Collect SUSE

[haikoschol]

https://www.suse.com/support/security/cvrf/

[pombredanne]

Here are a few candidate CVRF libraries and pointers that may be of some help:

• @mprpic https://github.com/mprpic/advisory-parser (which has quite a few interesting formats beyond CVRF)
• @mschiffm https://github.com/mschiffm/cvrfparse
• https://github.com/oasis-open/csaf-parser
• https://github.com/sdrees/cvrf-util
• https://github.com/efrenfuentes/cvrfparse

And articles or specs:

• https://blogs.cisco.com/security/tools-of-the-trade-cvrfparse
• https://blogs.cisco.com/security/the-missing-manual-cvrf-1-1-part-1-of-2
• https://blogs.cisco.com/security/the-missing-manual-cvrf-1-1-part-2-of-2
• https://blogs.cisco.com/security/cvrf-1-2-2
• https://github.com/CVRF
• https://github.com/oasis-tcs/csaf
• https://github.com/oasis-open/csaf-documentation
• https://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/cs01/csaf-cvrf-v1.2-cs01.html

[pombredanne]

Also, not sure this is all up to date but we have https://support.novell.com/security/oval/suse.linux.enterprise.server.11.xml and https://support.novell.com/security/oval/suse.linux.enterprise.server.12.xml

[sbs2001]

This is the total data which I am able to get

Note_Notes :::: Title:Vulnerability Description|Type:General|Ordinal:1|{http://www.w3.org/XML/1998/namespace}lang:en|Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
ProductID :::: openSUSE Leap 42.3:ucode-intel-debuginfo-20170707-13.1
CVE_Vulnerability :::: CVE-2017-5715
Status_ProductStatuses :::: Type:Fixed
Threat_Threats :::: Type:Impact|Description:critical
BaseScore_ScoreSet :::: 4.7
Vector_ScoreSet :::: AV:L/AC:M/Au:N/C:C/I:N/A:N
Remediation_Remediations :::: Type:Vendor Fix|URL:http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00015.html
Description_Remediation :::: {http://www.w3.org/XML/1998/namespace}lang:en|Please Install the update.
URL_Reference :::: ['https://www.suse.com/security/cve/CVE-2017-5715.html', 'https://bugzilla.suse.com/1068032', 'https://bugzilla.suse.com/1074562', 'https://bugzilla.suse.com/1074578', 'https://bugzilla.suse.com/1074701', 'https://bugzilla.suse.com/1074919', 'https://bugzilla.suse.com/1075006', 'https://bugzilla.suse.com/1075007', 'https://bugzilla.suse.com/1075419']
Description_Reference :::: ['CVE-2017-5715', 'SUSE Bug 1068032', 'SUSE Bug 1074562', 'SUSE Bug 1074578', 'SUSE Bug 1074701', 'SUSE Bug 1074919', 'SUSE Bug 1075006', 'SUSE Bug 1075007', 'SUSE Bug 1075419']
FullProductName :::: ProductID:openSUSE Leap 42.3:ucode-intel-debuginfo-20170707-13.1|ucode-intel-debuginfo-20170707-13.1 as a component of openSUSE Leap 42.3
Relationship :::: ProductReference:ucode-intel-debuginfo-20170707-13.1|RelationType:Default Component Of|RelatesToProductReference:openSUSE Leap 42.3

Which is further filtered to get
{'title': 'Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.', 'platform': 'openSUSE Leap 42.3', 'cve_id': 'CVE-2017-5715', 'package': 'ucode-intel-debuginfo-20170707-13.1'}
Let me know if we can add more data to the above dict from the total data

[haikoschol]

@sbs2001 thanks! Adding the URLs in URL_Reference as VulnerabilityReference would be nice.

[sbs2001]

Just discovered http://ftp.suse.com/pub/projects/security/ , specifically http://ftp.suse.com/pub/projects/security/yaml/ is useful, we could populate our db with resolved packages(these yamls basically contains list of backports with fix to vulnerabilities). http://ftp.suse.com/pub/projects/security/oval/ is of limited value as I am not sure what difference will it make compared to using CVRF.

http://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml is also interesting considering we might want to collect severity indicators of a particular vulnerability from different sources.

Also @haikoschol SUSE folks provide Etags :) in their response headers.