fix: Deprecate NVD API 1.0 #3671

Merged
merged 5 commits into from
Jan 3, 2024
11 changes: 8 additions & 3 deletions cve_bin_tool/cli.py
Expand Up @@ -548,6 +548,10 @@ def main(argv=None):
if args["nvd"] == "json":
args["nvd"] = "json-mirror"
nvd_type = args["nvd"]
if nvd_type == "api":
LOGGER.warning("API 1.0 is deprecated, switching to API 2.0")
nvd_type = "api2"

# If NVD API key is not set, check for environment variable (e.g. GitHub Secrets)
if not args["nvd_api_key"] and os.getenv("nvd_api_key"):
args["nvd_api_key"] = os.getenv("nvd_api_key")
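Review bot: The new `if nvd_type == "api":` branch only rewrites the local `nvd_type`, so `args["nvd"]` still holds "api" afterwards, and any later code in main() that reads `args["nvd"]` instead of `nvd_type` would still see the deprecated value. The `json` to `json-mirror` mapping just above assigns back to `args["nvd"]`; doing the same here keeps the two in step. The warning would also be more actionable if it named the option, for example "--nvd api is deprecated, use --nvd api2", so users know what to change in their command line or configuration.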
Expand All @@ -558,9 +562,10 @@ def main(argv=None):

if args["nvd_api_key"]:
if nvd_type != "api2":
LOGGER.debug(f"{nvd_type} - changing to api. API Key {args['nvd_api_key']}")
nvd_type = "api"

LOGGER.debug(
f"{nvd_type} - changing to api2. API Key {args['nvd_api_key']}"
)
nvd_type = "api2"
# If you're not using an NVD key, let you know how to get one
if nvd_type == "json-nvd" and not args["nvd_api_key"] and not args["offline"]:
LOGGER.info("Not using an NVD API key. Your access may be rate limited by NVD.")
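Review bot: The `LOGGER.debug(...)` call under `if nvd_type != "api2":` still interpolates `args['nvd_api_key']`, so the NVD API key is written in clear text to debug output, including when the key was picked up from the `nvd_api_key` environment variable that the comment earlier in main() associates with GitHub Secrets. Since this line is being rewritten anyway, drop the key from the message and log only that a key is set. The text "changing to api2" could also state the reason, for example that an API key was supplied, so the switch is understandable from the log alone.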
2 changes: 1 addition & 1 deletion doc/MANUAL.md
Expand Up @@ -545,7 +545,7 @@ This option controls the frequency of updates for the CVE data from the National

### -n {json-nvd,json-mirror,api,api2}, --nvd {json-nvd,json-mirror,api,api2}

This option selects how CVE data is downloaded from the National Vulnerability Database. The default `api` option uses the NVD CVE Retrieval API version 1.0. The `api2` option uses the later NVD CVE Retrieval API version 2.0. The results from this API are updated as quickly as the NVD website.
This option selects how CVE data is downloaded from the National Vulnerability Database. The `api` option previously used the NVD CVE Retrieval API version 1.0, which is now deprecated. Using `--nvd api` will automatically switch to the `--nvd api2` option. The `api2` option uses the later NVD CVE Retrieval API version 2.0. The results from this API are updated as quickly as the NVD database.
A major benefit of using this NVD API is incremental updates which basically means you won't have to download the complete feed again in case you want the latest CVE entries from NVD. See the detailed guide on [incremental updates](how_to_guides/use_incremental_updates.md) for more details.

You may also choose to update the data using `json-nvd` option which uses the JSON feeds available on [this page](https://nvd.nist.gov/vuln/data-feeds). These per-year feeds are updated once per day. This mode was the default for CVE Binary Tool prior to the 3.0 release.
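Review bot: The rewritten paragraph under `-n {json-nvd,json-mirror,api,api2}` no longer says which value is the default: the old text called `api` the default, and the new text marks `api` as deprecated without naming what the default is now. State the current default explicitly, and consider flagging `api` as deprecated in the heading's choice list as well. "NVD database" is also redundant, since the D already stands for Database; "NVD website" as before, or simply "NVD", reads better.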