In a Linkedin Live session yesterday, Ilkka Turunen, Field CTO of Sonatype, and Brian Fox, co-founder and CTO, discussed an ongoing critical yet underreported issue in the National Vulnerability Database (NVD).
Their discussion shed light on an alarming development that could have wide-reaching implications for cybersecurity infrastructure globally.
The current issue in the NVD
The NVD, managed by the United States' National Institute of Standards and Technology (NIST), serves as a pivotal repository for documented cybersecurity vulnerabilities.
"The NVD is part of the core infrastructure in the industry for tracking and knowing about security vulnerabilities," said Turunen. "When you report a security vulnerability in the NVD, it gets an official Common Vulnerabilities and Exposures (CVE) code, then it is an officially identified vulnerability that can be discovered by anyone searching to see if they are affected by a current vulnerability."
However, Fox revealed a concerning situation.
"About a month ago, new vulnerabilities published into the database stopped having additional metadata assigned to them," said Fox. "There's been a huge influx of vulnerabilities being inserted into the NVD without this metadata being attached to them that would allow tools to reason what the impact of the vulnerability is."
This missing metadata, crucial for determining the impact of a vulnerability, includes Common Vulnerability Scoring System (CVSS) scores and Common Platform Enumerator (CPE) identifiers. This lapse has led to a growing backlog of vulnerabilities, leaving cybersecurity tools that rely on this data effectively blind.
The implications
The absence of critical metadata means that the association between vulnerabilities and affected software components is missing.
"Essentially when you submit a security vulnerability into the NVD, that involves a two-step process: you input the vulnerability itself and the NVD analyzes it," said Turunen. "They've essentially stopped doing step two in that process, which is to take the initial report and associate it with affected software components along with a whole host of other metadata. That's the current case for every entry into NVD. The backlog is growing by the day, and there are about 3,000 vulnerabilities currently awaiting analysis."
This gap hinders the ability of security tools to alert organizations about potential risks.
"If you're relying just on free open source tools, you’re not getting the alerts, because even though the vulnerabilities are in the NVD, that association is missing," said Turunen. "When these tools check if 'x' component has a known security vulnerability in the NVD, the answer will come out as empty or nothing new. Many vendors in this business just download the dump of the NVD, and unfortunately, that is not going to get populated anymore as long as this current problem persists, so you're driving blind even though it feels like everything is working."
An unspoken challenge
Fox elaborated on the issue with the CPE, which serves as a coordinates system for identifying vulnerabilities, noting its inadequacy in addressing the complexities of modern software development.
"A problem with the CPE coordinates system is that it is not precise enough to deal with the realities of component-based development," said Fox. "The Struts project has something like 84 different sub-modules in it, so when a vulnerability comes in and gets associated to some version of Apache Struts, tools that rely on the CPE are going to provide false positives for something like 83 of the 84 Struts components because typically the same piece of code does not exist in multiple places in these sub-modules."
As the co-founder of Sonatype, Fox further elaborated that near the company's inception over twelve years ago, his team saw that most vulnerabilities did not have a CPE, so they had to build systems that would compensate for that.
He highlighted that Sonatype always aims to provide more precise data and better matching, since tools that heavily rely upon the CPE can lead to a lot of false positives and false negatives in many cases. Additionally, Sonatype's customers remain unaffected by the current NVD situation.
"Take a look at your security tools. What are you using for software composition analysis?" said Fox. "If your security tools are not producing many or any alerts recently, that would be a pretty good indicator that your vendor is not enriching their data, and you are missing a whole lot."
Moreover, the conversation touched upon the broader implications for the open source ecosystem. With the rise in vulnerabilities and the associated costs of maintaining secure software, the current model of relying heavily on volunteer contributions and minimal resources is showing its limitations.
"Maybe you are now not receiving many new alerts, and it’s not because the bad guys have taken a day off or because the researchers are not finding new things," said Fox. "It's because of this situation with NVD which your tool is relying on and is now effectively blind to what’s going on."
Moving forward
As we move forward, the conversation underscores the essential role of innovative solutions and proactive measures in ensuring the cybersecurity infrastructure remains resilient against ever-evolving threats.
"When you add on the pressures that the software industry will go through over the next few years with increased regulation requiring awareness of whether or not you have exploitable vulnerabilities in your software and releases," said Turunen. "I think this is a sobering moment for anyone relying on NVD, and they understand that the NVD is not an immutable resource — it can go away and these things can happen. It's like if you ordered a meal box, and half of it is missing while you’re still paying the full price."
The session concluded with advice for those affected by the current NVD challenges. For smaller projects lacking enterprise-level funding, Sonatype offers tools such as OSS Index and Sonatype Vulnerability Scanner as free resources to help bridge the gap left by the NVD’s current metadata omission.
Turunen and Fox's discussion serves as a wake-up call for the cybersecurity community. It highlights the need for more robust, reliable systems for vulnerability management and the importance of industry collaboration to address these systemic issues.
"The NVD really is one of the central sources of cybersecurity information," said Turunen. "This is a good reminder that a lot of the infrastructure upon which we rely is surprisingly brittle and has no guarantee that it will work to the standard that you expect, because there truly is no service obligation to something like this."
