NVD table has empty source or source as the third-party Vulnerability scanner

HelloCAD · 3 weeks ago

Hi,

We have NVD integration active for Vulnerability Response and other third-party scanners (Rapid7 & Wiz).

When we look into the NVD table (sn_vul_nvd_entry), we see that some of the CVEs have source populated as the Third-party and some have empty source.

See below screenshot for example.

Is this suppose to happen? If yes, what exactly is happening? Why would some entries have empty source?

Ranjane_Omkar · 2 weeks ago

Hello @HelloCAD,

1) Not all NVD entries have complete information available. If you are importing older records, this could be because the information was not available in the previous scoring version. It could also be that a newly published CVE does not have the information available yet.

2) To ensure a Vulnerable Item can be created immediately, the Third-Party scanner integration first creates a placeholder record for the new CVE in the sn_vul_nvd_entry table. It stamps "Qualys" into the source field to show that it was the originator of this record. Later, when your scheduled NVD integration runs, it will find the official data for that same CVE and enrich the existing stub record with the full details (like CVSS scores and summary). This mechanism is a core feature of the ServiceNow Vulnerability Response application. It ensures that you can respond to threats detected by your scanners in real-time, without having to wait for the daily NVD synchronization to complete. This is often the case for very new vulnerabilities.

Regards,

----
If this response was helpful, please select "Accept as Solution" and "Helpful." This helps both the community and me.