
OpenCVE v2 - Breaking Changes

As explained in the previous blog post, the new OpenCVE v2 release is planned for the end of July.

Even though we worked hard to migrate the data from v1 to v2 as well as we could, this new release is a complete refactoring of the technical stack, so some breaking changes are expected.

This blog post is dedicated to OpenCVE v1 users and presents the changes they can expect.

Users Profile

If you use the SaaS version of OpenCVE, your account will be migrated automatically. You will also keep your tags and your list of subscriptions (vendors and products).

OpenCVE v2 provides the Organizations & Projects Management feature that allows you to manage your subscriptions and notifications per project. As these objects don’t exist in v1, we’ll automatically create a default organization and a default project for you, into which your subscriptions will be moved. Your notification settings (including the types of events, the minimum CVSS score, …) will also be migrated into a new email notification.

For those who run OpenCVE in their own on-premise installation, this user migration can be done with the import_from_v1 Django command.

Reports & Changes

In OpenCVE v1 each batch of changes creates a new report for the user. The database model is quite complicated and includes multiple models such as Task, Event, Change and Report. As a result, it’s currently possible to receive several reports per day when a CVE is updated multiple times.

This will not be possible in OpenCVE v2, as the report feature displays the changes to your subscriptions on a daily basis. A report is associated with a project, so each project will have its own daily reports. For instance, the project Acme, which includes the subscriptions Linux and Cisco, will have daily reports if changes are made on these vendors.

Because of this new format and the resulting changes in the data model, it was very complicated, if not impossible, to migrate the report objects from v1 to v2. So when the migration is done on opencve.io, the current reports will be lost.

CVE History

OpenCVE v1 relies only on the NVD database, so the view named History on a CVE detail page only displays the changes made by the NVD.

In addition to the NVD, the new version of OpenCVE uses other CVE providers such as MITRE, Red Hat or CISA’s Vulnrichment repo. An algorithm aggregates this data in OpenCVE (for instance, if the CNA gives a CVSS score we choose it, then we check whether Vulnrichment provides it, and so on with the other CVE providers).

For this reason, the History view of each CVE will now display the changes of the aggregated data, and not only those of the NVD. So the data you see today in the History view of OpenCVE v1 will no longer be visible in OpenCVE v2.

However, please note that we already plan to fetch the history of each CVE provider and display it in the CVE detail pages, so this NVD history will be available again in a future version.
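
The aggregation and the aggregated History described in this section, as an added Python example (not OpenCVE's own code). The provider keys, the field names, the provider order after Vulnrichment and the snapshots are assumptions constructed for illustration.

```python
# Added illustration, not OpenCVE's code. Provider keys and the order after
# "vulnrichment" are assumptions; the snapshots below are constructed.
PRIORITY = ["cna", "vulnrichment", "nvd", "redhat"]
FIELDS = ["cvss", "title"]


def aggregate(records):
    """Take each field from the highest-priority provider that supplies it."""
    merged = {}
    for field in FIELDS:
        for provider in PRIORITY:
            value = records.get(provider, {}).get(field)
            if value is not None:
                merged[field] = {"value": value, "source": provider}
                break
    return merged


def history(snapshots):
    """Diff successive aggregated views into (date, field, old, new) tuples."""
    changes, previous = [], {}
    for date, records in snapshots:
        current = aggregate(records)
        for field in FIELDS:
            old = previous.get(field, {}).get("value")
            new = current.get(field, {}).get("value")
            if old != new:
                changes.append((date, field, old, new))
        previous = current
    return changes


# Constructed per-provider snapshots of a single CVE over three days.
SNAPSHOTS = [
    ("2024-07-01", {"nvd": {"cvss": 7.5}}),
    ("2024-07-02", {"nvd": {"cvss": 7.5}, "cna": {"cvss": 9.8}}),
    ("2024-07-03", {"nvd": {"cvss": 8.1}, "cna": {"cvss": 9.8}}),
]

if __name__ == "__main__":
    for change in history(SNAPSHOTS):
        print(change)
```

In this model the NVD score change on the third day produces no history entry, because the CNA score still wins the aggregation. A history built from the aggregated view therefore differs from an NVD-only history.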

API

The new API of OpenCVE v2 is still in beta. For now we only provide read-only endpoints (i.e. GET requests), but of course we plan to add read-write calls to let you manage your organizations and your projects.

Here are the current calls:

/api/cve/
/api/cve/<cve_id>/
/api/organizations/
/api/organizations/<name>/
/api/organizations/<organization_name>/projects/
/api/organizations/<organization_name>/projects/<name>/
/api/organizations/<organization_name>/projects/<project_name>/cve/
/api/vendors/
/api/vendors/<name>/
/api/vendors/<vendor_name>/cve/
/api/vendors/<vendor_name>/products/
/api/vendors/<vendor_name>/products/<name>/
/api/vendors/<vendor_name>/products/<product_name>/cve/
/api/weaknesses/
/api/weaknesses/<cwe_id>/
/api/weaknesses/<weakness_cwe_id>/cve/

If you use the OpenCVE v1 API you will see some changes, mainly due to the new features of OpenCVE v2 (the organizations and projects feature, for instance). This means you will need to update your calls.

In the next few days we’ll provide detailed documentation of these calls so you can compare the current API with the new one.
