
fix: resync NVD information #2

Merged
merged 1 commit into from
Dec 16, 2024

Conversation

fhrbata
Collaborator

@fhrbata fhrbata commented Dec 16, 2024

At present, there's an issue in the sync script where the lastModEndDate is recorded using the current time from the host executing the script. This is incorrect and could result in missing CVE or Match String data.

Suppose the sync.py script requests modified data between date1 and date2, with date2 being the current time on the host executing the script. The NVD might update CVEs and label them as updated at a time slightly before date2 due to clock discrepancies. When the sync.py script runs again, it requests data modified between date2 and date3, potentially missing anything marked as updated just before date2.

The NVD response includes a timestamp from the NVD server indicating when the data was generated, and this should be used as the lastModEndDate. As mentioned in [1], "LastModStartDate equals the time of the last CVE or CPE received."

Re-synchronize the NVD data to ensure all records are complete and current. Additionally, modify the sync.py script to properly manage the lastModEndDate information.

Note: There was a change to a lot of CVEs because Authorized Data Publisher (ADP) support was added, and sync.py most probably missed this. From the NVD Communication page [2]:

CVE records within the NVD dataset will contain more information
(Reference(s), CWE, and CVSS) from additional sources. This new
information will be displayed on the website and in the API responses,
attributed to the organization who contributed the information. More
information regarding ADPs can be reviewed at
https://www.cve.org/ProgramOrganization/ADPs.

Downstream data consumers will notice a large shift in the volume of CVE
Record modifications as part of this change. Going forward,
organizations should expect CVE records to update at a higher frequency.

[1] https://nvd.nist.gov/developers/start-here
[2] https://www.nist.gov/itl/nvd


At present, there's an issue in the sync script where the lastModEndDate
is recorded using the current time from the host executing the script.
This is incorrect and could result in missing CVE or Match String data.

Suppose the sync.py script requests modified data between date1 and
date2, with date2 being the current time on the host executing the
script. The NVD might update CVEs and label them as updated at a time
slightly before date2 due to clock discrepancies. When the sync.py
script runs again, it requests data modified between date2 and date3,
potentially missing anything marked as updated just before date2.

The NVD response includes a timestamp from the NVD server indicating
when the data was generated, and this should be used as the
lastModEndDate. As mentioned in [1], "LastModStartDate equals the time
of the last CVE or CPE received."

Re-synchronize the NVD data to ensure all records are complete and current.
Additionally, modify the sync.py script to properly manage the
lastModEndDate information.

Note: There was a change to a lot of CVEs because Authorized Data
Publisher (ADP) support was added, and sync.py most probably missed
this. From the NVD Communication page [2]:

    CVE records within the NVD dataset will contain more information
    (Reference(s), CWE, and CVSS) from additional sources. This new
    information will be displayed on the website and in the API responses,
    attributed to the organization who contributed the information. More
    information regarding ADPs can be reviewed at
    https://www.cve.org/ProgramOrganization/ADPs.

    Downstream data consumers will notice a large shift in the volume of CVE
    Record modifications as part of this change. Going forward,
    organizations should expect CVE records to update at a higher frequency.

[1] https://nvd.nist.gov/developers/start-here
[2] https://www.nist.gov/itl/nvd

Signed-off-by: Frantisek Hrbata <[email protected]>
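The window bookkeeping described in the PR description and the commit message, as an added example that is not the project's sync.py: a constructed stand-in for the NVD server whose clock lags the host by 30 seconds is synced twice, once carrying the host clock forward as lastModEndDate (the bug) and once carrying the response's own `timestamp` field (the fix). Only the NVD CVE API 2.0 top-level fields actually used (`timestamp`, `vulnerabilities[].cve.id`, `vulnerabilities[].cve.lastModified`) are mirrored; the record contents are constructed.

```python
from datetime import datetime, timedelta


class FakeNvd:
    """Constructed stand-in for the NVD server whose clock lags the host by `skew`."""

    def __init__(self, records, skew):
        self.records = records  # list of (cve_id, lastModified as server-clock datetime)
        self.skew = skew

    def query(self, start, end, host_now):
        # Mirrors only the NVD CVE API 2.0 top-level fields used by this example.
        server_now = host_now - self.skew
        hits = [{"cve": {"id": cid, "lastModified": lm.isoformat()}}
                for cid, lm in self.records if start <= lm <= end]
        return {"timestamp": server_now.isoformat(), "vulnerabilities": hits}


def sync_window(nvd, last_mod_start, host_now, use_server_time):
    """Fetch [lastModStartDate, now] and return (ids fetched, next lastModStartDate)."""
    resp = nvd.query(last_mod_start, host_now, host_now)
    ids = {v["cve"]["id"] for v in resp["vulnerabilities"]}
    if use_server_time:
        # Fix: the response's own generation time bounds what the server has returned.
        next_start = datetime.fromisoformat(resp["timestamp"])
    else:
        # Bug: the host clock may be ahead of the server; anything the server
        # stamps in that gap falls between the two windows and is never fetched.
        next_start = host_now
    return ids, next_start


def simulate(use_server_time, skew_seconds=30):
    """Two consecutive syncs; a CVE is modified server-side between them."""
    skew = timedelta(seconds=skew_seconds)
    t0 = datetime(2024, 12, 16, 8, 0, 0)
    nvd = FakeNvd([("CVE-2024-0001", t0 + timedelta(minutes=5))], skew)
    seen, state = set(), t0
    run1 = t0 + timedelta(minutes=15)  # host clock 08:15:00, server clock 08:14:30
    ids, state = sync_window(nvd, state, run1, use_server_time)
    seen |= ids
    # The NVD stamps a new modification with its own clock: 08:14:45, i.e. after
    # run 1 completed server-side but before the host's idea of when run 1 ran.
    nvd.records.append(("CVE-2024-0002", run1 - skew + timedelta(seconds=15)))
    run2 = t0 + timedelta(minutes=30)
    ids, state = sync_window(nvd, state, run2, use_server_time)
    return seen | ids


if __name__ == "__main__":
    print("host clock  :", sorted(simulate(False)))  # CVE-2024-0002 is lost
    print("server time :", sorted(simulate(True)))
```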
@fhrbata fhrbata self-assigned this Dec 16, 2024
@fhrbata fhrbata requested a review from dobairoland December 16, 2024 08:15
Collaborator

@dobairoland dobairoland left a comment


LGTM

@fhrbata fhrbata merged commit dd791fe into master Dec 16, 2024
@fhrbata fhrbata deleted the fix/resync branch December 16, 2024 09:55