nilp0inter / cpe

CPE: Common Platform Enumeration for Python
GNU Lesser General Public License v3.0

Process JSON configurations nodes from NVD #42

Closed donpellegrino closed 1 year ago

donpellegrino commented 4 years ago

Use Case

Determine if an NVD CVE configuration applies to a given CPE. Determine which NVD CVEs are applicable to a given CPE.

Background

The NVD Vulnerability Feeds are no longer provided in XML. They are now only provided in JSON (https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement). Each vulnerability includes a "configurations" node in JSON. The configuration nodes seem to have the same data model as the XML CPE Applicability Language used by the CPE library (https://cpe.readthedocs.io/en/latest/examples.html#language-matching). However, users of the CPE library will need to write custom code to translate between NVD JSON configurations and CPE Applicability Language XML.

Enhancement

It seems that it would be generally useful if the CPELanguage classes accepted the JSON used in the NVD CVE configurations nodes instead of just XML.
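
The use case described in this issue, as an added example that is not part of the thread and is not code from the cpe library: a standard-library evaluator that walks an NVD JSON `configurations` node tree and decides whether it applies to a set of installed CPEs. The field names (`nodes`, `operator`, `negate`, `children`, `cpe_match`, `cpe23Uri`) are assumed from the NVD JSON 1.1 feed schema, the sample products are constructed, and version-range fields and escaped colons in CPE strings are not handled.

```python
import json

# Constructed sample shaped like an NVD JSON 1.1 "configurations" object.
# Field names are assumed from that schema; vendors and products are made up.
SAMPLE = json.loads("""
{"nodes": [{"operator": "AND", "children": [
  {"operator": "OR", "cpe_match": [
    {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:examplecorp:widget:1.0:*:*:*:*:*:*:*"},
    {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:examplecorp:widget:1.1:*:*:*:*:*:*:*"}]},
  {"operator": "OR", "cpe_match": [
    {"vulnerable": false, "cpe23Uri": "cpe:2.3:o:exampleos:exampleos:*:*:*:*:*:*:*:*"}]}
]}]}
""")


def cpe_matches(pattern, target):
    """Simplified CPE 2.3 match: each pattern attribute is '*' (ANY) or equal.

    Splits on ':' only, so names containing escaped colons are not supported.
    """
    p, t = pattern.lower().split(":"), target.lower().split(":")
    if len(p) != 13 or len(t) != 13 or p[:2] != ["cpe", "2.3"]:
        raise ValueError("expected a 13-field CPE 2.3 formatted string")
    return all(a == "*" or a == b for a, b in zip(p[2:], t[2:]))


def node_applies(node, installed):
    """Evaluate one node: AND/OR over its cpe_match entries and child nodes."""
    # Version-range keys on a cpe_match entry are ignored here, which can
    # only over-report applicability, never hide a match.
    results = [any(cpe_matches(m["cpe23Uri"], c) for c in installed)
               for m in node.get("cpe_match", [])]
    results += [node_applies(ch, installed) for ch in node.get("children", [])]
    if not results:
        return False
    combine = all if node.get("operator", "OR").upper() == "AND" else any
    outcome = combine(results)
    return (not outcome) if node.get("negate") else outcome


def configuration_applies(configurations, installed):
    """The CVE applies if any top-level node evaluates to true."""
    return any(node_applies(n, installed)
               for n in configurations.get("nodes", []))
```

The `vulnerable` flag is deliberately not used in the match: an entry marked `false` still has to be present for an `AND` node to hold, it only says that the platform itself is not the vulnerable component.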

nilp0inter commented 4 years ago

Is the new JSON format a one-to-one translation of the old XML format?