Also parse text and HTML OpenSSL feeds #1128

pombredanne · 2023-02-14T16:53:29Z

OpenSSL publishes an XML feed that we parse but this is not updated
https://www.openssl.org/news/vulnerabilities.html
and https://www.openssl.org/news/secadv/ should be alternative good sources.

keshav-space · 2023-02-15T13:48:25Z

OpenSSL also provides an updated JSON feed https://www.openssl.org/news/secjson

pombredanne · 2024-04-25T10:37:49Z

Structured data are gone: XML data is gone, secadv/ index is gone and secjson/ index is gone.
The security data comes from a private repository per https://github.com/openssl/web/blob/d3ec13fa40e74fad789462dee4323faa2c6d2991/Makefile#L526 but seems no longer published.
OpenSSL also has now "premium releases" that are built as explained there https://github.com/openssl/tools/blob/291a580209449f6aebf34e433f3b5f9afbd44c2b/HOWTO-publish-a-release.md

I filed openssl/web#483 upstream as this is problematic.
At the moment the ways to solve this issue would be:

Scrape the HTML page to get the list of known vulnerabilities OpenSSL ids and CVEs
Fetch the corresponding JSON for each CVE as is https://www.openssl.org/news/secjson/CVE-2002-0659.json
Alternatively parse the unstructured text as in https://www.openssl.org/news/secadv/20240115.txt

(note that the date used by OpenSSL as a vulnerability ID is different from the CVE id)

pombredanne · 2024-08-20T08:54:29Z

Just some status:

With all this, scraping the web page is likely the way out:

pombredanne added Data collection importer labels Feb 14, 2023

pombredanne mentioned this issue Apr 25, 2024

Add test to check that all URLs we use are alive #1467

Open

Provide feedback