Introduction to Development with NVD Data
The Common Vulnerabilities and Exposures (CVE) Program is a dictionary or glossary of vulnerabilities that have been identified for specific code bases, such as software applications or open libraries. A unique identifier known as the CVE ID gives stakeholders a common means of discussing and researching a specific, unique vulnerability. The Common Platform Enumeration (CPE) program fulfills a function similar to the CVE program for IT products and platforms. The Security Content Automation Protocol (SCAP) program combines CVE and CPE in a suite of tools to help automate vulnerability management and evaluate compliance with federal information technology security requirements.
The National Vulnerability Database (NVD) maintains the authoritative CPE dictionary, while the CVE Program is maintained by the MITRE Corporation. Both programs are sponsored by the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA). The NVD is tasked with analyzing each CVE once it has been published to the CVE List. NVD analysts use the reference information provided with the CVE and any publicly available information at the time of analysis to associate Reference Tags, Common Vulnerability Scoring System (CVSS) v3.1 scores, Common Weakness Enumeration (CWE) identifiers, and CPE Applicability statements.
CVEs are typically available in the NVD within an hour of their publication. Once a CVE is in the NVD, analysts can begin the analysis process. The processing time can vary depending on the CVE, the information available, and the quantity of CVEs published within a given time frame. After analysis is complete, CVE and CPE may be updated (modified). If modification occurs, the NVD will automatically refresh any associated CVE and CPE records.