@EugenMayer I noticed this issue as well.

Specifically, items like https://nvd.nist.gov/vuln/detail/CVE-1999-0007

Not sure why this is an issue you mention? The mirror, also the old code, was downloading CVEs starting from 2002, so if that has been an issue, it has been one in the past. So how Is this related to the new code?

it can be easily fixed by changing https://github.com/jeremylong/Open-Vulnerability-Project/blob/main/vulnz/src/main/java/io/github/jeremylong/vulnz/cli/commands/CveCommand.java#L73

or we introduce a variable that defaults to 2002 and can be changed (to define the year to start from)

From https://nvd.nist.gov/vuln/data-feeds

The vulnerability feeds provide CVE® data organized by the first four digits of a CVE® identifier (except for the 2002 feeds which include vulnerabilities prior to and including "CVE-2002-").

This is due to the new code. I've found a couple other bugs I'm fixing - and I think I know why the ODC (owasp dependency-check) clients can't use this cache...

@jeremylong i'am happy to assist if you tell me what to work on. Very interested in the ODC issue for sure.

a) I assume, the "prior" 2002 issue is that we now request using a year-range and thus hard-exclude anything prio 2002, while the old code fetched them anyway? Very hard to grasp detail
b) odc might be something with the format?

I could try to fix a) if you like, for b) i would need informations

The fact that ODC clients error when using the new cache will be fixed with e00c0c1. In a lot of ways I want to refactor some of the methods that handle reading/writing the file for the "year" to also handle the modified - in a lot of ways it is just a special year and will reduce code duplication.