blob: 19f025e2c7ed2646d24b4b562b6ac042f6b548bd [file] [view]
<!-- SPDX-License-Identifier: Apache-2.0
https://www.apache.org/licenses/LICENSE-2.0 -->
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
**Table of Contents** *generated with [DocToc](https://github.com/thlorenz/doctoc)*
- [Tool: cve.org](#tool-cveorg)
- [What this tool provides](#what-this-tool-provides)
- [URLs](#urls)
- [Publication state check — `check-published`](#publication-state-check--check-published)
- [Confidentiality](#confidentiality)
- [When to replace this tool with another](#when-to-replace-this-tool-with-another)
- [Per-project configuration](#per-project-configuration)
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
<!-- SPDX-License-Identifier: Apache-2.0
https://www.apache.org/licenses/LICENSE-2.0 -->
# Tool: cve.org
This directory documents the **cve.org** tool adapter — the public
CVE registry every CNA tool ultimately publishes records to. Unlike
[`tools/cve-tool-vulnogram/`](../cve-tool-vulnogram/) (the CNA-side tool where the
security team drafts and reviews the record), `cve.org` is
**read-only** from the skills' perspective: we query it to confirm
that a record has propagated from the CNA tool to the public
registry.
Use the [MITRE CVE Services API v2](https://cveawg.mitre.org/api-docs/)
for programmatic checks and the public `cve.org` UI for human-
readable lookup.
## What this tool provides
One capability: **publication state check**. Given a `CVE-ID`,
answer *"is this record live on cve.org yet?"*. Used by
`security-issue-sync` to drive the *"notify the reporter that the
CVE is published"* proposal (see the
[*"Check recently-closed trackers for CVE publication state"*
section](../../skills/security-issue-sync/SKILL.md)
in the sync skill).
## URLs
| Purpose | URL |
|---|---|
| Public HTML record | `https://www.cve.org/CVERecord?id=<CVE-ID>` |
| CVE Services JSON API v2 | `https://cveawg.mitre.org/api/cve/<CVE-ID>` |
| NVD record (alternative public registry — often a few days behind cve.org) | `https://nvd.nist.gov/vuln/detail/<CVE-ID>` |
| NVD JSON API | `https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=<CVE-ID>` |
## Publication state check — `check-published`
The canonical state field on the CVE Services API is
`cveMetadata.state`, with three relevant values:
| `state` | Meaning |
|---|---|
| `RESERVED` | CVE ID has been allocated but no content has been published. The API returns a minimal record (metadata only). |
| `PUBLISHED` | Full CVE record is live on cve.org. The API returns the full CNA container (descriptions, affected, references, credits). |
| `REJECTED` | CVE was withdrawn after allocation. The API returns a record with `containers.cna.rejectedReasons`. |
Recipe:
```bash
# Read-only, no auth required. Returns JSON.
curl -sSf https://cveawg.mitre.org/api/cve/<CVE-ID> \
| jq -r '.cveMetadata.state'
```
Interpretation:
- `RESERVED` → the record is still in the CNA's draft / review
queue. The propagation from the CNA tool (for ASF projects,
Vulnogram) to cve.org has not completed yet. Check again on the
next sync run.
- `PUBLISHED` → the record is live on cve.org. This is the signal
the sync skill waits for before proposing the final
*CVE-published* email to the reporter.
- `REJECTED` → something went wrong post-publication. Surface to the
security team; do not notify the reporter on the happy path.
- Non-zero exit from `curl` (404, 5xx, DNS failure) → treat as
*"unknown — try again next sync"*. Do not propose notification
on an absent response; cve.org sometimes returns transient 5xx
during CNA-feed propagation.
Extract the `datePublished` alongside the state when you need to
print *"published on YYYY-MM-DD"* in the reporter email:
```bash
curl -sSf https://cveawg.mitre.org/api/cve/<CVE-ID> \
| jq -r '{state: .cveMetadata.state, datePublished: .cveMetadata.datePublished}'
```
## Confidentiality
`cve.org` is the **public** CVE registry — everything it returns is
world-readable. No confidentiality concerns; the API has no auth and
no rate-limit the skills bump into at normal cadence (a handful of
closed trackers per sync sweep).
The *"Linking CVEs"* rule in [`../../AGENTS.md`](../../AGENTS.md)
applies: before the CVE record is live on cve.org, skills link only
to the project's CVE-tool URL (team-internal); once `cveMetadata.state`
returns `PUBLISHED`, the public `cve.org/CVERecord?id=<CVE-ID>` link
becomes the canonical one for reporter emails and any public
surface.
## When to replace this tool with another
Unlikely — cve.org is the single public CVE registry every CNA
feeds. If a project decides to track NVD publication separately
(NVD assigns a severity after cve.org publication, which can take
additional days), add NVD-specific recipes to this file rather than
creating a sibling adapter; NVD is a consumer of cve.org data, not
a parallel registry.
## Per-project configuration
None required. The URL templates above apply to every CVE ID
regardless of which CNA owns it. The skills substitute the concrete
`<CVE-ID>` per tracker at read time.