Provide the vulnerability information for cases in a machine-readable format

[madcatter24]

Request to provide the vulnerability information for cases in a machine-readable format. It would greatly facilitate the ingestion of these cases into an organization's existing internal vulnerability tracking tools. It's possible that this could be facilitated using an API.

[zmanion]

Consider CSAF/CVRF. VINCE can already produce CVE JSON. CVE JSON (and CVRF) may or may not be sufficient, and this issue may benefit from waiting for results from the CVD protocol work.

[sei-vsarvepalli]

Consider CSAF/CVRF. VINCE can already produce CVE JSON. CVE JSON (and CVRF) may or may not be sufficient, and this issue may benefit from waiting for results from the CVD protocol work.

We have a sample CVRF API written in purely mostly with current VINCE API and a client side JS. The code is available at
https://github.com/CERTCC/VINCE/blob/main/api_examples/

and the sample output for VU#257161 is here in the CERT demo site.

https://democert.org/vince/VU-257161-CVRF.html

[tschmidtb51]

VINCE now supports the CSAF.

[zmanion]

Possibly different things:

1. Completed case, vulnerability note written and published --> produce CSAF
2. In-progress, possibly under embargo case, vulnerability note not written, information not complete --> produce CSAF

Not sure if 2 is possible, depending on required fields/elements of CSAF. Maybe deliver an incomplete CSAF via VINCE API? Other VINCE API features support 2, just not in CSAF format.

[zmanion]

As noted in #24, VINCE does not formally support the specific vendor|product|version set of information needed to produce parts of valid CSAF.

Closing with the acknowledgement that VINCE does partially support CSAF and we're open to other machine-readable formats and integration.