ROX-28353: use NVD 2.0 JSON feeds #2015
Conversation
RTann
added
the
generate-dumps-on-pr
RTann
force-pushed
the
ROX-28353
branch
4 times, most recently
from
ae8b52c to
ee8b69f
Compare
pkg/vulnloader/nvdloader/convert.go
Outdated
| // Prefer CVSS 3.1. | ||
| baseMetric := toBaseMetricV31(metrics31) | ||
| if baseMetric != nil { | ||
| return baseMetric | ||
| } | ||
|
|
||
| baseMetric = toBaseMetricV30(metrics30) | ||
| if baseMetric != nil { | ||
| return baseMetric | ||
| } | ||
|
|
||
| return nil |
There was a problem hiding this comment.
Didn't like the len checks?
There was a problem hiding this comment.
Looks like it took O(n) to avoid a function call 🤷
Test: https://go.dev/play/p/0ZRLq9-4G-I
There was a problem hiding this comment.
didn't seem very necessary, and would have caused for more if/else, which is nice to avoid for readability :)
There was a problem hiding this comment.
Also just want to clarify the semantic change. Before, if there was a 3.1 score, we only read that. However, this was a problem when the 3.1 score was from a "Secondary" (non-NVD) source. There was a case where NVD had both a 3.1 score (secondary) and a 3.0 score (primary). We should use the NVD score in that case, so we should use the 3.0 score instead of the 3.1 score. This change allows for that now
| @@ -31,6 +31,11 @@ func toJSON(vulns []*apischema.CVEAPIJSON20DefCVEItem) ([]*jsonschema.NVDCVEFeed | |||
| continue | |||
| } | |||
|
|
|||
| // Ignore rejected vulnerabilities. | |||
| if strings.EqualFold(vuln.CVE.VulnStatus, "Rejected") { | |||
There was a problem hiding this comment.
I vaguely recall there being some contention with us supporting rejected vulns in the past, and ignoring them as the solution, so your change tracks 👍
Is this covered by a test? If not, should it be?
There was a problem hiding this comment.
I didn't add any because they didn't exist before, but that's a bad reason to not add tests. Just added one which covers this rejected case and some basic stuff
NVD will remove the 1.1 JSON feeds August 20, 2025, so this PR switches our feed loader to use the new 2.0 feeds. The schema is the same as the API, so this was pretty straightforward.
The NVD 2.0 API and feeds includes vulnerabilities with more NVD statuses than the 1.1 JSON feeds did (https://nvd.nist.gov/vuln/vulnerability-status). For example, "Deferred" vulnerabilities are included. As long as the vulnerability is not rejected and has all the fields we need, we do not care if NVD opted to change its status.
We should backport this to currently supported releases.