From ce06805d530f6cb1e65c711dd34d7de9e177b5ac Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 19 Oct 2019 22:45:37 +0200
Subject: update-nvd: Fetch NVD JSON feeds instead of XML feeds

As per October 16, 2019, NVD does not provide anymore the XML data
feeds which the security-tracker uses to fill in long description of a
CVE or determine the external severity.

In update-nvd target switch to fetch the json files from

	https://nvd.nist.gov/feeds/json/cve/1.1/$feedname

instead.

Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
---
 Makefile | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'Makefile')

diff --git a/Makefile b/Makefile
index 10e2c8ab2a..545a293228 100644
--- a/Makefile
+++ b/Makefile
@@ -112,14 +112,16 @@ update-lists:
 
 # Since October 16, 2015 the XML data feeds are no longer available for
 # download in an uncompressed format.
+# As per October 16, 2019, the XML data feeds were discontinued and NVD
+# only provides JSON feeds. Cf. https://bugs.debian.org/942670
 update-nvd:
 	mkdir -p data/nvd
 	for x in $$(seq 2002 $$(date +%Y)) ; do \
-	  name=nvdcve-$$x.xml.gz; \
-	  wget -q -Odata/nvd/$$name https://nvd.nist.gov/download/$$name || true; \
+	  name=nvdcve-1.1-$$x.json.gz; \
+	  wget -q -Odata/nvd/$$name https://nvd.nist.gov/feeds/json/cve/1.1/$$name || true; \
 	  gzip -f -d data/nvd/$$name || true; \
 	done
-	bin/update-nvd data/nvd/nvdcve-*.xml
+	bin/update-nvd data/nvd/nvdcve-*.json
 
 # Experimental code to compare the Debian and NVD CVE databases using
 # CPE values as common key.
-- 
cgit v1.2.3