  Java 7 Applet Remote Code Execution
    exploit/multi/browser/java_jre17_glassfish_averagerangestatisticimpl   2012-10-16       excellent  Java Applet AverageRangeStatisticImpl Remote Code Execution
    exploit/multi/browser/java_jre17_jaxws                                 2012-10-16       excellent  Java Applet JAX-WS Remote Code Execution
    exploit/multi/browser/java_jre17_jmxbean                               2013-01-10       excellent  Java Applet JMX Remote Code Execution
    exploit/multi/browser/java_jre17_jmxbean_2                             2013-01-19       excellent  Java Applet JMX Remote Code Execution
    exploit/multi/browser/java_jre17_method_handle                         2012-10-16       excellent  Java Applet Method Handle Remote Code Execution
    exploit/multi/browser/java_jre17_provider_skeleton                     2013-06-18       great      Java Applet ProviderSkeleton Insecure Invoke Method
    exploit/multi/browser/java_jre17_reflection_types                      2013-01-10       excellent  Java Applet Reflection Type Confusion Remote Code Execution
    exploit/multi/browser/java_rhino                                       2011-10-18       excellent  Java Applet Rhino Script Engine Remote Code Execution
    exploit/multi/browser/java_rmi_connection_impl                         2010-03-31       excellent  Java RMIConnectionImpl Deserialization Privilege Escalation
    exploit/multi/browser/java_setdifficm_bof                              2009-11-04       great      Sun Java JRE AWT setDiffICM Buffer Overflow
    exploit/multi/browser/java_storeimagearray                             2013-08-12       great      Java storeImageArray() Invalid Array Indexing Vulnerability
    exploit/multi/browser/java_trusted_chain                               2010-03-31       excellent  Java Statement.invoke() Trusted Method Chain Privilege Escalation
    exploit/multi/browser/java_verifier_field_access                       2012-06-06       excellent  Java Applet Field Bytecode Verifier Cache Remote Code Execution
    exploit/multi/browser/mozilla_navigatorjava                            2006-07-25       normal     Mozilla Suite/Firefox Navigator Object Code Execution
    exploit/multi/browser/qtjava_pointer                                   2007-04-23       excellent  Apple QTJava toQTPointer() Arbitrary Memory Access
    exploit/multi/elasticsearch/script_mvel_rce                            2013-12-09       excellent  ElasticSearch Dynamic Script Arbitrary Java Execution
    exploit/multi/http/jboss_deploymentfilerepository                      2010-04-26       excellent  JBoss Java Class DeploymentFileRepository WAR Deployment
    exploit/multi/http/sun_jsws_dav_options                                2010-01-20       great      Sun Java System Web Server WebDAV OPTIONS Buffer Overflow
    exploit/multi/misc/java_jmx_server                                     2013-05-22       excellent  Java JMX Server Insecure Configuration Java Code Execution
    exploit/windows/browser/java_basicservice_impl                         2010-10-12       excellent  Sun Java Web Start BasicServiceImpl Code Execution
    exploit/windows/browser/java_cmm                                       2013-03-01       normal     Java CMM Remote Code Execution
    exploit/windows/browser/java_codebase_trust                            2011-02-15       excellent  Sun Java Applet2ClassLoader Remote Code Execution
    exploit/windows/browser/java_docbase_bof                               2010-10-12       great      Sun Java Runtime New Plugin docbase Buffer Overflow
    exploit/windows/browser/java_mixer_sequencer                           2010-03-30       great      Java MixerSequencer Object GM_Song Structure Handling Vulnerability
    exploit/windows/browser/java_ws_arginject_altjvm                       2010-04-09       excellent  Sun Java Web Start Plugin Command Line Argument Injection
    exploit/windows/browser/java_ws_double_quote                           2012-10-16       excellent  Sun Java Web Start Double Quote Injection
    exploit/windows/browser/java_ws_vmargs                                 2012-02-14       excellent  Sun Java Web Start Plugin Command Line Argument Injection
    exploit/windows/http/hp_nnm_webappmon_ovjavalocale                     2010-08-03       great      HP NNM CGI webappmon.exe OvJavaLocale Buffer Overflow

One could use a different exploitation-framework search engine, such as the one from Core Security, to perform a similar extensive search -- https://www.coresecurity.com/products/core-impact/recent-exploits-and-updates?title=java&field_exploit_type_tid=All&field_vulnerabilty_id_value=CVE&field_operating_system_tid=All -- or even the one from Immunity Security -- http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/browse

atdre
0

This is not exactly what you are asking, but here is an option to search by keyword. You can search by the word "java".

http://cve.mitre.org/cve/cve.html

user1493834
  • The difficulty is that the statistic I'm trying to extract is "how much of a percentage of programming bugs are caused by C (libc + compiler + C standard etc.) vs. other programming languages?" – Naftuli Kay Apr 27 '16 at 19:04
  • NVD would have this data but not sure they are exposing it to public. Did you try contacting them? – user1493834 Apr 28 '16 at 03:25
  • 2
    @NaftuliTzviKay Beware that you may have to do more than a simple search if you want rigorous data. Is the Java bug written in Java, or is it using a natively compiled library? If the bug is related to a protocol like TLS, is the bug a flaw in the implementation like Heartbleed, or is it a flaw in the protocol like CRIME or BREACH? If a flaw tends to appear with a particular language, is that because the language is inherently flawed, or is it because the language is more often chosen for use in the problem space where that flaw is likely to occur? – atk Jun 26 '16 at 11:52
0

Probably what you're looking for is an Application Programming Interface (API). You might want to check out the following:

  1. circl.lu cve-search API
  2. nvd.nist.gov Data Feeds
  3. vFeed on GitHub
  4. cve-search on GitHub

These APIs and projects might be a good start. You can basically talk to an API from any programming language. This gives you the ability to build a custom search like you suggested.

Bob Ortiz
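An added example, not part of any answer above, of the custom search the last answer suggests: CVE records name affected products through CPE strings rather than languages, so a language tally needs your own product-to-language map, and that map has to separate ecosystem from implementation language (the natively compiled library case raised in the comments). The records are constructed, with placeholder IDs, and assume the shape of the NVD CVE API 2.0 JSON; `LANGUAGE_MAP` and the function names are hypothetical.

```python
import json
from collections import Counter

# Constructed sample, assumed to follow the NVD CVE API 2.0 JSON layout.
# IDs are placeholders and versions are made up; these are not real CVE records.
SAMPLE_FEED = json.loads("""
{"vulnerabilities": [
  {"cve": {"id": "CVE-0000-0001", "configurations": [{"nodes": [{"cpeMatch": [
    {"vulnerable": true, "criteria": "cpe:2.3:a:apache:commons_collections:3.2.1:*:*:*:*:*:*:*"}]}]}]}},
  {"cve": {"id": "CVE-0000-0002", "configurations": [{"nodes": [{"cpeMatch": [
    {"vulnerable": true, "criteria": "cpe:2.3:a:python:pillow:3.1.0:*:*:*:*:*:*:*"}]}]}]}},
  {"cve": {"id": "CVE-0000-0003", "configurations": [{"nodes": [{"cpeMatch": [
    {"vulnerable": true, "criteria": "cpe:2.3:a:example_vendor:unmapped_product:1.0:*:*:*:*:*:*:*"}]}]}]}}
]}
""")

UNKNOWN = ("unknown", "unknown")

# Hypothetical hand-curated map: (vendor, product) -> (ecosystem, implementation language).
LANGUAGE_MAP = {
    ("apache", "commons_collections"): ("Java", "Java"),
    ("python", "pillow"): ("Python", "C"),  # Python package, native C code inside
}

def products(cve):
    """Yield (vendor, product) for every vulnerable CPE 2.3 match in one record."""
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if match.get("vulnerable"):
                    # Simplification: assumes no escaped ':' inside CPE fields.
                    parts = match["criteria"].split(":")
                    yield parts[3], parts[4]

def classify(feed):
    """Map CVE id -> set of (ecosystem, implementation) pairs; unmapped -> UNKNOWN."""
    result = {}
    for item in feed["vulnerabilities"]:
        cve = item["cve"]
        langs = {LANGUAGE_MAP.get(p, UNKNOWN) for p in products(cve)}
        result[cve["id"]] = langs or {UNKNOWN}
    return result

def tally_by_implementation(feed):
    """Count CVEs per implementation language, each CVE once per language."""
    counts = Counter()
    for langs in classify(feed).values():
        counts.update({impl for _, impl in langs})
    return counts
```

The `unknown` bucket is the number to watch: any percentage computed this way is only as rigorous as the share of products the map actually covers.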