Hello! The company I work for has tasked me with checking the security advisories that Cisco publishes. This task seemed ripe for automation, especially since Cisco provides a restful API where you can access all of the advisories they publish. They advertise being able to return extremely useful and pertinent data such as vulnerable products, the CVSS score, and a written summary of the vulnerability. If you want to get more information such as the affected software releases, you must have a certain kind of account with Cisco, which luckily we have, to access the bug API.

The concept of this API is great. Ideally you could have an inventory that automatically compares the model and version number of live devices on your network against the advisories, and only notify you about the ones that actually apply to your devices. You could set policies on top of this, like only notify me if the CVSS score is a High or more, etc. 

The problem I am experiencing is that the data returned from the API is inaccurate, incomplete, and inconsistent. These things make this data untrustworthy, and forces me to manually read each and every advisory. The data returned often leaves out vulnerable products and version information. 

The natural next step is to forgo the API altogether and use web-scraping to pull the data. This is also not achievable because there is no consistent formatting between individual advisories, and they are often incomplete as well. Last month there were many advisories that came through without any vulnerable version listed, despite the vulnerability being about vulnerable software. 

Additionally, I have found other security-related APIs from Cisco, where you can pass in model numbers and it will return you the applicable advisories, but this is not available for all products that Cisco provides and we would potentially miss something important.

So my question to the community is, have you found a way to automate the processing of these vulnerabilities? If so, how?