https://github.com/adoptium/temurin-vdr-generator
Scripts for generating Vulnerability Disclosure Reports
- Host: GitHub
- URL: https://github.com/adoptium/temurin-vdr-generator
- Owner: adoptium
- Created: 2024-03-05T14:40:34.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2025-09-29T22:27:29.000Z (9 months ago)
- Last Synced: 2025-09-30T00:25:23.292Z (9 months ago)
- Topics: secure-dev
- Language: Python
- Size: 229 KB
- Stars: 1
- Watchers: 13
- Forks: 7
- Open Issues: 13
Metadata Files:
- Readme: README.md
README
# temurin-vdr-generator
Scripts for generating Vulnerability Disclosure Reports
Currently the VDR is generated by aggregating data from two sources: the OpenJDK Vulnerability Group (OJVG) and the NIST NVD API.
We use `ojvg_download.py` to download data from the OpenJDK Vulnerability Group and parse it into a more machine-readable format.
We use `ojvg_convert.py` to generate CycloneDX objects, enrich them with data from NIST, and generate a VDR, which is saved in `data/vdr.json`.
## Installation
To install the requirements:
```sh
# (Recommended) create a local virtual environment
python3 -m venv .venv
source .venv/bin/activate
# install project dependencies
python -m pip install --upgrade pip
python -m pip install -r requirements.txt
# install pytest if it's not already available
python -m pip install pytest
```
## Tests
There are some tests. To run them:
```sh
# from the repo root, using the venv
python -m pytest -q
# or without activating the venv
./.venv/bin/python -m pytest -q
```
## Formatting
This project is formatted using [black](https://pypi.org/project/black/) (a fairly standard Python formatter). To format files, use:
```sh
# format every .py file under the repo root (black takes files or directories)
python3 -m black .
```
## End-to-end VDR generation (online)
The end-to-end flow requires network access to OpenJDK and NIST NVD. Outputs and caches are written under `data/`.
```sh
# ensure output/cache directory exists
mkdir -p data
# optional: put an NVD API key here for higher NVD rate limits
# (leave it unset to use the anonymous rate limits)
export NIST_NVD_TOKEN=""
# 1) scrape OJVG advisories and build intermediate JSON
python ojvg_download.py # writes data/openjvg_summary.json
# 2) convert + enrich + validate and write the VDR
python ojvg_convert.py # writes data/vdr.json
```
Tip: In VS Code, pick the interpreter via “Python: Select Interpreter” and choose `.venv/bin/python` so testing and tools use the venv.
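The enrich-and-validate half of the flow above, as an added example that is not part of temurin-vdr-generator's own code: it builds a minimal CycloneDX 1.5 VDR from a constructed advisory record, pulls the primary CVSS v3 rating out of a constructed NVD API 2.0 response body, and runs the consistency checks a consumer would expect `data/vdr.json` to pass. The intermediate record's field names, the `temurin` component name and the placeholder id `CVE-0000-0001` are assumptions; the NVD response shape and the CycloneDX field names are the public formats.

```python
"""Added example (not the project's code): NVD enrichment + VDR sanity checks.
The advisory record, the NVD body and the CVE id below are constructed."""
import json
import re
import urllib.parse

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed stand-in for one record of the intermediate OJVG summary.
# Field names are an assumption, not the project's real schema.
SAMPLE_ADVISORY = {
    "cve": "CVE-0000-0001",            # placeholder id, not a real CVE
    "affected": ["17.0.9", "17.0.10"],
    "fixed": "17.0.11",
}

# Constructed stand-in for an NVD API 2.0 response body: the shape is the
# real one, the values are made up to go with the placeholder id.
SAMPLE_NVD_RESPONSE = {
    "format": "NVD_CVE", "version": "2.0", "totalResults": 1,
    "vulnerabilities": [{"cve": {
        "id": "CVE-0000-0001",
        "published": "2024-01-01T00:00:00.000",
        "metrics": {"cvssMetricV31": [{
            "source": "nvd@nist.gov", "type": "Primary",
            "cvssData": {"version": "3.1", "baseScore": 3.7, "baseSeverity": "LOW",
                         "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},
        }]},
    }}],
}


def nvd_request(cve_id, token=None):
    """URL and headers for an NVD API 2.0 lookup of one CVE. The optional API
    key travels in the 'apiKey' header, never in the query string or a log."""
    if not CVE_RE.match(cve_id):
        raise ValueError(f"not a CVE id: {cve_id!r}")
    url = f"{NVD_API}?{urllib.parse.urlencode({'cveId': cve_id})}"
    return url, ({"apiKey": token} if token else {})


def rating_from_nvd(nvd_doc, cve_id):
    """Translate the primary CVSS v3.x metric for cve_id into a CycloneDX
    rating. Returns None when NVD has no record or no v3 metric (unscored or
    rejected entries) so the caller can flag the gap instead of guessing."""
    for item in nvd_doc.get("vulnerabilities", []):
        cve = item["cve"]
        if cve.get("id") != cve_id:
            continue
        metrics = cve.get("metrics", {})
        for key, method in (("cvssMetricV31", "CVSSv31"), ("cvssMetricV30", "CVSSv3")):
            for m in metrics.get(key, []):
                if m.get("type") == "Primary":
                    d = m["cvssData"]
                    return {"source": {"name": "NVD"}, "method": method,
                            "score": d["baseScore"],
                            "severity": d["baseSeverity"].lower(),   # CycloneDX uses lowercase
                            "vector": d["vectorString"]}
    return None


def build_vdr(advisories, nvd_docs, component_name="temurin"):
    """Assemble a minimal CycloneDX 1.5 VDR: one component bom-ref per version
    seen, one vulnerability per advisory, enriched from nvd_docs (cve -> body)."""
    versions = sorted({v for a in advisories for v in a["affected"] + [a["fixed"]]})
    components = [{"type": "application", "name": component_name, "version": v,
                   "bom-ref": f"{component_name}@{v}"} for v in versions]
    vulns = []
    for a in advisories:
        rating = rating_from_nvd(nvd_docs.get(a["cve"], {}), a["cve"])
        affects = [{"ref": f"{component_name}@{v}",
                    "versions": [{"version": v, "status": "affected"}]} for v in a["affected"]]
        affects.append({"ref": f"{component_name}@{a['fixed']}",
                        "versions": [{"version": a["fixed"], "status": "unaffected"}]})
        vulns.append({"id": a["cve"],
                      "source": {"name": "NVD", "url": f"https://nvd.nist.gov/vuln/detail/{a['cve']}"},
                      "ratings": [rating] if rating else [],
                      "affects": affects})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": components, "vulnerabilities": vulns}


def check_vdr(vdr):
    """Consumer-side checks a generator should pass before publishing.
    Returns a list of problems; an empty list means the document is consistent."""
    problems = []
    refs = {c["bom-ref"] for c in vdr.get("components", [])}
    for v in vdr.get("vulnerabilities", []):
        vid = v.get("id", "")
        if not CVE_RE.match(vid):
            problems.append(f"bad vulnerability id {vid!r}")
        if not v.get("ratings"):
            problems.append(f"{vid}: no rating (NVD enrichment missing)")
        for aff in v.get("affects", []):
            if aff["ref"] not in refs:
                problems.append(f"{vid}: affects unknown bom-ref {aff['ref']!r}")
    return problems


if __name__ == "__main__":
    vdr = build_vdr([SAMPLE_ADVISORY], {"CVE-0000-0001": SAMPLE_NVD_RESPONSE})
    print(json.dumps(vdr, indent=2))
    print("problems:", check_vdr(vdr) or "none")
```

`rating_from_nvd` deliberately returns `None` rather than a default score when NVD has nothing for the id, so a missing enrichment shows up as a `check_vdr` finding instead of an unrated entry shipping silently in `data/vdr.json`.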