Products and services can be made "CVE Compatible" by following the guidelines below. Numerous organizations from around the world already incorporate CVE Entries or reference CVE IDs in their capabilities, processes, products, services, etc.
NOTE: The previous formal CVE Compatibility Program of declarations and questionnaires has been discontinued and its product listings have been moved to "archive" status. The CVE Team will no longer accept declarations or questionnaires. Instead, the guidelines below have been provided to assist you in making your product or service "CVE Compatible."
1) Definitions
Capability - security tool, database, website, advisory, or service that provides a security vulnerability or exposure identification function.
User - a consumer or potential consumer of the Capability.
Owner - the owner or maintainer of the Capability.
Security Element - a database record, email message, security advisory, assessment probe, signature, etc., which is related to a specific vulnerability or exposure.
Repository - an implicit or explicit collection of security elements that supports a capability, e.g., a vulnerability database, advisory archive, the set of signatures in an intrusion detection system (IDS), or website.
Tool - a software application or device that either examines a host or network and produces information related to vulnerabilities or exposures, or aggregates this type of information, e.g., a vulnerability scanner, intrusion detection system, risk management tool, security information manager, or compliance reporting tool or service.
Task - a Tool’s probe, check, signature, etc., that performs some action that produces security information (i.e., the security element).
Map/Mapping - the specification of relationships between security elements in a Repository and the CVE Identifiers (CVE IDs) that are related to those elements.
2) General Guidelines
These are the high-level guidelines for all capabilities. Many of them are described in detail in later sections.
2.1) The capability should provide additional value or information beyond that which is provided in CVE itself (i.e., CVE ID, description, references, and associated data).
2.2) The capability should be available to the public, or to a set of consumers, in a production version.
2.3) The capability should allow users to locate security elements using CVE IDs ("CVE Searchable").
2.4) When the capability presents security elements to the user, it should allow the user to obtain the associated CVE IDs ("CVE Output").
2.5) For a capability with a Repository, the capability’s mapping should accurately link security elements to the appropriate CVE IDs ("Mapping Accuracy").
2.6) The capability’s documentation should adequately describe CVE, CVE Compatibility, and how the CVE-related functionality in the capability is used ("CVE Documentation").
2.7) The capability should satisfy any additional guidelines for the specific type of capability, as specified in Appendix A.
2.8) The capability should satisfy all guidelines for its distribution media, as specified in Appendix B.
2.9) The capability is not required to do any of the following:
2.10) If the capability does not satisfy all guidelines, then the Owner should not advertise that it is CVE Compatible.
3) Mapping Accuracy Guidelines
CVE Compatibility only facilitates data sharing if the capability’s mapping is accurate. Therefore, CVE-Compatible capabilities should meet minimum accuracy requirements.
3.1) For a capability with a Repository, the Repository should strive for an Accuracy Percentage of 90 percent or greater.
3.2) If the capability is based on, or uses, another CVE-Compatible capability (the "Source" capability), and the Owner becomes aware of mapping errors in the Source capability, then the Owner should report those errors to the Owner of the Source capability as soon as possible.
3.3) The mapping accuracy of an advisory archive should be assessed against all security elements of the archive repository from, and including, the archive’s first use of a CVE ID in a security element onward.
3.4) A capability should accurately reflect the status of deprecated CVE IDs within three (3) months for on-line capabilities and services.
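As an added illustration (not from the page, and not any product's code), one way an Owner might check a repository against guidelines 3.1 and 3.4 before claiming compatibility. The page does not define how the Accuracy Percentage is computed, so the measure used here, the share of reviewed elements whose complete set of CVE IDs matches a reviewer-verified reference, is an assumption; "REJECTED" is the CVE Record state that corresponds to what the page calls a deprecated ID. The element names, CVE IDs and states are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample data (placeholder element names, IDs and states; none of
# them refer to real advisories, signatures or CVE Records).

# The repository's mapping under test: security element -> CVE IDs it cites.
REPOSITORY: Dict[str, Set[str]] = {
    "ADV-2024-017": {"CVE-2024-0001"},
    "ADV-2024-018": {"CVE-2024-0002", "CVE-2024-0003"},
    "ADV-2024-019": {"CVE-2024-0004"},   # typo: the reviewer says 0005
    "ADV-2024-020": {"CVE-2024-0006"},   # correct, but the ID has since been rejected
    "SIG-1001": set(),                   # never mapped at all
}

# Reviewer-verified mapping for the same elements (the ground truth).
REFERENCE: Dict[str, Set[str]] = {
    "ADV-2024-017": {"CVE-2024-0001"},
    "ADV-2024-018": {"CVE-2024-0002", "CVE-2024-0003"},
    "ADV-2024-019": {"CVE-2024-0005"},
    "ADV-2024-020": {"CVE-2024-0006"},
    "SIG-1001": {"CVE-2024-0007"},
}

# Current state of each ID in the CVE content the capability ingests.
CVE_STATE: Dict[str, str] = {
    "CVE-2024-0001": "PUBLISHED", "CVE-2024-0002": "PUBLISHED",
    "CVE-2024-0003": "PUBLISHED", "CVE-2024-0004": "PUBLISHED",
    "CVE-2024-0005": "PUBLISHED", "CVE-2024-0006": "REJECTED",
    "CVE-2024-0007": "PUBLISHED",
}


@dataclass
class MappingReport:
    total: int
    correct: int
    # elements whose ID set differs from the reference
    wrong: List[str] = field(default_factory=list)
    # element -> REJECTED IDs it still presents as live mappings (guideline 3.4)
    stale: Dict[str, List[str]] = field(default_factory=dict)

    @property
    def accuracy_percentage(self) -> float:
        return 100.0 * self.correct / self.total if self.total else 0.0

    def meets_guidelines(self, threshold: float = 90.0) -> bool:
        """3.1 wants 90 percent or better; 3.4 wants no unreflected rejected IDs."""
        return self.accuracy_percentage >= threshold and not self.stale


def audit_mapping(repository: Dict[str, Set[str]],
                  reference: Dict[str, Set[str]],
                  cve_state: Dict[str, str]) -> MappingReport:
    """Score a repository mapping against a reviewed reference.

    Accuracy Percentage is computed here (an assumption; the page does not
    define the measure) as the share of reviewed elements whose complete set
    of CVE IDs matches the reference exactly; a missing or extra ID is wrong.
    """
    report = MappingReport(total=len(reference), correct=0)
    for element, expected in sorted(reference.items()):
        actual = repository.get(element, set())
        if actual == expected:
            report.correct += 1
        else:
            report.wrong.append(element)
        rejected = sorted(c for c in actual if cve_state.get(c) == "REJECTED")
        if rejected:
            report.stale[element] = rejected
    return report


if __name__ == "__main__":
    r = audit_mapping(REPOSITORY, REFERENCE, CVE_STATE)
    print(f"accuracy {r.accuracy_percentage:.1f}% ({r.correct}/{r.total})")
    print("mis-mapped elements:", r.wrong)
    print("elements citing rejected IDs:", r.stale)
    print("meets 3.1 and 3.4:", r.meets_guidelines())
```

Scoring whole elements rather than individual IDs is deliberate: an element that cites one correct and one wrong ID still sends a user to the wrong record, so it should not count as partially accurate.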
4) Documentation Guidelines
The following guidelines apply to documentation that is provided with the capability.
4.1) The documentation should include a brief description of CVE and CVE Compatibility, which can be based on verbatim portions of documents from the CVE website.
4.2) The documentation should describe how the user can find individual security elements in the capability’s repository by using CVE IDs.
4.3) The documentation should describe how the user can obtain CVE IDs from individual elements in the capability’s repository.
4.4) If the documentation includes an index, including references to CVE-related documentation under the term "CVE" is recommended.
5) Mapping Currency Guidelines
Users need to know how up-to-date a capability’s repository is with respect to its mapping to CVE. The Owner should indicate the currency of a mapping by providing the date of its last update of CVE information, stating what portion of CVE content the capability uses, and stating where that CVE content is gathered from.
5.1) Each new version of the capability should identify the most recent date of CVE content that was used in creating or updating the mapping through at least one of the following: change logs, new feature lists, help files, or some other mechanism. The capability is "up-to-date" with respect to that date.
5.2) The Owner should publicize how quickly it will update the capability’s repository to include new CVE information.
5.3) The Owner should describe the criteria and mechanism for selecting the CVE information they include in their capability.
5.4) The Owner should describe where it gathers new CVE content from.
6) CVE ID Syntax Guidelines
A capability should work with CVE IDs regardless of how the ID is represented within the capability, whether it uses the older syntax with a fixed four-digit sequence number (CVE-YYYY-NNNN) or the current syntax, in which the sequence number has four or more digits (introduced by the CVE ID Syntax change that took effect after 31 December 2013).
6.1) If a user performs a search using YYYY-NNNN, YYYY-NNNNN, or YYYY-NNNNNN, the capability should return the security elements that correspond to CVE-YYYY-NNNN, CVE-YYYY-NNNNN, or CVE-YYYY-NNNNNN respectively.
Appendix A) Additional Guidelines for Specific Types of Capabilities
Since a wide variety of capabilities use CVE, certain types of capabilities may have unique features that require special attention with respect to CVE Compatibility.
A.1) The Capability should satisfy all additional requirements that are related to the specific type of capability.
A.1.1) If the Capability is a vulnerability assessment scanner, intrusion detection system (IDS), or a product that integrates the results of one or more scanners and IDSs, then it should meet the Tool Guidelines.
A.1.2) If the Capability is a service (such as a managed intrusion detection and response service, or a remote scanning service) then it should meet the Security Service Guidelines.
A.1.3) If the Capability is an online vulnerability or signature database, web-based archive, or maintenance/patch site, then it should meet the Online Capability Guidelines.
A.1.4) If the Capability is an aggregation tool like a security information manager, a compliance reporting tool, or a service supplying these types of aggregations of vulnerability type information, then it must satisfy the Aggregation Capability Guidelines.
A.2) Tool Guidelines
A.2.1) The Tool should allow the user to use CVE IDs to locate associated Tasks in that Tool ("CVE Searchable") by providing at least one of the following: a "find" or "search" function, a mapping between that Tool’s Task names and CVE IDs, or another mechanism.
A.2.2) For any report that identifies individual security elements, the Tool should allow the user to determine the associated CVE IDs for those elements ("CVE Output") by doing at least one of the following: including CVE IDs directly in the report, providing a mapping between the Tool’s Task names and CVE IDs, or using some other mechanism.
A.2.3) Any required reports or mappings should satisfy the media requirements as specified in Appendix B.
A.2.4) The Tool, or the Owner, should provide the user with a list of all CVE IDs that are associated with the Tool’s Tasks.
A.2.5) The Tool should allow the user to select a set of Tasks by providing a file that contains a list of CVE IDs.
A.2.6) The interface of the Tool should allow the user to browse, select, and deselect a set of Tasks by using individual CVE IDs.
A.2.7) If the Tool does not have a Task that is associated with a CVE ID as specified by the user in the A.2.5 or A.2.6 Tool requirements, then the Tool should notify the user that it cannot perform the associated Task.
A.2.8) The Owner should warrant that (1) the rate of false positives is less than 100 percent, i.e., if the Tool reports a specific security element, it is at least sometimes correct, and (2) the rate of false negatives is less than 100 percent, i.e., if an event occurs that is related to a specific security element, then sometimes the Tool reports that event.
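As an added example that is not part of the page (and not code from any particular scanner), here is how a Tool might implement guidelines 6.1, A.2.1, A.2.4, A.2.5 and A.2.7 together: a canonicaliser that accepts the bare YYYY-NNNN form and sequence numbers of four or more digits, a Task lookup by CVE ID, and selection of Tasks from a user-supplied file that reports the IDs for which no Task exists. The Task names, the CVE IDs and the file contents are constructed placeholders.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Canonical CVE ID syntax: "CVE-" + four-digit year + a sequence number of four
# or more digits (the syntax in force since the change after 31 December 2013;
# older IDs with exactly four digits match it too). The "CVE-" prefix is
# optional on input so that a user may search for "YYYY-NNNN" (guideline 6.1).
_CVE_RE = re.compile(r"^(?:CVE-)?(\d{4})-(\d{4,})$", re.IGNORECASE)


def canonical_cve_id(text: str) -> str:
    """Return the canonical 'CVE-YYYY-NNNN...' form of a user-supplied ID.

    Raises ValueError for anything that is not syntactically a CVE ID, so that
    callers never pass unvalidated strings into lookups, files or URLs.
    """
    m = _CVE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a CVE ID: {text!r}")
    year, seq = m.groups()
    return f"CVE-{year}-{seq}"


# Hypothetical Task-to-CVE mapping of a scanner (constructed sample data; the
# Task names and IDs are placeholders, not real checks or CVE Records).
TASK_MAP: Dict[str, Set[str]] = {
    "http-example-rce": {"CVE-2024-0001"},
    "ssh-weak-kex": {"CVE-2024-0002", "CVE-2024-0003"},
    "tls-legacy-renego": {"CVE-2024-10001"},   # five-digit sequence number
}


def all_cve_ids(task_map: Dict[str, Set[str]]) -> List[str]:
    """A.2.4: the full list of CVE IDs the Tool's Tasks are associated with."""
    return sorted(set().union(*task_map.values()))


def find_tasks(task_map: Dict[str, Set[str]], query: str) -> List[str]:
    """A.2.1 / 6.1: locate Tasks by CVE ID, accepting 'YYYY-NNNN' or 'CVE-YYYY-NNNN'."""
    cve_id = canonical_cve_id(query)
    return sorted(task for task, ids in task_map.items() if cve_id in ids)


def select_tasks_from_file(task_map: Dict[str, Set[str]],
                           lines: Iterable[str]) -> Tuple[List[str], List[str], List[str]]:
    """A.2.5 / A.2.7: select Tasks from a file of CVE IDs (one per line, '#' comments).

    Returns (selected_tasks, ids_without_a_task, malformed_lines). The second
    list is what the Tool must tell the user it cannot perform; the third is
    input the Tool refuses rather than guessing at.
    """
    selected: Set[str] = set()
    missing: List[str] = []
    malformed: List[str] = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            cve_id = canonical_cve_id(line)
        except ValueError:
            malformed.append(line)
            continue
        tasks = find_tasks(task_map, cve_id)
        if tasks:
            selected.update(tasks)
        else:
            missing.append(cve_id)
    return sorted(selected), missing, malformed


if __name__ == "__main__":
    # Constructed input file: mixed syntaxes, one ID with no Task, one malformed line.
    sample_file = """
    # selection for tonight's scan
    2024-0001
    cve-2024-10001
    CVE-2024-9999      # no Task covers this one
    CVE-24-1
    """.splitlines()
    chosen, missing, bad = select_tasks_from_file(TASK_MAP, sample_file)
    print("selected:", chosen)
    print("cannot perform (no Task):", missing)
    print("rejected input:", bad)
```

Rejecting malformed lines outright, instead of silently skipping them, is what makes the A.2.7 notification trustworthy: a user who mistypes an ID learns that the Task was not run rather than assuming it was.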
A.3) Security Service Guidelines
Security Services might use CVE-Compatible tools in their work, but they may not provide their customers with direct access to those tools, which can make it difficult for customers to identify and compare the capabilities of different services. The Security Service Guidelines address this potential limitation.
A.3.1) The Security Service should be able to use CVE IDs to tell a user which security elements are tested or detected by the service ("CVE Searchable") by doing one or more of the following: providing the user with a list of CVE IDs that identify the elements that are tested or detected by that Service, providing the user with a mapping between the Service’s elements and CVE IDs, responding to a user-supplied list of CVE IDs by identifying which of the CVE IDs are tested or detected by the Service, or by using some other mechanism.
A.3.2) For any report that identifies individual security elements, the Service should allow the user to determine the associated CVE IDs for those elements ("CVE Output") by doing one or more of the following: allowing the user to include CVE IDs directly in the report, providing the user with a mapping between the security elements and CVE IDs, or by using some other mechanism.
A.3.3) Any required reports or mappings that are provided by the Service should satisfy the media requirements as specified in Appendix B.
A.3.4) If the Service provides the user with direct access to a product that identifies security elements, then that product should be CVE Compatible.
A.3.5) The Owner should warrant that (1) the rate of false positives is less than 100 percent, i.e., if a Tool reports a specific security element, it is at least sometimes correct, and (2) the rate of false negatives is less than 100 percent, i.e., if an event occurs that is related to a specific security element, then sometimes the Service reports that event.
A.4) Online Capability Guidelines
A.4.1) The Online Capability should allow a user to find related security elements in the Online Capability’s repository ("CVE Searchable") by providing one of the following: a search function that accepts a CVE ID and returns the related elements, a mapping that links each element with its associated CVE ID(s), or some other mechanism.
A.4.1.1) The Online Capability should provide a URL "template" that allows a computer program to easily construct a link that accesses the search function as outlined in Online Capability Guidelines A.4.1.
Examples:
https://www.example.com/cgi-bin/db-search.cgi?cvename=CVE-YYYY-NNNN
https://www.example.com/cgi-bin/db-search.cgi?cvename=CVE-YYYY-NNNNN
https://www.example.com/cgi-bin/db-search.cgi?cvename=CVE-YYYY-NNNNNN
https://www.example.com/cve/CVE-YYYY-NNNN.html
https://www.example.com/cve/CVE-YYYY-NNNNN.html
https://www.example.com/cve/CVE-YYYY-NNNNNN.html
A.4.1.2) If the URL template is for a CGI program, the program should accept the HTTP "GET" method.
A.4.2) For any report that identifies individual security elements, the Online Capability should allow the user to determine the associated CVE IDs for those elements ("CVE Output") by doing at least one of the following: by allowing the user to include CVE IDs directly in the report, providing the user with a mapping between the security elements and CVE IDs, or by some other mechanism.
A.4.3) If the Online Capability does not provide details for individual security elements, then the Online Capability should provide a mapping that links each element with its associated CVE ID(s).
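An added example, not from the page or from any real capability, showing both ends of guidelines A.4.1.1 and A.4.1.2: a client that expands a URL template into a search link, and a minimal handler standing in for the CGI program that answers the GET. The templates reuse the example.com placeholders above; the repository contents and element names are constructed. The point a practitioner should take from it is that a CVE ID obtained from untrusted input is validated against the syntax before it is interpolated into a URL or used as a lookup key.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Syntactic check for a canonical CVE ID: four-digit year, sequence number of
# four or more digits. Applied before an ID goes into a URL or a lookup.
_CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Hypothetical templates in the two shapes the guideline illustrates
# (constructed; example.com is a placeholder, not a real capability).
QUERY_TEMPLATE = "https://www.example.com/cgi-bin/db-search.cgi?cvename={cve}"
PATH_TEMPLATE = "https://www.example.com/cve/{cve}.html"


def build_search_url(template: str, cve_id: str) -> str:
    """Client side (A.4.1.1): expand a URL template with a CVE ID.

    The ID is validated first, so a caller that got it from untrusted input
    cannot smuggle extra query parameters, path segments or a fragment into
    the link; it is then percent-encoded as a second line of defence even
    though a valid ID contains nothing that needs encoding.
    """
    if not _CVE_RE.match(cve_id):
        raise ValueError(f"refusing to build a link for non-CVE ID {cve_id!r}")
    return template.format(cve=quote(cve_id, safe=""))


# Hypothetical repository: CVE ID -> identifiers of the security elements
# mapped to it (constructed placeholders).
REPOSITORY = {
    "CVE-2024-0001": ["ADV-2024-017", "SIG-1001"],
    "CVE-2024-10001": ["ADV-2024-042"],
}


def handle_get(url: str, repository=REPOSITORY):
    """Server side (A.4.1.2): answer a GET to the query-style template.

    Returns (status, body) much as a CGI program would. Only the 'cvename'
    parameter is honoured, exactly once, and only after validation, so a
    crafted query string never reaches the lookup with anything but a
    well-formed ID.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = params.get("cvename", [])
    if len(values) != 1:
        return 400, "exactly one cvename parameter is required"
    cve_id = values[0].strip().upper()
    if not _CVE_RE.match(cve_id):
        return 400, "cvename is not a syntactically valid CVE ID"
    elements = repository.get(cve_id)
    if not elements:
        return 404, f"no security elements mapped to {cve_id}"
    return 200, "\n".join(f"{cve_id}\t{element}" for element in elements)


if __name__ == "__main__":
    link = build_search_url(QUERY_TEMPLATE, "CVE-2024-10001")
    print(link)
    print(handle_get(link))
    print(handle_get("https://www.example.com/cgi-bin/db-search.cgi?cvename=CVE-2024-0001&cvename=x"))
    print(build_search_url(PATH_TEMPLATE, "CVE-2024-0001"))
```

The handler deliberately treats a duplicated parameter as an error rather than taking the first or last value; parameter-pollution ambiguity is a classic way for two components to disagree about which ID was requested.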
A.5) Aggregation Capability Guidelines
A.5.1) The Aggregation capability should allow the user to use CVE IDs to locate associated elements in that capability ("CVE Searchable") by providing at least one of the following: a "find" or "search" function, a mapping between that capability’s names and CVE IDs, or another similar mechanism.
A.5.2) For any report that identifies individual security elements, the Aggregation capability should allow the user to determine the associated CVE IDs for those elements ("CVE Output") by doing at least one of the following: including CVE IDs directly in the report, providing a mapping between the capability’s names and CVE IDs, or using some other mechanism.
A.5.3) Any required reports or mappings should satisfy the media guidelines as specified in Appendix B.
A.5.4) The Aggregation capability, or the Owner, should provide the user with a list of all CVE IDs that are associated with the capability’s elements.
A.5.5) The Aggregation capability should allow the user to select a set of elements by providing a file that contains a list of CVE IDs.
A.5.6) The interface of the Aggregation capability should allow the user to browse, select, and deselect a set of elements by using individual CVE IDs.
Appendix B) Media Guidelines
B.1) It is recommended that a CVE-Compatible capability use a distribution media format that is covered in this appendix.
B.2) The media format should satisfy the specific requirements for that format.
B.3) Electronic Documents
B.3.1) The document should be in a commonly available format which has readers that support a "find" or "search" function ("CVE Searchable"), such as plain ASCII text, HTML, or PDF.
B.3.2) If the document only provides short names or titles for individual elements, then it should list the CVE IDs that are related to those elements ("CVE Output").
B.3.3) The document should include a mapping from elements to CVE IDs, which lists the appropriate pages for each element.
B.4) Graphical User Interface (GUI)
B.4.1) The GUI should provide the user with a search function that allows the user to enter a CVE ID and retrieve the related elements ("CVE Searchable").
B.4.2) If the GUI lists details for an individual element, then it should list the CVE ID(s) that map to that element ("CVE Output"). Otherwise, the GUI should provide the user with a mapping in a format that satisfies the B.3.1 Electronic Documents guidelines.
B.4.3) The GUI should allow the user to export or access CVE-related data in an alternate format that satisfies the B.3.1 Electronic Documents guidelines.