
VULN-SCORE-AGGREGATOR

Fetches exhaustive vulnerability intelligence, encompassing CVE specifics, associated CWE identifiers, CVSS severity metrics, and crucial Exploit Prediction Scoring System (EPSS) probability figures to gauge the potential for active compromise. Enables streamlined integration into software development pipelines for advanced security posture management.

Author

jgamblin

MIT License

Quick Info

GitHub GitHub Stars 11
NPM Weekly Downloads 0
Tools 1
Last Updated 2026-02-19

Tags

cybersecurity, vulnerability, jgamblin, vulnerability data, enhanced cybersecurity, cybersecurity workflows

Vulnerability Scoring Aggregation Tool (VSAT)

The VSAT utility is a specialized backend service engineered to query the National Vulnerability Database (NVD) API for CVE records and concurrently retrieve current EPSS metrics from the designated EPSS endpoint. It consolidates all pertinent security metadata—including vulnerability descriptions, applicable CWEs, standardized CVSS assessments, and EPSS exploitation likelihood percentiles—into a unified interface.

Core Capabilities

  • Complete CVE Retrieval: Secure detailed vulnerability artifacts, such as narrative descriptions, relevant CWE mappings, and calibrated CVSS scores, sourced directly from the NVD repository.
  • EPSS Metric Integration: Obtain real-time EPSS scores and percentile rankings to quantitatively estimate the near-term exploit risk associated with identified weaknesses.
  • Service Endpoint: Delivers aggregated security data via a high-performance, adaptable service layer, ensuring compatibility with companion tooling.
  • Containerization Support: Facilitates rapid deployment using Docker containers, guaranteeing environmental consistency across various operational settings.
  • IDE Connectivity: Designed for seamless integration with VS Code extensions leveraging the MCP protocol for immediate security feedback within the development environment.

Prerequisites for Operation

  • Python runtime, version 3.13 or newer (mandatory).
  • Docker runtime (recommended for simplified, immutable infrastructure deployment).
  • A valid credential for accessing the NVD data feed (must be stored in the .env configuration file under the NVD_API_KEY variable).

Deployment Guidance

1. Codebase Acquisition

git clone <repository-url>
cd epss-mcp-project

2. Dependency Resolution

It is strongly advised to isolate dependencies using a dedicated virtual environment (e.g., venv or conda). Afterward, install necessary libraries:

pip install -r requirements.txt

3. API Key Configuration

Establish a .env file in the project's root directory and input your NVD access token:

NVD_API_KEY=your-nvd-api-key

Operational Methods

Installation via Smithery Utility

To automatically deploy the Exploit Prediction Scoring System Aggregator for use with Claude Desktop environments using Smithery:

npx -y @smithery/cli install @jgamblin/EPSS-MCP --client claude

Local Service Initiation

Execute the primary service script to launch the local backend:

python epss_mcp.py

Once the service is actively listening, queries can be dispatched to retrieve specific CVE intelligence by referencing its unique identifier.

Retrieval Example

To fetch the complete profile for a known vulnerability, use this request pattern:

GET /cve/<CVE-ID>

Substitute <CVE-ID> with the target identifier (e.g., CVE-2023-4567).
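The consolidation step described above (NVD description, CWE mappings and CVSS score joined with the EPSS score and percentile for the same CVE) and the /cve/<CVE-ID> lookup can be illustrated without touching the network. The block below is an added example and is not the EPSS-MCP project's own code: it validates the identifier before it is used in any path or query, then merges two constructed payloads shaped like the public NVD 2.0 and FIRST EPSS API responses (the field names are assumptions based on those public formats, and the scores attached to CVE-2023-4567 here are made-up sample values, not real data).

```python
"""Merge an NVD 2.0 CVE record with its EPSS row into one unified record.

Added example, not part of the EPSS-MCP project. JSON shapes follow the
public NVD 2.0 and FIRST EPSS APIs (assumed); payloads below are constructed.
"""
import json
import re
from dataclasses import dataclass, asdict
from typing import Optional

# CVE-YYYY-NNNN with a sequence of at least four digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def is_valid_cve_id(raw: str) -> bool:
    """True when the trimmed, upper-cased value is a well-formed CVE id."""
    return bool(CVE_ID_RE.match(raw.strip().upper()))


def normalize_cve_id(raw: str) -> str:
    """Trim, upper-case and validate an id before it reaches /cve/<CVE-ID> or an upstream query."""
    if not is_valid_cve_id(raw):
        raise ValueError(f"not a valid CVE identifier: {raw!r}")
    return raw.strip().upper()


@dataclass
class VulnRecord:
    cve_id: str
    description: str
    cwes: list
    cvss_version: Optional[str]
    cvss_base_score: Optional[float]
    cvss_severity: Optional[str]
    cvss_vector: Optional[str]
    epss_score: Optional[float]
    epss_percentile: Optional[float]
    epss_date: Optional[str]


def parse_nvd(nvd_json: dict, cve_id: str) -> dict:
    """Extract the English description, CWE ids and the newest CVSS metric set."""
    for item in nvd_json.get("vulnerabilities", []):
        cve = item.get("cve", {})
        if cve.get("id") != cve_id:
            continue
        description = next(
            (d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"), "")
        cwes = sorted({d["value"] for w in cve.get("weaknesses", [])
                       for d in w.get("description", []) if d.get("value", "").startswith("CWE-")})
        cvss = {"version": None, "score": None, "severity": None, "vector": None}
        metrics = cve.get("metrics", {})
        # Prefer the newest CVSS version present; NVD may carry several side by side.
        for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
            if metrics.get(key):
                entry = metrics[key][0]
                data = entry["cvssData"]
                cvss = {"version": data.get("version"), "score": float(data["baseScore"]),
                        # v2 keeps baseSeverity one level up; v3/v4 keep it inside cvssData.
                        "severity": data.get("baseSeverity") or entry.get("baseSeverity"),
                        "vector": data.get("vectorString")}
                break
        return {"description": description, "cwes": cwes, "cvss": cvss}
    raise LookupError(f"{cve_id} not present in NVD response")


def parse_epss(epss_json: dict, cve_id: str) -> dict:
    """Extract score, percentile and model date; EPSS returns numbers as strings."""
    for row in epss_json.get("data", []):
        if row.get("cve") == cve_id:
            return {"score": float(row["epss"]), "percentile": float(row["percentile"]),
                    "date": row.get("date")}
    return {"score": None, "percentile": None, "date": None}  # not every CVE has an EPSS row


def aggregate(raw_id: str, nvd_json: dict, epss_json: dict) -> VulnRecord:
    """Validate the id, then join the NVD and EPSS views into one record."""
    cve_id = normalize_cve_id(raw_id)
    nvd, epss = parse_nvd(nvd_json, cve_id), parse_epss(epss_json, cve_id)
    return VulnRecord(cve_id, nvd["description"], nvd["cwes"], nvd["cvss"]["version"],
                      nvd["cvss"]["score"], nvd["cvss"]["severity"], nvd["cvss"]["vector"],
                      epss["score"], epss["percentile"], epss["date"])


# Constructed sample payloads (made-up values, not real scores for this CVE id).
SAMPLE_NVD = {"vulnerabilities": [{"cve": {
    "id": "CVE-2023-4567",
    "descriptions": [{"lang": "en", "value": "Constructed sample: out-of-bounds write in a parser."}],
    "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}]}],
    "metrics": {"cvssMetricV31": [{"cvssData": {
        "version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL",
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]}}}]}
SAMPLE_EPSS = {"status": "OK", "data": [
    {"cve": "CVE-2023-4567", "epss": "0.900000000", "percentile": "0.995000000", "date": "2026-02-19"}]}

if __name__ == "__main__":
    print(json.dumps(asdict(aggregate(" cve-2023-4567 ", SAMPLE_NVD, SAMPLE_EPSS)), indent=2))
```

Validating the identifier first matters because the id becomes a URL path segment for both the local /cve/ route and the upstream APIs; anything that does not match the CVE pattern is rejected before a request is built. Missing EPSS rows are returned as None rather than as an error, since a freshly published CVE can exist in NVD before EPSS has scored it.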

Containerized Deployment (Targeting Open-WebUI)

For execution within an Open-WebUI context, adhere to these steps:

1. Image Compilation

Compile the necessary Docker image:

docker build -t vuln-score-aggregator .

2. Container Launch

Start the container, mapping the service port to the host machine's port 8000:

docker run -p 8000:8000 vuln-score-aggregator

The aggregation service will then be reachable via http://localhost:8000.

WebUI Visualization

[Placeholder for a screenshot showing the tool operating within a WebUI environment]

To optimize the AI assistant's interaction with this service in Open-WebUI, employ the following directive:

You function as an expert agent specializing in the Exploit Prediction Scoring System (EPSS). Your core competency involves presenting and interpreting EPSS metrics, which include daily refreshed exploitation probability values (ranging from 0.0 to 1.0) and associated percentiles for Common Vulnerabilities and Exposures (CVEs). These scores predict in-the-wild exploitation likelihood over the subsequent 30-day window. Assist security architects by contextualizing these predictions against metrics like CVSS, thus enabling effective, data-driven prioritization of remediation actions. All responses must be technically precise, professional, actionable, and focused on delivering solutions.

Interfacing with VS Code MCP

To expose the service backend to the VS Code MCP infrastructure, perform the following configuration steps:

  1. Registering the Local Service in VS Code: Modify your VS Code settings.json file and append the following configuration block to define the local service endpoint:

     "mcp.servers": {
       "VSAT_SERVICE": {
         "type": "stdio",
         "command": "python",
         "args": [
           "/Github/EPSS-MCP/epss_mcp.py"
         ]
       }
     }

     Crucial Note: Verify that the path specified in the args directive accurately reflects the actual location of the epss_mcp.py executable on your workstation.

  2. Establishing VS Code Connection:
     • Launch Visual Studio Code.
     • If absent, install the Microsoft Copilot Labs extension.
     • Confirm that the newly defined VSAT service is listed and reported as operational by the extension.

  3. Commencing Tool Utilization: Once the link is established, VS Code will directly invoke the Python runtime to solicit CVE specifics and their corresponding EPSS risk ratings.

VS Code Integration View

[Placeholder for a screenshot illustrating the service operational status within the VS Code interface]

Directory Layout

epss-mcp-project
├── epss_mcp.py               # Primary executable script for the service
├── nvd_api.py                # Module handling NVD API communication protocols
├── epss_api.py               # Module managing interactions with the EPSS data source
├── epss_mcp_test.py          # Script dedicated to functional validation of the service
├── requirements.txt          # List of necessary software packages
├── Dockerfile                # Instructions for container image creation
├── .env                      # Configuration file for environmental secrets (e.g., credentials)
└── README.md                 # Comprehensive project documentation

Contribution Guidelines

We welcome community contributions! Please submit feature enhancements or bug fixes via pull requests or by opening detailed issues.

Licensing Information

This software is distributed under the terms of the MIT License. Refer to the [LICENSE] file for full details.

WIKIPEDIA SUMMARY: XMLHttpRequest (XHR) defines an application programming interface accessible via JavaScript objects. Its methods enable web browsers to dispatch asynchronous HTTP requests to remote servers and receive feedback post-page load. XHR is foundational to Asynchronous JavaScript and XML (Ajax) programming paradigms. Before Ajax, server interaction relied primarily on traditional hyperlink navigation or form submissions, which typically resulted in a full page refresh.

Historical Context

The foundational concept for the XMLHttpRequest object originated in 2000 with Microsoft Outlook developers. It was first implemented in Internet Explorer 5 (released in 1999), although it initially utilized different object identifiers: ActiveXObject("Msxml2.XMLHTTP") or ActiveXObject("Microsoft.XMLHTTP"). By the time Internet Explorer 7 was released (2006), broad browser support for the standardized XMLHttpRequest identifier was achieved, including implementations within Mozilla's Gecko engine (2002), Safari 1.2 (2004), and Opera 8.0 (2005).

Standardization Process

The World Wide Web Consortium (W3C) released the initial Working Draft specification for the XMLHttpRequest object on April 5, 2006. A Level 2 draft followed on February 25, 2008, introducing features such as progress monitoring events, support for cross-origin requests, and binary stream handling. By late 2011, the Level 2 specifications were integrated back into the primary document. Since the end of 2012, the WHATWG has assumed maintenance of the living standard, documenting it using Web IDL.

Operational Workflow

Executing a server request using XMLHttpRequest typically involves several sequential programming steps:

  1. Instantiate the XMLHttpRequest object using its constructor.
  2. Invoke the open() method to define the request method (e.g., GET/POST), specify the target Uniform Resource Identifier (URI), and choose between synchronous or asynchronous execution.
  3. For asynchronous operations, register a callback function (a listener) to be triggered upon changes in the request's state.
  4. Initiate the transmission using the send() method.
  5. Handle state transitions within the designated event listener. Upon successful completion (state 4, "done"), the server response payload is typically accessible via the responseText property.

Beyond these foundational steps, XHR offers granular control over request transmission and response management. Custom headers can be injected to dictate server processing behavior, and data payloads can be uploaded via the argument provided to send(). Responses can be automatically parsed from JSON strings into native JavaScript objects or processed incrementally as data streams arrive. Furthermore, requests can be canceled prematurely or configured to automatically time out if completion is not achieved within a specified duration.

Inter-Origin Communications

In the early stages of the World Wide Web's evolution, security restrictions sometimes prevented scripts loaded from one origin from interacting with resources on a different origin, an issue that XMLHttpRequest's design had to address.
