CVE Weather
Real-time "threat weather" dashboard for DevOps teams and SREs. Answers the question: is today a safe day to deploy?
Aggregates critical and high-severity CVEs from NVD and OSV.dev, computes a daily threat level (Sunny / Cloudy / Stormy), and presents a 30-day history chart. Includes shareable SVG weather cards for Slack and embeddable badges for status pages.
How It Works
Every 30 minutes, the server fetches:
- Critical and high CVEs published in the last 24 hours from the NVD API
- Open-source vulnerabilities across npm, PyPI, Go, crates.io, and Linux ecosystems from OSV.dev
A threat score is computed:
``
score = (criticalCVEs × 3) + (highCVEs × 1) + (unfixedOSV × 2)
| Score | Level | Meaning |
|-------|-------|---------|
| 0–5 | Sunny | Safe to deploy |
| 6–15 | Cloudy | Proceed with caution |
| 16+ | Stormy | Hold deploys if possible |
Data Sources
| Source | URL | Refresh Interval |
|--------|-----|-----------------|
| NVD CVE API 2.0 | https://services.nvd.nist.gov/rest/json/cves/2.0 | Every 30 minutes |
| OSV.dev API | https://api.osv.dev/v1/query | Every 30 minutes |
API Endpoints
All endpoints are public, no authentication required.
| Method | Path | Description |
|--------|------|-------------|
| GET | /cve-weather/health | Health check with last fetch timestamps |
| GET | /cve-weather/api/weather | Current threat level, score, and breakdown |
| GET | /cve-weather/api/history?days=30 | Daily scores for last N days |
| GET | /cve-weather/api/cves?hours=48 | Recent critical/high CVEs |
| GET | /cve-weather/api/card | SVG weather card (shareable in Slack) |
| GET | /cve-weather/api/badge | SVG badge (embeddable in READMEs) |
Run Locally
npm install
PORT=4742 node server.js
Open http://localhost:4742/cve-weather/
The initial data fetch runs on startup. After that, data refreshes every 30 minutes via cron.
Embed the Badge
Stack
- Node.js >=22, Express, better-sqlite3 (WAL mode), node-cron
- Vanilla JS frontend with Canvas chart
- SVG generation for cards and badges (no headless browser)