cve-schema vs cvelistV5

| | cve-schema | cvelistV5 |
|---|---|---|
| Mentions | 2 | 5 |
| Stars | 216 | 502 |
| Growth | 6.9% | 18.3% |
| Activity | 4.8 | 4.8 |
| Last Commit | 8 days ago | 5 days ago |
| Language | HTML | - |
| License | Creative Commons Zero v1.0 Universal | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
cve-schema
- Greetings! CVE API to CSV
- Rage about CVE dataset quality(?)
  I adopted JSON for the CVE data format when I invented it (https://github.com/CVEProject/cve-schema/tree/master/schema) for two main reasons:
cvelistV5
- Maccarone: AI-managed code blocks in Python
  We, as an industry, didn't stop shipping bugs. (Small example: https://github.com/CVEProject/cvelistV5/releases)
  And that thorough code review prevents bugs is, at best, a debatable assertion. See e.g. https://www.microsoft.com/en-us/research/publication/code-re...
  It finds _some_ bugs. CI/CD and a massive investment in automated testing have probably had the largest impact in moving software quality forward. (See e.g. "Accelerate", Forsgren, Humble & Kim.)
  Code review is an excellent tool to socialize knowledge and train up more junior engineers, but in terms of preventing bugs, it's low-value.
- "Mirror" of the soon to be deprecated NIST NVD CVE Feeds
  There seems to be a new repository in a new JSON format: https://github.com/CVEProject/cvelistV5
- Please don't use GPT for Security Guidance
  Meanwhile, over here, I just stare at https://github.com/CVEProject/cvelistV5 and mumble "any reasonable dev, front of mind".
- On the uselessness of MITRE's CVE List
  The issues I filed in the cvelistV5 repo are also unanswered, so I guess nobody gives a damn.
- Rage about CVE dataset quality(?)
  118955 entries don't even have an affected vendor/product software field, nor a valid version string and/or condition. They only contain plaintext descriptions and no version matching field either. Filed an issue here about it.
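The complaint above is about records whose `affected` block names no real vendor/product and carries no usable version data, so the only place the vulnerable software is identified is the prose description. The script below is an added example (not code from the cvelistV5 project or from the commenter) of the check a consumer of the repository would run to measure that: it classifies each CVE JSON 5 record by whether its `containers.cna.affected[]` entries identify a product and carry a matchable `versions[]` entry (or a `defaultStatus`). It assumes the CVE JSON 5.0 field names shown, that `n/a`-style placeholder strings mean "nothing stated" (the pattern records converted from the old 4.0 format tend to carry), and that a cvelistV5 checkout is laid out as `cves/<year>/<bucket>/CVE-*.json`; the four sample records are constructed, with placeholder IDs rather than real CVEs.

```python
"""Classify CVE JSON 5 records by whether their 'affected' data is machine-matchable.

Added example, not cvelistV5 project code. Field names follow the CVE JSON 5.0
record format (containers.cna.affected[].vendor/product/packageName/versions[]/
defaultStatus); sample records are constructed and their CVE IDs are placeholders.
"""
import json
from collections import Counter
from pathlib import Path

# Strings that name nothing. "n/a" is what records converted from the old 4.0
# format commonly carry in vendor/product/version (assumption about the data).
PLACEHOLDERS = {"", "n/a", "unspecified", "unknown", "-"}


def is_placeholder(value):
    return not isinstance(value, str) or value.strip().lower() in PLACEHOLDERS


def names_a_product(affected_item):
    """An affected entry identifies software via vendor+product or via packageName."""
    has_vendor_product = not (is_placeholder(affected_item.get("vendor"))
                              or is_placeholder(affected_item.get("product")))
    return has_vendor_product or not is_placeholder(affected_item.get("packageName"))


def version_entry_is_usable(entry):
    """A versions[] entry is matchable when it names a version (a single version,
    or the start of a lessThan/lessThanOrEqual range) and states its status."""
    if not isinstance(entry, dict) or is_placeholder(entry.get("version")):
        return False
    return entry.get("status") in {"affected", "unaffected", "unknown"}


def classify_record(record):
    """Return 'no_affected', 'placeholder_product', 'no_versions' or 'matchable'."""
    cna = record.get("containers", {}).get("cna", {})
    affected = cna.get("affected") or []
    if not affected:
        return "no_affected"
    named = [item for item in affected if names_a_product(item)]
    if not named:
        return "placeholder_product"
    for item in named:
        versions = item.get("versions") or []
        if any(version_entry_is_usable(v) for v in versions):
            return "matchable"
        # defaultStatus with no versions list means "every version"; that is
        # still a statement software can act on.
        if not versions and item.get("defaultStatus") == "affected":
            return "matchable"
    return "no_versions"


def summarize(records):
    """Count records per category, e.g. over a whole cvelistV5 checkout."""
    return Counter(classify_record(r) for r in records)


def iter_repo_records(repo_root):
    """Yield records from a cvelistV5 checkout. The cves/<year>/<bucket>/CVE-*.json
    layout is an assumption about the repository; adjust the glob if it changes."""
    for path in Path(repo_root).glob("cves/*/*/CVE-*.json"):
        with path.open(encoding="utf-8") as fh:
            yield json.load(fh)


def _record(cve_id, cna):
    return {"dataType": "CVE_RECORD", "dataVersion": "5.0",
            "cveMetadata": {"cveId": cve_id, "state": "PUBLISHED"},
            "containers": {"cna": cna}}


# Constructed sample records (placeholder IDs, not real CVEs).
SAMPLE_RECORDS = [
    _record("CVE-0000-0001", {   # bounded range: matchable
        "affected": [{"vendor": "ExampleCo", "product": "ExampleServer",
                      "versions": [{"version": "1.0", "status": "affected",
                                    "versionType": "semver", "lessThan": "1.4.2"}]}],
        "descriptions": [{"lang": "en", "value": "Fixed in 1.4.2."}]}),
    _record("CVE-0000-0002", {   # converted-from-4.0 style: every field is n/a
        "affected": [{"vendor": "n/a", "product": "n/a",
                      "versions": [{"version": "n/a", "status": "affected"}]}],
        "descriptions": [{"lang": "en", "value": "ExampleClient before 2.3 ..."}]}),
    _record("CVE-0000-0003", {   # prose only, no affected block at all
        "descriptions": [{"lang": "en", "value": "ExampleLib 0.9 through 1.1 ..."}]}),
    _record("CVE-0000-0004", {   # product named, but versions live only in the prose
        "affected": [{"vendor": "ExampleCo", "product": "ExampleClient", "versions": []}],
        "descriptions": [{"lang": "en", "value": "Versions before 2.3 are affected."}]}),
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(record["cveMetadata"]["cveId"], classify_record(record))
    print(dict(summarize(SAMPLE_RECORDS)))
```

To run it over a real checkout, replace `SAMPLE_RECORDS` with `iter_repo_records("/path/to/cvelistV5")`; everything that does not land in `matchable` is a record whose vulnerable-software statement has to be recovered from free text before it can be used for version matching.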
What are some alternatives?
opencve - CVE Alerting Platform
gsd-tools - Global Security Database Tools
maccarone - AI-managed code blocks in Python ⏪⏩
Loki - Loki - Simple IOC and YARA Scanner
osv.dev - Open source vulnerability DB and triage service.
cvelist - Pilot program for CVE submission through GitHub. CVE Record Submission via Pilot PRs ending 6/30/2023