Rewrite NVD provider #27

wagoodman · 2023-01-03T15:07:26Z

The existing NVD provider has a few issues:

the existing "data-feeds" source is deprecated and will be removed within 9 months https://nvd.nist.gov/vuln/data-feeds
the existing provider requires refactors to remove unnecessary CPE version expansion
the existing provider takes 20 minutes to run even when all data is cached

The new implementation:

uses the new V2 JSON API (https://nvd.nist.gov/developers/vulnerabilities)
does minimal (no) transforms on the incoming data
supports incremental updates up to 120 days of drift (longer periods cannot be implements due to a NIST API limitation)

Closes #11
Closes #9

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

src/vunnel/providers/nvd/api.py

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

wagoodman force-pushed the rewrite-nvd branch 6 times, most recently from ca65a46 to ac2ced5 Compare January 4, 2023 00:09

wagoodman marked this pull request as ready for review January 4, 2023 00:11

wagoodman mentioned this pull request Jan 4, 2023

Port remaining feed drivers from enterprise #3

Closed

17 tasks

wagoodman enabled auto-merge (squash) January 4, 2023 16:38

rewrite nvd provider to use NVD API v2

c8b7940

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

wagoodman force-pushed the rewrite-nvd branch from ac2ced5 to c8b7940 Compare January 4, 2023 16:43

westonsteimel reviewed Jan 4, 2023

View reviewed changes

src/vunnel/providers/nvd/api.py Outdated Show resolved Hide resolved

do not require an API key

e8945e7

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

westonsteimel approved these changes Jan 4, 2023

View reviewed changes

wagoodman merged commit 770229f into main Jan 4, 2023

wagoodman deleted the rewrite-nvd branch January 4, 2023 17:18

Provide feedback