Saturday, August 17, 2024

Do you want an update on the NVD? Are you sure you want to see it?

On Friday, before our weekly OWASP SBOM Forum meeting, Bruce Lowenthal of Oracle and Andrey Lukashenkov of Vulners provided the group an update on how the National Vulnerability Database (NVD) is doing in getting out of the huge hole it started digging for itself on February 12 of this year. The last update I provided was exactly one month ago. You’ll be pleased (?) to hear they’re making progress: the hole is getting deeper by the day!

The “hole” I’m referring to is the number of new CVE (vulnerability) reports released by CVE.org, that the NVD has not “enriched” by adding a CPE name to them. To learn why having a CPE name (or more than one) in the report is so important, see the post I just referenced, and also this post. Before February 12, the NVD usually enriched almost every new CVE report they received every month. However, starting on that day, the number of CVEs enriched each day dropped to literally zero on some days, and not much more than that on other days.

A month ago, Andrey said the NVD had a backlog of 17,000 vulnerabilities since February 12; yesterday, he said the backlog is “well over” 18,000. Bruce added some great details:

1. After enriching only a tiny percentage of CVEs between February 12 and June 1, the NVD started at least enriching some – although they were still increasing the backlog by 75-100 CVEs a day (I developed that estimate, based on data that Andrey provided me a month ago).

2. However, it seems even that was too good to last, since Bruce says that now the NVD seems to have stopped enriching June CVE reports, after enriching about 37% of them. Not only have they abandoned June CVEs, but they have mostly skipped over July altogether, and are concentrating on August CVEs.

3. He provided some interesting details: Since last Friday, 652 new CVEs have been published by CVE.org for July and August (and none for June, mind you, so June remains at 37% enriched). But the NVD only enriched 37 CVEs from July and 174 from August. Given that we’re in the middle of August but July is over, one would think they would be enriching many more from July than August; instead, it’s the other way around.

4. In any case, the 211 CVEs enriched since last Friday means the backlog grew by 652 – 211 = 441; this is within the 75-100 daily range I estimated a month ago. At least you have to credit the NVD’s consistency: they’re growing the backlog by a fairly steady amount every day. On the other hand, I don’t think they deserve hearty thanks for that dubious achievement.

5. And what has the NVD said about all this? The last time they said anything about the backlog was May 29, when they announced, “We anticipate that this backlog will be cleared by the end of the (government) fiscal year.” Let’s see… The FY ends on September 30, which is 44 days from now. To be charitable, let’s say the backlog is currently 18,000 and it’s growing by 61 a day (the daily rate it grew since Friday, August 9); that means it will be 20,684 on September 30. Since they’re enriching about 30 CVEs a day (at least since last Friday), that means they will have to crank up their daily enrichment rate from 30 to 470 per day, which is an increase of over 1400 percent! Do you think they can do this?... I didn’t think so.
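As an added, worked illustration (my code, not part of this post and not anything the NVD publishes), the script below puts the two ideas above into running form: the “enriched” test from the explanation of CPE names, and the backlog projection in item 5. It classifies NVD API 2.0 style CVE records by whether any CPE match criterion is actually present, summarises enrichment per publication month, and projects the backlog to fiscal year end using the post’s own figures. The sample records are constructed placeholders (the CVE ids, dates and CPE strings are invented), and the JSON field layout (`vulnerabilities[].cve.configurations[].nodes[].cpeMatch[].criteria`, `vulnStatus`) is my assumption about the live API 2.0 schema rather than something the post states.

```python
"""Classify NVD API 2.0 CVE records as enriched (has CPE names) or not,
summarise enrichment by publication month, and project the backlog.

All records below are CONSTRUCTED for illustration: ids, dates and CPE
strings are placeholders, not real NVD data. The field layout is an
assumption about the NVD CVE API 2.0 JSON schema.
"""
from collections import defaultdict
from datetime import date


def _cpe_config(criteria: str) -> list:
    """Build a minimal 'configurations' entry holding one CPE match (constructed)."""
    return [{"nodes": [{"operator": "OR", "negate": False,
                        "cpeMatch": [{"vulnerable": True, "criteria": criteria}]}]}]


SAMPLE_NVD_RESPONSE = {  # constructed sample in API 2.0 shape
    "resultsPerPage": 5, "startIndex": 0, "totalResults": 5,
    "vulnerabilities": [
        {"cve": {"id": "CVE-2024-00001", "published": "2024-06-03T12:00:00.000",
                 "vulnStatus": "Analyzed",
                 "configurations": _cpe_config(
                     "cpe:2.3:a:examplevendor:exampleapp:1.0:*:*:*:*:*:*:*")}},
        # No 'configurations' key at all: published by CVE.org, not yet enriched.
        {"cve": {"id": "CVE-2024-00002", "published": "2024-06-14T12:00:00.000",
                 "vulnStatus": "Awaiting Analysis"}},
        {"cve": {"id": "CVE-2024-00003", "published": "2024-07-08T12:00:00.000",
                 "vulnStatus": "Awaiting Analysis"}},
        {"cve": {"id": "CVE-2024-00004", "published": "2024-08-12T12:00:00.000",
                 "vulnStatus": "Analyzed",
                 "configurations": _cpe_config(
                     "cpe:2.3:o:examplevendor:exampleos:2.1:*:*:*:*:*:*:*")}},
        # 'configurations' present but empty: still no CPE name, so not enriched.
        {"cve": {"id": "CVE-2024-00005", "published": "2024-08-13T12:00:00.000",
                 "vulnStatus": "Undergoing Analysis", "configurations": []}},
    ],
}


def is_enriched(cve: dict) -> bool:
    """A record counts as enriched only if at least one CPE match criterion exists.
    Checking for the mere presence of a 'configurations' key is not enough."""
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            if any(match.get("criteria") for match in node.get("cpeMatch", [])):
                return True
    return False


def enrichment_by_month(response: dict) -> dict:
    """Return {'YYYY-MM': (enriched, total)} keyed by the CVE's publication month."""
    counts = defaultdict(lambda: [0, 0])
    for item in response.get("vulnerabilities", []):
        cve = item["cve"]
        month = cve["published"][:7]  # ISO timestamp, first seven chars are YYYY-MM
        counts[month][1] += 1
        if is_enriched(cve):
            counts[month][0] += 1
    return {month: tuple(pair) for month, pair in sorted(counts.items())}


def unenriched_ids(response: dict) -> list:
    """CVE ids that still lack a CPE name, i.e. the records that make up the backlog."""
    return [item["cve"]["id"] for item in response.get("vulnerabilities", [])
            if not is_enriched(item["cve"])]


def days_until(start: date, end: date) -> int:
    return (end - start).days


def project_backlog(current: int, growth_per_day: float, days: int) -> float:
    """Backlog size after 'days' if net growth stays constant."""
    return current + growth_per_day * days


def required_daily_rate(backlog_at_deadline: float, days: int) -> float:
    """Enrichment rate needed to clear the projected backlog by the deadline."""
    return backlog_at_deadline / days


def percent_increase(old: float, new: float) -> float:
    return (new - old) / old * 100


if __name__ == "__main__":
    print(enrichment_by_month(SAMPLE_NVD_RESPONSE))
    print("backlog:", unenriched_ids(SAMPLE_NVD_RESPONSE))
    # The post's own figures: 18,000 today, +61/day, 44 days to September 30.
    days = days_until(date(2024, 8, 17), date(2024, 9, 30))
    at_fy_end = project_backlog(18000, 61, days)
    need = required_daily_rate(at_fy_end, days)
    print(f"{days} days, projected {at_fy_end:.0f}, need {need:.0f}/day "
          f"vs 30/day now ({percent_increase(30, need):.0f}% increase)")
```

To run the same classification against live data you would page through the API’s `vulnerabilities` array (the response carries `resultsPerPage`, `startIndex` and `totalResults` for that) and feed each page to `enrichment_by_month`; the per-month counts are what let you see the “June stuck at 37%, July skipped, August being worked” pattern Bruce described.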

The worst part about this whole episode (if that’s the right word. “Total collapse” would be better) is that they’ve provided zero useful information on a) the cause of the problem, b) when the problem will be fixed (meaning they’ll not only eliminate the backlog, but get back to an enrichment pace with zero backlog growth), and c) what they’ll do to prevent the problem from recurring. Given their silence, I have to assume the answers are:

a) We aren’t going to tell you.

b) Never.

c) Nothing.

Have a good day!

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

I lead the OWASP SBOM Forum and its Vulnerability Database Working Group. These two groups work to understand and address issues like what’s discussed in this post; please email me to learn more about what we do or to join us. You can also support our work through easy directed donations to OWASP, a 501(c)(3) nonprofit, which are passed through to the SBOM Forum. Please email me to discuss that.

My book "Introduction to SBOM and VEX" is available in paperback and Kindle versions! For background on the book and the link to order it, see this post.
