NIST NVD

VulnCheck CPE Schema

Integrate with NVD 1.0 and NVD 2.0 using long-established schemas with additional VulnCheck fields

The NIST NVD 1.0 and NIST NVD 2.0 data provided by VulnCheck follows the JSON schemas developed by NIST:

  1. NVD 1.0 Schema
  2. NVD 2.0 Schema

The only exception to these schemas is where VulnCheck has added CPE enrichment. Adding our CPE data to the same field that NIST populates would only cause confusion, so we've instead added the following fields:

  1. vcConfigurations: Exactly the same as the NVD configurations field, but populated by VulnCheck.
  2. vcVulnerableCPEs: NVD uses matchCriteriaId to facilitate CPE "unrolling". VulnCheck has decided to remove this additional step, and include the unrolled CPE in the vcVulnerableCPEs field.

Note that matchCriteriaId in vcConfigurations will always be empty because we are using vcVulnerableCPEs instead. However, it's a required field in the NIST schema, so we elected to leave it.

VulnCheck Added CPE Example From NIST NVD 2.0

The following example of vcConfigurations and vcVulnerableCPEs is from nist-nvd2?cve=CVE-2024-28746. Note that the cpeMatch describes the affected versions, and vcVulnerableCPEs lists them.

  "vcConfigurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "2.8.0",
              "versionEndExcluding": "2.8.3",
              "matchCriteriaId": ""
            }
          ]
        }
      ]
    }
  ],
  "vcVulnerableCPEs": [
    "cpe:2.3:a:apache:airflow:2.8.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:airflow:2.8.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:airflow:2.8.2:*:*:*:*:*:*:*"
  ]

VulnCheck Added CPE Example From NIST NVD 1.0

The following example of vcConfigurations and vcVulnerableCPEs is from nist-nvd?cve=CVE-2024-28746:

  "vcConfigurations": {
    "CVE_data_version": "4.0",
    "nodes": [
      {
        "cpe_match": [
          {
            "vulnerable": true,
            "cpe23Uri": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*",
            "versionStartIncluding": "2.8.0",
            "versionEndExcluding": "2.8.3"
          }
        ]
      }
    ]
  },
  "vcVulnerableCPEs": [
    "cpe:2.3:a:apache:airflow:2.8.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:airflow:2.8.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:airflow:2.8.2:*:*:*:*:*:*:*"
  ]
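
Both layouts above can be consumed with one code path. The following is an added example, not VulnCheck's code: it reads vcConfigurations in either the NVD 1.0 or NVD 2.0 form, checks that every vcVulnerableCPEs entry falls inside a declared range, and matches an inventory against the unrolled list. The sample records are constructed from the fields shown above; the function names, the numeric dotted version comparison and the flat nodes layout are assumptions.

```python
import re

# Constructed from the fields shown on this page (CVE-2024-28746), in both layouts.
WILD = "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
RNG = {"vulnerable": True, "versionStartIncluding": "2.8.0", "versionEndExcluding": "2.8.3"}
CPES = ["cpe:2.3:a:apache:airflow:2.8.%d:*:*:*:*:*:*:*" % i for i in range(3)]
NVD2 = {"vcConfigurations": [{"nodes": [{"cpeMatch": [dict(RNG, criteria=WILD, matchCriteriaId="")]}]}],
        "vcVulnerableCPEs": CPES}
NVD1 = {"vcConfigurations": {"CVE_data_version": "4.0",
                             "nodes": [{"cpe_match": [dict(RNG, cpe23Uri=WILD)]}]},
        "vcVulnerableCPEs": CPES}

RANGE_OPS = {"versionStartIncluding": lambda v, b: v >= b, "versionStartExcluding": lambda v, b: v > b,
             "versionEndIncluding": lambda v, b: v <= b, "versionEndExcluding": lambda v, b: v < b}

def fields(cpe):
    # Split on unescaped ':' only; index 2 = part, 3 = vendor, 4 = product, 5 = version.
    return re.split(r"(?<!\\):", cpe)

def ver(v):
    return tuple(int(x) for x in v.split("."))  # assumption: numeric dotted versions

def cpe_covers(pattern, cpe):
    # Simplified name match: '*' in the pattern matches any value, otherwise exact.
    return all(p in ("*", c) for p, c in zip(fields(pattern)[2:], fields(cpe)[2:]))

def matches(record):
    # 2.0: list of configurations, cpeMatch/criteria. 1.0: single object, cpe_match/cpe23Uri.
    cfg = record.get("vcConfigurations") or []
    for conf in ([cfg] if isinstance(cfg, dict) else cfg):
        for node in conf.get("nodes", []):  # assumption: flat nodes, as in the page's example
            for m in node.get("cpeMatch") or node.get("cpe_match") or []:
                yield m.get("criteria") or m.get("cpe23Uri"), m

def in_range(version, m):
    return all(op(ver(version), ver(m[k])) for k, op in RANGE_OPS.items() if k in m)

def uncovered(record):
    # vcVulnerableCPEs entries that no vulnerable match in vcConfigurations accounts for.
    return [c for c in record.get("vcVulnerableCPEs", [])
            if not any(m.get("vulnerable") and cpe_covers(crit, c) and in_range(fields(c)[5], m)
                       for crit, m in matches(record))]

def affected(record, inventory):
    # Installed CPEs that one of the unrolled vcVulnerableCPEs covers.
    return [i for i in inventory if any(cpe_covers(v, i) for v in record.get("vcVulnerableCPEs", []))]
```

A non-empty result from `uncovered` means the unrolled list and the range disagree for that record, which is worth logging before the record feeds an alerting pipeline.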