A place to mess around with GCVE things. Maybe someone else will find this helpful.
In order to publish with the current schema, all we need to do is grab the relevant CVEs, insert a "vulnId" element at the top, and dump them to the API-designated dump. Then we let a very lightweight Cloudflare worker do the business of sorting by date and returning what's requested.
This all amounts to:
```sh
curl https://cveawg.mitre.org/api/cve/CVE-2025-8452 > GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111011111010111111001000000000000000000000000000000000000000000000000000000001.json
# edit in the vulnId
awk 1 GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111011111010111111001000000000000000000000000000000000000000000000000000000001.json >> dumps/gna-1337.ndjson
```
This is mostly automated with lu-gcveify.rb, which fetches, edits, and concats with the dump file.
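The fetch, edit, and append steps above as an added Ruby example (not the repository's lu-gcveify.rb). It assumes `vulnId` is a top-level key holding the GCVE ID, and it uses a constructed, pretty-printed CVE record instead of a live MITRE API call to show why the record is re-serialized to a single line and checked for duplicates before it reaches the NDJSON dump.

```ruby
require "json"
require "tmpdir"

# Shape of the GCVE IDs shown on this page: GCVE-<GNA id>-<year>-<digits>.
GCVE_ID = /\AGCVE-\d+-\d{4}-\d+\z/

# Return one NDJSON line: the CVE record with "vulnId" as its first key.
# Assumption: vulnId is a top-level string holding the GCVE ID.
def gcveify(cve_json, gcve_id)
  raise ArgumentError, "bad GCVE ID: #{gcve_id}" unless gcve_id.match?(GCVE_ID)
  record = JSON.parse(cve_json)
  unless record.is_a?(Hash) && record["dataType"] == "CVE_RECORD"
    raise ArgumentError, "not a CVE JSONv5 record"
  end
  record.delete("vulnId") # a stale value would otherwise override the new one
  # JSON.generate emits compact single-line output, so pretty-printed input
  # cannot spill across several lines of the NDJSON dump.
  JSON.generate({ "vulnId" => gcve_id }.merge(record))
end

# Append a line to the dump unless that vulnId is already present.
# Returns true when written, false when skipped as a duplicate.
def append_to_dump(path, line)
  id = JSON.parse(line).fetch("vulnId")
  if File.exist?(path)
    File.foreach(path) do |existing|
      next if existing.strip.empty?
      return false if JSON.parse(existing)["vulnId"] == id
    end
  end
  File.open(path, "a") { |f| f.puts(line) }
  true
end

# Constructed sample standing in for the curl response (pretty-printed on purpose).
SAMPLE_CVE = JSON.pretty_generate({
  "dataType" => "CVE_RECORD",
  "dataVersion" => "5.1",
  "cveMetadata" => { "cveId" => "CVE-2025-0000", "state" => "PUBLISHED" },
  "containers" => { "cna" => { "title" => "constructed example" } }
})
SAMPLE_ID = "GCVE-1337-2025-0001" # constructed placeholder, not a real record

if __FILE__ == $PROGRAM_NAME
  dump = File.join(Dir.mktmpdir, "gna-1337.ndjson")
  line = gcveify(SAMPLE_CVE, SAMPLE_ID)
  puts append_to_dump(dump, line) # first append writes the record
  puts append_to_dump(dump, line) # re-running does not duplicate it
end
```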
The minimally-compliant API is at https://aha-gcve.todb.workers.dev and supports the following:
- https://aha-gcve.todb.workers.dev/api/vulnerability/recent?since=2025-09-01 (`since` is optional, defaults to last 24 hours)
- https://aha-gcve.todb.workers.dev/api/vulnerability/last?limit=67 (`last` is optional, defaults to last 10)
- https://aha-gcve.todb.workers.dev/api/dumps/gna-1337.ndjson (The full dump of all vulnerabilities from AHA! with GCVE IDs)
All other API calls will produce an amusing error. Asking for gna-1337.json will provide a helpful tip to remember that it's ndjson.
Now ideally, I would be able to write my GCVEs by deriving from CVE JSONv5. According to BCP-03, this should be possible: "GCVE-BCP-03 does not enforce a specific JSON format for vulnerability publication." In practice, though, the extant GCVE lookup infrastructure does seem to require strict CVEv5. See this thread on Mastodon for more.
This isn't useful for the current GCVE implementations, where they expect a bunch of CVE JSONv5, so basically ignore all this.
- aha-gcve-schema.json : How to read and write AHA! originated GCVE records.
- test-gcve-sample.json : A test GCVE record conforming to the AHA! format. Not for production!
- tools/aha-gcve-validator.rb: A basic validator for those two things.
- tools/aha-gcveify.rb: A converter from MITRE CVE records to AHA!-flavored GCVE records. Adjust to taste.
- tools/lu-gcveify.rb: A converter from MITRE CVE records to the most basic form of a GCVE record.
- tools/worker.js: The Cloudflare Worker script (running at https://aha-gcve.todb.workers.dev/). Implements a minimal API per BCP-3.
Enjoy! Not fit for any purpose, 2-Clause BSD licensed, etc.
AHA!'s GCVEness is expressed across several domains at the moment:
- takeonme.org : AHA!'s primary domain, where most of AHA! stuff happens. Eventually, everything will move here.
- hugesuccess.org : Tod's internet-exposed sandbox for web shenanigans.
- aha-gcve.todb.workers.dev : A Cloudflare worker instance, free-tier, for fronting API calls. Capped at 10,000 requests or some such.
- gcve.eu : More info about GCVE, and notably, where the canonical index of all GCVE providers is listed, at gcve.json.
- vulnerability.circl.lu : An endpoint to see the fruits of AHA!'s GCVE labor.