This site uses cookies for managing your session and website analytics purposes. Allow Cookies

VulnIQ

NVD CVE Feeds

National Vulnerability Database (NVD) is provided by U.S. National Institute of Standards and Technology (NIST). https://nvd.nist.gov/general describes NVD as follows :

The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP).
...
The NVD performs analysis on CVEs that have been published to the CVE Dictionary. NVD staff are tasked with analysis of CVEs by aggregating data points from the description, references supplied and any supplemental data that can be found publicly at the time.
...

The entire NVD database can be downloaded from this web page for public use. All NIST publications are available in the public domain according to Title 17 of the United States Code. Please see https://nvd.nist.gov/general for more information.

VulnIQ engine free version contains vulnerability data from NVD, enhanced with data from various other sources. Much better than NVD or other sites and it's free!
You don't need to implement your own NVD feed processor! Just use VulnIQ and get much more than just CVEs.

NVD Feed Format

Historically NVD provided feeds in xml format but recently they moved to a new JSON based format and they are planning to stop providing XML feeds. Please see https://nvd.nist.gov/General/News/JSON-Feed-1-0-Release for more information.

NVD feeds provide quite detailed information for free. It is the very first data source data needs to be fed into a vulnerability management programme.
Actually anyone working in the field of ICT will sooner or later need to lookup information about a security vulnerability and one way or the other depends on data provided by NVD.

VulnIQ Solution

VulnIQ security information engine includes a processor that automatically downloads and processes NVD JSON feeds and updates its internal database with the latest information. VulnIQ uses NVD feeds as its primary and authoritative source for CVE data.

The whole update process is automated and runs without human intervention.

We will monitor changes in NVD urls or data formats and necessary program or documentation updates will be released as soon as possible to make sure that customers are not affected by any changes in NVD data.

Making Vulnerability Data Usable
Web UI

VulnIQ engine provides a fully featured web UI for viewing vulnerability data. You will not need to browse the internet just to view vulnerability data. VulnIQ provides the most complete vulnerability information including CVE data, vulnerability timeline/history, discovered relations, vendor advisories, OVAL definitions and much more.

VulnIQ collects CVSS Scores from other sources such as vendor advisories and enhances CVE data. For example https://free.vulniq.com/data/CVE-2019-12624/info contains an additional CVSS score from the vendor advisory.

APIs and Automation
VulnIQ engine provides various API endpoints that can be used to query vulnerabilities by the following:
  • CPEs
  • OS package name and versions, for example debian package name and versions. OS package names and CPE names used by NVD usually do not match, VulnIQ collects CPE-package name mapping information from various sources and makes querying by package names possible.
  • Vendor, product, version names. Instead of using CPE names, you can simply provide vendor, product and version strings and it will work.
Using VulnIQ engine you will not need to implement your own NVD feed processor. You can simply use VulnIQ APIs and VulnIQ engine will take care of the rest.