Updated Logic for Handling CVE Data Sources in Vulners Database


We are streamlining the storage and retrieval of CVE records from various sources.

Reason Behind the Change

Historically, Vulners maintained a single data collection to cover CVE records, primarily sourcing data from NVD, with additional sources added over time. However, in February 2024, NVD ceased to be a reliable source for data enrichment. This issue was exacerbated in early May 2024, when NVD went on an unannounced hiatus for five days, halting all data updates.

Given that the CVE Project’s CVE List is the original source of CNA-provided data and with the emergence of new enriched CVE data sources like CISA Vulnrichment, which is gaining official ADP status, we decided it was time to rethink how we handle CVE data in the Vulners database.

New Collections and Their Roles

The core principle of the Vulners DB is that each data source is stored in a dedicated collection. This approach simplifies crawler maintenance and makes the overall architecture more robust.

New Collections

We are introducing new dedicated data collections for distinct CVE data sources, grouped under a new bulletin family, CVE:

  • type:cvelist now includes data from the CVE List.
  • type:nvd now includes CVE data from NVD.

Each of these collections is populated independently from its own source, improving robustness and clarity. For instance, CNA-assigned CVSS or CWE information can be found in the type:cvelist collection, while NVD-assigned CVSS and CWE data are collected in the type:nvd collection. The same logic applies to affected software configurations.

Ensuring Backward Compatibility

To maintain backward compatibility, we will keep type:cve as a synthetic collection that aggregates data from the type:cvelist and type:nvd collections.

This type:cve collection will continue to be the place for Vulners CPE configurations. To keep them separate from CPE configurations that come from NVD and other sources, each provider will have its own section; for Vulners CPE, that section is cpeConfigurations.vulnersCpeConfiguration.
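
A consumer-side sketch of the aggregation described above, added here as an illustration and not Vulners code: it merges a type:cvelist record and a type:nvd record into one type:cve view, keeps each provider's CVSS, CWE and CPE data under its own key, and tolerates a missing NVD record. Every field name except cpeConfigurations.vulnersCpeConfiguration is an assumption, and the sample records are constructed.

```python
# Added illustration. Field names are assumptions, not the Vulners schema;
# only the collection types and cpeConfigurations.vulnersCpeConfiguration
# are named in the post.
SOURCES = ("cvelist", "nvd")  # type:cvelist (CNA data), type:nvd (NVD data)

def build_synthetic_cve(cve_id, records, vulners_cpe=()):
    """Aggregate per-source records into a type:cve view, keeping provenance."""
    merged = {"id": cve_id, "type": "cve", "cvss": {}, "cwe": {},
              "cpeConfigurations": {}, "missingSources": []}
    for source in SOURCES:
        rec = records.get(source)
        if rec is None:  # e.g. NVD has not published or enriched this CVE
            merged["missingSources"].append(source)
            continue
        if rec["id"] != cve_id:
            raise ValueError(f"{source} record is for {rec['id']}, not {cve_id}")
        # Each provider's values go under its own key; nothing is overwritten.
        if "cvss" in rec:
            merged["cvss"][source] = rec["cvss"]
        if "cwe" in rec:
            merged["cwe"][source] = sorted(set(rec["cwe"]))
        if "cpe" in rec:  # hypothetical per-provider section name
            merged["cpeConfigurations"][f"{source}CpeConfiguration"] = rec["cpe"]
    if len(merged["missingSources"]) == len(SOURCES):
        raise LookupError(f"no source record for {cve_id}")
    if vulners_cpe:
        merged["cpeConfigurations"]["vulnersCpeConfiguration"] = list(vulners_cpe)
    return merged

def cvss_disagreement(merged, threshold=1.0):
    """Return the CNA/NVD base-score gap if both exist and gap >= threshold."""
    cna, nvd = merged["cvss"].get("cvelist"), merged["cvss"].get("nvd")
    if cna is None or nvd is None or cna["version"] != nvd["version"]:
        return None  # nothing comparable: one side missing or different CVSS version
    gap = round(abs(cna["score"] - nvd["score"]), 1)
    return gap if gap >= threshold else None

# Constructed sample records (placeholder CVE id, not real data).
CVE_ID = "CVE-0000-0001"
CNA_REC = {"id": CVE_ID, "cvss": {"version": "3.1", "score": 7.5}, "cwe": ["CWE-79"]}
NVD_REC = {"id": CVE_ID, "cvss": {"version": "3.1", "score": 9.8},
           "cwe": ["CWE-79", "CWE-116"], "cpe": ["cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"]}

if __name__ == "__main__":
    full = build_synthetic_cve(CVE_ID, {"cvelist": CNA_REC, "nvd": NVD_REC},
                               vulners_cpe=["cpe:2.3:a:example:app:*:*:*:*:*:*:*:*"])
    print(full["cvss"], cvss_disagreement(full))
    cna_only = build_synthetic_cve(CVE_ID, {"cvelist": CNA_REC})
    print(cna_only["missingSources"], cvss_disagreement(cna_only))
```

Keeping both scores side by side lets triage tooling choose its own policy when the CNA and NVD disagree, and the missingSources list makes a stalled upstream visible instead of silently dropping fields.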

What to Expect Moving Forward

We have created a robust foundation with a rationalized database structure. However, it will take some time to fully support the new collections in the UI, including new metrics like CVSS v4, which only became available in May 2024.

We also plan to incorporate Vulnrichment as a separate data source in the coming weeks.

Most importantly, we will soon release a fully reworked search API that will work with all available affected software configurations from various sources — CNA (including those enhanced by Vulners), NVD, and Vulnrichment.

Over time, we will further rationalize the data structure within collections, removing duplicative fields. These changes will be announced separately, with clear instructions on which fields will be removed and where to find the data.

Stay Tuned for Updates

We look forward to your feedback and suggestions on new features that could make the user experience more streamlined.

Please reach out to our team at [email protected] or with contacts.