
I'm looking for a way to categorize CVE product names by operating system, application etc. Is there any dataset available to deal with this? https://www.cvedetails.com offers these categories for products but I need this information available offline. Can anyone provide any insight?

schroeder
gbatt

1 Answer

Since a CVE is only the identifier of a vendor-recognized vulnerability in specific software/hardware, there is no way to categorize them using these identifiers as a basis, unless you take into account the year included in the CVE. However, the year does not always match the date on which the vulnerability became public.

Knowing that each CVE ID is related to a Common Platform Enumeration (CPE), you can use it to categorize the CVE. For this, I recommend using the Data Feeds (https://nvd.nist.gov/vuln/data-feeds) provided by the National Vulnerability Database (NVD).

I would like to emphasize two things:

  1. A CVE can be rejected even if the vulnerability has become public. In the NVD Data Feed files they appear as "** REJECT **". So keep these files up to date;
  2. You are still at risk of some false negatives, i.e. a vulnerability affects certain platforms and you find the platform enumerated in the vendor's security advisory, but it is not enumerated in the NVD data files: CVE-2017-11779

NVD Data Feeds: https://nvd.nist.gov/vuln/detail/CVE-2017-11779

Portal MS Security Response Center: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11779

Note that the Windows Server 2012 CPE (cpe:/o:microsoft:windows_server_2012) is not present in either the NVD Data Feeds or CVEDetails.

slayer
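The categorization the answer describes, as an added example that is not part of the original answer or of any NVD tooling: walk an NVD feed, skip "** REJECT **" entries, pull the CPE names marked vulnerable out of the configuration tree, and map the CPE part (o/a/h) to operating system / application / hardware. It assumes the JSON 1.1 feed layout (nvdcve-1.1-*.json: CVE_Items, configurations.nodes, cpe_match, cpe23Uri). The feed embedded below is constructed for the example; CVE-2017-11779 is the real ID from the answer, but its CPE list here is hand-written and shortened, and the CVE-0000-* entries are placeholders, not real CVEs. Only cpe_match entries with "vulnerable": true are categorized, because in AND nodes the platform a product runs on is listed with "vulnerable": false and would otherwise be counted as an affected OS.

```python
import json

# Constructed sample in the shape of an NVD JSON 1.1 feed. Only CVE-2017-11779 is a
# real identifier (CPE list shortened by hand); CVE-0000-* are placeholders.
SAMPLE_FEED = json.dumps({"CVE_data_type": "CVE", "CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-2017-11779"},
             "description": {"description_data": [{"lang": "en", "value": "constructed description"}]}},
     "configurations": {"CVE_data_version": "4.0", "nodes": [
         {"operator": "OR", "children": [], "cpe_match": [
             {"vulnerable": True, "cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*"},
             {"vulnerable": True, "cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*"}]}]}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"},
             "description": {"description_data": [{"lang": "en", "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER."}]}},
     "configurations": {"CVE_data_version": "4.0", "nodes": []}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"},
             "description": {"description_data": [{"lang": "en", "value": "constructed: app bug, OS is context only"}]}},
     "configurations": {"CVE_data_version": "4.0", "nodes": [
         {"operator": "AND", "cpe_match": [], "children": [
             {"operator": "OR", "children": [], "cpe_match": [
                 {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]},
             {"operator": "OR", "children": [], "cpe_match": [
                 {"vulnerable": False, "cpe23Uri": "cpe:2.3:o:example:os:*:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0003"},
             "description": {"description_data": [{"lang": "en", "value": "constructed: hardware bug"}]}},
     "configurations": {"CVE_data_version": "4.0", "nodes": [
         {"operator": "OR", "children": [], "cpe_match": [
             {"vulnerable": True, "cpe23Uri": "cpe:2.3:h:example:router:*:*:*:*:*:*:*:*"}]}]}},
]})

PART_NAMES = {"o": "operating_system", "a": "application", "h": "hardware"}


def split_cpe23(uri):
    """Split a CPE 2.3 formatted string on unescaped colons (a literal ':' is written '\\:')."""
    fields, cur, i = [], [], 0
    while i < len(uri):
        ch = uri[i]
        if ch == "\\" and i + 1 < len(uri):
            cur.append(uri[i:i + 2]); i += 2; continue
        if ch == ":":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def parse_cpe(uri):
    """Return (part, vendor, product) from a CPE 2.3 string or a legacy CPE 2.2 URI."""
    if uri.startswith("cpe:2.3:"):
        fields = split_cpe23(uri)
        if len(fields) != 13:
            raise ValueError(f"malformed CPE 2.3 name: {uri}")
        return fields[2], fields[3], fields[4]
    if uri.startswith("cpe:/"):  # 2.2 URIs percent-encode ':' so a plain split is safe
        fields = uri[len("cpe:/"):].split(":")
        if len(fields) < 3:
            raise ValueError(f"malformed CPE 2.2 URI: {uri}")
        return fields[0], fields[1], fields[2]
    raise ValueError(f"not a CPE name: {uri}")


def vulnerable_cpes(nodes):
    """Yield cpe23Uri values flagged vulnerable anywhere in a configurations.nodes tree."""
    for node in nodes:
        for match in node.get("cpe_match", []):
            if match.get("vulnerable"):
                yield match["cpe23Uri"]
        yield from vulnerable_cpes(node.get("children", []))


def is_rejected(item):
    """Rejected CVEs stay in the feed; NVD marks them in the description text."""
    return any(d.get("value", "").startswith("** REJECT **")
               for d in item["cve"]["description"]["description_data"])


def categorize_feed(feed_text):
    """Map CVE ID -> {rejected, categories, products} from a JSON 1.1 feed string."""
    result = {}
    for item in json.loads(feed_text)["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        if is_rejected(item):
            result[cve_id] = {"rejected": True, "categories": [], "products": []}
            continue
        categories, products = set(), set()
        for uri in vulnerable_cpes(item.get("configurations", {}).get("nodes", [])):
            part, vendor, product = parse_cpe(uri)
            categories.add(PART_NAMES.get(part, "unknown"))
            products.add((vendor, product))
        result[cve_id] = {"rejected": False, "categories": sorted(categories),
                          "products": sorted(products)}
    return result


def lists_product(result, cve_id, vendor, product):
    """True if NVD enumerates vendor/product as vulnerable for cve_id. False is not proof
    the platform is unaffected (the answer's CVE-2017-11779 case): check the vendor advisory."""
    return (vendor, product) in result.get(cve_id, {}).get("products", [])


if __name__ == "__main__":
    res = categorize_feed(SAMPLE_FEED)
    for cve_id, info in res.items():
        print(cve_id, "REJECTED" if info["rejected"] else ", ".join(info["categories"]))
    print("windows_server_2012 listed:", lists_product(res, "CVE-2017-11779", "microsoft", "windows_server_2012"))
```

On a real feed, pass the decompressed nvdcve-1.1-*.json contents to categorize_feed; the CPE 2.2 branch of parse_cpe exists only because older NVD XML feeds and sites such as CVEDetails still show the cpe:/o:... form the answer quotes.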