arch-security-tracker

Easier API access to CVE descriptions

Open polynomialspace opened this issue 6 years ago • 3 comments

Currently /all.json provides bulk access to public CVE/advisory data, but does not include CVE descriptions; descriptions appear to only be available via individual CVE or advisory pages, which makes for a rather inefficient process if one wishes to gather such data.

polynomialspace Jun 12 '19 10:06

When we visit /all.json, the main JSON received is:

{
    "name": "AVG-2",
    "packages": [
        "test"
    ],
    "status": "Vulnerable",
    "severity": "Critical",
    "type": "authentication bypass",
    "affected": "1.0",
    "fixed": "1.1",
    "ticket": null,
    "issues": [
        "CVE-2020-25639"
    ],
    "advisories": []
}

The CVE description should go inside issues[], right? And if that's the case, we'd need to create a JSON object in issues[] as well? Something like: { "id": "CVE-2020-25639", "description": "Some desc here" } maybe?

RijulGulati Oct 11 '20 11:10

Yes, but the issue here is that this will break API compatibility. While you could already implement this in a PR, we may first need to land a versioned API before applying it.

anthraxx Oct 12 '20 13:10

I see. I think it'll be better if this is implemented after API versioning is done. Out of curiosity, will it be something like /v1/all.json, /v2/all.json? Is the API versioning enhancement being tracked somewhere? Maybe I could refer to it and chip in?

RijulGulati Oct 13 '20 19:10
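The compatibility break discussed in this thread, as an added example that is not part of the tracker's code: a consumer that treats each issues[] entry as a string fails on the object shape sketched above, while one that normalizes both shapes keeps working. The function names are hypothetical and the sample data is constructed from the entry quoted in the thread.

```python
import json

# Constructed sample data. CURRENT is the entry quoted in the thread; PROPOSED
# is the same entry with issues[] reshaped as sketched in the thread.
CURRENT = json.loads("""[{"name": "AVG-2", "packages": ["test"],
  "status": "Vulnerable", "severity": "Critical",
  "type": "authentication bypass", "affected": "1.0", "fixed": "1.1",
  "ticket": null, "issues": ["CVE-2020-25639"], "advisories": []}]""")
PROPOSED = json.loads(json.dumps(CURRENT))  # deep copy
PROPOSED[0]["issues"] = [{"id": "CVE-2020-25639", "description": "Some desc here"}]


def naive_cve_ids(groups):
    """Hypothetical existing client: assumes every issues[] entry is a string."""
    return sorted({issue for group in groups for issue in group["issues"]})


def normalize_issue(raw):
    """Accept either shape and return {"id", "description"}; reject anything else."""
    if isinstance(raw, str):
        return {"id": raw, "description": None}
    if isinstance(raw, dict) and isinstance(raw.get("id"), str):
        return {"id": raw["id"], "description": raw.get("description")}
    raise ValueError(f"unexpected issues[] entry: {raw!r}")


def cve_index(groups):
    """Map CVE id -> description and the AVG names that reference it."""
    index = {}
    for group in groups:
        for raw in group.get("issues", []):
            issue = normalize_issue(raw)
            entry = index.setdefault(issue["id"], {"description": None, "groups": []})
            entry["description"] = issue["description"] or entry["description"]
            entry["groups"].append(group["name"])
    return index


if __name__ == "__main__":
    print(naive_cve_ids(CURRENT))       # works on today's shape
    try:
        naive_cve_ids(PROPOSED)         # dicts are unhashable
    except TypeError as exc:
        print("naive client breaks:", exc)
    print(cve_index(CURRENT))
    print(cve_index(PROPOSED))
```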