Also parse text and HTML OpenSSL feeds

aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/

https://public.vulnerablecode.io

Apache License 2.0

519 stars 190 forks source link

Also parse text and HTML OpenSSL feeds #1128

Open pombredanne opened 1 year ago

pombredanne commented 1 year ago

OpenSSL publishes an XML feed that we parse but this is not updated https://www.openssl.org/news/vulnerabilities.html and https://www.openssl.org/news/secadv/ should be alternative good sources.

keshav-space commented 1 year ago

OpenSSL also provides an updated JSON feed https://www.openssl.org/news/secjson

pombredanne commented 4 months ago

Structured data are gone: XML data is gone, secadv/ index is gone and secjson/ index is gone.
The security data comes from a private repository per https://github.com/openssl/web/blob/d3ec13fa40e74fad789462dee4323faa2c6d2991/Makefile#L526 but seems no longer published.
OpenSSL also has now "premium releases" that are built as explained there https://github.com/openssl/tools/blob/291a580209449f6aebf34e433f3b5f9afbd44c2b/HOWTO-publish-a-release.md

I filed https://github.com/openssl/web/issues/483 upstream as this is problematic. At the moment the ways to solve this issue would be:

Scrape the HTML page to get the list of known vulnerabilities OpenSSL ids and CVEs
Fetch the corresponding JSON for each CVE as is https://www.openssl.org/news/secjson/CVE-2002-0659.json
Alternatively parse the unstructured text as in https://www.openssl.org/news/secadv/20240115.txt

(note that the date used by OpenSSL as a vulnerability ID is different from the CVE id)

pombredanne commented 3 weeks ago

Just some status:

OpenSSL website is reorged and this is a bit of a mess at the new https://openssl-library.org/ because of missing redirects
https://openssl.org/news/secjson/CVE-2002-0659.json does not redirect at https://openssl-library.org/news/secjson/CVE-2002-0659.json ... there is no directory listing
The text advisories cannot be listed anymore (no directory listing) but redirect https://github.com/openssl/web/issues/493
See other woes at https://github.com/openssl/web/issues/483#issuecomment-2080436149
https://www.cve.org/CVERecord?id=CVE-2024-5535 and https://cveawg.mitre.org/api/cve/CVE-2024-5535 (JSON) seem to be mostly but not exactly the same as the HTML advisories at https://openssl-library.org/news/vulnerabilities/index.html
JSON advisories seem gone from the new web site

With all this, scraping the web page is likely the way out: