On Sun, Dec 19, 2021 at 12:26:12PM +0200, Adi Matalon wrote:
> In the json data you are reporting:
> https://security-tracker.debian.org/tracker/data/json
> There are 28947 CVEs, and there are 2800~ which don't exist in the json:
> For example:
> For CVE-2021-2014 there exists a page:
> https://security-tracker.debian.org/tracker/CVE-2021-2014 - with
> informative data
> But in the json the CVE doesn't exist.

The web site lists (approximately) all CVEs, even those that don't apply
to Debian. The JSON feed only lists CVEs that impact Debian in some form.
In the case of CVE-2021-2014, Debian does not ship MySQL <= 5.7.32 in any
supported release, so it is not included in the JSON file.

If anything, maybe the web listing for this CVE could more clearly
indicate that Debian isn't impacted. But as it is, the lack of any
impacted stable releases on the web view should give a good hint.

> Another example is for a CVE that became rejected:
> https://security-tracker.debian.org/tracker/CVE-2021-30631

Similar to the previous one, since the CVE is rejected it cannot impact
any shipped Debian versions, and thus doesn't appear in the JSON file.

> I wanted to know if it is by mistake and if there is a json which includes
> all CVEs.

The JSON data for CVEs that actually impact Debian is already 29MB
(minified). A full feed would be significantly larger. The downloads at
https://cve.mitre.org/data/downloads/index.html might be useful to you.

> Furthermore, do you have an api that returns the information in json
> format for a specific cve?

Not at this time. This may be worth a wishlist bug against
security.debian.org. I could see how this could be a useful feature.

noah
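
Added example, not part of the original message or the tracker's own code: since there is no per-CVE API, a consumer can invert a downloaded copy of the JSON feed into a CVE-keyed index and treat a missing entry as "not listed as impacting Debian" rather than as "fixed". It assumes the feed is laid out as package -> CVE -> "releases" -> release -> "status"; the package names, CVE IDs and versions in the sample are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample in the assumed feed layout: package -> CVE -> releases.
# Package names and CVE IDs are placeholders, not real tracker data.
SAMPLE_FEED = {
    "examplepkg": {
        "CVE-0000-0001": {"releases": {
            "bullseye": {"status": "open"},
            "bookworm": {"status": "resolved", "fixed_version": "1.2-3"},
        }},
    },
    "otherpkg": {
        "CVE-0000-0001": {"releases": {
            "bullseye": {"status": "resolved", "fixed_version": "4.5-1"},
        }},
        "CVE-0000-0002": {"releases": {"bullseye": {"status": "undetermined"}}},
    },
}

def index_by_cve(feed):
    """Invert package -> CVE into CVE -> {package: {release: status}}."""
    index = defaultdict(dict)
    for package, cves in feed.items():
        for cve_id, details in cves.items():
            releases = details.get("releases", {})
            index[cve_id][package] = {
                rel: info.get("status", "unknown") for rel, info in releases.items()
            }
    return dict(index)

def lookup(index, cve_id):
    """Per-package status for one CVE, or None when the feed has no entry.

    None means the feed does not list the CVE as impacting Debian (not
    applicable, rejected, or an unknown ID); it does not mean "fixed".
    """
    return index.get(cve_id)

def open_in(index, release):
    """CVE IDs with at least one package still open in the given release."""
    return sorted(
        cve for cve, pkgs in index.items()
        if any(statuses.get(release) == "open" for statuses in pkgs.values())
    )
```

For real data, pass the result of `json.load()` on a saved copy of the feed to `index_by_cve()` in place of `SAMPLE_FEED`.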