cwe-man is a terminal TUI for browsing and reading Common Weakness Enumeration (CWE) data from a local SQLite database synchronized with the CWE REST API. It is intended for developers and security practitioners who want quick, Vim-like interaction to look up CWEs.
- Start the app (no CLI args used):
  `cwe-man`
- If this is your first run and the database is empty, run the following, which syncs the local CWE database with data from the CWE REST API:
  `:sync`
- Core interaction modes:
  - Tree navigation: `j`/`k`, `{`/`}`, `o` or `Enter` to open/expand, `x`/`h` collapse, `l` open CWE.
  - Search mode: `/` then type query, `Enter` to accept.
  - Filter mode: `//` then type query, `Enter` to navigate results, `j`/`k`/`g`/`G`, `o`/`l` to open.
  - Command mode: `:`
  - Detail view: `j`/`k`, `g`/`G`, `q` to close.
  - Notification pane: `Ctrl+N` to toggle/focus, then `j`/`k`, `Enter` (read/unread), `d` (delete).
- Prefix counts are supported for `j`/`k` in list-like views (for example, `10j`).

- Config file path: `$HOME/.cwe-man/config.ini`
- Supported keys:
  `auto_sync_enabled=true`
  `auto_sync_interval_days=30`
- If the file is missing or contains invalid values, defaults are used.
- Startup auto-sync runs in the background when enabled and data is stale; it does not interrupt app usage and usually takes less than a minute.
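
The fallback rule above, as an added C++ example that is not cwe-man's own code: a strict parser for the two keys that keeps the default whenever a value is missing or invalid, plus the staleness check. The defaults (assumed equal to the values shown above), the names `SyncConfig`, `parse_config` and `sync_due`, and the `#`/`;` comment handling are assumptions.

```cpp
#include <charconv>
#include <chrono>
#include <sstream>
#include <string>
#include <string_view>
#include <system_error>

// Assumption: defaults equal the values shown on the page (true, 30 days).
struct SyncConfig {
    bool auto_sync_enabled = true;
    int auto_sync_interval_days = 30;
};

// Constructed sample: one valid key, one invalid value, one unknown key.
constexpr std::string_view kSampleConfig =
    "auto_sync_enabled=false\nauto_sync_interval_days=30x\ncolor=blue\n";

static std::string_view trim(std::string_view s) {
    const auto b = s.find_first_not_of(" \t\r");
    if (b == std::string_view::npos) return {};
    return s.substr(b, s.find_last_not_of(" \t\r") - b + 1);
}

// Parse key=value lines; missing, unknown or invalid entries keep the default.
SyncConfig parse_config(std::string_view text) {
    SyncConfig cfg;
    std::istringstream in{std::string(text)};
    for (std::string line; std::getline(in, line);) {
        const std::string_view v = trim(line);
        const auto eq = v.find('=');
        if (v.empty() || v.front() == '#' || v.front() == ';' || eq == v.npos) continue;
        const auto key = trim(v.substr(0, eq)), val = trim(v.substr(eq + 1));
        if (key == "auto_sync_enabled") {
            if (val == "true" || val == "false") cfg.auto_sync_enabled = (val == "true");
        } else if (key == "auto_sync_interval_days" && !val.empty()) {
            int days = 0;
            const char* end = val.data() + val.size();
            const auto [p, ec] = std::from_chars(val.data(), end, days);
            // Accept only a whole-token positive int: rejects "30x", "-1", overflow.
            if (ec == std::errc{} && p == end && days > 0) cfg.auto_sync_interval_days = days;
        }
    }
    return cfg;
}

// Sync is due when enabled and the last sync is at least the interval old.
bool sync_due(const SyncConfig& cfg, std::chrono::hours age) {
    return cfg.auto_sync_enabled && age >= std::chrono::hours(24) * cfg.auto_sync_interval_days;
}
```
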

- Launch app.
- Press `/` then `/` to enter filter mode.
- Type part of a CWE name or ID.
- Press `Enter`.
- Use `j`/`k` to choose a match.
- Press `o` or `l` to open details.
- Press `q` to close the details.
- Press `q` to exit filter view and return to regular tree pane view.

- Press `:`
- Run: `:cwe 79`

- Press `:`
- Run one of:
  `:print-cwes`
  `:print-cwes my-cwes.md`

`:show-config`
`:rest-api`
Close either popup with `Esc` or `q`.

- Run: `:clear-runtime`
- Confirm with `:yes` or cancel with `:no`.

- `:q` / `:quit`
  Exit the application.
- `:sync`
  Synchronize local data from the CWE REST API.
- `:cwe <id>`
  Open a specific CWE directly in detail view.
- `:print-cwes [filename]`
  Export CWE entries from the local database to a Markdown file.
  Default output file is `cwe-list.md` in the current working directory.
- `:show-config`
  Show configuration and runtime paths in a centered popup.
- `:rest-api`
  Show a centered popup with CWE REST API reference details.
- `:clear-runtime`
  Prepare runtime cleanup (logs and runtime artifacts under `$HOME/.cwe-man`), then wait for confirmation.
- `:yes`
  Confirm pending `:clear-runtime`.
- `:no`
  Cancel pending `:clear-runtime`.

- C++20 compiler
- CMake (3.20+)
- SQLite3 development package
  `sqlite-devel`
- libcurl development package
  `libcurl-devel`
- nlohmann_json
  `nlohmann_json-devel` or `json-devel`

FTXUI, the TUI library dependency, is fetched automatically by CMake (FetchContent).

```sh
# Defaults to installing in `/usr/local/bin/` on Linux systems
cmake -S . -B build -DCMAKE_BUILD_TYPE=Release
cmake --build build --config Release --target install -j
```

```sh
cmake -S . -B build-gcc -DCMAKE_BUILD_TYPE=Release -DCMAKE_CXX_COMPILER=g++
cmake --build build-gcc -j
cmake -S . -B build-clang -DCMAKE_BUILD_TYPE=Release -DCMAKE_CXX_COMPILER=clang++
cmake --build build-clang -j
```

cwe-man enforces standard C++20 (`CMAKE_CXX_EXTENSIONS=OFF`), always enables strict GCC/Clang warnings, and applies `-Werror` in Release builds (not Debug).

```sh
cmake -S . -B build-test -DCMAKE_BUILD_TYPE=Debug -DCWE_MAN_ENABLE_TESTS=ON
cmake --build build-test -j
ctest --test-dir build-test --output-on-failure
```

If GoogleTest is not installed system-wide, you can allow CMake to fetch it:

```sh
cmake -S . -B build-test -DCMAKE_BUILD_TYPE=Debug -DCWE_MAN_ENABLE_TESTS=ON -DCWE_MAN_FETCH_TEST_DEPS=ON
```

```sh
./scripts/run_coverage.sh
```

This generates gcovr reports in `./coverage/`:

- `coverage.txt`
- `coverage.html`
- `coverage.xml`
- `coverage.json`

```sh
./scripts/run_tests.sh
./scripts/run_coverage.sh
./scripts/run_sanitizers.sh
./scripts/run_static_analysis.sh
./scripts/run_quality.sh
```

For architecture details, source-file mapping, and my engineering principles, see: