New National Vulnerability Database visualizations and feeds

Recently, the National Institute of Standards and Technology (NIST) introduced a new version of National Vulnerability Database (NVD) website.

NIST NVD new site

I will not say that I liked this redesign:

new NVD website

IMHO, old website with US flag was much prettier and useful:

old NVD website

But the very fact that the site is developing, I really like very much. Let’s see what’s new there.

Very nice news that now you can download NVD feeds in JSON format.

new feeds

Here is the direct link https://nvd.nist.gov/vuln/data-feeds#JSON_FEED

nvd feed json download

I have nothing against xml, but you must admit it’s much nicer when you can get data in a form of a python dict automatically. Analysis of this format is a topic for another post, but believe me, it’s quite simple and pretty obvious. =)

Secondly, they added some visualizations. Now you can see which CVEs were processed recently (adds CVSS vectors). They are displayed on the main page “Latest 20 scored vulnerabilities from the NVD”:

latest scored vulnerabilities

Note many CVEs from 2015 in this list, not only fresh vulnerabilities from 2017.

At https://nvd.nist.gov/general/visualizations/ you can see the diagrams for vulnerabilities. It’s certainly not a cvedetails.com yet, but way better than nothing. 😉

For example, Relative Vulnerability Type Totals By Year. It is a bit confusing that some years get out from 100%. 😉 Apparently because the same vulnerability can have several CWEs and the diagram is incorrectly drawn.

vulnerability type totals

The same picture redrawn in a slightly different form (Vulnerability Type Change by Year):

vulnerability type changes

The positive thing is that over time the number of vulnerabilities with”other” CWE becomes much smaller. This means that the classification process is going well.

Here you can see vulnerabilities by product vendor (CPE):

cpe stat

As usual, it’s very tempting to make a conclusion that Cisco products are most vulnerable. Of course it is not true. This only means that the vulnerabilities of Cisco products are described better than others.

And here is a picture for the checklists (NCP), where situation is less clear.

checklists

What was the idea. NIST has created a protocol for describing security content – SCAP. The main part of this protocol was OVAL – the standard that can be used to describe desirable state of a system using a set of criteria. You can see examples of OVAL content on Center for Internet Security OVAL repository. OVAL is a universal tool, however the most common usage of OVAL standard and SCAP is for describing secure configurations, for example, USGCB. Well, the actual National Checklist Program is a collection of such content in one of the four states:

  • IV – Will work in SCAP validated tool
  • III – Should work in SCAP validated tool
  • II – Non-SCAP automation content
  • I – Non-automated prose content

And, as we can see, the number of checklists that will exactly work in certified SCAP solutions not increases over time, but decreases. Imho, that can be because SCAP protocol is constantly changing and the certification process is changing, and there is no real motivation to make SCAP content, and especially to pass formal verification:

checklist requirements

Note that the date on the diagram is the date of initial publication, not the last update.  If we look for the checklists of the search engine, we can see tier IV content that was updated in 2015 and 2016:

NCP search

One thought on “New National Vulnerability Database visualizations and feeds

  1. Pingback: Downloading and analyzing NVD CVE feed | Alexander V. Leonov

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.