NVD 2.0 API Changes


nvd-news

Dec 19, 2022, 2:52:55 PM
to nvd-news

We released the 2.0 APIs in late September and have been gathering feedback, making updates and adjustments as needed. On 12/16/2022 we deployed a series of updates and improvements to the 2.0 APIs and the associated documentation based on the feedback received to date. Below is a list of changes made since the initial release.

General

· Improved CORS header support.

· Many clerical and clarifying changes to the 2.0 API documentation.

· Improved handling of certain scenarios requiring encoded characters.

CVE (/cves/)

· Clarified that the “lastModified” date for a CVE record is not changed when a CVE record changes to “Undergoing Analysis” status in the NVD data set.

· Added a new parameter that filters responses to exclude rejected CVE records. See https://nvd.nist.gov/developers/vulnerabilities#cves-noRejected

· Added a series of parameters that allows users to search for a range of versions for a given virtualMatchString value. (Note that search results are limited to searching the CPE Match Criteria of a CVE based on how the virtualMatchString parameter operates.) See https://nvd.nist.gov/developers/vulnerabilities#cves-versionStart See https://nvd.nist.gov/developers/vulnerabilities#cves-versionEnd

· Added a new property, cisaVulnerabilityName, in responses regarding CISA KEV data.

Additionally, we relabeled other related properties (cisaExploitAdd, cisaActionDue, cisaRequiredAction) to align them and identify that they are CISA-populated items.

· Moved “baseSeverity” property to its proper location in the cvssMetricV2 object.

· Removed the “negate” property from appearing in the configurations object in responses.

· Amended schema to include “id”, “published” and “lastModified” as required.

CVE Change History (/cvehistory/)

· Released this API for public use in October.

CPE (/cpes/)

· Added a “deprecates” array for relevant CPE records. Previously we only included a “deprecatedBy” array when a CPE had been deprecated by another. This change allows for awareness in either direction of the deprecation chain. (Example)

Match Criteria (/cpematch/)

· Amended data regarding “cpeLastModified” to be populated as expected or to align with the lastModified date.

· Resolved inconsistent encodings in the responses for CPE Names and CPE Match Criteria. This involved changing the schema and aligns with the approach used in other API responses.

We appreciate and look forward to continued feedback, comments, and requests during this open beta period. We want to know if you encounter an issue with the new APIs or if you are confused about how to solve a unique transition problem. Please share your experience with us by emailing n...@nist.gov!
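An added example, not part of the NVD announcement and not NVD's own code: building a /cves/ request that combines the version-range and noRejected parameters listed above, then pulling the CISA KEV properties out of a response. The base URL and the versionStartType/versionEndType parameter names are taken from the NVD API documentation rather than this post, and the sample response is constructed with placeholder IDs.

```python
from urllib.parse import quote

# Assumption: CVE API 2.0 base URL; the post itself does not give it.
CVE_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"
RANGE_TYPES = {"including", "excluding"}
KEV_FIELDS = ("cisaVulnerabilityName", "cisaExploitAdd",
              "cisaActionDue", "cisaRequiredAction")


def build_cve_query(match, start=None, end=None, start_type="including",
                    end_type="excluding", no_rejected=True):
    """Return a /cves/ URL for CPE match string `match`, optionally version-bounded."""
    if not match.startswith("cpe:2.3:"):  # local sanity check only
        raise ValueError("virtualMatchString must be a cpe:2.3 match string")
    params = [("virtualMatchString", match)]
    for value, kind, name in ((start, start_type, "versionStart"),
                              (end, end_type, "versionEnd")):
        if value is None:
            continue
        if kind not in RANGE_TYPES:
            raise ValueError(f"{name}Type must be one of {sorted(RANGE_TYPES)}")
        params += [(name, value), (name + "Type", kind)]
    # Percent-encode values, leaving ':' and '*' readable in the CPE string.
    query = "&".join(f"{k}={quote(v, safe=':*')}" for k, v in params)
    # noRejected is sent as a bare flag with no value.
    return f"{CVE_API}?{query}" + ("&noRejected" if no_rejected else "")


def kev_entries(response):
    """Map CVE id -> CISA KEV properties for the records that carry them."""
    out = {}
    for item in response.get("vulnerabilities", []):
        cve = item["cve"]
        kev = {f: cve[f] for f in KEV_FIELDS if f in cve}
        if kev:
            out[cve["id"]] = kev
    return out


# Constructed sample response (placeholder ids and values, not real NVD data).
SAMPLE = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "cisaVulnerabilityName": "Example Product Flaw",
             "cisaExploitAdd": "2022-01-03", "cisaActionDue": "2022-01-24",
             "cisaRequiredAction": "Apply updates per vendor instructions."}},
    {"cve": {"id": "CVE-0000-0002"}},
]}

if __name__ == "__main__":
    print(build_cve_query("cpe:2.3:a:example:widget", "1.0", "2.0"), kev_entries(SAMPLE))
```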
