Advisory workflow: NVD CVE API v1 deprecation

Our advisory workflow relies on data provided by NVD. Initially we consumed the NVD JSON feeds and stored the data in https://gitlab.com/gitlab-org/secure/vulnerability-research/advisories/nvd-mirror-json-data.

For about a year we have been using the NVD API (v1) to collect advisory updates. The data it provides is backwards compatible with the JSON Schema for NVD Vulnerability Data Feed version 1.1, so we did not have to upgrade our whole advisory generation process. nvd-mirror-api is a small tool that collects updates through the API on an hourly basis and applies them to nvd-mirror-json-data.

However, as of Dec 15th the v1 endpoint is going to be deprecated, so we have to switch to the v2 endpoint. The data provided through this endpoint is no longer compatible with the JSON Schema for NVD Vulnerability Data Feed version 1.1 (documentation), so we have to adapt our advisory generation process. In addition, NVD recently announced the CVE 4.0 to 5.0 transition, which may also have an impact on the data format used by the v2 endpoint.

Suggested Steps:

  1. Create a new Git repository (similar to https://gitlab.com/gitlab-org/secure/vulnerability-research/advisories/nvd-mirror-json-data) that holds the data in the new format. We could probably mirror https://github.com/CVEProject/cvelistV5/tree/main directly.
  2. Change nvd-mirror-api to use the new v2 endpoint and to automatically submit updates to the new repository. cvelistV5 appears to have a good update cadence (hourly), so we may be able to skip this step entirely.
  3. Change the extract tool, i.e., the tool that extracts data from nvd-mirror-json-data, to be compatible with the new format, and configure it to use the new CVE advisory data repository.
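To get a feel for what step 3 involves, here is an added example (not code from nvd-mirror-api or the extract tool) that maps one cvelistV5 record in the CVE JSON 5.0 shape onto the subset of the 1.1 feed's CVE_Items layout the extract tool is assumed to read. The sample record is constructed, the CVE id in it is a placeholder, and the assumption is that only id, description, CWE, CVSS v3 and the two dates are consumed downstream; fields v5 does not carry (e.g. configurations/CPE matches) are deliberately left out.

```python
import json

# Constructed sample in the CVE JSON 5.0 shape used by cvelistV5; the id and
# all values are invented for illustration and are not a real advisory.
CVE5_SAMPLE = json.dumps({
    "dataType": "CVE_RECORD", "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-0000-00001", "state": "PUBLISHED",
                    "datePublished": "2023-11-01T10:00:00.000Z",
                    "dateUpdated": "2023-11-02T12:00:00.000Z"},
    "containers": {"cna": {
        "descriptions": [{"lang": "en", "value": "Constructed overflow in libexample."}],
        "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-120",
                                            "description": "Classic Buffer Overflow"}]}],
        "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH",
                                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}],
    }},
})


def cve5_to_nvd11_item(text: str) -> dict:
    """Parse one cvelistV5 file and map it onto the subset of the NVD 1.1
    CVE_Items shape assumed to be read by the extract tool. Fields v5 does not
    carry are omitted rather than guessed, so consumers must treat them as optional."""
    record = json.loads(text)
    if record.get("dataType") != "CVE_RECORD" or not str(record.get("dataVersion")).startswith("5."):
        raise ValueError("not a CVE JSON 5.x record")
    meta = record["cveMetadata"]
    cna = record.get("containers", {}).get("cna", {})
    cwes = [d["cweId"] for pt in cna.get("problemTypes", [])
            for d in pt.get("descriptions", []) if d.get("cweId")]
    item = {
        "cve": {
            "CVE_data_meta": {"ID": meta["cveId"]},
            "problemtype": {"problemtype_data": [{"description": [
                {"lang": "en", "value": c} for c in cwes]}]},
            "description": {"description_data": [
                {"lang": d.get("lang", "en"), "value": d["value"]}
                for d in cna.get("descriptions", [])]},
        },
        "impact": {},
        "publishedDate": meta.get("datePublished"),
        "lastModifiedDate": meta.get("dateUpdated"),
    }
    for m in cna.get("metrics", []):  # prefer CVSS v3.1, fall back to v3.0
        v3 = m.get("cvssV3_1") or m.get("cvssV3_0")
        if v3:
            item["impact"]["baseMetricV3"] = {"cvssV3": {
                k: v3[k] for k in ("version", "vectorString", "baseScore", "baseSeverity")}}
            break
    return item
```

Records in a REJECTED state or without any CNA metrics come through with an empty impact block, which the extract tool would need to tolerate if it previously assumed NVD had scored every entry.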