From e3fd26337b78371940df20d5a5a2ddfab6d5e8a4 Mon Sep 17 00:00:00 2001
From: akshatgokul <35228810+akshatgokul@users.noreply.github.com>
Date: Mon, 25 Dec 2023 21:41:43 +0530
Subject: [PATCH 1/4] fix: deprecate NVD api and failover to NVD api2

---
 cve_bin_tool/cli.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/cve_bin_tool/cli.py b/cve_bin_tool/cli.py
index 2c034219f1..1021e10945 100644
--- a/cve_bin_tool/cli.py
+++ b/cve_bin_tool/cli.py
@@ -548,6 +548,10 @@ def main(argv=None):
     if args["nvd"] == "json":
         args["nvd"] = "json-mirror"
     nvd_type = args["nvd"]
+    if nvd_type == "api":
+        LOGGER.warning(f"API 1.0 is deprecated, switching to API 2.0")
+        nvd_type = "api2"
+
     # If NVD API key is not set, check for environment variable (e.g. GitHub Secrets)
     if not args["nvd_api_key"] and os.getenv("nvd_api_key"):
         args["nvd_api_key"] = os.getenv("nvd_api_key")
@@ -558,9 +562,10 @@ def main(argv=None):
 
     if args["nvd_api_key"]:
         if nvd_type != "api2":
-            LOGGER.debug(f"{nvd_type} - changing to api. API Key {args['nvd_api_key']}")
-            nvd_type = "api"
-
+            LOGGER.debug(
+                f"{nvd_type} - changing to api2. API Key {args['nvd_api_key']}"
+            )
+            nvd_type = "api2"
     # If you're not using an NVD key, let you know how to get one
     if nvd_type == "json-nvd" and not args["nvd_api_key"] and not args["offline"]:
         LOGGER.info("Not using an NVD API key. Your access may be rate limited by NVD.")

From 51fc5e843ba2d691c2693dd0df4811c0fe2fc6ea Mon Sep 17 00:00:00 2001
From: akshatgokul <35228810+akshatgokul@users.noreply.github.com>
Date: Mon, 25 Dec 2023 22:03:56 +0530
Subject: [PATCH 2/4] docs: update --nvd for NVD API 1.0 deprecation

---
 doc/MANUAL.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/MANUAL.md b/doc/MANUAL.md
index a19d832e59..5a6e45e332 100644
--- a/doc/MANUAL.md
+++ b/doc/MANUAL.md
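Review bot: The new api-to-api2 rewrite in the first hunk updates only the local `nvd_type`, while the `json` fallback two lines above it rewrites `args["nvd"]` itself before `nvd_type` is read from it. If anything later in main() consults `args["nvd"]` rather than `nvd_type` (not visible in this hunk), it will still see the deprecated value; mirroring the existing pattern with `args["nvd"] = "api2"` next to `nvd_type = "api2"` keeps the two in step. The warning would also be more actionable if it named the option the user should change, e.g. `LOGGER.warning("--nvd api (NVD API 1.0) is deprecated, switching to api2")`. main() begins and ends outside the hunk.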
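Review bot: The rewrapped debug line in the second hunk still interpolates the NVD API key into the log message via `API Key {args['nvd_api_key']}`, so the credential lands in any debug log or CI output that is captured, and the commit touches this exact line without removing it. A message such as `f"{nvd_type} - changing to api2 (NVD API key is set)"` conveys the same decision without the secret. Since the first hunk already forces `api` to `api2`, this branch now fires only for the `json-nvd`/`json-mirror` choices combined with a key, which is worth stating in the comment above the `if` so the next reader does not assume it handles the `api` case. main() begins and ends outside the hunk.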
@@ -545,7 +545,7 @@ This option controls the frequency of updates for the CVE data from the National
 ### -n {json-nvd,json-mirror,api,api2}, --nvd {json-nvd,json-mirror,api,api2}
 
-This option selects how CVE data is downloaded from the National Vulnerability Database. The default `api` option uses the NVD CVE Retrieval API version 1.0. The `api2` option uses the later NVD CVE Retrieval API version 2.0. The results from this API are updated as quickly as the NVD website.
+This option selects how CVE data is downloaded from the National Vulnerability Database. The `api` option previously used the NVD CVE Retrieval API version 1.0, which is now deprecated. Using `--nvd api` will automatically failover to the `--nvd api2` option. The `api2` option uses the later NVD CVE Retrieval API version 2.0. The results from this API are updated as quickly as the NVD website.
 
 A major benefit of using this NVD API is incremental updates which basically means you won't have to download the complete feed again in case you want the latest CVE entries from NVD. See the detailed guide on [incremental updates](how_to_guides/use_incremental_updates.md) for more details.
 
 You may also choose to update the data using `json-nvd` option which uses the JSON feeds available on [this page](https://nvd.nist.gov/vuln/data-feeds). These per-year feeds are updated once per day. This mode was the default for CVE Binary Tool prior to the 3.0 release.

From 31a33fd708a8c8124aad3fd48cb3f673105ce5dd Mon Sep 17 00:00:00 2001
From: akshatgokul <35228810+akshatgokul@users.noreply.github.com>
Date: Thu, 28 Dec 2023 01:47:39 +0530
Subject: [PATCH 3/4] fix: linter issue

---
 cve_bin_tool/cli.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cve_bin_tool/cli.py b/cve_bin_tool/cli.py
index 1021e10945..bcbf839c93 100644
--- a/cve_bin_tool/cli.py
+++ b/cve_bin_tool/cli.py
@@ -549,7 +549,7 @@ def main(argv=None):
         args["nvd"] = "json-mirror"
     nvd_type = args["nvd"]
     if nvd_type == "api":
-        LOGGER.warning(f"API 1.0 is deprecated, switching to API 2.0")
+        LOGGER.warning("API 1.0 is deprecated, switching to API 2.0")
         nvd_type = "api2"
 
     # If NVD API key is not set, check for environment variable (e.g. GitHub Secrets)

From e761309be67218e1d9beb4fa67442b1f29fc205c Mon Sep 17 00:00:00 2001
From: akshatgokul <35228810+akshatgokul@users.noreply.github.com>
Date: Thu, 28 Dec 2023 03:57:07 +0530
Subject: [PATCH 4/4] docs: reword --nvd

---
 doc/MANUAL.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/MANUAL.md b/doc/MANUAL.md
index 5a6e45e332..fd87f291e8 100644
--- a/doc/MANUAL.md
+++ b/doc/MANUAL.md
@@ -545,7 +545,7 @@ This option controls the frequency of updates for the CVE data from the National
 ### -n {json-nvd,json-mirror,api,api2}, --nvd {json-nvd,json-mirror,api,api2}
 
-This option selects how CVE data is downloaded from the National Vulnerability Database. The `api` option previously used the NVD CVE Retrieval API version 1.0, which is now deprecated. Using `--nvd api` will automatically failover to the `--nvd api2` option. The `api2` option uses the later NVD CVE Retrieval API version 2.0. The results from this API are updated as quickly as the NVD website.
+This option selects how CVE data is downloaded from the National Vulnerability Database. The `api` option previously used the NVD CVE Retrieval API version 1.0, which is now deprecated. Using `--nvd api` will automatically switch to the `--nvd api2` option. The `api2` option uses the later NVD CVE Retrieval API version 2.0. The results from this API are updated as quickly as the NVD database.
 
 A major benefit of using this NVD API is incremental updates which basically means you won't have to download the complete feed again in case you want the latest CVE entries from NVD. See the detailed guide on [incremental updates](how_to_guides/use_incremental_updates.md) for more details.
 
 You may also choose to update the data using `json-nvd` option which uses the JSON feeds available on [this page](https://nvd.nist.gov/vuln/data-feeds). These per-year feeds are updated once per day. This mode was the default for CVE Binary Tool prior to the 3.0 release.