The purpose of these scripts is to map the cve5 record data into something that looks like NVD CPE data. We are focusing only on CPE data at the moment.
Long term we will try to store the data in a non-CPE format that is friendlier to humans. A more comprehensive format will also allow transforming it into other outputs, such as OSV.
Clone these repos:
- https://github.com/westonsteimel/cvelist-v5/
- https://github.com/westonsteimel/national-vulnerability-database
- https://github.com/anchore/nvd-data-overrides/
Then create symlinks to them in this (`nvd`) directory.

If you run

```
python -m scripts.nvd_override_candidates_from_cve5
```

it will update the data in the nvd-data-overrides repository. The updated data needs to be inspected by humans, and the `notes` field should be removed.
The generated and curated JSON files are all located in the data directory.
The layout of this tree is:

```
├── cpe
│   ├── curated/lookup
│   │   ├── by_collection_url_and_package_name
│   │   │   ├── application.json
│   │   │   ├── hardware.json
│   │   │   └── os.json
│   │   ├── by_vendor_and_product
│   │   │   ├── application.json
│   │   │   ├── hardware.json
│   │   │   └── os.json
│   │   └── by_product
│   │       ├── application.json
│   │       ├── hardware.json
│   │       └── os.json
│   └── generated/lookup
│       ├── by_collection_url_and_package_name
│       │   ├── application.json
│       │   ├── hardware.json
│       │   └── os.json
│       ├── by_vendor_and_product
│       │   ├── application.json
│       │   ├── hardware.json
│       │   └── os.json
│       └── by_product
│           ├── application.json
│           ├── hardware.json
│           └── os.json
├── cves_with_no_mapping.json
├── no_collection_url_and_package_to_cpes.json
└── no_vendor_and_product_cpe_mapping.json
```
The files in the lookup directories (curated and generated) are used to turn the cve5 product/package and vendor data into a CPE. The os.json and hardware.json files are currently empty (they could be filled out in the future). For example, the qemu project historically has 2 CPE names that end up being associated with it:

```json
"qemu": [
    "cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:redhat:openstack_platform:*:*:*:*:*:*:*:*"
],
```

This entry is stored in the application.json file.
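As an added illustration of how these lookups resolve a cve5 `affected` entry (this is example code, not the project's own script), the following tries the most specific lookup first and prefers curated data over generated data at each step. The `url|package` and `vendor|product` key formats, and the sample lookup tables, are assumptions; the page only documents the bare-product form shown above.

```python
# Constructed sample lookups in the shape of data/cpe/{curated,generated}/lookup/<kind>/application.json.
# ASSUMPTION: keys for the two combined lookups are "collectionURL|packageName" and "vendor|product";
# the README only shows the by_product form ("qemu": [...]).
CURATED = {
    "by_collection_url_and_package_name": {
        "https://pypi.org/|requests": ["cpe:2.3:a:python-requests:requests:*:*:*:*:*:*:*:*"]},
    "by_vendor_and_product": {},
    "by_product": {"qemu": ["cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*",
                            "cpe:2.3:a:redhat:openstack_platform:*:*:*:*:*:*:*:*"]},
}
GENERATED = {
    "by_collection_url_and_package_name": {},
    "by_vendor_and_product": {"redhat|qemu": ["cpe:2.3:a:redhat:enterprise_linux:*:*:*:*:*:*:*:*"]},
    "by_product": {"openssl": ["cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*"]},
}


def lookup_keys(affected):
    """Candidate (lookup kind, key) pairs for one cve5 'affected' entry, most specific first."""
    keys = []
    if affected.get("collectionURL") and affected.get("packageName"):
        keys.append(("by_collection_url_and_package_name",
                     f"{affected['collectionURL']}|{affected['packageName']}"))
    if affected.get("vendor") and affected.get("product"):
        keys.append(("by_vendor_and_product", f"{affected['vendor']}|{affected['product']}".lower()))
    if affected.get("product"):
        keys.append(("by_product", affected["product"].lower()))
    return keys


def cpes_for_affected(affected, curated=CURATED, generated=GENERATED):
    """Resolve an 'affected' entry to CPE names; curated data wins over generated at each key."""
    for kind, key in lookup_keys(affected):
        for source in (curated, generated):
            hit = source.get(kind, {}).get(key)
            if hit:
                return sorted(set(hit))
    return []


def map_cve(cve_id, affected_entries):
    """Map a whole CVE; entries with no hit are what cves_with_no_mapping.json would record."""
    cpes, unmapped = set(), []
    for entry in affected_entries:
        hit = cpes_for_affected(entry)
        if hit:
            cpes.update(hit)
        else:
            unmapped.append(entry)
    return {"cve_id": cve_id, "cpes": sorted(cpes), "unmapped": unmapped}
```

Any CPE returned by the generated table still needs the human review described above before it is promoted to the curated set.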
The files `cves_with_no_mapping.json`, `no_collection_url_and_package_to_cpes.json` and `no_vendor_and_product_cpe_mapping.json` are not currently used.