
temurin-vdr-generator

Scripts for generating Vulnerability Disclosure Reports

Currently the VDR is generated by aggregating data from two sources: the OpenJDK Vulnerability Group (OJVG) and the NIST NVD API. We use ojvg_download.py to download the data from the OpenJDK Vulnerability Group and parse it into a more machine-readable format. We use ojvg_convert.py to generate CycloneDX format objects, enrich them with data from NIST, and generate a VDR, which is saved in data/vdr.json.
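As an added illustration (not the project's own code, which lives in ojvg_download.py and ojvg_convert.py), the Python below sketches the aggregation step: OJVG-style advisory records are merged with NVD-style CVSS data into a CycloneDX VDR structure, and the result gets a few sanity checks before it would be written out. The input record shapes, the placeholder CVE ids and the NVD record layout are assumptions; the CycloneDX field names follow the 1.4+ schema.

```python
import re

# Constructed sample inputs (placeholder CVE ids, not real advisories); the
# real data/openjvg_summary.json layout may differ from this assumed shape.
OJVG_RECORDS = [
    {"cve": "CVE-0000-0001", "component": "java.base",
     "affected": ["17.0.0", "17.0.1"], "fixed": "17.0.2"},
    {"cve": "CVE-0000-0002", "component": "java.desktop",
     "affected": ["17.0.1"], "fixed": "17.0.2"},
]
# NVD enrichment keyed by CVE id; the second id is deliberately absent,
# which models an advisory that NVD has not scored yet.
NVD_RECORDS = {
    "CVE-0000-0001": {"score": 7.5, "severity": "HIGH",
                      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
}
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def build_vulnerability(ojvg, nvd=None):
    """One CycloneDX 'vulnerabilities' entry; the NVD rating is optional."""
    versions = [{"version": v, "status": "affected"} for v in ojvg["affected"]]
    versions.append({"version": ojvg["fixed"], "status": "unaffected"})
    entry = {
        "id": ojvg["cve"],
        "source": {"name": "OpenJDK Vulnerability Group"},
        "affects": [{"ref": ojvg["component"], "versions": versions}],
    }
    if nvd:  # only emit a rating when NVD actually has one
        entry["ratings"] = [{"source": {"name": "NVD"}, "score": nvd["score"],
                             "severity": nvd["severity"].lower(),
                             "method": "CVSSv31", "vector": nvd["vector"]}]
    return entry


def build_vdr(ojvg_records, nvd_records):
    """Aggregate both sources into a CycloneDX VDR document (as a dict)."""
    vulns = [build_vulnerability(r, nvd_records.get(r["cve"])) for r in ojvg_records]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "vulnerabilities": vulns}


def validate_vdr(vdr):
    """Return a list of problems; an empty list means the VDR passed."""
    problems = []
    if vdr.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be CycloneDX")
    ids = [v["id"] for v in vdr.get("vulnerabilities", [])]
    problems += [f"malformed id {i}" for i in ids if not CVE_ID.fullmatch(i)]
    if len(ids) != len(set(ids)):
        problems.append("duplicate vulnerability ids")
    return problems
```

Serialising the returned dict with json.dump gives a file of the same general shape as data/vdr.json; the unrated entry shows why the validation step matters when NVD lags behind OJVG.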

Installation

To install the requirements:

# (Recommended) create a local virtual environment
python3 -m venv .venv
source .venv/bin/activate

# install project dependencies
python -m pip install --upgrade pip
python -m pip install -r requirements.txt

# install pytest if it's not already available
python -m pip install pytest

Tests

There are some tests. To run them, you can do:

# from the repo root, using the venv
python -m pytest -q

# or without activating the venv
./.venv/bin/python -m pytest -q

Formatting

This project is formatted using black (a fairly standard Python formatter). To format files, use:

python3 -m black <filename>.py

End-to-end VDR generation (online)

The end-to-end flow requires network access to OpenJDK and NIST NVD. Outputs and caches are written under data/.

# ensure output/cache directory exists
mkdir -p data

# optional: use an API token for higher NVD rate limits
export NIST_NVD_TOKEN="<your-nist-token>"

# 1) scrape OJVG advisories and build intermediate JSON
python ojvg_download.py   # writes data/openjvg_summary.json

# 2) convert + enrich + validate and write the VDR
python ojvg_convert.py    # writes data/vdr.json

Tip: In VS Code, pick the interpreter via “Python: Select Interpreter” and choose .venv/bin/python so testing and tools use the venv.