cvelistV5 icon indicating copy to clipboard operation
cvelistV5 copied to clipboard
verified publisher icon CVEProject

CNA information difficult to obtain without scraping and parsing all CVEs

Open nisamson opened this issue 1 year ago • 6 comments

There is a mapping between some GUIDs and CNAs that exists in the providerMetadata fields, e.g.

"providerMetadata": {
  "dateUpdated": "2022-07-03T22:16:27",
  "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
  "shortName": "ibm"
}

However, there doesn't appear to be a way to gather a mapping of these organizational IDs or a clear way to get additional information about them, e.g. a contact email or a longer form name. It would be very useful to have a dictionary of this information for correlation with some downstream consumers of the CVE.org data like NIST NVD who are currently just using the UUID when they publish their information.

Additionally, even though it is public, there is no way of programmatically obtaining the contact information for or the name of a CNA even though this information is public without scraping the CVE.org website (if there is, please correct me; I can't find any indication of such an offering existing).

nisamson avatar Sep 06 '24 23:09 nisamson

@nisamson,

It is not an "officially supported" method, but I use the JSON from the GitHub repo for this information to stop from having to scrape the site: https://raw.githubusercontent.com/CVEProject/cve-website/main/src/assets/data/CNAsList.json

The JSON has not been updated to include the orgID but I opened a request on the website repo to see if it is possible to add that. https://github.com/CVEProject/cve-website/issues/2907

jgamblin avatar Sep 07 '24 15:09 jgamblin

See this for a mapping of Org ID to CNA full names. https://www.cve.org/cve-partner-name-map.json

M-nj avatar Sep 10 '24 14:09 M-nj

@M-nj Thank you so much! That is so helpful!

jgamblin avatar Sep 10 '24 14:09 jgamblin

@M-nj this file is now empty? It was populated this morning.

jgamblin avatar Sep 10 '24 20:09 jgamblin

@M-nj this file is now empty? It was populated this morning.

This has been a known issue for that file, however it may have been patched as of Sept 11th, 2024. Please see https://github.com/CVEProject/cve-website/issues/1996#issuecomment-2343457012. If this issue persists, feel free to contribute to that issue.

M-nj avatar Sep 16 '24 13:09 M-nj

This is essentially a duplicate of https://github.com/CVEProject/automation-working-group/issues/133. Please add specific use cases that would be met if this data were to be published in official form (instead of a set of unofficial website assets). Thank you!

mprpic avatar Oct 08 '24 21:10 mprpic