NVD CVE 4.0 to CVE 5.0 Transition
The CVE Program has created a new format for the CVE List with many enhancements over the former iteration.
The NVD will be transitioning from processing the CVE 4.0 dataset to processing the CVE 5.0 dataset.
Due to differences between these two datasets, there will be a large volume of changes to the NVD dataset.
All vulnerability records within the NVD are currently derived from the CVE List.
Note: Publication to the CVE List is controlled by the CNAs responsible for the CVE records. Decisions regarding CVE counting guidelines,
CNA oversight/guidance, CVE legitimacy, CVE publication date, initial data availability, etc. of CVE
Records in the CVE List are made as a function of CVE Program operations.
Below is a list of the changes data consumers should be aware of once the transition to the CVE 5.0 dataset has completed.
Reference URLs
- Encoding requirements changed where special characters must be %encoded. This will cause many CVE record references to be amended.
- Due to the way the NVD processes reference link changes, URLs impacted will lose any associated reference tags.
Descriptions
- Due to Unicode support needs many CVEs records will have description changes. There may still be issues with certain special character sets.
- Some CVE Records will have description updates due to white space differences.
Source Associations
- Source associations for some CVEs may change (this is due to processing issues prior to the CVE 5.0 data)
- sourceIdentifier /cves/ API output WILL transition from email addresses to UUIDs as the primary identifier for newly added CNAs. Already existing CNAs will still reference an email address for now.
- sourceIdentifier /source/ API output will now display all known email associations and the UUID for each source.
CVE Status
- Due to expected practices not being adhered to properly within the CVE 4.0 dataset, a subset of CVE records will become REJECTED after the transition to CVE 5.0 dataset.
CWE
- Some data was not provided in a supported format in the CVE 4.0 JSON. The CVE 5.0 JSON contains validation rules that have normalized data provisioning. Some CVE records may now also contain CNA provided CWE data that was previously missing.
CVSS
- Some data was not provided in a supported format in the CVE 4.0 JSON. The CVE 5.0 JSON contains validation rules that have normalized data provisioning. Some CVE records may now also contain CNA provided CVSS data that was previously missing.
CVMAP
- Due to Source changes, CWE changes and CVSS changes as part of this transition, some CNAs may now qualify for CVMAP assessment emails and changes to acceptance levels. Additionally, some CNAs may have CVEs added to their more recent CVMAP reports now that the NVD dataset properly reflects provisioned data points or source associations.
Auditing Improvements
- General improvements regarding how certain events, data additions and removals are audited.