Description
Context: Our Quality Baseline
As developers of vulnerability assessment and monitoring tools, we operate against six core quality objectives to ensure our users receive actionable intelligence:
- Completeness: The data conveyed is complete; no (available or known) data items are missing for the subject of interest.
- Accuracy: The data conveyed is accurate; no false information is included.
- Consistency: The data is clear and comprehensible. Inconsistencies – such as deviations between different data perspectives – are considered faults.
- Relevance: The aggregated and displayed data is relevant to the users and supports their tasks and activities.
- Traceability: The origin of the data is clear or can be easily analyzed to its source.
- Performance: The data views can be produced, loaded and used in an adequate, acceptable timeframe; navigation must be intuitive and quick.
These objectives guide the definition and implementation of our tools. We evaluate results from various data sources against these goals to identify and address issues and shortcomings in our data pipeline.
How does this relate to the CVE Program?
It became apparent that when relying exclusively on NVD data, our completeness objective could not be reached. For example, we analyzed a specific version of OpenSSL based on the information provided on the official OpenSSL project pages. Based on that source, we expected, at that time, nine vulnerabilities. However, our dashboard revealed only one vulnerability when using NVD data alone.
We investigated the discrepancy and found that the NVD – particularly for recent vulnerabilities – often lacks immediate, detailed information. Specifically, CPE configurations with curated version details are frequently not yet available, which makes the automated correlation of vulnerabilities to software components impossible.
In this case-driven analysis we found that the CVE List contains more immediate and detailed information. Integrating this data allowed us to fill the gaps, and when combined with vendor advisories, the resulting data met our completeness and accuracy expectations.
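The correlation gap described above can be made concrete with a small matcher. The following Python sketch is an added example, not code from this issue or from the reporting pipeline it describes. It assumes the public field layouts of the NVD API 2.0 response (`configurations[].nodes[].cpeMatch[]` with `criteria`, `vulnerable`, `versionStartIncluding`, `versionEndExcluding`) and of CVE JSON 5.x records (`containers.cna.affected[].versions[]` with `version`, `lessThan`, `lessThanOrEqual`, `status`); the three records and their CVE ids are constructed placeholders, not real vulnerabilities. It shows how an NVD-only lookup finds one record while the merged lookup finds all three, and records which feed produced each match for traceability.

```python
"""Correlate one software component against NVD-style and CVE-List-style records.

Constructed example: the feed records below are made up, use placeholder CVE ids,
and only mimic the field layout of the NVD API 2.0 and CVE JSON 5.x formats.
"""


def parse_version(v: str) -> tuple:
    """Dotted numeric version to a comparable tuple, e.g. "3.0.12" -> (3, 0, 12).

    Non-numeric suffixes are dropped; this is a simplification, real feeds
    mix semver, custom and distro-specific version schemes.
    """
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def cpe_matches(criteria: str, vendor: str, product: str) -> bool:
    """CPE 2.3 formatted string: cpe:2.3:<part>:<vendor>:<product>:<version>:..."""
    fields = criteria.split(":")
    return len(fields) >= 6 and fields[3] == vendor and fields[4] == product


def nvd_affects(record: dict, vendor: str, product: str, version: str) -> bool:
    """NVD-style record: affected only if a vulnerable cpeMatch covers the version.

    A record that has not been analyzed yet carries no 'configurations' at all,
    so automated correlation silently yields 'not affected'.
    """
    ver = parse_version(version)
    for config in record.get("configurations", []):
        for node in config.get("nodes", []):
            for m in node.get("cpeMatch", []):
                if not m.get("vulnerable") or not cpe_matches(m["criteria"], vendor, product):
                    continue
                cpe_version = m["criteria"].split(":")[5]
                if cpe_version not in ("*", "-"):  # exact version pinned in the CPE itself
                    if parse_version(cpe_version) == ver:
                        return True
                    continue
                lo_inc = m.get("versionStartIncluding")
                hi_exc = m.get("versionEndExcluding")
                hi_inc = m.get("versionEndIncluding")
                if lo_inc and ver < parse_version(lo_inc):
                    continue
                if hi_exc and ver >= parse_version(hi_exc):
                    continue
                if hi_inc and ver > parse_version(hi_inc):
                    continue
                return True
    return False


def cve_affects(record: dict, vendor: str, product: str, version: str) -> bool:
    """CVE JSON 5.x record: affected if an 'affected' version entry covers the version.

    Vendor/product names in CVE records are free text, so they are compared
    case-insensitively (an assumption of this example).
    """
    ver = parse_version(version)
    for aff in record["containers"]["cna"].get("affected", []):
        if aff.get("vendor", "").lower() != vendor or aff.get("product", "").lower() != product:
            continue
        for entry in aff.get("versions", []):
            if entry.get("status") != "affected":
                continue
            lo = parse_version(entry["version"])
            if "lessThan" in entry:
                if entry["lessThan"] == "*":  # open-ended range
                    if lo <= ver:
                        return True
                elif lo <= ver < parse_version(entry["lessThan"]):
                    return True
            elif "lessThanOrEqual" in entry:
                if lo <= ver <= parse_version(entry["lessThanOrEqual"]):
                    return True
            elif lo == ver:  # single affected version
                return True
    return False


def correlate(component: tuple, nvd_records: list, cve_records: list) -> dict:
    """Map CVE id -> set of feeds that confirmed the match (traceability)."""
    vendor, product, version = component
    found: dict = {}
    for r in nvd_records:
        if nvd_affects(r, vendor, product, version):
            found.setdefault(r["id"], set()).add("nvd")
    for r in cve_records:
        if cve_affects(r, vendor, product, version):
            found.setdefault(r["cveMetadata"]["cveId"], set()).add("cvelist")
    return found


# Constructed sample data (placeholder ids; not real vulnerabilities).
COMPONENT = ("openssl", "openssl", "3.0.12")

NVD_RECORDS = [
    {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
     "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
         {"vulnerable": True, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
          "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.0.13"}]}]}]},
    {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis"},  # no CPE configuration yet
    {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis"},  # no CPE configuration yet
]

CVE_RECORDS = [
    {"cveMetadata": {"cveId": "CVE-0000-0001"}, "containers": {"cna": {"affected": [
        {"vendor": "OpenSSL", "product": "OpenSSL", "versions": [
            {"version": "3.0.0", "lessThan": "3.0.13", "status": "affected", "versionType": "semver"}]}]}}},
    {"cveMetadata": {"cveId": "CVE-0000-0002"}, "containers": {"cna": {"affected": [
        {"vendor": "OpenSSL", "product": "OpenSSL", "versions": [
            {"version": "3.0.0", "lessThanOrEqual": "3.0.12", "status": "affected", "versionType": "semver"}]}]}}},
    {"cveMetadata": {"cveId": "CVE-0000-0003"}, "containers": {"cna": {"affected": [
        {"vendor": "OpenSSL", "product": "OpenSSL", "versions": [
            {"version": "3.0.12", "status": "affected", "versionType": "semver"},
            {"version": "3.1.0", "lessThan": "*", "status": "unaffected", "versionType": "semver"}]}]}}},
]

if __name__ == "__main__":
    print("NVD only:", correlate(COMPONENT, NVD_RECORDS, []))
    print("NVD + CVE List:", correlate(COMPONENT, NVD_RECORDS, CVE_RECORDS))
```

The per-id source set is what makes a dashboard result traceable: a finding confirmed by both feeds can be displayed differently from one that rests on CVE List data alone, and a later NVD analysis that disagrees with the CNA's affected range surfaces as an inconsistency rather than being silently overwritten.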
At the time of writing, the number of vulnerabilities has grown to 25:
Immediate Data Access and the EU Cyber Resilience Act
Completeness and accuracy are critical when preparing for the EU Cyber Resilience Act (CRA). Manufacturers of Products with Digital Elements are mandated to identify and document vulnerabilities throughout their product's entire lifecycle.
Under the CRA, manufacturers must become aware of vulnerabilities without delay and are required to report actively exploited vulnerabilities to authorities within strict timeframes (e.g., 24-hour early warnings for critical assets). In this high-stakes environment, relying on delayed or incomplete data is a compliance risk.
The CVE List and the CVE Program in general are essential resources that provide the immediate, reliable, and sufficiently accurate data foundation necessary to support the mandatory evaluation and communication processes.
References
If you would like to find out more, feel free to visit our public examples. These dashboards are a key element in our open-source assessment and reporting pipeline: