Monday, April 15, 2024

Two months and counting

I’ve written a number of posts lately on the problems with the National Vulnerability Database (NVD); this one was the first. Briefly speaking, around the middle of February, the NVD greatly slowed the rate at which it incorporated new CVEs into the database (CVEs originate in the CVE.org database, which is run by the Department of Homeland Security. The NVD is run by NIST, which is part of the Department of Commerce).

In addition, the small number of new CVEs that have appeared in the NVD since mid-February don’t have CPE names with them (CPE is the only software identifier supported by the NVD). A CVE report without a CPE name on it is about as useful as a car without a steering wheel, since the whole point of a CVE report is to identify the product(s) affected by the vulnerability (i.e., the CVE). While CPE has a fixed specification and CPE names could in theory be generated automatically, the NIST staff members that run the NVD feel compelled to create each CPE name manually.

However, it seems they’re not doing that very well, either. See the graph below, which was created last week by Patrick Garrity of VulnCheck. The X axis labels are very small, but each day of 2024 is a datapoint. On February 12, the “(CVEs) Analyzed” line (in green) flatlined. It has remained at an almost constant value since then, meaning almost no new CVEs have been analyzed in two months; since the NVD staff members only create a CPE name to go with a CVE when they “analyze” the CVE, this means that virtually no useful CVE reports (i.e., reports that link a CVE with one or more CPE names) have been added to the NVD since February 12.

[Graph by Patrick Garrity of VulnCheck: daily 2024 counts of CVEs Analyzed (green) and CVEs Awaiting Analysis (red); image not reproduced here.]

Of course, this has not been due to a lack of new CVE reports coming from CVE.org. The red “(CVEs) Awaiting Analysis” line has steadily climbed since February 12. In other words, since February 12, new CVEs have appeared at their normal pace, but almost no new CVE reports have been analyzed by the NVD staff, meaning they still do not have CPE names.
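The practical consequence of the two lines above is that a CVE record without CPE names cannot be matched to products automatically. As an added example (not code from the post or from NIST), the script below takes a batch of NVD-style records and separates those that carry at least one well-formed CPE 2.3 name from those that are still unusable for product matching. The record layout assumed here (cve.id, cve.vulnStatus, cve.configurations[].nodes[].cpeMatch[].criteria) follows the NVD CVE API 2.0 JSON as I understand it; the sample records, IDs and product names are constructed placeholders, not real vulnerabilities.

```python
"""Classify NVD-style CVE records by whether they carry usable CPE names.

Added example, not from the blog post or from NIST. The record shape follows
the NVD CVE API 2.0 JSON layout as I understand it (an assumption); the sample
records below are constructed and describe no real vulnerability.
"""
import re
from collections import Counter

# CPE 2.3 formatted-string binding: "cpe:2.3:" + part (a/h/o/*/-) + 10 more
# colon-separated components (vendor, product, version, update, edition,
# language, sw_edition, target_sw, target_hw, other). A backslash-escaped
# colon is allowed inside a component, so it must not end the component.
CPE23_RE = re.compile(r"^cpe:2\.3:[aho\*\-](?::(?:[^:\\]|\\.)*){10}$")


def cpe_names(record: dict) -> list[str]:
    """Return every CPE criteria string found in a record's configurations."""
    names = []
    for cfg in record.get("cve", {}).get("configurations", []):
        for node in cfg.get("nodes", []):
            for match in node.get("cpeMatch", []):
                criteria = match.get("criteria")
                if criteria:
                    names.append(criteria)
    return names


def is_usable(record: dict) -> bool:
    """True only if the record carries at least one well-formed CPE 2.3 name.

    A record that is merely "Analyzed" but whose CPE strings are malformed
    is treated as unusable, since it still cannot be matched to a product.
    """
    return any(CPE23_RE.match(name) for name in cpe_names(record))


def triage(feed: dict) -> dict:
    """Summarise a feed: counts per vulnStatus plus the IDs lacking CPE names."""
    by_status = Counter()
    without_cpe = []
    for record in feed.get("vulnerabilities", []):
        cve = record.get("cve", {})
        by_status[cve.get("vulnStatus", "Unknown")] += 1
        if not is_usable(record):
            without_cpe.append(cve.get("id"))
    return {"by_status": dict(by_status), "without_cpe": without_cpe}


# Constructed sample feed: IDs, vendor and product are placeholders.
SAMPLE_FEED = {
    "vulnerabilities": [
        # Analyzed record with a valid CPE name: usable.
        {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
                 "configurations": [{"nodes": [{"operator": "OR", "negate": False,
                     "cpeMatch": [{"vulnerable": True,
                                   "criteria": "cpe:2.3:a:examplevendor:exampleapp:1.2.3:*:*:*:*:*:*:*"}]}]}]}},
        # Awaiting analysis, no configurations key at all: unusable.
        {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis"}},
        # Awaiting analysis with an empty configurations list: unusable.
        {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis", "configurations": []}},
        # Marked Analyzed but the CPE string is truncated: still unusable.
        {"cve": {"id": "CVE-0000-0004", "vulnStatus": "Analyzed",
                 "configurations": [{"nodes": [{"operator": "OR", "negate": False,
                     "cpeMatch": [{"vulnerable": True, "criteria": "cpe:2.3:a:broken"}]}]}]}},
    ]
}

if __name__ == "__main__":
    print(triage(SAMPLE_FEED))
```

Run against a real NVD API 2.0 page of results, the `without_cpe` list is the set of CVEs your scanner or SBOM tooling cannot map to a product yet, which is exactly the population the red line in the graph has been accumulating since February 12.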

What happened to cause this problem? NIST has put up about four or five notices since late February, the latest of which is this one. It has no explanation, of course, even though that’s been promised a couple of times. However, sometimes actions (or non-actions, in this case) speak much louder than words. Here is what I think NIST is really telling us:

1. We still don’t fully understand what happened on Feb. 12. However, it wasn’t any sudden increase in new CVEs to analyze, any sudden decrease in staff, any sudden loss of funding, etc. The NVD has always been understaffed and underfunded, and new CVEs have increased most years.

2. No matter what the cause of the problem (other than a direct nuclear strike), we would have been up and running within minutes of the event – if our infrastructure weren’t two decades old. Any important modern database is fully redundant, but we have always had single points of failure. Clearly one or more of these failed.

3. Ironically, all of the data in the NVD is also in CVE.org, which utilizes a modern, fully-redundant database infrastructure. Why don’t we switch all queries to CVE.org, you ask? We refer you to Tom’s earlier statement: CVE.org is part of DHS, while we are part of the Department of Commerce. Maybe the two Secretaries will meet to work this out. And maybe Israel will sit down and have a good talk with Iran. But don’t count on either of these happening anytime soon.

4. We would like to tell you that we’re working on the problem, but how can we do that, since we still don’t understand it? Instead, we’re going to tell you about an idea we discussed with the OWASP SBOM Forum a year ago, but never followed up on: a “consortium” of private companies that will help us fix our problems. That will take 9-12 months at a minimum to put into place, and even then, it’s not clear what this group could do to fix our ancient infrastructure. But we have to point to something that we’re going to do, rather than just say we’ll continue to run from crisis to crisis. But that’s the most likely outcome.

5. Have a nice day!

To sum up, we’re two months into the NVD’s problem, and we still don’t have even a partial explanation of the problem, let alone a full one. And we definitely don’t have a solution!

What’s the next step, both for your organization and the US government? The next step is to figure out what the options are for the next step. The OWASP SBOM Forum is assembling a group to do exactly that, and expects the group to start meeting soon. Let me know if you’d like to participate in that, by contributing your time, your organization’s money, or both (participation does not require a contribution).

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

My book "Introduction to SBOM and VEX" is now available in paperback and Kindle versions! For background on the book and the link to order it, see this post.
