Closed zetaab closed 4 years ago
I'd be interested in having a crack at this. I noticed mention of licensing terms on #591 . Is that something I should worry about here? What kind of licences are acceptable for sources?
@zetaab What exactly did you have in mind here? I have already written the XML parser to consume the files like https://cve.mitre.org/data/downloads/allitems-cvrf-year-2019.xml. However, I had a look at the NVD vulnmdsrc implementation and it pulls in a lot of metrics about the vulnerabilities.
The Mitre feed does not really offer those. The most useful data in the Mitre feed seem to be the reference URLs. So, my idea was to return just a list of URLs along with "unknown severity" (because it is unavailable from the feed). Does that make any sense? If not, could you elaborate what you had in mind instead?
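The approach described in the comment above, as an added example that is not part of the original thread and not Clair's own code: a streaming Go parser for the CVRF feed layout that returns, per CVE, the de-duplicated reference URLs with the severity fixed at "unknown" because the feed carries no score. The XML is a constructed sample in the shape of the MITRE `allitems-cvrf` file (CVE ids and URLs are placeholders), and the type and function names (`vulnerability`, `metadata`, `parseMitreRefs`) are assumptions of this example, not Clair's vulnmdsrc API.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Constructed sample mirroring the CVRF 1.1 layout of the MITRE yearly feed:
// each <Vulnerability> carries a <CVE> id and a <References> list. The ids and
// URLs are placeholders; the third entry has no id to exercise the skip path.
const sampleCVRF = `<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle>Constructed CVRF sample</DocumentTitle>
  <Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
    <Title>CVE-2019-00001</Title>
    <CVE>CVE-2019-00001</CVE>
    <References>
      <Reference><URL>https://example.invalid/advisory/1</URL><Description>MISC:advisory</Description></Reference>
      <Reference><URL>https://example.invalid/advisory/1</URL><Description>CONFIRM:duplicate</Description></Reference>
      <Reference><URL>https://example.invalid/patch/1</URL><Description>MISC:patch</Description></Reference>
    </References>
  </Vulnerability>
  <Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
    <Title>CVE-2019-00002</Title>
    <CVE>CVE-2019-00002</CVE>
    <References/>
  </Vulnerability>
  <Vulnerability Ordinal="3" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
    <Title>entry without an id</Title>
    <CVE></CVE>
  </Vulnerability>
</cvrfdoc>`

// vulnerability maps only the fields needed for reference-URL metadata.
// encoding/xml matches local names regardless of namespace when the tag
// carries no namespace, so the vuln/1.1 default namespace needs no handling.
type vulnerability struct {
	CVE        string `xml:"CVE"`
	References []struct {
		URL string `xml:"URL"`
	} `xml:"References>Reference"`
}

// metadata is what the source would hand back: the feed has no CVSS data,
// so Severity is always "unknown" and the value lies in the URLs.
type metadata struct {
	Severity string
	URLs     []string
}

// parseMitreRefs walks the document token by token and decodes one
// <Vulnerability> at a time, so the multi-hundred-megabyte yearly files are
// never held in memory as a whole tree.
func parseMitreRefs(r io.Reader) (map[string]metadata, error) {
	dec := xml.NewDecoder(r)
	out := make(map[string]metadata)
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return nil, err
		}
		se, ok := tok.(xml.StartElement)
		if !ok || se.Name.Local != "Vulnerability" {
			continue
		}
		var v vulnerability
		if err := dec.DecodeElement(&v, &se); err != nil {
			return nil, err
		}
		id := strings.TrimSpace(v.CVE)
		if id == "" {
			continue // an entry without a CVE id cannot be keyed; skip it
		}
		seen := make(map[string]bool)
		var urls []string
		for _, ref := range v.References {
			u := strings.TrimSpace(ref.URL)
			if u == "" || seen[u] {
				continue // drop empty and repeated URLs
			}
			seen[u] = true
			urls = append(urls, u)
		}
		out[id] = metadata{Severity: "unknown", URLs: urls}
	}
}

func main() {
	meta, err := parseMitreRefs(strings.NewReader(sampleCVRF))
	if err != nil {
		panic(err)
	}
	for id, m := range meta {
		fmt.Printf("%s severity=%s refs=%v\n", id, m.Severity, m.URLs)
	}
}
```

The streaming loop is the part worth keeping if this were adapted to a real source: a DOM decode of the yearly feed would pin a lot of memory in the updater for data of which only the id and the URL list are used.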
@jzelinskie The issue actually suggests using Mitre as a vuln source. However, you have tagged the ticket as a vuln metadata source. As there is little available in terms of parsable metrics included in the feed, that makes sense to me. However, what was it you wanted this source to add in terms of value?
As I have not had any reply as to what metadata would be useful, I have gone ahead and made a pull request with an implementation which adds the reference URLs as new metadata.
Please take this pull request as a suggestion which I am more than willing to discuss. It largely follows the NVD driver but I am planning to increase the test coverage which (despite being better than in the NVD driver) is a bit low.
We’re declaring bug bankruptcy as part of the release process for a new major version of Clair. Please open a ticket in our issue tracker if you feel this still needs to be addressed, and we'll triage as part of our v4 development process. Thanks!
It would be nice to see https://cve.mitre.org/ as a vuln source