fkie-cad / nvd-json-data-feeds

Community reconstruction of the legacy JSON NVD Data Feeds. This project uses and redistributes data from the NVD API but is neither endorsed nor certified by the NVD.

Date-time fields are missing the default time offset #9

Closed ostefano closed 8 months ago

ostefano commented 9 months ago

The NVD JSON schema https://csrc.nist.gov/schema/nvd/api/2.0/cve_api_json_2.0.schema defines the date-time as timezone-aware as per https://datatracker.ietf.org/doc/html/rfc3339#section-5.6.

However, the JSON stored in this project is missing the default time offset "Z".

rhelmke commented 8 months ago

Hey Stefano,

you are right. This is something I stumbled upon as well during implementation (because nobody likes timezone unawareness). Yet I didn't bother to check out the schema. They, indeed, refer to date-time.

Take a look at this NVD API response: the NVD endpoints don't emit timezone-aware offsets either; this is how the incomplete format snuck into our repo.

We have to carefully think about fixing this issue. This would mean we have to manipulate the timestamps of all CVEs. Even if it is only a small change, it is still a deviation from the NVD API responses. I'll bring it up tomorrow and will catch up later on :-).

ostefano commented 8 months ago

@rhelmke oh, I am fully aware of the issues :) and I am perfectly fine if the decision is to not manipulate the data.

I guess this should be an NVD bug then?

Totally unrelated, I noticed "CVE-2023-41036" has a URL tagged broken, but that is happening only because the scheme is missing an "h". NVD or FKIE bug?

rhelmke commented 8 months ago

Tell me about it. We stumbled over some CVEs that got changed last year but did not receive a new modified value. This is dangerous as the official way to establish consistency between local copies and the NVD relies on these timestamps.

I suppose the timestamp quirk should ultimately be fixed by the NVD. But we'll still discuss it 🙂

As for the broken URL: the URL strings are also limited by the JSON schema through regex. This shouldn't happen, but it appears that the NVD doesn't validate their URL scheme. These inconsistencies are also the reason why we don't validate the schema.

ostefano commented 8 months ago

@rhelmke as a positive spin, I validated all CVE files against the provided schema and besides the aforementioned issues, everything checks out 👍

rhelmke commented 8 months ago

Hey @ostefano,

as for now we will not introduce any changes to the data in this repository - it is supposed to be a mirror :-). But we will certainly approach the NVD about this issue. If they introduce zone data, we are happy to rebuild the whole cache and flush the timestamp changes to this repo.

Thanks!
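Since the repository stays a byte-for-byte mirror, the missing offset has to be handled on the consumer side. The following is an added example (not code from this project or the NVD) that classifies a feed timestamp as RFC 3339 with offset, offset-less as described in this thread, or invalid, and normalizes the offset-less form. It assumes the offset-less values are UTC and that the relevant CVE fields are named `published` and `lastModified`; both are assumptions made here, not facts stated in the thread.

```python
import re
from datetime import datetime, timezone

# RFC 3339 date-time: full-date "T" partial-time followed by a mandatory
# offset, either "Z" or +hh:mm / -hh:mm (RFC 3339 section 5.6).
RFC3339_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$"
)
# The form reported in this thread: same layout, but no offset at all.
NAIVE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?$")

# Field names assumed for the cve_api_json_2.0 CVE object (assumption).
DATE_FIELDS = ("published", "lastModified")


def classify_timestamp(value: str) -> str:
    """Return 'rfc3339', 'naive' (offset missing) or 'invalid'."""
    if RFC3339_RE.match(value):
        return "rfc3339"
    if NAIVE_RE.match(value):
        return "naive"
    return "invalid"


def normalize_timestamp(value: str) -> str:
    """Return the value with an explicit offset; naive values get 'Z'.
    Treating naive values as UTC is an assumption, not schema-mandated."""
    kind = classify_timestamp(value)
    if kind == "invalid":
        raise ValueError(f"not an RFC 3339 date-time: {value!r}")
    return value if kind == "rfc3339" else value + "Z"


def to_aware_datetime(value: str) -> datetime:
    """Parse into a timezone-aware datetime (naive input assumed UTC)."""
    normalized = normalize_timestamp(value)
    # fromisoformat() before Python 3.11 does not accept a trailing "Z".
    return datetime.fromisoformat(normalized.replace("Z", "+00:00"))


def audit_record(cve: dict) -> dict:
    """Map each present date field of one CVE object to its classification."""
    return {f: classify_timestamp(cve[f]) for f in DATE_FIELDS if f in cve}


# Constructed sample record, not taken from the NVD feed.
SAMPLE_CVE = {
    "id": "CVE-0000-0000",
    "published": "2023-08-24T12:00:00.000",
    "lastModified": "2023-08-24T12:00:00.000Z",
}
```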