fkie-cad / nvd-json-data-feeds

Community reconstruction of the legacy JSON NVD Data Feeds. This project uses and redistributes data from the NVD API but is neither endorsed nor certified by the NVD.

Question: how does this project relate to cvelistV5 #2

Closed henrirosten closed 1 year ago

henrirosten commented 1 year ago

How does this project relate to https://github.com/CVEProject/cvelistV5?

rhelmke commented 1 year ago

Hey,

  1. Involved Parties. cvelistV5 is MITRE's official file-based cache of the CVE data set. This repository is a community effort to basically implement the same for the NVD data set. It is important to note that this repository is neither endorsed by nor affiliated with the NVD.
  2. It is not the same data. We cache the NVD data set, not MITRE. The NVD synchronizes with MITRE for CVE information. The NVD exists because it adds various metadata to CVE records. Namely, CVSS calculations, further continuously updated technical references, CPEs, and supplementary CWE metadata. While newer CVEs in the MITRE DB contain CWE and CVSS data as well, e.g. CVE-2022-2942, there is a significant amount of items without such info. Yet they are present in the NVD; take Heartbleed's CVE-2014-0160 as an example: compare the bug data in this repo with cvelistV5. One of them contains neither CWE nor CVSS data. Also, MITRE does not incorporate CPEs, which are very convenient for automated version-based matching of affected products.
  3. The format is different. cvelistV5 uses CVE JSON 5.0, this repository caches NVD API 2.0 JSON responses.
  4. Release Packages. This repository releases packages that aim to resemble the Legacy NVD Data Feeds, take a look at our Release Page and compare the downloadable assets :). We wanted a drop-in replacement for said feeds. They are used in several of our software projects. For example FACT.

There are several other differences not mentioned here. However, in my opinion these are the key differences. :-)
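As an added example (not part of this thread or of the repository's own code), the following Python reads one record in the NVD API 2.0 JSON shape that this project caches and pulls out exactly the metadata rhelmke lists: the primary CVSS metric, the CWE identifiers, and the vulnerable CPE criteria used for version matching. The feed content is a constructed sample with illustrative values, not the authoritative NVD record for CVE-2014-0160.

```python
import json
# Constructed sample in the shape of an NVD CVE API 2.0 response, the format this
# repository caches. Values are illustrative, not the authoritative NVD record.
SAMPLE = json.loads("""
{"format": "NVD_CVE", "version": "2.0", "vulnerabilities": [{"cve": {
  "id": "CVE-2014-0160",
  "metrics": {"cvssMetricV31": [{"type": "Primary", "cvssData": {
    "baseScore": 7.5, "baseSeverity": "HIGH",
    "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}]},
  "weaknesses": [{"type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}],
  "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [
    {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:1.0.1:*:*:*:*:*:*:*"},
    {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:1.0.1e:*:*:*:*:*:*:*"},
    {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*"},
    {"vulnerable": false, "criteria": "cpe:2.3:a:openssl:openssl:1.0.1g:*:*:*:*:*:*:*"}
  ]}]}]}}]}
""")

def cve_record(feed, cve_id):
    # Locate the 'cve' object for cve_id inside an API 2.0 style 'vulnerabilities' list.
    for item in feed["vulnerabilities"]:
        if item["cve"]["id"] == cve_id:
            return item["cve"]
    raise KeyError(cve_id)

def cvss_summary(cve):
    """Primary CVSS metric, preferring v3.1; older CVEs may only carry v2."""
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        for m in cve.get("metrics", {}).get(key, []):
            if m.get("type") == "Primary":
                return key, m["cvssData"]["baseScore"], m["cvssData"]["vectorString"]
    return None  # no CVSS data at all, the gap described for MITRE-only records

def cwe_ids(cve):
    """All CWE identifiers the NVD attached to this record."""
    return sorted({d["value"] for w in cve.get("weaknesses", [])
                   for d in w["description"] if d["value"].startswith("CWE-")})

def vulnerable_cpes(cve):
    """CPE 2.3 strings flagged vulnerable in plain OR nodes. AND nodes express
    'running on/with' combinations, and version-range fields are not evaluated here."""
    return [m["criteria"]
            for cfg in cve.get("configurations", []) for node in cfg["nodes"]
            if node["operator"] == "OR" and not node.get("negate")
            for m in node["cpeMatch"] if m["vulnerable"]]

def is_affected(cve, vendor, product, version):
    # Exact match on the vendor, product and version fields: cpe:2.3:part:vendor:product:version:...
    return any(c.split(":")[3:6] == [vendor, product, version] for c in vulnerable_cpes(cve))
```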

rhelmke commented 1 year ago

I hope you don't mind that I pinned this issue. I think this is a very legitimate question to ask :-).