aquasecurity / trivy-db

Apache License 2.0

refactor(nvd): migrate to API 2.0 #374

Closed DmitriyLewen closed 10 months ago

DmitriyLewen commented 11 months ago

Description

Migrate to NVD API 2.0

Related Issues

Related PRs

namandf commented 10 months ago

Hi @DmitriyLewen, @knqyf263, hope you are doing great.

Just came across this PR.

  1. Do we intend to bring in this change before the 15th?
  2. Will this fix require a trivy upgrade? I am assuming no, because it's just a change in the way we gather data, right?
  3. In case we don't get this change by the 15th, which is the deadline for deprecation (and on 18th December NVD will stop supporting the older feeds, if I am not wrong), then what will be the impact on trivy scans? Will we continue seeing older vulnerabilities while the new ones or updates will be missing?

Thank you

DmitriyLewen commented 10 months ago

Hello @namandf

Do we intend to bring in this change before the 15th?

We are trying to finish these changes before the 15th.

Will this fix require a trivy upgrade? I am assuming no, because it's just a change in the way we gather data, right?

Right. This fix is only for trivy-db. You will only need to download the new DB.

In case we don't get this change by the 15th, which is the deadline for deprecation (and on 18th December NVD will stop supporting the older feeds, if I am not wrong), then what will be the impact on trivy scans? Will we continue seeing older vulnerabilities while the new ones or updates will be missing?

We only receive advisory information from NVD (severity, descriptions, etc.). In this case, you will get all old and new CVEs, but there may be some typos/omissions in the vulnerability information.

namandf commented 10 months ago

Thank you for the update @DmitriyLewen .

We only receive advisory information from NVD (severity, descriptions, etc.). In this case, you will get all old and new CVEs, but there may be some typos/omissions in the vulnerability information.

Out of curiosity, do we rely on MITRE/cve.org for the CVE list? Or are you suggesting that other databases bridge that gap? MITRE also seems to have gone through a similar change: https://www.cve.org/Media/News/item/blog/2023/07/25/Legacy-Downloads-being-Phased-Out

DmitriyLewen commented 10 months ago

Out of curiosity, do we rely on MITRE/cve.org for the CVE list?

No, we don't use MITRE/cve.org.

We use the following databases to get the CVE list: https://aquasecurity.github.io/trivy/v0.48/docs/scanner/vulnerability/#data-sources and https://aquasecurity.github.io/trivy/v0.48/docs/scanner/vulnerability/#data-sources_1

namandf commented 10 months ago

Out of curiosity, do we rely on MITRE/cve.org for the CVE list?

No, we don't use MITRE/cve.org.

We use the following databases to get the CVE list: https://aquasecurity.github.io/trivy/v0.48/docs/scanner/vulnerability/#data-sources and https://aquasecurity.github.io/trivy/v0.48/docs/scanner/vulnerability/#data-sources_1

Got it. Thank you.

You might already be aware, but it looks like there is again a change in the deadline.

DmitriyLewen commented 10 months ago

Yes, thanks!

FYI - We have https://github.com/aquasecurity/trivy/issues/5658