NIST NVD and TVM CVE Information

LuKu
Tera Contributor

Hello,


We are using both the NIST ... (CVE Only) and the TVM Vulnerability (CVE) integrations; they both update National Vulnerability Database Entries (sn_vul_nvd_entry). The NIST NVD integration is executed first and TVM later (a couple of hours after). We see a number of CVEs missing V3_base_score despite having detections (about 800 out of 2200 published this year alone) and having a CVSS in one of the sources (typically TVM).

An example is NVD CVE-2024-9960, scored 8.8 by CISA-ADP; the score is not adopted by NIST, while it is adopted by TVM.


What is the suggestion here: can we get TVM to update NVD entries originating from NIST, or should we stop using NIST NVD altogether (or change the order of execution)?
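One way to spot the gap described above, as an added example that is not part of the original post or of the ServiceNow integrations: a small Python check over NVD API 2.0 JSON that adopts the NIST Primary CVSS v3 score when present, falls back to a Secondary (CISA-ADP) score otherwise, and lists the CVEs that would be left without V3_base_score if only Primary metrics were mapped. The JSON sample, the source string and the CVE-EXAMPLE-* ids are constructed; the field names follow the NVD 2.0 API layout (metrics.cvssMetricV31[].type of Primary or Secondary).

```python
import json
from typing import Dict, Optional, Tuple

# Constructed sample in the shape of an NVD API 2.0 response (assumption: only the
# fields this check needs are included). The 8.8 Secondary (CISA-ADP) score for
# CVE-2024-9960 matches the thread; source, vector strings and CVE-EXAMPLE-* are made up.
SAMPLE_NVD_JSON = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-2024-9960", "metrics": {"cvssMetricV31": [
        {"source": "cisa-adp-placeholder", "type": "Secondary",
         "cvssData": {"version": "3.1", "baseScore": 8.8,
                      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}]}}},
    {"cve": {"id": "CVE-EXAMPLE-1", "metrics": {}}},   # shell record, no metrics at all
    {"cve": {"id": "CVE-EXAMPLE-2", "metrics": {"cvssMetricV31": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "cvssData": {"version": "3.1", "baseScore": 7.5,
                      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}]}}},
]})

Score = Tuple[float, str, str]  # (baseScore, source, type)

def v3_base_score(cve: dict) -> Optional[Score]:
    """Pick the CVSS v3.x metric to adopt for one CVE record.

    A 'Primary' (NIST) entry wins; otherwise the first 'Secondary' entry, such as
    the CISA-ADP enrichment, is used. None means the record carries no v3 metric.
    """
    entries = []
    for key in ("cvssMetricV31", "cvssMetricV30"):
        entries.extend(cve.get("metrics", {}).get(key, []))
    if not entries:
        return None
    entries.sort(key=lambda e: 0 if e.get("type") == "Primary" else 1)  # stable sort
    best = entries[0]
    return (float(best["cvssData"]["baseScore"]), best["source"], best["type"])

def adopted_scores(nvd_json: str) -> Dict[str, Optional[Score]]:
    """Map every CVE id in the feed to its adopted score (or None)."""
    return {v["cve"]["id"]: v3_base_score(v["cve"])
            for v in json.loads(nvd_json)["vulnerabilities"]}

def secondary_only(nvd_json: str) -> Dict[str, float]:
    """CVEs whose only usable v3 score comes from a Secondary source: exactly the
    records that end up without V3_base_score when only Primary metrics are mapped."""
    return {cid: s[0] for cid, s in adopted_scores(nvd_json).items()
            if s is not None and s[2] == "Secondary"}

if __name__ == "__main__":
    for cid, score in secondary_only(SAMPLE_NVD_JSON).items():
        print(f"{cid}: only a Secondary (ADP) v3 score is available: {score}")
```

Running this against a real NVD API 2.0 feed instead of the sample gives the list of records worth comparing against sn_vul_nvd_entry after the NIST job has run.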


andy_ojha
ServiceNow Employee

Hey there,


Out of curiosity, did you ever see the CVE record in VR get enriched with that 8.8 CVSS v3.x base score?

It looks like on Oct 16, the CISA ADP enrichment was updated, and I do see that CVE reflects the (CVSS Base Score) change in my lab instance.


I believe it was the delta update from NVD that pulled this in, but I also do have some other integrations like FIRST.ORG for EPSS, CISA Exploit enrichment, and other scanners running in parallel.


Curious if you saw this CVE record updated on your side as well?


LuKu
Tera Contributor

Not really, I don't see the score updated:


Both the NIST and TVM integrations have run multiple times since it was first created.

andy_ojha
ServiceNow Employee

That's interesting...

I went back to the lab to take a look at the data imported from NVD on Oct 16 and Oct 17 (delta jobs) on two different instances.


On a NOW instance with the VR integration w/ NVD (v1.4.2):

  • I see exactly what you see
  • CVE-2024-9960 looks like more of a shell record and is missing the CVSS metrics

On another NOW instance with the VR integration w/ NVD (v1.4.5):

  • I see the CVSS metrics mapped to the CVE-2024-9960 record (aligning to the ADP adjustment, where the CVSS 3.1 base score is 8.8)


-------------------------------------------------------------------------------


Can you clarify what version of the Vulnerability Response Integration with NVD you have running?


It could very well be a lingering issue that was addressed in a recent update, if you are running v1.4.3 or prior...


-------------------------------------------------------------------------------


More context from the NOW Instance running v1.4.5 of the Vulnerability Response Integration with NVD, Store App...


When the NVD integration job ran on Oct 16, CVE-2024-9960 was included but had no metrics or CVSS scores:

- CVE last modified = 2024-10-16T16:38


When the NVD integration job ran on Oct 17, CVE-2024-9960 was included, and it included the metrics + CVSS (v3.1) base score of 8.8... aligning to the ADP scoring adjustment:

- CVE last modified = 2024-10-16T20:35


LuKu
Tera Contributor

I will check this one, thanks.