Why not use the NIST API for CVE generation?

oasis-open / cti-stix-common-objects

OASIS Cyber Threat Intelligence (CTI) TC: A repository for commonly used STIX objects in order to avoid needless duplication. https://github.com/oasis-open/cti-stix-common-objects

BSD 3-Clause "New" or "Revised" License

79 stars 36 forks source link

Why not use the NIST API for CVE generation? #77

Open elemendar-syra opened 2 weeks ago

elemendar-syra commented 2 weeks ago

As per https://nvd.nist.gov/developers/start-here I believe it would be easy to integrate updating CVEs using that rather than how the current build script does it, from what I can see. Again, happy to implement in a branch (obviously if you're then building and publishing daily you'd need to handle the CI/CD side with an API key)

adulau commented 2 weeks ago

We provide a multi-source (including NVD) vulnerability database where the API is documented there https://vulnerability.circl.lu/doc

You can easily query NVD for example, this way: https://vulnerability.circl.lu/last/nvd/1 and many other sources.

To describe other vulnerabilities in STIX 2.1, an extension would be required to support the different sources. Maybe @chrisr3d as some ideas for potential extensions.