Can I use NVD as a CLI?

Yes. KosmoKrator exposes a NVD CLI through kosmo integrations:call and the provider shortcut command. Commands can return JSON for scripts, CI, and coding agents.

Can I expose NVD through MCP?

Yes. The KosmoKrator MCP gateway can expose selected NVD tools to clients such as Claude Code, Cursor, Codex, and other MCP-compatible tools.

Where are NVD credentials stored?

NVD credentials are configured in KosmoKrator's local integration settings and reused by CLI, Lua, and MCP gateway surfaces.

Can I deny write access for NVD MCP tools?

Yes. Start the gateway with --write=deny for read-only clients, or use ask/allow only for trusted workspaces.

data

NVD Lua API for KosmoKrator Agents

Agent-facing Lua documentation and function reference for the NVD KosmoKrator integration.

Lua Namespace

Agents call this integration through app.integrations.nvd.*. Use lua_read_doc("integrations.nvd") inside KosmoKrator to discover the same reference at runtime.

Call Lua from the Headless CLI

Use kosmo integrations:lua when a shell script, CI job, cron job, or another coding CLI should run a deterministic NVD workflow without starting an interactive agent session.

Inline Lua call

kosmo integrations:lua --eval 'dump(app.integrations.nvd.cves({}))' --json

Read Lua docs headlessly

kosmo integrations:lua --eval 'print(docs.read("nvd"))' --json
kosmo integrations:lua --eval 'print(docs.read("nvd.cves"))' --json

Workflow file

Put repeatable logic in a Lua file, then execute it with JSON output for the calling process.

workflow.lua

local nvd = app.integrations.nvd
local result = nvd.cves({})

dump(result)

Run the workflow

kosmo integrations:lua workflow.lua --json
kosmo integrations:lua workflow.lua --force --json

Namespace note. integrations:lua exposes app.integrations.nvd, app.mcp.*, docs.*, json.*, and regex.*. Use app.integrations.nvd.default.* or app.integrations.nvd.work.* when you configured named credential accounts.

MCP-only Lua

If the script only needs configured MCP servers and does not need NVD, use the narrower mcp:lua command.

MCP Lua command

# Use mcp:lua for MCP-only scripts; use integrations:lua for this integration namespace.
kosmo mcp:lua --eval 'dump(mcp.servers())' --json

Agent-Facing Lua Docs

This is the rendered version of the full Lua documentation exposed to agents when they inspect the integration namespace.

NVD

Namespace: nvd

Use this integration to search NIST National Vulnerability Database 2.0 data: CVE records, CVE change-history events, CPE dictionary names, CPE match criteria, and NVD source metadata.

Authentication

The NVD APIs are public. An API key is optional and is sent with the official apiKey request header when configured. Use a key for higher rate limits and more reliable bulk workflows.

Tools

nvd_cves: search CVE records with official filters such as cve_id, keyword_search, cpe_name, cwe_id, cvss_v3_severity, cvss_v4_severity, has_kev, no_rejected, publication dates, modification dates, results_per_page, and start_index.
nvd_cve_by_id: convenience wrapper around nvd_cves for one CVE ID.
nvd_cve_history: search CVE change-history events by cve_id, event_name, change date range, and pagination.
nvd_cpes: search CPE dictionary records by cpe_name_id, cpe_match_string, keyword_search, match_criteria_id, modification dates, and pagination.
nvd_cpe_by_name_id: convenience wrapper around nvd_cpes for one cpeNameId UUID.
nvd_cpe_match: search CPE match criteria records by cve_id, match_criteria_id, match_string_search, modification dates, and pagination.
nvd_cpe_match_by_criteria_id: convenience wrapper around nvd_cpe_match for one matchCriteriaId UUID.
nvd_sources: search data-source metadata by source_identifier, modification dates, and pagination.
nvd_source_by_identifier: convenience wrapper around nvd_sources for one source identifier.

Return Notes

This package keeps NVD response field names intact. CVE searches return NVD pagination metadata plus a vulnerabilities array. CPE searches return products; CPE match searches return matchStrings; source searches return sources.

Boolean flags such as has_kev, no_rejected, and keyword_exact_match are sent as NVD valueless query flags when true and omitted when false.

Examples

local kev = tools.nvd_cves({
  has_kev = true,
  no_rejected = true,
  results_per_page = 20
})

local cve = tools.nvd_cve_by_id({
  cve_id = "CVE-2024-12345"
})

local cpe = tools.nvd_cpes({
  keyword_search = "nginx",
  results_per_page = 10
})

NVD date filters use the timestamp formats documented by NIST. Keep date-range windows narrow for agent workflows so pagination stays predictable.

