Counting Critical Vulnerabilities

For an upcoming discussion, I wanted to get the count of registered vulnerabilities that have severity of “critical” by year. The NIST produces files of the vulnerabilities in JSON format which one can download here.

Conveniently the service is offered with a download per year. Now to filter them and get a count. It turns out the jq tool can help out here with a command such as;

zcat nvdcve-1.1-2022.json.gz | \
jq '.CVE_Items[] | select(.impact.baseMetricV3.cvssV3.baseSeverity == "CRITICAL") .cve.CVE_data_meta.ID' | \
wc -l

In this case, jq is going through the CVEs filtering for those that have the severity CRITICAL and then pulling out the ID of the item. Lastly the wc command is used to get a count of the number of lines.