| 1 | 1 | # NIST National Vulnerability Database | 
| 2 |  | -The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics. This product uses the NVD API but is not endorsed or certified by the NVD. | 
|  | 2 | +The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics. This product uses the NVD API but is not endorsed or certified by the NVD. | 
| 3 | 3 | 
 | 
| 4 | 4 | 
 | 
| 5 | 5 | ## Publisher: Paul Culmsee | 
| 6 | 6 | 
 | 
| 7 |  | -## Prerequisites | 
|  | 7 | +## Obtaining Credentials | 
| 8 | 8 | NIST NVD uses API keys to allow access to the API. You can get an API key [here](https://nvd.nist.gov/developers/request-an-api-key). | 
| 9 | 9 | * On the API key requests page, enter data into the three fields on the requests form.  | 
| 10 | 10 | * Scroll to the bottom of the Terms of Use, and then click the check box marked "I agree to the Terms of Use." | 
| 11 | 11 | * Check the inbox of the email address provided in the steps above for an email from nvd-noreply@nist.gov. | 
| 12 |  | -* Activate and view the API Key by opening the single-use hyperlink. Store the API Key in a secure location as the page will no longer be available after it is closed. If your key is not activated within seven days, a request for a new API Key must be submitted. | 
|  | 12 | +* Activate and view the API Key by opening the single-use hyperlink. Store the API Key in a secure location as the page will no longer be available after it is closed. If your key isn't activated within seven days, a request for a new API Key must be submitted. | 
| 13 | 13 | 
 | 
| 14 | 14 | ## Supported Operations | 
| 15 |  | -### Retrieve a specific CVE | 
| 16 |  | -Get details of a specific CVE. A unique identifier known as the CVE ID allows stakeholders a common means of discussing and researching a specific, unique exploit.  | 
| 17 | 15 | 
 | 
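Review bot: Dropping the "Retrieve a specific CVE" section (the two removed lines directly under "## Supported Operations") leaves the README silent on whether that operation still exists in the connector; if apiDefinition.swagger.json still exposes it, keep a corrected description, and if the operation was removed, say so in the commit message, because the heading still reads "Supported Operations". The removed wording also described a CVE ID as identifying a "specific, unique exploit", which is the part worth fixing rather than deleting: a CVE identifies a vulnerability, not an exploit, as the next section's own "dictionary or glossary of vulnerabilities" wording says.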
| 18 | 16 | ### Retrieve a collection of CVE | 
| 19 |  | -Get a collection of CVE. The Common Vulnerabilities and Exposures (CVE) program is a dictionary or glossary of vulnerabilities that have been identified for specific code bases, such as software applications or open libraries  | 
|  | 17 | +Get a collection of CVE. The Common Vulnerabilities and Exposures (CVE) program is a dictionary or glossary of vulnerabilities identified for specific code bases, such as software applications or open libraries  | 
| 20 | 18 | 
 | 
| 21 | 19 | ### Retrieve CPE information | 
| 22 |  | -Get a collection of CPE. The Official CPE Dictionary, is a searchable repository of hardware and software products maintained by the National Vulnerability Database (NVD) | 
|  | 20 | +Get a collection of CPE. The Official CPE Dictionary is a searchable repository of hardware and software products maintained by the National Vulnerability Database (NVD) | 
| 23 | 21 | 
 | 
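Review bot: Both rewritten operation descriptions still end without a terminating period ("... such as software applications or open libraries" and "... maintained by the National Vulnerability Database (NVD)"), and "open libraries" reads as a truncation; since these lines are being touched anyway, finish both sentences in the same change.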
| 24 | 22 | ## API Documentation | 
| 25 | 23 | https://nvd.nist.gov/developers | 
| 26 | 24 | 
 | 
| 27 | 25 | ## Known Issues and Limitations | 
| 28 |  | -* FIltering by date is very specific in terms of format.  It is unlikely you need to filter based on time so I suggest you specify 000 for subseconds and use hh:mm for UTC offset. Eg. For Power Automate flows, this is an example of correctly specifying a date with no UTC offset. formatDateTime(utcNow(), 'yyyy-MM-ddTHH:mm:ss:000 UTC+00:00') | 
|  | 26 | +* When filtering by date, please note the format. As it is unlikely you need to filter based on time, I suggest you specify 000 for sub-seconds and use hh:mm for UTC offset. Eg. For Power Automate flows, this is an example of correctly specifying a date with no UTC offset. formatDateTime(utcNow(), 'yyyy-MM-ddTHH:mm:ss:000 UTC+00:00') | 
| 29 | 27 | 
 | 
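Review bot: The rewritten date bullet says "an example of correctly specifying a date with no UTC offset" while the format string ends in the literal `UTC+00:00`, which is an explicit zero offset rather than a missing one; say "with a zero (UTC) offset", and note that hardcoding `+00:00` is only right because utcNow() returns UTC. The rewrite also softens "very specific in terms of format" to "please note the format", which loses the useful warning: the colon before the sub-seconds (`ss:000`) and the space before `UTC` are exactly the details a reader will get wrong, so keep a sentence saying the string must match the API's expected form character for character. Minor: "Eg." should be "e.g.", and the `formatDateTime(utcNow(), 'yyyy-MM-ddTHH:mm:ss:000 UTC+00:00')` expression should be in backticks so the quotes and colons survive rendering.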
| 30 |  | -* There are a large number of vulnerabilties stored in a highly granular way. You will need to filter your results and learn the schema to apply filters. eg Filtering by CPE Match string or CVE match string is documented (here)[http://cpe.mitre.org/specification/index.html] | 
|  | 28 | +* There are a large number of vulnerabilities stored in a highly granular way. You will need to filter your results and learn the schema to apply filters. E.g Filtering by CPE Match string or CVE match string is documented (here)[http://cpe.mitre.org/specification/index.html] | 
| 31 | 29 | 
 | 
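Review bot: The markdown link in this bullet is reversed, `(here)[http://cpe.mitre.org/specification/index.html]`, so it renders as literal text instead of a link; it should be `[here](http://cpe.mitre.org/specification/index.html)`. The target is the CPE specification, which covers CPE match strings, but the sentence also promises documentation for "CVE match string" there; point CVE filtering at the NVD developer docs already linked under "## API Documentation" instead. Also "E.g" should be "e.g.".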
| 32 | 30 | * Each API Key is associated with a single email address. If an email address is used to request an additional API key, clicking the single-use hyperlink will invalidate the key previously associated with that email address. The key will not be invalidated if the email is used to request another key, but the link is not opened. There is no process for retrieving a forgotten key. | 
| 33 | 31 | 
 | 
| 34 | 32 | * The rate limit with an API key is 100 requests in a rolling 60 second window. | 
| 35 | 33 | 
 | 
| 36 |  | -* The best practice for making requests within the rate limit is to use the modified date parameters. No more than once every two hours, automated requests should include a range where modStartDate equals the time of the last CVE or CPE received and modEndDate equals the current time. Enterprise scale development should enforce this approach through a single requestor to ensure all users are in sync and have the latest CVE and CPE information. It is also recommended that users "sleep" their scripts for six seconds between requests. | 
|  | 34 | +* The best practice for making requests within the rate limit is to use the modified date parameters. No more than once every two hours, automated requests should include a range where modStartDate equals the time of the last CVE or CPE received and modEndDate equals the current time. Enterprise-scale development should enforce this approach through a single requestor to ensure all users are in sync and have the latest CVE and CPE information. It is also recommended that users "sleep" their scripts for six seconds between requests. | 
| 37 | 35 | 
 | 
| 38 |  | -* Always update this connector via the command line tool. The custom connector UI will report and error with the "Remote Auth Reader" policy because the UI does not allow an empty value. If you save the connector via the custom connector UI, it writes an invalid value to the policy which will stop the Get Zones endpoint from working. | 
| 39 | 36 | ``` | 
| 40 | 37 | paconn create --api-def apiDefinition.swagger.json --api-prop apiProperties.json. | 
| 41 | 38 | ``` | 