A vendor-neutral, community-driven repository providing high-fidelity security context for CVEs, optimized for AI agents and security practitioners.
Modern vulnerability scanners suffer from a critical problem: 95% false positive rates. A dependency is flagged as vulnerable, but the vulnerable code path is never executed in your application. Security teams spend 40+ hours per month triaging alerts that aren't actually exploitable.
CCKB solves this by encoding how to reason about vulnerability reachability.
Instead of just listing vulnerable versions, each CVE entry provides:
- Reachability heuristics: How to determine if vulnerable code is actually called
- False positive patterns: Common scenarios where the vulnerability isn't exploitable
- Exploitation preconditions: What must be true for an attack to succeed
- Framework-specific context: How different frameworks mitigate or expose the vulnerability
- AI-friendly structure: Optimized for consumption by LLM-based security agents
Move from "this dependency is vulnerable" to "this vulnerability is (or is not) exploitable in this codebase."
Add CCKB to your AI assistant:
Cursor:
{
"mcpServers": {
"cve-context-knowledge-base Docs": {
"url": "https://gitmcp.io/0xBentz1/cve-context-knowledge-base"
}
}
}Claude Desktop:
{
"mcpServers": {
"cve-context-knowledge-base Docs": {
"command": "npx",
"args": [
"mcp-remote",
"https://gitmcp.io/0xBentz1/cve-context-knowledge-base"
]
}
}
}Claude Code:
{
"mcpServers": {
"cve-context-knowledge-base Docs": {
"command": "npx",
"args": [
"mcp-remote",
"https://gitmcp.io/0xBentz1/cve-context-knowledge-base"
]
}
}
}Then query CVE context directly:
@cve-context-knowledge-base Is CVE-2021-44228 exploitable in my codebase?
- Browse repository: Navigate to
cves/CVE-YYYY-XXXX/folder - Choose your language: Open the relevant file (e.g.,
java.md,python.md) - Read the reachability guidance: Check "How to Reason About This in Practice" section
- Apply the decision tree: Determine if the vulnerability is exploitable in your codebase
CCKB provides structured CVE context via Machine Context Protocol (MCP):
# Load CVE context into your agent
cckb_entry = load_file("cves/CVE-2021-44228/java.md")
# Combine with your source code analysis
verdict = agent.analyze(cckb_entry, source_code)
# Get structured output
print(verdict) # EXPLOITABLE | UNCERTAIN | UNREACHABLESee AGENT_CONSUMPTION_GUIDE.md for detailed integration instructions.
- Read CONTRIBUTING.md
- Check CONTRIBUTION_RUBRIC.md
- Use the CVE entry template
- Submit a pull request
cve-context-knowledge-base/
├── cves/ # All CVE entries organized here
│ ├── CVE-2021-44228/ # One folder per CVE
│ │ ├── java.md # Language-specific analysis
│ │ ├── python.md
│ │ └── node.md
│ ├── CVE-2017-5638/
│ │ └── java.md
│ └── ...
├── docs/ # Documentation
│ ├── CONTRIBUTING.md
│ ├── CONTRIBUTION_RUBRIC.md
│ ├── AGENT_CONSUMPTION_GUIDE.md
│ ├── CONFIDENCE_SCORING_MODEL.md
│ └── VERSION_CONTROL_POLICY.md
├── tools/ # Validation and tooling
│ ├── validate_entries.py
│ └── lint_markdown.py
├── _templates/ # Entry templates
│ └── CVE-TEMPLATE/
│ └── LANGUAGE.md
└── README.md
- All CVEs in dedicated folder:
cves/contains all CVE entries - One folder per CVE:
cves/CVE-YYYY-XXXX/ - One file per language/ecosystem:
java.md,python.md,node.md, etc. - Fully self-contained: Each file contains ALL context needed for analysis (no cross-references)
- MCP-optimized: Single-file structure enables direct injection into AI agent context
| Feature | NVD / OSV | CCKB |
|---|---|---|
| Focus | Version ranges, CVSS scores | Reachability reasoning, exploitability context |
| False positives | High (flags all usage) | Low (filters unreachable code) |
| AI consumption | Not optimized | Structured for LLM reasoning |
| Exploitation context | Generic descriptions | Framework-specific, real-world heuristics |
| Community-driven | Government/vendor-maintained | Open contributions from practitioners |
| Feature | Commercial SCA | CCKB |
|---|---|---|
| Vendor lock-in | Proprietary | Vendor-neutral, open-source |
| Transparency | Black box analysis | Transparent reasoning, documented heuristics |
| Customization | Limited | Community can add expertise |
| Cost | Expensive licenses | Free and open |
| Integration | Tool-specific APIs | Standard MCP, works with any agent |
A vulnerable dependency in your node_modules doesn't mean you're exploitable. CCKB helps you determine if vulnerable code paths are actually exercised.
Every entry is written explicitly for LLM reasoning:
- Structured metadata for filtering
- High-signal vs. low-signal indicators
- Decision trees and heuristics
- Confidence scoring and uncertainty labeling
- Expert judgment is encouraged, not hidden
- All claims backed by evidence or references
- Confidence scores reflect real limitations
- Disagreements documented openly
- Peer review mandatory
- Contribution rubric enforced
- Staleness detection (entries >6 months flagged)
- Version tracking and deprecation
Scenario: LLM-based security copilot performing vulnerability triage
Agent workflow:
1. Detect CVE in dependency scan
2. Load CCKB entry via MCP
3. Analyze source code for reachability patterns
4. Cross-reference framework versions and configurations
5. Return verdict: EXPLOITABLE | UNCERTAIN | UNREACHABLE
6. Provide confidence score and supporting evidence
Scenario: Manual vulnerability triage after SCA scan
Engineer workflow:
1. Receive alert: "Log4j 2.14.0 detected (CVE-2021-44228)"
2. Reference CCKB entry for Log4Shell
3. Check reachability heuristics
4. Verify: Is message interpolation used with user input?
5. Decision: Upgrade immediately / exclude dependency / accept risk
6. Document reasoning in ticket
Scenario: Publishing vulnerability analysis
Researcher workflow:
1. Discover new deserialization gadget chain
2. Write CCKB entry documenting:
- Exploitation preconditions
- Reachability patterns
- False positive scenarios
3. Submit PR with PoC and analysis
4. Community reviews and merges
5. Entry becomes canonical reference for tools and practitioners
We welcome contributions from:
- Security researchers
- AppSec engineers
- Tool builders
- Open-source maintainers
- Anyone with security domain expertise
-
Read the guides:
- CONTRIBUTING.md - Contribution process
- CONTRIBUTION_RUBRIC.md - Quality standards
- CONFIDENCE_SCORING_MODEL.md - How to score confidence
-
Choose a CVE:
- Check existing entries to avoid duplicates
- Pick high-impact CVEs (CISA KEV, active exploitation, common libraries)
-
Write your entry:
- Use the template
- Follow the rubric
- Back claims with evidence (PoC, research papers, real-world testing)
-
Submit a PR:
- Create feature branch:
cve/CVE-YYYY-XXXX/<language> - Run validation:
python tools/validate_entries.py - Submit PR with clear description
- Respond to peer review feedback
- Create feature branch:
All entries must:
- Include all required sections
- Provide language-specific code examples
- Document confidence levels explicitly
- Reference authoritative sources
- Pass peer review by domain expert
CCKB is community-governed with transparent decision-making:
- Maintainers: Admin permissions, final approval on PRs
- Core contributors: Trusted reviewers with domain expertise
- Community contributors: Anyone can submit PRs
See GOVERNANCE.md for details on:
- Conflict resolution
- Maintainer responsibilities
- Voting mechanisms (future)
- Code of conduct
This repository is licensed under the MIT License.
See LICENSE for full text.
- Maximum compatibility with commercial and open-source tools
- No restrictions on AI agent consumption
- Encourages broad adoption and contribution
No. CCKB is a supplementary knowledge layer that helps interpret scanner results. It works alongside SCA, SAST, and other security tools to reduce false positives.
CCKB entries include explicit confidence scores. Confidence varies by entry:
- High confidence (80-95%): Reproducible PoC, extensive testing, expert consensus
- Medium confidence (60-80%): Heuristic-based, tested on common frameworks
- Low confidence (<60%): Theoretical analysis, limited validation
All entries document their evidence basis and uncertainty factors.
Yes. MIT license allows commercial use, modification, and distribution.
See AGENT_CONSUMPTION_GUIDE.md for:
- MCP integration (Cursor, Claude)
- Direct file loading (custom agents)
- API wrappers (future)
Conflicting interpretations are documented in the "Conflicting Interpretations" section of each entry. AI agents receive guidance on how to handle uncertainty.
All entries include:
last_revieweddate in metadata- Staleness warnings (automated if >6 months old)
- Version history showing updates
Yes! If you have:
- Additional framework testing results
- New exploitation techniques
- Evidence of changed exploitability
Submit a PR with updates. Version will be incremented.
- GitHub Issues: Report bugs, request CVEs, ask questions
- Discussions: Community forum for broader topics
- Security: For responsible disclosure of vulnerabilities in CCKB itself, email security@example.com
CCKB is inspired by:
- The work of security researchers publishing detailed vulnerability analysis
- The open-source security community's commitment to transparency
- The need for AI-consumable security knowledge in the age of autonomous agents
Special thanks to all contributors who make this knowledge base possible.
Status: Active Development | Version: 1.0.0 | Last Updated: 2025-12-15