Raw agent markdown

# NVD

Namespace: `nvd`

Use this integration to search NIST National Vulnerability Database 2.0 data:
CVE records, CVE change-history events, CPE dictionary names, CPE match
criteria, and NVD source metadata.

## Authentication

The NVD APIs are public. An API key is optional and is sent with the official
`apiKey` request header when configured. Use a key for higher rate limits and
more reliable bulk workflows.

## Tools

- `nvd_cves`: search CVE records with official filters such as `cve_id`,
  `keyword_search`, `cpe_name`, `cwe_id`, `cvss_v3_severity`,
  `cvss_v4_severity`, `has_kev`, `no_rejected`, publication dates,
  modification dates, `results_per_page`, and `start_index`.
- `nvd_cve_by_id`: convenience wrapper around `nvd_cves` for one CVE ID.
- `nvd_cve_history`: search CVE change-history events by `cve_id`,
  `event_name`, change date range, and pagination.
- `nvd_cpes`: search CPE dictionary records by `cpe_name_id`,
  `cpe_match_string`, `keyword_search`, `match_criteria_id`,
  modification dates, and pagination.
- `nvd_cpe_by_name_id`: convenience wrapper around `nvd_cpes` for one
  `cpeNameId` UUID.
- `nvd_cpe_match`: search CPE match criteria records by `cve_id`,
  `match_criteria_id`, `match_string_search`, modification dates, and
  pagination.
- `nvd_cpe_match_by_criteria_id`: convenience wrapper around `nvd_cpe_match`
  for one `matchCriteriaId` UUID.
- `nvd_sources`: search data-source metadata by `source_identifier`,
  modification dates, and pagination.
- `nvd_source_by_identifier`: convenience wrapper around `nvd_sources` for one
  source identifier.

## Return Notes

This package keeps NVD response field names intact. CVE searches return NVD
pagination metadata plus a `vulnerabilities` array. CPE searches return
`products`; CPE match searches return `matchStrings`; source searches return
`sources`.

Boolean flags such as `has_kev`, `no_rejected`, and `keyword_exact_match` are
sent as NVD valueless query flags when true and omitted when false.

## Examples

```lua
local kev = tools.nvd_cves({
  has_kev = true,
  no_rejected = true,
  results_per_page = 20
})

local cve = tools.nvd_cve_by_id({
  cve_id = "CVE-2024-12345"
})

local cpe = tools.nvd_cpes({
  keyword_search = "nginx",
  results_per_page = 10
})
```

NVD date filters use the timestamp formats documented by NIST. Keep date-range
windows narrow for agent workflows so pagination stays predictable.

Metadata-derived Lua example

local result = app.integrations.nvd.cves({})
print(result)

Functions

cves Read

Search NVD CVE records with official 2.0 filters.

Lua path: app.integrations.nvd.cves
Full name: nvd.nvd_cves

Parameter	Type	Required	Description
No parameters.

cve_by_id Read

Retrieve one CVE record by CVE ID.

Lua path: app.integrations.nvd.cve_by_id
Full name: nvd.nvd_cve_by_id

Parameter	Type	Required	Description
No parameters.

cve_history Read

Search CVE change-history events.

Lua path: app.integrations.nvd.cve_history
Full name: nvd.nvd_cve_history

Parameter	Type	Required	Description
No parameters.

cpes Read

Search NVD CPE dictionary records.

Lua path: app.integrations.nvd.cpes
Full name: nvd.nvd_cpes

Parameter	Type	Required	Description
No parameters.

cpe_by_name_id Read

Retrieve CPE dictionary records by cpeNameId UUID.

Lua path: app.integrations.nvd.cpe_by_name_id
Full name: nvd.nvd_cpe_by_name_id

Parameter	Type	Required	Description
No parameters.

cpe_match_criteria Read

Search CPE match criteria records.

Lua path: app.integrations.nvd.cpe_match_criteria
Full name: nvd.nvd_cpe_match

Parameter	Type	Required	Description
No parameters.

cpe_match_by_criteria_id Read

Retrieve match criteria records by matchCriteriaId UUID.

Lua path: app.integrations.nvd.cpe_match_by_criteria_id
Full name: nvd.nvd_cpe_match_by_criteria_id

Parameter	Type	Required	Description
No parameters.

sources Read

Search NVD data-source metadata.

Lua path: app.integrations.nvd.sources
Full name: nvd.nvd_sources

Parameter	Type	Required	Description
No parameters.

source_by_identifier Read

Retrieve NVD data-source metadata by sourceIdentifier.

Lua path: app.integrations.nvd.source_by_identifier
Full name: nvd.nvd_source_by_identifier

Parameter	Type	Required	Description
No parameters.