CVEProject / cvelistV5

CVE cache of the official CVE List in CVE JSON 5 format

Official way to synchronize the JSON 5.0 feeds #16

Closed ncrocfer closed 1 year ago

ncrocfer commented 1 year ago

Hello,

First of all thank you for the awesome work you do concerning the CVE ecosystem!

I'm the developer of a CVE-related tool, and I would like to add MITRE to my sources (instead of only relying on NVD for now). But to be honest I don't really know how to parse your feed.

So I would like to ask you the official and recommended way to synchronize our local databases with the new JSON 5.0 CVE list.

I searched on your blog posts and if I'm not wrong you're currently in "Soft Deploy" state, meaning CNAs now use the new format to declare CVEs. The "Hard Deploy" is targeted for 1st QT, 2023. At this moment we (as consumers) will be able to officially use the JSON 5.0 feeds.

But where can we find the list, please? I think the old format (csv, html, text, xml) will be removed, so maybe you will provide an API (or something similar to what the NVD does) to fetch the latest changes?

Or maybe this current repo (cveproject/cvelistv5) will become our official data feed? If yes, do you recommend using the recent_activities.json file to detect the changes, or simply running git pull periodically and parsing the new diffs?

Thank you in advance for your answer, Nicolas

hkong-mitre commented 1 year ago

As of 3/28/2023, this repository is now the official way to download/update all published CVEs from the official CVE Project. You can think of it as a cache that is updated multiple times an hour.

There are now 3 methods to download/sync the CVEs:

  1. If you are comfortable with using git, use any git client and git clone https://github.com/CVEProject/cvelistV5.git as you would any GitHub repository. The initial git clone is quite large (about 1.7 GB), but each successive git pull will quickly update your local clone. This is the preferred approach and can be easily automated.
  2. If you prefer to use zip, use this repository's Releases Page, where you can choose to download a "baseline" zip containing all CVEs at midnight (GMT), an hourly zip containing all new/updated CVEs since midnight (GMT), and/or a release note enumerating all the new/updated CVEs since midnight (GMT). This approach uses about 1.5 GB of storage. Use this method if you need a daily sync (e.g., at or close to midnight GMT every night) or hourly syncs throughout the day.
  3. If you want to download all current CVEs infrequently, use GitHub's "Download Zip" link. This downloads all of the current CVEs in a single large zip file. This method is not recommended for sync purposes, since it always downloads all CVEs each time.
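
One way to automate the git pull approach from method 1, as an added example that is not code from this thread or from the CVE Project: it fast-forwards a local clone, turns `git diff --name-status` into the CVE IDs to upsert or delete in a local database, and rejects a record whose `cveMetadata.cveId` does not match its file name. The function names are hypothetical, and the `cves/<year>/<N>xxx/` directory layout and the `cveMetadata` field names are assumptions about the repository and the CVE JSON 5 format that the thread does not spell out.

```python
import json
import re
import subprocess
from pathlib import Path

# Assumed layout, not stated in the thread: cves/<year>/<N>xxx/CVE-<year>-<N>.json
CVE_PATH = re.compile(r"^cves/\d{4}/\d+xxx/(CVE-\d{4}-\d{4,})\.json$")
# Constructed `git diff --name-status` output (tab-separated), not real data.
SAMPLE = ("M\tcves/2023/1xxx/CVE-2023-1234.json\n"
          "D\tcves/2022/0xxx/CVE-2022-0001.json\n"
          "M\tcves/other-file.json\n"
          "R100\tcves/2021/3xxx/CVE-2021-3000.json\tcves/2021/3xxx/CVE-2021-3001.json\n")


def parse_name_status(diff_text):
    """Return ({cve_id: path} to insert/update, [cve_id] to delete)."""
    upserts, deletes = {}, set()
    for line in diff_text.splitlines():
        status, *paths = line.split("\t")
        # The last path is the current one; a rename also removes the old record.
        changes = [(status[:1], path) for path in paths[-1:]]
        if status.startswith("R") and len(paths) == 2:
            changes.append(("D", paths[0]))
        for kind, path in changes:
            match = CVE_PATH.match(path)  # anything else under cves/ is ignored
            if match and kind == "D":
                deletes.add(match.group(1))
            elif match:
                upserts[match.group(1)] = path
    return upserts, sorted(deletes - set(upserts))


def load_record(repo, cve_id, path):
    """Parse one record; reject it if its cveId does not match the file name."""
    record = json.loads((Path(repo) / path).read_text(encoding="utf-8"))
    meta = record.get("cveMetadata", {})
    if meta.get("cveId") != cve_id:
        raise ValueError(f"{path}: unexpected cveId {meta.get('cveId')!r}")
    return meta.get("state"), record


def pull_and_diff(repo):
    """Fast-forward the clone; return the record changes since the previous HEAD."""
    def git(*args):
        return subprocess.run(["git", "-C", str(repo), *args], check=True,
                              capture_output=True, text=True).stdout
    old_head = git("rev-parse", "HEAD").strip()
    git("pull", "--ff-only")
    diff = git("diff", "--name-status", old_head, "HEAD", "--", "cves")
    return parse_name_status(diff)
```

Store the commit hash you last processed alongside your database if a run can be interrupted, and diff from that commit instead of the pre-pull HEAD so no update is skipped.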