Closed ostefano closed 8 months ago
Hey Stefano,
you are right. This is something I stumbled upon as well during implementation (because nobody likes timezone unawareness). Yet I didn't bother to check out the schema. They, indeed, refer to date-time.
Take a look at this NVD API response: the NVD endpoints don't emit timezone-aware offsets either - this is how the incomplete format snuck into our repo.
We have to carefully think about fixing this issue. This would mean we have to manipulate the timestamps of all CVEs. Even if it is only a small change, it is still a deviation from the NVD API responses. I'll bring it up tomorrow and will catch up later on :-).
@rhelmke oh, I am fully aware of the issues :) and I am perfectly fine if the decision is to not manipulate the data.
I guess this should be an NVD bug then?
Totally unrelated, I noticed "CVE-2023-41036" has a URL tagged broken, but that is happening only because the scheme is missing an "h". NVD or FKIE bug?
Tell me about it. We stumbled over some CVEs that got changed last year but did not receive a new modified value. This is dangerous as the official way to establish consistency between local copies and the NVD relies on these timestamps.
I suppose the timestamp quirk should ultimately be fixed by the NVD. But we'll still discuss it 🙂
As for the broken URL: the URL strings are also limited by the JSON schema through regex. This shouldn't happen, but it appears that the NVD doesn't validate their URL scheme. These inconsistencies are also the reason why we don't validate the schema.
@rhelmke as a positive spin, I validated all CVE files against the provided schema and besides the aforementioned issues, everything checks out 👍
Hey @ostefano,
as for now we will not introduce any changes to the data in this repository - it is supposed to be a mirror :-). But we will certainly approach the NVD about this issue. If they introduce zone data, we are happy to rebuild the whole cache and flush the timestamp changes to this repo.
Thanks!
The NVD JSON schema https://csrc.nist.gov/schema/nvd/api/2.0/cve_api_json_2.0.schema defines the date-time as timezone aware as per https://datatracker.ietf.org/doc/html/rfc3339#section-5.6
However, the JSON stored in this project is missing the default time offset "Z".
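A consumer-side consistency check for the two quirks discussed in this thread (timestamps without an RFC 3339 offset and reference URLs with a broken scheme), as an added example that is not code from this repository or from the NVD. It assumes the NVD API 2.0 response layout (`vulnerabilities[].cve` with `published`, `lastModified` and `references[].url`) and uses a constructed sample feed with placeholder CVE ids.

```python
import json
import re

# RFC 3339 section 5.6 "date-time" must end in a UTC offset: "Z" or +hh:mm/-hh:mm.
# The NVD 2.0 schema points published / lastModified at that definition.
RFC3339_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$"
)
TIMESTAMP_KEYS = ("published", "lastModified")
ALLOWED_SCHEMES = ("http://", "https://")


def check_cve(cve: dict) -> list[str]:
    """Return consistency findings for one CVE object in NVD API 2.0 layout."""
    findings = []
    cve_id = cve.get("id", "<unknown>")
    for key in TIMESTAMP_KEYS:
        value = cve.get(key)
        if value is not None and not RFC3339_RE.match(value):
            findings.append(f"{cve_id}: {key}={value!r} lacks an RFC 3339 UTC offset")
    for ref in cve.get("references", []):
        url = ref.get("url", "")
        if not url.startswith(ALLOWED_SCHEMES):
            findings.append(f"{cve_id}: reference {url!r} has a malformed URL scheme")
    return findings


def check_feed(raw_json: str) -> list[str]:
    """Check a raw NVD 2.0 response body: {"vulnerabilities": [{"cve": {...}}]}."""
    findings = []
    for entry in json.loads(raw_json).get("vulnerabilities", []):
        findings.extend(check_cve(entry["cve"]))
    return findings


# Constructed sample feed (not real NVD data): the first entry has naive
# timestamps and a reference URL missing the leading "h"; the second is clean.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001",
             "published": "2023-08-22T19:15:00.000",
             "lastModified": "2023-08-22T19:15:00.000",
             "references": [{"url": "ttps://example.invalid/advisory"}]}},
    {"cve": {"id": "CVE-0000-0002",
             "published": "2023-08-22T19:15:00.000Z",
             "lastModified": "2023-08-23T10:00:00+02:00",
             "references": [{"url": "https://example.invalid/advisory"}]}},
]})

if __name__ == "__main__":
    for finding in check_feed(SAMPLE_FEED):
        print(finding)
```

Running it over a real mirror directory is a matter of feeding each file's contents to `check_feed`; a naive timestamp is flagged rather than silently parsed, since guessing its offset is exactly the ambiguity the thread is about.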