Can I update CVE database on local server?

[147sugiura]

I would like to update the CVE database on local server.
When I used SwiftBOM on internet (https://sbom.democert.org/sbom/), I think that this database is latest.
I would like to know how to update CVE database.

[sei-vsarvepalli]

Hello @147sugiura

We use active lookup of CVE program GitHub site as the official location to get the CVE information from For Example CVE-2024-0709 will be collected from the https://olbat.github.io/nvdcve/CVE-2024-0709.json

If a CVSS score is available it is pulled up and provided. If not, one can manually add other sources of CVSS score such as NVD or the Vendor advisory itself.

[147sugiura]

Hi @sei-vsarvepalli
Thank you for your response.
I understand how to get the CVE information.
How do you get vendors and products to use in CPE?
Also, do you have any plans to upload SwiftBOM Version 5.2.7 to GitHub?

[sei-vsarvepalli]

The CPE data was initially using CPE database from NIST - https://nvd.nist.gov/products/cpe ; As it turns out this CPE data is now being archived and less reliable. So the development of actually puling CPE was stopped. CPE data can be appended locally without having to lookup the NIST one, meaning the NIST data is only convenience to avoid duplicates. A new entry outside of NIST data can be freeform and will be accepted as-typed by the user.

Surely will work on porting over 5.2.7 to GH may be in the next couple of weeks. Thanks for catching that.

[sei-vsarvepalli]

It is also documented here https://github.com/CERTCC/SBOM/tree/master/SwiftBOM/cpe_lookup