JSON Field | CVEs | CVE Percent | CNAs | CNA Percent | JSON Type Discovered | JSON Schema |
---|---|---|---|---|---|---|
affected | 247740 | 94.5% | 350 | 98.9% | array | array of product |
affected.collectionURL | 6630 | 2.5% | 46 | 13.0% | string | uriType |
affected.cpes | 4947 | 1.9% | 9 | 2.5% | array | array of strings |
affected.defaultStatus | 30089 | 11.5% | 295 | 83.3% | string | status ("affected", "unaffected", "unknown") |
affected.modules | 1894 | 0.7% | 85 | 24.0% | array | array of strings |
affected.packageName | 5647 | 2.2% | 64 | 18.1% | string | string |
affected.platforms | 6988 | 2.7% | 166 | 46.9% | array | array of objects |
affected.product | 112076 | 42.8% | 349 | 98.6% | string | string |
affected.programFiles | 3154 | 1.2% | 22 | 6.2% | array | array of strings |
affected.programRoutines | NA | NA | NA | NA | array | array of objects |
affected.programRoutines.name | 116 | 0.0% | 11 | 3.1% | string | string |
affected.repo | 3796 | 1.4% | 73 | 20.6% | string | uriType |
affected.vendor | 97319 | 37.1% | 344 | 97.2% | string | string |
affected.versionType | 1 | 0.0% | 1 | 0.3% | string | |
affected.versions | 247584 | 94.4% | 350 | 98.9% | array | array of objects |
affected.versions.changes | 3758 | 1.4% | 53 | 15.0% | array | array of objects |
affected.versions.changes.at | 3758 | 1.4% | 53 | 15.0% | string | array of objects |
affected.versions.changes.status | 3758 | 1.4% | 53 | 15.0% | string | array of objects |
affected.versions.lessThan | 29076 | 11.1% | 257 | 72.6% | string | string |
affected.versions.lessThanOrEqual | 20754 | 7.9% | 211 | 59.6% | string | string |
affected.versions.status | 247584 | 94.4% | 350 | 98.9% | string | status ("affected", "unaffected", "unknown") |
affected.versions.version | 104779 | 40.0% | 349 | 98.6% | string | string |
affected.versions.versionType | 46258 | 17.6% | 295 | 83.3% | string | string |
Detailed view of Affected Products (container.cna.affected)
This view is specifically focused on `container.cna.affected`. The table shortens all of the field names, so the `container.cna.` portion is truncated.
- `JSON Field`: the compound name of the JSON data element
- `CVEs`: count of unique CVE identifiers with the `JSON Field`
- `CVE Percent`: percent of total CVEs
- `CNAs`: count of unique CNA short names providing the `JSON Field`
- `CNA Percent`: percent of total CVEs
- `JSON Type Discovered`: the type of JSON data present in the data
- `JSON Schema`: what the JSON schema defines the data to be; if this is not present, there is no definition of the `JSON Field` in the JSON schema.
Affected vendor, product, version and/or package name or repository.
These fields represent the minimum necessary to identify the vulnerable product(s) or software. The table below identifies how many CVEs and CNAs have non-null values in the field. One thing to note: the “version” is represented by a JSON object, and this code looks for anything specified in the “versions” object while ignoring `containers.cna.affected.versions.status`, since almost every record had that value with nothing else specified in this section.
Are the vendor and product defined in the CPE dictionary?
This grabs the CPE dictionary from NVD and will first check the value provided “as is” against the same value in the CPE dictionary. Second, it does a case-insensitive match against the defined values in the CPE.
CPE Dict 2.3 has 21,699 unique vendors and 134,714 unique combinations of vendor and product.
When are CVEs published with vendor, product and version (VPV)?
This next plot treats a record as “complete” if any of the “affected” records has a value in the `vendor` AND `product` AND `versions` fields. It is not inspecting those fields for quality, just that something is present. Again, `containers.cna.affected.versions.status` is being ignored.
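One way to express the completeness rule and the two-stage CPE check described above, as an added example that is not the analysis code behind this page. The function names, sample records and CPE pairs are constructed, and the input is assumed to be a CVE JSON record with the `containers.cna.affected` layout.

```python
# Added example; all records and CPE pairs below are constructed samples.
def version_has_detail(v):
    """True if a versions entry carries any non-empty key other than 'status'."""
    return any(val not in (None, "", [], {}) for key, val in v.items() if key != "status")

def has_complete_vpv(record):
    """Complete = some affected entry has vendor AND product AND versions detail."""
    affected = record.get("containers", {}).get("cna", {}).get("affected") or []
    for entry in affected:
        versions = [v for v in entry.get("versions") or [] if isinstance(v, dict)]
        if (entry.get("vendor") and entry.get("product")
                and any(version_has_detail(v) for v in versions)):
            return True
    return False

def cpe_match(vendor, product, cpe_pairs):
    """Try the pair as is first, then case-insensitively."""
    if (vendor, product) in cpe_pairs:
        return "exact"
    lowered = {(v.lower(), p.lower()) for v, p in cpe_pairs}
    if (vendor.lower(), product.lower()) in lowered:
        return "case-insensitive"
    return "none"

def rec(*affected):
    """Wrap affected entries in the containers.cna.affected path."""
    return {"containers": {"cna": {"affected": list(affected)}}}

SAMPLES = {
    "full": rec({"vendor": "ExampleCorp", "product": "Widget",
                 "versions": [{"version": "1.0", "lessThan": "1.2", "status": "affected"}]}),
    "status_only": rec({"vendor": "ExampleCorp", "product": "Widget",
                        "versions": [{"status": "affected"}]}),
    "placeholder": rec({"vendor": "n/a", "product": "n/a",
                        "versions": [{"version": "n/a", "status": "affected"}]}),
    "no_product": rec({"vendor": "ExampleCorp",
                       "versions": [{"version": "2.0", "status": "affected"}]}),
}
CPE_PAIRS = {("examplecorp", "widget")}  # constructed (vendor, product) pairs

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, has_complete_vpv(record))
    print(cpe_match("ExampleCorp", "Widget", CPE_PAIRS))
```

The `placeholder` sample counts as complete because the rule checks presence only, not quality, while `status_only` does not because `status` is the one key being ignored.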
Which CNAs are publishing more complete VPV values?
This looks at the percent of CVEs with a complete VPV record from each CNA and compares against the total number of CVEs from that CNA.
Take note of just how many CNAs are across the bottom (or the lack of CNAs at the bottom). This indicates that almost every CNA has been able to produce a complete VPV record. `mitre` as a CNA really sticks out here.