The VulnCheck-provided NIST NVD 1.0 and NIST NVD 2.0 follow the JSON schemas developed by NIST:
The only exception to these schemas is where VulnCheck has added CPE enrichment. Adding our CPE data to the same field that NIST populates would only cause confusion, so we've instead added the following fields:
vcConfigurations: Exactly the same as the NVD configurations field, but populated by VulnCheck.

vcVulnerableCPEs: NVD uses matchCriteriaId to facilitate CPE "unrolling". VulnCheck has decided to remove this additional step, and include the unrolled CPE in the vcVulnerableCPEs field.

Note that vcConfigurations matchCriteriaId will always be empty because we are using vcVulnerableCPEs instead. However, it's a required field in the NIST schema so we elected to leave it.
The following example of vcConfigurations and vcVulnerableCPEs is from nist-nvd2?cve=CVE-2024-28746. Note that the cpeMatch describes the affected versions, and vcVulnerableCPEs lists them.
    "vcConfigurations": [
      {
        "nodes": [
          {
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "2.8.0",
                "versionEndExcluding": "2.8.3",
                "matchCriteriaId": ""
              }
            ]
          }
        ]
      }
    ],
    "vcVulnerableCPEs": [
      "cpe:2.3:a:apache:airflow:2.8.0:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:airflow:2.8.1:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:airflow:2.8.2:*:*:*:*:*:*:*"
    ]
The following example of vcConfigurations and vcVulnerableCPEs is from nist-nvd?cve=CVE-2024-28746:
    "vcConfigurations": {
      "CVE_data_version": "4.0",
      "nodes": [
        {
          "cpe_match": [
            {
              "vulnerable": true,
              "cpe23Uri": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "2.8.0",
              "versionEndExcluding": "2.8.3"
            }
          ]
        }
      ]
    },
    "vcVulnerableCPEs": [
      "cpe:2.3:a:apache:airflow:2.8.0:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:airflow:2.8.1:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:airflow:2.8.2:*:*:*:*:*:*:*"
    ]
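
The following is an added example, not VulnCheck code: it shows how a consumer can match an inventory CPE against vcVulnerableCPEs directly in either schema, and cross-check that every unrolled CPE falls inside a vcConfigurations range. The function names are hypothetical, the sample records are constructed from the two fragments above, and it assumes numeric dotted versions and CPE strings without escaped colons.

```python
# Constructed sample data: the two fragments shown above, wrapped in objects.
UNROLLED = ["cpe:2.3:a:apache:airflow:2.8.%d:*:*:*:*:*:*:*" % p for p in (0, 1, 2)]
RANGE = {"vulnerable": True, "versionStartIncluding": "2.8.0",
         "versionEndExcluding": "2.8.3"}
WILDCARD = "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
NVD2_RECORD = {  # nist-nvd2 shape: vcConfigurations is a list, key "cpeMatch"
    "vcConfigurations": [{"nodes": [{"cpeMatch": [
        dict(RANGE, criteria=WILDCARD, matchCriteriaId="")]}]}],
    "vcVulnerableCPEs": UNROLLED,
}
NVD1_RECORD = {  # nist-nvd shape: vcConfigurations is an object, key "cpe_match"
    "vcConfigurations": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [
        dict(RANGE, cpe23Uri=WILDCARD)]}]},
    "vcVulnerableCPEs": UNROLLED,
}

def version_key(v):
    # Assumption: purely numeric dotted versions, as in the page's example.
    return tuple(int(p) for p in v.split("."))

def cpe_ranges(record):
    """Yield vulnerable match entries from either schema's vcConfigurations."""
    cfg = record.get("vcConfigurations") or []
    for conf in (cfg if isinstance(cfg, list) else [cfg]):
        for node in conf.get("nodes", []):
            for m in node.get("cpeMatch") or node.get("cpe_match") or []:
                if m.get("vulnerable"):
                    yield m

def in_range(cpe, m):
    """True if the concrete CPE falls inside the range described by entry m."""
    parts = cpe.split(":")  # assumption: no escaped ':' inside the CPE
    crit = (m.get("criteria") or m.get("cpe23Uri")).split(":")
    if parts[2:5] != crit[2:5]:  # part, vendor and product must agree
        return False
    v = version_key(parts[5])
    lo, hi = m.get("versionStartIncluding"), m.get("versionEndExcluding")
    return ((lo is None or v >= version_key(lo))
            and (hi is None or v < version_key(hi)))

def is_affected(record, inventory_cpe):
    """Direct lookup in the unrolled list; no matchCriteriaId step is needed."""
    return inventory_cpe in record.get("vcVulnerableCPEs", [])

def unexplained_cpes(record):
    """Unrolled CPEs that no vcConfigurations range accounts for."""
    ranges = list(cpe_ranges(record))
    return [c for c in record.get("vcVulnerableCPEs", [])
            if not any(in_range(c, m) for m in ranges)]
```

is_affected is an exact string comparison, so the inventory CPE must be normalized to the same 2.3 formatted-string form before lookup.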