Expanding Affected Configuration Data

What we’ve done so far at Vulners to mitigate NVD service degradation

Since February 12th, the National Vulnerability Database (NVD) has added more than 7000 vulnerabilities. Only just over 400 of those were enriched with crucial information like CWE, CVSS, and CPE.

Since it became clear that this situation won't go away soon, we've been hard at work to fix it and offer a viable alternative for NVD data to help power your vulnerability management processes.

CNA-Provided Affected Software Configuration

We’ve enriched our NVD Collection (type:cve) with the affected software configuration information provided by CNAs, wherever it is available, across all CVEs.

It is now possible to use this data for Lucene-based searches through the API, webhooks, or email notifications.

This information is not normalized across CNAs, so you’ll need to be careful and exploratory when creating queries. Unfortunately, this feature doesn’t allow for accurate search by affected version.

Vulners CPE Configuration

To enable unified search functionality across all vulnerabilities, we implement standardized CPE generation from CNA-provided affected software configurations.

We go vendor by vendor, with Microsoft, Linux Kernel, Mozilla, and Adobe now being available. We have created a framework that helps our team add new vendors with minimal effort, so we expect to improve the coverage at a greater pace.

This will enable our search API to accurately take into account the affected version ranges, minimizing false positives in the results.
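
To illustrate why generating CPE data with version ranges cuts false positives, here is an added example (not Vulners' code) that converts a CNA-style affected entry into CPE match criteria and checks installed versions against them. It assumes the CVE Record JSON 5.x `affected` layout and NVD-style `cpeMatch` range fields; the vendor, product, and helper names are constructed for illustration.

```python
import re

# Constructed sample shaped like a CVE Record (JSON 5.x) "affected" entry.
SAMPLE = {"vendor": "Example Corp", "product": "Example Server", "versions": [
    {"version": "2.0.0", "lessThan": "2.4.7", "status": "affected"},
    {"version": "3.1.0", "status": "affected"},
    {"version": "2.4.7", "status": "unaffected"},
]}

def cpe_token(value):
    """Naive CPE component normalization: lowercase, other runs become '_'."""
    return re.sub(r"[^a-z0-9.]+", "_", value.strip().lower()).strip("_")

def to_cpe_matches(affected):
    """Build NVD-style cpeMatch dicts from one 'affected' entry."""
    base = f"cpe:2.3:a:{cpe_token(affected['vendor'])}:{cpe_token(affected['product'])}"
    matches = []
    for v in affected.get("versions", []):
        if v.get("status") != "affected":
            continue  # unaffected/unknown entries produce no match
        if "lessThan" in v or "lessThanOrEqual" in v:
            m = {"criteria": base + ":*" * 8, "versionStartIncluding": v["version"]}
            if "lessThan" in v:
                m["versionEndExcluding"] = v["lessThan"]
            else:
                m["versionEndIncluding"] = v["lessThanOrEqual"]
        else:  # single version: put it in the CPE version component
            m = {"criteria": f"{base}:{v['version']}" + ":*" * 7}
        matches.append(m)
    return matches

def vkey(version):
    """Assumes dotted numeric versions; real feeds need per-vendor parsing."""
    return tuple(int(p) for p in version.split("."))

def is_affected(installed, matches):
    """True if the installed version falls inside any generated match."""
    cur = vkey(installed)
    for m in matches:
        exact = m["criteria"].split(":")[5]
        if exact != "*":
            hit = cur == vkey(exact)
        else:
            hit = (cur >= vkey(m["versionStartIncluding"])
                   and ("versionEndExcluding" not in m or cur < vkey(m["versionEndExcluding"]))
                   and ("versionEndIncluding" not in m or cur <= vkey(m["versionEndIncluding"])))
        if hit:
            return True
    return False
```

A search on vendor and product alone would flag every Example Server install; with the range applied, the fixed 2.4.7 build and the untouched 3.0.0 build drop out of the results.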