NVD error: API key invalid since the NIST CVSS v4.0 change

Question. Votes: 0, Answers: 1

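I have a process that pulls vulnerability data using the NVD API. It has been running fine for years.

Suddenly, I am getting periodic errors in the log, such as: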

Downloaded 6000 CVEs.
Process finished at 2024-07-02 11:02:55
Total duration: 173.34 seconds
Downloaded 8000 CVEs.
Error: Invalid API key
Process finished at 2024-07-02 15:01:10
Total duration: 0.30 seconds
Downloaded 0 CVEs.
Process finished at 2024-07-02 17:00:37
Total duration: 1.92 seconds
Downloaded 0 CVEs.
Error: Invalid API key

I tested the problem here with this code:

import requests
import logging
import time

# Configure logging
logging.basicConfig(filename='/<dir>/api_key_check.log', level=logging.INFO, format='%(asctime)s:%(levelname)s:%(message)s')

def is_valid_api_key(apiKey, retries=3, delay=5, timeout=10):
    test_url = 'https://services.nvd.nist.gov/rest/json/cves/2.0'
    test_params = {'startIndex': 0, 'resultsPerPage': 1}
    headers = {'apiKey': apiKey}

    for attempt in range(retries):
        try:
            logging.info(f"Attempt {attempt + 1} to check API key.")
            test_response = requests.get(test_url, params=test_params, headers=headers, timeout=timeout)
            if test_response.status_code == 200:
                logging.info("API key is valid.")
                return True
            elif test_response.status_code == 403:
                logging.error("Forbidden: The API key might be invalid or rate-limited.")
                return False
            else:
                logging.error(f"Unexpected status code {test_response.status_code} on attempt {attempt + 1}")
        except requests.Timeout:
            logging.error(f"Request timed out on attempt {attempt + 1}")
        except requests.RequestException as e:
            logging.error(f"Request failed on attempt {attempt + 1}: {e}")
        time.sleep(delay)

    logging.error("API key validation failed after multiple attempts.")
    return False

# Replace 'your_api_key_here' with your actual API key
apiKey = 'your_api_key_here'
if is_valid_api_key(apiKey):
    print("API key is valid.")
else:
    print("Error: Invalid API key.")

I run it and I get:

Error: Invalid API key.

The NIST and NVD people are not good at responding. This has been broken for 4 days.

Their chat group has this:

https://groups.google.com/a/list.nist.gov/g/nvd-news

Has anyone run into this problem, or does anyone have any guidance?

python security cve
1 answer
0
votes

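I don't have an API key to try, but their API documentation includes:

Once activated, the API key can be included as a parameter in the requestor's URL string

I don't see anything in the documentation suggesting that you can supply it as a header, and I think it most likely never worked as a header; rather, the API previously worked without a key, and you are just hitting their new, lower rate limits.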
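
To separate the two explanations raised in this thread (a rejected key versus throttling of keyless requests), the same one-record query can be sent with no key, with the key as a header as in the question, and with the key in the URL, and the outcomes compared. This is an added example, not code from either poster; the `apiKey` URL parameter name and the helpers `http_status`, `probe` and `interpret` are assumptions.

```python
import urllib.error
import urllib.parse
import urllib.request

NVD_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"
BASE_PARAMS = {"startIndex": 0, "resultsPerPage": 1}

def http_status(url, headers):
    """Return the HTTP status of a GET, or the exception name on transport failure."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except (urllib.error.URLError, OSError) as exc:
        return type(exc).__name__

def probe(api_key, send=http_status):
    """Send the same query without a key, with the key as a header, and in the URL."""
    variants = {
        "no_key": ({}, {}),
        "header": ({"apiKey": api_key}, {}),
        # Assumption: the URL parameter is also named apiKey.
        "url_param": ({}, {"apiKey": api_key}),
    }
    results = {}
    for name, (headers, extra) in variants.items():
        query = urllib.parse.urlencode({**BASE_PARAMS, **extra})
        results[name] = send(f"{NVD_URL}?{query}", headers)
    return results

def interpret(results):
    """Turn the three outcomes into a statement the status codes actually support."""
    ok = {name for name, status in results.items() if status == 200}
    failed = ", ".join(sorted(set(results) - ok))
    if not ok:
        return "all variants refused: throttling or outage, key not shown invalid"
    if ok == set(results):
        return "all variants succeed: key not needed for this request"
    if "no_key" in ok:
        return "keyless works but a keyed variant fails: key rejected in " + failed
    return "key required and accepted via: " + ", ".join(sorted(ok))

if __name__ == "__main__":
    # Constructed responder that refuses every request, so this runs offline.
    print(interpret(probe("EXAMPLE-KEY", send=lambda url, headers: 403)))
```

A key placed in the URL can end up in proxy and web server logs, so redact the query string before logging any of these requests.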
