Retire remaining active NVD sources

08-threat-intel/source-map.yaml

@@ -456,6 +456,9 @@ systems:
         confidence: official
         advisory_mode: core
         results_per_page: 50
+        status: retired
+        retired_reason: Adobe Magento Security Index is now the active official machine-readable source, so NVD public search is no longer needed for daily collection.
+        replacement_sources: [Adobe Magento Security Index]
     ecosystem_sources:
       - name: GHSA Adobe Commerce
         kind: ghsa-global
@@ -503,12 +506,19 @@ systems:
         advisory_mode: core
         keywords: [magento]
         max_items: 50
+      - name: OSV Magento Open Source
+        kind: osv-batch
+        confidence: official
+        advisory_mode: core
       - name: NVD Magento
         kind: nvd-search
         keyword: Magento
         confidence: official
         advisory_mode: core
         results_per_page: 50
+        status: retired
+        retired_reason: OSV Magento Open Source plus Magento GitHub advisories replace NVD public search for machine-readable collection.
+        replacement_sources: [Magento GitHub Advisories, OSV Magento Open Source]
     ecosystem_sources:
       - name: Sansec Research
         kind: html-links
@@ -519,9 +529,9 @@ systems:
         max_items: 50
     research_sources: []
     package_names:
-      - ecosystem: composer
+      - ecosystem: Packagist
         name: magento/product-community-edition
-      - ecosystem: composer
+      - ecosystem: Packagist
         name: magento/framework
     cpe_keys: ["magento:magento"]
     ghsa_keywords: [magento]
@@ -1812,15 +1822,24 @@ systems:
     tier: rolling-24m
     advisory_modes: [core]
     official_sources:
+      - name: OSV ASP.NET Core
+        kind: osv-batch
+        confidence: official
+        advisory_mode: core
       - name: NVD ASP.NET Core
         kind: nvd-search
         keyword: ASP.NET Core
         confidence: official
         advisory_mode: core
         results_per_page: 40
+        status: retired
+        retired_reason: OSV ASP.NET Core provides machine-readable NuGet-aligned coverage with lower latency than NVD public search.
+        replacement_sources: [OSV ASP.NET Core]
     ecosystem_sources: []
     research_sources: []
-    package_names: []
+    package_names:
+      - ecosystem: NuGet
+        name: Microsoft.AspNetCore.App
     cpe_keys: ["microsoft:asp.net_core"]
     ghsa_keywords: [asp.net core]
     kev_keywords: [asp.net core]
@@ -1894,6 +1913,9 @@ systems:
         confidence: official
         advisory_mode: server
         results_per_page: 50
+        status: retired
+        retired_reason: Official NGINX advisories page and CISA KEV together provide the needed daily signal without NVD public-search latency.
+        replacement_sources: [NGINX Security Advisories, CISA KEV NGINX]
       - name: CISA KEV NGINX
         kind: kev-json
         url: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
@@ -1936,6 +1958,9 @@ systems:
         confidence: official
         advisory_mode: server
         results_per_page: 50
+        status: retired
+        retired_reason: Official Apache HTTPD advisories page plus CISA KEV are sufficient active sources for daily monitoring.
+        replacement_sources: [Apache HTTPD Security, CISA KEV Apache HTTPD]
     ecosystem_sources: []
     research_sources: []
     package_names: []
@@ -1972,6 +1997,9 @@ systems:
         confidence: official
         advisory_mode: server
         results_per_page: 50
+        status: retired
+        retired_reason: Official Tomcat advisories page plus CISA KEV are sufficient active sources for daily monitoring.
+        replacement_sources: [Apache Tomcat Security, CISA KEV Tomcat]
     ecosystem_sources: []
     research_sources: []
     package_names: []
@@ -2072,6 +2100,9 @@ systems:
         confidence: official
         advisory_mode: server
         results_per_page: 40
+        status: retired
+        retired_reason: HAProxy Blog Feed is an active official RSS source, so NVD public search is no longer required.
+        replacement_sources: [HAProxy Blog Feed]
     ecosystem_sources: []
     research_sources: []
     package_names: []
@@ -2128,15 +2159,24 @@ systems:
     tier: rolling-24m
     advisory_modes: [core]
     official_sources:
+      - name: OSV Adminer
+        kind: osv-batch
+        confidence: official
+        advisory_mode: core
       - name: NVD Adminer
         kind: nvd-search
         keyword: Adminer
         confidence: official
         advisory_mode: core
         results_per_page: 40
+        status: retired
+        retired_reason: OSV Adminer provides a machine-readable Packagist-aligned source, removing the need for NVD public search.
+        replacement_sources: [OSV Adminer]
     ecosystem_sources: []
     research_sources: []
-    package_names: []
+    package_names:
+      - ecosystem: Packagist
+        name: vrana/adminer
     cpe_keys: ["adminer:adminer"]
     ghsa_keywords: [adminer]
     kev_keywords: [adminer]
@@ -2188,12 +2228,22 @@ systems:
         advisory_mode: core
         keywords: [security release, gitlab]
         max_items: 50
+      - name: GitLab Security Releases Atom
+        kind: atom-feed
+        url: https://about.gitlab.com/security-releases.xml
+        confidence: official
+        advisory_mode: core
+        keywords: [security release, gitlab]
+        max_items: 50
       - name: NVD GitLab
         kind: nvd-search
         keyword: GitLab CE
         confidence: official
         advisory_mode: core
         results_per_page: 40
+        status: retired
+        retired_reason: GitLab Security Releases Atom provides an official machine-readable feed, so NVD public search is no longer required.
+        replacement_sources: [GitLab Security Releases, GitLab Security Releases Atom]
     ecosystem_sources:
       - name: GitLab Advisory Database
         kind: html-links
@@ -2225,12 +2275,22 @@ systems:
         advisory_mode: core
         keywords: [jenkins]
         max_items: 60
+      - name: Jenkins Security Advisories RSS
+        kind: rss-feed
+        url: https://www.jenkins.io/security/advisories/rss.xml
+        confidence: official
+        advisory_mode: core
+        keywords: [jenkins]
+        max_items: 60
       - name: NVD Jenkins
         kind: nvd-search
         keyword: Jenkins
         confidence: official
         advisory_mode: core
         results_per_page: 40
+        status: retired
+        retired_reason: Jenkins Security Advisories RSS provides an official machine-readable feed, replacing NVD public search.
+        replacement_sources: [Jenkins Security Advisories, Jenkins Security Advisories RSS]
     ecosystem_sources: []
     research_sources: []
     package_names: []
@@ -2286,12 +2346,22 @@ systems:
         advisory_mode: core
         keywords: [kibana, elastic, security]
         max_items: 60
+      - name: Elastic Security Announcements RSS
+        kind: rss-feed
+        url: https://discuss.elastic.co/c/announcements/security-announcements/31.rss
+        confidence: official
+        advisory_mode: core
+        keywords: [kibana, elastic, security]
+        max_items: 60
       - name: NVD Kibana
         kind: nvd-search
         keyword: Kibana
         confidence: official
         advisory_mode: core
         results_per_page: 40
+        status: retired
+        retired_reason: Elastic Security Announcements RSS provides an official machine-readable feed, replacing NVD public search.
+        replacement_sources: [Elastic Security Announcements, Elastic Security Announcements RSS]
     ecosystem_sources: []
     research_sources: []
     package_names: []