National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

JSON 1.1 Vulnerability Feed

Due to changes required to support CVSS v3.1 scoring, the JSON vulnerability feeds must be modified. This will require the consumers of this data to update their internal processes. We will be providing the JSON 1.1 schema on the data feeds page and the information below to prepare for this transition. In addition to the CVSS v3.1 support, we are also removing the data provided in the affects section as this was not providing the level of CPE detail necessary.  Instead, please refer to the CPE Match Feed (https://nvd.nist.gov/vuln/data-feeds#cpeMatch).  This was released in July for a much richer data set. The CPE Match Feed announcement can be read at https://nvd.nist.gov/General/News/CPE-Match-Feed-1-0-Release. The JSON 1.1 data feeds will be available on September 9th, 2019.  At that time the current JSON 1.0 data feeds will no longer available.

Schema files:

These are the schema files for the 1.1 feeds. Please note that these are currently labled as "beta". We will be releasing the schemas without references to "beta" on September 9th.

Changes from JSON 1.0 to 1.1 Vulnerability Feeds:
  • The nvd_cve_feed_json_1.0.schema will be renamed nvd_cve_feed_json_1.1.schema.
  • The cvss-v3.0.json schema will be renamed to cvss-v3.x.json to convey support for both CVSS V3.0 and V3.1.
  • In cvss-v3.x.json the version enumeration has been expanded to include 3.1.
                               "version": {
                               "description": "CVSS Version",
                               "type": "string",
                               "enum": [ "3.0", "3.1" ]
                                }
  • In cvss-v3.x.json the vectorString pattern (regex) has been modified to allow for the CVSS:3.1 prefix.
                                "vectorString": {
                                 "type": "string",
                                "pattern": "^CVSS:3.[01]/((AV:[NALP]...
 
  • In CVE_JSON_4.0_min.schema, the affects element has been removed from the required properties.
                                "required": [ "data_type", "data_format", "data_version", "CVE_data_meta", "affects", "problemtype", "references", "description" ],
 
  • In nvd_cve_feed_json_1.1.schema, the last_modified property was added to def_cpe_name.