Building a Minimal Offline MySQL CVE Scanning Tool with DuckDB

In daily database security operations and vulnerability management, mastering MySQL‑related CVE information is crucial for patch remediation and risk assessment.

CVE (Common Vulnerabilities and Exposures) lists publicly disclosed security flaws across software.

For enterprises using MySQL, an efficient local method to retrieve and analyze CVE data directly impacts system security.

This guide shares a minimal‑deployment solution that builds an offline MySQL CVE lookup and report generation tool using DuckDB, eliminating the need for commercial scanners.

Technical Solution

1. Data Source

Clone the official CVEProject repository, which contains all public CVE entries stored as JSON files. git clone https://github.com/kevinbin/mysqlcve.git

2. Data Engine

DuckDB is chosen as the analysis engine because:

Native support for reading and parsing JSON files.

Standard SQL syntax with a low learning curve.

Zero‑configuration, no service process required.

Excellent performance for small‑to‑medium data sets.

DuckDB’s embedded nature makes it ideal for rapid, script‑driven analysis.

3. Design Goals

Minimal deployment : Only DuckDB, git, and a shell are needed, suitable for any Unix‑like system.

Automatic CVE sync : Data is refreshed before each run to ensure up‑to‑date information.

High‑performance parsing : Direct JSON parsing in DuckDB without intermediate conversion.

Version‑number matching : Precise comparison of major, minor, and patch numbers to avoid false positives/negatives.

Automatic result export : Generates a structured Markdown report.

4. Usage Scenarios

DBA daily security self‑checks.

Risk assessment before version upgrades.

Automated vulnerability report generation.

Offline vulnerability lookup.

Usage Instructions

Clone the project git clone https://github.com/kevinbin/mysqlcve.git

Update CVE data (full or specific year) ./mysql_cve.sh update # full update, longer runtime ./mysql_cve.sh update 2025 # update only 2025 entries

Scan a network segment for MySQL versions ./mysql_cve.sh scan 192.168.1 Sample output: [+] 192.168.1.8 - MySQL Version: 8.0.42 [+] 192.168.1.22 - MySQL Version: 5.7.44 ...

Find CVEs for a specific MySQL version ./mysql_cve.sh match 8.0.32 # Result automatically written to scan_result.md

Conclusion

The project delivers a lightweight, reliable, offline‑capable MySQL CVE scanning tool with simple deployment, flexible querying, and clear results, making it suitable for personal security research, enterprise operations self‑checks, and automated vulnerability management.