victims / victims-cve-db

CVE database store

Question on whether we should populate older CVE entries #80

Open cplvic opened 7 years ago

cplvic commented 7 years ago

Looking at this link: https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-6117/Apache-Struts.html

It's clear that CVE-2017-5638 (already entered) is so severe that it trumps any prior entry. But in many cases, security teams will evaluate and look at mitigations. If the database is not fully populated, they may risk-accept a newer vulnerability and never know about an older one. For Victims to be truly useful, it should approach 100% accuracy imho. But that depends. @jasinner, is the idea of this tool to be a quick supplement to a primary-use tool?

jasinner commented 7 years ago

Hi @cplvic, I would say Victims is more of a primary-use tool for Java applications. I would like to see every CVE in there. We have a tool here which compares CVEs published by Red Hat with what's in the Victims Database. I worked through many of the latest reports and added them to Victims, but there are still many older ones that haven't been added yet. Unfortunately I haven't had the time to revisit the older CVEs yet, but would be happy if someone would like to contribute reports for those. The good thing about Victims is that it's already been in use for 10 years, so we do have quite a few older CVE entries. Also, thanks to valuable contributions from people like yourself, we are capturing many of the latest reports as well. Keep up the good work! Jason

ashcrow commented 7 years ago

I agree with @jasinner. I'd welcome the inclusion of older CVEs, but it hasn't been a priority in the past (mainly due to time).

cplvic commented 7 years ago

Cool, I'll check out the script.

cplvic commented 7 years ago

Follow-on question: we use cvssv2 scores today. Any thoughts on including v3 as well?

ashcrow commented 7 years ago

@cplvic I welcome the addition, though we'd probably start using it in the next iteration of the API.