From 32127d69596e98a5e3aa11be57aaf3d1ff8fd061 Mon Sep 17 00:00:00 2001
From: Aditya kumar singh <143548997+Adityakk9031@users.noreply.github.com>
Date: Sat, 27 Dec 2025 11:33:22 +0530
Subject: [PATCH] Fix incorrect default starting year in NVD importer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The function fetch_cve_data_1_1 used starting_year=2025 by default, but
NVD JSON CVE feeds are available starting from 2002. This caused older
CVE data (2002–2024) to be skipped when no starting year was provided.

This updates the default starting_year to 2002 so all available NVD CVE
data is fetched by default, matching documented behavior.

Fixes: https://github.com/aboutcode-org/vulnerablecode/issues/2079

Signed-off-by: Aditya Kumar Singh <adityasinghtomar78@gmail.com>
Signed-off-by: Aditya kumar singh <143548997+Adityakk9031@users.noreply.github.com>
---
 vulnerabilities/pipelines/v2_importers/nvd_importer.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/vulnerabilities/pipelines/v2_importers/nvd_importer.py b/vulnerabilities/pipelines/v2_importers/nvd_importer.py
index 876b7a905..b5be58db2 100644
--- a/vulnerabilities/pipelines/v2_importers/nvd_importer.py
+++ b/vulnerabilities/pipelines/v2_importers/nvd_importer.py
@@ -111,7 +111,7 @@ def fetch(url, logger=None):
     return json.loads(data)
 
 
-def fetch_cve_data_1_1(starting_year=2025, logger=None):
+def fetch_cve_data_1_1(starting_year=2002, logger=None):
     """
     Yield tuples of (year, lists of CVE mappings) from the NVD, one for each
     year since ``starting_year`` defaulting to 2002.