From a2805faacb63504b630edf97e410888808898c21 Mon Sep 17 00:00:00 2001 From: Josh Bressers Date: Tue, 19 Mar 2024 14:45:25 -0500 Subject: [PATCH 1/2] Fix some descriptions to be more accurate with the project goal Signed-off-by: Josh Bressers --- README.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index f5f2693c..2721b10c 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,8 @@ -# Grype DB NVD Overrides +# NVD Data Overrides -This repository is for filling the gap NVD has left in the Grype vulnerability dataset. On Feb 15, 2024 [NVD](https://nvd.nist.gov) stopped their regular process of enriching most CVE IDs with additional metadata. This data was used by Grype to match artifacts not covered by other ecosystems. +This repository is for filling the gap NVD has left in the public vulnerability dataset. On Feb 15, 2024 [NVD](https://nvd.nist.gov) stopped their regular process of enriching most CVE IDs with additional metadata. -This repo is meant to provide additional data that is currently missing from NVD, and ensure Grype can use that enrichment. +This repo is meant to provide additional data that is currently missing from NVD. Please note, this data does not provide severity information. By definition only NVD can supply NVD CVSS scores. 
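Review bot: the rewritten intro in this hunk says what the overrides are not (the retained note that "this data does not provide severity information. By definition only NVD can supply NVD CVSS scores") but no longer says what they are, since the sentence naming the use ("This data was used by Grype to match artifacts not covered by other ecosystems") is dropped from the opening paragraph. Suggest adding one positive sentence after "This repo is meant to provide additional data that is currently missing from NVD." stating what the override entries carry (the affected-product data needed for matching) so a reader arriving at the README knows what to expect before reaching the FAQ. Removing "Grype" from the title and first paragraph matches the stated goal of a project-neutral dataset.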
@@ -24,8 +24,11 @@ Regardless of the data format used, it can be expected that this override data w # FAQ +### Why are you doing this? + This data provided by NVD was used by Grype to match artifacts not covered by other ecosystems. We refer to this as the "matcher of last resort". As such, we need this data for a properly functioning Grype. Since we need this data, Grype is an open source project, and it would be beneficial to cooperate. Creating an open source project seemed like the best option. + ### What happens if NVD goes back to normal? -In the event NVD returns, or some other project takes over the current task of NVD, we expect to continue to maintain this project. Grype needs the ability to augment and enrich some of the vulnerability data. Not every vulnerability database supports every ecosystem. +In the event NVD returns, or some other project takes over the current task of NVD, we expect to continue to maintain this project. Not every vulnerability database supports every ecosystem, so being able to enrich vulnerability data makes sense. For example there could be vulnerability data about a binary they build, but if that binary is also downloaded from the project directly, that information may not be tracked anywhere else. From 2aae5206861d54c2544f5f57aac92821ddcf1419 Mon Sep 17 00:00:00 2001 From: Josh Bressers Date: Tue, 19 Mar 2024 15:17:48 -0500 Subject: [PATCH 2/2] Fix a typo about ecosystems Signed-off-by: Josh Bressers --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2721b10c..aef4ab81 100644 --- a/README.md +++ b/README.md 
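Review bot: in the new "Why are you doing this?" answer of PATCH 1/2, the sentence "Since we need this data, Grype is an open source project, and it would be beneficial to cooperate." does not parse as written; suggest "Since we need this data, and Grype is an open source project, it seemed beneficial to cooperate on it in the open." In the same paragraph "other ecosystems" is the wrong word (NVD is a data source rather than an ecosystem); PATCH 2/2 corrects it, and folding that fix into this commit would keep the FAQ correct at every revision. In the rewritten "What happens if NVD goes back to normal?" answer, "a binary they build" has no antecedent; suggest "a binary a project builds, where that binary is also downloaded from the project directly" so the example reads as intended.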
@@ -25,7 +25,7 @@ Regardless of the data format used, it can be expected that this override data w # FAQ ### Why are you doing this? - This data provided by NVD was used by Grype to match artifacts not covered by other ecosystems. We refer to this as the "matcher of last resort". As such, we need this data for a properly functioning Grype. Since we need this data, Grype is an open source project, and it would be beneficial to cooperate. Creating an open source project seemed like the best option. + This data provided by NVD was used by Grype to match artifacts not covered by other data sources. We refer to this as the "matcher of last resort". As such, we need this data for a properly functioning Grype. Since we need this data, Grype is an open source project, and it would be beneficial to cooperate. Creating an open source project seemed like the best option. ### What happens if NVD goes back to normal? In the event NVD returns, or some other project takes over the current task of NVD, we expect to continue to maintain this project. Not every vulnerability database supports every ecosystem, so being able to enrich vulnerability data makes sense.
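Review bot: the "ecosystems" to "data sources" change is the right fix, but the same changed line still carries the ungrammatical "Since we need this data, Grype is an open source project, and it would be beneficial to cooperate."; since this commit already rewrites that exact line, rewording it here (for example "Since we need this data and Grype is an open source project, cooperating in the open seemed like the best option.") would avoid a third pass over the FAQ. The unchanged context "the current task of NVD" would read more naturally as "the task NVD currently performs", but that line is outside this hunk's change.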