It appears you can request CVEs incrementally using startIndex and resultsPerPage; however, I suspect this is much slower than downloading the per-year NVD JSON Feeds.
There is also the experimental/pilot cvelist git repo which puts the entire NVD data-set into a git repo as JSON files (Ruby client code: cvelist.rb).
#nvd #cvelist
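Paging through the NVD CVE API 2.0 with startIndex and resultsPerPage as the post describes, as an added example that is not the poster's code. It assumes the API 2.0 response shape (totalResults, startIndex, resultsPerPage, vulnerabilities) and the 2000-item maximum for resultsPerPage; the fetcher is a constructed offline stand-in, so the block runs without network access.

```python
"""Incremental retrieval from the NVD CVE API 2.0 via startIndex / resultsPerPage."""
from typing import Callable, Dict, Iterator, List

# A fetcher takes (startIndex, resultsPerPage) and returns the parsed JSON body.
# A real one would GET https://services.nvd.nist.gov/rest/json/cves/2.0 with those
# two query parameters; here we inject a constructed stand-in (see fake_fetch).
Fetcher = Callable[[int, int], Dict]


def iter_cves(fetch: Fetcher, page_size: int = 2000) -> Iterator[Dict]:
    """Yield every 'vulnerabilities' entry, one page per round trip.

    Each page reports totalResults, so startIndex is advanced by the number of
    items actually returned until totalResults items have been seen. The last
    page is normally short, and an empty data set must terminate immediately.
    """
    if not 1 <= page_size <= 2000:  # 2000 is the documented maximum (assumed here)
        raise ValueError("resultsPerPage must be between 1 and 2000")
    start = 0
    while True:
        page = fetch(start, page_size)
        items: List[Dict] = page.get("vulnerabilities", [])
        yield from items
        start += len(items)
        if start >= page["totalResults"] or not items:
            break


def count_pages(total_results: int, page_size: int) -> int:
    """Round trips needed for a full sync: this is why paging is slower than a feed."""
    return -(-total_results // page_size) if total_results else 0


# Constructed offline data set: five fake records, deliberately not a page multiple.
FAKE_DATASET = [{"cve": {"id": f"CVE-0000-{i:04d}"}} for i in range(1, 6)]


def fake_fetch(start_index: int, results_per_page: int) -> Dict:
    """Stand-in for the HTTP call, mimicking the API 2.0 envelope fields."""
    chunk = FAKE_DATASET[start_index:start_index + results_per_page]
    return {"resultsPerPage": len(chunk), "startIndex": start_index,
            "totalResults": len(FAKE_DATASET), "vulnerabilities": chunk}


def collect_ids(fetch: Fetcher, page_size: int) -> List[str]:
    """Convenience wrapper: all CVE ids in the data set, in page order."""
    return [v["cve"]["id"] for v in iter_cves(fetch, page_size)]


if __name__ == "__main__":
    print(collect_ids(fake_fetch, 2))
    print(count_pages(200_000, 2000))  # requests needed for a data set of that size
```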
TIL that in September 2023 NVD will shut down their JSON Feeds in favor of their own REST API. While I generally prefer REST, I kind of like the idea of being able to import all of their data into whatever database or schema I want to use and query it as much as I like. Although, I bet this gets abused by companies and NIST is looking to monetize the commercial demand for their data.
https://nvd.nist.gov/General/News/change-timeline
#nvd
Another unambiguous write-up by Daniel Stenberg, and very nice to learn some more about the subjective nature of the CVSS scores and how it all fits together.
How do we get the NVD to stop the insanity?
[...] In the curl project we decided to abandon CVSS years ago because of its inherent problems. Instead we use only the four severity names: Low, Medium, High, and Critical [...] I have talked to humans on the GitHub database team and I push for them to ignore or filter out the severity levels as set by NVD, if possible. But me being just a single complaining maintainer I do not expect this to have much of an effect. I would urge NVD to stop this insanity if I had any way to. [...]
https://daniel.haxx.se/blog/2023/03/06/nvd-makes-up-vulnerability-severity-levels/
#cvss #nvd #cve #mitre #vulnerabilitymanagement
#NVD #CVE #SoftwareSupplyChain and the need for #SBOM https://medium.com/@interlynkblog/the-need-for-sbom-part-1-dc07dbaf863a
#nvd #cve #softwaresupplychain #SBOM
Dark Reading details our latest research revealing how differences in how the National Vulnerability Database (#NVD) and vendors score bugs can make patch prioritization more challenging. Read the full article below to learn more: https://www.darkreading.com/application-security/discrepancies-discovered-in-vulnerability-severity-ratings
#vulnerabilitymanagement
@DarkOperator Minor point of fact, FTA:
the National Vulnerability Database assigned Common Vulnerabilities and Exposures (CVE) identifiers to over 12,000 vulnerabilities
I assure you, the #NVD did not assign 12,000 CVEs. Most CVEs are assigned by the #CVE Program, and the rest are assigned by CVE partners (CNAs), which are not part of NVD.
NVD merely provides commentary on, and republishes, CVEs.
Being sick at home means that you have a lot of time and can devote yourself to things that you would otherwise like to put off.
And so, while analyzing some failures in our CI pipeline, I found out that #NIST apparently will no longer make the #NVD database available offline, but only via a new version of their API.
https://nvd.nist.gov/General/News/changes-to-feeds-and-apis
This will make it much harder to include NVD data because this approach doesn't scale, let alone in builds that lack access to external resources. #DevOps
On Friday 18 November at 14:30 there will be a public event and reception in Kongshøll at Vestaru bryggju in Havn, marking the 50th anniversary of Náttúruvísindadeildin at Fróðskaparsetri Føroya.
https://www.setur.fo/fo/setrid/tiltok/alment-tiltak-nvd-50-ar #setrið #tiltøk #nvd