Official way to synchronize the JSON 5.0 feeds #16

Closed
ncrocfer opened this issue Mar 26, 2023 · 1 comment
Labels
question Further information is requested


ncrocfer commented Mar 26, 2023

Hello,

First of all, thank you for the awesome work you do concerning the CVE ecosystem!

I'm the developer of a CVE-related tool, and I would like to add the MITRE in my sources (instead of only relying on NVD for now). But to be honest I don't really know how to parse your feed.

So I would like to ask you the official and recommended way to synchronize our local databases with the new JSON 5.0 CVE list.

I searched on your blog posts and if I'm not wrong you're currently in "Soft Deploy" state, meaning CNAs now use the new format to declare CVEs. The "Hard Deploy" is targeted for 1st QT, 2023. At this moment we (as consumers) will be able to officially use the JSON 5.0 feeds.

But where to find the list please? I think the old format (csv, html, text, xml) will be removed, so maybe you will provide an API (or something similar as the NVD does) to fetch the last changes?

Or maybe this current repo (cveproject/cvelistv5) will become our official data feeds? If yes do you recommend to use the recent_activities.json file to detect the changes or simply periodically git pull and parse the new diffs?

Thank you in advance for your answer,
Nicolas

@hkong-mitre
Collaborator

As of 3/28/2023, this repository is now the official way to download/update all published CVEs from the official CVE Project. You can think of it as a cache that is updated multiple times an hour.

There are now 3 methods to download/sync the CVEs:

  1. If you are comfortable with using git, use any git client and git clone https://github.com/CVEProject/cvelistV5.git as you would any GitHub repository. The initial git clone is quite large (about 1.7 GB), but each successive git pull will quickly update your local clone. This is the preferred approach and can be easily automated.
  2. If you prefer to use zip, use this repository's Releases Page where you can choose to download a "baseline" zip containing all CVEs at midnight (GMT), an hourly zip containing all new/updated CVEs since midnight (GMT), and/or a release note enumerating all the new/updated CVEs since midnight (GMT). This approach uses about 1.5 GB of storage. Use this method if you need a daily sync (e.g., at or close to midnight GMT every night) or hourly syncs throughout the day.
  3. If you want to download all current CVEs infrequently, use GitHub's "Download Zip" link. This downloads all of the current CVEs in a single large zip file. This method is not recommended for sync purposes, since it always downloads all CVEs each time.

@hkong-mitre hkong-mitre added good first issue Good for newcomers question Further information is requested labels Apr 3, 2023
@hkong-mitre hkong-mitre pinned this issue Apr 3, 2023
@hkong-mitre hkong-mitre removed the good first issue Good for newcomers label Apr 3, 2023
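
Method 1 from the answer above (clone once, then `git pull`) can be automated so that each run also reports which CVE records changed. This is an added example, not part of the original thread or of the CVE Project's tooling; the function name `sync_cve_clone`, the origin check and the `CVE-*.json` file-name filter are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example: incremental sync of a local CVE list clone.
# sync_cve_clone is a hypothetical helper, not CVE Project code.
#
# Usage: sync_cve_clone <clone_dir> <expected_origin_url>
# Fast-forwards the clone and prints one line per changed CVE record,
# "<status><TAB><path>" with status A (added), M (modified) or D (deleted).
sync_cve_clone() {
    local dir="$1" expected="$2" origin old new

    # Refuse to sync if the clone points at an unexpected remote
    # (for example after someone edited .git/config).
    origin=$(git -C "$dir" remote get-url origin) || return 1
    if [ "$origin" != "$expected" ]; then
        echo "origin is '$origin', expected '$expected'" >&2
        return 2
    fi

    old=$(git -C "$dir" rev-parse HEAD) || return 1

    # --ff-only fails instead of creating a merge if the local clone and
    # upstream history have diverged, so the mirror never silently drifts.
    if ! git -C "$dir" pull --quiet --ff-only; then
        echo "pull was not a fast-forward; inspect the clone before re-syncing" >&2
        return 3
    fi

    new=$(git -C "$dir" rev-parse HEAD) || return 1
    if [ "$old" = "$new" ]; then
        return 0   # nothing new since the last sync
    fi

    # Limit the report to CVE record files (assumed naming: CVE-*.json);
    # other repository files are ignored.
    git -C "$dir" diff --name-status --no-renames "$old" "$new" -- '*CVE-*.json'
}
```

Run from a scheduler, the output can be fed straight into the step that re-parses only the listed records, for example `sync_cve_clone /srv/cvelistV5 https://github.com/CVEProject/cvelistV5.git` (the local path is a placeholder).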