cisagov / vulnrichment

A repo to conduct vulnerability enrichment.
Creative Commons Zero v1.0 Universal

Add dateRemoved for removed kev entries #65

Closed jeroenh closed 5 months ago

jeroenh commented 5 months ago

💡 Summary

Sometimes vulns are removed from the KEV list, and it makes sense to track that information.

Motivation and context

Why does this work belong in this project? This repository keeps track of vuln information, and has information on when something is added to the kev list.

This would be useful because... Trend watching over time of the KEV list. Might not make much sense currently, but it will over a few years.

Implementation notes

Add a "dateRemoved" list. Optionally add a "reasonRemoved" to it.

Acceptance criteria

How do we know when this work is done?

todb-cisa commented 5 months ago

So, the ultimate issue here is that the upstream KEV JSON has no mechanism to track removals, so it'd be pretty difficult for the ADP to pick up any changes. Luckily, removals are rare (only 2 removal events ever, covering seven CVEs, IIRC).

I'm going to close this as blocked because of this lack of upstream support, but since I have some influence over the upstream KEV JSON, I'll recommend separately to that team to update the schema to account for these removals, and have that in place before the next removal event (which might be never!).

All that said -- there remains no in-schema notion of history for the CVE container, and I'm reluctant to try to solve for that in the ADP container. People who are very interested in tracking the history of CVEs will have to turn to external data sources -- namely, the periodic snapshots provided in the CVEProject repo. While it's a bit of a pain to pull in a second data source, it's probably more reliable anyway -- any studies based on additions, removals, rejections, and updates will be more clearly related there to what was actually published at given times.
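One way to derive the `dateRemoved` records the issue asks for from the snapshot approach described above, as an added example that is not part of this issue or of the vulnrichment project: compare two catalog snapshots and record each CVE that disappeared between them. The field names `vulnerabilities`, `cveID`, `dateAdded`, `catalogVersion` and `dateReleased` are assumed to match the public KEV JSON feed; the two snapshots and their CVE IDs are constructed.

```python
import json

# Constructed sample snapshots in the shape of the KEV JSON feed (not real data).
SNAPSHOT_OLD = json.dumps({
    "catalogVersion": "2024.05.01",
    "dateReleased": "2024-05-01T00:00:00.0000Z",
    "vulnerabilities": [
        {"cveID": "CVE-2000-0001", "dateAdded": "2024-04-01"},
        {"cveID": "CVE-2000-0002", "dateAdded": "2024-04-15"},
        {"cveID": "CVE-2000-0003", "dateAdded": "2024-04-20"},
    ],
})
SNAPSHOT_NEW = json.dumps({
    "catalogVersion": "2024.05.08",
    "dateReleased": "2024-05-08T00:00:00.0000Z",
    "vulnerabilities": [
        {"cveID": "CVE-2000-0001", "dateAdded": "2024-04-01"},
        {"cveID": "CVE-2000-0003", "dateAdded": "2024-04-20"},
        {"cveID": "CVE-2000-0004", "dateAdded": "2024-05-07"},
    ],
})


def kev_entries(snapshot_json: str) -> dict:
    """Map cveID -> catalog entry for one KEV snapshot."""
    catalog = json.loads(snapshot_json)
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def kev_removals(old_json: str, new_json: str) -> dict:
    """Return {cveID: record} for CVEs listed in the old snapshot but absent
    from the new one. The feed carries no removal field, so dateRemoved is
    the release date of the first snapshot that no longer lists the CVE,
    i.e. an upper bound on when the removal actually happened."""
    old, new = kev_entries(old_json), kev_entries(new_json)
    removed_on = json.loads(new_json)["dateReleased"][:10]  # YYYY-MM-DD
    last_version = json.loads(old_json)["catalogVersion"]
    return {
        cve: {
            "dateAdded": old[cve]["dateAdded"],
            "dateRemoved": removed_on,
            "lastSeenCatalogVersion": last_version,
        }
        for cve in sorted(set(old) - set(new))
    }


if __name__ == "__main__":
    print(json.dumps(kev_removals(SNAPSHOT_OLD, SNAPSHOT_NEW), indent=2))
```

Run over consecutive snapshots from the CVEProject repo, the records accumulate into the removal history the issue wants, and the granularity of `dateRemoved` is bounded by how often the snapshots are taken.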