Migrate `cyhy-nvdsync` to the NIST NVD API 2.0

[mcdonnnj]

💡 Summary

Update the cyhy-nvdsync script to use the NIST NVD API 2.0.

Motivation and context

Currently we rely on the NIST NVD data feeds to get CVE information. These feeds are being retired in September of 2023. We will need to migrate to the API 2.0 to continue to get the CVE data we need after this point.

Implementation notes

We will have to determine whether or not we can get appropriate functionality without an API key.

Acceptance criteria

• [ ] The cyhy-nvdsync script uses the NIST NVD API 2.0 for functionality

[dav3r]

See also https://github.com/cisagov/cyhy-system/issues/77.

[jsf9k]

This may be a good piece of work to break off and hand to someone else.

[jsf9k]

We should consider giving whoever takes this on an ODM model for the collection they will be writing to, particularly if they implement the functionality of the old script in a new project (like a Docker container).

[mcdonnnj]

I think this should be blocked until https://github.com/cisagov/cyhy-system/issues/83 is implemented. Doing any kind of substantial development in Python 2 if it is not strictly necessary does not seem like a good use of development time.

[michaelsaki]

Moving status back to "Todo" until https://github.com/cisagov/cyhy-system/issues/83 is implemented.

[michaelsaki]

According to the NIST they pushed the original cut off date from September of 2023 to December of 2023. Update

[michaelsaki]

Wanted to mention a couple threads that I came across regarding some groups transitioning to the API. Some of the discussion is a bit dated but just in case we run into any similar issues I thought they would be worth mentioning as we transition to the new API:

• https://github.com/DependencyTrack/dependency-track/issues/1861
• https://github.com/jeremylong/Open-Vulnerability-Project/issues/42
• https://github.com/jeremylong/DependencyCheck/issues/4732