openVuln API /advisories/<oval|cvrf>/all/ does not return all results

Hello,

openVuln API does not return all results. For example, the advisory "cisco-sa-20080326-pptp" is not present in both /advisories/oval/all and /advisories/cvrf/all results. Could you please help?

I looked into this a bit and experienced similar results. Playing around with other API calls, I noticed there are no advisories listed with severity "High" after 2010. Hopefully someone from PSIRT team can shed more light on this.

Hi,

OVAL definitions are supported for  high and critical Cisco IOS advisories that starting from 2010.

Regards,

Omar Santos

PSIRT

Hi Omar

forgive my ignorance but should - cisco-sa-20160916-ikev1 be found within the oval API. considering it's both created after 2010 and a high cisco vulnerability. Oval looks great, would be keen to use!!

HI Aidan,

We just published the OVAL definition for that vulnerability today. It is posted at the OVAL Repository

and should also be available via the API.

Thank you!

OMar

Hey Omar. Thanks for the reply.

Will vulnerabilities be posted on the oval repository immediately after they’re found in the future? Or is it better to go with the CVSR api, as that appears to be showing all vulnerabilities at the time of posting.

Thanks for your help.

Aidan

<http://www.vodafone.co.nz/>

Aidan Houlihan

Discover Graduate

Graduate Programme

Vodafone New Zealand Ltd.

Mobile: +64 27 391 2468

Email: aidan.houlihan@vodafone.com

Lambton House, 160 Lambton Quay, Wellington, New Zealand

vodafone.co.nz <http://www.vodafone.co.nz>

This message and any files or documents attached are confidential and may also be legally privileged, protected from disclosure and/or protected by other legal rules. It is intended only for the individual or entity named. If you are not the named addressee or you have received this email in error, please inform the sender immediately, delete it from your system and do not copy or disclose it or its contents or use it for any purpose. Thank you. Please also note that transmission cannot be guaranteed to be secure or error-free.

Hi Aidan,

There are a few differences on the benefits between an OVAL definition and CVRF files:

• CVRF files are indeed available for all published vulnerabilities at the moment of publication. They are automatically generated when an advisory is published.
• OVAL definitions are supported for IOS and IOS-XE high and critical vulnerabilities and they include affected versions and configuration checks. The OVAL standard is designed to do a full assessment of an impact of a vulnerability.
• CVRF files do not include configuration checks and complete coverage of all versions affected by a given vulnerability. CVRF was not originally designed as OVAL, it is basically just an XML representation of the advisory and it currently has some limitations for remediation assessment and product family. Just as an FYI, the CVRF standard will go over a major update very soon and it is being transitioned from ICASI to the OASIS (https://www.oasis-open.org/) standards body, as we speak. A new technical committee will be created within the next couple of months to enhance the standard and include better support for product and version enumeration. More details to come soon.

Hi Omar,

Thank you for your explanation.

Kind regards,

Andrei

Hi Omar,

I just checked, there's 1882 CVRF and 81 OVAL vulnerabilities available through openVuln API, totaling 1963 vulnerabilities which is even more than it can be found on the official web page Security Advisories and Alerts - 1948 vulnerabilities. Great progress! Thank you very much!