MSRC-Microsoft-Security-Updates-API
[Question] Missing KBs - Servicing Stack Updates, Cumulative Updates, Etc.
Cross referencing the total number of KBs and CVEs discovered through these APIs, there appears to be missing information and such is the case shown here.... https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001
That CVE is in reference to March 23, 2020 for CVE ADV990001, where ADV990001 is supposed to contain all the Servicing Stack Updates. However, this CVE is not contained in the API response for 2020-Mar. Is there a reason why this information is missing?
You can also find the case described below....
https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Mar The March 2020 information is missing CVE CVE-2020-0796 in the response data, which contains these KBs ... https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796 All of which are security updates and are critical.
I've found these APIs to have this occur kind of often, leaving them not complete. Is there any way the APIs can be updated to address these gaps, or does anyone suggest having a secondary source of information to combine these lists together?
I am seeing the same behavior. It appears that the API is filtering on the Release date and not the Last Updated date. For example, if I download the data for Aug 2021 with the URI - https://api.msrc.microsoft.com/cvrf/2021-Aug?api-version=2016-08-01, it does not include the following CVEs.

| Release date | Last Updated | CVE |
| --- | --- | --- |
| 20-Jul-21 | 10-Aug-21 | CVE-2021-36934 |
| 15-Jul-21 | 10-Aug-21 | CVE-2021-34481 |
| 13-Jul-21 | 4-Aug-21 | CVE-2021-34466 |
| 10-Mar-20 | 10-Aug-21 | CVE-2020-0765 |
| 13-Nov-18 | 10-Aug-21 | ADV990001 |
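
One way to catch the entries described in the comment above, as an added example (not code from the MSRC project or from either poster): scan the revision history of monthly documents you have already downloaded for entries revised in the target month but absent from that month's document. The field names `Vulnerability`, `CVE`, `RevisionHistory` and `Date` are assumed to match the CVRF JSON, and the sample documents are constructed from the table above with `CVE-EXAMPLE-*` placeholders.

```python
from datetime import datetime

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def month_id(dt):
    """Format a datetime as an MSRC document ID such as '2021-Aug'."""
    return f"{dt.year}-{MONTHS[dt.month - 1]}"

def revised_outside_release(docs, target):
    """Map CVE -> (document ID holding it, latest revision date in `target`)
    for entries revised during `target` but absent from that month's document."""
    in_target = {v["CVE"] for v in docs.get(target, {}).get("Vulnerability", [])}
    missed = {}
    for doc_id, doc in docs.items():
        if doc_id == target:
            continue
        for v in doc.get("Vulnerability", []):
            if v["CVE"] in in_target:
                continue
            hits = []
            for rev in v.get("RevisionHistory", []):
                dt = datetime.fromisoformat(rev["Date"].rstrip("Z"))
                if month_id(dt) == target:
                    hits.append(dt)
            if hits:
                missed[v["CVE"]] = (doc_id, max(hits).date().isoformat())
    return missed

def _vuln(cve, *dates):
    # Constructed record; field names assumed to match the CVRF JSON.
    return {"CVE": cve, "RevisionHistory": [{"Date": d + "T07:00:00Z"} for d in dates]}

# Constructed sample: dates mirror the table above; CVE-EXAMPLE-* are placeholders.
SAMPLE_DOCS = {
    "2021-Aug": {"Vulnerability": [_vuln("CVE-EXAMPLE-0001", "2021-08-10")]},
    "2021-Jul": {"Vulnerability": [
        _vuln("CVE-2021-36934", "2021-07-20", "2021-08-10"),
        _vuln("CVE-2021-34481", "2021-07-15", "2021-08-10"),
        _vuln("CVE-2021-34466", "2021-07-13", "2021-08-04"),
        _vuln("CVE-EXAMPLE-0002", "2021-07-13"),
    ]},
    "2020-Mar": {"Vulnerability": [_vuln("CVE-2020-0765", "2020-03-10", "2021-08-10")]},
    "2018-Nov": {"Vulnerability": [_vuln("ADV990001", "2018-11-13", "2021-08-10")]},
}

if __name__ == "__main__":
    for cve, (doc_id, when) in sorted(revised_outside_release(SAMPLE_DOCS, "2021-Aug").items()):
        print(f"{cve}: in {doc_id}, revised {when}")
```

Entries flagged this way are the ones a patch-coverage report built only from the target month's document would leave out.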