nilp0inter / cpe

CPE: Common Platform Enumeration for Python


Process JSON configurations nodes from NVD

donpellegrino opened this issue · comments

Use Case

Determine if an NVD CVE configuration applies to a given CPE. Determine which NVD CVEs are applicable to a given CPE.

Background

The NVD Vulnerability Feeds are no longer provided in XML. They are now only provided in JSON (https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement). Each vulnerability includes a "configurations" node in JSON. The configuration nodes seem to have the same data model as the XML CPE Applicability Language used by the CPE library (https://cpe.readthedocs.io/en/latest/examples.html#language-matching). However, users of the CPE library will need to write custom code to translate between NVD JSON configurations and CPE Applicability Language XML.

Enhancement

It seems that it would be generally useful if the CPELanguage classes accepted the JSON used in the NVD CVE configurations nodes instead of just XML.

Is the new JSON format a one-to-one translation of the old XML format?
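For the use case in the issue above, a sketch of evaluating a "configurations" node against an inventory of CPE 2.3 names. This is an added example, not code from the cpe library or from any participant in this thread. It assumes the NVD JSON 1.1 feed field names (`nodes`, `operator`, `negate`, `children`, `cpe_match`, `cpe23Uri`, `versionStart*`/`versionEnd*`), uses a constructed sample, and simplifies matching to `*` wildcards plus dotted-numeric version ranges.

```python
import json
import operator
import re

# Constructed sample; field names assume the NVD JSON 1.1 feed layout.
SAMPLE = json.loads("""
{"nodes": [{"operator": "AND", "children": [
  {"operator": "OR", "cpe_match": [
    {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:example:widget:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "1.0", "versionEndExcluding": "1.4.2"}]},
  {"operator": "OR", "cpe_match": [
    {"vulnerable": false, "cpe23Uri": "cpe:2.3:o:example:exampleos:-:*:*:*:*:*:*:*"}]}
]}]}
""")

RANGE_OPS = {"versionStartIncluding": operator.ge, "versionStartExcluding": operator.gt,
             "versionEndIncluding": operator.le, "versionEndExcluding": operator.lt}

def fields(cpe23):
    """Split a CPE 2.3 formatted string on unescaped colons, dropping 'cpe:2.3'."""
    return [f.lower() for f in re.split(r"(?<!\\):", cpe23)[2:]]

def ver(v):
    """Simplified ordering key: dotted numeric versions only (raises ValueError otherwise)."""
    return tuple(int(p) for p in v.split("."))

def entry_matches(entry, cpe23):
    """True if one cpe_match entry covers the given inventory CPE."""
    pat, tgt = fields(entry["cpe23Uri"]), fields(cpe23)
    if len(pat) != 11 or len(tgt) != 11:
        return False  # malformed name
    if any(p != "*" and p != t for p, t in zip(pat, tgt)):
        return False  # '*' is ANY; every other value must be equal
    try:
        return all(op(ver(tgt[3]), ver(entry[k]))  # index 3 is the version field
                   for k, op in RANGE_OPS.items() if k in entry)
    except ValueError:
        return False  # non-numeric version with a range bound: treat as no match

def node_applies(node, inventory):
    """Evaluate an AND/OR node (with optional negate) over a list of CPE names."""
    results = [any(entry_matches(e, c) for c in inventory) for e in node.get("cpe_match", [])]
    results += [node_applies(ch, inventory) for ch in node.get("children", [])]
    hit = bool(results) and (all(results) if node.get("operator") == "AND" else any(results))
    return hit != node.get("negate", False)

def configuration_applies(configurations, inventory):
    """A CVE applies if any top-level node evaluates to true."""
    return any(node_applies(n, inventory) for n in configurations.get("nodes", []))
```

Because an AND node pairs a vulnerable product with a platform it must run on, the second argument is a list of CPE names for one host rather than a single name.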