This documentation assumes that you already understand at least one common programming
language and are generally familiar with JSON RESTful services. JSON specifies the
format of the data returned by the REST service. REST refers to a style of services
that allow computers to communicate via HTTP over the Internet.
Click here for a list of
best practices and additional information
on where to start. The NVD is also documenting
popular workflows to assist developers
working with the APIs.
Source API
The Source API is used to easily retrieve detailed information on the organizations
that provide the data contained in the NVD dataset.
The API is updated whenever a new source is added, or an existing source is
modified. Data sources change so infrequently that users interested in this information
may choose to limit their requests to once per day.
These parameters return only the source records that were last
modified during the specified period. If a source record has been modified
more recently than the specified period, it will not be included
in the response. If filtering by the last modified date, both
lastModStartDate and lastModEndDate are
required.
The maximum allowable range when using any
date range parameters is 120 consecutive days.
A source record is considered "modified"
when any of the following actions occur:
A new source record is created
An existing source record is modified
An existing source changes acceptance level in CVMAP
Values must be entered in the extended ISO-8601 date/time format:
The "T" is a literal to separate the date from the time. The Z indicates
an optional offset-from-UTC. Please note, if a positive Z value is used
(such as +01:00 for Central European Time) then the "+" should be encoded
in the request as "%2B". The user agent may handle this automatically.
Request all source records modified between the start and end datetimes
This parameter specifies the maximum number of source records to be returned
in a single API response. For network considerations, the default value and
maximum allowable limit is 1,000.
This parameter returns all source records where the exact value of sourceIdentifiers
matches the {sourceIdentifier}.
A request made to the Source API without any additional parameters will return detailed information on
all organizations that provide the data contained in the NVD dataset, including every valid
{sourceIdentifier} value. The CVE API also
returns valid {sourceIdentifier} values within the descriptions object.
Request all source records associated with the data source "[email protected]"
This parameter specifies the index of the first source record to be returned in
the response data. The index is zero-based, meaning the first source record
is at index zero.
The Source API returns four primary objects in the response body that are
used for pagination:
resultsPerPage, startIndex, totalResults,
and sources. totalResults indicates the
total number of source records that match the request parameters.
If the value of totalResults is greater than the value of resultsPerPage,
there are more records than could be returned by a single API
response and additional requests must update the startIndex
to get the remaining records.
The most efficient practice for keeping up to date with
the NVD is to use the date range parameters to request
only the source records that have been modified since your last request.
Request 20 source records, beginning at index 0 and ending at index 19
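The following is an added example, not NVD's own code, that ties together the parameters described above: it splits a long period into windows of at most 120 days, URL-encodes the offset so that "+" becomes "%2B", and advances startIndex until totalResults is reached. The endpoint URL, the function names, and the offline fake_fetch stand-in with its sample records are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, urlparse, parse_qs

# Assumption: the endpoint URL is not given on this page; substitute the one you use.
BASE_URL = "https://services.nvd.nist.gov/rest/json/source/2.0"
MAX_RANGE = timedelta(days=120)  # maximum allowable date range
MAX_PAGE = 1000                  # default and maximum resultsPerPage

def date_windows(start, end):
    """Split [start, end] into consecutive windows of at most 120 days."""
    windows = []
    while start < end:
        stop = min(start + MAX_RANGE, end)
        windows.append((start, stop))
        start = stop
    return windows

def build_url(start, end, start_index=0, per_page=MAX_PAGE):
    """Build one request URL; urlencode turns the '+' of an offset into %2B."""
    if end - start > MAX_RANGE:
        raise ValueError("date range exceeds 120 consecutive days")
    params = {
        "lastModStartDate": start.isoformat(timespec="seconds"),
        "lastModEndDate": end.isoformat(timespec="seconds"),  # both are required
        "resultsPerPage": per_page,
        "startIndex": start_index,
    }
    return BASE_URL + "?" + urlencode(params)

def fetch_all(fetch, start, end, per_page=MAX_PAGE):
    """Collect every record in one window by advancing startIndex."""
    records, index = [], 0
    while True:
        page = fetch(build_url(start, end, index, per_page))
        records.extend(page["sources"])
        index += len(page["sources"])
        if index >= page["totalResults"] or not page["sources"]:
            return records

# Constructed sample data: 45 fake records behind an offline stand-in for the API.
SAMPLE = [{"name": f"constructed-source-{i}"} for i in range(45)]

def fake_fetch(url):
    q = parse_qs(urlparse(url).query)
    i, n = int(q["startIndex"][0]), int(q["resultsPerPage"][0])
    return {"totalResults": len(SAMPLE), "startIndex": i, "sources": SAMPLE[i:i + n]}

if __name__ == "__main__":
    cet = timezone(timedelta(hours=1))
    w = date_windows(datetime(2023, 1, 1, tzinfo=cet), datetime(2023, 12, 31, tzinfo=cet))
    print(len(w), build_url(*w[0]), len(fetch_all(fake_fetch, *w[0], per_page=20)))
```

Adjacent windows share a boundary timestamp, so deduplicate records when merging the results of several windows.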
This API response includes only one JSON schema for defining the structure of the response data.
The following document includes information
on data types, regex patterns, maximum character length, and similar information that can support
developers and database administrators looking to create their own local repository.
The Source API returns seven primary objects in the body of the response:
resultsPerPage, startIndex,
totalResults, format,
version, timestamp,
and sources.
The totalResults object indicates the number of source records
that match the request criteria, including all parameters. If the value of
totalResults is greater than the value of
resultsPerPage, then additional requests are necessary to
return the remaining records. The parameter startIndex may be
used in subsequent requests to identify the starting point for the next request. More
information and the best practices for using resultsPerPage
and startIndex are described above.
The format and version objects
identify the format and version of the API response. timestamp
identifies when the response was generated.
The sources object contains an array of objects equal
to the number of records returned in the response and is sorted in ascending order
by the created property.
The sources object is explained in more detail below.
JSON response objects are either optional or required. Required response objects are always returned
by the API and may contain fields without data. Optional response objects are only returned when
they contain data. For example, the v3AcceptanceLevel object is optional,
so it will only appear when a data source is a participant in the
Collaborative Vulnerability Metadata Acceptance Process (CVMAP) and
it has a CVSSv3 acceptance level.
sources required
This object contains the following required data: source name,
the email address used by the CVE Program to identify the source,
an object containing all email addresses linked to the source,
the date and time that the source first appeared in the NVD, and
the date and time that the record was last modified.
If the source participates in CVMAP the following optional objects may be returned:
v2AcceptanceLevel,
v3AcceptanceLevel, and
cweAcceptanceLevel.
Each object contains the source's current level in the process and the date
that the level last changed. Complete audit histories are available on the
CVMAP webpage.