You could play with https://github.com/toolswatch/vFeed or https://github.com/athiasjerome/XORCISM

2015-11-13 20:47 GMT+03:00 Shawn Wells <[email protected]>:
>
> On 11/12/15 11:58 PM, Jerome Athias wrote:
>>
>> For "master download" of NVD:
>>
>> https://nvd.nist.gov/download.aspx
>
> Nice - thanks!
>
> Looks like the CVE content is posted with mappings to vendor announcements
> (RHSA, Cisco SA), e.g.:
> http://pastebin.com/RkpdDFXb
>
> I believe you'll need to ping vendors for associated OVAL content.
>
>> 2015-11-13 1:15 GMT+03:00 Shawn Wells <[email protected]>:
>>>
>>> On 11/10/15 3:04 PM, Su Zhang wrote:
>>>>
>>>> Thanks for your response.
>>>> I looked into the doc and found the following description:
>>>>
>>>> "The oscap utility maps Red Hat Security Advisories to CVE identifiers
>>>> that are linked to the National Vulnerability Database and reports which
>>>> security advisories are not applied."
>>>>
>>>> However, do Red Hat security advisories capture all CVEs? Or do they
>>>> only capture their own product-related CVEs? If they do not have
>>>> comprehensive CVEs, then do you know how to incorporate the entire NVD
>>>> vulnerability data?
>>>
>>> Definitely a good question, and one we may not be documenting in the best
>>> way.
>>>
>>> The Red Hat CVE content reflects authoritative content for *Red Hat*
>>> technologies. For example, RHEL6 CVE data would include "core RHEL," but
>>> also packages that we ship/support, such as our release of Apache
>>> included in Enterprise Linux.
>>>
>>> For third party vendors (e.g. MongoDB, Websphere) you'd have to get
>>> CVE/OVAL data directly from them. I'm not aware of a "master download" of
>>> NVD, however they do point you to various vendor content:
>>> https://oval.mitre.org/repository/about/other_repositories.html
>>>
>>> CIS recently took over DHS' OVAL repository from MITRE, and it contains
>>> many CVE definitions for Unix/Linux/Windows/VMWare:
>>> https://oval.cisecurity.org/repository/download
>>>
>>> --
>>> Shawn Wells
>>> Office of the Chief Technologist
>>> U.S. Public Sector
>>> [email protected] | 443.534.0130
>>>
>>> --
>>> SCAP Security Guide mailing list
>>> [email protected]
>>> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>>> https://github.com/OpenSCAP/scap-security-guide/
