Phase 3 of Legacy CVE Download Formats Deprecation Now Underway
Once-per-month updates in March, April, May, and June 2024
Phase 3 of the phased deprecation of legacy CVE content download formats (i.e., CSV, HTML, XML, and CVRF) scheduled for the first half of 2024 is underway. In Phase 3, per the phase-out schedule noted below, the legacy download formats will only be updated once per month in March, April, May, and June 2024. They will no longer be updated after June 30, 2024.
The legacy download formats have been replaced by CVE JSON as the only supported format for CVE Records and downloads. See below.
This change was first announced in July 2023 in a CVE Blog article entitled “Legacy CVE Download Formats Will Be Phased Out Beginning January 1, 2024” on the CVE.ORG website and promoted throughout the remainder of 2023 in the CVE Announce email newsletter and on CVE social media. A second blog article, “Deprecation of Legacy CVE Download Formats Now Underway,” was published in January 2024, and a third, “Phase 2 of Legacy CVE Download Formats Deprecation Now Underway,” was published in February 2024, and promoted on the CVE.ORG website, in the CVE Announce email newsletter, and on CVE social media.
Phase-Out Schedule
Phased deprecation means that the frequency of updates to the legacy download formats will be reduced over the coming months until they are no longer updated at the end of June 2024.
To assist consumers with their transition to the new format, the frequency of updates to the legacy download formats are being reduced from daily updates (which ended on December 31, 2023) to updates on the following schedule:
New Format for CVE Records and Downloads
CVE Downloads in our new official data format for CVE Records, “CVE JSON,” are hosted in the cvelistV5 repository on GitHub.com. Update frequency and other details are available in the repository ReadMe.
CVE JSON is a richer, more structured format for vulnerability identification and description and will provide enhanced information for your customers. The schema for this new format is also available on GitHub.
Who Is Affected?
CVE Numbering Authority (CNA) partners, tool vendors, and other parties that use CVE download files for automation or other purposes should pay particular attention to this change.
Take Action Now!
Product teams and others need to update their tools and processes to the new supported format prior to these legacy format download files no longer being updated after June 30, 2024.
Please use our CVE Blog website feedback form, comment on the CVE Blog on Medium, or use the CVE Request Web forms and select “Other” from the dropdown menu, to provide feedback about this article.
