CVE Content Decisions Overview
CVE content decisions (CDs) are the guidelines used to ensure that CVE Identifiers are created in a consistent fashion, independent of who is doing the creation. There are two major types of CDs: Inclusion and Abstraction.
There are differences between many vulnerability databases or products in the type of content they include, as well as the level of abstraction. These differences occur within the same database or product. Because of this variety and the flat structure of the CVE Identifier, CVE cannot be flexible enough to account for these differences. It is important for vulnerability analysts to be aware of these differences. As such, CVE CDs not only document the guidelines for creating content, they often indicate areas in which there is inconsistency across vulnerability information sources. Quantitative analyses of vulnerabilities that use CVE-normalized data can be more easily replicated, and the CVE CDs help to ensure that the data is normalized in a predictable fashion.
The Two Most Commonly Used Content Decisions
Two of the most commonly used abstraction facets of CVE CDs are shown in the example below. They also highlight some of the most common discrepancies across vulnerability information sources. These CDs were revised many times over a period of a year and a half, but they were stabilized in early 2001 when they were modified to make them less sensitive to the amount of information that is available for a vulnerability. From an academic perspective this approach is not optimal, but it is proving to be repeatable and less likely to cause CVE Identifiers to become split or merged when new information becomes available after the initial analysis has been performed.
Examples of SF-LOC and SF-EXEC Abstraction Facets
CD:SF-LOC is less sensitive to the lack of detailed information such as source code, exploits, or attack traces. However, it is still sensitive to changes in version information. Problems that occur in libraries pose special challenges for this CD, because they could be exhibited at several points within the same executable, or in many different executables. Ultimately, while this CD is intended to minimize the amount of information that is required to produce results, it is still dependent on critical information sources such as the vendor of the vulnerable product.
CD:SF-EXEC is also susceptible to error if the problem occurs in a library or other common codebase.