chore(nvd): use NVD API v2 #1318
Conversation
Images are ready for the commit at 7d44713. To use the images, use the tag
/retest slim-e2e-tests
/test slim-e2e-tests
/retest
Getting 403s, which is concerning. Perhaps we should look into getting an API key...
/retest
/retest
Failing e2e test is unrelated: #1322
will merge tomorrow morning
Verified via these tests, checking for specific known ones, and ensuring StackRox 3.74.7 can handle the vulns without panicking and return scan results. Merging
NVD plans to retire the 1.1 JSON feeds on December 15, 2023. This PR swaps our usage of those feeds with the v2 API.
For backwards compatibility purposes with previous Scanner versions, which may still be deployed somewhere and may still be officially supported, we convert the v2 API JSON responses to the 1.1 JSON formatting. This allows us to continue serving NVD data to live Scanners without any downtime nor required updates.
Before, there was a JSON file per year (2002 - Present year). Now, there will be a JSON file for every 20,000 vulnerabilities. The maximum file size, uncompressed, is about 60MB, and the genesis-dump.zip is about 164MB. The genesis-dump.zip associated with the 4.3.0 release is about 166MB, so these changes result in negligible differences in the genesis-dump.
The change in file names will not affect older Scanners (at least no Scanners which are still supported), as each Scanner looks inside of a directory called nvd/ (which has not changed) for all .json files. As long as the file extension is .json, the file name does not matter. See https://github.com/stackrox/scanner/blob/2.28.7/cpe/nvdtoolscache/load.go, which (as of writing this) has not been touched since well before 3.74 (Scanner 2.28) was released.
See stackrox/nvdtools#9 for the related changes to the nvdtools library.
NOTE: Once this is merged, all live Scanners will be getting this data, so this can be a potentially dangerous change.
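The description above covers two mechanisms: converting NVD API v2 responses back into the 1.1 feed shape, and splitting the output into fixed-size .json files that an unchanged nvd/ loader picks up by extension alone. The Go program below is an added illustration written for this page; it is not code from the PR, from stackrox/scanner or from stackrox/nvdtools. It assumes a minimal subset of the public 2.0 and 1.1 field names (id, published, descriptions on the v2 side; CVE_data_meta, description_data, publishedDate, CVE_Items on the 1.1 side), a chunk-NNN.json naming scheme chosen here, and a chunk size passed by the caller rather than the PR's 20,000.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// Description is a language-tagged text entry; both formats use this shape.
type Description struct {
	Lang  string `json:"lang"`
	Value string `json:"value"`
}

// V2Item is an assumed minimal subset of an NVD API 2.0 "vulnerabilities" entry (not the PR's type).
type V2Item struct {
	CVE struct {
		ID           string        `json:"id"`
		Published    string        `json:"published"`
		Descriptions []Description `json:"descriptions"`
	} `json:"cve"`
}

// LegacyItem is an assumed minimal subset of a 1.1 feed "CVE_Items" entry.
type LegacyItem struct {
	CVE struct {
		Meta        struct{ ID string `json:"ID"` }                          `json:"CVE_data_meta"`
		Description struct{ Data []Description `json:"description_data"` } `json:"description"`
	} `json:"cve"`
	PublishedDate string `json:"publishedDate"`
}
// LegacyFeed is the top-level 1.1 feed document.
type LegacyFeed struct {
	DataType    string       `json:"CVE_data_type"`
	DataFormat  string       `json:"CVE_data_format"`
	DataVersion string       `json:"CVE_data_version"`
	Items       []LegacyItem `json:"CVE_Items"`
}

// ConvertV2 maps a 2.0 entry onto the 1.1 item shape, keeping only English descriptions.
func ConvertV2(in V2Item) LegacyItem {
	var out LegacyItem
	out.CVE.Meta.ID = in.CVE.ID
	out.PublishedDate = in.CVE.Published
	for _, d := range in.CVE.Descriptions {
		if d.Lang == "en" {
			out.CVE.Description.Data = append(out.CVE.Description.Data, d)
		}
	}
	return out
}

// WriteChunks writes items under <root>/nvd/ as 1.1-format feeds of at most chunkSize entries each.
// The chunk-NNN.json name is this example's choice; only the .json extension matters to the loader.
func WriteChunks(root string, items []LegacyItem, chunkSize int) ([]string, error) {
	dir := filepath.Join(root, "nvd")
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return nil, err
	}
	var paths []string
	for start := 0; start < len(items); start += chunkSize {
		end := start + chunkSize
		if end > len(items) {
			end = len(items)
		}
		feed := LegacyFeed{DataType: "CVE", DataFormat: "MITRE", DataVersion: "4.0", Items: items[start:end]}
		data, err := json.Marshal(feed)
		if err != nil {
			return nil, err
		}
		p := filepath.Join(dir, fmt.Sprintf("chunk-%03d.json", len(paths)))
		if err := os.WriteFile(p, data, 0o644); err != nil {
			return nil, err
		}
		paths = append(paths, p)
	}
	return paths, nil
}

// LoadAll reads every *.json under <root>/nvd/ regardless of base name, the property the PR
// relies on so that renamed files remain readable by older Scanners.
func LoadAll(root string) ([]LegacyItem, error) {
	matches, err := filepath.Glob(filepath.Join(root, "nvd", "*.json"))
	if err != nil {
		return nil, err
	}
	var all []LegacyItem
	for _, p := range matches {
		data, err := os.ReadFile(p)
		if err != nil {
			return nil, err
		}
		var feed LegacyFeed
		if err := json.Unmarshal(data, &feed); err != nil {
			return nil, fmt.Errorf("%s: %w", p, err)
		}
		all = append(all, feed.Items...)
	}
	return all, nil
}
```

Running ConvertV2 over a v2 page, WriteChunks into a temporary root, and LoadAll back again exercises the compatibility claim end to end: the loader never sees the new names, only the nvd/ directory and the .json suffix, so the 20,000-entry split is invisible to a consumer that globs the directory.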