Monday, December 30, 2024

Has the NVD thrown in the towel?


I’ve been relying on three people to follow the ongoing saga with the National Vulnerability Database (NVD) for me: Andrey Lukashenkov of Vulners, Patrick Garrity of VulnCheck, and Bruce Lowenthal of Oracle. Early this morning (Chicago time) I emailed all three of them to ask for an update, since the last post I wrote on this subject (I’ve written many previous ones, which you can find by searching for NVD in the search bar at the top of this post) was on December 9.

Andrey replied first, but I must admit that he had an unfair advantage, since Patrick and Bruce both live in the US and Andrey lives in Spain. Regardless, I was shocked by what he told me: In the last two weeks of the year, the NVD “enriched” (i.e., added one or more CPEs to) only 15 CVE records out of a total 1,188. That’s just 1% (plus, all 15 were in the week beginning December 16; no CVEs at all were enriched during the last week in Andrey’s spreadsheet, which ended today, December 30).

To provide some perspective on this, in the first 50 weeks of this year, the NVD enriched 17,577 of 38,593 CVE records, or 45%. In previous years, the NVD enriched almost 100% of new CVE records, usually within a few days of receiving them from CVE.org. Of course, it was shocking that the NVD only enriched 45% of CVE records through mid-December, but – holiday or no holiday – it’s well beyond shocking that they seem to have literally thrown in the towel the last two weeks (after working during these weeks in previous years, with time off for the federal holidays).[i]

If you want to understand what this means, I’ll refer you back to the December 9 post. In brief, the problem is (and if you don’t understand any of the terms below, please read this post):

1. New software vulnerabilities are reported to CVE.org by the CVE Numbering Authorities (CNAs). The CVE report includes a description of the vulnerability, a CVE number assigned to it by the CNA, and a textual description of the affected product or products.

2. CVE.org includes the new record in their database and forwards it on to the NVD.

3. Up until February 12, 2024, the NVD usually created the machine-readable CPE name, which is required for a user to look up vulnerabilities for a particular product in the NVD.

4. If there is no CPE name attached to a CVE record in the NVD (as is the case with 55% of the new CVE records created this year), a user of the product that is described as affected in the text of the record will not see that CVE number when they search using the product’s CPE name. In other words, that CVE number will be invisible to searches for that product[ii].

5. Of course, the user won’t see an error message when this happens. In fact, if that CVE is the only one listed for that product in the NVD, the user will just learn that there are no vulnerabilities that apply to that product. Of course, this isn’t true.

In summary, the fact that 55% of the 2024 CVE records in the NVD are invisible to automated product searches means that any search for vulnerabilities found in a product (including searches initiated by a scanning tool) is going to miss more than 55% of the vulnerabilities reported for the product this year (including the great majority of vulnerabilities reported after February 12).
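To make steps 3 through 5 concrete, here is an added example (my own script, not code from the post, the NVD or any of the firms mentioned). It builds five constructed CVE records shaped like the NVD CVE API 2.0 JSON (the `configurations` / `nodes` / `cpeMatch` / `criteria` nesting is the NVD's; the CVE IDs, vendor and product names, descriptions and `vulnStatus` values are made up for illustration) and then runs a CPE-based product search against them, the same way a scanner would. Records with no CPE attached simply never come back, and for a product whose only CVE is unenriched the search returns an empty list rather than an error. The `unenriched()` and `enrichment_rate()` helpers are the check a defender can run over a real download of this year's records to measure how much of the database is invisible to their tooling.

```python
"""Why unenriched CVE records are invisible to CPE searches (constructed data).

Record shape follows the NVD CVE API 2.0 JSON; every value below is constructed
for illustration and does not refer to a real CVE, vendor or product.
"""
from __future__ import annotations

# Five constructed records. Two carry a CPE (enriched), three do not.
SAMPLE_RECORDS = [
    {"cve": {"id": "CVE-2024-9999001", "vulnStatus": "Analyzed",
             "descriptions": [{"lang": "en", "value": "Improper input validation in ExampleApp 1.0 from ExampleVendor."}],
             "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:examplevendor:exampleapp:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-2024-9999002", "vulnStatus": "Awaiting Analysis",
             "descriptions": [{"lang": "en", "value": "Improper access control in ExampleApp 1.1 from ExampleVendor."}]}},
    {"cve": {"id": "CVE-2024-9999003", "vulnStatus": "Analyzed",
             "descriptions": [{"lang": "en", "value": "Resource exhaustion in OtherProduct 2.0 from OtherVendor."}],
             "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:othervendor:otherproduct:2.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-2024-9999004", "vulnStatus": "Awaiting Analysis",
             "descriptions": [{"lang": "en", "value": "Improper error handling in OtherProduct 2.1 from OtherVendor."}]}},
    # The only record for this product, and it is unenriched (step 5 in the post).
    {"cve": {"id": "CVE-2024-9999005", "vulnStatus": "Awaiting Analysis",
             "descriptions": [{"lang": "en", "value": "Improper authentication in SoloApp 3.0 from SoloVendor."}]}},
]


def cpe_fields(cpe: str) -> tuple[str, str]:
    """Return (vendor, product) from a CPE 2.3 formatted string (13 colon-separated fields)."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return parts[3], parts[4]


def cpes_for(record: dict) -> list[str]:
    """Collect every CPE match criterion attached to a record; empty if the record is unenriched."""
    found = []
    for cfg in record["cve"].get("configurations", []):
        for node in cfg.get("nodes", []):
            for match in node.get("cpeMatch", []):
                found.append(match["criteria"])
    return found


def search_by_cpe(records: list[dict], vendor: str, product: str) -> list[str]:
    """Emulate a product search: only records carrying a matching CPE are returned."""
    hits = []
    for rec in records:
        if any(cpe_fields(c) == (vendor, product) for c in cpes_for(rec)):
            hits.append(rec["cve"]["id"])
    return sorted(hits)


def search_by_text(records: list[dict], needle: str) -> list[str]:
    """Keyword match on the English description; finds what the CPE search cannot."""
    hits = []
    for rec in records:
        text = " ".join(d["value"] for d in rec["cve"]["descriptions"] if d["lang"] == "en")
        if needle.lower() in text.lower():
            hits.append(rec["cve"]["id"])
    return sorted(hits)


def unenriched(records: list[dict]) -> list[str]:
    """CVE IDs with no CPE at all, i.e. invisible to every CPE-based search."""
    return sorted(rec["cve"]["id"] for rec in records if not cpes_for(rec))


def enrichment_rate(records: list[dict]) -> float:
    """Fraction of records that carry at least one CPE."""
    return sum(1 for rec in records if cpes_for(rec)) / len(records)


if __name__ == "__main__":
    print("CPE search, exampleapp:", search_by_cpe(SAMPLE_RECORDS, "examplevendor", "exampleapp"))
    print("text search, exampleapp:", search_by_text(SAMPLE_RECORDS, "exampleapp"))
    print("CPE search, soloapp:", search_by_cpe(SAMPLE_RECORDS, "solovendor", "soloapp"))
    print("unenriched:", unenriched(SAMPLE_RECORDS))
    print(f"enrichment rate: {enrichment_rate(SAMPLE_RECORDS):.0%}")
```

On the constructed data the CPE search for ExampleApp returns one CVE where the description search returns two, and the CPE search for SoloApp returns nothing at all, which is exactly the silent miss the post describes. Pointing `unenriched()` at a real set of records pulled from the NVD API tells you which of this year's CVEs your CPE-driven tooling cannot see.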

It remains to be seen whether the NVD has given up on enriching CVE records altogether, but the fact that I even must mention that possibility shows how far the NVD has fallen. I don’t recommend that anybody bet the farm on the NVD coming back for perhaps a year or two, if even that. We need to move as quickly as possible toward introducing purl into the CVE ecosystem. More posts are coming on that subject.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

My book "Introduction to SBOM and VEX" is now available in paperback and Kindle versions! For background on the book and the link to order it, see this post.


[i] In case you were wondering if the NVD has deigned to explain to us why this happened, I’ll point out that the last entry on their “news updates” page is from November 15.

[ii] The fourth paragraph of the December 9 post mentions, “...a few firms like Vulners (Andrey’s employer) and VulnCheck have taken it upon themselves to add their own CPEs to some of the unenriched CVE records...” This means you will find more vulnerabilities applicable to a particular product if you search either of those databases.
