Vulnerability Data

  • 1.  What data format do you use for sharing vulnerability data?

    Posted Nov 18, 2024 09:19:00 AM

    I'm looking at OpenVEX and the NVD CVE API formats. Are there other formats to consider, and what are the pros and cons of each?



    ------------------------------
    John Wang
    VP Product Management
    Saviynt
    ------------------------------


  • 2.  RE: What data format do you use for sharing vulnerability data?

    Posted Nov 18, 2024 12:18:00 PM

    We are generally using the OSV format; the CVE format is too limiting. Although some of the problems have been fixed in CVE v5, it's not really a good fit for us. Long term we may end up using STIX or some SBOM format, depending on exactly what we're doing.



    ------------------------------
    Kurt Seifried
    Chief Blockchain Officer and Director of Special Projects
    Cloud Security Alliance
    ------------------------------



  • 3.  RE: What data format do you use for sharing vulnerability data?

    Posted Nov 18, 2024 05:17:00 PM

    Thanks for the feedback, Kurt. It's good to know. I'm also looking at OSV and SPDX. One thing I'm considering is using OSV with extended attributes for the individual CVSS attribute fields that the NVD CVE API schema has.



    ------------------------------
    John Wang
    VP Product Management
    Saviynt
    ------------------------------
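
The approach raised in post 3, as an added example that is not part of the thread or any poster's code: an OSV record keeps the CVSS vector string in `severity[].score`, and the per-metric fields named as in the NVD CVE API `cvssData` object are derived from it and stored under OSV's `database_specific` extension object. The `cvss_v3` key, the function names and the sample record are assumptions made for illustration.

```python
import json

# CVSS v3.x base-metric abbreviations -> (NVD cvssData field name, value map).
LEVEL = {"N": "NONE", "L": "LOW", "H": "HIGH"}
CVSS3_METRICS = {
    "AV": ("attackVector", {"N": "NETWORK", "A": "ADJACENT_NETWORK", "L": "LOCAL", "P": "PHYSICAL"}),
    "AC": ("attackComplexity", {"L": "LOW", "H": "HIGH"}),
    "PR": ("privilegesRequired", LEVEL),
    "UI": ("userInteraction", {"N": "NONE", "R": "REQUIRED"}),
    "S": ("scope", {"U": "UNCHANGED", "C": "CHANGED"}),
    "C": ("confidentialityImpact", LEVEL),
    "I": ("integrityImpact", LEVEL),
    "A": ("availabilityImpact", LEVEL),
}

def expand_cvss3(vector):
    """Split a CVSS v3.x vector string into NVD-style named fields."""
    prefix, _, rest = vector.partition("/")
    if not prefix.startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    fields = {"version": prefix.split(":", 1)[1], "vectorString": vector}
    for part in rest.split("/"):
        key, _, val = part.partition(":")
        if key not in CVSS3_METRICS:
            continue  # temporal/environmental metrics are not expanded here
        name, allowed = CVSS3_METRICS[key]
        if val not in allowed:
            raise ValueError(f"bad value {val!r} for metric {key}")
        fields[name] = allowed[val]
    if len(fields) != 2 + len(CVSS3_METRICS):
        raise ValueError("vector lacks one or more base metrics")
    return fields

def extend_osv(record):
    """Return a copy of an OSV record with expanded CVSS under database_specific."""
    out = json.loads(json.dumps(record))  # deep copy; input stays untouched
    expanded = [expand_cvss3(s["score"]) for s in out.get("severity", [])
                if s.get("type") == "CVSS_V3"]
    if expanded:
        # "cvss_v3" is a key chosen for this example, not defined by OSV.
        out.setdefault("database_specific", {})["cvss_v3"] = expanded
    return out

# Constructed sample record (placeholder id, not a real advisory).
SAMPLE = {
    "id": "EXAMPLE-2024-0001", "modified": "2024-11-18T00:00:00Z",
    "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"}],
}

if __name__ == "__main__":
    print(json.dumps(extend_osv(SAMPLE), indent=2))
```

Because the vector string stays in `severity`, consumers that only understand plain OSV still read the record, and the expanded fields can be regenerated or validated against the vector at any time.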