
Migrate from NVD data feeds to NVD API 2.0

Open olafz opened this issue 2 years ago • 3 comments

The NVD announced changes to the API and Data Feeds, see https://nvd.nist.gov/General/News/changes-to-feeds-and-apis.

One of the changes is a rate-limit on the API:

In October 2021, the NVD announced the availability of API keys and changes to its API rate limits. Users who request and activate a key may include it as a parameter of their request’s URL string.

Beginning immediately, users transmitting requests without a key will see a reduction in the number of requests they can make in a rolling 60 second window. Users transmitting requests that include their API key will see no change in service and may continue to make requests at the current rate. New users may request an API key here.

It would be nice to be able to enter an NVD API key in DependencyTrack.

olafz avatar Aug 05 '22 06:08 olafz

To use the API key, DT would first need to switch to use the API instead of the data feeds.

valentijnscholten avatar Aug 05 '22 07:08 valentijnscholten

Thanks @olafz, I modified the title of your issue to reflect that we indeed have to migrate away from our legacy data feed consumption to the NVD's new API, which will also include API key usage.

If I got it right, we have time until roughly Q3 2023:

In late 2022 the NVD will release the 2.0 version of its APIs. [...] Approximately 6 months after the release of the 2.0 APIs the NVD will retire all RSS feeds. Approximately 12 months after the release of the 2.0 APIs the NVD will also retire all remaining data feeds.

Obviously it'd be beneficial to migrate way earlier than that.

nscuro avatar Aug 05 '22 17:08 nscuro

The announcement from the NVD will lead to a number of issues DT will have to deal with.

  1. Mirroring time will increase, especially for default installations without an NVD API key
  2. The announcement did not provide details about the v2 API. I don't want to use the v1 APIs at this time since, per their documentation, dictionaryCpes "may become truncated" without any specific guidance for how to avoid it other than "Reducing the resultsPerPage may prevent the data from being truncated", which isn't very helpful.
  3. The current API uses the CVE JSON v4.0 spec, which is now old. v5.0 is the current spec with v5.1 in development.
  4. DT will need to track internally where the mirroring left off and how to keep the mirror up to date without having to re-mirror everything

stevespringett avatar Aug 20 '22 19:08 stevespringett
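The rate limit quoted from the NVD announcement and the mirroring concerns in the list above (tracking where the mirror left off, keeping it current without re-mirroring everything, and pages that come back shorter than requested) can be shown together in one client loop. The block below is an added illustration written for this thread; it is not code from Dependency-Track or from the Open-Vulnerability-Project. It assumes the NVD CVE API 2.0 conventions as described in NVD's own API documentation (endpoint https://services.nvd.nist.gov/rest/json/cves/2.0, the key sent in an apiKey request header, startIndex/resultsPerPage paging capped at 2000, lastModStartDate/lastModEndDate filters spanning at most 120 days, and 5 or 50 requests per rolling 30 seconds without or with a key); the CVE identifiers, the in-memory stand-in for the NVD endpoint, and the fake clock are constructed so the block runs offline.

```python
import json
import time
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

NVD_CVES_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"
PAGE_SIZE = 2000                    # largest resultsPerPage the 2.0 API accepts (assumed from NVD docs)
MAX_WINDOW = timedelta(days=120)    # largest lastModStartDate..lastModEndDate span (assumed from NVD docs)
DATE_FMT = "%Y-%m-%dT%H:%M:%S.000"  # ISO 8601 with milliseconds, UTC, no offset (assumed from NVD docs)


class SlidingWindowLimiter:
    """At most `limit` requests per rolling `window` seconds (NVD 2.0: 5/30 s without a key,
    50/30 s with one). clock/sleep are injectable so tests need not really wait."""

    def __init__(self, limit, window=30.0, clock=time.monotonic, sleep=time.sleep):
        self.limit, self.window = limit, window
        self.clock, self.sleep = clock, sleep
        self.sent = []  # timestamps of requests still inside the window

    def acquire(self):
        now = self.clock()
        self.sent = [t for t in self.sent if now - t < self.window]
        if len(self.sent) >= self.limit:
            self.sleep(self.window - (now - self.sent[0]))  # wait until the oldest request ages out
            now = self.clock()
            self.sent = [t for t in self.sent if now - t < self.window]
        self.sent.append(now)


def http_fetch(url, api_key=None):
    """Real transport: GET `url`, sending the key in the apiKey header when one is configured."""
    req = urllib.request.Request(url, headers={"apiKey": api_key} if api_key else {})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def iter_cves(fetch, limiter, api_key=None, **filters):
    """Walk every page of /cves/2.0 matching `filters`, yielding the CVE records.
    startIndex advances by the number of items actually returned, not by resultsPerPage,
    so a page that comes back shorter than requested never causes records to be skipped."""
    index, total = 0, None
    while total is None or index < total:
        params = dict(filters, startIndex=index, resultsPerPage=PAGE_SIZE)
        limiter.acquire()
        page = fetch(NVD_CVES_URL + "?" + urllib.parse.urlencode(params), api_key)
        total = page["totalResults"]
        items = page.get("vulnerabilities", [])
        if not items and index < total:
            raise RuntimeError(f"empty page at startIndex={index} before totalResults={total}")
        for item in items:
            yield item["cve"]
        index += len(items)


def sync(store, fetch, limiter, now, api_key=None):
    """One mirror run. `store` is {"cves": {id: record}, "checkpoint": str | None}.
    The checkpoint written is the time this run STARTED: records modified while we were
    paging are fetched again next time (upserting by id is idempotent), whereas recording
    the finish time would silently miss them. Returns the number of records fetched."""
    fetched = 0
    if store.get("checkpoint") is None:
        pages = iter_cves(fetch, limiter, api_key)  # first run: whole collection, no date filter
        for cve in pages:
            store["cves"][cve["id"]] = cve
            fetched += 1
    else:
        start = datetime.strptime(store["checkpoint"], DATE_FMT).replace(tzinfo=timezone.utc)
        while start < now:  # split the catch-up range into windows the API accepts
            end = min(start + MAX_WINDOW, now)
            for cve in iter_cves(fetch, limiter, api_key,
                                 lastModStartDate=start.strftime(DATE_FMT),
                                 lastModEndDate=end.strftime(DATE_FMT)):
                store["cves"][cve["id"]] = cve
                fetched += 1
            start = end
    store["checkpoint"] = now.strftime(DATE_FMT)
    return fetched


def make_fake_nvd(records, page_size=2):
    """Constructed offline stand-in for the NVD endpoint: honours startIndex, resultsPerPage
    (capped at `page_size` to force paging) and the lastMod date filters."""
    def fetch(url, api_key=None):
        q = {k: v[0] for k, v in urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).items()}
        rows = records
        if "lastModStartDate" in q:  # same-format ISO strings compare correctly as text
            rows = [r for r in rows if q["lastModStartDate"] <= r["lastModified"] <= q["lastModEndDate"]]
        start, size = int(q.get("startIndex", 0)), min(int(q.get("resultsPerPage", page_size)), page_size)
        return {"resultsPerPage": size, "startIndex": start, "totalResults": len(rows),
                "vulnerabilities": [{"cve": dict(r)} for r in rows[start:start + size]]}
    return fetch


class FakeClock:
    """Virtual time for the limiter: sleep() just advances the clock."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def demo():
    """Initial mirror, then an incremental run after the feed changed. Constructed placeholder ids."""
    records = [{"id": "CVE-0000-0001", "lastModified": "2023-01-10T09:30:00.000"},
               {"id": "CVE-0000-0002", "lastModified": "2023-05-20T08:00:00.000"},
               {"id": "CVE-0000-0003", "lastModified": "2023-06-01T12:00:00.000"}]
    fetch, clock = make_fake_nvd(records, page_size=2), FakeClock()
    limiter = SlidingWindowLimiter(limit=3, window=30.0, clock=clock.now, sleep=clock.sleep)
    store = {"cves": {}, "checkpoint": None}
    first = sync(store, fetch, limiter, now=datetime(2023, 9, 1, tzinfo=timezone.utc))
    records[1]["lastModified"] = "2023-09-20T15:00:00.000"  # an existing CVE was updated...
    records += [{"id": "CVE-0000-0004", "lastModified": "2023-09-15T10:00:00.000"},
                {"id": "CVE-0000-0005", "lastModified": "2023-10-01T23:59:00.000"}]  # ...and two were published
    second = sync(store, fetch, limiter, now=datetime(2023, 10, 2, tzinfo=timezone.utc))
    return first, second, sorted(store["cves"]), store["checkpoint"], clock.t


if __name__ == "__main__":
    print(demo())
```

For a real run, pass http_fetch instead of the stand-in and persist `store` (the checkpoint string is all that must survive between runs); the limiter's limit is the only thing that changes between a keyed and an unkeyed deployment, which is why the first comment's request for a configurable key matters so much for mirroring time.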

Hi all, are there any updates on this?

Marck avatar May 10 '23 09:05 Marck

Yes, kind of. We are planning to implement support for the new API as an opt-in feature, while still keeping the legacy feed functionality around as the default mechanism. Because the API requires API keys to be even remotely usable, and it's still very unstable (https://github.com/jeremylong/Open-Vulnerability-Project/issues/42), at this point in time we likely cannot do a "hard switch" to it.

nscuro avatar May 10 '23 09:05 nscuro

The feed will not be supported after Q1/2024 to my understanding. Using outdated feeds may lead to the wrong impression of being secure.

mfriedenhagen avatar Aug 14 '23 17:08 mfriedenhagen

As raised in Slack, implementation of this should involve updating the documentation as well: https://owasp.slack.com/archives/C6R3R32H4/p1697628231823949

nscuro avatar Oct 18 '23 11:10 nscuro

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions[bot] avatar Dec 14 '23 10:12 github-actions[bot]