Open pombredanne opened 5 years ago
Comparing OVAL and CVRF entries for the same RHSA, it seems that CVRF has all the information we need in an easier to consume structure. However, the XML version of it has more data than the JSON linked above.
Actually we could also start with the simpler https://www.redhat.com/security/data/metrics/rpm-to-cve.xml
We could have for each record:
I didn't see this mentioned, so here it is https://access.redhat.com/hydra/rest/securitydata/cve.json
Anyway, the larger issue with extracting data from any of the above-mentioned sources (and CVRF advisories in general) is that there is no explicit mention of package name and package version. Rather, these are combined, and hence we will need to split these combined names into package name and version to construct a purl.
Here is data extracted from CVRFs: https://github.com/nexB/vulnerablecode/issues/62#issuecomment-590656383 Notice how package name and version are not separated.
I am reopening as we are missing OVAL and/or CVRF data for completeness. Or at least we need to double-check https://www.redhat.com/security/data/oval/v2/
The license is not clear, though.
Based on the feedback of a Red Hat buddy:
The license for what's under https://www.redhat.com/security/data/oval/v2/ is CC BY 4.0 as explained here: https://access.redhat.com/security/data
https://www.redhat.com/security/data/oval/ http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml https://www.redhat.com/security/data/metrics/
See also the API, such as https://access.redhat.com/hydra/rest/securitydata/cvrf.json, its documentation at https://access.redhat.com/documentation/en-us/red_hat_security_data_api/1.0/html/red_hat_security_data_api/index and https://access.redhat.com/articles/221883