OVANA: An Approach to Analyze and Improve the Information Quality of Vulnerability Databases

“…As mentioned above, vulnerability and exploit repositories offer search engines to extract information about them. However, these searches are sometimes limited, as the information is only available for a fee, and it is not always possible to secure complete information (Kuehn et al, 2021;Zhang et al, 2015). Moreover, the amount of extracted information can be unmanageable, which is a crucial problem since this information is essential to identify which elements (parts, vendors, versions, OS, etc.)…”

“…This information is crucial to determine whether a vulnerability can be used as an attack vector and should or should not be taken into account for assessment. However, vulnerability repositories may have poor quality (Kuehn et al, 2021), limitations that hinder their use (Zhang et al, 2015) -such as a limited number of searches or hidden information retrieved-, or even their vulnerability information may be unlinked from exploits. In fact, automatic detection of system features and vulnerabilities remains an open problem (Gawron et al, 2015;Tommy et al, 2017).…”

Feature models to boost the vulnerability management process

“…As mentioned above, vulnerability and exploit repositories offer search engines to extract information about them. However, these searches are sometimes limited, as the information is only available for a fee, and it is not always possible to secure complete information (Kuehn et al, 2021;Zhang et al, 2015). Moreover, the amount of extracted information can be unmanageable, which is a crucial problem since this information is essential to identify which elements (parts, vendors, versions, OS, etc.)…”

“…This information is crucial to determine whether a vulnerability can be used as an attack vector and should or should not be taken into account for assessment. However, vulnerability repositories may have poor quality (Kuehn et al, 2021), limitations that hinder their use (Zhang et al, 2015) -such as a limited number of searches or hidden information retrieved-, or even their vulnerability information may be unlinked from exploits. In fact, automatic detection of system features and vulnerabilities remains an open problem (Gawron et al, 2015;Tommy et al, 2017).…”

Feature models to boost the vulnerability management process

“…Five papers contribute to other purposes, including comparing the information contents of different vulnerability databases (Tripathi andSingh, 2011, Forain et al, 2022), multi-class vulnerability detection (Zou et al, 2019), and vulnerability information quality enhancement (Glanz et al, 2015;Takahashi and Inoue, 2016;Kuehn et al, 2021).…”

The Anatomy of a Vulnerability Database: A Systematic Mapping Study

“…NVD CVE database is generally of high quality and acts as a ground truth in our (and many others) studies. However, it still suffers from inherent data quality issues, as highlighted by recent works by Anwar et al (2022), Dong et al (2019), and Kuehn et al (2021), and this may indirectly affect any studies and comparisons to where it is used as a ground truth. At the same time, to the best of our knowledge, there is no better and more curated ground truth for vulnerability information than NVD CVE.…”

Evaluating Zero-Shot Chatgpt Performance on Predicting CVE Data From Vulnerability Descriptions