
Add support for European Union Vulnerability Database (EUVD)

Open software-testing-professional opened this issue 8 months ago • 3 comments

Current Behavior

Currently Dependency Track uses the National Vulnerability Database to download vulnerability information.

Proposed Behavior

Having in mind the recent "almost-shutdown" of the MITRE CVE Database (https://cve.mitre.org/), due to unclear financing, this could IMHO also happen to the National Vulnerability Database (https://nvd.nist.gov/) itself.

Recently the European Union has released an early beta version of the "European Union Vulnerability Database": https://euvd.enisa.europa.eu/

Some news can be found here: https://www.theregister.com/2025/04/18/splintering_cve_bug_tracking/

IMPORTANT: Being in early beta, there is no EUVD API documentation yet. Some reverse engineering efforts have been made (like here: https://github.com/cku-heise/euvd-api-doc) to get a basic understanding of the API. Official documentation has been announced, though.

From my point of view, it would be a good idea to also support the EUVD as a selectable alternative to the NVD - as soon as the API is officially documented.

Checklist

See also: https://github.com/DependencyTrack/dependency-track/discussions/4851

nscuro, Apr 22 '25 11:04

Meanwhile a first draft of the API documentation was released: https://euvd.enisa.europa.eu/apidoc

The page is now live: https://www.helpnetsecurity.com/2025/05/14/enisa-european-vulnerability-database-euvd/

Waize, May 14 '25 04:05

I just wanted to open the same feature request. This would be a most interesting feature indeed.

amsnek, Sep 24 '25 08:09

For everyone arriving here, please read this comment: https://github.com/DependencyTrack/dependency-track/discussions/4851#discussioncomment-12868941

It doesn't look like anything changed since then. The EUVD as it stands right now can not replace the NVD or any other database, since it lacks machine-readable matching information.

Additionally:

  • The information it contains is merely an aggregation of other (primarily US-based) sources.
  • The API is absolutely horrendous (https://github.com/DependencyTrack/vuln-db/issues/37#issuecomment-2887048027).

So far the only reason to "support" the EUVD seems to be that we can collect EUVD identifiers.

I'd welcome anyone to tell me I'm wrong, and that there is useful data in the EUVD that we won't get elsewhere (i.e., directly from the sources that the EUVD aggregates).

nscuro, Sep 24 '25 08:09