For "master download" of NVD: https://nvd.nist.gov/download.aspx
2015-11-13 1:15 GMT+03:00 Shawn Wells <[email protected]>: > > > On 11/10/15 3:04 PM, Su Zhang wrote: >> >> Thanks for your response. >> I looked into the doc and found the following description >> >> "The oscap utility maps Red Hat Security Advisories to CVE identifiers >> that are linked to the National Vulnerability Database and reports which >> security advisories are not applied." >> >> However, does Red Hat security advisories capture all CVEs? Or it only >> capture its own product related CVEs? If it does not have a comprehensive >> CVEs, then do you know how to incorporate the entire NVD vulnerability data? > > > Definitely a good question, and one we may not be documenting in the best > way. > > The Red Hat CVE content reflects authoritative content for *Red Hat* > technologies. For example, RHEL6 CVE data would include "core RHEL," but > also packages that we ship/support, such as our release of Apache included > in Enterprise Linux. > > For third party vendors (e.g. MongoDB, Websphere) you'd have to get CVE/OVAL > data directly from them. I'm not aware of a "master download" of NVD, > however they do point you to various vendor content: > https://oval.mitre.org/repository/about/other_repositories.html > > CIS recently took over DHS' OVAL repository from MITRE, and it contains many > CVE definitions for Unix/Linux/Windows/VMWare: > https://oval.cisecurity.org/repository/download > > -- > Shawn Wells > Office of the Chief Technologist > U.S. Public Sector > [email protected] | 443.534.0130 > > > -- > SCAP Security Guide mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide > https://github.com/OpenSCAP/scap-security-guide/ -- SCAP Security Guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
