TURROKS/CVE_Prioritizer

Add an NVD alternative?

Closed this issue · 7 comments

Hi Mario,

Hoping you are well.

I guess probably yes, but I don't know if you are aware of the current issues with NVD and their work on CVE enrichment:
https://resilientcyber.substack.com/p/death-knell-of-the-nvd
https://www.linkedin.com/pulse/security-industry-depends-nvd-patrick-garrity--jwq9c/?trackingId=PRZ4EL%2FWSCmvYIvc0Fg%2F2g%3D%3D
https://www.infosecurity-magazine.com/news/nist-vulnerability-database/
https://anchore.com/blog/national-vulnerability-database-opaque-changes-and-unanswered-questions/

"Over the past month, the security industry has experienced the impact on this critical resource, specifically the sharp reduction in CVE publication and enrichment, e.g., missing common platform enumerations (CPEs) which inform the public of which products and versions are affected by the Common Vulnerability Enumeration (CVE)."

"Since February 12, 2024, NIST has almost completely stopped enriching software vulnerabilities listed in its National Vulnerability Database (NVD), the world's most widely used software vulnerability database. Failure to enrich the CVEs means that over 2500 vulnerabilities added to the database have been uploaded without crucial metadata information."

Having said that... if this issue still persists in time, are you able to consider adding support for an alternative source of information? Example: OSV or the GSD Database from the Cloud Security Alliance (CSA):

https://osv.dev/

https://github.com/cloudsecurityalliance/gsd-database/tree/main
https://gsd.id/getting-started

Thanks as always for your work.

N.

Also adding another screenshot:

(screenshot: Capture)

Hi @dr4lekhine, thanks for raising this. I think we are all concerned about NIST's delays. I'm considering using VulnCheck's NVD++; I will take a look at the other alternatives you listed as well.

Thanks Mario!

I recently also discovered VulnCheck but didn't notice that it could be a kind of replacement for NVD :O [Hoping they can maintain such a resource free, non-paid].

Also leaving here some resources and code examples (although they are in Golang) that might help you with the implementation of the VulnCheck API in CVE Prioritizer:

https://rud.is/b/2024/03/23/vulnchecks-free-community-kev-cve-apis-code-golang-cli-utility/
https://codeberg.org/hrbrmstr/vccve

Regards.

@dr4lekhine I have added NVD++ as an alternative source of CVE data; here are the instructions:

  1. Request your API keys to avoid public rate limits.
    • NIST NVD: Free API can be requested here
    • VULNCHECK (Fast): Register here, Settings > New Token.
    • Save APIs: use the -sa or --set-api option to save your API Keys in your environment file (.env)
  2. Select your CVE Data source
    • NIST NVD: This is the default source.
    • NVD++: VulnCheck's NVD2 solves NIST's API challenges with a reliable, persistent
      connection to their Community NVD 2.0 API that operates at machine speed. Use -vc or --vulncheck to select this source.

Please let me know if it works for you; I've tested it on both Linux and Windows.

Thanks Mario!

I have just checked on an Ubuntu WSL with a list of almost 100 CVEs of 2024, and it seems to be working well. The VulnCheck API is super fast!

Anyway, and just in case, with a larger list of CVEs (+3000) I'm receiving some errors regarding "Error connecting to EPSS":

(screenshot)

But EPSS seems to be still calculated...

(screenshot)

Not sure if the speed of these VulnCheck API requests could also cause some issues with the EPSS API. Please find attached the full list of CVEs (+3000) for your testing.
Large_list_CVE.txt

The parameters that I had used are:

python3 cve_prioritizer.py -v --vulncheck -f Large_list_CVE.txt -o out2.csv

Thanks @dr4lekhine, you are 100% right; unfortunately it looks like EPSS cannot keep up with VulnCheck's API speed. I have updated the throttle time to avoid this issue, and I ran the script on the Large_list_CVE.txt with no issues. It should still be 75% faster than using NIST.
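The failure mode discussed above (a fast upstream source producing CVE IDs faster than the EPSS API will accept lookups, surfacing as "Error connecting to EPSS") is usually handled by batching IDs per request, spacing requests by a minimum interval, and retrying transient connection errors with backoff. The following is an added illustration of that pattern, not CVE_Prioritizer's own code or Mario's actual fix. It assumes the public FIRST EPSS endpoint (https://api.first.org/data/v1/epss), which accepts a comma-separated list of IDs in the `cve` query parameter and answers with a `data` list of `{"cve", "epss", "percentile", ...}` rows. The class and function names (`ThrottledEpssClient`, `FakeEpssServer`, `FakeClock`, `run_demo`), the fake server that fails its first call, and the `CVE-2024-000NN` IDs are all constructed for the demo so it runs offline.

```python
"""Throttled, batched EPSS lookup with retry on transient connection errors.

Added example (not CVE_Prioritizer's code). The HTTP transport and the clock
are injected so the demo below runs offline against a constructed fake server.
"""
import time
from typing import Callable, Dict, List, Optional

EPSS_URL = "https://api.first.org/data/v1/epss"  # public FIRST EPSS endpoint


def chunk(items: List[str], size: int) -> List[List[str]]:
    """Split a list into consecutive batches of at most `size` elements."""
    return [items[i:i + size] for i in range(0, len(items), size)]


class ThrottledEpssClient:
    """Look up EPSS scores in batches, keeping at least `min_interval` seconds
    between requests and retrying ConnectionError with exponential backoff."""

    def __init__(self, fetch: Callable[[str, Dict[str, str]], dict],
                 batch_size: int = 100, min_interval: float = 0.5,
                 max_retries: int = 3, clock=time.monotonic, sleep=time.sleep):
        self.fetch = fetch            # transport: fetch(url, params) -> parsed JSON
        self.batch_size = batch_size
        self.min_interval = min_interval
        self.max_retries = max_retries
        self.clock = clock
        self.sleep = sleep
        self._last_request: Optional[float] = None

    def scores(self, cve_ids: List[str]) -> Dict[str, float]:
        """Return {cve_id: epss_score}; IDs the API does not know are absent."""
        results: Dict[str, float] = {}
        for batch in chunk(sorted(set(cve_ids)), self.batch_size):
            payload = self._fetch_with_retry(batch)
            for row in payload.get("data", []):
                if "cve" in row and "epss" in row:
                    results[row["cve"]] = float(row["epss"])
        return results

    def _fetch_with_retry(self, batch: List[str]) -> dict:
        attempt = 0
        while True:
            self._throttle()
            try:
                return self.fetch(EPSS_URL, {"cve": ",".join(batch)})
            except ConnectionError:
                attempt += 1
                if attempt > self.max_retries:
                    raise
                # Back off 2x, 4x, 8x the base interval before retrying.
                self.sleep(self.min_interval * (2 ** attempt))

    def _throttle(self) -> None:
        """Sleep just long enough to honour min_interval between requests."""
        now = self.clock()
        if self._last_request is not None:
            gap = self.min_interval - (now - self._last_request)
            if gap > 0:
                self.sleep(gap)
        self._last_request = self.clock()


def requests_fetch(url: str, params: Dict[str, str]) -> dict:
    """Real transport for live use (needs the `requests` package). requests'
    ConnectionError is not the builtin one, so translate it for the retry loop."""
    import requests
    try:
        resp = requests.get(url, params=params, timeout=30)
    except requests.exceptions.ConnectionError as exc:
        raise ConnectionError(str(exc)) from exc
    resp.raise_for_status()
    return resp.json()


class FakeEpssServer:
    """Constructed stand-in for the EPSS API: the first call raises, as in the
    thread's error, and every later call answers with a fixed score."""

    def __init__(self, failures_before_success: int = 1):
        self.failures_left = failures_before_success
        self.calls = 0

    def __call__(self, url: str, params: Dict[str, str]) -> dict:
        self.calls += 1
        if self.failures_left > 0:
            self.failures_left -= 1
            raise ConnectionError("simulated: Error connecting to EPSS")
        ids = params["cve"].split(",")
        return {"data": [{"cve": c, "epss": "0.01234", "percentile": "0.50"} for c in ids]}


class FakeClock:
    """Simulated clock so the demo's sleeps take no wall time."""

    def __init__(self):
        self.now = 0.0

    def time(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def run_demo():
    """250 constructed IDs -> 3 batches; 1 simulated failure -> 4 requests."""
    cve_ids = [f"CVE-2024-{n:05d}" for n in range(1, 251)]  # constructed, not real CVEs
    server, clock = FakeEpssServer(), FakeClock()
    client = ThrottledEpssClient(server, batch_size=100, min_interval=0.5,
                                 clock=clock.time, sleep=clock.sleep)
    results = client.scores(cve_ids)
    return results, server.calls, clock.now


if __name__ == "__main__":
    scores, calls, elapsed = run_demo()
    print(f"{len(scores)} scores via {calls} requests, {elapsed:.1f}s simulated")
```

In live use you would pass `requests_fetch` as the transport and the real `time.monotonic`/`time.sleep`; raising `batch_size` is what reduces request count most, while `min_interval` is the knob that corresponds to the throttle time mentioned above.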

I just tried again with the large list, and no issues at all ;) Kudos, great work buddy!