Colleagues,

As of March 29, 2023, the CVE Program achieved "hard 
deploy<https://cveproject.github.io/automation-cve-services-faqs#what-is-meant-by-cve-services-21-hard-deploy>"
 of the CVE Services<https://www.cve.org/AllResources/CveServices>/CVE JSON 
5.0<https://www.cve.org/AllResources/CveServices#cve-json-5>/CVE JSON 5.0 Bulk 
Download<https://www.cve.org/Media/News/item/blog/2023/03/29/CVE-Downloads-in-JSON-5-Format>
 automation upgrade.
Hard deploy means all issues with CVE Services "soft 
deploy<https://cveproject.github.io/automation-cve-services-faqs#what-is-meant-by-cve-services-21-soft-deploy>"
 have been addressed, and the CVE JSON 5.0 Bulk Download capability is 
available for community use.
CVE Services/CVE JSON 5.0 Hard Deploy
Both CVE Services and CVE JSON 5.0 are in active use by the CVE Numbering 
Authority (CNA)<https://www.cve.org/ProgramOrganization/CNAs> community. Please 
see the "CVE Services<https://www.cve.org/AllResources/CveServices>" page on 
the CVE.ORG website for the most current information about CVE Services and CVE 
JSON 5.0.
Bulk Downloads in CVE JSON 5.0 Format Hard Deploy
CVE 
Records<https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryRecord>
 in CVE JSON 5.0 
format<https://www.cve.org/AllResources/CveServices#cve-json-5> are now 
available for bulk download by the community. "Bulk download" means all CVE 
Records and updates are included in a single download file.
CVE JSON 5.0 (view the schema<https://github.com/CVEProject/cve-schema>) is the 
new official data format for CVE Records and download files. Download files 
based upon CVE JSON 4.0 will be deprecated on or before December 31, 2023 (see 
the "Legacy Downloads Available for Limited Time Only" section below).
These downloads enable development of custom applications for vulnerability 
management or analysis. To view individual CVE Records, please continue to use 
the CVE ID lookup search box at the top of all CVE.ORG<https://www.cve.org/> 
web pages. It provides equally fresh data.
New Download Files Hosted on GitHub
The new download files are hosted in the cvelistV5 
repository<https://github.com/CVEProject/cvelistV5> on GitHub.com. The 
repository includes release versions of all current CVE Records generated from 
the official CVE Services API. View the repository 
ReadMe<https://github.com/CVEProject/cvelistV5/blob/main/README.md> for 
additional information and known issues.
Baseline releases are issued once per day at midnight and posted on the 
cvelistV5 repository Releases<https://github.com/CVEProject/cvelistV5/releases> 
page in the following file name format: CVE Prefix-Year-Month-Day _ Greenwich 
Mean Time (GMT), (e.g., "CVE 2023-03-17_0000Z"). Hourly updates that include 
any additional CVE Records and/or other changes made since the baseline release 
are also provided on the Releases page using the same file name format, with 
time changes encoded at the end.
How to Access the New Download Files
All download files, including baseline and hourly releases, are available on 
GitHub, while a single download file of the most recent release is available 
from the CVE.ORG website.
On GitHub:
Experienced users of GitHub may use the traditional GitHub functions to 
maintain their own copy of the CVE List (e.g., "git 
clone<https://github.com/git-guides/git-clone>" with periodic syncs).
In addition, users may download a zipped CVE List "baseline" that is updated at 
midnight (GMT) each day. A "modified" file is updated every hour that contains 
only the CVE Records that have been modified/added since the baseline.
Each baseline and hourly release includes three items:

  *   ZIP file of all current CVE Records at midnight (e.g., 
"2023-03-28_all_CVEs_at_midnight.zip.zip")
  *   ZIP file of all CVE Records added or modified since midnight (e.g., 
"2023-03-28_delta_CVEs_at_2200Z.zip")
  *   Release Notes for the specific release that contains a text list of CVE 
Records that have been modified/added since midnight
NOTE: The most current 
release<https://github.com/CVEProject/cvelistV5/releases> contains the most 
up-to-date CVE List content. Hourly updates contain only the most recent 
updates.
On CVE.ORG:
The most-current download file, which includes all CVE Records and updates, is 
always available from the Downloads<https://www.cve.org/Downloads> page on the 
CVE.ORG website as a single ZIP file:

  *   
main.zip<https://github.com/CVEProject/cvelistV5/archive/refs/heads/main.zip>
Legacy Downloads Available for Limited Time Only
Legacy format CVE List downloads<https://www.cve.org/Downloads#legacy-format> 
(i.e., CSV, HTML, XML, and CVRF), which are derived from CVE JSON 4.0, will 
remain available for download on the CVE.ORG website for a limited time. They 
will be deprecated on or before December 31, 2023.
Any tools or automation that use these old formats may no longer work once the 
old formats have been deprecated, so organizations should take action now.

Questions? Please use the CVE Request Web Forms<https://cveform.mitre.org/> and 
select "Other" from the dropdown.

Respectfully,
CVE Program Secretariat
cve-prog-secretar...@mitre.org<mailto:cve-prog-secretar...@mitre.org>

[A picture containing text, clipart  Description automatically generated]

Reply via email to