Why is Contrast Security reporting different information to that published by NVD?

  • Updated

Overview

At Contrast Security, we aim to provide the most reliable and current information about your Open Source libraries. There may be occasions when Contrast reports differently to NVD (National Vulnerability Database), which can be due to data published that is incomplete, inaccurate, or outdated.

First, let’s get some background on the process of how information gets to NVD. Once a vulnerability is identified by a group or individual, an ID can be requested for a CVE (Common Vulnerabilities and Exposures). If successfully assigned an ID, this information will be publicly released via CVE - Home . The CVE team will evaluate the issue in order to provide a detailed description, vulnerability type, name of affected software, and external references (e.g. mailing lists, blog post, technical reports).

While CVE list is maintained by the MITRE organization, NVD is managed by NIST (National Institute of  Standards and Technology).  Upon receiving a new CVE ID from CVE list, the NVD team will analyze the issue further, adding enhanced details such as severity scores. Information from CVE list is fully synced with NVD, and any updates to the CVE record will appear here. 

Question

Why is Contrast Security reporting different information to what is published by NVD?

Answer

It is important to consider, while every effort is made by NVD to keep records up to date and accurate, the volume of existing and emerging CVEs is extensive. The method for maintaining NVD is largely manual, and so, prone to human error.

NVD Description

One of the most common discrepancies we find is within the vulnerability description. The description is maintained by the CVE Assignment Team, and commonly is not a field that is updated. As such, it represents a snapshot of information at the time of being raised. Let’s take CVE-2020-36518, for example. The description (at time of article being written) is:

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

After our own analysis of GitHub commits and the vendor advisory, we determined this description is incorrect, and further versions of this package were vulnerable.

NVD Known Affected Software Configurations

When referencing vulnerable versions, it is important to note that NVD lists the CPE (Common Platform Enumeration), whereas Contrast will reference the specific package affected by the vulnerability. CPE specification is a structured naming scheme for applications, operating systems, and hardware.

The issue with using CPE for identifying libraries or packages is it is often not specific enough, and cannot be directly mapped to the ecosystem:package system we use. For example: NVD - CVE-2018-1199, the CPE is as follows: cpe:2.3:a:pivotal_software:spring_framework, whereas the vulnerable package is actually maven/org.springframework/spring-core

In the case of when NVD reports the correct package, the versions listed as vulnerable can also be inaccurate. For example: Spring-web Java Deserialization: CVE-2016-1000027. We consider the use of NVD as one part of the puzzle. Contrast Security analyzes vulnerabilities based on vendor sources, blog/forum posts, GitHub commits, and POCs. For data quality and consistency, we consider all sources to provide you with a complete view of your application’s health.

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request