As I announced in the previous newsletter, we have undertaken several works to make the database as complete as possible however the universes decided otherwise.
So the whole team was focused to enhance our CPEs platform structure in such way to align with the newest NVD configuration. This took a little time to review the database schema, update our engine to reflect the changes and do all the tests.
Hopefully by the end of this month, we will submit another update with several new datasources additions.
Improving the Vulnerability Targets Classification
NVD has modified its structure to report targets and affected CPEs . As an improvement, we have extended our database to support this concept : “configuration“. Several keys were added to “Classification->Targets” to make the CPE reporting more precise (version_affected, from / to, running_on)
The following sample from CVE-2017-3112 shows the multiple configurations and valid combinations and their parameters.
As you can see, “Targets” reports 4 configurations.
Example : Configuration 4 is valid whenever the following conditions are satisfied : Adobe flash player version up to 126.96.36.199 running on Windows 10 or Windows 8.1
Python API Update (new version 0.9.9)
Support to Conditional CPE configurations concept
The vFeed python API has been updated to support the modification of the CPE schema concept.
Data JSON schema added
Schema that describes the structure of vFeed JSON data has been added. It could be used for validation purposes or to understand the vFeed vulnerability data JSON design.
Here is a detailed changelog of the latest vFeed python API version 0.9.9