Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Switch to NVD JSON feed and include CVSSv3 #645

Merged
merged 7 commits into from
Oct 22, 2018
Merged

Switch to NVD JSON feed and include CVSSv3 #645

merged 7 commits into from
Oct 22, 2018

Conversation

Katee
Copy link
Contributor

@Katee Katee commented Oct 17, 2018

The NVD JSON feed is still "beta". According to the NVD changlog the last breaking change (a field rename which would not have affected this code) happened 2017-12-18. CVSSv3 is only in the JSON feed.

Some things in the feed relevant to Clair have changed:

  • The format for PublishedDateTime has changed from 2018-01-10T17:29:00.930-05:00 to 2018-01-10T22:29Z.
  • The CVSSv2 and CVSSv3 vector strings are provided directly. If desired, I'm happy to remove the parsing code here or in another PR.

The changes in this PR are meant to be backwards compatible:

  • NVDmetadataCVSSv2 remains unchanged. PublishedDateTime is still in NVDmetadataCVSSv2 even though it isn't specific to CVSSv2.
  • As before, Metadata returns nil if CVSSv2 isn't available (and this now has a test).

@Katee
ext: Parse NVD JSON feed instead of XML
aab46f5 
The JSON feed provides some values that are not available in the XML
feed such as CVSSv3.
@Katee
ext: Add JSON NVD parsing tests
14277a8
@Katee
ext: Parse CVSSv3 data from JSON NVD feed
b81e445
jzelinskie
jzelinskie suggested changes Oct 18, 2018
View reviewed changes
Copy link
Contributor

@jzelinskie jzelinskie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just two minor nitpicks

ext/vulnmdsrc/nvd/json.go Outdated Show resolved Hide resolved
ext/vulnmdsrc/nvd/json.go Outdated Show resolved Hide resolved
@Katee
Copy link
Contributor Author

Katee commented Oct 19, 2018

I'd also like to pass through the CVSSv3 expoloitability score and impact score, I'm adding a commit for that now.

@jzelinskie jzelinskie merged commit 0c2e5e7 into quay:master Oct 22, 2018
@Katee Katee deleted the include-cvssv3 branch October 22, 2018 17:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@skelterjohn skelterjohn skelterjohn left review comments

@jzelinskie jzelinskie jzelinskie approved these changes

Assignees
No one assigned
Labels
priority/medium desired functionality
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@Katee @skelterjohn @jzelinskie