Release Version 9.7.1 with NVD API
Note:
Reinstalling or upgrading 9.7.1 will not include NVD API changes. A user must apply a patch to 9.7.1 to receive the NVD API changes.
The National Vulnerability Database (NVD) has retired all legacy data feeds and switched to an API-based feed to better serve increasing requests. As a result, Resolver redefined RiskVision to leverage the NVD APIs without causing data interruptions.
Users must request and activate an API key from the NVD site and embed the API key in the RiskVision NVD properties file. Please refer to the Requesting an NVD 2.0 API Key article for more information on requesting an NVD API Key.
Minor Version Upgrade Support To
- Apache from version 2.4.54 to 2.4.57
- Tomcat from version 8.5.85 to 8.5.88
Requesting an NVD API Key
The National Vulnerability Database (NVD) is implementing API keys for URL string data requests. Users must request an API key and add it to their URL request string to prevent service and request rate changes. For more information, please refer to the Requesting an NVD 2.0 API Key article.
NVD API Configuration with RiskVision v9.7.1
The National Vulnerability Database (NVD) has retired all legacy data feeds and switched to an API-based feed to better serve increasing requests. As a result, Resolver redefined RiskVision to leverage the NVD APIs without causing data interruptions. For more information, please refer to the Configure NVD API to import data into RiskVision article.
Properties
We have added the following properties to align with the NVD API support for better data rendering, and deprecated some inactive properties.
New Properties:
- You can request an API key at: https://nvd.nist.gov/developers/request-an-api-key
  nvd.api.key=
- URL stem for retrieving CVE information using 2.0 API
  nvd.cve.api2.endpoint=https://services.nvd.nist.gov/rest/json/cves/2.0
- URL stem for retrieving CPE information using 2.0 API
  nvd.cpe.api2.endpoint=https://services.nvd.nist.gov/rest/json/cpes/2.0
- URL stem for retrieving CPE match criteria information using 2.0 API
  nvd.cpematch.api2.endpoint=https://services.nvd.nist.gov/rest/json/cpematch/2.0
Deprecated Properties:
- Indicate if the connector should get a full download from the NVD CVE site (all files from 'fromYear' to 'toYear'). If the value is set to false, only download the modified file.
  loadOnStart=false
- NvdCveUrl=https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-[YEAR].json.zip
  NvdCpeUrl=https://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.zip
  NvdCpeMatchFeedURL=https://nvd.nist.gov/feeds/json/cpematch/1.0/nvdcpematch-1.0.json.zip
- Download cve files dated fromYear to toYear, default from 2002 to current year
  cve.fromYear=
  cve.toYear=
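A check for the properties listed above, as an added example (not Resolver's code): it parses a properties file and reports a missing API key, endpoints that are not HTTPS on the NVD host, and deprecated settings still present. The sample file content is constructed, and treating a non-HTTPS or non-NVD endpoint as a finding is this example's assumption.

```python
from urllib.parse import urlsplit

# Property names and endpoint values as listed in the 9.7.1 release notes.
REQUIRED = {
    "nvd.api.key": None,
    "nvd.cve.api2.endpoint": "https://services.nvd.nist.gov/rest/json/cves/2.0",
    "nvd.cpe.api2.endpoint": "https://services.nvd.nist.gov/rest/json/cpes/2.0",
    "nvd.cpematch.api2.endpoint": "https://services.nvd.nist.gov/rest/json/cpematch/2.0",
}
DEPRECATED = {"loadOnStart", "NvdCveUrl", "NvdCpeUrl", "NvdCpeMatchFeedURL",
              "cve.fromYear", "cve.toYear"}


def parse_properties(text):
    """Parse simple key=value lines; '#' and '!' start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit(text):
    """Return a sorted list of findings for an NVD properties file."""
    props = parse_properties(text)
    findings = []
    for name, default in REQUIRED.items():
        value = props.get(name, "")
        if not value:
            findings.append(f"missing: {name}")
        elif default:
            # Assumption of this example: the API key should only be sent over HTTPS to the NVD host.
            url = urlsplit(value)
            if url.scheme != "https" or url.hostname != urlsplit(default).hostname:
                findings.append(f"unexpected endpoint: {name}")
    findings += [f"deprecated: {k}" for k in props if k in DEPRECATED]
    return sorted(findings)


# Constructed sample: a pre-patch file with legacy settings and no API key.
SAMPLE = """\
nvd.api.key=
nvd.cve.api2.endpoint=http://services.nvd.nist.gov/rest/json/cves/2.0
nvd.cpe.api2.endpoint=https://services.nvd.nist.gov/rest/json/cpes/2.0
loadOnStart=false
cve.fromYear=2002
"""
```

Calling `audit()` on the contents of a properties file returns an empty list when all four new properties are set and none of the deprecated ones remain.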
Additional Information
- CVE Reference URL attribute mapping appears on the Vulnerability Identification tab, which will have a duplicate record.
- By default, loadOnStart is set to false, which retrieves the last 24 hours of data. If it is set to true, it retrieves all the data from beginning to end.
Version 9.7.1 Patch Notes
Internal Ticket ID | Description |
RRV-7490 | Support both CPE 2.2 and 2.3 data sources |