• Missing CVEs in the json data

    From Adi Matalon@21:1/5 to All on Sun Dec 19 11:50:01 2021
    Hi,
    In the json data you are reporting: https://security-tracker.debian.org/tracker/data/json
    There are 28947 CVEs, and there are ~2800 which don't exist in the json:
    For example:
    For CVE-2021-2014 there is a page: https://security-tracker.debian.org/tracker/CVE-2021-2014 - with
    informative data
    But in the json the CVE doesn't exist.
    Another example is for a cve that became rejected: https://security-tracker.debian.org/tracker/CVE-2021-30631
    I wanted to know if it is by mistake and if there is a json which includes
    all cves.
    Furthermore, do you have an api that returns the information in json format
    for a specific cve?
    --
    Best Regards,



    *Adi Matalon*
    Software Developer

    www.WhiteSourceSoftware.com <https://www.whitesourcesoftware.com/>

    Ariel Sharon 4, HaShahar Tower 32 Floor

    Givatayim, Israel 5320047


    *WhiteSource <http://www.whitesourcesoftware.com/> empowers businesses
    to develop better software *
    *by harnessing the power of open source* <https://www.facebook.com/whitesource/>
    <https://twitter.com/WhiteSourceSoft> <https://www.linkedin.com/company/2440656/>


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Noah Meyerhans@21:1/5 to Adi Matalon on Tue Dec 21 06:30:01 2021
    On Sun, Dec 19, 2021 at 12:26:12PM +0200, Adi Matalon wrote:
    In the json data you are reporting:
    [1]https://security-tracker.debian.org/tracker/data/json
    There are 28947 CVEs, and there are ~2800 which don't exist in the json:
    For example:
    For CVE-2021-2014 there is a page:
    [2]https://security-tracker.debian.org/tracker/CVE-2021-2014 - with
    informative data
    But in the json the CVE doesn't exist.

    The web site lists (approximately) all CVEs, even those that don't apply
    to Debian. The JSON feed only lists CVEs that impact Debian in some
    form. In the case of CVE-2021-2014, Debian does not ship Mysql <=
    5.7.32 in any supported release, so it is not included in the JSON file.
    If anything, maybe the web listing for this CVE could more clearly
    indicate that Debian isn't impacted. But as it is, the lack of any
    impacted stable releases on the web view should give a good hint.

    Another example is for a cve that became rejected:
    [3]https://security-tracker.debian.org/tracker/CVE-2021-30631

    Similar to the previous one, since the CVE is rejected it cannot impact
    any shipped Debian versions, and thus doesn't appear in the JSON file.

    I wanted to know if it is by mistake and if there is a json which includes
    all cves.

    The JSON data for CVEs that actually impact Debian is already 29MB
    (minified). A full feed would be significantly larger.

    The downloads at https://cve.mitre.org/data/downloads/index.html might
    be useful to you.

    Furthermore, do you have an api that returns the information in json
    format for a specific cve?

    Not at this time. This may be worth a wishlist bug against security.debian.org. I could see how this could be a useful feature.

    noah

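    Since the feed is keyed by source package and only then by CVE id, answering "is this CVE in the feed, and for which packages and releases is it still open" takes a small inversion step. The script below is an added example, not code from the thread or from the Debian security tracker project: the per-release record layout it reads ("status", "repositories", "fixed_version", "urgency") is an assumption about the feed's format, and SAMPLE_FEED is constructed for the example, with made-up package names, CVE ids, versions and statuses.

```python
"""Index the Debian security tracker JSON feed by CVE id and look one up.

Added example; not code from the mailing-list thread or from the Debian
security tracker.  The feed at
https://security-tracker.debian.org/tracker/data/json is keyed by source
package, then by CVE id.  The per-release record layout used below is an
assumption about that feed's format, and SAMPLE_FEED is constructed:
its package names, CVE ids, versions and statuses are not real.
"""
import json
from collections import defaultdict

# Constructed stand-in for the downloaded feed (the real file would be
# read with json.loads as well, under the layout assumed above).
SAMPLE_FEED = json.dumps({
    "examplepkg": {
        "CVE-0000-0001": {
            "description": "constructed issue in examplepkg",
            "scope": "remote",
            "releases": {
                "bullseye": {"status": "open",
                             "repositories": {"bullseye": "1.0-1"},
                             "urgency": "medium"},
                "buster": {"status": "resolved",
                           "repositories": {"buster": "0.9-1+deb10u1"},
                           "fixed_version": "0.9-1+deb10u1",
                           "urgency": "medium"},
            },
        },
        "CVE-0000-0002": {
            "description": "constructed issue already fixed everywhere",
            "scope": "local",
            "releases": {
                "bullseye": {"status": "resolved",
                             "repositories": {"bullseye": "1.0-2"},
                             "fixed_version": "1.0-2",
                             "urgency": "low"},
            },
        },
    },
    "otherpkg": {
        "CVE-0000-0001": {
            "description": "same constructed CVE embedded in a second package",
            "scope": "remote",
            "releases": {
                "bullseye": {"status": "open",
                             "repositories": {"bullseye": "2.3-4"},
                             "urgency": "high"},
            },
        },
    },
})


def index_by_cve(feed_text):
    """Invert package -> CVE -> record into CVE -> [(package, record), ...]."""
    feed = json.loads(feed_text)
    index = defaultdict(list)
    for package, cves in feed.items():
        for cve_id, record in cves.items():
            index[cve_id].append((package, record))
    return dict(index)


def is_tracked(index, cve_id):
    """True if the feed records any Debian source package for this CVE.

    As the reply above explains, the feed only carries CVEs that affect
    Debian in some form, so a missing id is not a parsing error: the
    tracker simply has no Debian package for it (not applicable, or rejected).
    """
    return cve_id in index


def lookup(index, cve_id):
    """Per-package, per-release status rows for one CVE (empty if untracked)."""
    rows = []
    for package, record in index.get(cve_id, []):
        for release, info in sorted(record.get("releases", {}).items()):
            rows.append({
                "package": package,
                "release": release,
                "status": info.get("status"),
                "version": info.get("repositories", {}).get(release),
                "fixed_version": info.get("fixed_version"),
                "urgency": info.get("urgency"),
            })
    return rows


def open_packages(index, cve_id):
    """Source packages that still have an unfixed ('open') release for the CVE."""
    return sorted({row["package"] for row in lookup(index, cve_id)
                   if row["status"] == "open"})


if __name__ == "__main__":
    idx = index_by_cve(SAMPLE_FEED)
    for cve in ("CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"):
        print(cve, "tracked" if is_tracked(idx, cve) else "not in feed",
              open_packages(idx, cve))
```

    Building the inverted index once and then querying it locally is the practical substitute for the per-CVE API asked about in the thread; the 29MB feed only needs to be fetched and parsed once per run.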
  • From Adi Matalon@21:1/5 to All on Wed Jan 19 11:10:02 2022


    Thank you for your answer!
    I still have another two questions:

    For CVE-2021-43818 there is a page with information about the vulnerable package, lxml.
    It is written that the package is vulnerable and there is no fix.
    This is the download link for one of the vulnerable versions: http://security-cdn.debian.org/pool/main/l/lxml/python-lxml_3.7.1-1+deb9u3_arm64.deb
    So why doesn't this cve exist in the json file?

    Another example is CVE-2021-2166.
    It is written that the package is vulnerable and there is no fix.
    This is the download link for one of the vulnerable versions: http://security-cdn.debian.org/pool/main/m/mariadb-10.3/mariadb-server-10.3_10.3.25-0+deb10u1_i386.deb
    mysql-8.0 is vulnerable and no fix exists, and still the cve doesn't exist in the json file.


    On 27 Dec 2021, at 14:00, Adi Matalon <adi.matalon@whitesourcesoftware.com> wrote:

    Thank you for your answer!
    I still have another two questions:

    For CVE-2021-43818 there is a page with information about the vulnerable package, lxml.
    It is written that the package is vulnerable and there is no fix.
    This is the download link for one of the vulnerable versions: http://security-cdn.debian.org/pool/main/l/lxml/python-lxml_3.7.1-1+deb9u3_arm64.deb
    So why doesn't this cve exist in the json file?

    Another example is CVE-2021-2166.
    It is written that the package is vulnerable and there is no fix.
    This is the download link for one of the vulnerable versions: http://security-cdn.debian.org/pool/main/m/mariadb-10.3/mariadb-server-10.3_10.3.25-0+deb10u1_i386.deb
    mysql-8.0 is vulnerable and no fix exists, and still the cve doesn't exist in the json file.
