intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0

NVD API 2.0 changes upcoming #4021

Open terriko opened 3 months ago

terriko commented 3 months ago

From the NVD's email:

Removal of restrictions within the /cves/ 2.0 API schema

To enable more flexibility within our API output we need to remove certain restrictions from the existing 2.0 API schemas.

Why does this matter?

All existing API users will need to update to the 2.1.0 /cves/ schema or later. Many systems reference a cached or local version of a schema when performing validation. Since the /cves/ schema prior to 2.1.0 is overly restrictive, any system that references an older version of the schema that contains additionalProperties: false in the locations changed may no longer validate against future 2.0 API output. We plan to begin including new data types within the 2.0 API output in the near future. We advise updating any schema references within the next 30 days.

What changes were made?

Removed additionalProperties: false from the following objects:
• "cve_item"
• "reference"
• "metrics"
Similar information is available at our news page.

I haven't dug into how this will affect us and if we need to make changes, so this is just a reminder to check on it. I don't think off the top of my head that our schema validation check uses a cached copy, but we don't block on schema fails with NVD anyhow because they have a habit of failing those checks already, so at worst I think there will be cranky log messages.

That said, the fact that they're adding metrics is potentially interesting and might fit well with the existing EPSS work.
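The failure mode the NVD notice describes, as an added example that is not code from cve-bin-tool or the NVD: a validator that still holds a cached pre-2.1.0 schema with additionalProperties: false on "metrics" rejects a record as soon as the NVD adds a metric type it has never seen, while the same record passes once that restriction is dropped. The schema fragments, the record, the placeholder CVE id and the cvssMetricNew key are all constructed for illustration (cvssMetricNew stands in for whatever the NVD adds next), and validate() is a deliberately tiny subset of JSON Schema rather than the jsonschema library, so the script runs offline. check_record() logs problems instead of raising, mirroring a validate-but-don't-block policy.

```python
"""Why a cached NVD /cves/ 2.0 schema with additionalProperties: false
breaks once the NVD starts emitting new fields.

Added example, not code from cve-bin-tool or the NVD.  Schemas, record,
CVE id and the 'cvssMetricNew' key are constructed for illustration.
"""
import logging
from typing import Any

log = logging.getLogger("nvd-schema-check")


def validate(instance: Any, schema: dict, path: str = "$") -> list[str]:
    """Tiny JSON Schema subset: type, properties, required, items and
    additionalProperties.  Returns a list of problems instead of raising so
    the caller decides whether schema drift is fatal."""
    problems: list[str] = []
    expected = schema.get("type")
    if expected == "object":
        if not isinstance(instance, dict):
            return [f"{path}: expected object"]
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in instance:
                problems.append(f"{path}: missing required '{key}'")
        for key, value in instance.items():
            if key in props:
                problems += validate(value, props[key], f"{path}.{key}")
            elif schema.get("additionalProperties", True) is False:
                # This is the line that bites: unknown keys are an error.
                problems.append(f"{path}: unexpected property '{key}'")
    elif expected == "array":
        if not isinstance(instance, list):
            return [f"{path}: expected array"]
        for i, item in enumerate(instance):
            problems += validate(item, schema.get("items", {}), f"{path}[{i}]")
    elif expected == "string" and not isinstance(instance, str):
        problems.append(f"{path}: expected string")
    return problems


def metrics_schema(strict: bool) -> dict:
    """Constructed stand-in for the /cves/ 2.0 'metrics' object.
    strict=True mimics a pre-2.1.0 schema (additionalProperties: false);
    strict=False mimics 2.1.0, where that restriction was removed."""
    metric = {"type": "array", "items": {"type": "object"}}
    schema = {
        "type": "object",
        "properties": {"cvssMetricV31": metric, "cvssMetricV2": metric},
    }
    if strict:
        schema["additionalProperties"] = False
    return schema


def cve_item_schema(strict: bool) -> dict:
    """Constructed stand-in for the 'cve_item' object, same strict switch."""
    schema = {
        "type": "object",
        "required": ["id"],
        "properties": {"id": {"type": "string"}, "metrics": metrics_schema(strict)},
    }
    if strict:
        schema["additionalProperties"] = False
    return schema


# Constructed record shaped like an NVD 2.0 cve_item.  The id is a
# placeholder, not a real CVE; 'cvssMetricNew' is a hypothetical new
# metric type of the kind the NVD notice says to expect.
SAMPLE_CVE = {
    "id": "CVE-0000-0000",
    "metrics": {
        "cvssMetricV31": [{"source": "nvd@nist.gov", "cvssData": {"baseScore": 7.5}}],
        "cvssMetricNew": [{"source": "nvd@nist.gov"}],
    },
}


def check_record(record: dict, strict: bool) -> list[str]:
    """Validate without blocking: drift is logged as a warning and the
    record is still processed.  Returns the problems for inspection."""
    problems = validate(record, cve_item_schema(strict))
    for problem in problems:
        log.warning("NVD schema mismatch: %s", problem)
    return problems


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("cached pre-2.1.0 schema:", check_record(SAMPLE_CVE, strict=True))
    print("2.1.0 schema:           ", check_record(SAMPLE_CVE, strict=False))
```

The strict run reports the unknown key under $.metrics and nothing else; the relaxed run reports nothing. Note that dropping additionalProperties: false only removes the rejection of unknown keys: a missing required field (such as id) is still flagged under both schemas, so the check keeps catching genuinely malformed records while tolerating the NVD adding data.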

terriko commented 3 months ago

Todo: