CVE Onboarding Timeline #371

Closed
theinfosecguy opened this issue May 7, 2023 · 1 comment

Comments

@theinfosecguy
Contributor

I'm working on implementing Google OSV & have a couple of questions regarding Google OSV:

  • How long does it take to onboard a CVE to the OSV vulnerability database?
  • Is the CVE data onboarded from NVD or other sources as well?
@andrewpollock
Contributor

Hello,

I think this is more of an osv.dev question than an OSV Scanner one, so I'll try and field it.

You've said "CVE" specifically, so I'm going to assume you're talking about CVEs and CVEs only (as opposed to OSV records we import from our current data sources).

Today, osv.dev doesn't import CVEs at all.

I'm working on a project to convert select CVEs from the NVD into OSV records (being tracked in google/osv.dev#783).

If you're wondering how CVEs wind up being referenced on OSV records, it's because the source record has the CVE specified as an alias.

More generally, the service level objectives we are targeting around things like import latency are documented at https://google.github.io/osv.dev/faq/#what-are-osvs-service-level-objectives-slos

I hope this answers your question adequately, if not, please reopen and clarify your question a little more for me.
