5f193bdd01
* Initial commit
* Improved descriptions on output schema
* Fixed indents
* Updated icon color
* Update readme.md
make it clearer about using the hostname parameter
* Update readme.md
* Updated readme
* Updated definition as per PR feedback #1045
* Updated readme
Added disclaimer that this is Jira cloud only, not on-premises
* Improved descriptions
* Added measure endpoints
* Measures endpoints
* All API's done
Refinement stage
* formatted json
* Added readme and fixed summary titles
* formatted readme
* formatted readme
* Initial PR commit
* Update props
* Formatting fixes
* Fix for empty schema for flat file endpoint
* Initial build
* Initial build
* Readme and function name fix
* Data type fix
* Fixed Readme as per feedback
https://github.com/microsoft/PowerPlatformConnectors/pull/1525#discussion_r846597487
* Updated readme
as per feedback https://github.com/microsoft/PowerPlatformConnectors/pull/1526#pullrequestreview-935532637
* fixed spelling errors
* grammar fixes
* Reserving this API
* Initial commit
* Ready for eval and tested
* Update readme.md
* Fixed schema data type issue with water
* Revert "Fixed schema data type issue with water"
This reverts commit
NIST National Vulnerability Database
The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics. This product uses the NVD API but is not endorsed or certified by the NVD.
Publisher: Paul Culmsee
Obtaining Credentials
NIST NVD uses API keys to allow access to the API. You can get an API key here.
- On the API key requests page, enter data into the three fields on the requests form.
- Scroll to the bottom of the Terms of Use, and then click the check box marked "I agree to the Terms of Use."
- Check the inbox of the email address provided in the steps above for an email from nvd-noreply@nist.gov.
- Activate and view the API Key by opening the single-use hyperlink. Store the API Key in a secure location as the page will no longer be available after it is closed. If your key isn't activated within seven days, a request for a new API Key must be submitted.
Supported Operations
Retrieve a collection of CVE
Get a collection of CVE. The Common Vulnerabilities and Exposures (CVE) program is a dictionary or glossary of vulnerabilities identified for specific code bases, such as software applications or open libraries.
Retrieve CPE information
Get a collection of CPE. The Official CPE Dictionary is a searchable repository of hardware and software products maintained by the National Vulnerability Database (NVD).
API Documentation
https://nvd.nist.gov/developers
Known Issues and Limitations
- When filtering by date, note the format. As you are unlikely to need to filter based on time, I suggest you specify 000 for sub-seconds and use hh:mm for the UTC offset. For example, in Power Automate flows, this expression correctly specifies a date with no UTC offset: formatDateTime(utcNow(), 'yyyy-MM-ddTHH:mm:ss:000 UTC+00:00')
- There are a large number of vulnerabilities, stored in a highly granular way. You will need to filter your results and learn the schema to apply filters. For example, filtering by CPE match string or CVE match string is documented here: http://cpe.mitre.org/specification/index.html
- Each API key is associated with a single email address. If an email address is used to request an additional API key, clicking the single-use hyperlink will invalidate the key previously associated with that email address. The previous key will not be invalidated if the email address is used to request another key but the link is not opened. There is no process for retrieving a forgotten key.
- The rate limit with an API key is 100 requests in a rolling 60 second window.
- The best practice for making requests within the rate limit is to use the modified date parameters. No more than once every two hours, automated requests should include a range where modStartDate equals the time of the last CVE or CPE received and modEndDate equals the current time. Enterprise-scale development should enforce this approach through a single requestor to ensure all users are in sync and have the latest CVE and CPE information. It is also recommended that users "sleep" their scripts for six seconds between requests.
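The date format, the two-hour sync interval, the six-second sleep and the rolling rate limit described above, sketched in Python as an added example (not part of this connector or of NIST's code). The function and class names are hypothetical; only modStartDate and modEndDate come from this page.

```python
from collections import deque
from datetime import timedelta, timezone
from urllib.parse import quote, urlencode

MIN_SYNC_INTERVAL = timedelta(hours=2)  # "no more than once every two hours"


def nvd_timestamp(dt):
    """Format as yyyy-MM-ddTHH:mm:ss:000 UTC+00:00 (sub-seconds fixed at 000)."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: attach a timezone before formatting")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S:000 UTC+00:00")


def sync_query(last_received, last_run, now):
    """Query string for an incremental sync, or None if the last run was < 2 h ago."""
    if last_run is not None and now - last_run < MIN_SYNC_INTERVAL:
        return None
    params = {"modStartDate": nvd_timestamp(last_received),
              "modEndDate": nvd_timestamp(now)}
    # quote_via=quote encodes ' ' as %20 and '+' as %2B. A raw '+' in the UTC
    # offset would be decoded as a space on the receiving side.
    return urlencode(params, quote_via=quote)


class Throttle:
    """Tracks send times; delay() says how long to wait before the next request."""

    def __init__(self, spacing=6.0, limit=100, window=60.0):
        self.spacing, self.limit, self.window = spacing, limit, window
        self.sent = deque()  # send times still inside the rolling window

    def delay(self, now):
        """Seconds to wait at clock value `now` (e.g. time.monotonic())."""
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()
        wait = 0.0
        if self.sent:  # fixed sleep between consecutive requests
            wait = max(wait, self.sent[-1] + self.spacing - now)
        if len(self.sent) >= self.limit:  # rolling-window cap reached
            wait = max(wait, self.sent[0] + self.window - now)
        return wait

    def record(self, now):
        self.sent.append(now)
```

Before each request, call delay() with the current clock value, sleep for the returned number of seconds, send, then call record() with the send time.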
paconn create --api-def apiDefinition.swagger.json --api-prop apiProperties.json