
'Public Exploit' field in Vulnerability

sach1
Tera Guru

Does anyone know how the value for the 'Public Exploit' field is populated in the Vulnerability database?

On our instance the value is set to 'unknown' for all the vulnerabilities.

I am not able to find any information about the field in ServiceNow documentation but there are risk score calculators configured on the basis of it.

 

[Image: sach1_0-1758639962047.png]

 


4 REPLIES

Simon Hendery
Giga Patron

Hi @sach1 

 

This is a great question, and I'm hoping one of ServiceNow's in-house experts might be able to answer it (cc: @Chris McDevitt @andy_ojha @Eliz Skogquist) 🙏

 

My initial understanding was that the public_exploit property was derived by ServiceNow during the process of adding NVD data to the sn_vul_nvd_entry table. That was done by analysing certain NVD reference sources.

 

But looking at an sn_vul_nvd_entry table with 300k+ records, public_exploit = 'Unknown' for every record. So maybe the value isn't determined by ServiceNow?

 

I've found one reference (14MB PDF, see pg. 276) that suggests it's set by API data coming in from third-party tools:

[Image: SimonHendery_0-1758750806979.png]

 

Hoping one of our experts can clarify!

@Simon Hendery That is correct. If you take a look at the CVE metadata you will see that it does not contain information like public exploits. That field in ServiceNow is used for tools that enhance the CVE. For example, if you look at MS TVM you will see where that integration populates the public_exploits field. (I don't have access to Recorded Futures, but I know it also enhances the data.)

TL;DR
I often use Studio's global search capability to find where in the code fields are referenced so I can figure out how they work. Then I go to the docs and drop the field name into the search. 

Much appreciated @Chris McDevitt! And that's a great tip re using Studio's search feature.

 

Hope that helps you also, @sach1. If you could kindly mark Chris's answer as a correct solution, that will help others with a similar query in the future.

sach1
Tera Guru

Thank you @Simon Hendery @Chris McDevitt for your replies.

I created a support case with ServiceNow and they confirmed that the field value is populated only for certain vendor integrations. NVD import does not populate it.