Jerome, Thanks a lot for sharing. These tools are super helpful.
Su On Fri, Nov 13, 2015 at 9:59 AM, Jerome Athias <[email protected]> wrote: > You could play with > https://github.com/toolswatch/vFeed > or > https://github.com/athiasjerome/XORCISM > > 2015-11-13 20:47 GMT+03:00 Shawn Wells <[email protected]>: > > > > > > On 11/12/15 11:58 PM, Jerome Athias wrote: > >> > >> For "master download" of NVD: > >> > >> https://nvd.nist.gov/download.aspx > > > > > > Nice - thanks! > > > > Looks like the CVE content is posted with mappings to vendor > announcements > > (RHSA, Cisco SA). e.g.: > > http://pastebin.com/RkpdDFXb > > > > I believe you'll need to ping vendors for associated OVAL content. > > > > > > > >> 2015-11-13 1:15 GMT+03:00 Shawn Wells <[email protected]>: > >>> > >>> > >>> On 11/10/15 3:04 PM, Su Zhang wrote: > >>>> > >>>> Thanks for your response. > >>>> I looked into the doc and found the following description > >>>> > >>>> "The oscap utility maps Red Hat Security Advisories to CVE identifiers > >>>> that are linked to the National Vulnerability Database and reports > which > >>>> security advisories are not applied." > >>>> > >>>> However, does Red Hat security advisories capture all CVEs? Or it only > >>>> capture its own product related CVEs? If it does not have a > >>>> comprehensive > >>>> CVEs, then do you know how to incorporate the entire NVD vulnerability > >>>> data? > >>> > >>> > >>> Definitely a good question, and one we may not be documenting in the > best > >>> way. > >>> > >>> The Red Hat CVE content reflects authoritative content for *Red Hat* > >>> technologies. For example, RHEL6 CVE data would include "core RHEL," > but > >>> also packages that we ship/support, such as our release of Apache > >>> included > >>> in Enterprise Linux. > >>> > >>> For third party vendors (e.g. MongoDB, Websphere) you'd have to get > >>> CVE/OVAL > >>> data directly from them. I'm not aware of a "master download" of NVD, > >>> however they do point you to various vendor content: > >>> https://oval.mitre.org/repository/about/other_repositories.html > >>> > >>> CIS recently took over DHS' OVAL repository from MITRE, and it contains > >>> many > >>> CVE definitions for Unix/Linux/Windows/VMWare: > >>> https://oval.cisecurity.org/repository/download > >>> > >>> -- > >>> Shawn Wells > >>> Office of the Chief Technologist > >>> U.S. Public Sector > >>> [email protected] | 443.534.0130 > >>> > >>> > >>> -- > >>> SCAP Security Guide mailing list > >>> [email protected] > >>> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide > >>> https://github.com/OpenSCAP/scap-security-guide/ > > > > > > -- > > SCAP Security Guide mailing list > > [email protected] > > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide > > https://github.com/OpenSCAP/scap-security-guide/ > -- > SCAP Security Guide mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide > https://github.com/OpenSCAP/scap-security-guide/ > -- Su Zhang
-- SCAP Security Guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
