Check your applications!

nvd-news

Oct 3, 2022, 9:48:27 AM
to nvd-news

What has changed

The APIs have undergone significant backend changes to support increasing requests from our growing user base. Many of these changes will not be apparent to the public while others—like a greater default value for resultsPerPage—will improve the speed of almost every workflow.

For many users, the most noticeable changes from 1.0 to 2.0 should include improved documentation, two new API endpoints providing the public with CPE Match Strings and Data Source records, six new parameters for the CVE API that allow users to filter requests based on metadata like CISA’s Known Exploited Vulnerabilities (KEV), as well as two new parameters for the CPE API to search for products using new Universally Unique Identifiers (UUID).

Additional enhancements have been added to make the APIs easier to use and more secure. Two of these changes make greater use of the request and response headers. Whereas the 1.0 APIs accepted API Keys in the request's URL query, the 2.0 APIs require the API key to be passed via the request header in an apiKey field. In the 2.0 APIs, whenever client errors occur users can examine the response header for a new field named message. The message field provides users additional information to aid in debugging.

The data in the NVD provides a catalyst for open research, learning, and discovery. For that reason, the NVD intends to make all data that would be available to users of the website also available via its APIs. The 2.0 APIs include significant additions to the default content returned by each API and later this year the NVD will release another endpoint specifically for CVE change histories. Further supporting this mission, the CVE and Source APIs identify information providers who participate in the CVE program and in the Collaborative Vulnerability Metadata Acceptance Process (CVMAP) where applicable.

Actions you should take

From now through January, you should explore the new APIs!  The APIs have been released in an open beta. In this release the APIs may contain some bugs and changes to the schema will not affect versioning.  As a member of the NVD News Google Group we would like to hear from you—but before you reach out, please read the Transition Guide and Change Timeline posted to the NVD news page. 

In January 2023, the NVD plans for the new APIs to leave beta and to mark the 1.0 APIs deprecated.  

Actions you must take

As soon as possible, you must investigate whether the automated workflows you have in place use web scraping tools, the legacy data feeds, or the 1.0 APIs.  When the 2.0 APIs exit beta in January 2023, all users must transition to the updated APIs to continue to get NVD data past September 2023.  The legacy data feeds and 1.0 APIs will be retired in September of 2023. For more information on when the NVD plans to retire legacy services please review the Change Timeline posted to the NVD news page.

Share your user stories

We want to know if you encounter an issue with the new APIs or if you are confused about how to solve a unique transition problem. Please share your user stories with n...@nist.gov. Please ensure each user story includes a description of what you are looking to do (your what) and the problem you are looking to solve (your why). Please note, while the NVD looks forward to providing you with clear and valuable resources, the NVD does not currently provide code snippets in any language or code reviews for any user group. The NVD also does not endorse any code base, repository, user agent, or third-party platforms.

V/r,

The National Vulnerability Database Team
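
The header changes described in the announcement, as an added example that is not NVD code and not part of the original post: it moves a 1.0-style `apiKey` query parameter into the `apiKey` request header, so the key stays out of URLs that end up in logs and proxies, and it reads the `message` response header on client errors. The base URL and all function names are assumptions of this example; the key and error text are constructed.

```python
import urllib.error
import urllib.request
from urllib.parse import unquote, urlsplit, urlunsplit

# Assumption: base URL of the 2.0 CVE API (the announcement does not state it).
CVE_API_2 = "https://services.nvd.nist.gov/rest/json/cves/2.0"


def key_to_header(url):
    """Remove any apiKey query parameter; return (clean_url, headers)."""
    parts = urlsplit(url)
    kept, key = [], None
    for field in filter(None, parts.query.split("&")):
        name, _, value = field.partition("=")
        if name == "apiKey":
            key = unquote(value)      # key must not stay in the URL
        else:
            kept.append(field)        # other parameters pass through verbatim
    clean = urlunsplit(parts._replace(query="&".join(kept)))
    return clean, ({"apiKey": key} if key else {})


def build_request(url):
    """Build a request whose API key travels only in the request header."""
    clean, headers = key_to_header(url)
    # urllib stores the header name as "Apikey"; HTTP header names are
    # case-insensitive, so the server still sees the apiKey field.
    return urllib.request.Request(clean, headers=headers)


def client_error_detail(err):
    """Return the 'message' response header of a 4xx HTTPError, else None."""
    if 400 <= err.code < 500:
        return err.headers.get("message")
    return None


def fetch(url, timeout=30):
    """GET the URL; on failure raise an error that never contains the key."""
    try:
        with urllib.request.urlopen(build_request(url), timeout=timeout) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        detail = client_error_detail(err) or err.reason
        raise RuntimeError(f"NVD API HTTP {err.code}: {detail}") from err


if __name__ == "__main__":
    # Constructed legacy-style URL with the key in the query string.
    legacy = CVE_API_2 + "?resultsPerPage=100&apiKey=CONSTRUCTED-KEY"
    print(key_to_header(legacy))
```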
