VulnCheck Community CPE Schema
The VulnCheck provided NIST NVD 1.0 and NIST NVD 2.0 follow the JSON schemas developed by NIST:
The only exception to these schemas is where VulnCheck has added CPE enrichment. Adding our CPE data to the same field that NIST populates would only cause confusion, so we've instead added the following fields:
vcConfigurations: Exactly the same as the NVD configurations field, but populated by VulnCheck.
vcVulnerableCPEs: NVD uses matchCriteriaId to facilitate CPE "unrolling". VulnCheck has decided to remove this additional step, and include the unrolled CPE in the vcVulnerableCPEs field.
Note that the matchCriteriaId in vcConfigurations will always be empty because we are using vcVulnerableCPEs instead. However, it's a required field in the NIST schema, so we elected to leave it.
VulnCheck Added CPE Example From NIST NVD 2.0
The following example of vcConfigurations and vcVulnerableCPEs is from nist-nvd2?cve=CVE-2024-28746. Note that the cpeMatch describes the affected versions, and vcVulnerableCPEs lists them.

    "vcConfigurations": [
      {
        "nodes": [
          {
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "2.8.0",
                "versionEndExcluding": "2.8.3",
                "matchCriteriaId": ""
              }
            ]
          }
        ]
      }
    ],
    "vcVulnerableCPEs": [
      "cpe:2.3:a:apache:airflow:2.8.0:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:airflow:2.8.1:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:airflow:2.8.2:*:*:*:*:*:*:*"
    ]

VulnCheck Added CPE Example From NIST NVD 1.0
The following example of vcConfigurations and vcVulnerableCPEs is from nist-nvd?cve=CVE-2024-28746:

    "vcConfigurations": {
      "CVE_data_version": "4.0",
      "nodes": [
        {
          "cpe_match": [
            {
              "vulnerable": true,
              "cpe23Uri": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "2.8.0",
              "versionEndExcluding": "2.8.3"
            }
          ]
        }
      ]
    },
    "vcVulnerableCPEs": [
      "cpe:2.3:a:apache:airflow:2.8.0:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:airflow:2.8.1:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:airflow:2.8.2:*:*:*:*:*:*:*"
    ]
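
The two excerpts above differ in shape (a list with cpeMatch/criteria in NVD 2.0, a single object with cpe_match/cpe23Uri in NVD 1.0), so a consumer checking an installed version against a record has to handle both. The following is an added example, not VulnCheck code: it does an exact lookup in vcVulnerableCPEs and cross-checks the result against the version range in vcConfigurations. The function names are hypothetical, the sample records are constructed from the excerpts on this page, and the version comparison assumes plain dotted-numeric versions and application ("a") CPEs.

```python
# Constructed sample records mirroring the two excerpts on this page.
CPE = "cpe:2.3:a:apache:airflow:%s:*:*:*:*:*:*:*"
RANGE = {"vulnerable": True, "versionStartIncluding": "2.8.0",
         "versionEndExcluding": "2.8.3"}
UNROLLED = [CPE % v for v in ("2.8.0", "2.8.1", "2.8.2")]
NVD2 = {"vcConfigurations": [{"nodes": [{"cpeMatch": [
            dict(RANGE, criteria=CPE % "*", matchCriteriaId="")]}]}],
        "vcVulnerableCPEs": UNROLLED}
NVD1 = {"vcConfigurations": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [
            dict(RANGE, cpe23Uri=CPE % "*")]}]},
        "vcVulnerableCPEs": UNROLLED}


def matches(record):
    """Yield the match entries from either schema version (hypothetical helper)."""
    conf = record.get("vcConfigurations") or []
    if isinstance(conf, dict):          # NVD 1.0: a single object
        conf = [conf]
    for c in conf:                      # NVD 2.0: a list of objects
        for node in c.get("nodes", []):
            yield from node.get("cpeMatch", node.get("cpe_match", []))


def ver(s):
    """Naive version key; assumes dotted integers with no suffix such as rc1."""
    return tuple(int(p) for p in s.split("."))


def in_range(m, version):
    """Apply whichever of the four NVD version bounds the entry carries."""
    v = ver(version)
    checks = [("versionStartIncluding", lambda b: v >= b),
              ("versionStartExcluding", lambda b: v > b),
              ("versionEndIncluding", lambda b: v <= b),
              ("versionEndExcluding", lambda b: v < b)]
    return all(ok(ver(m[k])) for k, ok in checks if k in m)


def is_vulnerable(record, vendor, product, version):
    """Return (listed, ranged): exact hit in vcVulnerableCPEs, and range hit."""
    prefix = f"cpe:2.3:a:{vendor}:{product}:"
    listed = any(c.startswith(prefix + version + ":")
                 for c in record.get("vcVulnerableCPEs", []))
    ranged = any(m.get("vulnerable")
                 and m.get("criteria", m.get("cpe23Uri", "")).startswith(prefix)
                 and in_range(m, version) for m in matches(record))
    return listed, ranged
```

A disagreement between the two returned values for a given version is worth logging, since it means the unrolled list and the range in the same record do not describe the same set.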