
EPIC: Integrate VDR with DependencyTrack #163

Open
@Scanteianu

Description


Background

Currently, the Temurin VDR Generator fetches vulnerabilities from the OJVG website and it goes to the NIST database to get further information about those vulnerabilities. The NIST NVD DB is throttled and/or requires an API Key.

Dependency Track Deliverables

NVD Mirror

It may be much more efficient to go to a NIST DB Mirror hosted in Dependency Track. The Eclipse foundation has set up a Dependency Track Instance, so we may be able to go and use this instead of the NVD. This would mean that we could make unthrottled requests and build the VDR (even in PRs) in seconds instead of tens of minutes.

Alternative VDR

Additionally, we may be able to use Dependency Track to fetch CVEs for the OpenJDK (this requires getting a CPE or pURL in the Temurin SBOM so Dependency Track has something to index from). We can use Dependency Track to export these in both VDR and VEX formats. We may need to apply some kind of filter (i.e. remove vulnerabilities with a dependency score below a certain number) so that the VDR is not overly noisy.
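As an added example (not code from the Temurin VDR Generator or from Dependency Track), one way to apply the score filter described above to a CycloneDX VDR document before publishing it; the sample document, CVE ids and pURL are constructed placeholders, and unscored entries are kept by default so the filter never hides a vulnerability that has not been assessed yet:

```python
import json

# Constructed CycloneDX 1.5-style VDR fragment (placeholder ids/pURL, not a real Temurin VDR).
SAMPLE_VDR = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "source": {"name": "NVD"},
         "ratings": [{"source": {"name": "NVD"}, "score": 9.8, "severity": "critical", "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:generic/openjdk@21.0.1"}]},
        {"id": "CVE-0000-0002", "source": {"name": "NVD"},
         "ratings": [{"source": {"name": "NVD"}, "score": 3.1, "severity": "low", "method": "CVSSv31"},
                     {"source": {"name": "VENDOR"}, "score": 5.3, "severity": "medium", "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:generic/openjdk@21.0.1"}]},
        {"id": "CVE-0000-0003", "source": {"name": "NVD"},
         "ratings": [],  # freshly published entry with no CVSS rating yet
         "affects": [{"ref": "pkg:generic/openjdk@21.0.1"}]},
    ],
}

def max_score(vuln):
    """Highest numeric score across all ratings of one vulnerability, or None if unscored."""
    scores = [r["score"] for r in vuln.get("ratings", []) if isinstance(r.get("score"), (int, float))]
    return max(scores) if scores else None

def filter_vdr(doc, min_score, keep_unscored=True):
    """Return a shallow copy of the VDR keeping vulnerabilities whose best rating is >= min_score.
    Entries without any numeric rating are kept unless keep_unscored is False."""
    kept = []
    for vuln in doc.get("vulnerabilities", []):
        score = max_score(vuln)
        if score is None:
            if keep_unscored:
                kept.append(vuln)
        elif score >= min_score:
            kept.append(vuln)
    filtered = dict(doc)
    filtered["vulnerabilities"] = kept
    return filtered

def kept_ids(doc, min_score, keep_unscored=True):
    """Convenience helper: ids that survive the filter, in document order."""
    return [v["id"] for v in filter_vdr(doc, min_score, keep_unscored)["vulnerabilities"]]

if __name__ == "__main__":
    print(json.dumps(filter_vdr(SAMPLE_VDR, 7.0), indent=2))
```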

Outcomes

NVD Mirror

By using an NVD mirror, we would be able to speed up builds and reduce direct reliance on the NVD (and instead rely on infrastructure hosted by the Eclipse Foundation).

Alternative VDR

By generating this, we are able to verify the OJVG Vulnerability disclosure list, and also flag other possible vulnerabilities. We will also be able to produce a VEX document in addition to the VDR, which makes Temurin even more compatible with the OWASP supply chain security initiatives.
