{"uuid": "6533f223-b34d-4c89-936d-35bc46e45e91", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0001", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/1263fa8ea1c9d2bdbbb4410ed0273673", "content": "diff --git a/.gitignore b/.gitignore\nindex 7f21d1e..71b4c8d 100644\n--- a/.gitignore\n+++ b/.gitignore\n@@ -4,6 +4,7 @@\n *.sqlite3*\n *.db\n *.toml\n+!config.toml.example\n tags\n .gitmodules\n coverage.out\ndiff --git a/README.md b/README.md\nindex 57102d1..c8a5ae7 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities data through go-kev\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -166,6 +169,18 @@ Vuls has some options to detect the vulnerabilities\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n \n+## KEV Reporting Example\n+\n+Use `config.toml.example` as a redacted starting point for enabling KEV reporting with go-kev. The KEV database is configured with the `[kevuln]` section:\n+\n+```toml\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+```\n+\n+The report JSON exposes KEV information on each vulnerability under `scannedCves..kevs`. 
See `sample-kev-result.json` for a synthetic redacted scan result containing both CISA and VulnCheck KEV entries.\n+\n ----\n \n ## What Vuls Doesn't Do\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..ed5b6b5\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,36 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_ed25519\"\n+scanMode = [\"fast-root\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..45568db 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -5,7 +5,10 @@ package detector\n \n import (\n \t\"encoding/json\"\n+\t\"fmt\"\n \t\"net/http\"\n+\t\"reflect\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -79,18 +82,9 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevulns) &gt; 0 
{\n+\t\t\t\tv.KEVs = append(v.KEVs, convertKEVulns(kevulns)...)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +102,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, convertKEVulns(kevulns)...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +112,181 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, kevuln := range kevulns {\n+\t\tv := reflect.ValueOf(kevuln)\n+\t\tkevs = append(kevs, models.KEV{\n+\t\t\tType:                       toKEVType(stringField(v, \"Type\", \"Source\")),\n+\t\t\tVendorProject:              stringField(v, \"VendorProject\", \"Vendor\", \"Project\"),\n+\t\t\tProduct:                    stringField(v, \"Product\"),\n+\t\t\tVulnerabilityName:          stringField(v, \"VulnerabilityName\", \"Name\"),\n+\t\t\tShortDescription:           stringField(v, \"ShortDescription\", \"Description\"),\n+\t\t\tRequiredAction:             stringField(v, \"RequiredAction\"),\n+\t\t\tKnownRansomwareCampaignUse: stringField(v, \"KnownRansomwareCampaignUse\"),\n+\t\t\tDateAdded:                  timeField(v, \"DateAdded\"),\n+\t\t\tDueDate:                    timePtrField(v, \"DueDate\"),\n+\t\t\tCISA:                       cisaKEVField(v),\n+\t\t\tVulnCheck:                  vulnCheckKEVField(v),\n+\t\t})\n+\t}\n+\treturn kevs\n+}\n+\n+func toKEVType(source string) 
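Review bot: `v.KEVs = append(v.KEVs, convertKEVulns(kevulns)...)` in the HTTP branch of FillWithKEVuln, and the matching `vuln.KEVs = append(...)` in the DB branch of the next hunk, are not idempotent the way the removed `AlertDict.CISA = alerts` assignment was. If a result that already carries `kevs` is filled again, every entry is duplicated; assigning instead, `v.KEVs = convertKEVulns(kevulns)`, keeps a re-run stable. The two branches also count differently: the HTTP branch increments `nKEV` only when `len(kevulns) > 0`, while the DB branch increments it unconditionally as far as the hunk shows (the guard before `continue` is outside it), so the logged KEV count can depend on the transport. The function body starts and ends outside both hunks.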
models.KEVType {\n+\tswitch strings.ToLower(source) {\n+\tcase string(models.VulnCheckKEVType):\n+\t\treturn models.VulnCheckKEVType\n+\tdefault:\n+\t\treturn models.CISAKEVType\n+\t}\n+}\n+\n+func stringField(v reflect.Value, names ...string) string {\n+\tfor _, name := range names {\n+\t\tf := fieldByName(v, name)\n+\t\tif f.IsValid() {\n+\t\t\tswitch f.Kind() {\n+\t\t\tcase reflect.String:\n+\t\t\t\treturn f.String()\n+\t\t\tcase reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:\n+\t\t\t\treturn fmt.Sprint(f.Int())\n+\t\t\tcase reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:\n+\t\t\t\treturn fmt.Sprint(f.Uint())\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n+func timeField(v reflect.Value, names ...string) time.Time {\n+\tfor _, name := range names {\n+\t\tf := fieldByName(v, name)\n+\t\tif f.IsValid() &amp;&amp; f.Type() == reflect.TypeOf(time.Time{}) {\n+\t\t\treturn f.Interface().(time.Time)\n+\t\t}\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func timePtrField(v reflect.Value, names ...string) *time.Time {\n+\tfor _, name := range names {\n+\t\tf := fieldByName(v, name)\n+\t\tif !f.IsValid() {\n+\t\t\tcontinue\n+\t\t}\n+\t\tif f.Type() == reflect.TypeOf(time.Time{}) {\n+\t\t\tt := f.Interface().(time.Time)\n+\t\t\treturn &amp;t\n+\t\t}\n+\t\tif f.Type() == reflect.TypeOf((*time.Time)(nil)) &amp;&amp; !f.IsNil() {\n+\t\t\tt := f.Interface().(*time.Time)\n+\t\t\treturn t\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n+func cisaKEVField(v reflect.Value) *models.CISAKEV {\n+\tf := fieldByName(v, \"CISA\", \"Cisa\")\n+\tif !f.IsValid() {\n+\t\treturn nil\n+\t}\n+\tif f.Kind() == reflect.Pointer {\n+\t\tif f.IsNil() {\n+\t\t\treturn nil\n+\t\t}\n+\t\tf = f.Elem()\n+\t}\n+\treturn &amp;models.CISAKEV{Note: stringField(f, \"Note\")}\n+}\n+\n+func vulnCheckKEVField(v reflect.Value) *models.VulnCheckKEV {\n+\tf := fieldByName(v, \"VulnCheck\", \"Vulncheck\")\n+\tif !f.IsValid() {\n+\t\treturn nil\n+\t}\n+\tif f.Kind() == 
reflect.Pointer {\n+\t\tif f.IsNil() {\n+\t\t\treturn nil\n+\t\t}\n+\t\tf = f.Elem()\n+\t}\n+\treturn &amp;models.VulnCheckKEV{\n+\t\tXDB:                  vulnCheckXDBField(f),\n+\t\tReportedExploitation: vulnCheckReportedExploitationField(f),\n+\t}\n+}\n+\n+func vulnCheckXDBField(v reflect.Value) []models.VulnCheckXDB {\n+\tf := fieldByName(v, \"XDB\", \"Xdb\")\n+\tif !f.IsValid() || f.Kind() != reflect.Slice {\n+\t\treturn nil\n+\t}\n+\txdbs := make([]models.VulnCheckXDB, 0, f.Len())\n+\tfor i := 0; i &lt; f.Len(); i++ {\n+\t\titem := f.Index(i)\n+\t\tif item.Kind() == reflect.Pointer {\n+\t\t\tif item.IsNil() {\n+\t\t\t\tcontinue\n+\t\t\t}\n+\t\t\titem = item.Elem()\n+\t\t}\n+\t\txdbs = append(xdbs, models.VulnCheckXDB{\n+\t\t\tXDBID:       stringField(item, \"XDBID\", \"XdbID\", \"ID\"),\n+\t\t\tXDBURL:      stringField(item, \"XDBURL\", \"XdbURL\", \"URL\"),\n+\t\t\tDateAdded:   timeField(item, \"DateAdded\"),\n+\t\t\tExploitType: stringField(item, \"ExploitType\"),\n+\t\t\tCloneSSHURL: stringField(item, \"CloneSSHURL\"),\n+\t\t})\n+\t}\n+\treturn xdbs\n+}\n+\n+func vulnCheckReportedExploitationField(v reflect.Value) []models.VulnCheckReportedExploitation {\n+\tf := fieldByName(v, \"ReportedExploitation\")\n+\tif !f.IsValid() || f.Kind() != reflect.Slice {\n+\t\treturn nil\n+\t}\n+\texploitations := make([]models.VulnCheckReportedExploitation, 0, f.Len())\n+\tfor i := 0; i &lt; f.Len(); i++ {\n+\t\titem := f.Index(i)\n+\t\tif item.Kind() == reflect.Pointer {\n+\t\t\tif item.IsNil() {\n+\t\t\t\tcontinue\n+\t\t\t}\n+\t\t\titem = item.Elem()\n+\t\t}\n+\t\texploitations = append(exploitations, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       stringField(item, \"URL\"),\n+\t\t\tDateAdded: timeField(item, \"DateAdded\"),\n+\t\t})\n+\t}\n+\treturn exploitations\n+}\n+\n+func fieldByName(v reflect.Value, names ...string) reflect.Value {\n+\tif !v.IsValid() {\n+\t\treturn reflect.Value{}\n+\t}\n+\tif v.Kind() == reflect.Pointer {\n+\t\tif v.IsNil() 
{\n+\t\t\treturn reflect.Value{}\n+\t\t}\n+\t\tv = v.Elem()\n+\t}\n+\tif v.Kind() != reflect.Struct {\n+\t\treturn reflect.Value{}\n+\t}\n+\tfor _, name := range names {\n+\t\tf := v.FieldByName(name)\n+\t\tif f.IsValid() &amp;&amp; f.CanInterface() {\n+\t\t\treturn f\n+\t\t}\n+\t}\n+\treturn reflect.Value{}\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/models/kev_test.go b/models/kev_test.go\nnew file mode 100644\nindex 0000000..651dcc1\n--- /dev/null\n+++ b/models/kev_test.go\n@@ -0,0 +1,92 @@\n+package models\n+\n+import \"testing\"\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\ttests := []struct {\n+\t\tname string\n+\t\tr    ScanResult\n+\t\twant string\n+\t}{\n+\t\t{\n+\t\t\tname: \"counts cves with kev entries\",\n+\t\t\tr: ScanResult{ScannedCves: VulnInfos{\n+\t\t\t\t\"CVE-0000-0001\": {KEVs: []KEV{{Type: CISAKEVType}, {Type: VulnCheckKEVType}}},\n+\t\t\t\t\"CVE-0000-0002\": {},\n+\t\t\t\t\"CVE-0000-0003\": {KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\t}},\n+\t\t\twant: \"2 kevs\",\n+\t\t},\n+\t\t{\n+\t\t\tname: \"empty\",\n+\t\t\tr:    ScanResult{ScannedCves: VulnInfos{}},\n+\t\t\twant: \"0 kevs\",\n+\t\t},\n+\t}\n+\n+\tfor _, tt := range tests {\n+\t\tt.Run(tt.name, func(t *testing.T) {\n+\t\t\tif got := tt.r.FormatKEVCveSummary(); got != tt.want {\n+\t\t\t\tt.Errorf(\"FormatKEVCveSummary() = %q, want %q\", got, tt.want)\n+\t\t\t}\n+\t\t})\n+\t}\n+}\n+\n+func TestScanResult_FormatAlertSummaryExcludesCISA(t *testing.T) {\n+\tr := ScanResult{ScannedCves: VulnInfos{\n+\t\t\"CVE-0000-0001\": {AlertDict: AlertDict{\n+\t\t\tCISA:   []Alert{{Title: \"old kev alert\"}},\n+\t\t\tUSCERT: []Alert{{Title: \"uscert-1\"}},\n+\t\t\tJPCERT: []Alert{{Title: \"jpcert-1\"}, {Title: \"jpcert-2\"}},\n+\t\t}},\n+\t}}\n+\n+\tif got, want := r.FormatAlertSummary(), \"uscert: 1, jpcert: 2 alerts\"; got != want {\n+\t\tt.Errorf(\"FormatAlertSummary() = %q, want %q\", got, want)\n+\t}\n+}\n+\n+func 
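Review bot: convertKEVulns receives the concrete type `kevulnmodels.KEVuln` yet reads every field through `reflect` with guessed alternative names (`"Type", "Source"` or `"XDBID", "XdbID", "ID"`), so a name that does not match the go-kev struct yields an empty string or nil instead of a compile error. KEV evidence can then disappear from reports without any signal. Direct field access (`kevuln.VendorProject` and so on) would let the compiler catch schema drift. toKEVType compounds this by returning `models.CISAKEVType` from `default:`, which attributes any unrecognised or missing source to CISA; if the fallback is meant only for records without a source, narrow it to `case "", string(models.CISAKEVType):` and pass other values through as `models.KEVType(strings.ToLower(source))`. None of these helpers is covered by a test in this diff.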
TestAlertDict_CISAIgnoredForGenericAlertState(t *testing.T) {\n+\ta := AlertDict{CISA: []Alert{{Title: \"old kev alert\"}}}\n+\n+\tif !a.IsEmpty() {\n+\t\tt.Errorf(\"IsEmpty() = false, want true for CISA-only alert dict\")\n+\t}\n+\tif got := a.FormatSource(); got != \"\" {\n+\t\tt.Errorf(\"FormatSource() = %q, want empty source for CISA-only alert dict\", got)\n+\t}\n+\n+\ta.USCERT = []Alert{{Title: \"uscert\"}}\n+\tif a.IsEmpty() {\n+\t\tt.Errorf(\"IsEmpty() = true, want false for CERT alert dict\")\n+\t}\n+\tif got, want := a.FormatSource(), \"CERT\"; got != want {\n+\t\tt.Errorf(\"FormatSource() = %q, want %q\", got, want)\n+\t}\n+}\n+\n+func TestScanResult_SortForJSONOutputSortsKEVs(t *testing.T) {\n+\tr := ScanResult{ScannedCves: VulnInfos{\n+\t\t\"CVE-0000-0001\": {KEVs: []KEV{\n+\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t}},\n+\t}}\n+\n+\tr.SortForJSONOutput()\n+\tgot := r.ScannedCves[\"CVE-0000-0001\"].KEVs\n+\twant := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t}\n+\tfor i := range want {\n+\t\tif got[i] != want[i] {\n+\t\t\tt.Fatalf(\"KEVs[%d] = %+v, want %+v\", i, got[i], want[i])\n+\t\t}\n+\t}\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..6cf2b38 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,11 +197,12 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n 
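Review bot: TestScanResult_SortForJSONOutputSortsKEVs indexes `got[i]` for every element of `want` without first comparing lengths, so a regression that drops entries surfaces as an index panic and one that adds entries passes unnoticed. Add `if len(got) != len(want) { t.Fatalf("len(KEVs) = %d, want %d", len(got), len(want)) }` before the loop. The `!=` on KEV also compares the `DueDate`, `CISA` and `VulnCheck` pointers by address, which is fine for these nil-pointer fixtures but would need `reflect.DeepEqual` once a case sets them.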
\t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n@@ -229,6 +230,17 @@ func (r ScanResult) FormatUpdatablePkgsSummary() string {\n \t\tnUpdatable)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatExploitCveSummary returns a summary of exploit cve\n func (r ScanResult) FormatExploitCveSummary() string {\n \tnExploitCve := 0\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; 
v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..6a3df97 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -284,6 +285,57 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType is a known exploited vulnerability source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType represents CISA KEV catalog entries.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType represents VulnCheck KEV entries.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has known exploited vulnerability information.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     
`json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,7 +962,7 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n@@ -919,15 +971,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; 
len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..3aa23ae 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -202,6 +202,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.ScannedCves.FormatCveSummary(),\n \t\t\t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n@@ -565,8 +566,29 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tsource := \"KEV\"\n+\t\t\tswitch kev.Type {\n+\t\t\tcase models.CISAKEVType:\n+\t\t\t\tsource = \"CISA KEV\"\n+\t\t\tcase models.VulnCheckKEVType:\n+\t\t\t\tsource = \"VulnCheck KEV\"\n+\t\t\t}\n+\t\t\tif kev.CISA != nil &amp;&amp; kev.CISA.Note != \"\" {\n+\t\t\t\tdata = append(data, []string{source, kev.CISA.Note})\n+\t\t\t}\n+\t\t\tif kev.VulnCheck != nil {\n+\t\t\t\tfor _, xdb := range kev.VulnCheck.XDB {\n+\t\t\t\t\tif xdb.XDBURL != \"\" {\n+\t\t\t\t\t\tdata = append(data, []string{source, xdb.XDBURL})\n+\t\t\t\t\t}\n+\t\t\t\t}\n+\t\t\t\tfor _, exploitation := range kev.VulnCheck.ReportedExploitation {\n+\t\t\t\t\tif exploitation.URL != \"\" {\n+\t\t\t\t\t\tdata = append(data, []string{source, exploitation.URL})\n+\t\t\t\t\t}\n+\t\t\t\t}\n+\t\t\t}\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/sample-kev-result.json b/sample-kev-result.json\nnew file mode 100644\nindex 
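Review bot: IsEmpty and FormatSource now ignore `a.CISA`, but the previous hunk keeps the field `CISA []Alert` with its `json:"cisa"` tag on AlertDict, so results written by an older version still deserialize CISA alerts that nothing in this diff reports as KEV any more. The struct should say so; I would add `// Deprecated: no longer populated or reported; KEV data is in VulnInfo.KEVs.` above the field, and consider whether old results need a migration into `KEVs`. FormatSource's body continues past the end of the hunk.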
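Review bot: The new loop over `vuln.KEVs` emits a row only when `kev.CISA.Note` is non-empty or a VulnCheck `XDBURL`/`URL` is present, so a KEV entry with none of these produces no line and the CVE's known-exploited status is missing from this table. The removed loop printed one row per CISA alert regardless. A fallback keeps the entry visible: track whether a row was appended for the entry and otherwise add `data = append(data, []string{source, kev.VulnerabilityName})`. The enclosing function starts and ends outside the hunk.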
0000000..005e83b\n--- /dev/null\n+++ b/sample-kev-result.json\n@@ -0,0 +1,58 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scannedVersion\": \"vuls-example\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic sample showing the first-class KEV JSON shape.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic sample showing VulnCheck KEV details.\",\n+          \"requiredAction\": \"Review exploitation evidence and remediate.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.invalid/vulncheck/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"proof-of-concept\",\n+                
\"cloneSSHURL\": \"git@example.invalid:example/research.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.invalid/advisory/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T18:57:42.669283Z"}