
cve list by API #530

@grooverdan


NIST has a couple of APIs that can be used to fetch CVE information for a product, and then information from the CVE.

The CPE (product) API is described at https://csrc.nist.gov/CSRC/media/Projects/National-Vulnerability-Database/documents/web%20service%20documentation/Automation%20Support%20for%20CPE%20Retrieval.pdf

An example request would be:

These should be easy enough to match to a product.

CVE look up is https://csrc.nist.gov/CSRC/media/Projects/National-Vulnerability-Database/documents/web%20service%20documentation/Automation%20Support%20for%20CVE%20Retrieval.pdf

CVE REST lookup example:

https://services.nvd.nist.gov/rest/json/cve/1.0/CVE-2021-2056

With this information:

  • is doing an online lookup acceptable?
  • do you want to use this to populate the vulnerabilities.csv? (or could this interface be deprecated)
  • what would you like the report format to look like?

Which Perl modules for web fetching and JSON are acceptable to add as a dependency (can make them optional of course)?
