Support for NIST 2.0 data feeds

[andham]

Is your feature request related to a problem? Please describe.
The current usage of NIST 2.0 APIs causes issues in some corporate environments, such as air-gapped.

Describe the solution you'd like
Using the NIST data feed is much easier to handle in such an environment as creating an mirror of the feeds is easier than "api-mirror". NIST has recently announced (see https://www.nist.gov/itl/nvd) that they will support 2.0 data feeds in parallell with the 2.0 APIs.
So the possibility to use the new 2.0 data feeds instead of the 2.0 APIs would we great!

Describe alternatives you've considered
An alternative solution could be to set up an internal centralized vuln database which we create from the data feeds, and have dep-check use that database. However, that would require centralized management instead of just creating a self-contained container image.

Additional context
n/a

[aikebah]

plan to support, but it all needs to be built first by NVD. Following that it should be fairly easy to implement and support those alongside the current support of the 2.0 API I expect, but for the time being there is nothing we can do.

[andham]

The new 2.0 data feeds are now available. See https://www.nist.gov/itl/nvd
The old 1.1 data feeds will be removed on Aug 20.

[jeremylong]

I love requests like this. So easy to implement. Current release of ODC (with zero updates):

$ ./dependency-check.sh --updateonly    --nvdDatafeed https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-\{0\}.json.gz    
[INFO] Checking for updates
[INFO] NVD API Cache requires several updates; this could take a couple of minutes.
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2012.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2011.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2010.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2009.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2008.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2007.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2006.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2005.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2004.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2003.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2025.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2002.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2024.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2023.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2022.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2021.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2020.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2019.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2018.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2017.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2016.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2015.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2014.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2013.json.gz
[INFO] Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-modified.json.gz
[INFO] Begin database maintenance

Now the question - do we make this the default again and stop using the API? @aikebah any opinion on this?

[jeremylong]

In some ways, I think we should support both by default. Initial load should be from the datafeed and updates should be from the API.

[aikebah]

@jeremylong Agree with your remark to support both API and feeds, with initial loads (and large-period delta's) using datafeeds to run the update, but short-period updates using the API. Feels like the sanest approach for 'load-on-NVD-server' optimisation perspective.

Might be good to check with your NVD contacts whether there's a resource-extensive way to establish 'total updated records count since timestamp x' and use that to decide between updating using API (for a few pages) or datafeed (if the delta is a significant portion compared to known CVE count).

For initial load it seems to me that datafeed based update is always least resource-intensive for NVD servers.

[jeremylong]

To determine which route to go - on the update we could just make a single call to the API and if it indicates a largish amount, revert to the feed.

[philippe-granet]

https://www.nist.gov/itl/nvd

July 24, 2025: NVD Technical Update

Legacy Data Feed Reminder

The following unsupported legacy data feed files will remain available in parallel of the updated 2.0 data feed files until August 20th, 2025 as a courtesy. After that time, the legacy data feed files will be removed from the data feeds page and will no longer be accessible. 

The 1.1 Vulnerability Feeds
The 1.0 CPE Match Feed
The Official CPE 2.3 Dictionary .zip and .gz

The old 1.1 data feeds will be removed on Aug 20 (in 12 days).
Same issue as DependencyTrack/dependency-track#4742 ?

[jeremylong]

DC already supports the datafeeds. I've left this ticket open as I'm considering moving the initial update to use the datafeed instead of the API.